Friday Five: 9/21 Edition
Foreign government hackers target senators' e-mails, Mirai botnet hackers sentenced, and more - catch up on the week's infosec news with this wrap-up!
1. State-backed hackers target Gmail of US senators, aides by Frank Bajak and Raphael Satter
Google said this week that it was indeed the company that notified U.S. senators and their aides that their personal email accounts had been targeted by foreign government hackers. Ron Wyden (D-Ore.) told Senate leaders that his office had seen the warning emails on Wednesday, but it took until Thursday for Google to confirm that it was the company behind the emails. Google said nothing else with regard to the break-ins, only that it had warned the politicians. The news isn’t a huge surprise; this sort of stuff is par for the course for Google. In fact, the company announced back in 2012 that it would alert users who it believes are the target of state-sponsored attacks. It’s even less surprising when you realize that Google has over 1 billion monthly active Gmail users, a portion of which are no doubt politicians and beltway dwellers.
2. ICO to Fine Equifax £500,000 for 2017 Data Breach by David Bisson
The wheels of the law, no matter which country, take some time to spin. Perhaps that's why it took the U.K.'s Information Commissioner's Office a year to fine Equifax for last year's mammoth breach of 155 million Americans. Interesting to note: Since the breach occurred between May and July last year, it wasn't subject to GDPR investigation. Instead, the ICO imposed the maximum fine under section 55A of the Data Protection Act of 1998, 500,000 pounds. “In respect of the UK data, Equifax Ltd had failed to take appropriate technical and organisational measures against unauthorised and unlawful processing of that data...” the ICO said in a monetary penalty notice. “The affected data included personal data contained in up to 15 million unique records of UK individuals.”
3. Mirai botnet hackers will serve their time working for the FBI by Mallory Locklear
As many expected, this week the trio behind the Mirai botnet, an attack that leveraged a swathe of IoT devices and led to a wave of denial of service attacks in 2016, agreed to work with the FBI as punishment for the crime. The men pleaded guilty in December, but it wasn't until this week that they were sentenced. The most interesting catch here: The three have to work with the FBI when it comes to mitigating cyber crime and cybersecurity matters. As Engadget and Wired pointed out this week, the trio have already started chipping in: They worked with the FBI to thwart DDoS attacks around Christmas, a prime time for such attacks. They've also been working to “surreptitiously record the activities of known investigative subjects,” among other projects.
4. Canada Prepares for New Breach Notification Era by Tom Field
Okay, not an article but a video, but still useful, especially if you’re curious about what organizations in Canada can expect once November 1 hits. Data breach notification requirements pursuant to the country's Digital Privacy Act kick in on that date. The regulations were outlined in guidance, Breach of Security Safeguards Regulations, back in April, and largely bring the country in line with the EU's General Data Protection Regulation, which makes sense, as many Canadian companies deal with both Canadian and European law. An attorney, Imran Ahmad of Toronto-based Miller Thomson LLP, talks to Tom Field, Senior Vice President of Editorial for ISMG, here about what organizations in the Great White North can expect when it goes into effect.
5. The hospital digital revolution & what it means for cybersecurity: 4 Qs with University Hospital Newark, New Jersey's CISO by Jackie Drees
Again, not an article but still worth a few minutes of your time: A quick Q&A via Becker's Health IT & CIO Report, with Jim Garret, the chief information security officer at University Hospital, in Newark, NJ. Garret trumpets the importance of data integrity, discusses how dangerous denial of service attacks can be to a hospital, and gives advice for other hospital CISOs to follow after being hit by a cyberattack.