Daily News Digest

Stay current on the global cyber threat landscape and industry developments with CCOE’s daily digest and library of cybersecurity news and articles.

  • US City Fined Over Former Employee's Data Theft

    • New Haven, Connecticut, agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights and adopt a corrective action plan that includes two years of monitoring to resolve a HIPAA (Health Insurance Portability and Accountability Act) violation case.
    • The OCR launched an investigation in May 2017 after receiving a data breach notification from New Haven in January of that year. OCR found that the city's health department had failed to remove the access rights of an employee who had been fired the previous summer during her probationary period.
    • The OCR stated: "Using her work key, the former employee entered her old office and locked herself and the union representative inside. While inside the office, the former employee logged into her old computer, with her user name and password, and downloaded information off of her computer onto a USB drive."
    • OCR investigators found that New Haven failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures and access controls such as unique user identification.
    - Sarah Coble | November 2, 2020
  • (hak-iq.us20.list-manage.com)
  • Important Cybersecurity Lessons Learned During The Pandemic

    • Given the importance of the user domain in an IT infrastructure, at my company, we’ve maintained a reliable access control system internally during the pandemic that emphasizes training, segregation of duties and the principle of least privilege for all internal users and employees.
    • Training is vital to ensure security in the user domain.
    • Segregation of duties (also known as separation of duties) is an essential principle in cybersecurity that ensures that employees do not have access to systems that will lead to conflicts of interest, fraud or abuse.
    • A secure user domain has helped strengthen the detective and preventive security measures that we also have in place at our organization. Another connection to the lesson touches on proactive cybersecurity measures like the importance of patch management.
    - David Obasiolu | November 2, 2020
  • Alibaba's Lazada Suffers Data Breach Involving 1.1M Users

    • Singapore-based Lazada Group, an e-commerce company owned by Chinese tech giant Alibaba Group Holdings Ltd.
    • Lazada confirmed to CNBC that personal data was stolen but claimed the information affected was "more than 18 months out of date."
    • Despite claims that the company does not store credit card numbers and CVV details, Lazada told users to track any “unusual activity or suspicious transactions on your credit cards.”
    • Alibaba gained a controlling interest in Lazada in April 2016 for $1 billion. Six months later, in November
    - Aditya Raghunath | November 2, 2020
  • Home Depot Canada exposes private customer data following systems error

    • The first reports of the data breach appeared on Twitter on Oct. 28 as customers said they received reminder emails by mistake for hundreds of orders that were ready to pick up. The emails included customer names, email addresses, order numbers and the last four digits of customer payment cards.
    • Customers must be warned that the following scenario could play out:
      • “After this event, any attacker with that information on orders in process or ready can just call or send a look-alike email and say ‘Sorry about this data breach, let us offer you this $50 gift card – please click here to receive it.’
      • “And then, a smart attacker would send a follow-up email or a text to each consumer whose data was leaked, saying ‘we’re sorry – please check your email, we’ve just sent you a gift card as a valuable customer. You can also access your gift card by clicking here.’ Or they could pretend to call from HD Customer Service to collect the complete credit card information.”
    - Duncan Riley | November 1, 2020
  • California’s Proposition 24 – CCPA 2.0 Meets the California GDPR

    • Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA).
    • Two provisions in particular are very GDPR-like; specifically, the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information.
    • CPRA creates a new category of data, similar to GDPR, for sensitive personal information.
    • The CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices.
    • The CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16.
    • The CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.
    • The above is NOT ALL INCLUSIVE.
    - October 30, 2020
  • A new scam uses Google Drive to send out a deluge of dodgy links

    • The success of email spam filters has left scammers looking for new ways to get people to click on malicious links. And Google Drive is pretty accommodating.
    • Scammers are luring people into Google Drive documents in an attempt to get them to visit potentially malicious websites.
    • The smartest part of the scam is that the emails and notifications it generates come directly from Google. On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document.
    - James Temperton | October 29, 2020
  • How phishing attacks are targeting schools and colleges

    • Spear phishing campaigns were aimed evenly against most organizations throughout the summer, followed by an increase in September. In contrast, campaigns against the educational sector fell in July and August when schools were closed, and then jumped in September when students returned.
    • The types of attacks against schools also shifted from summer to fall. In July and August, attackers focused on email scams that were less targeted and deployed in large numbers.
    • Targeted BEC campaigns were more common during typical school months such as June and September.
    - Lance Whitney | October 29, 2020
  • Home Depot Confirms Data Breach in Order Confirmation SNAFU

    • Home Depot has exposed the private order confirmations of hundreds of Canadian consumers, containing names, physical addresses, email addresses, order details and partial credit-card information.
    • After customers began reporting that they had received hundreds of emails from the home-improvement giant, each containing an order confirmation for a stranger, the company confirmed the issue.
    • Home Depot was the subject of one of the most high-profile data breaches ever to come to light, with 50 million credit card numbers stolen and 53 million email addresses pilfered by unknown attackers in 2014.
    - Tara Seals | October 29, 2020
  • Advice for estate agents on avoiding data breach

    • As an estate agent, it’s likely that your job requires you to handle sensitive data and large sums of money often.
    • The biggest mistake any company can make is not putting in these preventative measures before a data breach occurs. Although it may seem like a lot of time and money to spend on this, the long-term benefits of avoiding a breach will be worth it.
    • Hiring an expert to spot any suspicious activity within your systems is a really important step to secure data. They will be able to identify any strange activity, and patch up any gaps in your system to combat it.
    • Working on secure devices is also extremely important within any estate agency to minimise the risk of malicious infiltration.
    - Richard Forrest (Property Industry Eye) | October 29, 2020
  • Gunnebo data breach: Blueprints of bank vaults, security systems leaked online

    • A cyber attack that struck Swedish security company Gunnebo in August led to the exposure of 38,000 internal documents containing blueprints of bank vaults, security doors, alarm equipment, and security functions for ATMs.
    • The company said that soon after its IT department established that unauthorised persons had tried to enter the company's IT environment, it shut down the servers to isolate the attack; thanks to the rapid intervention, the operational impact was minimal and operations resumed quickly.
    • Commenting on hackers leaking sensitive data stolen from organisations, Warren Poschman, senior solutions architect with comforte AG, said that if the data had been properly secured with technologies such as tokenisation or format-preserving encryption, the sensitive details would still be secure and worthless as an instrument of blackmail or identity theft.
    - Jay Jay (teiss) | October 28, 2020