Skip to main content

Friday Five 1/7

by Chris Brook on Friday January 7, 2022

Contact Us
Free Demo

A scientist pleads guilty to stealing trade secret data, a new proof-of-concept iPhone Trojan, and more - catch up on the infosec news of the week with the Friday Five!

1. Health tech vendor QRS faces lawsuit after data theft impacting 319K patients by Jessica Davis

On Wednesday, SC Media recapped a new class action lawsuit that QRS, which makes an electronic portal used by healthcare organizations, is facing following the breach of information belonging to over 300,000 patients last summer. In the suit, filed on Monday, the breach victims claim they've suffered "diminished value to their personal data, out-of-pocket expenses for responding to potential fraud and identity theft risks, lost time and money for recovery efforts, and continued risk to their data." It's unclear exactly what led to the data breach; the suit claims the company failed to implement federally recommended cybersecurity measures but doesn't specify which one wasn't addressed. Attackers didn't compromise every QRS system, just a single portal belonging to an organization; still the information compromised including data - Social Security numbers, patient identification numbers, treatments, diagnoses, and other sensitive data - on 319,778 patients.

Read more

2. F.B.I. Arrests Man Accused of Stealing Unpublished Book Manuscripts by Elizabeth A. Harris

The federal government closed the book - pun absolutely intended - this week on a caper that's puzzled the literary community for years when the FBI arrested an Italian man in connection to the theft of unpublished book manuscripts. According to the FBI, Filippo Bernardini, a 29-year-old rights coordinator for Simon & Schuster UK “impersonated, defrauded, and attempted to defraud, hundreds of individuals” by conducting phishing attacks, tricking recipients into surrendering their login credentials to publishing websites. According to the New York Times, which broke down the indictment on Wednesday, Bernardini used phony domains, similar to the actual ones, more than 160 in total, to dupe publishing professionals. Bernardini was arrested after he landed in New York City and was charged with wire fraud and aggravated identity theft, according to the court filing.

Read more

3. New iPhone malware spies via camera when device appears off by Jovi Umawing

MalwareBytes digs into new research around NoReboot, malware that can apparently track users even when they're turned off. The malware, a proof-of-concept iPhone Trojan, can let attackers use the phone's microphone and camera to spy on victims by simulating a shutdown or reboot. The proof-of-concept attack hijacks the shutdown event on iOS by injecting code into three daemons, which in turn displays a black screen. While the attack is a proof-of-concept, as MalwareBytes notes, it could only be a matter of time until its co-opted by attackers. To truly restart your phone hold down on the iPhone's restart buttons to force it to reboot.

Read more

4. Chinese scientist pleads guilty to stealing US agricultural tech by Charlie Osborne

It took a few years but a former Monsanto employee, suspected of stealing trade secret data dating back to 2014, finally pleaded guilty this week to conspiracy to commit economic espionage. The Department of Justice revealed on Thursday that Xiang Haitao conspired to steal a trade secret from the agrochemical company to benefit China. Mr. Xiang used his insider status at a major international company to steal valuable trade secrets for use in his native China,” U.S. Attorney Sayler Fleming for the Eastern District of Missouri said in a press release this week. “We cannot allow U.S. citizens or foreign nationals to hand sensitive business information over to competitors in other countries, and we will continue our vigorous criminal enforcement of economic espionage and trade secret laws. Xiang was first arrested way back in 2017 while trying to board a flight to Shangai with sensitive trade secret related to crop analysis on a storage device connected to his laptop. It wasn't until two years after, in 2019, that Xiang, a Chinese citizen was indicted.

Read more

5. French privacy regulator slaps Facebook, Google with fines totaling nearly $240M by Tim Starks

It seems like every few months France's data protection authority, the National Commission on Informatics and Liberty, or CNIL, hands down a larger than life fine to one of the major tech companies. It kicked off 2022 with more of the same, fining Google nearly $170 million and Facebook nearly $70 million, for actions it claims violate the French Data Protection Act. Specifically, CNIL claims the companies are making it harder for users to refuse cookies; while users can enable cookies with one click, it takes multiple clicks to refuse them all.

Read more

Tags:  IP theft Malware Data Theft

Recommended Resources

The Definitive Guide to DLP

  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives

The Definitive Guide to Data Classification

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business