Ransomware and universities. More fallout from the Accellion compromise. Back to paper records. Virginia's privacy law. Reaction to Clubhouse privacy issues.
Special Section
Summary
By the CyberWire staff
At a glance.
- Ransomware as a threat to universities.
- More breaches traced to Accellion FTA.
- Cybercrime temporarily drives hospital back to paper records.
- The Commonwealth of Virginia proceeds with privacy legislation.
- Security industry reaction to Clubhouse privacy issues.
Pandemic puts target on the back of higher education.
BlueVoyant has released its Cybersecurity in Higher Education report, in which the security firm offers a risk analysis of more than twenty-seven hundred universities in over forty countries. The unprecedented repercussions of the pandemic have pushed the field to rely heavily on remote teaching technologies, and cybercriminals are taking advantage of the ever-increasing attack surface. According to BlueVoyant’s findings, ransomware attacks against universities increased 100% in 2020 over 2019, making ransomware the top cyber threat these institutions faced last year. The report also found that a ransomware attack costs a university an average of $447,000, an expense that is heightened, the Daily Swig notes, when institutions are already suffering revenue losses due to decreased enrollment amidst the pandemic. Credential lists from universities are an especially hot commodity on the dark web, and universities are seeing an average of ten thousand brute force attacks per week. Higher ed is also seeing an increase in big game hunting, a tactic previously reserved for more lucrative industries. As two-thirds of the schools surveyed were lacking in email security protocols and more than three-quarters had unsecured remote desktop ports, it’s clear they are not prepared for this surge in attacks. BlueVoyant advises that university administrators institute multifactor authentication, require stronger passwords, and implement more intense monitoring of email accounts and networks.
Bryan Embrey, Director, Product Marketing, Zentry Security commented on why universities are attractive to ransomware gangs. “The sharp rise in ransomware attacks on universities is not surprising given the number of students and faculty studying and working remotely," he said. "Implementing zero-trust solutions that offer multi-factor authentication, single sign-on, and managed and monitored access to IT infrastructure can significantly reduce potential credential stealing as well as data loss and exfiltration. Educating students, faculty, and staff to the dangers of phishing and malware will also go a long way to raising universities’ security profiles.”
Chris Clements, Vice President, Solutions Architecture, at Cerberus Sentinel, also sent comments:
"Universities really are just about the perfect target for ransomware gangs. Their historically open nature and departmental autonomy can lead to networks that are easy for cybercriminals to navigate and IT fragmentation that misses basic security precautions like patching and centralized backup. Combine this with high revenues and you have a situation where attackers are more likely to find easier ways of gaining initial access, and that the potential payout if they are successful can be very lucrative.
"To protect themselves, universities must adopt a culture of security that requires a change of mindset in many areas. First, there needs to be a recognition that certain security baselines must be met regardless of the project or department and that all systems and applications require ongoing care and feeding to remain secure. Secondly, IT, and especially IT security, must embrace the attitude of efficient service delivery to enable the organization to accomplish their goals with as little friction as is possible. For security to be effective, at some level it has to be easy. Building out light-touch processes bolstered by secure defaults can go a long way to drastically improving educational organizations' adherence to the best practices needed to ensure a secure technology environment."
Accellion breach claims more victims.
Transport for NSW (TfNSW), the agency responsible for public transportation in New South Wales, Australia, is the latest organization to disclose that it was impacted by the data breach of California-based file sharing company Accellion, reports iTnews. The agency announced that TfNSW data were stolen before the Accellion breach was contained, but was not able to specify exactly what data were exposed. TfNSW is conducting an investigation in conjunction with Cyber Security NSW to determine the extent of the breach. According to chief cybersecurity officer Tony Chapman, multiple NSW agencies had been using Accellion’s file transfer service. The New South Wales health agency, NSW Health, has already stated that it was also impacted in the breach.
Bombardier has also been affected by a "third-party file-sharing" service compromise. The company doesn't identify Accellion, but the consensus is that Accellion is the third party involved. While much of the media attention has gone to an apparent compromise of aircraft design files, Bombardier itself in its disclosure made particular mention of the possibility that some employee and customer personally identifiable information may have been compromised. Trevor Morgan, product manager with comforte AG, sent comments via email:
“The fallout from the Accellion-centered breach continues, purportedly this time with Bombardier. The takeaways should be pretty clear to people keeping score. Always keep software up-to-date or replace it with next-generation software that’s supported by the vendor. If you think you’re safe from breaches like this, then it’s probably time you really reconsider your data security strategy and methods. Complacency is your worst enemy. And if you’re still depending on security methods that protect borders and perimeters, it’s probably time to think from a more data-centric perspective. If the data is the valuable part, protect the data and not the walls around it. That’s the data-centric approach in a nutshell.”
Data breach forces Illinois hospital to depend on paper processes.
Becker’s Hospital Review reports that Illinois hospital St. Margaret’s Health–Spring Valley has added its name to the growing list of US healthcare providers who have been hit in the wave of pandemic-era data breaches. In response, the hospital shut down much of its network, redirecting many of its services to neighboring hospitals and depending on telephone and fax for communication. Vice president of quality and community services Linda Burt stated, “Our computer systems periodically undergo updates that require the system to be shut down. So we just implemented all of our paper processes." While the investigation is still unfolding, there is no evidence that patient data were impacted.
Virginia’s new privacy law ("CDPA") follows in CCPA’s footsteps.
The California Consumer Protection Act (CCPA) will have a new east coast cousin in the form of the Consumer Data Protection Act (CDPA), reports AdExchanger. The bill was passed by the Virginia House of Representatives and Senate last week and is expected to soon be signed into law by the governor, making it the second comprehensive privacy regulation in the US. More stringent than the CCPA, the CDPA is an opt-in law and requires clear consumer consent, much like the EU’s General Data Protection Regulation (GDPR). While the CDPA does not set a specific revenue threshold for businesses (which the CCPA does), the new law is more restrictive in how it defines the word “consumer,” applying it only to Virginia residents who are not acting in a commercial or employment capacity. It’s also worth noting that Virginia’s bill is only enforceable by the attorney general, while the CCPA allows for a private right of action. While businesses that have educated themselves on the CCPA and GDPR should be prepared for the new law, Cillian Kieran, founder of privacy compliance firm Ethyca, told AdExchanger “it’s important to recognize that each state has nuances...there is no one-size-fits-all solution.”
More industry reaction to Clubhouse's privacy issues.
ESET has a useful overview of the privacy issues that have come to light with respect to Clubhouse. It's not unheard of for a newly popular app to be caught on the hop by security or privacy challenges it hadn't anticipated any more than it expected sudden explosive growth. Compare the experience of Zoom as it saw wide adoption as lockdown responses to the COVID-19 pandemic became common early last year. In the case of Clubhouse, a company representative confirmed that a user wrote a script to pull audio feeds from "multiple rooms" and make them available elsewhere. Clubhouse permanently banned that user and said it had put safeguards in place to prevent a recurrence, but ESET sensibly recommends that everyone be reticent about sharing personal information in Clubhouse (and not only there).
Saryu Nayyar, CEO at Gurucul, sees gaps in authentication and encryption. “The data leakage from audio chat app Clubhouse appears to hinge on a lack of proper authentication and a lack of end-to-end encryption," she said, and went on to say, "Add in the challenge of relying on 3rd party infrastructure and potentially their security as well, and it is easy to understand how something like this can happen. To be secure and private, applications must have their security baked in from the start. It needs to be embedded at every level, from the communications protocols up through the user interface. Unfortunately, cybersecurity is an afterthought for many developers and many organizations rely on their security stack to take over when expedited development takes precedence over secure coding practices.”
David Stewart, CEO of Approov, also commented on the limitations of user authentication: "The Clubhouse data spillage incident looks like yet another example of security based purely on authenticating the user. As we have seen over and over again, you can't keep scripts and bots out of your business unless you know what you are communicating with as well as who. It is therefore essential to authenticate both the user and the mobile app before granting access to your platform."
Selected Reading
Amnesty International: Hackers attacking Vietnam dissidents (News4Jax) Amnesty International says it has found that a hacking group known as Ocean Lotus has been staging more spyware attacks on Vietnamese human rights activists in the latest blow to freedom of speech in the communist-ruled country.
Vietnamese activists targeted by notorious hacking group (Amnesty International) Amnesty Tech investigation reveals hacking group Ocean Lotus is behind spyware attacks against Vietnamese human rights activists
Exploitation of Accellion File Transfer Appliance (CISA) This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States. These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).
Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet (Register) And what may be CAD drawing of a military radar antenna
Bombardier Statement on Cybersecurity Breach (Bombardier)
MINEBRIDGE Remote-access Trojan (RAT) 2021 (Zscaler) Threat actors distributing the MINEBRIDGE RAT in-the-wild have returned in 2021 with new and updated tactics, techniques, and procedures (TTPs).
Virginia’s New Privacy Law Takes Aim at Larger Business Entities (Lexology) Virginia’s new consumer privacy bill, expected to be signed into law as soon as April 2021, will elevate the Commonwealth’s approach to data privacy…
Cloud and Threat Report (Netskope) Download the latest Netskope Threat Labs Report for new cybersecurity research that highlights cloud threats, usage, and security trends.
3 Security Flaws in Smart Devices & IoT That Need Fixing (Dark Reading) The scope and danger of unsecured, Internet-connected hardware will only continue to deepen.
Ransomware threats to watch for in 2021 include crimeware-as-a-service (TechRepublic) BlackBerry researchers see more double-extortion ransomware attacks, attackers demanding ransom from healthcare patients, and rising bitcoin prices driving the growth of ransomware.
Everything You Need to Know About Evolving Threat of Ransomware (The Hacker News) Ransomware proves to be a different animal—most destructive, persistent, notoriously challenging to prevent, and is showing no signs of slowing down.
New NetMotion Survey Reveals Only 12% of Enterprises Worldwide Have Fully Embraced SASE (NetMotion Software) NetMotion announces the findings of its inaugural Secure Access Service Edge (SASE) global survey, revealing that pandemic-driven remote work has not led to wholesale SASE and SDP adoption.
U.S. municipalities are the perfect target for cybercriminals in 2021 (Help Net Security) Lax remote work security protocols enable cybercriminals to increasingly target municipalities using ransomware and other malicious actions.
Telework Exposes U.S. Government Employees to Increasing Credential-theft Mobile Attacks (PR Newswire) Lookout Inc., the leader in mobile security, today released its Government Threat Report, which examines the most prominent mobile threats...
CybelAngel Reveals How Cybercriminals Target Healthcare Sector (BusinessWire) CybelAngel published in-depth original research revealing how cybercriminals plan healthcare-related fraud, ransomware and other attacks.
Illinois hospital reverts to paper records, diverts imaging services after cyberattack (Becker's Hospital Review) St. Margaret’s Health–Spring Valley (Ill.) has shut down its computer network in response to a cyberattack Feb. 21, Shaw Local News Tribune reports.
Huawei chief criticises academic’s ‘false attack’ over 5G security risks (The Irish Times) Chinese telecoms firm tells senior Irish officials academic freedom is a ‘two-way street’
Unethical Stalkerware Apps Offer Parents Tools to Spy on their Children (PR Newswire) Avast (LSE:AVST), a global leader in digital security and privacy products, and member of the Coalition Against Stalkerware, carried out an...
Officials confirm cyber attack on Clearfield County computer system (WTAJ) Officials from Clearfield County reported Tuesday that a recent cyber event may have impacted the security of personal information for certain individuals asso…
FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group (ZDNet) FireEye: Hackers breached companies running FTA servers, stole private files, and are now publishing data on the Clop ransomware leak site.
Turkey Dog Continues to Target Turkish Speakers with RAT Trojans via COVID Lures (RiskIQ) Shortly after the COVID-19 pandemic began, there was a spike in threat infrastructure using the crisis to bait, deceive, and social engineer victims. Reports of threat campaigns attempting to fool Turkish-speaking users into downloading Android apps containing the Cerberus and Anubis banking trojans surfaced. Today, new RiskIQ data shows these attacks have not stopped, shedding light on the full extent of these campaigns.
Turkey Dog: Cerberus and Anubis Banking Trojans Target Turkish Speakers (RiskIQ) Since at least April 2020, campaigns distributing the malicious android applications Cerberus and Anubis have been targeting Turkish speakers with lures exploiting the COVID-19 pandemic.