Sunday, November 25, 2018

What would happen if hackers attacked all the hospitals in a given area? How far can emergency patients be transported for care? How would you move all intensive care patients?
Linda Comins of The Intelligencer is reporting:
Emergency squad patients are being diverted away from Ohio Valley Medical Center and East Ohio Regional Hospital this weekend because the hospitals’ computer system has been attacked by Ransomware.
Karin Janiszewski, director of marketing and public relations for OVMC and EORH, confirmed Saturday afternoon that a Ransomware attack had occurred. The incident began Friday night.
Read more on The Intelligencer.




What procedure 1) would have prevented this, and 2) should have been spelled out in the contract?
Bill Dolan reports:
The Lake Ridge School Corp. has had another financial setback only weeks after voters declined to provide more tax revenue to the struggling institution.
The school district recently lost a legal battle with a New York bank to recover more than $120,000 stolen two years ago by an offshore computer hacker.
School Superintendent Sharon Johnson-Shirley said this week she still believes Bank of New York Mellon should have reimbursed the school district.
However, U.S. District Court Judge Theresa Springmann dismissed her lawsuit against the bank, ruling earlier this month that the bank cannot be held responsible under its contract with the school corporation.
Read more on NWI Times.
[From the article:
The fraud occurred Oct. 12, 2016, when the bank's employees followed instructions contained in what they thought was a legitimate email from the school district to pay $120,882 to several people listed as project contractors.
Court documents filed by the bank state they later discovered, "the pay affidavit was fraudulent and had been submitted by someone who had allegedly hacked into (a school official's) email while she was on vacation." [I wonder if they learned about that on social media? Bob]
"It was wire fraud from overseas," Johnson-Shirley said. "The FBI said it had to do with someone in Africa somewhere."
… She said the school district since has put security measures in place to prevent future hacking incidents. [Barn door. Horse. Bob]




It might be worth gathering ‘Best Practices’ in order to teach a class on GDPR breach responses to my Computer Security masters students.
Here’s a more detailed analysis of the GDPR fine of 20,000€ levied against a German flirting site, knuddels.de. Dr. Henrik Hanssen and Dr. Stefan Schuppert write:
In the first fine issued by a German data protection authority under the European General Data Protection Regulation (“GDPR”), on 21 November 2018 the authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of Euro 20,000 on a social media provider for a violation of its data security obligations under Art. 32 of the GDPR. The company’s very good cooperation with the LfDI was key to avoiding a higher level of fines.
Background
According to the press statement of the LfDI (in German), the Company contacted the LfDI with a data breach notification following a hacker attack in the summer of 2018. The attack resulted in the unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses.
After becoming aware of the incident, the Company immediately informed its users about the attack in a comprehensive and fully transparent manner (as per Art. 34 GDPR). In the proceedings with the LfDI, following the notification of the data breach to the regulator (as per Art. 33 GDPR), the Company disclosed its data processing and company structures as well as its own security failures to the LfDI in an “exemplary manner.” During this investigation, the LfDI became aware that the Company had stored the passwords in plain text and in an unencrypted format, which helped facilitate the attack.
Read more of their analysis on Hogan Lovells Chronicle of Data Protection. The analysis concludes with a few take-home lessons, including the value of cooperation and transparency.
The latter is something that this site has been particularly critical about in reviewing the incident response of a number of U.S. entities when breaches are disclosed. Consider the recent disclosure by Amazon, who did not explain anything about the “technical error” that resulted in customers’ names and email addresses being exposed and who simply ignored my inquiries to @Amazon and @AmazonHelp.
As consumers, we have no idea for how long this “technical” problem occurred, whether bad actors may have scraped our data, and whether our email addresses could be linked to our wish lists or orders on the site.
Will EU regulators look at the Amazon incident and decide to make an example of Amazon in terms of obligations under Article 34 of the GDPR?
[From the Chronicle article:
The following lessons can be learned from the German enforcement action:
  • Having processes in place to promptly detect and report data breaches is paramount.
  • Be prepared to accept that notifying a personal data breach might open the door for further regulatory investigations, although this is less likely for minor breaches (in this case, passwords of 330,000 users were lost as a consequence of a malicious attack and the unencrypted storage of those passwords was a contributing factor).
  • Learn to manage the reputational impact. In its statement, the LfDI only mentioned that the enforcement involved a social media provider based in Baden-Württemberg (although the media quickly identified the provider behind the press release). From this, there is a positive message: by cooperating with regulators, it may still be possible to be portrayed as a “good corporate citizen” from a privacy perspective.
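As an added illustration of the Art. 32 point above (a user table holding passwords in plain text), and not code from the original post or from the company involved: the hypothetical `migrate_plaintext_store`, `hash_password` and `verify_password` below show how such a table is converted to salted, slow PBKDF2 records and what a login check looks like afterwards. The user names, passwords and the iteration count are constructed or assumed values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of the kind of table the LfDI found: user -> plain-text password.
# Anyone who dumps this table holds every credential directly. (Values are made up.)
PLAINTEXT_STORE: Dict[str, str] = {
    "alice@example.com": "hunter2",
    "bob@example.com": "hunter2",
}

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed cost; tune so one hash takes ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted, slow hash and pack it as 'algo$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record (for example a leftover plain-text value)
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def migrate_plaintext_store(store: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace every plain-text value with a hashed record.

    Afterwards a dump of the table yields no reusable passwords, and two users
    who share a password still get different records because each has its own salt.
    """
    return {user: hash_password(pw) for user, pw in store.items()}


if __name__ == "__main__":
    migrated = migrate_plaintext_store(PLAINTEXT_STORE)
    for user, record in migrated.items():
        print(user, record[:40] + "...", verify_password(record, "hunter2"))
```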




Getting serious.
UK Parliament seizes internal Facebook documents
The UK Parliament is determined to get to the bottom of Facebook's data privacy practices, whether or not Mark Zuckerberg is willing to testify. Digital Culture, Media and Sport committee (DCMS) chairman Damian Collins used an uncommon process to force the founder of software developer Six4Three to hand over internal Facebook documents while he was on a business trip to London. The files reportedly include details of Facebook data decisions that enabled the Cambridge Analytica scandal, including emails between executives and conversations with Zuckerberg.
… The files are already subject to an order from a California court, which would restrict them from being published in the US. Facebook has already called on the DCMS committee to both avoid reviewing the documents and to bring them back to either Facebook or its legal counsel. However, it's not certain that Facebook can actually force this since Parliament was acting under its own jurisdiction.




Perhaps we don’t have the correct mindset. We say criminal, others might say Intelligence Operatives. Would the US give up NSA employees?
Dennis Fisher reports:
A top United States law enforcement official called out Russia for not cooperating with cybercrime investigations on Russian citizens, and said the U.S. will continue to “identify nations that routinely block the fair administration of justice and fail to act in good faith”.
In a speech before the Interpol General Assembly on Sunday, Deputy Attorney General Rod Rosenstein said the U.S. has extradited 95 Americans to other countries to stand trial, but said other countries are not reciprocating, particularly when it comes to cybercrime. Rosenstein pointed specifically to the case of Alexsey Belan, a Russian who is under indictment in the U.S. for several major attacks, including an intrusion at Yahoo. The U.S. has issued two arrest warrants for Belan, who was allegedly hiding somewhere in Europe, and Interpol also issued a Red Notice requiring law enforcement agents to arrest him in any country. But Belan eventually made his way back into Russia, where Russian intelligence recruited him, Rosenstein said, and had him target U.S. companies, including Yahoo.
Read more on Decipher.




Perspective.
Over a third of online Black Friday purchases came from phones
If you spent Black Friday hunting for deals on your smartphone, you're not the only one. Adobe analysts have determined that just over a third (33.5 percent) of online Black Friday sales were completed on smartphones -- a large uptick from 29.1 percent just one year earlier. People were willing to splurge, too. There was over $2.1 billion in sales, a leap from the previous record ($1.4 billion) set on Cyber Monday, not Black Friday.
This comes on the back of a spike in Black Friday sales, with people spending $6.22 billion (a 23.6 percent increase over 2017).

