At a glance.
- REvil ups the ante.
- Contact-tracing data abused.
- Criminals don't in fact have the common good at heart.
- High rates of personal data exposure?
Ransomware gang ups its ante.
Grubman Shire Meiselas & Sacks, the attorneys to the stars who were hit by the REvil ransomware gang, have according to Page Six seen a doubling of the ransom REvil wants. The gang's demand is now $42 million, and they say that they will release the information they've stolen if they're not paid within the week. For some reason Lady Gaga seems to be the star client most often mentioned in press coverage of the incident, but REvil says they've taken lots of stuff about President Trump, too, and that they intend to air the President's "dirty laundry" if Grubman Shire doesn't pony up. Granted he may not be as big a star as Lady Gaga, but still, the President's information is probably worth something. Whether they actually have anything on him is open to doubt: sources told Page Six that, celebrity though he may be, and reality TV star that he may have been, President Trump hasn't been a client of the affected law firm.
Contact tracing is not a dating app.
Here's why you might resist sharing personal information even in the cause of public health: data can be abused, and giving someone your contact information can sometimes amount to inviting nemesis into your life. Take this case from New Zealand, as reported by Newshub. A woman in Auckland wanted to buy a sandwich from Subway (as anyone might) and in doing so responsibly filled out a contact form the restaurant presented her (as any restaurant might, during a pandemic emergency). "I had to put my details on their contact tracing form which I didn't think anything of. It asked for my name, home address, email address and phone number so I put all those details down," she told Newshub. The guy who served her gave her the sandwich, but also favored her with lots of unwanted attention via text, Facebook, Instagram, and Facebook Messenger, which made the customer feel "pretty gross." Subway fired the unhappy suitor.
Criminals don't in fact have the common good at heart.
Anyone still willing to take seriously ransomware gangs' claims that they'll restrain themselves during a time of global emergency should consider this: the Wall Street Journal reports that Europol has warned of criminals increasing the rate of ransomware attacks against hospitals providing urgent care during the pandemic. This is as economically rational as it is morally depraved: the hospitals are more needed than ever, and the reliability and availability of their data are more important than ever, which the criminals calculate will make them all the more likely to pay a hefty ransom.
The underworld is also paying attention to how it crafts its phishbait. Proofpoint has found a number of templates in circulation that help criminals craft more convincing spoofs of government messages, especially messages involving the emergency relief programs so many of those in economic trouble find themselves hoping to use for a leg up, out of their difficulties. The templates are most often used in credential-harvesting scams.
High rates of personal data exposure?
A study by Interest looked at significant data breaches and concluded that the average American had personal data stolen or exposed at least four times last year. Social media sites like Facebook were responsible for most of the exposed data. Warren Poschman, senior solutions architect at comforte AG, shared these observations with us in an email:
"Unfortunately, there is no guarantee that even a perfect security program will prevent every breach. With an increasing attack surface, classic perimeter defense is becoming more and more useless. And in the face of these emerging threats, consumers still expect their personal data to remain protected. Often organizations only discover backdoors and other vulnerabilities long after hackers have already used them which is too late. Therefore, the most effective way to reduce the risks associated with breaches is to protect the sensitive data itself, while making it useless for attackers. A data-centric security approach helps organizations deploy data protection focused on security and maintaining privacy with technologies like tokenization and format-preserving encryption."