What would happen if hackers attacked all the hospitals in a given area? How far can emergency patients be transported for care? How would you move all intensive care patients?
Linda Comins of The Intelligencer is reporting:
Emergency squad patients are being diverted away from Ohio Valley Medical Center and East Ohio Regional Hospital this weekend because the hospitals’ computer system has been attacked by Ransomware.
Karin Janiszewski, director of marketing and public relations for OVMC and EORH, confirmed Saturday afternoon that a Ransomware attack had occurred. The incident began Friday night.
Read more on The Intelligencer.
What procedure 1) would have prevented this, and 2) should have been spelled out in the contract?
Bill Dolan reports:
The Lake Ridge School Corp. has had another financial setback only weeks after voters declined to provide more tax revenue to the struggling institution.
The school district recently lost a legal battle with a New York bank to recover more than $120,000 stolen two years ago by an offshore computer hacker.
School Superintendent Sharon Johnson-Shirley said this week she still believes Bank of New York Mellon should have reimbursed the school district.
However, U.S. District Court Judge Theresa Springmann dismissed her lawsuit against the bank, ruling earlier this month that the bank cannot be held responsible under its contract with the school corporation.
Read more on NWI Times.
[From the article:
The fraud occurred Oct. 12, 2016, when the bank's employees followed instructions contained in what they thought was a legitimate email from the school district to pay $120,882 to several people listed as project contractors.
Court documents filed by the bank state they later discovered, "the pay affidavit was fraudulent and had been submitted by someone who had allegedly hacked into (a school official's) email while she was on vacation." [I wonder if they learned about that on social media? Bob]
"It was wire fraud from overseas," Johnson-Shirley said. "The FBI said it had to do with someone in Africa somewhere."
… She said the school district since has put security measures in place to prevent future hacking incidents. [Barn door. Horse. Bob]
It might be worth gathering ‘Best Practices’ in order to teach a class on GDPR breach responses to my Computer Security masters students.
Here’s a more detailed analysis of the GDPR fine of 20,000€ levied against a German flirting site, knuddels.de. Dr. Henrik Hanssen and Dr. Stefan Schuppert write:
In the first fine issued by a German data protection authority under the European General Data Protection Regulation (“GDPR”), on 21 November 2018 the authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of Euro 20,000 on a social media provider for a violation of its data security obligations under Art. 32 of the GDPR. The company’s very good cooperation with the LfDI was key to avoiding a higher level of fines.
Background
According to the press statement of the LfDI (in German), the Company contacted the LfDI with a data breach notification following a hacker attack in the summer of 2018. The attack resulted in the unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses.
After becoming aware of the incident, the Company immediately informed its users about the attack in a comprehensive and fully transparent manner (as per Art. 34 GDPR). In the proceedings with the LfDI, following the notification of the data breach to the regulator (as per Art. 33 GDPR), the Company disclosed its data processing and company structures as well as its own security failures to the LfDI in an “exemplary manner.” During this investigation, the LfDI became aware that the Company had stored the passwords in plain text and in an unencrypted format, which helped facilitate the attack.
Read more of their analysis on Hogan Lovells Chronicle of Data Protection. The analysis concludes with a few take-home lessons, including the value of cooperation and transparency.
The latter is something that this site has been particularly critical about in reviewing the incident response of a number of U.S. entities when breaches are disclosed. Consider the recent disclosure by Amazon, who did not explain anything about the “technical error” that resulted in customers’ names and email addresses being exposed and who simply ignored my inquiries to @Amazon and @AmazonHelp.
As consumers, we have no idea for how long this “technical” problem occurred, whether bad actors may have scraped our data, and whether our email addresses could be linked to our wish lists or orders on the site.
Will EU regulators look at the Amazon incident and decide to make an example of Amazon in terms of obligations under Article 34 of the GDPR?
[From the Chronicle article:
The following lessons can be learned from the German enforcement action:
- Having processes in place to promptly detect and report data breaches is paramount.
- Be prepared to accept that notifying a personal data breach might open the door for further regulatory investigations, although this is less likely for minor breaches (in this case, passwords of 330,000 users were lost as a consequence of a malicious attack and the unencrypted storage of those passwords was a contributing factor).
- Learn to manage the reputational impact. In its statement, the LfDI only mentioned that the enforcement involved a social media provider based in Baden-Württemberg (although the media quickly identified the provider behind the press release). From this, there is a positive message: by cooperating with regulators, it may still be possible to be portrayed as a “good corporate citizen” from a privacy perspective.
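The LfDI singled out plaintext password storage as a contributing factor. As an added illustration (not code from the Hogan Lovells analysis or from the provider), the following Python contrasts plaintext storage with salted scrypt hashing (stdlib hashlib) and shows what a dumped user table hands over in each case; the user records and cost parameters are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values for this example, tune for production hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, hash_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_user_table(users: dict, plaintext: bool) -> dict:
    """Two storage choices: plaintext (what the fined provider did) or hashed records."""
    return {email: (pw if plaintext else hash_password(pw)) for email, pw in users.items()}


def credentials_readable_from_dump(table: dict, users: dict) -> list:
    """Emulate a breach of the stored table: which stored values ARE the password, reusable as-is?"""
    return [email for email, stored in table.items() if stored == users[email]]


# Constructed sample data (not real users); two users share a password on purpose.
SAMPLE_USERS = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}

if __name__ == "__main__":
    plain = build_user_table(SAMPLE_USERS, plaintext=True)
    print("plaintext storage exposes:", credentials_readable_from_dump(plain, SAMPLE_USERS))
    hashed = build_user_table(SAMPLE_USERS, plaintext=False)
    print("hashed storage exposes:", credentials_readable_from_dump(hashed, SAMPLE_USERS))
    # Salting means identical passwords do not produce identical records.
    print("same password, different records:", hashed["alice@example.com"] != hashed["bob@example.com"])
```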
Getting serious.
UK Parliament seizes internal Facebook documents
The UK Parliament is determined to get to the bottom of Facebook's data privacy practices, whether or not Mark Zuckerberg is willing to testify. Digital Culture, Media and Sport committee (DCMS) chairman Damian Collins used an uncommon process to force the founder of software developer Six4Three to hand over internal Facebook documents while he was on a business trip to London. The files reportedly include details of Facebook data decisions that enabled the Cambridge Analytica scandal, including emails between executives and conversations with Zuckerberg.
… The files are already subject to an order from a California court, which would restrict them from being published in the US. Facebook has already called on the DCMS committee to both avoid reviewing the documents and to bring them back to either Facebook or its legal counsel. However, it's not certain that Facebook can actually force this since Parliament was acting under its own jurisdiction.
Perhaps we don’t have the correct mindset. We say criminal, others might say Intelligence Operatives. Would the US give up NSA employees?
Dennis Fisher reports:
A top United States law enforcement official called out Russia for not cooperating with cybercrime investigations on Russian citizens, and said the U.S. will continue to “identify nations that routinely block the fair administration of justice and fail to act in good faith”.
In a speech before the Interpol General Assembly on Sunday, Deputy Attorney General Rod Rosenstein said the U.S. has extradited 95 Americans to other countries to stand trial, but said other countries are not reciprocating, particularly when it comes to cybercrime. Rosenstein pointed specifically to the case of Alexsey Belan, a Russian who is under indictment in the U.S. for several major attacks, including an intrusion at Yahoo. The U.S. has issued two arrest warrants for Belan, who was allegedly hiding somewhere in Europe, and Interpol also issued a Red Notice requiring law enforcement agents to arrest him in any country. But Belan eventually made his way back into Russia, where Russian intelligence recruited him, Rosenstein said, and had him target U.S. companies, including Yahoo.
Read more on Decipher.
Perspective.
Over a third of online Black Friday purchases came from phones
If you spent Black Friday hunting for deals on your smartphone, you're not the only one. Adobe analysts have determined that just over a third (33.5 percent) of online Black Friday sales were completed on smartphones -- a large uptick from 29.1 percent just one year earlier. People were willing to splurge, too. There was over $2.1 billion in sales, a leap from the previous record ($1.4 billion) set on Cyber Monday, not Black Friday.
This comes on the back of a spike in Black Friday sales, with people spending $6.22 billion (a 23.6 percent increase over 2017).