
BNN Bloomberg: Colonial Pipeline Co. paid nearly US$5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
ZDNet: Web applications represented 39% of all data breaches in the last year, with phishing attacks jumping 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report.
Compliance Week: A Colorado-based broker-dealer will pay $1.5 million as part of a settlement announced by the Securities and Exchange Commission (SEC) over lapses in the filing of suspicious activity reports (SARs) related to the threat of cyber-breaches.
O Canada: President Joe Biden on Wednesday signed an executive order to improve federal cyber security capabilities and digital security standards across the private sector.
Yahoo Finance: A new report estimates nearly two-thirds of businesses globally, including 63 per cent in Canada, have seen an increase in targeted cyberattacks since they switched to widespread remote work.
MSN Money: Cybersecurity is more critical than ever, especially in a world already reeling from supply disruptions and bottlenecks caused by the coronavirus pandemic. The latest big ransomware attack, against Colonial Pipeline Co., is an eye-opener, as it has led to the shutdown of the 5,500-mile Colonial Pipeline system and could push up gasoline prices.
BNN Bloomberg: Criminals launched more websites to trick people into giving up data, downloading malware and sending them money during 2020, taking advantage of the pandemic lockdown by pretending to be celebrities, shops and government agencies, according to the U.K.’s National Cyber Security Centre.
The target: Peloton, an exercise equipment manufacturer.
The take: Exposure of personally identifiable information belonging to an unknown number of its 3 million users, such as user ID, instructor ID, location, workout statistics, gender and age, and studio check-ins.
The attack vector: The leak occurred due to a lack of authentication and authorization controls in the API endpoints used by Peloton’s mobile app, website, and backend (an API, or Application Programming Interface, is a software intermediary that allows two applications to exchange data). Unauthenticated individuals were able to manually send an API request and retrieve profile information for Peloton users, even if those profiles were marked as ‘private’.
This breach highlights the critical importance of robust authentication and authorization whenever user data is requested and transferred through a firm’s publicly accessible IT systems. Thorough testing of authentication and authorization controls is an integral part of maintaining a rigorous cybersecurity posture. Exposed personal data can lead to extremely effective phishing attacks and further data breaches affecting a firm’s customers.
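As an added illustration (example code, not Peloton’s own), the following minimal Python model shows a profile endpoint with the flaw described above beside a hardened version that authenticates the caller and then enforces the ‘private’ flag; the profile records, session tokens and field names are constructed for the demo.

```python
# Added example (not Peloton's code): a minimal model of a profile API that
# mirrors the flaw described above, beside a hardened version.
# All names, tokens and profile records below are constructed for the demo.

# Constructed data store: two profiles, one marked private.
PROFILES = {
    101: {"user_id": 101, "location": "Montreal", "age": 34, "private": True},
    102: {"user_id": 102, "location": "Toronto", "age": 41, "private": False},
}
# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}

PUBLIC_FIELDS = ("user_id", "location")            # safe to show to anyone
OWNER_FIELDS = PUBLIC_FIELDS + ("age", "private")  # only the profile owner


def vulnerable_get_profile(headers, user_id):
    """The flawed pattern: the handler never checks who is asking, so any
    unauthenticated request returns the full record, private or not."""
    profile = PROFILES.get(user_id)
    return (404, None) if profile is None else (200, dict(profile))


def hardened_get_profile(headers, user_id):
    """Authenticate first (a valid session token is required), then authorize:
    the owner sees everything, others see public fields of public profiles only."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return (401, None)                       # no credentials at all
    caller = SESSIONS.get(token[len("Bearer "):])
    if caller is None:
        return (401, None)                       # unknown or expired token
    profile = PROFILES.get(user_id)
    if profile is None or (profile["private"] and caller != user_id):
        # Same response for "missing" and "private, not yours" so that
        # probing user ids gives no signal about which private accounts exist.
        return (404, None)
    fields = OWNER_FIELDS if caller == user_id else PUBLIC_FIELDS
    return (200, {k: profile[k] for k in fields})
```

Testing the hardened handler with no token, a bad token, a non-owner and the owner against a private profile is the kind of check that would have caught this class of flaw before release.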
Institutional Asset Manager: At the same time, the behaviour and culture of financial institutions is under growing scrutiny from a wide range of stakeholders in areas such as sustainability, employment practices, diversity and inclusion and executive pay.
ABC News: In an apparent industry first, the global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.