At a glance.
- Australian travelers' data exposed.
- BEC crimewave.
- Legal research platforms and privacy concerns.
- Telework advice for small businesses.
- Blackbaud discloses exposure of sensitive information during ransomware incident.
DFAT exposes email addresses of stranded Australian citizens.
The Australian Department of Foreign Affairs and Trade (DFAT) accidentally disclosed the email addresses of nearly 3,000 Australian citizens stranded overseas by COVID-19 travel restrictions, the Guardian reports. The addresses were placed in a visible recipient header of a message (rather than in Bcc) sent by DFAT’s COVID-19 consular operations section to notify the travelers of interest-free loans available to cover travel costs, so every recipient could see the full list. After realizing the mistake, DFAT recalled the message and sent a follow-up apologizing for the error and asking recipients to delete the original. A message recall only withdraws copies still held inside the sender’s own mail system; it does nothing for external recipients who had already received the original, so the exposure cannot be undone after the fact.
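The DFAT error is the classic bulk-notification mistake: the whole recipient list goes into a visible header. The following is an added example (not DFAT's or the Guardian's code) showing the safe construction with Python's standard `email` library, where the list lives only in Bcc, and a pre-send check that would have caught the faulty message. The sender address and recipient list are constructed sample data on reserved example domains, and `smtplib` is not actually invoked.

```python
"""Build a bulk notification without exposing the recipient list.

Added example, not from DFAT or the Guardian. The addresses below are
constructed sample data on reserved example domains, not real recipients.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: an assumed sender mailbox and a few recipients.
SENDER = "consular-notifications@example.gov.au"
RECIPIENTS = [
    "traveller1@example.org",
    "traveller2@example.net",
    "traveller3@example.org",
]


def build_notification(sender, recipients, subject, body):
    """Safe form: the recipient list goes only into Bcc.

    smtplib.SMTP.send_message() strips the Bcc header from the copy it
    transmits, so each recipient sees only the sender's own address in To.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def bulk_message_in_to(sender, recipients, subject, body):
    """Faulty form, kept for comparison: everyone is listed in To, so each
    recipient receives the complete list of addresses."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to see: To and Cc only.
    Bcc is deliberately excluded because the MTA removes it in transit."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _name, addr in pairs if addr]


def leaks_recipient_list(msg, sender):
    """Pre-send check: true if any address other than the sender's own
    appears in a visible header. Gate the send on this returning False."""
    return any(addr.lower() != sender.lower() for addr in visible_recipients(msg))


if __name__ == "__main__":
    good = build_notification(SENDER, RECIPIENTS, "Loan scheme", "Details follow.")
    bad = bulk_message_in_to(SENDER, RECIPIENTS, "Loan scheme", "Details follow.")
    print("safe message leaks list:", leaks_recipient_list(good, SENDER))
    print("faulty message leaks list:", leaks_recipient_list(bad, SENDER))
```

For lists this large, sending one message per recipient is the more robust option, since a Bcc header is still one accidental header edit away from exposure; the check above is the guard either way.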
Global Business Email Compromise steals millions.
Cybersecurity incident response company Mitiga reports that it is working with the US Federal Bureau of Investigation (FBI) and the US Secret Service to respond to a large-scale business email compromise (BEC) campaign that may have affected more than 150 organizations worldwide. The threat actors set up imposter Office 365 email accounts to impersonate senior executives involved in high-value financial transactions and used them to intercept the sensitive email around those deals. Once they obtained the wire transfer details, they redirected the funds to bank accounts under their control, stealing about $15 million so far. Mitiga has not yet identified the affected companies.
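A campaign of this shape succeeds because an imposter mailbox only has to look like an executive's to a busy finance team. The block below is an added example, not Mitiga's tooling or anything from the page: a small triage routine that takes raw `From:` headers and classifies them as a legitimate executive address, a lookalike domain (within two edits of a real one), a display-name spoof (an executive's name on a foreign mailbox), or unknown. The executive roster, the observed headers and the two-edit threshold are all constructed assumptions on reserved example domains.

```python
"""Triage From: headers for executive impersonation (BEC).

Added example, not Mitiga's code. Roster, sample headers and the edit-distance
threshold are constructed assumptions, not data from the reported campaign.
"""
from email.utils import parseaddr

# Constructed roster of legitimate executive mailboxes (display name -> address).
EXECUTIVES = {
    "Jane Doe": "jane.doe@acme-example.com",
    "John Roe": "john.roe@acme-example.com",
}

# Assumed threshold: domains within this many edits of a real one are lookalikes.
MAX_DOMAIN_EDITS = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from):
    """Return one of: legitimate, lookalike-domain, display-name-spoof, unknown."""
    name, addr = parseaddr(header_from)
    addr = addr.lower()
    _local, _, domain = addr.rpartition("@")
    known_addrs = {v.lower() for v in EXECUTIVES.values()}
    known_domains = {v.rpartition("@")[2].lower() for v in EXECUTIVES.values()}
    known_names = {n.strip().lower() for n in EXECUTIVES}

    if addr in known_addrs:
        return "legitimate"
    # Domain almost, but not exactly, a real one: "exarnple" for "example" and similar.
    for real in known_domains:
        if domain != real and levenshtein(domain, real) <= MAX_DOMAIN_EDITS:
            return "lookalike-domain"
    # Executive's display name on a mailbox outside the company's domains.
    if name.strip().lower() in known_names and domain not in known_domains:
        return "display-name-spoof"
    return "unknown"


def triage(headers):
    """Classify a batch of From: headers; returns {header: verdict}."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample headers, as a mail gateway or SIEM might surface them.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@acme-example.com>",          # the real executive
    "Jane Doe <jane.doe@acme-exarnple.com>",         # 'rn' for 'm' lookalike tenant
    "John Roe <j.roe.ceo@outlook-example.net>",      # name spoof on a foreign mailbox
    "Payroll <payroll@vendor-example.org>",          # ordinary third party
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:20s} {header}")
```

Verdicts other than "legitimate" on a thread that mentions wire or banking details are the ones worth routing to a human before any payment change is honoured; the check is cheap enough to run on every inbound message.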
NYCLU questions privacy of legal research platforms.
The New York Civil Liberties Union (NYCLU) has published a report questioning how user data in legal research platforms is collected, used and shared, reports Legaltech News. Sharing user data, including confidential search histories, with a third party is not only a privacy concern but could also bias legal proceedings. While the report’s author, Media Democracy Fund technology fellow Jonathan Stribling-Uss, singled out the prominent platforms Westlaw and LexisNexis, he has no evidence that they have been sharing user data. A representative from Westlaw told Legaltech News, “We’ve implemented systems and protocols designed to safeguard users’ confidential search histories on Westlaw from unauthorized access,” but did not state whether the platform currently shares user data.
US Cyber Readiness Institute offers telework advice to small businesses.
The US Cyber Readiness Institute (CRI) announced that it has released a cybersecurity toolkit designed to help smaller businesses protect their data as they shift to remote work amidst the pandemic. CRI was created to provide small and medium-sized enterprises (SMEs) with free cybersecurity resources. Now, working in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), CRI has developed the Telework Essentials Toolkit, a series of guides to help these businesses adapt their cybersecurity protocols to the distinctive needs of telework environments.
Blackbaud tells the SEC that sensitive financial information was compromised.
The ransomware attack against Blackbaud and its widely used donor-relations-management platform is now known to be more serious than had been hoped. Blackbaud has determined that, for some customers, the attackers may have accessed unencrypted fields holding bank account information, social security numbers, usernames and passwords. A Form 8-K the company filed with the US Securities and Exchange Commission says:
“As previously reported in our Quarterly Report on Form 10-Q for the quarter ended June 30, 2020, on July 16, 2020, we contacted certain customers to inform them about a recent security incident (the “Security Incident”). This information disclosed that in May 2020 we discovered and stopped a ransomware attack. Our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted (private cloud) environment.
“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support. We expect our Security Incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as appropriate.”