At a glance.
- Recent cyberattacks targeting educational institutions.
- (Un)beautiful streamers.
- BitRAT phishing scam leverages stolen bank data.
- Behavioral advertising draws a fine under GDPR.
Recent cyberattacks targeting educational institutions.
International ransomware gang Vice Society is claiming it published the sensitive personal data of students and employees at Xavier University, located in the US state of Louisiana. The threat actors say university officials refused to meet their ransom demands after a cyberattack on the school’s network. Xavier President Reynold Verret sent an email to the university community on December 22 confirming that an attack occurred on November 22. Because school officials have released very few details about the incident, it is unclear how many individuals were impacted or what data were compromised. Emsisoft threat analyst Brett Callow told NOLA.com, "If you don't tell people what happens, they don't know that they should be on high alert. It increases the chance that one crime could result in another."
Michigan’s Hope College is currently under fire for withholding information about a September data breach. In December, the US school sent notification letters to approximately 155,000 individuals who were potentially impacted by the breach. Members of the school community are wondering why the school waited three months to inform the victims, and a former student told WZZM13 that recipients of the notification include alums who graduated over forty years ago. The compromised data potentially include student names, Social Security numbers, birth dates, and student ID numbers.
Across the pond in England, a multi-academy trust serving sixteen schools in West Yorkshire and the North West has disclosed it experienced a recent cyberattack, the Bradford Telegraph and Argus reports. In a letter to parents, trust chief executive Luke Sparkes stated, “We want to make you aware that Dixons has been subject to a cyber incident which has caused some disruption across our trust. Although the impact of the incident appears to be limited across our trust, we are currently still investigating. While we do this, we have decided, as a precaution and on advice from cyber specialists, to lock down many of our systems.” This includes some schools’ phone lines, and the community has been directed to their school’s website to stay up-to-date on the incident as the investigation unfolds.
If you thought movie theater prices were steep…
The 2022 World Cup attracted cyber-scammers who lured victims in by advertising fraudulent and malicious links supposedly offering free online streaming of the games. As Fox News explains, this technique is nothing new. There has been a rise in the number of fraudsters tricking unsuspecting movie fans into clicking on malicious links disguised as free access to popular movies and television shows. Researchers at ReasonLabs uncovered a 2021 operation that took advantage of users hoping to watch the latest Spider-Man film for free online while it was still in theaters. The link actually downloaded cryptocurrency mining malware to the victims’ devices, designed to hijack the device’s resources in order to mine digital currencies.
BitRAT phishing scam leverages stolen bank data.
Researchers at cybersecurity firm Qualys have discovered a new phishing campaign using sensitive stolen bank information to trick victims into downloading a remote access trojan called BitRAT. The attackers are believed to have infiltrated the networks of a Colombian cooperative bank in order to gain access to customer data, which they then use to make the phishing emails more convincing. Qualys uncovered a database dump containing 418,777 records including customer names, national identity documents, email addresses, phone numbers, payment records, salary details, and addresses, and it’s believed that the data were used by the scammers to craft their phishing messages.
BitRAT is off-the-shelf malware sold on cybercriminal marketplaces for as little as $20, and it offers a variety of functionalities to steal data or resources from its victims. Qualys researcher Akshat Pradhan told the Hacker News, "Commercial off the shelf RATs have been evolving their methodology to spread and infect their victims. They have also increased the usage of legitimate infrastructures to host their payloads and defenders need to account for it."
Ad practices draw a large EU fine (and may set precedents for online advertising).
Meta's advertising practices have drawn a €210 million (roughly $223 million) fine from European authorities. Meta is the corporate parent of Facebook, Instagram, and WhatsApp. The Wall Street Journal reports that what's at issue was Meta's "behavioral ads," which pitched specific ads to users based upon Meta's tracking of the users' online activity.
Ireland's Data Protection Commission (DPC), which oversees the activities of US companies on behalf of the larger European Union, announced the conclusion of its two investigations, and the fines. In summary, the DPC found that Meta Ireland violated transparency obligations under the General Data Protection Regulation (GDPR) by not clearly outlining to users the legal basis for processing their personal data. The DPC also found that Meta Ireland did not rely on consent as a lawful basis for processing personal data and instead relied on "contract" as the legal basis for processing personal data in connection with the delivery of personalised services. The DPC proposed substantial fines for Meta Ireland and directed the company to bring its processing operations into compliance within a short period of time.
The DPC summarized its findings as follows, and they’re worth quoting in full:
"1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.
"2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis."
The New York Times reports that Meta disputes the finding and intends to appeal the fines. It maintains that its targeted advertising properly respects the GDPR, the EU's General Data Protection Regulation, and that the terms of service it asks its users to accept constitute proper consent to tracking.
Added, 9:30 AM ET, January 5th, 2023.
Gil Dabah, co-founder and CEO of Piiano, sees the root cause of the dispute as creative lawyering: “This issue is related to Meta lawyers trying to be creative and bind the usage of Facebook and Instagram to personal ad targeting. They were not allowing users to continue using their services without being profiled for targeted ads. Meta has three months to comply with GDPR. Their future changes to their privacy policy and users’ consent can potentially impact the cost of advertising within Facebook and Instagram. Besides Meta’s fine of $400M, the outcome of this incident can be higher costs for advertisers.”