At a glance.
- Update on the Capcom breach.
- Notes on phishbait.
- Proposed Canadian privacy legislation will affect how companies do business in Canada.
- Hosting service takes its servers offline after ransomware attack.
Leading game maker takes major damage.
Capcom, the prolific Japanese video game developer known for classic titles like Street Fighter and Resident Evil, has had its data stolen and published by the cybercriminals who unleashed a ransomware attack on its systems in November, reports Naked Security. Capcom notified the public they had experienced a ransomware attack when they discovered their email and file servers had been infiltrated by an unauthorized party. The Ragnar Locker group took credit for the attack, declaring they had stolen a massive amount of data from the game company and demanding a rumored ransom of $11 million. Capcom refused to pay, but conducted an investigation and confirmed Ragnar’s claims. They found that the personal info of more than 350,000 staff, customers, and shareholders had been compromised, including a wide range of data from passport details to shareholding figures, Security Week reports, though damage to Capcom’s access logs made it difficult to pinpoint exactly how much had been stolen. However, social media response indicates that creative development records were also included in the public data dump, as Redditors have begun commenting on confidential plans for Capcom’s future projects. The upside: at least the Reddit reviews are positive.
LinkedIn is the best bait for phishing scams.
The success of a phishing scam depends heavily on one factor: how effective is the fraudulent email’s subject line at persuading the victim to open it? Security training and intelligence shop KnowBe4 has conducted its annual analysis of phishing email subject lines to determine which are most successful, Atlas VPN reports. For the third year running, phishing scams masquerading as LinkedIn emails are more likely to work than those from any other social media platform, with a whopping 47% open rate. The runner-up is Twitter, followed closely by Facebook. Overall, messages that appear to be from the victim’s employer tend to be the most compelling, with subject lines containing the keyword “payroll” unsurprisingly garnering the most attention, just barely edging out COVID-19-related scams.
New Canadian privacy law threatens massive penalties.
If adopted by the Parliament of Canada, a proposed privacy law would give Canadians increased protection against data exposure, reports Reuters. The Digital Charter Implementation Act would allow individuals to file a complaint with the Privacy Commissioner if they feel their data have been used without their permission. Companies found at fault would be compelled to delete the data in question and cease collecting it. Companies that fail to comply could face fines of up to 5% of their revenue. As the EU enacted the General Data Protection Regulation in 2018 and the US state of California established the California Consumer Privacy Act earlier this year, an update to Canada’s twenty-year-old privacy regulations seems in keeping with the times.
We heard from Trevor Morgan, product manager with comforte AG, who draws some lessons for business from the pending rules:
“The move should serve as a strong reminder to businesses located or operating in Canada that data security is paramount to doing business in the country. Each organization should rethink how they protect sensitive data throughout its entire lifecycle, including knowing where this data is within their infrastructure, the level of sensitivity, and the right way to protect sensitive information.
“Data-centric security measures such as tokenization and format-preserving encryption are far more effective than perimeter-based methods, facilitating data freedom of movement that businesses need in order to use that information effectively while complying with strong data privacy regulations such as this proposed act.”
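To make concrete what "data-centric" protection with freedom of movement means, here is an added illustration (not comforte's code, and not part of the original briefing) of vault-based tokenization: the real value is held in one vault, and every downstream system sees a random token that keeps the original's length and last four digits, so reports, joins and display logic keep working without ever touching the sensitive value. Format-preserving encryption is a different technique (a keyed cipher rather than a random lookup table) and is not implemented here; the card numbers are constructed test values.

```python
import secrets
import string

# Constructed sample values for the demonstration; not real card numbers.
SAMPLE_RECORDS = [
    {"customer": "A. Example", "pan": "4111111111111111"},
    {"customer": "B. Example", "pan": "5500000000000004"},
]


class TokenVault:
    """Vault-based tokenization (illustrative, in-memory).

    The vault is the only place where token <-> original value is known.
    In a real deployment the vault is a separately secured service;
    everything else in the business processes tokens only.
    """

    def __init__(self):
        self._by_value = {}  # original value -> token
        self._by_token = {}  # token -> original value

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or len(pan) < 8:
            raise ValueError("expected a digit-only PAN of at least 8 digits")
        # Same input always yields the same token, so joins and
        # de-duplication on the tokenized field still behave correctly.
        if pan in self._by_value:
            return self._by_value[pan]
        while True:
            # Random body, same length, last four digits kept: existing
            # length checks and "ending in 1234" receipts keep working.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token and token not in self._by_value:
                break
        self._by_value[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the original value."""
        return self._by_token[token]


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of the record with the sensitive field replaced by its token.

    This is the version that may flow to analytics, support tools and logs.
    """
    protected = dict(record)
    protected["pan"] = vault.tokenize(record["pan"])
    return protected


def receipt_line(protected: dict) -> str:
    """Downstream consumer that needs only the last four digits, which the
    token preserves, so it never needs vault access."""
    return f"{protected['customer']}: card ending {protected['pan'][-4:]}"


if __name__ == "__main__":
    vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        safe = protect_record(vault, rec)
        print(safe, "->", receipt_line(safe))
        print("recovered:", vault.detokenize(safe["pan"]))
```

The point a practitioner should take from this is the boundary: the vault (or, with format-preserving encryption, the key) is the single thing that must be protected, while the tokenized records can move through the rest of the estate, and a breach of those systems exposes tokens rather than the regulated data.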
Hosting service Managed.com taken offline after ransomware attack.
Managed.com, a widely used hosting service, has taken its servers down after a ransomware attack affected some of its customers' sites. ZDNet reports that the attack appears to have occurred on Monday.
James McQuiggan, security awareness advocate at KnowBe4, sees the incident as an object lesson in the importance of well-developed incident response plans:
“It's essential to have documented procedures for handling various incidents and responses to support an event within any organization. These repeatable, established procedures should include communication paths and outlined responsibilities for all people involved in the incidents, whether it's an endpoint system infected with malware or an enterprise server environment compromised by ransomware.
“It can damage the brand, reputation and possible bottom-line revenue if an outage source is not transparent to an organization’s customers. All communications should be internally authorized before making them public to avoid any confusion or concern by those who might use the victimized organization's product or service.”