

Updated: Jul 12, 2019

Is it ubiquitous and useful, or dangerous, impervious and misunderstood?

This past week: facial recognition software under the spotlight, Libya gets a malware blast, a son of WannaCry rears its head, ransomware affects organizations of all shapes and sizes, third-party data breaches are back in the spotlight, a Canadian mutual fund sidesteps hackers, and major data breaches in the UK, Canada and the USA.*

This Past Week’s Top Dark Web Compromises*:

Top Source Hits: ID Theft Forum
Top Compromise Type: Domain
Top Industry: Finance & Insurance
Top Employee Count: 1 - 10 Employees

This Past Week’s Top Targeted Industries*:

Software Hits: 375 | Targets: Evite, GitHub, Microsoft, Canonical, Google

Consumer Goods Hits: 164 | Targets: Starwood Hotels & Resorts Worldwide, Marriott International, Target Corp, Wal-Mart, Sony Corp

Service Hits: 162 | Targets: Starwood Hotels & Resorts Worldwide, Marriott International, Saint-Gobain, Health Services, PricewaterhouseCoopers

Hospitality Hits: 149 | Targets: Starwood Hotels & Resorts Worldwide, Marriott International, Panda Express

This Past Week’s Top Threat Actors*:

Hezbollah Hits: 102 | Targets: Israel, Syria, Lebanon, Iran, United States

Sea Turtle Hits: 40 | Targets: Domain Name System, Sweden, Cisco Talos, Greece, Cyprus

Magecart Hits: 23 | Targets: British Airways, Ticketmaster Entertainment, Newegg, Magento, Feedify

GCHQ (UK) Hits: 6 | Targets: Proximus Group, United Kingdom, Belgium, Israel, Germany

APT34 OilRig Hits: 5 | Targets: Saudi Arabia, Israel, United States, Petroleum, Middle Eastern government

This Past Week’s Top Malware Exploits*:

IcedID Hits: 34 | Targets: United States, Microsoft Windows, Banking, Financial Institutions, eCommerce

Trickbot Hits: 31 | Targets: PayPal, United States, Customer Relationship Management, United Kingdom, Banking

Dridex Hits: 27 | Targets: United Kingdom, United States, Banking, France, Microsoft Office Word

Stuxnet Hits: 27 | Targets: Iran, North Korea, Industrial Control Systems, SCADA and ICS Products and Technologies, United States

Wcry Hits: 25 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, National Health



Facial Recognition under the spotlight*:

Just six months ago, people were excited about Apple allowing you to open your phone just by looking at it. A year ago, Facebook users joyfully tagged their friends in photos. But then the tech got better, and so did the concerns. In May, San Francisco became the first major city in the world to effectively ban facial recognition. A week later, the US Congress heard how it also needed to ban the tech until new rules could be drawn up to cover its safe use. That same week, Amazon shot down a stakeholder proposal to stop its facial recognition technology from being sold to law enforcement. Then, in June, the US state of Michigan started debating a state-wide ban, and the FBI was slammed by the Government Accountability Office (GAO) for failing to measure the accuracy of its face-recognition technology.

The current sentiment, especially given a contentious political environment where there is an overt willingness, even determination, to target specific groups, is that facial recognition is dangerous and needs to be carefully controlled. It hasn't helped that China's use of the technology has created a situation previously only imagined in dystopian sci-fi movies: a man who jaywalked across a road is identified several weeks later while walking down a different street, arrested and fined.

Shaun Moore, CEO of the facial recognition company Trueface, is keen to point out that San Francisco didn't actually ban the technology; it can still be used if the authorities get a warrant. This is true. The decision is more of a moratorium: any local government authority that wants to use facial recognition will need to apply to do so, and be approved, before it can. That system will only be lifted when new rules designed to balance privacy and accuracy with technological ability are drawn up. He is, unsurprisingly, not happy about his company's product being blocked by legislation.

"It is not the right way to regulate," he complains, especially since it has led to a broader sense that the technology is inherently dangerous. "We risk creating a Facebook situation," he warns, where the US Congress feels obligated to act against a specific technology based on fears but with little or no understanding of how it works.

For one, Moore argues, he doesn't know of any law enforcement agency that wants to use the technology for real-time surveillance. They want to use it as an investigative tool after the fact by scouring footage. "It can take five to seven days off investigation time," he told us. "It is one piece of evidence that can be used to search for other evidence." In other words, fear of what facial recognition could be used for is limiting its usefulness in current investigations. Faster, more effective investigations mean better results and more available police time to cover more crimes: a win-win. He also argues that the feared ubiquitous surveillance is simply not possible, at least not yet. "We don't have the processing power, we can't physically do that," he says in reference to the fear that widespread cameras could be turned into tools of constant surveillance.

But as we dig into the concerns around facial recognition, it increasingly feels like the proposed moratoriums make a lot of sense. One of the biggest concerns is around accuracy: how confident can we be that someone on a camera, identified as a specific individual through facial recognition, is really that person? The answer is always given as a percentage likelihood. But that raises a whole host of other questions: what level of accuracy is sufficient for someone, like a police officer, to act?
Combine that with a well-recognized problem, that the datasets used to train these systems are heavily skewed toward white-skinned men, which results in more accurate results for them but less accurate results for anyone who isn't a man, or white, and you have a civil rights nightmare waiting to happen. Moore says that his company, and the facial recognition industry as a whole, is "absolutely" aware of that dangerous bias. While stressing that it is not the technology itself that is racist but that there are "lots of racist people" and that the data itself can cause bias, he says the industry is working hard on fixing those biases. Trueface is paying people in other countries across Asia and Africa to send it photos of their faces in order to build a much larger database of faces with different features and darker skin tones, and that approach is "actively pushing the bias down."

He says that, combined with improvements in the technology, we are rapidly getting to the point where within two to three years the degree of accuracy in facial recognition will be in the "high 90s" for all types of people, which is basically the same as other forms of identification that we all accept within society, like banking. He even argues that this level of accuracy could help counteract human biases: it would be harder for a police officer to justify, say, stopping a black man because he thought he looked like a suspect if there was a facial recognition result that said it was only 80 per cent accurate. But then, of course, we delve into the complex and fraught world of what is supposed to happen versus what really happens on the street. Moore admits that if there isn't a clear picture of someone, or the individual in question is wearing a hat, then it is never going to be possible to get high-90s accuracy. Except he describes it in a way that many of his clients are likely to see it: "If someone is actively avoiding cameras, or pulls on a hat, then there's nothing we can do."
We relay the recent story from London where a man was stopped, questioned and fined £90 ($115) for "disorderly behavior" because he tried to hide his face. He didn't want to be on camera; the police immediately assumed he was up to no good. Moore admits that facial recognition use is going to be based on a "social contract" and that "to me, that was inappropriate" to stop and fine the man. It was "probably his right" to avoid the cameras, he notes, but then quickly adds that he "would like to assume that the police officers are trained to recognize behavior." And, he points out, the issue only got a "spotlight on it because facial recognition was in the same sentence." Which is a fair point.

Like any new technology, the initial sense of amazement at what has become possible is soon replaced with a fear of the new, of its possible abuses. And when any abuses do come to light, they are given disproportionate weight, leading to a sense of crisis that then drives lawmakers to believe they need to act and pass new laws. This technology journalist often cites the wave of newspaper headlines in the 1980s that surrounded the terror that once was "mobile phones." There were even calls to ban them entirely because they were being used by football supporters to organize fights.

Facial recognition has already proven its worth, Moore argues. One recent example was how a man traveling on a false ID was identified and arrested at a Washington DC airport thanks to its facial recognition system. And, faced with the unpleasant reality of gun violence and mass shootings in the US, its use at live events could end up saving lives and keeping everyone safer. "Guns are a serious problem," he notes. "This technology is there to make better decisions." Which gets us back to the rules and regulations. Which don't exist yet. Moore feels strongly that there is one area where federal, rather than local, regulation is needed. And that should include restrictions on use.
The question is what those rules look like, how they are applied, and around what specific issues they can be drawn. Moore says he doesn't have the answers, but he does help identify some key building blocks: government versus commercial use; real-time use versus analysis of recorded footage; opt-in use (where identification is used to provide access) versus recognition (where identification is used to stop, prevent or limit someone); and transparency and benchmarks. The use of facial recognition is always going to be "situational," Moore argues. And, he notes, it may well be necessary for the use of facial recognition within the US to rely on technology created within the US, in order to make sure that the new rules are baked into hardware and software.

Even assuming new federal rules, a bigger question then is: how do you stop companies and/or specific police departments from abusing the technology? Moore seeks to reassure us. "There are bad people. We have turned down multiple clients where their use of the technology was not aligned with what we wanted to do." It would be hard for companies to hide their planned use for such technology, he argues, because "we spend six months at a minimum with clients. If they were trying to deceive us, we would know it, and just shut it down." But what was intended as a reassurance in some respects only serves to further highlight concerns: this technology can be used in wrong and dangerous ways, and there are people out there who are already seeking to spend money to create systems that make the company that sells the technology uncomfortable enough to walk away. Moore is right when he says that facial recognition is an "inevitability." The big question is: is this the sort of technology that should be introduced and then scaled back, like ride-sharing or social media, or is it the sort of technology that needs to be forced to argue its case before it is introduced?

A threat group has been targeting mobile and desktop users in Libya with malware through Facebook pages, Check Point has discovered.*

The campaign, which the cybersecurity firm has dubbed Operation Tripoli, has been abusing the social network for years to host fraudulent pages, and has also compromised legitimate websites to host malware and spread it to "tens of thousands of victims mainly from Libya, but also in Europe, the United States and Canada." One of the pages impersonated Khalifa Haftar, the commander of Libya's National Army and a prominent figure in Libya's political arena. Since its creation in April 2019, the page gathered over 11,000 followers. In addition to posts with political themes, the page also shared URLs to download files that the attacker claimed were leaks from Libya's intelligence units. Some of the links supposedly led to mobile apps that allow citizens to join the Libyan armed forces. Instead of the promised content, however, users following these links were taken to malicious VBE or WSF files for Windows environments, and APK files for Android, to infect them with known remote administration tools (RATs) such as Houdini, Remcos, and SpyNote. The malicious samples were usually stored on file hosting services such as Google Drive, Dropbox and Box, but compromised websites were also used to host the malware, including a Russian website, an Israeli website, and a Moroccan news website. The attacker also compromised the site of Libyana, a large mobile operator in Libya, and hosted a malware-packed archive on it back in 2014.

By following the username in the Facebook page's web address (@kalifhafatr, which misspells Haftar's name), and the grammatical mistakes found in almost every post, Check Point's security researchers were able to identify a network of over 30 Facebook pages operated by the same threat actor as part of a widespread operation ongoing since at least 2014. Some of these Facebook pages were highly popular, with more than 100K users, the researchers reveal. All of them have since been taken down.
Over the years, the actor has used more than 40 unique malicious links, some of which were spread via more than one page. The majority of the URLs had thousands of clicks, mostly around the time they were created and shared. The pages would publish updates about the most recent events in Libya, in an attempt to engage their followers and not arouse suspicion. The posts were copied across multiple pages on the same day. Despite the use of political themes related to Libya, however, the actor does not appear to favour one political party over another, the security researchers say. The content mainly warns against external or internal threats.

The applications and VBE scripts used in this campaign communicated with the same command and control (C&C) server. This led the researchers to a Facebook account that belongs to the attacker, who appears to be Libyan. "This account repeated the same typos that we have observed in the involved pages, enabling us to assess with high confidence that this is the same person that wrote the posts' content. The account also openly shared almost every aspect of this malicious activity, including screenshots from the panels where the victims were managed," the researchers say. The attacker shared sensitive information stolen from the victims, such as secret documents belonging to Libya's government, e-mails, phone numbers belonging to officials, and pictures of the officials' passports. Check Point was able to observe the evolution of the attacker from the early days and noticed that they don't use an advanced set of tools. However, the use of tailored content, legitimate websites, and highly active pages allowed them to potentially infect thousands. "Although the attacker does not endorse a political party or any of the conflicting sides in Libya, their actions do seem to be motivated by political events.
This can be implied from the participation in operations like OpSyria years ago, as well as the willingness to expose secret documents and personal information stolen from the Libyan government. This is juxtaposed with the constant targeting of Libyan victims but might mean that the attacker is after certain individuals within the larger crowd,” Check Point concludes.

New Windows vulnerability emerges: the world could face another WannaCry*:

The danger of malware, and ransomware in particular, is greater than ever. Those in need of proof need only remember the desperate situation the entire world had to endure back in 2017, when WannaCry spread across the globe over the course of a single weekend. More than 100 countries were affected, with hundreds of thousands of computers falling victim to the worm. WannaCry attacked anyone and anything it could reach, from carmakers in France to railways in Germany, from Indian ATMs to Russian banks, and particularly UK hospitals. It even hit a mall in Singapore. After the crisis had passed, all that remained was billions of dollars' worth of damage on a global level.

Now the world finds itself in similar danger once again, and this time the pool of exposed machines is larger: researchers have counted roughly a million internet-facing systems that remain vulnerable, several times the number WannaCry managed to infect. The new vulnerability, tracked as CVE-2019-0708 and nicknamed 'BlueKeep', could enable another global ransomware outbreak. Luckily, Microsoft identified the danger early and issued a patch, but many have still not applied it and remain at risk. The flaw is in Remote Desktop Services, the component that implements Microsoft's Remote Desktop Protocol (RDP) and lets users access their systems remotely. Most older Windows versions are at risk, including Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2; Windows 8 and 10, and Windows Server 2012 and later, are not affected. The bug is pre-authentication and requires no user interaction: an attacker who can reach the RDP service can execute arbitrary code on the target, whether that is a keylogger or ransomware. Furthermore, the flaw is wormable, meaning malware that exploits it can spread on its own from one vulnerable machine to the next. The flaw was reported to Microsoft earlier this year by the UK's National Cyber Security Centre, which gave the company time to create a patch.

Microsoft disclosed the flaw publicly and released the patch on 14 May 2019.

Despite the patch having been available for nearly two months, around one million internet-facing systems still have not applied it. That puts them all at risk, especially now that attackers know about the flaw as well. Entire corporations could be exposed, as even some of the largest firms neglect their security and ignore updates and patches. Where patching has to wait, Microsoft's own guidance offers two partial mitigations: enable Network Level Authentication (NLA), so that a connection must authenticate with a valid account before the vulnerable code path is reachable, and block TCP port 3389 at the perimeter so the service cannot be reached from the internet at all.

The danger is massive, and it has experts around the world alarmed. Even the US NSA and the Department of Homeland Security have issued warnings about the flaw. The Australian Cyber Security Centre did the same, as did the UK's National Cyber Security Centre. Meanwhile, Microsoft itself published several warnings, even going as far as to release a patch for Windows XP, a system it stopped supporting in 2014. At this point, the situation looks quite grim. There are more than a few similarities to the period before the WannaCry attack, when the 'EternalBlue' vulnerability became public: despite the patches being issued, many ignored them and later became victims of the ransomware. Now history is repeating itself, and over a million devices remain unsecured. So far there have been no reports of attacks using the 'BlueKeep' flaw in the wild. However, researchers believe it is only a matter of time before the reports start piling up. One security firm, GreyNoise, reported that unknown actors were scanning the internet for unpatched RDP systems, routing the scans through the Tor anonymity network. Not only home computers are in danger, but also those used by businesses, whether small or large. It is high time that organisations take this issue seriously and secure their devices, or ransom messages might start appearing on their screens once more.
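As an added example (not code from the article or from Microsoft), here is how a practitioner might triage a fleet against this flaw from an asset inventory export, patching the most exposed hosts first. The affected-version list and the two mitigations, NLA and restricting TCP port 3389, come from Microsoft's advisory; the inventory format, its column names and the sample hosts are assumptions constructed for the example.

```python
"""Rank hosts for BlueKeep (CVE-2019-0708) remediation from an asset inventory.

Added example, not from the original article or from Microsoft. The
affected-version list and the two mitigations (NLA, restricting TCP/3389)
follow Microsoft's advisory; the inventory columns and rows are constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Tuple

# Windows releases Microsoft listed as affected by CVE-2019-0708.
# Windows 8, 8.1, 10 and Server 2012 and later are not affected.
AFFECTED_OS = {
    "Windows XP", "Windows Server 2003", "Windows Vista",
    "Windows Server 2008", "Windows 7", "Windows Server 2008 R2",
}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patched: bool          # May 2019 RDP fix (or a later rollup) installed
    rdp_enabled: bool      # Remote Desktop Services accepting connections
    internet_facing: bool  # TCP/3389 reachable from outside the perimeter
    nla: bool              # Network Level Authentication required


def assess(h: Host) -> Tuple[int, str]:
    """Return (priority, reason). 0 means no action; higher means fix sooner."""
    if h.os not in AFFECTED_OS:
        return 0, "OS not affected"
    if h.patched:
        return 0, "patched"
    if not h.rdp_enabled:
        return 1, "vulnerable code present but RDP disabled; patch at next window"
    score, notes = 2, ["unpatched, RDP enabled"]
    if h.internet_facing:
        score += 2
        notes.append("reachable from the internet (wormable path)")
    if h.nla:
        notes.append("NLA on: partial mitigation, attacker needs valid credentials")
    else:
        score += 1
        notes.append("NLA off: exploitable without credentials")
    return score, "; ".join(notes)


def _flag(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "y"}


def parse_inventory(text: str) -> List[Host]:
    """Parse a CSV export with the (assumed) columns used in SAMPLE below."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [
        Host(r["name"].strip(), r["os"].strip(), _flag(r["patched"]),
             _flag(r["rdp_enabled"]), _flag(r["internet_facing"]), _flag(r["nla"]))
        for r in rows
    ]


def work_list(text: str) -> List[Tuple[str, int, str]]:
    """Hosts needing action as (name, priority, reason), most urgent first."""
    scored = [(h.name, *assess(h)) for h in parse_inventory(text)]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))


# Constructed sample inventory; these are not real hosts.
SAMPLE = """name,os,patched,rdp_enabled,internet_facing,nla
kiosk-01,Windows 7,no,yes,yes,no
fileserver,Windows Server 2008 R2,no,yes,no,yes
hr-laptop,Windows 10,no,yes,yes,no
legacy-xp,Windows XP,no,no,no,no
app-01,Windows Server 2008,yes,yes,yes,no
"""

if __name__ == "__main__":
    for name, prio, why in work_list(SAMPLE):
        print(f"P{prio} {name}: {why}")
```

On the sample data the internet-facing Windows 7 kiosk without NLA comes out on top, the internal 2008 R2 server with NLA enabled next, and the RDP-disabled XP box last; the Windows 10 laptop and the already-patched server drop off the list. NLA lowers the score but never clears a host, since it only raises the bar to an attacker who already holds credentials.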

Broadcom in Talks to Acquire Symantec in $15 Billion Deal*:

US chipmaker Broadcom is in advanced talks to acquire cybersecurity giant Symantec (maker of Norton) in a deal that could exceed $15 billion, according to several news outlets. Bloomberg broke the news about the acquisition talks, and the Financial Times and Reuters obtained independent confirmation from their sources. However, Symantec and Broadcom have refused to confirm or deny the reports. Symantec shares jumped from $22.10 to $25.48 after Bloomberg published its article, while Broadcom stock fell roughly four percent to $284. The news comes after Broadcom announced the acquisition of CA Technologies for $18.9 billion last year. The chipmaker also attempted to buy rival Qualcomm last year, but the deal was blocked by US President Donald Trump. As for Symantec, the company claims to provide its products and services to over 50 million consumers and 350,000 organizations around the world. The company recently reported revenue of roughly $4.7 billion for fiscal year 2019, lower than the previous year and below analysts' estimates. The financial report was accompanied by an announcement that Australian Greg Clark, Symantec's CEO and president, had stepped down, and that board member Richard Hill had been named interim chief executive officer and president. If the Broadcom acquisition of Symantec is confirmed, it would be the second time a chip giant acquires a major cybersecurity firm. Intel acquired McAfee in 2010 for $7.68 billion and later renamed it Intel Security. In 2016, however, McAfee once again became an independent company after a sale to TPG that valued it at $4.2 billion.

Google is finally making Chrome Extensions more secure*:

After years of issues with rogue Chrome extensions, hijacks, and malware, Google announced a slew of new policies on Thursday to ensure the little browser applets are secure. The improvements come as part of a wider company push to evaluate how much user data third-party applications can access. Google launched the audit, known as Project Strobe, in October alongside an announcement that Google+ had suffered data exposures and would be shuttered. Later this year, Google will begin requiring that extensions only request access to the minimum amount of user data necessary to function. The company is also expanding its requirements around privacy policies: previously, only extensions that dealt with personal and sensitive user data had to post the policies, but now extensions that handle personal communications and other user-generated content will need to articulate policies as well. Google says it is announcing these changes now so developers have time to adapt before the new rules take effect this fall. "To make this ecosystem successful, people need to be confident their data is secure, and developers need clear rules of the road," Google Fellow and vice president of engineering Ben Smith wrote on Thursday. "There are more than 180,000 extensions in the Chrome Web Store, and nearly half of all Chrome desktop users actively use extensions.… Last October, we shared our intention to ensure that all Chrome extensions are trustworthy by default. Today, as part of Project Strobe, we’re continuing that effort with additional Chrome Web Store policies." Project Strobe has also tightened developer access to Gmail data, and on Thursday Google expanded those protections to constrain third-party access to Google Drive. Google is known for robust account security, but its open ecosystems on Android and Chrome can present problems.
Third-party app and Chrome extension developers don't always build their software with user security best practices in mind, potentially exposing user data. And rogue developers can exploit the open system to sneak malicious apps into Google Play or simply distribute their nasty Chrome extensions and apps outside of Google's protected channels. The changes announced Thursday will make it harder for Chrome extensions distributed through Google's Chrome Web Store to quietly grab user data. More universal privacy policy requirements will force developers to describe how exactly data is being used within their applet. And the new rules about collecting the smallest amount of data needed to function will reduce the chance that users unintentionally grant Chrome extensions access to a broad array of unnecessary data. Google says it will enforce the policies as part of its regular extension review process. Some users may be surprised that privacy policies and minimal data access weren't already requirements for all Chrome extensions. Google says that it had strongly encouraged developers to take these steps before making them mandatory. But the slow pace of improvements for Chrome extension security has become a real industry concern as problems continue to crop up with the unassuming applets. "It's as if Google assumes all Chrome extensions are malicious, but they run the store anyway," says Matthew Green, a cryptographer at Johns Hopkins University. "I feel like Google treats their extensions like radioactive waste. Maybe they are."
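To make the "minimum data necessary" rule concrete, here is an added example (not Google's tooling and not code from the article) that audits a manifest v2 extension manifest for over-broad grants: host patterns that cover every site the user visits, and API permissions such as tabs or history that expose broad user data. The permission names are real Chrome permissions; the advice strings and the two sample manifests are constructed for the example.

```python
"""Least-privilege audit of a Chrome extension manifest (manifest v2).

Added example; not Google's tooling and not code from the article. It flags
host patterns and API permissions that expose far more user data than most
extensions need. Permission names are real Chrome permissions; the advice
strings and both manifests below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# scheme://host/path ; a match pattern is broad when the host component is a bare "*"
_MATCH_PATTERN = re.compile(r"^(\*|https?|ftp)://([^/]*)/")

# Sensitive API permissions and the narrower alternative a reviewer would ask for.
SENSITIVE = {
    "tabs": "use 'activeTab' if you only need the current tab after a user gesture",
    "history": "drop unless browsing history is the product's core feature",
    "cookies": "justify, and pair with specific host patterns rather than broad ones",
    "webRequest": "observes all traffic; restrict with narrow host patterns",
    "webRequestBlocking": "modifies all traffic; restrict with narrow host patterns",
    "bookmarks": "drop unless bookmarks are the product's core feature",
    "clipboardRead": "reads whatever the user copied; drop if only clipboardWrite is needed",
}


def is_broad_host(pattern: str) -> bool:
    """True for match patterns that cover every origin the user visits."""
    if pattern == "<all_urls>":
        return True
    m = _MATCH_PATTERN.match(pattern)
    return bool(m) and m.group(2) == "*"


def audit(manifest: Dict) -> List[Tuple[str, str, str]]:
    """Return (location, item, advice) for each over-broad grant, in manifest order."""
    findings = []
    for key in ("permissions", "optional_permissions"):
        # optional_permissions are granted at runtime via chrome.permissions.request,
        # so they are lower risk than install-time grants but still worth reviewing.
        for p in manifest.get(key, []):
            if is_broad_host(p):
                findings.append((key, p, "read/modify access on every site; list the hosts you need"))
            elif p in SENSITIVE:
                findings.append((key, p, SENSITIVE[p]))
    for script in manifest.get("content_scripts", []):
        for m in script.get("matches", []):
            if is_broad_host(m):
                findings.append(("content_scripts", m, "injects into every page; narrow the match pattern"))
    return findings


# Constructed manifests: the over-broad version and the version a reviewer would accept.
WEAK_MANIFEST = {
    "manifest_version": 2, "name": "Coupon Finder (constructed)", "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "history", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["coupons.js"]}],
}
NARROW_MANIFEST = {
    "manifest_version": 2, "name": "Coupon Finder (constructed)", "version": "1.1",
    "permissions": ["activeTab", "storage", "https://shop.example/*"],
    "content_scripts": [{"matches": ["https://shop.example/*"], "js": ["coupons.js"]}],
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("narrow", NARROW_MANIFEST)):
        print(f"{label}: {len(audit(manifest))} finding(s)")
        for where, item, advice in audit(manifest):
            print(f"  [{where}] {item}: {advice}")
```

The weak manifest produces four findings (a blanket host grant, tabs, history and an inject-everywhere content script); the narrow one, which swaps `<all_urls>` for `activeTab` plus a single host pattern, produces none. This is the shape of the check a store reviewer, or a developer's own CI, can run before the policy is enforced by hand.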



THREAT FOCUS: St. John Ambulance – UK*

Exploit: Ransomware
St. John Ambulance: Non-profit providing first aid and emergency medical service training

Risk to Small Business: 2.444 = Severe: On July 2, the non-profit organization was hit by a ransomware attack that temporarily blocked St. John Ambulance from accessing training systems and customer data. The charity’s IT department was able to restore data from backups, and says normal operations were re-established in less than thirty minutes. The episode underscores the value of proactive measures, in this case maintained and restorable backups, which allowed St. John Ambulance to avoid paying a ransom to recover its data.

Individual Risk: 2.285 = Severe: The personal information of everyone who opened an account or booked and attended a training course until February 2019 may have been compromised. Although St. John Ambulance expressed confidence that the information was not shared outside of the organization, hackers did gain access to names, course credentials, certificate information, invoicing details, and other course-related content. The company uses a third-party payment processing agent to execute transactions, so no payment information was compromised in the breach. Nevertheless, those impacted should carefully monitor their accounts for unusual activity.

Customers Impacted: Unknown

Effect On Customers: Having the technological capabilities to recover from a ransomware attack should be a top priority for any organization. More importantly, every company needs the capability to verify that sensitive data accessed during a ransomware attack doesn’t make its way onto the Dark Web. Since many ransomware attacks begin with malware delivered through phishing emails, comprehensive awareness training can stop these types of attacks from occurring in the first place.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: The Boyd Group Income Fund – CANADA*

Exploit: Ransomware
The Boyd Group Income Fund: Unincorporated, open-ended mutual fund trust

Risk to Small Business: 2.555 = Moderate: An internal notification system detected a ransomware attack on June 27th, causing the company to shut down some of its services. Many of the company’s offices were able to continue operations uninterrupted. However, some locations were temporarily disabled, causing them to lose sales during that period. Fortunately, the company previously established a ransomware response policy that dictated immediate actions and prevented the malware from spreading further into their network. The Boyd Group believes that these protocols will minimize the financial impact on their business while helping them recover quickly. Of course, they will still be receiving multiple invoices from cybersecurity experts who are analyzing their network and security protocols.

Individual Risk: No personal information was compromised in the breach.

Customers Impacted: Unknown

Effect On Customers: The Boyd Group’s response plan will certainly mitigate some of the damage from this incident. For one, the company holds insurance covering ransomware that will help it recoup financial losses resulting from the attack. Additionally, its planned response limited the malware’s ability to spread through its network. Even so, there are always costs associated with full recovery, meaning that a proactive defence is still the most critical component of a data breach security programme.

THREAT FOCUS: The American Land Title Company (ALTA) – USA*

Exploit: Phishing attack
American Land Title Company (ALTA): National trade association representing various real estate entities

Risk to Small Business: 1.888 = Severe Risk: A self-described ethical hacker contacted ALTA about roughly 600 records belonging to its members that had been harvested through a phishing campaign. The compromised data may include highly sensitive company data from ALTA member organizations. This is the second phishing scam targeting ALTA members this year; earlier, a similar scam originating from within the organization was sent to member companies.

Individual Risk: 2.285 = Severe Risk: While the data accessed pertains to the companies involved, it could also include personal information, including domain identification, IP addresses, usernames, and passwords. ALTA organizations should encourage employees to monitor their accounts for suspicious activity and to ensure that they use unique, strong passwords for all accounts, especially those containing personally identifiable information.

Customers Impacted: Unknown

Effect On Customers: Phishing scams are unleashed with speed and precision, and they can quickly compromise your organization’s data. Fortunately, they are also highly defensible: comprehensive awareness training, backed by technical controls such as multi-factor authentication, blunts most credential-harvesting attempts. Knowing if your organization’s credentials are compromised before a data breach occurs can prevent a security incident before it harms your company and your customers.

THREAT FOCUS: Mercy Health – USA*

Exploit: Email security breach
Mercy Health: Catholic healthcare ministry serving Ohio and Kentucky

Risk to Small Business: 2 = Severe Risk: A compromised email account at a third-party vendor in 2018 ultimately resulted in compromised personal information for Mercy Health patients. The third-party vendor, OS Inc., was involved in a similar data breach last year and was responsible for updating information for Medicare beneficiaries and billing for certain services. The incident reflects the complicated cybersecurity threats facing institutions working with third parties, specifically as it relates to managing personally identifiable information.

Customers Impacted: Unknown

Effect On Customers: Working with contractors and third parties is often a requirement in today’s digital ecosystem. However, those partnerships can create vulnerabilities that organizations need to address before allowing third parties to access their data. Therefore, robust cybersecurity protocols should be a prerequisite for any business relationship that includes that exchange of sensitive personal information.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: US Maryland Department of Labor – USA*

Exploit: Unauthorized database access Maryland Department of Labor: Local government agency serving the state of Maryland

Risk to Small Business: 2.222 = Severe: Hackers gained access to two agency databases that contained personally identifiable information. The breach, which occurred in April, involved data from those who received unemployment benefits in 2012 or pursued a general equivalency diploma in 2009, 2010, or 2014. It’s unclear why the agency waited several months to notify those impacted by the breach, but this cybersecurity incident underscores a troubling trend in government agencies in general and Maryland in particular. The agency will now be responsible for paying victims for two years of credit monitoring services, while also spending precious funds on recovery efforts.

Individual Risk: 2.222 = Severe: A damage assessment conducted by a third-party forensics team concluded that no personal information was downloaded in the attack. However, hackers did have access to a deluge of personal data, including names, social security numbers, birth dates, city or county of residence, graduation dates, and record numbers. Those impacted by the breach are encouraged to closely monitor their credentials and to enrol in the credit monitoring services being offered by the agency.

Customers Impacted: 78,000

Effect On Customers: It’s no secret that data breaches, especially those that compromise sensitive personal information, are always harmful. However, organizations can work to repair the damage by supporting those impacted with protection. By continuously monitoring the Dark Web, where stolen credentials are quickly bought and sold, businesses can grow and retain their customer base while generating loyalty.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Virgin Islands Police Force – USA*

Exploit: Ransomware U.S. Virgin Islands Police Department: Law enforcement agency serving the United States Virgin Islands

Risk to Small Business: 1.666 = Severe: An April ransomware attack on the island’s police computer network encrypted all files stored on the department’s servers. The impacted data included information related to internal affairs and citizen complaints, and the “Blue Team” and “IAPRO” programs were unavailable for several weeks. In addition, backups for some systems were also corrupted, requiring the department to install new versions of the affected software. Not only is the department struggling to provide services to its constituents, but it will also face a significant repair cost that is growing by the day.

Individual Risk: 2.571 = Moderate: Hackers did encrypt information related to citizen complaints, which could include sensitive personal information. However, there is no indication that this information was viewed or stolen during the ransomware attack.

Customers Impacted: Unknown

Effect On Customers: The true price tag on a data breach can be deceptive, as recovery costs must be added to the opportunity cost of interrupted business processes and reputational damages. Organizations must be capable of knowing if personal information is accessed in an attack and need internal protocols to protect infrastructure and mitigate damage as much as possible.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS : Alive Hospice – USA*

Exploit: Unauthorized email account access Alive Hospice: Healthcare provider offering hospice and family support services

Risk to Small Business: 2 = Severe: On May 6th, hackers gained access to an employee’s email account containing personally identifiable information for patients at Alive Hospice. Although the company quickly reset the account password, the intruder was able to view significant amounts of sensitive data. In this case, a single email account was able to compromise newsworthy amounts of patient data, while also interrupting business processes. Alive Hospice will incur the expense of credit and identity monitoring services, along with the less quantifiable reputational cost that accompanies a data breach.

Individual Risk: 2 = Severe: Although there is no indication that hackers have misused any company data, they did have access to patients’ names, contact information, dates of birth, social security numbers, driver’s license numbers, credit/debit card numbers, medical history information, treatment and prescription information, physician information, medical record number, Medicaid/Medicare numbers, health insurance information, and other in-house account details. Therefore, those impacted by the breach should enroll in the free credit and identity monitoring services being offered by Alive Hospice while remaining vigilant about monitoring their accounts for suspicious activity.

Customers Impacted: Unknown

Effect On Customers: Personally identifiable information (PII) can quickly make its way to the Dark Web, where it can do considerable damage to those affected by a breach. Therefore, understanding what happens to compromised patient data is a significant part of any data breach recovery effort.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Georgia Administrative (Courts & Judicial Council) – USA*

Exploit: Ransomware Georgia’s Administrative Office of the Courts and Judicial Council of Georgia: Digital information arm for the Georgia state court system

Risk to Small Business: 2.333 = Severe: A malware attack infected the agency’s computer network with ransomware, encrypting its files and disrupting many of its services. Officials have yet to reveal the ransom amount, but it marks the second significant ransomware attack on a government agency in Georgia in 15 months. Fortunately, the agency does not store personal information on the affected network, and servers were taken offline to prevent the malware from spreading. The previous attack in 2018 cost $7.2 million, foreshadowing another expensive blow that can be measured in time and money.

Individual Risk: No personal information was compromised in the breach.

Customers Impacted: Unknown

Effect On Customers: Ransomware attacks wreak havoc on an organization's operational and financial integrity. To make matters worse, they are increasingly becoming more common and costly. Nevertheless, many ransomware attacks are delivered through phishing emails, which can be thwarted through organizational cybersecurity training for employees. Given the exceedingly high recovery expense and cascading damages caused by a ransomware attack, such training is the most cost-effective way of protecting your organisation.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.



Company Cut Off from Government Contracts After Data Breach*:

Last month, Perceptics, a maker of license plate readers used by the U.S. Customs and Border Patrol (CBP), endured a significant data breach that resulted in 65,000 files published to the Dark Web. As a result, the company has been placed on a veritable government blacklist, suspending Perceptics from procuring government contracts. Although the suspension is technically limited to CBP, the notice, which cites “evidence of conduct indicating a lack of business honesty or integrity,” could shun the company from doing business with other government agencies. Before the suspension, Perceptics had a 30-year working relationship with CBP, and its dissolution indicates the weight of unimpeachable cybersecurity standards for companies handling sensitive personal information on behalf of the government. What’s more, Perceptics will still face administrative proceedings that will determine the company’s fate as it pertains to future work with the U.S. Government. The incident is a warning to all companies: cybersecurity is an obligation, not just a suggestion. Data breaches place people’s data at risk but are increasingly becoming capable of compromising an organization’s financial stability. Rather than leaving it up to chance, coordinate with a trusted third party to ensure that your cybersecurity posture is ready to meet the moment.

A Divide in Ransomware Response Ethics – Local Government*

Local governments and municipalities are frequently targeted with ransomware attacks by cyber criminals who view government agencies as soft targets with potentially significant rewards. While leaders are unified in their abhorrence of this behaviour, disparities exist when aligning on response plans. Some local governments choose to pay the ransom, seeing it as the least expensive option available. Of course, this behaviour makes other local governments more vulnerable to a similar attack because it indicates that authorities are willing to pay criminals to restore access to their systems. In contrast, some local governments refuse to pay, a principled stance that can be more expensive in the long run. For instance, Baltimore authorities in the USA refused to pay a $75,000 ransom to regain access to their network, but full system restoration is estimated to cost $10 million, and other ancillary disruptions may cost $8 million more. The message is clear and simple: all organizations need to do everything they can to prevent a ransomware attack in the first place. Contingency plans like backups and cyber insurance are critical for responding to an attack, but employee awareness training, password monitoring and threat analysis services offered by cybersecurity experts can prevent ransomware attacks before placing your organisation in the precarious position of deciding on ransom payments.

Call Paul Nielsen, Certified Cyber Security Risk Advisor on 0408824122 24/7.

Disclaimer*: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content’s accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.
