The CyberWire Daily Podcast 5.1.24
Ep 2058 | 5.1.24

Retirement plan breach shakes financial giant.

Transcript

A breach at J.P. Morgan Chase exposes data of over 451,000 individuals. President Biden Signs a National Security Memorandum to Strengthen and Secure U.S. Critical Infrastructure. Verizon’s DBIR is out. Cornell researchers unveil a worm called Morris II. A prominent newspaper group sues OpenAI. Marriott admits to using inadequate encryption. A Finnish man gets six years in prison for hacking a psychotherapy center. Qantas customers had unauthorized access to strangers’ travel data. The Feds look to shift hiring requirements toward skills. In our Industry Voices segment, Steve Riley, Vice President and Field CTO at Netskope, discusses generative AI and governance. Major automakers take a wrong turn on privacy. 

Today is May 1, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A breach at J.P. Morgan Chase exposes data of over 451,000 individuals. 

J.P. Morgan Chase has reported a data breach impacting over 451,000 retirement plan participants, according to a filing with the Maine Attorney General. The breach exposed names, addresses, Social Security numbers, payment details, and bank account information linked to direct deposits. This incident, discovered on February 26, was due to a software flaw and not a cyberattack. There's no evidence of data misuse. The breach occurred when three users, linked to J.P. Morgan customers, accessed unauthorized information through system reports between August 2021 and February 2024. The bank responded by updating the software to prevent future breaches and is offering two years of identity theft protection through Experian to affected individuals.

President Biden Signs a National Security Memorandum to Strengthen and Secure U.S. Critical Infrastructure.

President Joe Biden has signed a National Security Memorandum (NSM-22) aimed at securing and enhancing the resilience of America's critical infrastructure, replacing a previous policy from President Barack Obama's era. This comprehensive strategy focuses on protecting infrastructure against current and future threats by refining federal roles in security, resilience, and risk management, and implementing a coordinated national approach.

NSM-22 establishes minimum security requirements, accountability mechanisms, and leverages federal agreements to enforce these standards. It also improves intelligence collection and sharing related to infrastructure threats, involving federal, state, local, tribal, territorial, private sector, and international partners to facilitate risk mitigation. Additionally, the memorandum promotes investments in technologies that mitigate risks from evolving threats and strengthens international collaborations for global infrastructure security.

The Department of Homeland Security (DHS), led by the Cybersecurity and Infrastructure Security Agency (CISA), will spearhead this whole-of-government effort, with CISA acting as the National Coordinator for Security and Resilience. The initiative reaffirms the designation of 16 critical infrastructure sectors, each managed by a specific Sector Risk Management Agency (SRMA) responsible for risk management and coordination.

The policy directs federal departments and agencies to implement these strategies while respecting privacy, civil rights, and civil liberties. It also sets timelines for risk management plans and sector-specific assessments, emphasizing the need for a robust federal framework to combat the complex and frequent threats facing critical infrastructure, ensuring national vigilance, security, and resilience.

Verizon’s DBIR is out. 

Verizon's 2024 Data Breach Investigations Report (DBIR) is out, highlighting key trends in cybercrime. It reveals a significant 180% increase in attacks exploiting vulnerabilities compared to last year. This surge was predominantly due to Ransomware and Extortion-related threats, with web applications being the common entry point. Ransomware and other Extortion techniques contributed to one-third of all breaches, with pure Extortion attacks making up 9% of incidents. The report also notes a growing trend of breaches involving third-party vulnerabilities and errors, with errors now accounting for 28% of breaches. Additionally, phishing remains a critical concern, with users typically succumbing to phishing emails in less than a minute. Financial losses from Ransomware and Extortion attacks vary greatly, with a median loss of $46,000. The report aims to guide organizations in enhancing their security measures against evolving cyber threats.

Cornell researchers unveil a worm called Morris II.

Researchers at Cornell Tech have developed "Morris II," a generative AI worm that poses significant risks by spreading through interconnected AI systems. Named after the infamous 1988 Morris worm, Morris II can hijack generative AI email assistants to exfiltrate data and distribute spam. It exploits large language models (LLMs) by using an "adversarial self-replicating prompt" technique, which compels the AI to generate a prompt that further spreads the malicious code. The researchers demonstrated Morris II's capabilities by sending emails containing these prompts, which then poisoned AI systems like ChatGPT and Gemini by leveraging Retrieval-Augmented Generation (RAG). This could potentially jailbreak AI services, allowing unauthorized access to data. OpenAI recognized the vulnerabilities highlighted and is working to fortify its systems against such attacks.

A prominent newspaper group sues OpenAI. 

Eight prominent U.S. newspapers owned by Alden Global Capital, including the New York Daily News and Chicago Tribune, are suing OpenAI and Microsoft for copyright infringement, claiming the tech giants used their articles to train AI models without permission. This lawsuit, filed in the Southern District of New York, builds on a similar case by the New York Times and emphasizes the growing legal challenges AI companies face from publishers. Unlike others who have negotiated paid deals, these newspapers allege that their content was used unlawfully to enhance AI products like ChatGPT and Copilot, also accusing the firms of reputational damage through AI-generated inaccuracies. The outcome could reshape compensation structures for news content in the AI era.

Marriott admits to using inadequate encryption. 

Marriott admitted in a court case about a 2018 data breach that it had used the outdated Secure Hash Algorithm 1 (SHA-1) rather than the more secure AES-128 encryption it previously claimed. This disclosure came during a hearing in the U.S. District Court for the District of Maryland. Marriott’s misrepresentation of its security measures could have serious legal and financial implications, including potential lawsuits from its insurance carrier and impacts on its stock prices. The revelation also complicates the breach's fallout, as SHA-1's vulnerability to quick hacking could mean that sensitive data was not as secure as stakeholders were led to believe. Marriott has faced scrutiny for not disclosing this correction more transparently, only adding a brief update to an old webpage rather than issuing a new statement.

A Finnish man gets six years in prison for hacking a psychotherapy center. 

A Finnish court has sentenced a 26-year-old man, Aleksanteri Kivimäki, to over six years in prison for a major cybercrime involving the hacking of around 33,000 patient records from the Vastaamo psychotherapy center. Kivimäki's crimes included an aggravated data breach, nearly 21,000 aggravated blackmail attempts, and over 9,200 instances of aggravated dissemination of private information. He was arrested in France in 2023 and deported to Finland for trial. The court described his actions as "ruthless" and "very damaging," particularly given the vulnerable psychological state of the victims. Some victims even succumbed to suicide due to the breach. After the center refused his ransom demands, Kivimäki leaked the data on the dark web and directly extorted patients.

Qantas customers had unauthorized access to strangers’ travel data. 

Australian airline Qantas experienced a data mishap where customers logging into the airline's app inadvertently accessed other users' information, including names, upcoming flight details, and frequent flyer points. This incident, reported widely on social media, occurred over two periods on Wednesday and allowed some customers to view and interact with bookings not their own, even leading to accidental cancellations. The airline attributed the issue to a "technology issue" related to recent system updates, clarifying that it was not a cybersecurity breach. Despite the exposure, Qantas assured that no financial data was compromised and that no unauthorized boarding occurred. The airline has since advised customers to re-login to their accounts and is closely monitoring the situation.

The Feds look to shift hiring requirements toward skills. 

Federal agencies are set to adopt skill-based hiring for IT roles by next summer, focusing on actual proficiencies rather than traditional qualifications like degrees or years of experience. This shift, announced by National Cyber Director Harry Coker, aims to fill nearly 100,000 IT positions and address a wider cyber job gap currently leaving about 500,000 roles vacant across the U.S. This new hiring approach, which also applies to federal contractors, is part of a broader initiative to diversify the cybersecurity workforce, often underrepresented by women and people of color, and to bolster the nation's defenses against escalating cyber threats. The move aligns with the Biden administration's strategy to leverage federal influence to drive private sector change, particularly in critical areas like cybersecurity.

On our Industry Voices segment, Netskope’s VP and Field CTO Steve Riley joins us to talk about generative AI and governance. 

We’ll be right back

Welcome back

Major automakers take a wrong turn on privacy. 

A Senate probe, spearheaded by Senators Ron Wyden and Ed Markey, has exposed hypocrisy among most major car manufacturers: they've been sharing drivers' location data with law enforcement without requiring warrants, blatantly contradicting their public pledges of privacy protection. Despite previously committing to needing a warrant or court order before disclosing such sensitive information, only five out of the fourteen automakers surveyed actually adhere to this practice, and just one informs customers of law enforcement requests. This deception has led the senators to demand a Federal Trade Commission (FTC) investigation into these misleading practices and the automakers' data retention policies. The Alliance for Automotive Innovation's statements on commitment to privacy starkly contrast the reality of these findings, further fueling frustrations over the lack of transparency and respect for consumer privacy. This breach of trust highlights the need for stringent regulatory oversight to ensure that automakers live up to their promises and protect consumer data as they claim to.

Maybe what we really need is a little dashboard light that comes on every time your car is ratting you out to law enforcement. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.