The Target: DraftKings, a U.S.-based sports betting website.
The Take: $300,000 USD of customer funds.
The Vector: A credential stuffing attack. User passwords that had been exposed in other breaches were reused as DraftKings logins, which let the attackers log in to those accounts and steal the funds.
This breach is a stark reminder of how critical authentication controls are in a robust overall cybersecurity posture. Credential stuffing attacks can be avoided by enforcing multi-factor authentication and reasonably paced password resets. It is important to employ effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.
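The defensive side of the attack described above, as an added example that is not DraftKings code: a small detector that scans authentication logs for the signature of credential stuffing (one source trying many distinct accounts with mostly failures) and reports which accounts the reused passwords actually opened, so those can be reset and enrolled in MFA. The log format and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (format assumed): "<ISO timestamp> <src ip> <account> <OK|FAIL>".
# 203.0.113.7 sprays a reused-password list across many accounts; 198.51.100.9 is
# a single user mistyping their own password, which must not be flagged.
SAMPLE_LOG = """\
2022-11-18T10:00:01 203.0.113.7 alice FAIL
2022-11-18T10:00:02 203.0.113.7 bob FAIL
2022-11-18T10:00:03 203.0.113.7 carol OK
2022-11-18T10:00:04 203.0.113.7 dave FAIL
2022-11-18T10:00:05 203.0.113.7 erin FAIL
2022-11-18T10:00:06 203.0.113.7 frank FAIL
2022-11-18T10:00:07 203.0.113.7 grace OK
2022-11-18T10:00:30 198.51.100.9 heidi FAIL
2022-11-18T10:00:45 198.51.100.9 heidi FAIL
2022-11-18T10:01:02 198.51.100.9 heidi OK
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, account, result), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return sorted(events)

def find_stuffing_sources(text, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that, inside any `window`, attempt logins against at least
    `min_accounts` distinct accounts with a failure ratio of `min_fail_ratio` or
    more. For each flagged IP return the accounts that nonetheless logged in:
    those are the reused passwords that worked and need a forced reset."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in parse_log(text):
        by_ip[ip].append((ts, account, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {a for _, a, _ in span}
            fails = sum(r == "FAIL" for _, _, r in span)
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                flagged[ip] = sorted(a for _, a, r in evs if r == "OK")
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))  # {'203.0.113.7': ['carol', 'grace']}
```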
BNN Bloomberg: The European Parliament’s website was knocked offline following what its president, Roberta Metsola, described as “a sophisticated cyberattack.” She said a pro-Kremlin group claimed to be behind the attack.
Forbes: For the past two years, the market was like a roller coaster, up, up and up the tracks to hit new and exciting highs. But what goes up must come down, and this year’s market correction has left many passengers screaming as the market tumbles downward.
Financial Post: Stricken crypto exchange FTX has suffered cyberattacks and “substantial” assets are missing, attorneys for the firm said, after a court filing said the firm has a total cash balance of $1.24 billion.
Nasdaq: While Cybersecurity Awareness Month recently concluded, the efforts to combat cybercrime continue every day, and for investors, this presents a critical opportunity to invest in this industry that is poised for future growth.
Forbes: Reports in the last year from AARP and the Federal Trade Commission have shown that veterans are at higher risk of digital crime.
Fortune Education: As the number of cybersecurity attacks continues to rise, so does the demand for the talent to protect against them. In fact, there are more than 700,000 open cybersecurity positions in the U.S. alone—and the occupation is growing more than twice as fast as the overall rate across the country’s economy, data from CyberSeek shows.
Global News: “Cyberattacks are unfortunately becoming more and more prevalent and sophisticated in our society and, despite all the measures we put in place, public administrations are not completely immune to this sad reality,” Westmount Mayor Christina Smith wrote in the statement.
The Target: CorrectCare, a U.S.-based integrated health service for correctional facilities.
The Take: Exposure of Personally Identifiable Information of 600,000 inmates including: name, date of birth, social security number, and limited health information.
The Vector: A misconfigured data server was left open and unsecured, meaning anyone with an internet connection could have viewed and downloaded the data.
This breach is a critical reminder that authentication controls are an important piece of a robust overall cybersecurity posture. Multi-factor authentication, reasonably regular forced password resets, and password length and complexity rules are all effective strategies to mitigate these kinds of breaches to protect a firm’s data.
Silicon Canals: The Hague-based Eye Security, a subscription-based cybersecurity and insurtech company, announced on November 16, that it has secured €17M in a fresh financing round led by global venture capital firm Bessemer Venture Partners.
CNN: A Ukrainian man wanted for over a decade by the FBI for a multimillion-dollar hacking scheme has been arrested in Switzerland and is awaiting extradition to the US, Swiss authorities confirmed to CNN.
Financial Post: Canada ranks fifth among 20 countries in its preparation for and response to cybersecurity threats, according to a standard created by an academic journal and a security vendor.
Holland & Knight: The New York Department of Financial Services (NYDFS) on Nov. 9, 2022, released Proposed Amendments to its Cybersecurity Regulation. The NYDFS Cybersecurity Regulation was one of the first laws requiring companies to comply with a prescriptive set of requirements in their cybersecurity program and has been credited for influencing similar requirements by several other regulatory bodies.
Businesswire: Financial services organisations in the UK are preparing for an onslaught of increased cyberattacks in the next year, according to new research by Keeper Security. The 2022 Financial Services Cybersecurity Census Report uncovered that, on average, UK financial services businesses experienced 39 cyberattacks in the last 12 months and one in 10 experienced between 500 and 1,000 attacks.
CTV News: The federal auditor general says government departments have not always effectively implemented measures to ensure secure storage of information in the digital cloud.
The Target: Harcourts’s Melbourne branch, a real estate company.
The Take: Exposure of Personally Identifiable Information including: names, email addresses, home addresses, phone numbers, copies of signatures, photo identification, and some bank details.
The Vector: An employee’s credentials were compromised at one of Harcourts’s third-party providers, Stafflink. The breach occurred because the employee was using one of their own unsecured devices for work rather than a company-issued device. The compromised account gave the attacker full access to the above personal information.
This breach is a stark reminder of how critical authentication controls are in a robust overall cybersecurity posture, and more critically, that enforcing security rules and strategies is only effective if employees are using compliant devices on which those rules apply. Enforcing multi-factor authentication, reasonably paced password resets, and regular social engineering and phishing awareness training are all effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.
Forbes: Executives and other business leaders are constantly bombarded—whether by email, social media or otherwise—with advertising of the latest and greatest cybersecurity products. With thousands of vendors offering solutions in the cybersecurity space, it's no surprise that they are all clamoring for attention and, of course, some share of the wallet.
Harvard Law School Forum: Digitalisation has changed the way companies operate and given rise to a rapidly evolving set of risks that companies face and must prepare for – cybersecurity risks. The increasing prevalence of cyber attacks, notably ransomware, coupled with declining availability of cyber insurance, is leaving companies increasingly exposed to the often-significant impacts of a cybersecurity incident.
Atualidade: The legislation, already agreed between MEPs and the Council in May, will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions.
Mint: According to the report, India respondents consider a catastrophic cyberattack, a resurgence of COVID-19 or a new health crisis, and a new geopolitical conflict among the top three risks.
S&P Global: U.S. information technology M&A activity remained muted in October, despite continued interest in cybersecurity targets. Overall, sector deal volume was down 32.4% year over year in October. At 192 transaction announcements, the month also had eight fewer deals than September, extending 2022's tech M&A downturn.
BNN Bloomberg: Data stolen from an Australian health insurer, including the names, addresses and birthdates of hundreds of customers, has been posted to a forum on the so-called dark web.
Spiceworks: The private markets are seeing an influx of interest from retail investors, but a lack of security technology and practices is threatening innovation, which could hinder private market transformation, forebodes Alin Bui, CSO & co-founder of Anduin.
The Target: Dropbox, a U.S.-based file hosting service.
The Take: Exposure of 130 private GitHub repositories, which contained sensitive files and source code, monitoring tools, and configuration files used by the security team.
The Vector: The attacker created a fake login page for one of Dropbox’s third-party integrated platforms, CircleCI, which allowed them to steal the legitimate credentials that employees entered.
This breach highlights the critical need for employee training to protect a firm against phishing attacks. Using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.
Canadian Lawyer: Legal departments are playing an increasingly important role in cybersecurity strategy, and chief legal officers in particular are often front and center, with 84 percent of CLOs now playing a key role in the cybersecurity strategy for their organization – up from 76 percent in 2020 – according to a new report.
BNN Bloomberg: Companies that make security software have turned out to be a relative bright spot in this year’s stock market meltdown, favored by both traders and firms looking to make acquisitions.
Hedge Week: Unfortunately, there is no black box, single hire or other singular silver bullet solution that will solve the cybersecurity challenge by itself. So organisations need to be prepared by having an array of multiple solutions and tools at their disposal to defend against, respond to and remediate a potential attack.
Mondaq: The U.S. Department of Justice (DOJ) issued a press release announcing the unsealing of a criminal complaint in which intelligence officers from the People's Republic of China ("PRC") were charged with attempting to obstruct a criminal prosecution in the Eastern District of New York.
CNBC: U.S. banks and financial institutions processed roughly $1.2 billion in likely ransomware payments in 2021, a new record and almost triple the amount of the previous year, according to a federal financial crimes watchdog.
Business Wire: LastPass today released findings from its fifth annual Psychology of Password findings, which revealed even with cybersecurity education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviors across the board.
Malay Mail: The US Treasury last month repelled cyber attacks by a pro-Russian hacker group, but the incident caused little to no disruption and confirmed that the department’s stronger approach to financial system cybersecurity was working, a US Treasury official said.