At a glance.
- The future of work-from-home, including employee supervision and monitoring.
- REvil ransomware operators offer more celebrity data for sale.
- EasyJet breached; passenger information lost.
Big Tech will continue work-from-home policies into next year.
Many tech firms are able to support general work-from-home, and safety, convenience, and cost savings are likely to prolong the period of remote work beyond the formal end of the pandemic emergency. The Washington Post has a summary of how tech firms' plans for remote work are progressing.
With remote work comes some degree of remote supervision. VPN Mentor reports that employee monitoring services are finding a market. It costs around $5 a month to keep track of a single employee.
REvil ransomware operators offer more celebrity data for sale.
DarkOwl researchers have been tracking the activities of the REvil gang that's claimed responsibility for hacking celebrity law firm Grubman Shire Meiselas & Sacks. The criminals say they've received offers for information they claim to have on President Trump, and that their next offer is of data connected with Madonna. Bidding starts at $1 million. We recommend you pass, no matter how big a fan you may be.
EasyJet breached; passenger information lost.
EasyJet has disclosed a data breach that affected some nine million customers. The Guardian writes that the airline describes the incident as the work of "highly sophisticated" criminals. The data lost include not only passenger names, email addresses, and itineraries, but a range of other information as well; in some cases payment card numbers were also exposed.
Brian Higgins, security specialist at Comparitech, offered some advice on what the people whose data were lost might expect:
“Attacks like this have enormous, knock-on effects for the victims. Once the attack is made public criminal organizations will immediately seek to take full advantage of the fear and uncertainty the 9 million customers of EasyJet are currently feeling and begin campaigns to exploit them.
"They will email, call on the telephone or in person, make contact via social media channels. In fact they will use any and all methods to make contact, pretend to be EasyJet and use that fear and uncertainty to make people reveal more of their personal information, login credentials, bank details etc. in order to commit more crime. Any and all unsolicited contact from EasyJet should be ignored, however difficult that may be. Check their official website or contact the Office of the Information Commissioner for advice. Never engage with any other offers of help. They will almost certainly cause you more harm."
The incident also has implications for the business. It's a tough time for airlines, given the way travel has fallen since the beginning of the pandemic, and the business risk any data breach presents is even more unwelcome than usual. Mark Bower, senior vice president at comforte AG, sent these comments:
“The aviation industry is struggling at present given the current pandemic, so seeing another major airline succumb to a data breach is not pleasant. On first glance, EasyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.
"Airlines and the GDS booking platforms that support them contain huge amounts of regulated PII in passenger data that’s potentially at risk. Organizations that process PII data need to take a serious approach to data-centric security. There are proven methods available which can reduce the impact of such data breaches. Tokenization is a great example. With such an approach, all sensitive data elements get replaced by tokens. That means that in the case of a data breach, the data is worthless for attackers. Furthermore, as it is the data elements themselves that are protected, security travels with the data, no matter if it is processed and stored within the company network, or whether it moves outside the perimeter. Too often we see organizations only secure what is mandated – like credit card data, leaving PII exposed at scale. If the full spectrum of personal data isn’t protected as required by modern privacy laws, businesses must realize that it is their brand and reputation that will be negatively affected."
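To make the tokenization point above concrete, here is an added illustration (not code from EasyJet, comforte AG, or the briefing itself) of a minimal token vault: every sensitive booking field, not only the card number, is swapped for a random token before the record reaches the application store, and the vault that maps tokens back to values is assumed to live in a separately secured system. The booking records, field names, and the `tok_` prefix are constructed for the example; a scan for exposed card numbers shows that a copy of the tokenized records yields nothing to an attacker.

```python
import re
import secrets
from typing import Dict, List

# Constructed sample bookings (test card numbers, invalid-TLD emails; not real data).
SAMPLE_BOOKINGS: List[Dict[str, str]] = [
    {"ref": "BK1001", "passenger": "A. Example",
     "email": "a.example@example.invalid", "card": "4111111111111111"},
    {"ref": "BK1002", "passenger": "B. Sample",
     "email": "b.sample@example.invalid", "card": "5500000000000004"},
]

# Fields the quoted advice would classify as regulated PII: all of them get tokens,
# not just the card number that payment-card rules mandate protecting.
SENSITIVE_FIELDS = ("passenger", "email", "card")

# Crude "what would a thief find" detector: runs of 13-19 digits bounded by non-word characters.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


class TokenVault:
    """Maps random, non-reversible tokens to original values.

    In a real deployment the vault is a separate, tightly controlled service;
    the application database only ever holds the tokens it hands out.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same input always maps to the same token so joins and de-duplication
        # still work on tokenized data without ever seeing the real value.
        existing = self._value_to_token.get(value)
        if existing is not None:
            return existing
        # The token is random: it carries no information about the value,
        # so it cannot be "decrypted" by anyone who steals the tokenized records.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can reverse a token; callers must be authorized to reach it.
        return self._token_to_value[token]


def tokenize_booking(vault: TokenVault, booking: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the booking with every sensitive field replaced by a token."""
    protected = dict(booking)
    for field in SENSITIVE_FIELDS:
        if field in protected:
            protected[field] = vault.tokenize(protected[field])
    return protected


def exposed_card_numbers(records: List[Dict[str, str]]) -> int:
    """Count records in which any field still looks like a payment card number."""
    return sum(
        1 for record in records
        if any(PAN_PATTERN.search(value) for value in record.values())
    )


if __name__ == "__main__":
    vault = TokenVault()
    stored = [tokenize_booking(vault, b) for b in SAMPLE_BOOKINGS]
    print("card numbers visible in raw records:      ", exposed_card_numbers(SAMPLE_BOOKINGS))
    print("card numbers visible in tokenized records:", exposed_card_numbers(stored))
    print("example stored record:", stored[0])
```

The design choice worth noting is that the token is random rather than derived from the value (no hash, no key): a stolen tokenized dataset is useless even to an attacker who later obtains the application's keys, and the only way back to the real value is through the vault, which is exactly the boundary that should be logged and access-controlled.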
And, of course, there are lessons about preparation for incident response to be learned, for both businesses and customers. Higgins added, "A company the size of EasyJet should have a comprehensive incident response plan to deal with this attack. The coming days will show us if that is the case, although how they can assure their customers that ‘there is no evidence that any personal information of any nature has been misused’ shows a worrying naivety. This is the golden hour for cyber criminals. EasyJet customers have one line of defense right now: ignore them.”