Equifax Agrees to Largest Ever Data Breach Settlement

In connection with the massive 2017 Equifax data breach which affected more than 147 million consumers, a global settlement has been reached to resolve a multi-district consumer action as well as a suit brought by the Federal Trade Commission. Equifax, one of the largest consumer reporting agencies, was allegedly aware of a critical security vulnerability in March 2017. However, it failed to address the issue until July 2017, when suspicious traffic was detected. Ultimately, on September 7, 2017, Equifax announced a data breach involving…
Continue reading...

Yearly Cyber Report Reveals Large Increases in Cyberattacks and Costs

The third Hiscox Cyber Readiness Report, which was published in April 2019, highlights the increased cyber risks that businesses are facing. The report, which drew data from seven countries (Belgium, France, Germany, the Netherlands, Spain, the United Kingdom, and the United States), noted the marked rise in both the amount of attacks and the overall costs stemming from cyber losses. Turning first to the increase in cyberattacks, 61 percent of respondents reported a cyber incident, up from 45 percent last year across the seven…
Continue reading...

Health Industry Cybersecurity Practices

Earlier this year the Department of Health and Human Services issued a report that in part detailed practices hospitals can use to avoid cyberattacks against the health care industry. The genesis of the report was the Cybersecurity Act of 2015 (CSA) and more specifically, section 405(d). That section calls for “aligning health care industry security approaches.” The forward to the report provides that “industry and government came together under the auspices of the 405(d) task group…focused on building a set of voluntary, consensus-based principles to…
Continue reading...

Congress Concludes Additional Federal Oversight Needed after Equifax Data Breach

“Equifax…failed to implement an adequate security program to protect this sensitive data…Such a breach was entirely preventable.” So concludes the December 2018 report on “The Equifax Data Breach” by the U.S. House of Representatives Committee on Oversight and Government Reform. The cause, according to the report, was Equifax’s “acquisition strategy [to benefit] bottom line and stock price,” which “growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks.” Risks, it seems, Equifax did not manage. In 2017, the Department of Homeland Security…
Continue reading...

Congress Continues to Grapple with Election Interference

The Secure Elections Act may be back on the table once again. The bipartisan bill was introduced “to protect the administration of Federal elections against cybersecurity Threats.” In large part, the bill was intended to combat concerns that Russia and other state and private actors could exploit vulnerabilities in backend election systems, including voter registration databases, ballot creation systems, voting machine configuration systems, absentee processing and reporting and tabulation software. The bill’s sponsors hope to pass a version of the bill in time to…
Continue reading...

GAO Report on Cybersecurity Provides Useful Strategies for Federal Agencies and Private Industry

The Government Accountability Office (GAO) recently published another report in its High-Risk Series detailing the major cybersecurity challenges facing the federal government and outlines key strategic elements to address those challenges. While the report focuses on issues pertaining to federal agencies, several of the observations, and recommendations are also applicable to private businesses. To start, the report details five key elements that are needed to make progress in addressing cyber threats: 1) Leadership Commitment; 2) Capacity; 3) Action Plan; 4) Monitoring; and 5) Demonstrated Progress.…
Continue reading...

Lessons in Cyber-Hygiene: How John Podesta was Caught by Phishing

Instead of a Hollywood-style cyberattack into an underground bank of highly secure servers, it appears Hillary Clinton’s campaign chairman John Podesta fell victim to a run-of-the-mill phishing email appearing to come from Google. On March 19, 2016, Podesta received an alarming email to his Gmail account indicating someone had accessed his account, inviting Podesta to click on a Bitly URL (a service providing shortlinks, or smaller URL addresses) pointing to a longer URL that looked like a Google link. According to Bitly’s statistics, the URL…
Continue reading...

Lessons in Cyber-Hygiene: Securing Employee Passwords

The human element remains a significant threat vector for institutions of all sizes, and management is well advised to take proactive steps to educate and implement effective “cyber-hygiene” policies for all employees to minimize the risks associated the range of social engineering tactics, from phishing to inadvertent disclosures, as well as curb the opportunities for plain old mistakes. The area of password protection is among the most obvious areas for improvement in the world of cyber-hygiene. In a recent survey of 750 IT administrators and…
Continue reading...

Judge Rules No Standing to Pursue Fear Of “Hacker Harm”

Last week a judge in the Southern District of Illinois trimmed several claims from a class action complaint made against Chrysler and Harman International Industries stemming from a 2015 WIRED magazine article. The July 21, 2015 WIRED article described the author’s experience of being a “digital crash-test dummy, a willing subject on whom [two hackers] could test the car-hacking research they’d been doing over the past year.” Less than two weeks after the article was published, on August 4, 2015, the plaintiffs filed their class…
Continue reading...

Cybersecurity Down on the Farm

The FBI and Department of Agriculture have issued a Private Industry Notification to increase awareness among farmers that growing reliance on precision agriculture technology, aka “smart farming,” brings increased vulnerability to cyberattacks. While the notification did not suggest attackers could gain control of physical machinery, unauthorized access to farm-level data regarding crop availability and pricing could be used to exploit US agriculture resources and market trends. Earlier this year, for example, the USDA and Microsoft hosted a worldwide competition to design data visualization tools that…
Continue reading...