At a glance.
- CISA issues ransomware defense advice.
- SEC sanctions brokers over client data exposure.
- Indonesian Ministry of Health investigates COVID test-and-trace app data exposure.
- Bangkok Airways ransomware update.
- Another suit filed against T-Mobile.
- Tension between competition and privacy?
CISA issues ransomware attack advice.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory aimed at helping organizations prevent ransomware attacks, protect sensitive data, and, should an incident occur, respond appropriately. Health IT Security offers an overview of the guidance. Prevention tips include maintaining and regularly updating encrypted backups and following best practices for securing Remote Desktop Protocol (RDP), a common initial access vector. CISA also recommends that organizations limit the personal data they collect to what is strictly necessary, and that once an attack is detected they promptly isolate affected systems and devices, prioritize restoration of critical systems, and work with internal and external experts on a mitigation strategy. And CISA repeats the standing advice on ransomware: don't pay the ransom, since payment neither guarantees recovery of the data nor discourages further attacks.
SEC sanctions brokerage firms after email hijacking.
WealthManagement.com reports that the US Securities and Exchange Commission (SEC) has sanctioned eight brokerage firms after employee email account takeovers exposed the personal data of thousands of clients. The SEC found that the firms, which include several Cetera entities, Cambridge Investment Research, Cambridge Investment Research Advisors, and KMS Financial Services, had failed to adequately safeguard client data against such attacks. In Cetera's case, the SEC says that although the company had a robust security program, it did not properly deploy its protective tools and used misleading language when notifying affected individuals. At Cambridge, the data of more than two thousand clients was exposed because the firm allegedly neglected to follow its own policies on securing cloud-based email accounts. None of the firms commented, but all have agreed to settle the charges.
Indonesian authorities investigate exposure of COVID-19 data.
Researchers at vpnMentor found that eHAC, the test-and-trace application the Indonesian Ministry of Health uses to help ensure that travelers entering Indonesia aren't carrying the virus, may have exposed the personal data of about a million people.
Trevor Morgan, product manager with comforte AG, commented that the incident highlights two issues: public sensitivity in the time of the pandemic, and the ways in which developers can inadvertently build in vulnerabilities:
“The report that Indonesia is looking into a security flaw in a COVID-19 test-and-trace app accentuates two key issues around these types of applications. The first concern is that with sensitivities to these types of technologies already heightened by the pandemic and the politics surrounding it, having the threat of exposed PHI definitely means that users and the general public will be wary and more concerned for their data privacy.
"The second issue is that software and app developers often inadvertently build in data security vulnerabilities because data security seems to be a lagging concern in the development cycle—either a separate security team factors in data security later in the development cycle, or the software developers cut corners in order to get more critical features and functions nailed down and working at the expense of proper data security measures.
"The big push is to reposition data security upstream at the requirements and design phases so that data security is factored in by the developers throughout the entire development cycle and the application’s workflow.
"Of course, proper design should include data-centric security measures such as protecting sensitive data through format-preserving encryption and tokenization methods. That way, if PHI or other sensitive data is accessed, it is unreadable and therefore cannot be leveraged.”
Further developments in the Bangkok Airways ransomware incident.
The Register reports that the LockBit ransomware gang, following Bangkok Airways' refusal to pay the ransom, has begun to release the personal data it stole. The size of the data dump is variously reported, with estimates ranging from 103GB to more than 200GB.
Quentin Rhoads-Herrera, Director of Professional Services at Managed Detection and Response (MDR) services provider CRITICALSTART, commented on what's to be expected in data breaches of this kind, and offered some recommendations for Bangkok Airways and other organizations facing this sort of attack:
“Data theft is becoming very common alongside ransomware groups, and this category of ransomware that steals information with the threat to disclose is Double Extortion. It’s very important that organizations not only protect their backup infrastructure so they can recover after a breach but also protect their most important data and alert on large data leaving their infrastructure. In this instance, the data LockBit has obtained can be used to extort Bangkok Airways for additional cryptocurrency, or they can release it as a way to damage the brand of Bangkok Airways at the same time as receiving notoriety as a criminal organization.
"It is up to Bangkok Airways to notify the customers impacted, which might cause complications due to customers residing in several different countries. Adding on top of that, the different regulatory bodies like GDPR might require responses from the airways, further adding complexity. The primary thing Bangkok Air needs to do is identify the point of entry used by LockBit. If the LockBit group was able to gain entry due to an unpatched externally facing system, then not only do they need to evaluate their current external exposure, but they also need to improve their overall asset inventory and patch management processes to ensure systems are updated often. Understanding the way the criminals initially gained entry is pivotal to ensuring this doesn't occur in the future.
"Bangkok Air also needs to understand everything LockBit did once on the inside to ensure they harden their defenses and alert on similar activities in the future. With enough determination any criminal can breach a company. This is why it is very important that organizations work to lower their time to detect and respond as much as possible to limit the damage of such a breach.”
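One concrete form of the "alert on large data leaving their infrastructure" advice above is a bulk-egress detector over flow logs. The script below is an added illustration, not code from the article, The Register, or CRITICALSTART: it parses a handful of constructed flow-log lines, sums outbound bytes per internal host over a sliding window, ignores internal-to-internal traffic (so a large backup job to an internal target does not fire), and flags hosts whose peak window total exceeds a threshold. The log format, the internal address ranges, the 15-minute window and the 1 GiB threshold are all assumptions chosen for the example; a real deployment would baseline the threshold per host or per subnet.

```python
"""Bulk outbound-transfer detector over flow logs (added example, assumptions
marked inline; not part of the original article or any vendor's product)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample flow records (not real traffic):
#   <UTC timestamp> <src ip> <dst ip> <bytes from src to dst>
# 10.20.30.41 pushes ~2.3 GiB to an external host within a few minutes;
# 10.20.30.77 copies 5 GiB to an internal host (e.g. a backup target);
# 10.20.30.15 is ordinary low-volume browsing.
SAMPLE_FLOWS = """\
2021-09-01T01:00:05Z 10.20.30.15 142.250.72.14 18432
2021-09-01T01:00:40Z 10.20.30.15 142.250.72.14 22016
2021-09-01T01:02:10Z 10.20.30.41 45.133.1.22 734003200
2021-09-01T01:05:55Z 10.20.30.41 45.133.1.22 805306368
2021-09-01T01:09:30Z 10.20.30.41 45.133.1.22 943718400
2021-09-01T01:10:00Z 10.20.30.77 10.20.40.9 5368709120
2021-09-01T01:12:00Z 10.20.30.15 52.96.12.33 40960
"""

# Assumed internal ranges (RFC 1918); adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Return a list of (timestamp, src, dst, bytes) tuples from the log text."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(nbytes)))
    return flows


def find_bulk_egress(flows, window=timedelta(minutes=15), threshold=1 << 30):
    """Flag internal hosts whose outbound bytes to external destinations,
    summed over any sliding `window`, reach `threshold`.

    Returns a list of (src, window_start, peak_bytes) sorted by volume, so the
    biggest transfer is triaged first."""
    per_src = defaultdict(list)
    for when, src, dst, nbytes in flows:
        # Only internal -> external traffic counts as egress.
        if is_internal(src) and not is_internal(dst):
            per_src[src].append((when, nbytes))

    alerts = []
    for src, recs in per_src.items():
        recs.sort()
        start, total = 0, 0
        peak_total, peak_start = 0, None
        for when, nbytes in recs:
            total += nbytes
            # Shrink the window from the front until it spans at most `window`.
            while when - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total > peak_total:
                peak_total, peak_start = total, recs[start][0]
        if peak_total >= threshold:
            alerts.append((src, peak_start, peak_total))

    alerts.sort(key=lambda a: a[2], reverse=True)
    return alerts


if __name__ == "__main__":
    for src, started, total in find_bulk_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {src}: {total / (1 << 30):.2f} GiB to external hosts "
              f"in a window starting {started.isoformat()}")
```

With the sample data only 10.20.30.41 fires: its three transfers fall inside one 15-minute window and total about 2.3 GiB, while the 5 GiB internal copy from 10.20.30.77 is skipped because its destination is inside the internal ranges. Lowering the threshold to a few tens of kilobytes would also flag the browsing host, which is the usual tuning problem with volume-based rules and why the window and threshold should be set from observed per-host baselines.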
T-Mobile breach lawsuits continue.
T-Mobile is facing another class-action lawsuit as a result of the recent breach that exposed the data of millions of the mobile giant’s customers, Bloomberg Law reports. The plaintiffs filed a complaint in the US District Court for the Western District of Washington alleging that T-Mobile’s inadequate security left customer data vulnerable to attack. They also claim T-Mobile violated the Washington Consumer Protection Act by neglecting to establish a reasonable breach notification policy. This is at least the third lawsuit that has emerged this month as a result of the attack.
A delicate balancing act.
Benedict Evans explores the relationship between user privacy and ad tracking, and what that means for the future of competition. Tech platforms are struggling to find a way to protect user data while also tracking that data in order to tap into lucrative ad revenue. Proposals like Google’s FLoC (Federated Learning of Cohorts, an ad-targeting method that preserves a degree of anonymity by grouping browsers with similar histories into "cohorts" rather than tracking individuals) could allow tech giants to have their cake and eat it too, but questions abound. What data counts as private? Is there a way to obtain meaningful consent when users are bombarded with a never-ending stream of consent prompts? And can legislation keep up with the ever-changing landscape of data tracking?