Thursday, May 20, 2021

Apparently, hackers are not slowed by Covid.

https://www.verizon.com/business/resources/reports/dbir/

2021 Data Breach Investigations Report

Reduce risks with insights from more than 5,250 confirmed breaches.

Remember, in a cyberwar every sector will be attacked simultaneously.

https://www.databreaches.net/cyber-attack-has-caused-enormous-risk-hse-official/

Cyber attack has caused ‘enormous risk’ – HSE official

RTÉ reports:

The Health Service Executive’s National Clinical Adviser for Acute Operations has said there is an “enormous risk” across health services following the cyber attack last week which forced a shutdown of the HSE’s IT systems.
Speaking on RTÉ’s Morning Ireland, Dr Vida Hamilton said it is a “major disaster” and described it as a stressful time in hospitals.
“There is enormous risk in the system and everything has to be done so slowly and carefully to mitigate that risk,” Dr Hamilton said.
She said 90% of acute hospitals are substantially impacted by this cyber attack and it is affecting every aspect of patient care.

Read more on RTÉ.

So this is exactly the type of impact we have often cautioned could happen with an attack on the healthcare sector. The HSE incident seems to be getting more media coverage than other similar attacks, perhaps because it is national, but the risks have been known for years now.

So when all is said and done, when it comes time for the forensics, what was HSE’s security like prior to the attack? What was their backup system like? Had they really used “best practices?” Yes, the blame belongs to the criminals, but had HSE deployed reasonable security given the times?

And will this be the incident that puts so much heat on Conti and other ransomware groups that Conti ducks for cover and other groups now exclude healthcare as carefully as they have excluded Russian or CIS entities? Right now, it doesn’t seem that way. They may not get the $20 million they have demanded, but unless something changes, they will live to extort another day.

Would the loss of sales/recovery costs/fines have been greater if they did not pay the ransom?

https://www.databreaches.net/colonial-pipeline-confirms-it-paid-4-4-million-to-hackers/

Colonial Pipeline confirms it paid $4.4 million to hackers

Cathy Bussewitz of AP reports:

The operator of the nation’s largest fuel pipeline confirmed it paid $4.4 million to a gang of hackers who broke into its computer systems.
Colonial Pipeline said Wednesday that after it learned of the May 7 ransomware attack, the company took its pipeline system offline and needed to do everything in its power to restart it quickly and safely, and made the decision then to pay the ransom.

Read more on WSOC-TV.

(Related)

https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636?mod=djemalertNEWS

Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom

Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.

… “I know that’s a highly controversial decision,” Mr. Blount said in his first public remarks since the crippling hack. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

“But it was the right thing to do for the country,” he added.

Did the city take any action against the employee who screwed up? Did they change any procedures?

https://www.databreaches.net/city-pays-350000-after-suing-hackers-for-opening-dropbox-link-it-sent-them/

City pays $350,000 after suing “hackers” for opening Dropbox link it sent them

When is a “hack” not a “hack?” When a government entity mistakenly gives journalists access to files that, just maybe, it didn’t intend to give them access to…

Tim De Chant reports:

The city of Fullerton, California, has agreed to pay $350,000 to settle a lawsuit it brought against two bloggers it accused of hacking the city’s Dropbox account.
Joshua Ferguson and David Curlee frequently made public record requests in the course of covering city government for a local blog, Friends for Fullerton’s Future. The city used Dropbox to fulfill large file requests, and in response to a June 6, 2019, request for records related to police misconduct, Ferguson and Curlee were sent a link to a Dropbox folder containing a password-protected zip file.
But a city employee also sent them a link to a more general “Outbox” shared folder that contained potential records request documents that had not yet been reviewed by the city attorney.

Read more on Ars Technica.

[From the article:

As the case made its way through the courts, both the Electronic Frontier Foundation and the Reporters Committee for Freedom of the Press filed amicus briefs earlier this year in support of the bloggers. The EFF’s brief was particularly pointed. “The City’s interpretation would permit public officials to decide—after making records publicly available online (through their own fault or otherwise)—that accessing those records was illegal,” the group wrote. “The City proposes that journalists perusing a website used to disclose public records must guess whether particular documents are intended for them or not, intuit the City’s intentions in posting those documents, and then politely look the other way—or be criminally liable.”

The city of Fullerton faced increasingly long odds of winning the lawsuit, and last week, the city council voted 3-2 to settle the suit. Under the terms of the settlement, the city will pay the defendants $230,000 in attorneys’ costs and $60,000 each in damages. The city will also post a public apology on its website.]

Another example the US won’t bother to follow.

https://www.huntonprivacyblog.com/2021/05/19/ecuador-approves-data-protection-law/

Ecuador Approves Data Protection Law

The Data Protection Law is based on the EU General Data Protection Regulation (the “GDPR”) and requires data controllers to implement safeguards to protect personal data, appoint a data protection officer and provide notice to individuals before processing certain personal data. The Data Protection Law also (1) establishes a national data protection authority; (2) regulates cross-border data transfers; and (3) provides Ecuadorians with the rights to request access to, amendment of and deletion of their personal data.

[The law in Spanish: https://privacyblogfullservice.huntonwilliamsblogs.com/wp-content/uploads/sites/28/2019/09/Anteproyecto-de-Ley-Orga%CC%81nica-de-Proteccio%CC%81n-de-Datos-Personales.pdf]

This could be useful.

https://i-sight.com/resources/a-practical-guide-to-data-privacy-laws-by-country/

A Practical Guide to Data Privacy Laws by Country [2021]

Privacy laws have never been as important as they are today, now that data travels the world through borderless networks. Over 130 jurisdictions now have data privacy laws, as of January 2021.

Podcast with full transcript.

https://www.technologyreview.com/2021/05/19/1025016/embracing-the-rapid-pace-of-ai/

Embracing the rapid pace of AI

In a recent survey, “2021 Thriving in an AI World,” KPMG found that across every industry—manufacturing to technology to retail—the adoption of artificial intelligence (AI) is increasing year over year. Part of the reason is that digital transformation is moving faster, which helps companies start to move exponentially faster. But, as Cliff Justice, US leader for enterprise innovation at KPMG, posits, “Covid-19 has accelerated the pace of digital in many ways, across many types of technologies.” Justice continues, “This is where we are starting to experience such a rapid pace of exponential change that it’s very difficult for most people to understand the progress.” But understand it they must because “artificial intelligence is evolving at a very rapid pace.”

Justice challenges us to think about AI in a different way, “more like a relationship with technology, as opposed to a tool that we program,” because he says, “AI is something that evolves and learns and develops the more it gets exposed to humans.”

Show notes and links: “2021 Thriving in an AI World,” KPMG
