Friday, July 31, 2020

They either did not know or chose to hide the scope of the breach. Neither says much for management.

https://www.cpomagazine.com/cyber-security/new-details-indicate-that-scope-of-the-2019-mgm-data-breach-is-much-bigger-than-expected/

New Details Indicate That Scope of the 2019 MGM Data Breach Is Much Bigger Than Expected

In early 2020, there was a report that the MGM Grand resort in Las Vegas had experienced a major data breach. The personal information of about 10.6 million guests had been exfiltrated, going back an unknown number of years.

The wording of the report was always confusing. Some news articles named only the MGM Grand resort, which was plausible for a data breach dating back years given that the property has nearly 7,000 rooms (the largest amount in the United States) and is quite popular with Vegas tourists. However, other articles named parent company MGM Resorts International. This company operates many casino-hotels in a number of states, including nearly half of the properties on the Vegas Strip and a handful of properties in China.

A new discovery of over 142 million guest credentials on the dark web appears to confirm that the data breach nabbed information from a variety of MGM Resorts properties, not just the MGM Grand. ZDNet reporters found the information on sale for $2,939 USD in mid-July. MGM had previously contacted guests that were impacted by the data breach, but these new numbers indicated there may be over ten times as many that were not contacted and are not aware that their personal information has been compromised.

A hopeful article.

https://www.zdnet.com/article/ransomware-how-clicking-on-one-phishing-email-left-a-whole-business-in-big-trouble/?&web_view=true

Ransomware: How clicking on one email left a whole business in big trouble

Security experts have given an insight into how a targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities.

The crooks used a phishing attack and took advantage of a number of vulnerabilities – from old hardware to default passwords – to first deploy Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.

In this case, the organisation didn't opt to pay the ransom – something that authorities discourage and would only fund additional attacks by cyber criminals – but instead had security experts come in to examine the network and restore functionality within 48 hours.

Something to follow?

https://www.reuters.com/article/epiq-dataprivacy-ransomware/after-ransomware-attack-legal-services-company-epiq-faces-california-privacy-lawsuit-idUSL2N2F12Q3

After ransomware attack, legal services company Epiq faces California privacy lawsuit

Lawyers for Epiq Systems Inc have removed a lawsuit to federal court that alleges the legal services provider failed to adequately protect personal information under California’s consumer privacy law.

The proposed class action lawsuit, originally filed in California state court and removed to federal court on Wednesday, claims that individuals “face a lifetime risk of identity theft” after the Missouri-based company was hit by a ransomware attack in February.

To read the full story on Westlaw Today, click here: bit.ly/2P86lcz

More crime during the pandemic? (The report is locked)

Amazon says police demands for customer data have gone up

Zack Whittaker reports:

Amazon has said the number of demands for user data made by U.S. federal and local law enforcement have increased more during the first half of 2020 than during the same period a year earlier.

The disclosure came in the company’s latest transparency report, published Thursday.

Read more on TechCrunch.

Weak law is worse than no law?

Protect consumer privacy: Repeal GLBA’s privacy provisions

It is so hard to get privacy protections for consumers that you might think that if a law has privacy provisions, you’d want to keep them. Not necessarily, as Robert Gellman explains in an opinion piece that opened my eyes — and may open yours, too.

How do the privacy protections in the Gramm-Leach-Bliley Act — the well-known banking law — help consumers? The short answer is that the GLBA does almost nothing to help consumer privacy. Understanding that the GLBA is essentially a privacy fraud is important because exemptions for the GLBA are features of some state and federal privacy bills.

Let’s look at the provisions of the GLBA. The privacy part of the law provides two — and only two — provisions for consumers. First, each financial institution must have a privacy notice. That’s something but not much.

Read more on IAPP.