MENTIS

Week of November 23, 2018

MENTIS
news

Week of November 23, 2018

Amazon Admits To Leaking Of Customer Email Addresses, But Refuses To Give Details*:

  • Amazon emailed users Tuesday, warning them that it exposed an unknown number of customer email addresses after a “technical error” on its website.
  • When reached for comment, an Amazon spokesperson told TechCrunch that the issue exposed names as well as email addresses.
  • The company emailed all impacted users to be cautious.
  • The company denies there was a data breach of its website of any of its systems, and says it’s fixed the issue, but dismissed requests for more info including the cause, scale and circumstances of the error.
  • Amazon’s reticence here puts those impacted at greater risk.
  • Users don’t know which of Amazon’s sites was impacted, who their email address could have been exposed to, or any ballpark figure of the number of victims.
  • The security lapse comes days ahead of one of the busiest retail days of the year, the post-Thanksgiving holiday sales day, Black Friday.
  • The issue could scare users away from Amazon, which could be problematic for revenue if the issue impacted a wide number of users just before the heavy shopping day.
  • Amazon’s vague and non-specific email also sparked criticism from users — including security experts — who accused the company of withholding information.
  • Some said that the correspondence looked like a phishing email, used to trick customers into turning over account information.
  • Amazon, as a Washington-based company, is required to inform the state attorney general of data incidents involving 500 state residents or more.
  • In Europe, where data protection rules are stronger — even in the wake of the recently introduced General Data Protection Regulation (GDPR) — it’s less clear if Amazon needs to disclose the incident.
  • The U.K.’s data protection regulator, the Information Commissioner’s Office, told TechCrunch: “Under the GDPR, organizations must assess if a breach should be reported to the ICO, or to the equivalent supervisory body if they are not based in the UK.”
  • People fear what they don’t understand, and for now, Amazon is failing to help the public understand what happened.

*Source: Tech Crunch, November 21, 2018

https://techcrunch.com/2018/11/21/amazon-admits-it-exposed-customer-email-addresses-doubles-down-on-secrecy/

How Learning From Hackers Can Protect Us From Cyber Attacks*:

  • To protect against cyber attacks, defenders need to take a page out of the book of the criminals and become as agile and innovative as the groups they're trying to protect against, according to a former head of GCHQ.
  • For cyber criminal groups and underground communities on the dark web, speed is key to running a successful operation -- especially when it comes to the use of zero-days and other advanced attacks where there can sometimes be just a short delay between their discovery, and software vendors being able to release security patches.
  • It's all about, can they get there quickly enough, hoover up enough cash to make it worthwhile before the security industry finally catch up with them.
  • So agility and innovation and creativity are really key for them and what they prize above everything else.
  • While many businesses still look at university education and qualifications as an indicator of whether someone is suitable for a cyber security role, this doesn't apply on the Dark Web -- here all individuals require to get involved in cyber crime is the skills to do the job; they don't need to produce the relevant paperwork to showcase what they can do.
  • They've cracked the skills problem in their own way. They don't worry about qualifications, they don't ask for 2:1s in computer science or anything else for that matter.
  • They're interested in whether you can do a particular job and they can pull in those skills from around the internet in a classic criminal gig-economy sort of way.
  • They're constantly thinking of new ways of doing it.
  • Security professionals should take the same approach in order to better protect systems and services from attackers.
  • There's a challenge for us in industry to be a bit more agile, a bit more like cyber crime groups -- although we do have to worry about the law.

*Source: ZD Net, November 20, 2018

https://www.zdnet.com/article/how-learning-from-hackers-to-can-protect-us-from-cyber-attacks/

Chat Platform Knuddles Must Pay Fine After Hacker Attach*:

  • The social network Knuddels.de must pay a fine in the amount of 20,000 euros, because it had stored passwords of users unencrypted.
  • The company from Karlsruhe violated the obligation to ensure the security of personal data, informed the Baden-Wuerttemberg data protection commissioner Stefan Brink on Thursday in Stuttgart.
  • He told the company that after a hacker attack, it turned to the DPA and informed users immediately and extensively about the attack.
  • According to the company, around 808,000 e-mail addresses and 1,872,000 pseudonyms and passwords were stolen by unknown persons and published on the Internet.
  • In addition to the chat name, some users have also made their password, e-mail address as well as information on the real first name or place of residence public.
  • Users of the platform should therefore necessarily change their password, if they have not already done so.
  • This is especially true if you use the same password or a similar variation on other websites.
  • Brink said the company worked in exemplary fashion with his agency and significantly improved IT security.
  • Knuddels claims to have more than two million registered members.
  • Since May, new European data protection rules have been in force and have been laid down in the General Data Protection Regulation (GDPR).
  • They provide for fines of up to € 20 million or, in the case of a company, a fine of up to four percent of the annual turnover achieved worldwide.

*Source: International News, November 22, 2018

http://www.tellerreport.com/tech/--knuddels--chat-platform-must-pay-after-hacker-attack-fine-.S1xs7l4Am.html

Israel To Provide Cybersecurity To The G20 Meeting in Buenos Aires*:

  • Israel will be among the providers of cyber defence and cybersecurity to the G20 meeting that begins at the end of the month.
  • The 13th meeting of the international forum of 20 countries will meet Nov. 30 in Buenos Aires — the first G20 summit to be hosted in South America.
  • The Defence Ministry of Argentina signed a contract worth more than $5 million with its Israeli counterpart last year to provide the cyber defence and cybersecurity services to the meeting.
  • Israel is not a member of the G20 group. The contract is for the implementation of a Cyber ​​Defence Informatics Emergency Response Team (CERT) and a Computer Security Incident Response Team (CSIRT).
  • On Sept. 21, the countries signed the Implementation Agreement for the project.
  • The cyber defence program includes the capability to inhibit drones to a certain range of action.
  • The cybersecurity software includes the ability to collect and analyse information from social networks.
  • The G20 is an international forum for the governments and central bank governors from Argentina, Australia, Brazil, Canada, China, the European Union, France, Germany, India, Indonesia, Italy, Japan, Mexico, Russia, Saudi Arabia, South Africa, South Korea, Turkey, the United Kingdom and the United States.
  • The Argentinean Federal Intelligence Agency, or AFI, will form part of a group of 25,000 agents, military officers and police officers providing security for the event.

*Source: Jewish Telegraphic Agency, November 21, 2018

https://www.jta.org/2018/11/21/news-opinion/israel-provide-cyber-security-g20-meeting-buenos-aires

Cyber-Attacks Shuts Finnish Ministry Jobs Site*:

  • A Finnish Ministry of Economic Affairs and Employment data site has been closed due to a hacker attack.
  • The Toimiala Online (Sector Online) service publishes data including monthly employment ministry surveys and labour exchange reports.
  • According to Jouko Nieminen, Strategy Director of the KEHA Development and Administration Centre, which maintains the service, says officials noticed two or three weeks ago that the service was not working and had been the subject of an external break-in.
  • Nieminen says that no significant damage was done, and no data was lost.
  • He declined to speculate on who might be behind the attack, which is being investigated by the police.
  • Officials have not commented on any possible link to a series of directed denial of service attacks on Finnish public-sector websites in August and September.
  • On Tuesday the Ministry released an employment survey, which Nieminen says was published “nearly normally” despite the service shutdown.
  • He says that his agency will try to get the system up and running again before the next employment survey is issued a month from now.
  • The site is usually used for thousand of data searches monthly.
  • Besides the Ministry of Economic Affairs and Employment, the service includes data produced by the Finance Ministry, Statistics Finland, the Confederation of Finnish Industries (EK) and other bodies. It operates on a state server run by the Government ICT Centre (Valtori).

*Source: YLE.Fi, November 21, 2018

https://yle.fi/uutiset/osasto/news/cyber-attack_shuts_finnish_ministry_jobs_site/10518762

Cybersecurity Is A Top Concern For Healthcare Executives*:

  • Cybersecurity isn’t just a top technology concern of today’s healthcare executives — it’s the top concern.
  • That’s according to “Top of Mind for Top Health Systems 2019,” a new report co-authored by the Center for Connected Medicine (CCM), a think tank focused on the use of technology in healthcare, and the Health Management Academy, a network of healthcare executives.
  • To
  • produce this report, the CCM and the Academy surveyed and interviewed 44 executives from 38 health systems representing 459 hospitals across the U.S.
  • According to those executives, the most common types of cyberattacks their institutions had faced in the previous 12 months were phishing and spear-phishing.
  • Both of those involve gaining access to a network by essentially tricking a person into handing over valuable information, such as passwords and usernames, and they can enable a hacker to access sensitive information about patients.
  • 62 percent of those who contributed their insights to the report believe staff members are the primary point of weakness in their institutions’ cybersecurity.
  • “Employee education” was also cited as the most common cybersecurity challenge, implying it’s a weak spot that hasn’t been easy to address.
  • Thankfully, hospitals appear prepared to meet the challenge of cybersecurity head on.
  • Not one of the respondents claimed their health system planned to decrease spending on cybersecurity efforts in 2019.
  • 87 percent said they planned to spend more than they did in 2018.

*Source: Futurism, November 20, 2018

https://wordpress.futurism.com/cybersecurity-healthcare-executives/

German Town Keeps Christmas Tradition After Privacy Laws Nearly Scrapped It*:

  • A German town managed to revive a children's Christmas tradition after European data protection laws very nearly scrapped it.
  • In previous years up to 4,000 wishes to Father Christmas were placed on a tree at a Christmas market in the southern town of Roth, according to German newspaper Die Welt.
  • The city council would then attempt to fulfil those wishes, which included the names and addresses of the children who wrote them.
  • Previous requests granted included trips to the fire station, books and visits to the mayor. The festive event was seen as a major highlight for local kids.
  • But the popular activity had to stop in 2016 because of Germany's data privacy legislation, Die Welt reports.
  • Roth found a workaround -- putting the wishes in a locked box -- but that was made redundant in May when the European Union's General Data Protection Regulation (GDPR) came into force.
  • That legislation states that parents of minors have to provide consent to the use of their kids' data. Organizations that fail to comply face big financial penalties.
  • Providing proof of this was deemed too onerous by the council and the city decided against festive wish lists for 2018.
  • Local radio station Antenne Bayern found a solution.
  • It created a wish list, which included a parental consent disclaimer, which can be printed from their website and put in the wishing box at the Christmas market.

*Source: CNN World, November 21, 2018

https://edition.cnn.com/2018/11/21/europe/germany-christmas-gdpr-grm-scli-intl/index.html

What Is Cyber Insurance, What Does It Mean For Your Personal Data?*:

  • It's a billion dollar market you probably have never heard of, but there's a good chance cyber insurance is protecting your personal information online.
  • In an ABC11 special report, the I-Team explored the growing demand for cyber insurance policies, which right now is only available to businesses to protect against data breaches and other internet risks.
  • Though industry insiders reports, Cyber Insurance has been available for more than a decade, and the product has emerged as a must-have after major companies like Equifax, Yahoo and Home Depot became victims of costly cyber attacks.
  • "If you think hackers, you think of code scrolling across the screen trying to break into a website, but hackers don't break in anymore," Jason Hollander, a cybersecurity expert, explains to the I-Team.
  • "They log in. They log in because they have access to your information. So now they can be you. Think of how scary that is."
  • According to Hollander, 2018 will be a record year for data breaches, affecting some 4,000 companies and 3.6 billion data records.
  • Those records may include usernames, passwords, social security numbers or bank information.
  • But just as car insurance won't stop a crash, cyber insurance cannot prevent a breach.
  • Instead, it's being used a tool for businesses to keep running in the midst of a breach and to help affected consumers.
  • In some cases, cyber insurance policies provide identity theft protection for affected consumers or even reimburse customers for financial losses.
  • Mike Causey, North Carolina's Insurance Commissioner, reported that 23 insurance carriers are now offering cyber insurance in the Tar Heel State.
  • Still, cyber insurance is so new that the Department of Insurance posted a new webpage on cyber insurance on the same day the I-Team report aired on Eyewitness News.
  • Though currently only available to businesses, Causey expects insurance companies to soon open opportunities for individuals to purchase cyber insurance.
  • Hollander, however, still maintained that individuals have tremendous power to deter cyber attacks by practicing what he calls "good password hygiene."

*Source: ABC 11, November 20, 2018

https://abc11.com/finance/i-team-what-is-cyber-insurance-and-what-does-it-mean-for-your-personal-data/4726826/

More Than 700 School Data Breaches In A Year*:

  • The number of data breaches reported by schools increased by almost a quarter in just two years, new research shows.
  • Schools in the UK reported 703 data breaches to the Information Commissioner’s Office (ICO) in 2016-17, compared with 571 in 2014-15.
  • A freedom of information request by accountancy network UHY Hacker Young showed that 674 were reported in 2015-16.
  • The news comes after a school business managers’ leader last year warned that funding pressures on schools were making them more vulnerable to cyber-attacks.
  • And earlier this year, the Charity Commission warned private schools that fraudsters were trying to intercept fee payments from parents using emails.
  • Allan Hickie, partner at UHY Hacker Young, warned that cyber-attacks can cause schools “extensive reputational damage, especially if the personal data of children and parents is compromised”.
  • Schools are now at a serious risk of large fines from the ICO if they fail to report data breaches, following the introduction of GDPR in May 2018.
  • The regulations make it compulsory for all organisations to report any data breach where there is a risk to people’s data security, including incidents where no information is actually lost or stolen.
  • However, UHY said that the ICO is unlikely to levy large fines on smaller schools and academies where data on pupils has not been put at risk.
  • The Department for Education said that all organisations, including schools and colleges, should have good basic cyber-security measures in place.
  • It pointed to the government's Cyber Essentials scheme, which aims to protect against common vulnerabilities which are widely reported online.

*Source: TES, November 21, 2018

https://www.tes.com/news/exclusive-more-700-school-data-breaches-year

Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

Image CAPTCHA
scroll top