If it sounds too good to be true…
Adidas fans hit by phishing scam
Why users always fall for the lamest phishing scams is beyond comprehension, but hackers take advantage of this weakness and hide their scheming behind the usual fake prizes and too-good-to-be-true giveaways. This time, it was Adidas’ turn to feature in a major phishing scam that targeted users in specific regions.
A fake Adidas campaign promising free shoes instantly became popular through WhatsApp, and it’s not even the first time such a phishing scheme was used this year. To celebrate its 69th anniversary, the sports company was allegedly giving away 2,500 pairs of shoes to users who filled out a four-question survey. All they had to do was click on a link to claim the prize and share it on WhatsApp with their contacts
… No matter how many times users tried to share the campaign, they had no way to confirm that the share actually went through. It was just part of the scam. The very detail that they couldn’t choose color or size should have been a hint that it wasn’t a legitimate campaign – either that or the misspelled company name in the spoofed link.
Users were promised free sneakers in exchange for $1 to claim them, but all they were left with was a recurring $50-per-month subscription fee. Through the scam, hackers got access to users’ payments and contact details. The subscription users are automatically signed up for the “organizejobs” service, which has been identified as a scam.
Not the best ‘Business Continuity’ example.
'We do not know when this is going to be fixed,' American says of CLT flight problems
American Airlines struggled to recover Monday from a recurring computer problem that left one of its key regional carriers unable to fly to or from Charlotte Douglas International Airport, stranding hundreds of passengers for the second time in a week.
The problem, airline spokeswoman Katie Cody said, traced back to the crew scheduling and tracking system at PSA Airlines, a wholly-owned subsidiary that operates flights under the American Eagle brand. The issue is with hardware at PSA's headquarters in Dayton, Ohio, and it's left the carrier unable to get flight crews and planes matched up. About 350 flights into and out of Charlotte have been canceled since Sunday, Cody said.
… PSA canceled about 70 flights on Sunday, a bit more than 10 percent of the total at Charlotte Douglas. A similar number were planned to be canceled Monday night, Cody said.
For PSA, it was the second time in a week trouble struck. A technical issue with the regional carrier caused more than 120 Charlotte flights to be canceled last week, on Thursday, and the issue continued into Friday morning.
… The outage indicates there might not be a backup software system for crew scheduling at PSA, Harteveldt said. The problem also appears to be bigger than American first realized, he said.
“This is apparently a more complex problem than initially thought, and it could take several days, based on my understanding, potentially even a week, to really fix this,” he said.
What's different? Only the excuses.
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
...
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html
SOURCE: HHS
Previous coverage of the incidents referenced in this case can be found on DataBreaches.net here.
Will this rise to the level of a significant concern? Will surveillance technology find itself limited to small, closely held companies or even foreign companies?
Amazon shareholders call for halt of facial recognition sales to police
In a letter delivered to CEO Jeff Bezos late Friday, the shareholders, many of whom are advocates of socially responsible investing, say they're concerned about the privacy threat of government surveillance from the tool.
Amazon's technology, called Rekognition and introduced in 2016, detects objects and faces in images and videos. Customers, which include law enforcement in Orlando, Florida and Washington County, Oregon, can upload face databases to automatically identify individuals.
… The shareholders, which include the Social Equity Group and Northwest Coalition for Responsible Investment, are joining groups such as the ACLU in efforts to stop the company from selling the service — pointing out the risks of mass surveillance.
… "We are concerned the technology would be used to unfairly and disproportionately target and surveil people of color, immigrants, and civil society organizations," the shareholders write. "We are concerned sales may be expanded to foreign governments, including authoritarian regimes."
In a blog post earlier this month, Matt Wood, a general manager of artificial intelligence at Amazon Web Services, said Amazon's policy prohibits the use of its service for activities that are illegal, violate the rights of others, or may be harmful.
Plus ça change, plus c'est la même chose. What else could you expect when the “punishment” required a few days of pretending to be sorry and moving to a new office.
Cambridge Analytica staffers are on the job – working on 2020 campaign
Quartz: “Hang on to your data, dear Facebook friends. Cambridge Analytica—the political consultancy that collapsed into bankruptcy in May after a scandal about its nefarious information-collection methods—is apparently metamorphosing. The company that Mark Zuckerberg admitted targeted 87 million Facebook users’ data, and whose work could well have influenced elections in the US and UK, may be currently disgraced. But it also appears to be putting a new face on its same old data-gathering gig. The Associated Press (AP) on June 15 reported that top staffers from the fallen consultancy are back on the job at a newly-formed company with a name that’s eerily reminiscent of the last place they worked—Data Propria. As the name implies, the new company is similarly preoccupied with gathering information, specifically to target voters and consumers. Basically, it’s the same mission that Cambridge Analytica had. Matt Oczkowski—head of product at the predecessor firm—is leading Data Propria, which also employs Cambridge Analytica’s former chief data scientist, David Wilkinson, and others from the scandal-ridden company…”
(Related) What does political awareness have in common with digital savviness?
Distinguishing Between Factual and Opinion Statements in the News
“The politically aware, digitally savvy and those more trusting of the news media fare better; Republicans and Democrats both influenced by political appeal of statements. In today’s fast-paced and complex information environment, news consumers must make rapid-fire judgments about how to internalize news-related statements – statements that often come in snippets and through pathways that provide little context. A new Pew Research Center survey of 5,035 U.S. adults examines a basic step in that process: whether members of the public can recognize news as factual – something that’s capable of being proved or disproved by objective evidence – or as an opinion that reflects the beliefs and values of whoever expressed it. The findings from the survey, conducted between Feb. 22 and March 8, 2018, reveal that even this basic task presents a challenge. The main portion of the study, which measured the public’s ability to distinguish between five factual statements and five opinion statements, found that a majority of Americans correctly identified at least three of the five statements in each set. But this result is only a little better than random guesses. Far fewer Americans got all five correct, and roughly a quarter got most or all wrong. Even more revealing is that certain Americans do far better at parsing through this content than others. Those with high political awareness, those who are very digitally savvy and those who place high levels of trust in the news media are better able than others to accurately identify news-related statements as factual or opinion…”
(Related) Will anyone learn from these examples?
Cyber Attack Aims to Manipulate Mexican Election
On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.
PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack.
… The source of the DDoS attack is unknown and possibly unknowable – but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.
The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.
The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.
This last possibility is not a serious proposal – but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above -- a straightforward DDoS attack by cybercriminals.
I wonder what caused/allowed this?
KPMG's audit work unacceptable, says watchdog
The auditing work of one of the world's "Big Four" accounting firms has been sharply criticised by the industry's watchdog.
KPMG audits had shown an "unacceptable deterioration" and will be subject to closer supervision, the Financial Reporting Council said.
The FRC added all the Big Four - which also include PwC, EY and Deloitte - needed to reverse a decline.
KPMG said it was "disappointed" and was taking steps to improve audit quality.
… "There has been an unacceptable deterioration in quality at one firm, KPMG," the FRC said in a statement. "50% of KPMG's FTSE 350 audits required more than just limited improvements, compared to 35% in the previous year."
… "They must address urgently several factors that are vital to audit, including the level of challenge and scepticism by auditors, in particular in their bank audits. We also expect improvements in group audits and in the audit of pension balances."
… KPMG came in for criticism over its audit of collapsed construction firm Carillion earlier this year, and the FRC has opened an investigation into the group under the Audit Enforcement Procedure.
The auditor was also recently fined £3.2m by the watchdog over its audit of insurance firm Quindell. Last year, the FRC opened an investigation into KPMG's audit of the accounts of aero-engine maker Rolls-Royce.
… the accounting industry has faced a lot of criticism in the last few years over whether their verdicts on companies' accounts can be trusted.