Compiled by: Richard Sheinis, Esq.

Supreme Court Denies CareFirst’s Petition to Review Data Breach Case
FierceHealthcare

The U.S. Supreme Court has denied an appeal filed by CareFirst to review a case stemming from a 2014 data breach. The Supreme Court issued its decision on Tuesday, eliminating the possibility, for now, that the court will weigh in on questions about whether the possibility of harm from a data breach …

Hospitals Account for One-Third of Healthcare Data Breaches, Affect the Most Individuals
Clinical Innovation + Technology

Of all types of healthcare providers, hospitals accounted for one-third of all data breaches and affected the largest number of individuals compared to doctors, nurses and social workers, according to a study published in The American Journal of Managed Care. The healthcare industry has been the …

SPH Issues Apology Over HardwareZone Data Breach Affecting 685,000 Users
Marketing Interactive

Singapore Press Holdings Magazines (SPH Magazines) and HardwareZone (HWZ) have apologised for a data breach affecting 685,000 user profiles on the forum site. Meanwhile, a police report has been lodged and the Personal Data Protection Commission (PDPC) has been informed, according …

Lack of Security Upgrades Threaten Health IT Infrastructure
HITInfrastructure.com

This means that more advanced IT infrastructure security will protect against cyberattacks that target hospitals based on their prominence. Entities have the responsibility to deploy security solutions that will protect their entire network. Physical healthcare data backup methods put patient data at risk …

Watch Out. North Korea Keeps Getting Better at Hacking
NBCNews.com

WASHINGTON — In the latest indication that North Korea’s cyber operations are more sophisticated than commonly realized, computer security researchers have identified a group of government hackers and spies in the hermit kingdom who are capable of stealing documents from computers that aren’t …

Australia’s Notifiable Data Breaches Scheme Commencing on February 22
OpenGov Asia

The NDB scheme mandates that Australian Government agencies and the various organisations with obligations to secure personal information under the Privacy Act 1988 (Cth) (Privacy Act) notify individuals affected by data breaches that are likely to result in serious harm. A data breach occurs when …

Colorado Proposes Requiring Data Breaches to be Reported in 30 Days
Healthcare IT News

The Colorado legislature is considering a bill to drastically improve the state’s privacy and data security law, including giving organizations just 30 days to report a breach. Introduced in January, the amended bill passed unanimously in the House Committee on State, Veterans and Military Affairs on Feb.

Data Breach Exposes Thousands of California State Employees
KSBY San Luis Obispo News

The Sacramento Bee reported Friday that the information included Social Security numbers for Department of Fish and Wildlife employees and contractors. … It did not say if investigators believe criminals might have accessed the data

Belgian Court Orders Facebook to Stop Tracking Web Users
Citizen

“We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe,” Facebook said. A consumer rights organisation said Monday that a German court had found Facebook is breaching data protection rules with privacy settings that over-share by default and by requiring …

Medical Devices Pose Security Nightmare, Researchers Say
ISRAEL21c

Of the many vulnerabilities discovered, the researchers found that CT devices face the greatest risk of cyber-attack due to their pivotal role in acute-care imaging. Because a CT sends scanned results connected to a patient’s medical record via a host computer, attackers can disrupt image results and …

Compiled by: Richard Sheinis, Esq.

Cyberattack Caused Olympic Opening Ceremony Disruption
New York Times

“The purpose of this malware is to perform destruction of the host” and “leave the computer system offline.” In an interview, Talos researchers noted that there was a nuance to the attack that they had not seen before: Even though the hackers clearly demonstrated that they had the ability to destroy …

Implementing the NIST CSF for Improved Healthcare Data Security
HealthITSecurity.com

February 12, 2018 – Cybersecurity frameworks are often cited as key ways for organizations to improve their approach to healthcare data security, especially as more entities utilize connected devices and work toward interoperability. The National Institute of Standards and Technology (NIST) has one of …

Facebook Starts Pushing its Data-Tracking Onavo VPN Within its Main Mobile App
TechCrunch

Onavo Protect, the VPN client from the data-security app maker acquired by Facebook back in 2013, has now popped up in the Facebook app itself, under the new banner “Protect” in the navigation menu. Clicking through on “Protect” will redirect Facebook users to the “Onavo Protect – VPN Security” …

German Court Finds Fault with Facebook’s Default Privacy Settings
TechCrunch

Last month Facebook announced incoming changes to how it approaches privacy — including outing a set of ‘privacy principles’ and trailing a new global privacy settings hub — which are part of its compliance efforts to meet the EU’s new data protection standards. The GDPR, which gives EU data …

Police: Former UGA Student Hacked into System to Change Grade
FOX 5 Atlanta

ATHENS, Ga. – The University of Georgia Police is trying to unravel a computer hacking case which, as of Monday, has landed one now-former student in jail. Investigators said it remained unclear if others were involved, but UGA said 21-year-old Michael Lamon Williams was arrested on 80 …

MSU Data Breach ‘Not Catastrophic’
Jackson Clarion Ledger

Social Security numbers were not compromised in the data breach that impacted Mississippi State University last week, the university says. Few details have been released about the breach, but MSU Communications Director Sid Salter said the incident was “serious” but “not catastrophic.” “It’s a serious …

Decatur County General Hospital Warns 24K Patients of Data Breach Involving EHR Server
FierceHealthcare

By Evan Sweeney, Feb 12, 2018. Decatur was notified about the attack in November by its EHR vendor CPSI. …

Google-Nest Merger Reawakens Privacy Worries
Naked Security

Privacy advocates found this a daunting marriage, but Google wound up running the business at arm’s length, over in its Alphabet division. Nest co-founder and former CEO Tony Fadell told the BBC at the time of the acquisition that consumers could relax. Nest data wouldn’t be mixed with all the other …

Hackers Hijack Government Websites to Mine Crypto-Cash
BBC News

The Information Commissioner’s Office (ICO) took down its website after a warning that hackers were taking control of visitors’ computers to mine cryptocurrency. Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected. He said the affected code …

Homeland Security Calls NBC Report on Election Hacking ‘False’
The Hill

Hackers successfully accessed records on 200,000 Illinois voters by penetrating the state voter database. In Arizona, officials say that hackers successfully delivered malware to a county election official’s computer but that malicious actors never actually made it into the system. Homeland Security …

Compiled by: Richard Sheinis, Esq.

Medical Supply Giant to Pay $3.5M in Settlement for Five Separate Data Breaches
PropertyCasualty360

Cyber liability insurance market: Equal parts promise and peril. The cyber liability insurance market presents opportunities as well as potential hazards for insurers.

North Korea Latest: How Kim Jong-Un Trains Elite Hackers to Target Enemies Around World
Express.co.uk

A 2017 report by the US Congressional Research Service predicts there may be as many as “between 3,000 and 6,000 hackers trained in cyber operations” acting on behalf of North Korea. Typically they are able to produce their own sophisticated hacking tools rather than relying on established …

Hacking Threats Loom Over 2018 Olympics
The Hill

Cybersecurity experts believe the group is a so-called “faketivist” hacking persona associated with Fancy Bear. Meanwhile, experts at Trend Micro identified several Olympics sport organizations among the cyber group’s targets in the second half of last year, including the Luge Federation and the …

Russian Accused of Hacking Extradited to US from Spain
The Tribune

Levashov was charged by US prosecutors with causing intentional damage to a protected computer and wire fraud, which carry a potential prison sentence of up to 52 years if he is convicted at trial. He was arrested while on holiday in Barcelona last April and in October, Spain’s High Court granted a …

Western Washington Medical Group Notifies Patients Of Potential Data Breach
The Daily Telescope

EVERETT, Wash., Feb. 2, 2018 – Western Washington Medical Group (“WWMG”), located in Everett, Washington, discovered that medical records and information for some of its patients may have been improperly disposed of on November 13, 2017. On that date, the janitorial service …

EMMC Waited a Month to Alert Patients of Possible Data Breach
Bangor Daily News

More than a month after discovering that a computer hard drive is missing, Eastern Maine Medical Center is alerting hundreds of patients by mail that their … “We take our commitment to uphold our patients’ privacy very seriously and are reviewing our processes to strengthen data security,” EMMC …

Alleged UK Computer Hacker Wins Extradition Appeal
ABC News

Lauri Love, who is accused of hacking into U.S. government computers, speaks to the media outside The Royal Courts of Justice in London, Monday, Feb. 5, 2018. The ruling in Lauri Love’s appeal against extradition to the United States, where he faces solitary confinement and a potential 99 year prison …

Apple, Cisco, Allianz and Aon Take on Ransomware
CIO Dive

As cyberattacks and data breaches continue to hit businesses, the topic of cyber insurance is being approached for the first time by more boards and IT decision makers. The liability of a potential data breach of PII is too great for many companies to avoid getting insurance any longer. Security as a …

South Korean Intelligence Says North Korean Hackers Possibly Behind Coincheck Heist: Sources
Reuters

SEOUL (Reuters) – South Korea’s intelligence agency told lawmakers North Korean hackers could have been behind the $530 million theft of virtual coins … “We acknowledge how we deal with cyber attack is an important issue for our nation’s security, crisis management and the economic growth,” Suga …

12,000 Social Media Influencers, Mostly Women, Exposed by Marketing Firm Data Breach
Gizmodo

More than 12,000 prominent social media influencers from YouTube, Instagram, Twitter, and the gaming platform Twitch were exposed last month by a data breach at a marketing firm that pairs online stars with top brands seeking product reviews and endorsements, according to researchers at the …

Written by: Anthony E. Stewart, Esq.

The Internal Revenue Service (IRS) and state tax agencies are warning employers about one of the most dangerous phishing scams in the tax community. Cybercriminals are targeting organizations nationwide and tricking payroll personnel into disclosing the sensitive personal information of an organization’s entire workforce. Last year, more than 200 employers fell victim to this Form W-2 phishing scam, which compromised the identity of hundreds of thousands of employees.

The IRS has warned that organizations have lost both employees’ W-2s and thousands of dollars in fraudulent wire transfers as a result of the scam. A W-2 contains sensitive personal information, such as an employee’s name, address, social security number, income, and withholdings. If this stolen information is used to create and submit false tax returns or open lines of credit, the organization may also be liable for the resulting identity theft of its employees.

Here’s how it works:

To initiate the scam, an attacker spoofs or hijacks the email account of an organization’s business executive and sends an email to payroll or human resources personnel requesting copies of W-2s for all of the organization’s employees. At first glance, the email appears to be a legitimate request from an executive within the organization. The attacker often will utilize social engineering tactics to convince the target further that this is an authentic request. However, when the target replies with the requested information, his or her response is sent directly to the attacker, resulting in the disclosure of personal information. If the request for the W-2s is successful, the “executive” often follows up with an additional request for a wire transfer. Again, this appears to be a valid request coming from within the organization that often results in a fraudulent wire transfer. More often than not, these funds are unrecoverable.

How to protect your organization from these attacks:

This scam continues to evolve and can fool even the most cautious person. However, there are steps you and your organization can take to reduce the likelihood of becoming the next victim:

Step 1: Educate your employees

Knowledge is power. Share articles like this one with your employees, specifically those in your payroll and HR departments. Let your employees know that this is an active threat and that your organization is a target. Provide training sessions throughout the year to ensure your employees are kept up to date with the latest cyber scams.

Step 2: Implement a policy of verifying all W-2 and wire transfer requests

Any request for sensitive information or to initiate a wire transfer should be independently verified. Employees should not rely on email or other forms of electronic communication to complete this verification process. Instead, the employee should follow up over the phone or, ideally, face-to-face.

Step 3: Protect your network

Not only do you have to worry about a potential data breach and fraudulent wire transfer, but cybercriminals are also taking advantage of this time of year to infect victims with malware. Malware is commonly spread through malicious hyperlinks and email attachments. To help reduce malware infections, install and maintain anti-virus software, firewalls, and email filters. Also, make sure that you keep all of your software up to date.
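One header check an email filter can apply to the request pattern described above, as an added example that is not part of the original article: it holds a message when a W-2 or wire-transfer request arrives with a Reply-To domain that differs from the sender's, or with an executive's name on an outside address. The domain example.com, the executive name, the keyword pattern and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: the organization's mail domain and the
# display names of executives whose identity an attacker might borrow.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

# Requests the article describes: copies of W-2s, then a wire transfer.
SENSITIVE = re.compile(r"\bw-?2s?\b|\bwire transfer\b", re.IGNORECASE)
SENSITIVE_FINDING = "requests_w2_or_wire_transfer"


def _domain(address):
    """Return the lower-cased domain of an email address, or '' if none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def assess(raw_message):
    """Inspect one raw RFC 5322 message and decide whether to hold it."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"

    findings = []
    # A reply would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply_to_domain_differs_from_sender")
    # An executive's name is shown, but the address is not ours.
    if from_name.strip().lower() in EXECUTIVE_NAMES and _domain(from_addr) != ORG_DOMAIN:
        findings.append("executive_name_on_external_address")
    if SENSITIVE.search(text):
        findings.append(SENSITIVE_FINDING)

    header_anomaly = any(f != SENSITIVE_FINDING for f in findings)
    # Hold only when a sensitive request coincides with a header anomaly.
    hold = SENSITIVE_FINDING in findings and header_anomaly
    return {"hold": hold, "findings": findings}


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@examp1e-payroll.test>
To: payroll@example.com
Subject: Need all employee W-2s today

Please send me PDF copies of the 2017 W-2s for all staff.
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example.com
Subject: Urgent wire transfer

Thanks for the files. I also need a wire transfer sent this afternoon.
"""

INTERNAL_REQUEST = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: W-2 copies

Can you pull the W-2 summary for the audit?
"""

BENIGN = """\
From: Sam Lee <sam.lee@example.com>
To: payroll@example.com
Subject: Lunch on Friday

Are you free at noon?
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE),
                      ("internal", INTERNAL_REQUEST), ("benign", BENIGN)]:
        print(name, assess(raw))
```

A request sent from a hijacked internal account passes these header checks, which is why the out-of-band verification in Step 2 still applies.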

What to do if you have received a W-2 phishing scam email:

If your organization has lost data to this scam, the IRS may be able to take steps that can help protect your employees from tax-related identity theft. To notify the IRS of W-2 data theft, send an email to dataloss@irs.gov and provide the following information:

  • In the subject line, type “W2 Data Loss.”
  • In the body of the email, include:
      o Business name
      o Business employer identification number (EIN) associated with the data loss
      o Contact name
      o Contact phone number
      o Summary of how the data loss occurred
      o Volume of employees impacted
  • Do not attach or include any employee personally identifiable information data with your report.

To notify the IRS of an attempted W-2 data theft, forward the fraudulent email to phishing@irs.gov and provide the following information:

  • In the subject line, type “W2 Scam.”
  • The IRS needs the email header from the phishing email for its investigation. The headers should be produced in plain ASCII text format. Instructions for retrieving a copy of email headers vary by email provider.
  • Do not attach any employee personally identifiable information data.

After sending the email, the IRS recommends that you file a complaint with the Internet Crime Complaint Center.

These attacks are becoming more and more sophisticated. Attackers are not just targeting Fortune 500 companies. They are attacking organizations across the country, including healthcare facilities, small businesses, large corporations, public schools and universities, hospitals, tribal governments, and charities. We anticipate that their frequency will increase, costing organizations millions in stolen data, damage, and downtime. Taking the time now to train your employees and to assess your internal controls is crucial to protect your organization and its employees.

Compiled by: Richard Sheinis, Esq.

‘Jackpotting’ Hackers Steal Over $1 Million from ATMs Across US: Secret Service
Reuters

… The heists, which involve hacking ATMs to rapidly shoot out torrents of cash, have been observed across the United States spanning from the Gulf …

Tech Giants Brace for Europe’s New Data Privacy Rules
New York Times

Amazon recently began improving the data encryption on its cloud storage service and simplified an agreement with customers over how it processes their information. And on Sunday, Facebook rolled out a new global data privacy center — a single page that allows users to organize who sees their …

As Hackers Gain Strength, Israeli Cyber Firms Raise More Money Than Ever
The Jerusalem Post

Investors poured a record-breaking $815 million into the Israeli cyber ecosystem in 2016, totaling some 16% of all global investment in the cybersecurity … Globally, the threat that hackers pose is only increasing, the report notes.

Rabobank Hit by Cyber Attack After Rivals Targeted Over the Weekend
DutchNews.nl

The attack on Rabo fell hard on the heels of similar cyber attacks on rivals ABN Amro and ING over the weekend. The tax office also came under attack for a time on Monday morning. Both ABN Amro and ING were back to normal on Monday morning after a weekend of cyber attacks which crippled the …

Medical Imaging Devices Are Vulnerable to Cyber-Attacks, Israeli Team Warns
The Times of Israel

In their paper, “Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices,” the researchers show how easy it is to exploit unprotected medical devices, such as computed tomography (CT) and magnetic resonance imaging (MRI) machines, many of which don’t get ongoing security …

South Dakota and Colorado Strengthen Data Breach Protections
Data Protection Report

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota …

Iowa Legislature Proposes Requiring Orgs to Report Breaches Within 45 Days
Healthcare IT News

Iowa has joined the growing number of state governments to tighten up data security laws by proposing an update to its breach notification act, which includes a requirement for organizations to report data breaches within 45 days. Although Iowa previously required organizations to report breaches …

Security Breach: How a Fitness App Ended Up Revealing More Than the US Bargained For
CBN News

WASHINGTON – U.S. military movements on secret remote military bases are being revealed by an exercise app. The security breach is such a concern that Pentagon top brass and other Department of Defense officials are taking action and have launched an investigation on what to do next. Security …

New AI Tech Blinds Computer Facial Recognition Systems
Forbes

Computers can scan through thousands of images much faster and more accurately than a human, making automated facial matching systems invaluable for speeding up security checks at border controls or for more mundane tasks such as unlocking your smartphone. This is of obvious concern to …

Intel Told Chinese Firms About Chip Flaw Before US Gov: Report
The Hill

China’s foreign ministry has previously said it is “resolutely opposed” to any form of cyber-hacking. The Lenovo Group, a Chinese computer maker, was also reportedly notified in the early stages. A Lenovo spokeswoman told the newspaper that a nondisclosure agreement protected Intel’s information …

Norway’s Data Breach: Lessons for the US Healthcare Industry
IT Security Central

One of Norway’s largest healthcare providers, Health South-East RHF (translated), has become the victim of a data breach that may have exposed sensitive data from half the country’s population. This amounts to about 2.5 million people. For comparison in the U.S. the Equifax data breach exposed …

DOH Detects Data Breach on Disease Reporting System
Hawaii News Now

The DOH was notified last week of the compromise of its data, which includes clinical laboratory test results for individuals diagnosed with diseases that are reported to the division for investigation. Upon notification, DOH removed the affected server from its network, and at this time, there is no evidence …

Written by: Richard Sheinis, Esq.

On January 8, 2018, North Carolina Attorney General Josh Stein and State Representative Jason Saine proposed new data breach legislation entitled “Act to Strengthen Identity Theft Protections” to update the current North Carolina data breach law. This legislation is in response to the recent data breaches at Equifax and Uber, the latter breach having been allegedly hidden by Uber for several months.

While this legislation has several appropriate and reasonable provisions, such as requiring businesses to have reasonable security procedures to protect consumers’ personal information, this post will address two ill-considered and unrealistic requirements of the proposed legislation.

First, the new legislation requires a business to notify the Attorney General’s Office and affected consumers within fifteen (15) days of discovery of a security breach. Having handled well over 100 data breaches, I can tell you that it will be almost impossible for well-meaning businesses to meet this deadline in any breach that involves an appreciable number of affected individuals. Determining the extent of the computer breach, identifying affected individuals, obtaining up-to-date contact information for these individuals, potentially setting up credit monitoring, and preparing and sending notification letters is logistically next to impossible to accomplish within fifteen (15) days. In an overreaction to prior breaches, the Legislature is setting up thousands of North Carolina businesses to violate this law. I would be interested in knowing how many data breaches the authors of this legislation have ever been responsible for handling. The authors of the legislation need to remember that businesses which are “hacked” are victims of crime themselves. Unfortunately, this legislation treats businesses as the criminal, no matter their efforts to protect against hackers.

The second major problem is that ransomware is included as a security breach requiring notification of the Attorney General and affected consumers. The justification for this requirement is that it will allow the affected person and the Attorney General’s office to determine the risk of harm, rather than leaving this determination up to the breached business.

Ransomware encrypts information in the possession of the affected business, making the information useless to everyone, including the hacker. The hacker does not access, visualize, or acquire the information. Therefore, the very definition of ransomware means that the information cannot be used to harm the affected individuals. If there is other malware that “piggy backs” on the ransomware, then the breach is taken outside the definition of ransomware and can be evaluated as a security breach on its own terms. All the logistics mentioned above are complicated when ransomware is used, thereby making it even more difficult to complete the required notifications within fifteen (15) days.

While it is appropriate to protect the citizens of our State, it is unfortunate that these aspects of the legislation are an overreaction. The legislation perpetuates the misperception that a hacked business is a criminal because it was hacked, rather than being the victim of a crime, and that the only victims are the affected consumers. Hopefully, these aspects of the legislation will be revised before becoming law.

Compiled by: Richard Sheinis, Esq.

Allscripts Still Fighting to Restore All Services 4 Days After Ransomware …
Healthcare IT News

“Ransomware attack on Allscripts has taken down our e-prescribing, EPCS and some other services,” Yvette Crabtree, MD, a Kansas City-based physician affiliated with Sunflower Medical Group said. “At least we don’t use their hosted application. I hear many hosted practices couldn’t access their EMR …

Colorado Looks to Adopt Blockchain Technology to Improve Data Security
BTCManager

Therefore, the problems the state is currently experiencing when it comes to their current collection of data and issues related to retention would be solved, and the records would be kept more secure. At current, Colorado citizens still have to pay a visit to the state agencies in the flesh if they want to …

Bell Canada Alerts Customers Who May Be Affected by Data Breach
Ottawa Citizen

TORONTO — The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information. Bell Canada spokesman Nathan Gibson told The Canadian Press that “fewer than 100,000 …

Malaysia Police to Probe Reported Data Breach of Over 200,000 Organ Donors
The Straits Times

KUALA LUMPUR (REUTERS, THE STAR/ASIA NEWS NETWORK) – Malaysian police said on Wednesday (Jan 24) they are probing a reported data breach that saw the personal details of more than 200,000 Malaysian organ donors and their next-of-kin leaked online and made available for over a year.

South Dakota Senate Panel Approves Data Breach Legislation
Seattle Times

Originally published January 23, … PIERRE, S.D. (AP) — A legislative panel has approved a bill that would require companies to inform South Dakota residents whose personal information was taken in a data breach. The Senate Judiciary …

OnePlus Reports 40,000 Credit Cards Hacked in Data Breach
eWeek

Today’s topics include OnePlus attackers stealing credit card data from 40,000 customers; Google, Amazon and Apple backing Microsoft in its email privacy Supreme Court case; Google rolling out an unlimited data plan for Project Fi wireless users; and the Zyklon malware making a comeback.

Government May Have to Compensate Asylum Seekers Affected by Data Breach
Computerworld Australia

The Office of the Australian Information Commissioner (OAIC) today announced that it was seeking to contact individuals affected by the data breach, which was exposed by Oliver Laughland, Paul Farrell and Asher Wolf in the Guardian in February 2014. An investigation led by the Privacy Commissioner …

Notifiable Data Breaches Scheme: Getting Ready to Disclose a Data Breach in Australia
ZDNet

Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organisation to secure the data it holds. The NDB scheme falls under Part IIIC of the Australian Privacy Act …

Idaho School Works to Recover Data Weeks After Cyberattack
The Seattle Times

JEROME, Idaho (AP) — Nearly six weeks after being hit by a massive ransomware cyberattack, the Jerome School District is still working to recover. On Dec. 11, school district officials found out much of its data was encrypted. Each affected file included a message from the cybercriminal: If you want your …

Half of Norway’s Population Have Medical Data Leaked
SC Magazine UK

Healthcare data has been stolen from more than half of Norway’s population by a hacker or hacker group. The attack happened on 8 January according to … Automated Breach prevention is the only appropriate security mechanism for GDPR notification requirements.” Many commentators, including Raj …

Compiled by: Richard Sheinis, Esq.

US Senate in Russian Hackers’ Crosshairs: Cybersecurity Firms
ABC News

The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday. The revelation suggests the group often nicknamed Fancy Bear, whose …

Survey: One in Five Healthcare Professionals Had Patient Data Breaches
Healthcare Informatics

When asked where they have seen the most changes occur in the industry over the last year, including quality of care, safety, digital health records and prevention and population health, only 25 percent of RNs and 40 percent of administrative staff cite data security and privacy. “Patient safety is not just …

China Chides Tech Firms Over Privacy Safeguards
Reuters

China reprimanded three top tech firms on Friday over poor privacy protections, as tech companies face an increasing backlash from consumers and authorities over excessive data collection practices. Alibaba Group Holding Ltd payment affiliate Ant Financial, search firm …

Smart Cars Collect a Lot of Data. FTC Wants to Know How It’s Used.
Nextgov

As cars become more connected to the internet and collect more data on their drivers, consumer advocates are working to protect data privacy and cybersecurity on the road. The Federal Trade Commission published a report Wednesday offering insight on what data cars may collect on their passengers …

Car Hacking Remains a very Real Threat as Autos Become Ever More Loaded with Tech
Detroit Free Press

Automakers and suppliers are making progress in protecting vehicles from cyber attacks, but the car-hacking threat is still real and could get increasingly serious in the future when driverless vehicles begin talking to each other. A worst-case scenario would be hackers infiltrating a vehicle through a …

Russian Military Was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes
Washington Post

The CIA has attributed to Russian military hackers a cyberattack that crippled computers in Ukraine last year, an effort to disrupt that country’s financial system amid its ongoing war with separatists loyal to the Kremlin. The June 2017 attack, delivered through a mock ransomware virus dubbed NotPetya, …

New Cybersecurity Legislation to Penalize Companies for Data Breaches
Security Intelligence

If passed, it would enact strict penalties for breaches in customer data. Specifically, credit rating agencies would receive $100 fines for each piece of personally identifiable information (PII) lost in a data breach, plus $50 for each additional PII file per customer. According to SecurityWeek, the bill also …

After 280K Patients Exposed in Data Breach, Oklahoma Hospital Shares What It Learned
hcanews.com

OSU-CHS reported the data breach, which took place in November, to the Department of Health and Human Services earlier this month, labeling it a “hacking/[information technology incident]” on a network server. The Tulsa institution followed up with a digital notice (warning: PDF) and subsequent …

UK: Morrisons Held Vicariously Liable For Its Employee’s Data Protection Breach
Mondaq News Alerts

Morrisons, the supermarket chain, has been held liable for a disgruntled employee’s willful breach of data protection legislation. Mr Skelton was employed by Morrisons as a senior IT internal auditor. This role gave him access to sensitive personal data relating to the company’s staff. He also sold a legal …

Hancock Health Gets Access to Hacked Computer Systems Back After Paying Ransom
Fox 59

HANCOCK COUNTY, Ind. – Officials with Hancock Health paid hackers a ransom to regain access to their computer systems. Hancock Health says a ransomware attack occurred around 9:30 p.m. on Jan. 11. The hackers were able to access the system through a hospital server which was using the …

Ohio Computer Programmer Faces 16 Criminal Charges Over Monitoring Thousands of Computers
ComputerWeekly.com

Acting Assistant Attorney General John Cronan said charging Durachinsky is part of the Justice Department’s attempts to find cyber criminals who intrude on privacy. “For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most …

Twitter Account of Indian Ambassador to UN Hacked
The Tribune

In what can only be a case of hacking, two photographs of Pakistan’s flag and the neighbour country’s President Mamnoon Hussain were posted from the Twitter account … Evidently, cyber attack has not been a new strategy for the terrorists in Pakistan, and government officials have been prime targets.

‘Anonymous Greece’ Claims Responsibility for Hacking Turkish President Erdogan’s Website
Tornos News International Edition

Greekcitytimes.com reports that the cyber hacking group ‘Anonymous Greece’ has claimed responsibility for taking over the official website of Turkish President Recep Tayyip Erdogan and bringing it down for over 12 hours. Taking to their social media pages, the group on their Facebook page revealed …

Massive Intel Software Vulnerability is a Reminder to Always Protect Sensitive Data
The Hill

Security researchers uncovered a pair of significant vulnerabilities first thought to be limited to Intel processors. It was later revealed these also affect Intel’s peer chipmakers AMD and ARM. If unchecked the weaknesses could cause economy-wide disruption. Data exfiltrated from the combined number of …

IoT Risks, Insider Threats, Password Hacks, Biometric Cracks: Cybersecurity in 2018 Looks Messy
Healthcare IT News

Organizations in 2018 increasingly will adopt standalone cyber insurance policies as boards and executives wake up to cyber liability, the report predicted. As boards and executives experience and witness the impact of cyberattacks, including reduced earnings, operational disruption, and claims …

36 Fake Security Apps in the Google Play Store Downloaded Malware, Stole Data, Tracked Locations
TechRepublic

Security firm Trend Micro recently discovered 36 apps in the Google Play Store with names such as Security Defender, Security Keeper, and Smart Security, that claimed to keep devices safe but actually stole user data, tracked user locations, and heavily pushed advertisements. These findings, detailed …

Medicaid Data Breach May Have Affected up to 30,000, Florida Officials Say
News 13 Orlando

A full review is ongoing. The AHCA is also making sure employees go through security training, and it’s exploring new security options to prevent future data breaches. The AHCA is providing a one-year membership to Experian’s IdentityWorks program for those affected by the breach, to make sure that …

Data Breach at OSU Center for Health Sciences May Have Exposed Medicaid Patient Information
Tulsa World

A November data breach at the Oklahoma State University Center for Health Sciences may have provided a third party with Medicaid patient information, according to OSU officials. Patient names, Medicaid numbers, health care provider names, dates of service and limited treatment information may …

Confessions of a Former Hacker: 5 Techniques to Make You More Secure Online
Yahoo Finance

Formerly on the US government’s “Most Wanted” list in the 1990s for hacking into cellphone companies, Mitnick served five years in prison for computer fraud. Since his release in 2000, he’s built a career as a “white hat” hacker, working as a security consultant for companies around the world. In this new …

Man, 30, Held Over Hacking Attacks on Two Hong Kong Travel Agencies
South China Morning Post

A 30-year-old Hong Kong man was arrested in connection with cyberattacks in which the computers of two travel agencies in the city were hacked and their clients’ sensitive personal information held for ransom, with payouts in bitcoin sought last week. The two travel agencies reported the incidents to …

Toy Maker VTech Settles with FTC Over Child Privacy Violations
Valley News Live

In its first children’s privacy case involving Internet-connected toys, the FTC also alleges that VTech failed to use reasonable and appropriate data security … In November 2015, VTech was informed by a journalist that a hacker accessed its computer network and personal information about consumers …

Your Local Public Wi-Fi Network May Be a Whole Lot Safer Soon
CNET

The change could provide you nearly as much privacy as your home network. “All of that data … But he added WPA3 will at least be able to block brute-force attacks, which are when a computer (or a very dedicated person) gets access by guessing every possible combination until it gets the password.

Sneaky Malware Disguises Itself as an Adobe Flash Player Installer
ZDNet

Campaigns using this attack technique have been operational since July 2016, but cyber security researchers are still unsure as to how the attackers are bundling their payload alongside a Flash player installer. “The victims are made to believe that the only thing that they are downloading is authentic …

NC Proposal Takes Aim at Recent Cyber Attacks
WUNC

Jason Saine of Lincoln County and Attorney General Josh Stein announced on Monday details of the draft legislation, which comes after a spike in cyber attacks last year. Saine said the bill would require companies who are hacked to notify consumers more quickly. Uber recently acknowledged a …

Jason’s Deli Warns Customers About Possible Data Breach
wtkr.com

The company says on December 22, they were made aware that MasterCard security personnel said a large quantity of payment card information appeared for sale on the “dark web.” An analysis of that data showed that at least a portion of data may have come from various Jason’s Deli locations.

FTC Settles with Lenovo Over Ad Software
Broadcasting & Cable

The FTC has been deeded even more authority over computer privacy with the FCC’s vote to overturn the Title II classification of ISPs and return oversight of broadband privacy to the FTC. It does not have to stop pre-loading the software, but it cannot misrepresent any features of that software, must get …

Emory Healthcare Reports Data Breach Involving 24K Patients, a Former Physician and a OneDrive …
FierceHealthcare

By Evan Sweeney, Jan 2, 2018. A former Emory Healthcare physician placed patient files on a OneDrive account accessible to other University of Arizona employees.

Updated HHS Privacy Framework for Sharing Drug Abuse Treatment Data Breaks from HIPAA
Tech2

The U.S. Department of Health and Human Services released its final rule on the confidentiality for patients with substance use disorders, opting to leave the privacy framework relatively untouched for providers using alternative payment models. The HHS’ Substance Abuse and Mental Health Services …

How Antivirus Software Can Be Turned Into a Tool for Spying
New York Times

A month later, The New York Times reported that the Homeland Security directive was based, in large part, on intelligence shared by Israeli intelligence officials who successfully hacked Kaspersky Lab in 2014 and looked on for months as Russian government hackers scanned computers belonging to …

North Korea Accused of Stealing $25K in Cryptocurrency
CNET

Last month, the US accused North Korea of having orchestrated the WannaCry cyberattack which crippled over 300,000 servers worldwide in May, although the state denied any involvement. Victims of the attack found their computers locked and had to pay a ransom in Bitcoin in order to retrieve their …

Forever 21 Investigation Reveals Malware Presence at Some Stores
ZDNet

Forever 21 has revealed that a data breach discovered in November has resulted in the theft of credit card information belonging to customers. The US clothing retailer said previously that a potential data breach was the subject of an …

How Do You Vote? 50 Million Google Images Give a Clue
New York Times

“All of a sudden we can do the same kind of analysis on images that we have been able to do on text,” said Erez Lieberman Aiden, a computer scientist who heads a genomic research center at the Baylor … But privacy concerns about Street View pictures have been raised in Germany and elsewhere.

This Startup Is Using Blockchain Tech To Rethink Cyber Security In The Bitcoin Era
Forbes

Following the proven effectiveness of their Edge Security platform, Puey packaged their security tools into a proprietary software development kit adopted by other developers for the purpose of enhancing the data protection of their own applications. Through the use of advanced client-side Blockchain …

US Charges Romanians with Hacking Police Cameras Before Trump Inauguration
Reuters

WASHINGTON (Reuters) – The United States has charged two Romanian nationals, alleging that they hacked the Washington police department’s surveillance cameras days before U.S. President Donald Trump’s Jan. 20 inauguration, the Department of Justice said on Thursday. Mihai Alexandru …

Data Breach Affects 29,000 SSM Patients
Fox2now.com

SSM Health learned of the breach on October 30 and launched an immediate internal investigation. The company discovered an employee in the customer service call center had accessed protected health information of patients across several states, including demographic and other types of clinical …

8,000 Tallahassee Utility Customers’ Data at Risk After Breach
Tallahassee.com

Two days later, Nikolov explained in a follow-up email that PayPal had discovered network security vulnerabilities on the TIO platform and issues with TIO’s data security program that did not adhere to PayPal’s information security standards. “We have initiated an internal investigation of TIO’s systems …