At a glance.
- Cyberattack on hotel chain may have exposed data.
- AirTag stalking.
- Lessons learned from Ireland's Health Services Executive (HSE) cyber incident.
- London ordered to give an account of cybersecurity training.
Hong Kong hotel chain suffers cyberattack.
Hong Kong’s Harbour Plaza hotel group has disclosed it was hit with a cyberattack last week, RTHK News reports. Ada Chun of the Office of the Privacy Commissioner for Personal Data says the privacy watchdog will be investigating the incident, which exposed the data of 1.2 million customers of the hotel chain. The goal of the probe is to gather more information regarding exactly what personal information was compromised. In the meantime, customers have been advised to be on the lookout for any suspicious activity in their financial accounts and to be wary of any unusual emails, calls, or texts.
You are the Apple of my AirTag.
Just in time for Valentine’s Day, New York Times journalist Kashmir Hill recounts her adventures in (consensual) spousal surveillance after stashing Apple AirTags, Tile Bluetooth trackers, and another tracker from the company LandAirSea in the recesses of her husband’s car. Hill hoped to see just how effective the devices are at tracking their targets, and also to determine how long it would take for her husband to discover he was being tracked. Apple has faced controversy in the year since the AirTags’ launch, as individuals have reported finding the devices placed in their belongings without their knowledge. Some privacy experts have applauded Apple’s built-in feature warning individuals if an AirTag appears to be tracking them, but others feel the notification is inadequate, as targets have little recourse. While Apple did alert Hill’s husband that he was being tracked, he was unable to determine where the AirTag was hidden. That said, Hill found that the AirTags’ and Tiles’ capabilities were limited by their reliance on Bluetooth, while the LandAirSea device gave her far more precise details about her husband’s movements. When Hill asked LandAirSea why neither its packaging nor its website mentions the legal ramifications of spying on someone with its device, Jared Zientz, the director of analytics, stated, “It’s in our terms somewhere,” but noted that differing state laws make it difficult for the company to make general statements about privacy.
Learning from the attack on Ireland’s health system.
Last year’s cyberattack on Ireland’s Health Services Executive (HSE) was one of the largest the country has ever faced, and consultancy firm PwC’s just-released report on the incident sheds light on why it happened and what can be done to protect against future attacks. Schneier on Security highlights the inadequate security practices noted in the report, such as the HSE’s lack of a Chief Information Security Officer and the absence of any cyber incident response or recovery plan for a ransomware attack of this scale. In addition, Information Security Managers were under-resourced and distracted by overseeing the COVID-19 vaccination system, causing them to overlook multiple red flags signaling the attack. Machines running the outdated Windows 7 operating system with ineffective patching exacerbated the damage of the incident. The Stack calls the recommendations in the report a “corporate textbook” on preventing such attacks. PwC recommends the establishment of “clear responsibilities for IT and cybersecurity across all parties that connect to the [National Healthcare Network, or NHN], or share health data, or access shared health services,” as well as a “code of connection that defines the minimum acceptable level of security controls necessary to connect into the NHN.”
London municipal government ordered to report on cybersecurity training.
UK local government authority Hackney Council has been tight-lipped about the details of the Pysa ransomware attack it experienced in October 2020, and Computer Weekly reports the council could face action from the Information Commissioner’s Office (ICO) if it doesn’t start talking. Darren Martin, a Liberal Democrat campaigner who submitted a Freedom of Information request about the council’s staff IT security training, stated, “If it turns out that the attack that has left our vital services crippled in the borough since 2020…could have been avoided by additional training and security – then the mayor of Hackney and the Labour administration need to take full accountability for that.” The council denied Martin’s request, citing exemptions related to revealing information about the prevention or detection of crime. In response, the ICO sent the council an information order requesting more details about the rejection of the request, but so far no answers have been supplied. “The criminal investigation into the attack is ongoing and sophisticated criminal groups continue to target all organizations,” said a council spokesperson. “Even information that might appear low-risk may help criminals to cause further harm to the council and our residents.”