At a glance.
- DHS IG reports on 2019 Customs and Border Protection PII breach.
- Talking to those who hold data hostage.
- Continuing Blackbaud fallout.
- Challenges for personal identity verification during telework.
Department of Homeland Security Inspector General releases report on 2019 Customs and Border Protection Breach.
The US Department of Homeland Security's Inspector General has concluded its investigation into a 2019 breach at Customs and Border Protection. The IG's report concluded that travelers' faces, license plates, and "care information" had indeed leaked, and that some of it appeared on the dark web. The breach was traced to a Customs and Border Protection (CBP) subcontractor, Perceptics, which transferred copies of CBP biometric data to its own systems, where the data were apparently left unencrypted. As the IG put it, "DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP's sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics' ability to take possession of CBP-owned sensitive data, CBP's information security practices during the pilot were inadequate to prevent the subcontractor's actions."
Tales from the ransomware trenches.
Ransom negotiator Art Ehuan conducts discussions with extortionists on the dark web, attempting to drive down the asking price after obtaining proof that the attackers can actually decrypt the affected files, according to blogger Bob Sullivan. Limited international law-enforcement cooperation, combined with the anonymity Bitcoin affords, makes the criminals' job easy. Ehuan says protecting and segmenting one's digital assets is far less expensive than paying a ransom, and that the "it won't happen to me" outlook is a mistake. This is the busiest he has been in twenty years, and he expects things only to get worse, quoting an FBI friend: "Why would they quit, there is so much more money to be made?" Meanwhile, a Sophos survey found that paying the ransom typically doubles the total cost of an attack, a conclusion that might well inform a victim's cost-benefit calculations.
Back in Blackbaud news.
The St. Augustine Record reports that Flagler College, a liberal arts college in the US state of Florida, had data exposed in the May ransomware attack on software vendor Blackbaud. Flagler explained in a statement that the breach affected the personal details, and the history with the college, of former students, benefactors, and other affiliates. Flagler investigated the incident, engaged an outside firm to independently review Blackbaud's investigation, and is "revisiting" its contract with the vendor. For its part, Blackbaud has "hired third-party cybersecurity experts to monitor the dark web indefinitely to ensure no evidence arises that data was released." Healthcare Info Security worries that Blackbaud may have "painted a target on its back" by paying the requested ransom, noting that companies that do so can find themselves repeat victims.
Bank Info Security says at least ten potential class-action lawsuits have been filed against the vendor thus far, variously alleging invasion of privacy, negligence, breach of contract, and transgressions of state law. The legal exposure isn't confined to American institutions, either: Blackbaud's business extended to much of the English-speaking world. BirminghamLive reports that, in the UK, the University of Birmingham finds itself among an unspecified number of institutions against whom solicitors from Simpson Millar are preparing possible lawsuits.
The extent of Blackbaud customers' liability remains an open question. Flagler College says, to its credit, that it endeavors "to live up to [their] core value of citizenship with integrity, and this includes setting a high expectation of honesty, integrity, and responsibility." Stay tuned to see whether such responsibility will eventually be adjudicated, and whether exposure to third-party risk eventually takes a pecuniary form.
Don’t click that link.
As the world's workforce has gone remote, and physical methods of identity verification like ID badges and thumbprint readers have become a fond memory, threat actors who once concentrated on technical weaknesses like buffer overflows and DNS vulnerabilities have shifted their attention to social engineering, according to FCW. Bogus calls, messages, profiles, and web pages are the vectors to watch for in this era of remote collaboration. Cybersecurity and Infrastructure Security Agency expert Sean Connelly points out that "attacks are shifting everywhere traditional network security controls are not located."