February 24, 2023
Author: rescue@crimefire.in
-
FinCEN’s Cybercrime and Cybersecurity Policies – ACAMS Today
-
Karnataka lost nearly Rs 1 crore every day to cybercrimes in 2022: Home Department – The Indian Express
Nearly Rs 1 crore on an average was stolen every day by cyber fraudsters in 2022 from individuals in Karnataka, recording a surge of 150 per cent in the money lost in internet crimes, according to the data shared by the state home department. Karnataka lost a whopping Rs 363 crore in 2022, and since 2019 the scamsters have managed to siphon away Rs 722 crore.
Responding to a question raised by MLC M Nagaraj at the legislative council, the home department said that in 2022, Karnataka lost Rs 363,11,54,443, while the officials also managed to recover 12 per cent of the sum, i.e., Rs 46,87,89,415. In 2021, the state lost Rs 145,05,85,810 to cyber crimes. There has been no let up in such crimes even in 2023, as the state registered 1,325 cybercrime cases in January alone and several individuals lost Rs 36.63 crore to the scamsters.
According to the official data, Bengaluru topped the chart with victims losing Rs 266,70,35,040 followed by Mysuru city at a distant second (Rs 14,07,03,467) and Mandya district in the third spot (Rs 13,82,22,366).
In 2022, the number of cyber crime cases in Karnataka skyrocketed to 12,551 compared to the previous year’s 8,132.
According to a police officer, the recovery of money in cybercrime cases is really hard because of various factors, including digital wallets, delay in reporting the crime and lack of coordination among states. “Whatever recovery has been made is with the help of Cyber Crime Information Report (CIR). Also we need to accept that the state has a good mechanism to report cyber crimes with CEN police stations at every division level in Bengaluru and one each at the districts of the state,” said a police officer.
A senior police officer said that the mode of cybercrimes has changed due to the increasing dependence of digital payment applications post Covid-19.
“Like earlier days, cyber criminals won’t be asking for One Time Password (OTP) or engaged in Skimming, largely. Cyber education is very much essential at schools as internet crimes are likely to increase in the days to come,” said the officer.
The Home Department in its response said that it has been making efforts to create awareness among the public by distributing cyber awareness books and is also trying to educate children against cyber bullying.
Year-wise data on cyber crime cases in Karnataka:
2019
Total money lost in cyber crime cases: Rs 71,27,19,806
Total money recovered in cyber crime cases: Rs 8,59,45,570
2020
Total money lost in cyber crime cases: Rs 1,05,99,55,357
Total money recovered in cyber crime cases: Rs 14,83,49,627
2021
Total money lost in cyber crime cases: Rs 1,45,05,85,810
Total money recovered in cyber crime cases: Rs 25,96,33,607
2022
Total money lost in cyber crime cases: Rs 3,63,11,54,443
Total money recovered in cyber crime cases: Rs 46,87,89,415
2023 (Till end of January)
Total money lost in cyber crime cases: Rs 36,63,82,797
Total money recovered in cyber crime cases: Rs 1,03,44,045
Total number of cyber crime cases registered:
2020: 10,738
2021: 8,132
2022: 12,551
2023 (till the end of June): 1,325



-
Equifax, Experian Must Pay More Than Pennies for Data Breaches – Bloomberg Tax
By Andrew Leahey
Personal data is big business. Recent news of the 2017 Equifax data breach settlement checks reaching the 147 million Americans affected focused on the paucity of the per-consumer amount—which were mostly in the single-digit-dollar range. The settlement pool was more than $380 million, but when the breach included just a shade under 45% of the US population, even hundreds of millions of dollars doesn’t go very far.
But we still need entities such as Equifax, and we can’t shut them down simply because they leaked out just under half of our identities. After all, what about the other 56% of the population that the company presumably didn’t have information on or somehow didn’t leak? Isn’t that worth something?
Sure, and so are Equifax Inc., Experian PLC, and the like. Experian is an information company similar to Equifax that, in 2015, leaked out a mess of data on T-Mobile customers and paid about 0.0004% of its value—derived chiefly from said data—to do so. Experian offers a protection plan that costs about $25 per month. If the Equifax payout is any indication, most folks’ settlement checks will cover about a week of that plan. And if you purchased said plan immediately in the wake of the breach news, you’d have paid in just shy of $1,500 by the time you’re reading this.
Credit reporting agencies may need to be incentivized through a fine or excise tax. Because unlike the tech companies, there isn’t a tremendous amount of competition. It isn’t as though, in light of the Equifax and Experian breaches, one can simply take their consumer credit report information elsewhere.
Companies such as Apple Inc., Google LLC, and Meta Platforms Inc. will often offer what’s called a bug bounty, or a fund for ethical white hat hackers that report discovered vulnerabilities to be patched rather than sold on the open market. This motivates hackers who would prefer to operate above board to act as a nefarious hacker might—but to lay out what they found to the company itself rather than to the dark web.
Perhaps we should ask why we’re considering reorienting a policy to reward the hackers who necessitate the policy to begin with while putting money in the hands of those who would gleefully leak our information if we didn’t pay them not to. But protecting the status quo is to make permanent the identity of winners and losers. It’s hard to tell who the winner is, but it’s crystal clear who the losers are.
Offering incentives to white hats corrals market forces to put a value in the legitimate economy on something that only had value in the underground economy. The same approach needs to be taken here. If credit reporting agencies need to exist, they need to have incentives to offer bounties on confirmed exploits.
A completed portfolio or tax return for an individual shouldn’t be selling for $70 apiece on the dark web; the individual who found the vulnerability that led to the leak should already have been paid hundreds of thousands of dollars by the credit agency through a legitimate channel.
There’s a theory in tort law that, to ascertain the fairness of compensation after the fact, one might reimagine an exchange between two parties that gives rise to a claim as a pre-negotiated contract.
In this case, one party theoretically approaches 147 million Americans one at a time and informs them that they would very much like to leak their information. The individuals theoretically hear the request and agree to the contract but respond that they’d need to be paid about $7 for their troubles.
Imagine if you approached people on the street and asked if they’d be willing to share a piece of identifying information, such as a driver’s license or Social Security Number, for $7—you wouldn’t get a lot of takers. And yet, it seems this has been deemed fair compensation for having that information taken from you and made public.
One might also look to the value of that information in the marketplace. In this case, the “marketplace” would be the dark web, where 2022 individual completed 1040 forms with proof of identity are selling for about $70. The entrepreneurs peddling these portfolios indicate much of the information was gleaned from the 2017 Equifax breach.
Whether or not that’s true, it is true that personal information being sold in bulk is almost certainly from some sort of breach—Experian, Equifax, or one of the myriad others. And if that breach ended in a settlement, there’s no reason to believe it would lead to more favorable compensation terms for the victims.
Suffice it to say, then, that the justice system values our personal information at a bit under $10, while fraudsters value it at around $70. And we would each likely pay 10 times that to avoid the hassle and headache of having to deal with identity theft.
This is a regular column from tax and technology attorney Andrew Leahey, principal at Hunter Creek Consulting and a sales suppression expert. Look for Leahey’s column on Bloomberg Tax, and follow him on Mastodon at @andrew@esq.social.
-
Hackers Scored Corporate Giants' Logins for Asian Data Centers – Bloomberg
Illustrator: Hokyoung Kim
Such credentials in the wrong hands could be dangerous, experts say, potentially allowing physical access to data centers. The affected data center operators say the stolen information didn’t pose risks for customer IT systems.
Jordan Robertson
In an episode that underscores the vulnerability of global computer networks, hackers got ahold of login credentials for data centers in Asia used by some of the world’s biggest businesses, a potential bonanza for spying or sabotage, according to a cybersecurity research firm.
The previously unreported data caches involve emails and passwords for customer-support websites for two of the largest data center operators in Asia: Shanghai-based GDS Holdings Ltd. and Singapore-based ST Telemedia Global Data Centres, according to Resecurity Inc., which provides cybersecurity services and investigates hackers. About 2,000 customers of GDS and STT GDC were affected. Hackers have logged into the accounts of at least five of them, including China’s main foreign exchange and debt trading platform and four others from India, according to Resecurity, which said it infiltrated the hacking group. -
Mounting Cyber Threats Mean Financial Firms Urgently Need Better … – International Monetary Fund
Cyber attackers continue to target the financial sector. What will happen when an attack takes down a bank or other critical platform, locking users out of their accounts?
Tight financial and technological interconnections within the financial sector can facilitate the quick spread of attacks through the entire system, potentially causing widespread disruption and loss of confidence. Cyber risk is a clear threat to financial stability.
Among emerging market and developing economies, most financial supervisors haven’t introduced cybersecurity regulations or built the resources to enforce them, according to a recent IMF survey of 51 countries.
We also found:
Meanwhile, a Bank for International Settlements assessment of 29 jurisdictions identified shortcomings in the oversight of financial markets infrastructures.
There are, however, defenses against these risks, including preparation and concerted regulatory action, as we discussed at our recent global cybersecurity workshop in Washington. It won’t be easy though, and comprehensive and collective responses are urgently needed.
Proliferating threats
Just as rapid technological advances offer attackers tools that are cheaper and easier to use, so too do the changes give financial institutions greater ability to thwart them.
Even so, greater vulnerabilities are to be expected in an increasingly digitalized world. Targets proliferate as more systems and devices are connected. Fintech firms that rely heavily on new digital technologies can make the financial industry more efficient and inclusive, but also more vulnerable to cyber risks.
The escalation of geopolitical tensions has also intensified cyberattacks. Perpetrators and their motivation are often obscure, and the risks are not limited to regions of conflict. History shows that spill-over of disruptive malware can cause global damage. For instance, the NotPetya malware attack that first swamped the IT systems of Ukrainian organizations in 2017 quickly spread to several other countries and caused damages estimated at more than $10 billion.
Finally, reliance on common service providers means attacks have a higher probability of having systemic implications. The concentration of risks for commonly used services, including cloud computing, managed security services, and network operators, could impact entire sectors. Losses can be high and become macro critical.
While financial firms and regulators are becoming more aware of, and prepared for, attacks, gaps in the prudential framework remain substantial.
Neutralizing the threat
Financial institutions and regulators must prepare for heightened cyber threats and potential successful breaches by prioritizing five things:
Cross-jurisdictional risk
The strength of cyber defenses depends on the weakest link. With growing interconnections across the world, curbing risk requires an international effort. For its part, the IMF continues to help financial supervisors through capacity development initiatives aimed at designing and implementing international standards and best practices as an urgent priority.
IMFBlog is a forum for the views of the International Monetary Fund (IMF) staff and officials on pressing economic and policy issues of the day. The IMF, based in Washington D.C., is an organization of 190 countries, working to foster global monetary cooperation and financial stability around the world. The views expressed are those of the author(s) and do not necessarily represent the views of the IMF and its Executive Board.
© Copyright International Monetary Fund -
Well-funded security systems fail to prevent cyberattacks in US and Europe: Report – CSO Online
By Shweta Sharma
Senior Writer, CSO
Multilayered, well-funded cybersecurity systems are unable to protect enterprises in the US and Europe from cyberattacks, according to a report by automated security validation firm Pentera.
The report, which was based on a survey of 300 CIOs, CISOs and security executives to get insights on their current IT and security budgets and cybersecurity validation practices, noted that the financial slowdown has had a minimal impact on cybersecurity budgets.
“We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” Aviv Cohen, chief marketing officer of Pentera, said in a press note. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”
Pentesting, also known as penetration testing, is a practice of testing computer systems, networks, or web applications to identify vulnerabilities that an attacker could potentially exploit. This is achieved by simulating an attack on a system or application in a controlled environment to uncover security weaknesses and provide recommendations for remediation.
On average, the survey found, a company had deployed nearly 44 security solutions, suggesting that companies follow a defense-in-depth (also security-in-depth) approach that involves layering multiple security solutions to offer maximum protection to critical assets. However, despite having a substantial number of security measures in place, 88% of organizations acknowledge experiencing a cybersecurity incident within the last two years.
The numbers are consistent with the observations of other experts.
“Defense-in-depth is not just about prevention, detecting and responding to attacks are part of the strategy as well,” said Erik Nost, a Forrester analyst. “In fact, it is likely that these organizations’ defense-in-depth strategies are what detected these breaches and mitigated their impact. The reality is that organizations have sprawling attack surfaces, some of which they don’t know about. Assessing attack surfaces for vulnerabilities and exposures can lead to lengthy findings, which then need prioritizing and time to remediate.”
The report noted that a slowed down world economy may not affect the cybersecurity budgets in 2023. As per the survey, 92% of organizations have increased their IT security budgets, and 85% have increased their budget for pentesting.
“While greater emphasis on validation of the entire security stack must be put in by the CISOs, I’m encouraged to see security teams are getting the budgets they need to protect their organizations,” Chen Tene, vice president of Customer Operations at Pentera said in a press note.
Although the initial need for pentesting was driven by regulatory demands, the key reasons for conducting it were found to be security validation, assessment of potential damage, and cybersecurity insurance, according to the report.
Only 22% of respondents considered compliance as their primary motivation for pentesting, indicating regulatory or executive mandates are not the primary driving force behind the practice.
“While in our 2020 survey, regulatory compliance was the second most common answer among CISOs, today it has dropped all the way to the bottom,” Cohen said. “This is a positive shift showcasing how security executives aren’t waiting for regulations to mandate further action.”
Cybersecurity insurance policies emerged as another prominent driver for pentesting amid pandemic-induced surge in cyberattacks, as 36% of survey participants identified it as their primary reason for conducting pentesting. This contrasts with the 2020 findings, where only 2% considered cybersecurity insurance as their top driver for pentesting.
“Sometimes an initial push from a regulator or governing body is what some organizations need to get a buy-in to make a change,” Nost said. “But as security solutions, technology, and threats evolve, it is unlikely that regulatory requirements will be able to evolve with it to maintain relevancy.”
The report found that 82% of companies are already implementing pentesting in some way. However, the main obstacle to the adoption of this practice is the apprehension regarding business continuity. Both companies — that currently conduct pentesting and those that do not — identify the risk to business continuity as their primary concern when contemplating increasing the frequency of pentesting.
About 45% of participants who already conducted pentesting, whether manual or automated, said that the risk to business applications or network availability prevented them from increasing the pentesting frequency, and this number increased to 56% for those who didn’t conduct pentesting assessments at all.
Copyright © 2023 IDG Communications, Inc. -
PayPal Data Breach – Thousands of Users Accounts Compromised – CybersecurityNews
The unauthorized parties used login credentials to access PayPal user accounts, according to a PayPal notification of a security incident.
Between December 6 and December 8, 2022, hackers gained unauthorized access to the accounts of thousands of individuals. A total of 34,942 accounts were reportedly accessed by threat actors employing a ‘credential stuffing attack’.
A “credential stuffing” attack tries username and password combinations obtained from data leaks on other websites in an effort to gain access to an account.
Since many users use the same password and username/email repeatedly, submitting those sets of stolen credentials to dozens or hundreds of other websites can enable an attacker to compromise those accounts as well. This can happen when those credentials are exposed (by a data breach or phishing attack).
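Detection logic for the credential-stuffing pattern described above, as an added example that is not part of the original article or of PayPal’s systems. The log format, field names, thresholds and sample lines are constructed assumptions; the heuristic looks for one source trying many distinct accounts in a short window with mostly failures, and lists the accounts that succeeded in that window so they can be reset first.

```python
"""Flag credential-stuffing activity in authentication logs.

Credential stuffing shows up as one source trying many *different* accounts
in a short window, mostly failing, with a few successes. This heuristic groups
events by source IP, slides a fixed time window over them and reports a source
when the window holds at least MIN_ACCOUNTS distinct usernames and the failure
ratio is at least MIN_FAIL_RATIO. Added example; log format, field names and
thresholds are assumptions, not any vendor's format.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO timestamp>Z ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(seconds=60)   # sliding window length
MIN_ACCOUNTS = 5                 # distinct usernames from one source per window
MIN_FAIL_RATIO = 0.5             # share of attempts in the window that failed

# Constructed sample log (not real traffic): 203.0.113.5 sprays six accounts in
# six seconds and lands one; 198.51.100.7 is a user mistyping their own password.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-12-06T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2022-12-06T10:00:03Z ip=203.0.113.5 user=carol result=OK
2022-12-06T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2022-12-06T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2022-12-06T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2022-12-06T10:00:10Z ip=198.51.100.7 user=grace result=FAIL
2022-12-06T10:00:20Z ip=198.51.100.7 user=grace result=FAIL
2022-12-06T10:00:35Z ip=198.51.100.7 user=grace result=OK
2022-12-06T12:30:00Z ip=203.0.113.5 user=heidi result=OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    distinct_users: int
    attempts: int
    failures: int
    accounts_to_reset: list   # usernames that logged in OK inside the window
    window_start: datetime
    window_end: datetime


def parse_log(text: str) -> list:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                    min_fail_ratio=MIN_FAIL_RATIO) -> dict:
    """Return {ip: Finding} for every source whose densest window trips the rule."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        users = Counter()   # usernames currently inside the window
        fails = 0
        start = 0
        for end, e in enumerate(evs):
            users[e.user] += 1
            fails += 0 if e.ok else 1
            # Evict events older than the window ending at e.ts.
            while e.ts - evs[start].ts > window:
                old = evs[start]
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
                fails -= 0 if old.ok else 1
                start += 1
            attempts = end - start + 1
            if len(users) >= min_accounts and fails / attempts >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev.distinct_users:
                    hit = sorted({x.user for x in evs[start:end + 1] if x.ok})
                    findings[ip] = Finding(ip, len(users), attempts, fails, hit,
                                           evs[start].ts, e.ts)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)).values():
        print(f"{f.ip}: {f.distinct_users} accounts, {f.failures}/{f.attempts} failed "
              f"between {f.window_start:%H:%M:%S} and {f.window_end:%H:%M:%S}; "
              f"reset: {', '.join(f.accounts_to_reset)}")
```

The legitimate user who fails twice against a single account is not flagged, while the spraying source is reported together with the one account it got into.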
“The unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users”, reads the PayPal notice of security incident.
According to PayPal, the personal information that was leaked may have included name, address, Social Security number, individual tax identification number, and/or date of birth.
On December 20, 2022, PayPal confirmed that a third party had used the login information to access PayPal customer accounts.
The firm identified it at the time and took steps to mitigate it, but it also launched an internal investigation to determine how the hackers gained access to the accounts.
The electronic payment system states that there was no system breach, and there is no proof that the user credentials were taken directly from the users.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.”
“There is also no evidence that your login credentials were obtained from any PayPal systems”, PayPal said.
PayPal is giving impacted customers free access for two years to Equifax’s identity monitoring services.
“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account”, PayPal noted.
-
The 5 Cornerstones for an Effective Cyber Security Awareness … – The Hacker News
It’s not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.
The hard news: they’re often successful, have a long-lasting negative impact on your organization and employees, including:
The harder news: These often could have been easily avoided.
Phishing, educating your employees, and creating a cyber awareness culture? These are topics we’re sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees’ behavior and build organizational resilience to phishing attacks.
According to the 2022 Tessian Security Cultures Report, “security leaders underestimate just how much they should be a part of the employee experience” across onboarding, role changes, offboarding, relocations, and day-to-day activities.
But we’ve repeatedly seen that ad hoc, scattershot employee training attempts don’t work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.
Granted, it isn’t easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees’ level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.
Ever been told there’ll be a fire evacuation drill? Likely, you weren’t caught off guard when the practice started and could have paid more attention. That’s the thing about drills; they’re in place to prepare us for present and future threats.
Cybersecurity training is no different, though it can quickly become a matter of ticking a compliance box to satisfy minimum requirements. To prevent that, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.
It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.
The solution: Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.
You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group’s needs – and even based on individual behavior. That’s critical to adequately address the challenges of given scenarios of future attack campaigns.
These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization’s specific role or department.
You strengthen employees’ defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.
English might be your corporate language, but it might not be every employee’s mother tongue, and cultural contexts might be perceived differently in some branches.
Using employees’ mother tongue within a location’s cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.
Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations’ training.
In our experience, one in every five employees is a “serial clicker.” Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We’ve seen it all, from entry-level positions to company stakeholders.
They’re not trained or equipped to reliably identify phishing attacks, nor do they understand how dangerous and destructive the impact can be. So they keep clicking links in emails they shouldn’t have opened.
The good news: We believe serial clickers can be cured because we’ve seen it repeatedly happen with employee training and education.
We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It’s recommended to use data science to understand how employee groups within your organization – from new hires, executive leadership, and veteran employees – respond to potential threats.
Once you analyze the data to understand these groups’ behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.
These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees’ privacy.
Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you’re looking at it from the perspective of time, resources, or economics, it’s almost impossible without a truly automated solution that has expert knowledge baked into the software.
CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, personalized demo.
-
Australia retailer's customer data compromised in third-party breach – ZDNet
Data belonging to customers of The Good Guys have been compromised in a security breach involving the Australian retailer’s former third-party supplier, My Rewards.
Formerly known as Pegasus Group Australia, My Rewards also confirmed the breach in a statement Thursday, revealing that preliminary investigations pointed to an “unauthorised access” to its systems in August 2021, which led to the data compromise.
This meant that personally identifiable information, including names, email addresses, and phone numbers, likely had been made publicly available, the company said, noting that all its data were stored in Australia.
My Rewards added that its IT systems currently had not suffered any breach and that it would work with the relevant authorities, including the Australian Federal Police, regarding the breach.
In its own statement Thursday, The Good Guys said it was notified of the breach this month and that its own IT systems were not involved.
It previously worked with My Rewards to provide reward services for its Concierge members, some of whom would have set up a My Rewards account that required a password. And while optional, customers’ dates of birth also might have been provided.
Compromised data did not include financial or identity document details, such as credit card, driver’s licence, or passport information.
The Good Guys said affected customers would be contacted about the breach. It added that My Rewards accounts linked to its Concierge benefits programme were closed and the former third-party vendor no longer held any personal data of its members.
“The Good Guys is extremely disappointed that My Rewards, a former services provider, has experienced this breach and we apologise for any concern that this may cause,” the Australian retailer said.
Commenting on the breach, BlueVoyant’s Asia-Pacific Japan vice president Sumit Bansal noted that the incident as well as last year’s Medibank breach involved third-party vendors, serving as a reminder for businesses to scrutinise their suppliers and other third parties involved in their supply chain.
“These companies are far from the only ones to be negatively impacted by a breach related to a third party, and most likely will not be the last,” Bansal said.
Citing the security vendor’s recent study, he noted that 97% of Asia-Pacific organisations had been negatively impacted by a breach in their supply chain. Almost 40% said they would not know if a third party had security vulnerabilities.
The finding revealed a challenge with monitoring such risks, he said. “Digital supply chains are made of vendors, suppliers, and other third parties with network access. As organisations’ own internal cybersecurity becomes stronger, a third party may have weaker security,” he added. “To help prevent breaches, organisations should first make sure they know which third parties they use or have used in the past, and what data and network access they may have.”
“Organisations should only provide employees and third-parties with access to the data needed for their role. This helps to control what data can be accessed in the event of a breach. They should also put policies in place to prevent third parties from retaining data after their services are no longer used.”
Australia-based Jacqueline Jayne, who is KnowBe4’s Asia-Pacific security awareness advocate, further noted that the compromised data could be used to facilitate social engineering attacks, even if personal financial information were not leaked.
The data could be manipulated to create phishing email messages that looked legitimate and be used to redirect payments or collect more sensitive information from targeted victims, Jayne said.
“Because many victims will assume an email or text message containing legitimate information about previous orders would be trustworthy, it can make it much easier for a social engineering attack to be successful,” she said. “Victims of this [The Good Guys] data loss should be very cautious when it comes to future communications and they should pay close attention to any links in messages or requests for more information.”
The Australian government in November passed legislation to increase financial penalties for data privacy violators, pushing up maximum fines for serious or repeated breaches to AU$50 million ($32.34 million), from the current AU$2.22 million, or three times the value of any benefit obtained through the data misuse, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater. -
True Health New Mexico data breach class action settlement – Top Class Actions
The settlement benefits individuals who received a notification from True Health New Mexico that their personal identifiers and/or health information may have been compromised in a data breach Oct. 5, 2021.
True Health New Mexico agreed to a class action settlement to resolve claims that it failed to protect patient data from a 2021 data breach.
Plaintiffs in several data breach class action lawsuits claimed True Health New Mexico failed to protect their sensitive information from an October 2021 ransomware attack that compromised identifiers and protected health information. According to the data breach class actions, this incident affected nearly 63,000 patients.
True Health New Mexico is a health insurance provider. The company discontinued its healthcare plans in New Mexico at the end of 2022.
True Health hasn’t admitted any wrongdoing but agreed to pay an undisclosed sum as part of a settlement to resolve these allegations.
Under the terms of the settlement, class members can receive reimbursement of up to $250 for data breach-related expenses (credit-related costs, bank fees, communication charges, etc.) and up to five hours of lost time at a rate of $20 per hour.
Class members who experienced “extraordinary” expenses related to the data breach can receive higher payments of up to $5,000 for actual, documented and unreimbursed monetary losses caused by fraud or identity theft resulting from the data breach. This reimbursement may include three additional hours of unreimbursed lost time compensated at a rate of $20 per hour.
The deadline for exclusion and objection is April 14, 2023.
The final approval hearing for the settlement is scheduled for May 10, 2023.
To receive settlement benefits, class members must submit a valid claim form by Aug. 14, 2023.
Who is eligible: Individuals who received a notification from True Health New Mexico that their personal identifiers and/or health information may have been compromised in a data breach Oct. 5, 2021.
Potential award: $5,250
Required documentation: Documentation of data breach-related losses and expenses
Claim form deadline: 08/14/2023
Case names:
McCullough, et al. v. True Health New Mexico Inc., Case No. D-202-CV-2021-06816, in the 2nd District Court of the State of New Mexico
Clement, et al. v. True Health New Mexico Inc., Case No. D-101-CV-2022-00129, in the 2nd District Court of the State of New Mexico
Shanks, et al. v. True Health New Mexico Inc., Case No. D-202-CV-2022-00449, in the 2nd District Court of the State of New Mexico
Final approval hearing: 05/10/2023
Settlement website: THNMSettlement.com
Claims administrator: True Health Claims Administrator, P.O. Box 4190, Portland, OR 97208-4190, info@THNMSettlement.com, 877-506-4514
Attorneys: Ben Barnow and Anthony Parkhill (Barnow and Associates PC); Andrew W Ferich (Ahdoot & Wolfson PC); Baker & Hostetler LLP