Consumer Advocates Criticize Equifax Settlement Plan

Mathew J. Schwartz • July 23, 2019

Equifax's move to settle federal and 48 states' probes, as well as class action lawsuits, would see breach victims being able to claim up to $20,000 for unreimbursed expenses. But some consumer advocates and government officials say the proposed deal is insufficient, given the magnitude of Equifax's failures.

Incident & Breach Response

Security Flaw Exposed Valid Airline Boarding Passes

Latest

Governance

Cloud IAM: Integration Issues

Geetha Nandikotkur • July 23, 2019

A major misconception about cloud IAM is that it's easy to implement, says Mark Perry, CTO for APAC at Ping Identity. Implementation poses challenges, and cloud IAM must be carefully integrated with other systems, he says.

Cyberwarfare / Nation-state attacks

Recent DNS Hijacking Campaigns Trigger Government Action

Scott Ferguson • July 22, 2019

A recent spate of attacks targeting domain name system protocols and registrars, including several incidents that researchers believe have ties to nation-state espionage, is prompting the U.S. and U.K. governments to issues warnings and policy updates to improve security.

Fraud Management & Cybercrime

Ireland Assessing Minors' Profiles on Instagram

Jeremy Kirk • July 22, 2019

Ireland's Data Protection Commission says it is "assessing" a report concerning minors who have business profiles on Instagram that may expose email addresses and phone numbers. As many as 5 million kids worldwide have business accounts, but often they have no discernible link to a real business.

Governance

2.3 Billion Files Exposed Online: The Root Causes

Marianne Kolbasuk McGee • July 22, 2019

Misconfigured file storage technologies and a lack of basic security controls are the root causes for the inadvertent online exposure of 2.3 billion files worldwide that contain personal information, including sensitive medical data, says Harrison Van Riper, a security researcher at Digital Shadows.

Business Email Compromise (BEC)

BEC Scams Cost U.S. Companies $300 Million Per Month: Study

Scott Ferguson • July 19, 2019

Business email compromise scams are surging, and they're costing U.S. companies a total of more than $300 million a month, according to a recently released analysis by the U.S. Treasury Department. The report pinpoints which sectors are hardest hit by this type of fraud.

Cybercrime

Phishing Attack Aimed at Stealing Payroll Deposits

Marianne Kolbasuk McGee • July 19, 2019

A Texas-based healthcare system says hackers unsuccessfully tried to divert employee payroll direct deposits through a phishing attack that also potentially exposed patient data. The incident illustrates how business processes can help avert theft.

Encryption & Key Management

Audit Finds More Security Vulnerabilities at IRS

Akshaya Asokan • July 19, 2019

The Internal Revenue Services' internal financial reporting systems and IT infrastructure have 14 new security vulnerabilities, along with a long list of previously unresolved deficiencies, according to a U.S. Government Accountability Office audit.

Application Security

Tesla Vulnerability: A Bounty Hunter's Tale

Nick Holland • July 19, 2019

The latest edition of the ISMG Security Report describes the accidental discovery of a Tesla software vulnerability. Also featured: an analysis of the latest ransomware trends and insights from former federal advisers Richard Clarke and Robert Knake on cyber resilience.

3rd Party Risk Management

Huawei Question Must Be Answered by New UK Prime Minister

Mathew J. Schwartz • July 19, 2019

A powerful parliamentary committee has called on Britain's new prime minister - be it Boris Johnson or Jeremy Hunt - to make a decision "as a matter of priority" about the extent to which telecommunications gear built by Huawei should be used in the nation's 5G network.

Phishing Scheme Targets Amex Cardholders

Akshaya Asokan • July 18, 2019

Researchers have uncovered a new type of phishing campaign that is targeting American Express card users. In these incidents, attackers are sending a hyperlink as part of a phony account update to access the victim's credentials and other account details, according to researchers at the security firm Cofense.

General Data Protection Regulation (GDPR)

Patient Record Snooping Incident Leads to GDPR Fine

Marianne Kolbasuk McGee • July 18, 2019

Authorities in the Netherlands recently levied a $516,000 fine under the General Data Protection Regulation against a hospital in the Hague in connection with a data breach involving "dozens" of staffers who snooped on the electronic medical records of a celebrity.

Cybercrime

Impact of AMCA Breach Continues to Grow

Marianne Kolbasuk McGee • July 18, 2019

The impact of the massive American Medical Collection Agency data breach continues to grow. At least two more laboratories have said their patients' data was potentially compromised by the breach. Meanwhile, court filings accuse AMCA of a lack of "cooperation and transparency" in the wake of the incident.