The target: Lyons Companies Insurance Broker
The take: Personal customer information including names, date of birth, contact information, driver license numbers and financial records. Medical information such as patient identification numbers, diagnosis and treatment information, Medicare/Medicaid ID numbers, health insurance and claims information were also compromised, along with a small number of Social Security Numbers.
The attack vector: Attackers gained access to two Lyons employee email accounts between February and March of 2019, and used these credentials to access the above information and offload the sensitive data.
Stringent and robust employee password protocols and the implementation of two-factor authentication are paramount in providing a strong bulwark against account compromises.
Reuters: The personal data watchdog said the full names, addresses, copies of ID cards as well as bank account numbers and property deed data of 33,492 people who have taken loans from the bank had been improperly disclosed and accessed by third parties.
BBC: A team of French police dubbed "cybergendarmes" has destroyed a virus that infected more than 850,000 computers worldwide, authorities say.
Sky News: A cyber attack such as the strike that brought down NHS hospitals in 2017 could prompt a response from all NATO countries, the alliance's general secretary has said.
Financial Review: New Payments Platform Australia, the real-time system owned by the big four banks and 11 other financial institutions, is under pressure to explain how almost 100,000 customers' personal details were accessed as part of its second data breach in three months.
Business Wire: A new report from Juniper Research found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, an average annual growth of 11%. This will primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm.
Tech Startups: CrowdStrike, a cybersecurity company that provides cloud-based endpoint protection, has launched a $20m early stage investment fund. Started in partnership with Accel, Falcon Fund will focus on seed and Series A investments in security startups that are building applications on the CrowdStrike Falcon platform.
The target: Hy-Vee, a supermarket chain.
The take: 5.3 million cardholder accounts belonging to people from thirty-five mid-western U.S states. This led to the collection of a massive database which then went for sale on an underground website which sells credit and debit card data stolen from hacked merchants. This information can then be used to create counterfeit copies of the credit-debit cards, allowing the attackers to make profitable transactions.
The attack vector: Remotely installed card-skimming malware was used to compromise point-of-sale targets at Hy-Vee’s operated gas pumps, coffee shops and restaurants. The malicious software copied the data stored on credit or debit card’s magnetic stripe when they’re swiped at infected payment stations.
Business Insider: In a startling revelation, US-based cyber security firm FireEye said on Thursday that China-based hackers broke into a leading Indian healthcare website, stealing 68 lakh records containing key patient and doctor information and credentials.
The Times of India: Banks tend to not report most cybersecurity-related incidents faced by them to law enforcement agencies, nor do they share information about breach attempts. As a result, investigators haven’t been able to fully equip themselves to handle and mitigate such cases.
The Wall Street Journal: A national-security panel that oversees foreign investment in U.S. businesses approved the transfer of a stake in cybersecurity company Cofense Inc. from a Russia-linked private-equity firm to funds managed by BlackRock Inc.
People familiar with the matter said the Committee on Foreign Investment in the U.S., known as Cfius, gave its approval to the deal on Monday.
Funds Europe: Cryptocurrency thefts and scams have surged throughout 2019 so far, with criminals and fraudsters netting billions from users and exchanges as cybercrime techniques continue to evolve with the times.
The Times: Highly sensitive personal data, including banking details of more than 1,600 Natwest customers, has been left in a former employee’s home for more than a decade because the bank has been unable to reach an agreement on the safe return of the information.
The Jerusalem Post: The cybersecurity competition, in partnership with the Mayor’s Office of the Chief Technology Officer (MOCTO) and the New York City Economic Development Corporation (NYCEDC), attracted over 160 cybersecurity start-ups from 18 countries, all presenting solutions to help small businesses protect themselves against cyberattacks.
Asian Investor: The Singaporean state investor remains on the lookout for promising cybersecurity assets to complement its existing platform and provide more than just healthy investment returns.
The target: Suprema, a South Korean biometrics company.
The take: Unencrypted fingerprint data, facial recognition information and images, which are used to secure sensitive physical locations, user permissions and activity logs. Further to this, an additional 27.8 million records of data which included: client dashboards, usernames, passwords, ID’s, staff security levels and clearances, home addresses and emails; business hierarchies; mobile devices and operating system information.
The attack vector: An unsecured server accessed via web browser. This weakness let attackers manipulate the URL to expose huge amounts of unprotected data. Access to this information would allow: unauthorized changes to existing security settings within organization, lock out staff from their own systems, gain access to physical facilities, set up sophisticated phishing campaigns targeting senior personnel, and alter activity logs.
Reuters: The European Central Bank (ECB) shut down one of its websites on Thursday after it was hacked and infected with malicious software.
The ECB said no market-sensitive data had been compromised during the attack on its Banks’ Integrated Reporting Dictionary (BIRD), which it uses to provide bankers with information on how to produce statistical and supervisory reports.
Computer Weekly: The majority of UK financial companies are failing to prevent cyber security incidents, mainly because of employees failing to follow security policies and a lack of security budget, a survey reveals...
SC Media: First American Financial Corp. is reportedly the subject of a US Securities and Exchange Commission investigation, following the discovery of a website defect that left 885 million documents exposed to the public.
CNBC: Presidential contender Sen. Elizabeth Warren wants the Federal Trade Commission’s inspector general to open an investigation into the agency after it announced that victims of the Equifax data breach will get “nowhere near” the $125 compensation package originally advertised.
Reuters: Canadian lender Desjardins Group said on Monday it spent C$70 million ($53 million) in the second quarter related to a data privacy breach earlier this year that exposed personal information of 2.9 million members.
The company offered the affected accounts a credit monitoring plan and identity theft insurance for five years, without any additional costs to those customers, Desjardins said.
Computing: The report, entitled "The Dark Side of Russia: How New Internet Laws & Nationalism Fuel Russian Cybercrime", claims that Russia's new internet laws, which will come into effect on 1st November, will make it difficult for companies operating in Russia to protect both their communications and the privacy of their customers.
Forbes: Apple has massively increased the amount it’s offering hackers for finding vulnerabilities in iPhones and Macs, up to $1 million. It’s by far the highest bug bounty on offer from any major tech company.
That’s up from $200,000, and in the fall the program will be open to all researchers. Previously only those on the company’s invite-only bug bounty program were eligible to receive rewards.
The target: Sark Technologies
The take: Personal information of over 43,000 customers including: names, addresses, phone numbers, email address, encrypted card numbers and cardholder data.
The attack vector: A vulnerability within an image upload function of Sark Technologies’s reservation and management software, SuperINN. This allowed attackers to insert malicious scripts to export customer data to their own pockets. In addition, the hackers also identified another pathway of attack through a vulnerability in a SQL injection, using this to further extract sensitive cardholder data.
The Government of Canada: the Government is announcing two initiatives to help advance Canada’s National Cyber Security Strategy: the release of a National Cyber Security Action Plan, and the re-launching of the Cyber Security Cooperation Program with $10.3 million available over five years to support initiatives in the area of cyber security in Canada.
The LA Times: It took a $650,000 salary for Matt Comyns to entice a seasoned cybersecurity expert to join one of America’s largest companies as chief information security officer in 2012. At the time, it was among the most lucrative offers out there.
MAS: The Monetary Authority of Singapore (MAS) today issued a set of legally binding requirements to raise the cyber security standards and strengthen cyber resilience of the financial sector. The Notice on Cyber Hygiene sets out the measures that financial institutions must take to mitigate the growing risk of cyber threats.
CNN: North Korea earned as much as $2 billion dollars through large-scale cyber attacks to help fund its weapons programs, a United Nations panel alleges in a new report.
CNBC: That brings the total amount of funds the start-up raised to $400 million since it was founded in 2012. Other backers include Lockheed Martin, CRV and Spark Capital. Cybereason did not disclose its valuation.
Computer Weekly: The UK cyber security services market is one of the most mature in the world. It has benefited from the development of a higher education system that generates significant numbers of cyber security professionals, a mature training market that allows people to cross-train, and well-structured career pathways to promote professional practices, underpinned by codes of conduct and ethics that are both meaningful and enforceable.
SEC: Mr. Cohen is the first Chief of the Cyber Unit, created in 2017. The unit focuses on violations involving digital assets and cryptocurrency, cyber-related trading violations such as hacking to obtain material nonpublic information, and cybersecurity disclosures and procedures at public companies and financial institutions. Previously, Mr. Cohen was Co-Chief of the Market Abuse Unit.
The target: Capital One Bank
The take: Highly sensitive information of 106 million customers including: 140,000 Social Security numbers, 1 million Social Insurance Numbers for Canadian credit card customers, bank account numbers, credit card application data including scores, balances, limits and payment history, and some of transaction data.
The attack vector: A misconfigured firewall in Capital One’s AWS infrastructure allowed the attacker to clone data housed in cloud storage instances. The attacker employed VPN and anonymized browsing to execute the attack surreptitiously – but was ultimately found out when they bragged about the heist in public Slack channels. Capital One was notified of the breach via an e-mail tip with directions to a public Github repository where the attacker had archived some of the exfiltrated data.
The Wall Street Journal: BlackRock Inc. is no longer in talks with Pamplona Capital Management to take over the private-equity firm’s stake in cybersecurity company Cofense Inc.
The New York Times: A single weak spot is all savvy hackers need. And they often find them. Already this year, there have been 3,494 successful cyberattacks against financial institutions, according to reports filed with the Treasury Department’s Financial Crimes Enforcement Network.
BTA: The owner of a cyber security company was arrested Tuesday morning for a recent personal data breach in the National Revenue Agency (NRA), sources of the prosecution office told BTA. He was remanded at Sofia Airport as he arrived from Istanbul.
BGR: Just as Equifax is settling an FTC case on the massive data breach from a couple of summers ago, Capital One had to come forward and admit that it suffered a massive breach of its own, affecting more than 100 million customers in America and Canada. The person responsible is already in custody, however, with the FBI saying she practically admitted everything online.
Reinsurance News: Corvus Insurance, an AI-driven insurtech MGA backed by ILS and reinsurance investment manager Hudson Structured Capital Management (HSCM), has expanded its product line with an offering that focuses on silent cyber risks posed by cargo insurance policies.
KnowBe4: Global losses to cybercrime total $1.5 trillion per year, which amounts to $2.9 million per minute, a new report by RiskIQ shows. Some of the largest companies are losing $25 each minute due to security breaches. Phishing campaigns accounts for losses of $17,700 per minute and ransomware attacks are expected to cost the world $22,184 per minute this year.
Cision: As criminal innovation outpaces defensive efforts, cyberattacks are becoming more ubiquitous and sophisticated, and businesses, governments, and individuals are more vulnerable than ever. In a perspective-shifting new article, "Casting the Dark Web in a New Light" (MIT Sloan Management Review), cybersecurity researchers and scientists Keman Huang, Michael Siegel, Keri Pearlson, and Stuart Madnick offer a new lens through which to consider cybercrime.