Friday Five: 1/10 Edition
Possible Iranian retaliation may include cyberattacks, laboratory testing company receives lawsuit after data breach, and another school district hit with ransomware - catch up on the week's news with the Friday Five.
1. DHS Warns of Possible Iranian Cyberattacks After Killing of Qassem Soleimani by Eduard Kovacs
News about the U.S. attack on Iran, and a possible retaliation, is consuming almost all media outlets this week. After Qassem Soleimani was killed last week by a U.S. airstrike, tensions quickly escalated, and Iran vowed revenge and threatened to take military and other actions against the United States. The U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings that some of the revenge may come in form of cyberattacks. The DHS has advised organizations to prepare for such incidents, and CISA's Director, Christopher Krebs, urged security officials to “brush up on Iranian TTPs, pay close attention to critical systems, particularly ICS, and watch third party accesses.” Iran has a robust cyber program and is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. On Saturday, the DHS issued a new National Terrorism Advisory System bulletin (.PDF) that acts as a summary of terrorism threats to the U.S.
2. Lawsuit Filed Against LifeLabs Over Data Breach by Sarah Coble
The cyberattack that we touched on a couple weeks ago that involved the exposure of data of 15 million customers of the Canadian laboratory testing company, LifeLabs, has now resulted in a lawsuit. LifeLabs paid the cybercriminals an undisclosed amount to not publicize the stolen information, and now they may face even more costs. Lawyers Peter Waldmann and Andrew Stein filed an unproven statement of claim on December 27 and are allegedly seeking $1.13 billion in compensation. On behalf of five named plaintiffs, LifeLabs is being accused of breach of contract and negligence. It is further alleged that the company violated consumer protection laws and their customers’ privacy and confidence by storing customers’ personal information on unsecured networks, failing to implement adequate cybersecurity measures, not encrypting data, and neglecting to hire or train any security personnel. The plaintiffs are seeking additional punitive and moral damages to make up for the mental anguish, wasted time, and damage to their credit reputation.
3. Why a Steak in California Comes With a Privacy Notice by Karl Bode
California’s new privacy law, the California Consumer Privacy Act (CCPA), is ending the era of corporations selling private data with little to no transparency or accountability. Companies now must make it clear to consumers that they have the right to opt out of the sale of their private data, and the data must be deleted within 45 days of a request. The law applies to corporation giants, such as Facebook, all the way to small brick and mortar companies. All businesses are required to inform consumers of the categories of personal information that they collect and how they plan to use it. One company that's complying with the law early on is the Brazilian steakhouse Fogo de Chão, which included a notice about the new law with their customers’ meals. The restaurant indicates that it’s simply trying to comply with the CCPA and is informing customers that they can opt out of having their data sold. Data obtained by the restaurant was previously used to engage with customers on social platforms, market to them, track rewards, conduct surveys, or facilitate requests to send communications to customers. Although this slip of paper may make some customers a bit uncomfortable, it is a step in the right direction and companies will have a better idea of how to best comply with the law once California's Attorney General begins enforcing it.
4. Hackers Hit Pittsburg Schools with Ransomware Attack by Alejandro Serrano
On Monday, school officials from the Pittsburg Unified School District - a public school district in California - reported that the school's computer system was hit by a ransomware attack over winter break, something which forced them to shut down the district’s email and server for a period of time. The servers that were thought to be in jeopardy were taken offline immediately and the school officials solicited external help from information technology firms and lawyers. Fortunately, there is no indication that any personal data or information was exposed. The attack is still impacting operations in the school district however. Students returned to school on Tuesday but classes resumed without the use of any laptops or internet. The investigation into the ransomware attack is still ongoing, so the school district is unable to provide students and families with any further details or definite findings.
5. City of Las Vegas Said it Successfully Avoided Devastating Cyber-Attack by Catalin Cimpanu
The city of Las Vegas suffered a breach that took place on January 7 at 4:30 a.m. City officials immediately detected the breach and promptly took the necessary security measures to prevent any damage. To protect impacted systems, several services were taken offline as the city’s software security systems and IT staff worked to secure the network. In a statement published on Twitter, the city reassured residents that it avoided a potentially devasting situation, and that it has resumed full operations with all data systems functioning as normal. "We do not believe any data was lost from our systems and no personal data was taken. We are unclear as to who was responsible for the compromise, but we will continue to look for potential indications," the city also added. It is likely that the threat actors gained access to the city’s network via malicious email, but an investigation by the city's system analysts into the breach is ongoing. The type of attack is also still unclear, but if it turns out to be ransomware, it is just the latest in the string of attacks on major US cities like Atlanta, Baltimore, and more recently New Orleans.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business