At a glance.
- Forensic reports may not be privileged.
- Malware steals data from a wide range of apps.
- Florida cardiology practice sustains ransomware attack.
- Dutch sport fishing vendor undergoes data exposure incident.
Judge rules forensic report admissible in breach lawsuit.
In a landmark ruling, a US federal judge has declared that the investigative report resulting from Rutter’s convenience store’s 2019 data breach is not privileged information, the Legal Intelligencer reports. The breach, which was the result of a malware attack on the Pennsylvania-based convenience store chain, compromised customer payment card information and led victims to file a class-action lawsuit. Rutter’s counsel enlisted Kroll Cyber Security to conduct a forensic investigation into the breach, and while the plaintiffs requested that the report be produced as evidence, Rutter’s argued the report was protected by the attorney-client and work product privileges. The decision from US Magistrate Chief Judge Karoline Mehalchick allows the plaintiffs to compel production of the document, as the language in Rutter’s contract with Kroll indicates “the purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred. Without knowing whether or not a data breach had occurred, defendant cannot be said to have unilaterally believed that litigation would result.” The ruling could set a precedent for future data breach litigation.
Jeremy Byellin, Vice President of Legal and Regulatory Affairs at Shared Assessments, wrote to say that the court got it right, and that legal counsel needs to be on any incident response team:
“In these two circumstances, the court made the right call, since it’s generally understood that if a report or investigation is not conducted either by an attorney or in anticipation of litigation, it is not work product shielded from discovery.
“If companies can learn anything from this, it’s that they should always presume litigation will follow a breach, and that they need to bring legal into the picture as soon as possible after a breach.”
Developments in XCSSET malware operation.
Trend Micro examines recent updates to the XCSSET malware campaign. While it was well known that the malware, which targets macOS 11, steals data from various apps and sends it to the hackers’ command-and-control (C&C) server, researchers have now discovered the mechanism used to pinpoint and collect the sensitive data. It’s also evident that the attackers have refined their approach, employing new C&C domains and a new module used to execute XSS injection on Google’s Canary browser, an experimental version of Chrome.
Erich Kron, Security Awareness Advocate at KnowBe4, wrote to share some thoughts on lessons that might be drawn from this and other similar incidents:
"Sadly, the days of not having to worry about malware on Macs are long gone, as demonstrated here. It is unfortunate that a Telegram account can be taken over by doing something as simple as copying the folder to another machine; however, sometimes these attacks do not have to be particularly high tech to be brutally effective.
"By stealing passwords from the Chrome browser, the attackers open up a whole world of chaos, especially if the user shares passwords across multiple web services or stores their email password in Chrome. If the cyber criminals can take over an email account, they can often use it to reset passwords on other critical accounts such as banking and shopping, locking the account owners out of them and risking unapproved purchases or an empty bank account. If users reuse passwords across different services, bad actors know they can try those common credential pairs on major financial and shopping sites, with good odds that they will successfully find another site the credentials work on.
"Education is the key to help avoid many of these issues. As most malware is spread through email phishing, teaching users to spot and report phishing attacks is a critical part of cyber defense, both at an individual and organizational level. In addition, educating people about the dangers of password reuse is another key area that will pay high dividends when dealing with cyber threats."
Florida cardiology center suffers ransomware attack.
WFTX reports that US cardiology practice Florida Heart Associates (FHA) was hit by a ransomware attack in May that not only took down its computer and phone systems, but also resulted in the loss of staff. FHA was able to regain control of its systems without paying a ransom, but it is currently struggling to restore its appointment procedures and will likely not see full recovery until late August or early September.
Fishing store on the hook for customer data leak.
SafetyDetectives reports that Dutch fishing supply store Raven Hengelsport exposed the data of hundreds of thousands of customers in an unsecured Microsoft Azure storage blob. While most of the 450,000 customer records belonged to Dutch citizens, some customers from other parts of the EU were also affected, as Raven’s website is frequented by shoppers from countries such as France, Belgium, and Germany. The 180GB of data consisted of online order details and PII logs including names, customer IDs, shipment tracking numbers, addresses, genders, phone numbers, and email addresses. If the exposure is determined to be a violation of the EU’s General Data Protection Regulation, Raven could face a fine of up to €20 million or 4% of its annual revenue, whichever is greater.