The
unexpected costs of acquiring a company with poor security.
Kevin Martin reports:
The massive data hack of guest information from the Marriott hotel empire has triggered a $100-million class action lawsuit in Calgary.
A statement of claim filed in Calgary Court of Queen’s Bench says the data breach in which hackers accessed records on as many as 500 million hotel guests was due to the chain’s lack of adequate security.
“The defendants knew or ought to have known that their databases were vulnerable to loss or theft,” says the claim, filed by Calgary lawyer Clint Docken and Edmonton counsel James Brown.
Read
more on Calgary
Sun.
Does this reduce their liability? Should they be
required to pay ransom?
IT service
provider refuses to pay ransom, hackers publish stolen data online
… In
a statement
posted
high on its official web site, CityComp publicly admits it fell
victim to a “targeted cyberattack” sometime last month, and while
the company has since fended off the hackers, customer data
unfortunately got leaked.
“A
still unknown perpetrator has stolen customer data of CITYCOMP and
threatened the company with publication, should it not comply with
the blackmail attempt,” the company states.
… “Since
CITYCOMP does not comply with blackmail the publication of customer
data could not be prevented,”
the notice continues. “The stolen data has now been published by
the perpetrators and CITYCOMP’s customers were informed about it.”
… Many
of CityComp’s clients are located in the European Union, which
means the company should brace for GDPR impact.
Interesting. I might have to tweak my Computer
Security curriculum to reflect some of these requirements. (Probably
not.)
Oh,
I missed something yesterday. President Trump signed an Executive
Order on America’s Cybersecurity Workforce. I can’t find it in
the Federal Register yet, but you can read it here.
“Let’s
turn off the alarms!” a Hollywood cliche.
Design
Flaws Create Security Vulnerabilities for ‘Smart Home’
Internet-of-Things Devices
Researchers
at North Carolina State University have identified design flaws in
“smart home” Internet-of-Things devices that allow third parties
to prevent devices from sharing information. The flaws can be used
to prevent security systems
from signaling that there has been a break-in or uploading video of
intruders.
… “Essentially,
the devices are designed with the assumption that wireless
connectivity is secure and won’t be disrupted – which isn’t
always the case,” says Bradley Reaves, co-author of the paper and
an assistant professor of computer science at North Carolina State.
“However, we have
identified potential solutions that can address these
vulnerabilities.”
… “One
reason these attacks are so problematic is that the system is telling
homeowners that everything is OK, regardless of what’s actually
happening in the home,” Enck says.
These
network layer suppression attacks are possible because, for many IoT
devices, it’s easy to distinguish heartbeat signals from other
signals. And addressing that design feature may point the way toward
a solution.
“One
potential fix would be to make heartbeat signals indistinguishable
from other signals, so malware couldn’t selectively allow heartbeat
signals to pass through,” says TJ O’Connor, first author of the
paper and a graduate student at North Carolina State.
… The
paper, “Blinded
and Confused: Uncovering Systemic Flaws in Device Telemetry for
Smart-Home Internet of Things,”
will be presented at the 12th ACM Conference on Security and Privacy
in Wireless and Mobile Networks being held May 15-17 in Miami, Fla.
Welcome
to ‘Big Brother Net.’
Russia's
new internet law presents a cybersecurity minefield for global
enterprises
… A
new measure signed into law this week by Russian President Vladimir
Putin that would enable the country to create
its own internet network,
independent from the rest of the world and regulated by national
telecom agency Roskomnadzor (RKN), should give corporate executives
around the pause about the cybersecurity implications of doing
business in the country moving forward. As part of the maneuver,
Russia has also demanded 10 of the top providers of Virtual Private
Networks (VPNs) to connect
to a state content-filtering system or
be banned from operating in the country.
According to
Francis Dinha, CEO of OpenVPN, one of the aforementioned VPN
providers facing a ban by the Russian government, companies with
remote workers in the country that need to access sensitive
information from their homes offices in the U.S., Europe or elsewhere
will have to rethink their security approach moving forward as
authorities will have the
ability surveil any data being transmitted through the new network.
A GDPR oops!
HMRC
to delete five million biometric voice records
The
UK's tax authority is to delete the biometric voice records of five
million people because it did not have clear consent from its
customers to have those files.
HM
Revenue and Customs (HMRC) uses the Voice
ID biometric voice security system to
make it easier for callers to pass its security processes when
discussing their account. It says using the system will reduce the
time it takes to speak to an advisor and will help prevent anyone
else accessing accounts.
But
the UK's data privacy watchdog the Information Commissioners Office
(ICO) said that HMRC failed to give customers sufficient information
about how their biometric data would be processed and failed to give
them the chance to give or withhold consent. "This is a breach
of the General Data Protection Regulation," the ICO said.
I’ll
look for the new ToS June 29th at 11:59:59 PM
European
Commission Forces Changes to Facebook Terms of Service
In yet another victory for privacy advocates, the
European Commission (EC) has forced social media giant Facebook to
amend its terms of service in order to accurately reflect how the
company makes money by selling user data. The Facebook terms of
service, once obfuscated by complicated, legalistic language, are now
going to state very clearly that Facebook provides its services free
of charge to consumers in return for the agreement that their
personal data will be shared with third parties and used for targeted
advertising. According to the agreement reached between the European
Commission, European consumer protection authorities and Facebook,
the Silicon Valley giant will have until June 30 to implement the new
changes.
Perspective.
Could Denver privatize RTD? Brobably not, but Leadville could.
‘Uber
Was Supposed To Be Our Public Transit’
In
2017, the growing Toronto exurb of Innisfil, Ontario, became one of
the first towns in the world to subsidize Uber rides in lieu of a
traditional bus. Riders could pay a flat fare of just $3-$5 to travel
to community hubs in the backseat of a car, or get $5 off regular
fares to other destinations in and around town.
People
loved it. By the end of the Uber program’s first full year of
service, they
were taking 8,000 trips a month.
… Now
“Innisfil
Transit”
is changing its structure. As of April 1, flat fares for the
city-brokered Ubers rose by $1. Trip discounts dropped to $4, and a
30-ride monthly cap was implemented. Town leaders say this will
allow Innisfil to continue to cover costs.
But Hudson and
others see the changes as harmful, and a strange way of declaring
success.
