At a glance.
- Maryland confirms ransomware attack.
- Austria finds a use of Google Analytics to be a GDPR violation.
- Accellion settles breach suit.
Maryland confirms that a recent cyber incident was a ransomware attack.
After previously declining to disclose details in the wake of a December attack on the Maryland Department of Health, officials have now confirmed that the cyber incident was, in fact, a ransomware attack. Maryland Matters reports that Chip Stewart, Maryland Chief Information Security Officer, explained, “While the investigation is ongoing — and occurring on a parallel track to our restoration efforts — we can confirm this much today: this was, in fact, a ransomware attack.” Maryland Governor Lawrence J. Hogan Jr. stated that although the attackers requested an extortion payment, the state did not concede. “Unlike Texas and I think a couple of other dozen states, we haven’t lost hundreds of millions of dollars, and we haven’t compromised millions of people’s data.” Atif T. Chaudhry, deputy secretary of operations for the Department of Health, said the agency is working with the Department of Information Technology in coordination with the federal government to recover from the attack. The House Health and Government Operations and Senate Education, Health and Environmental Affairs committees will hold an online hearing today to discuss further details.
Austrian DPA finds website’s use of Google Analytics in violation of GDPR.
Austria’s Data Protection Agency (DPA) has found Austrian health website netdoktor.at to be in breach of the EU’s General Data Protection Regulation (GDPR) for its use of Google Analytics to track user data. The watchdog determined that site visitors’ IP addresses and identifiers used in cookies should be considered personal data, meaning the transfer of this data is in violation of Chapter V of the GDPR. As TechCrunch explains, the decision could have far-reaching implications, as it sets a precedent for the use of tools that require the transfer of Europeans’ personal data to the US for processing, and it emphasizes the need for data handlers to institute supplementary measures to enhance standard provisions in order to comply with the EU law. As Austrian privacy expert Max Schrems stated, “Instead of adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.” In response to the Austrian watchdog’s decision, Schrems commented, “This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”
Accellion reaches settlement in breach lawsuit.
Reuters reports that Accellion has reached an $8.1 million settlement in the class-action lawsuit connected to last year’s massive attack on its legacy file transfer platform. In what many consider to be one of the largest breaches in US history, hackers exploited a vulnerability in Accellion's platform in order to gain access to the data of millions of individuals and high-profile clients like leading supermarket chain Kroger and law firm Jones Day. The suit’s plaintiffs claimed that the tech company was at fault for neglecting to properly secure the data. While the settlement resolves claims against Accellion, there are several outstanding claims against Accellion clients like Flagstar Bancorp and Health Net LLC that are awaiting decisions. Kroger has agreed to a $5 million settlement that has received preliminary court approval.