Author: rescue@crimefire.in

Software company Zendesk has informed the crypto trading and portfolio management company Coinigy that it suffered a data breach following a “sophisticated SMS phishing campaign” that targeted several of its employees. 
Coinigy has revealed Zendesk said it became aware of the data breach in October, discovering at that time that some of its targeted employees handed over their login details to the bad actors, SecurityWeek reported. 
Zendesk reportedly disclosed to Coinigy that the hackers — from between the time period of Sept. 25 and Oct. 26, 2022 — were able to access data that was unstructured and in a logging platform. 
Coinigy was informed service data belonging to the company’s account was potentially included in the compromised logging platform data, per a discovery during an ongoing review into the incident that Zendesk said it is conducting, SecurityWeek reported. 
Zendesk reportedly said, however, that it had discovered no indication that Coinigy’s Zendesk instance had been exposed during the data breach, but that it was continuing to look into the possibility. 
Other companies affected by the purported data breach against Zendesk appear to have been informed by the software company sooner than Coinigy, which only received notice this month, according to SecurityWeek. 
Cryptocurrency exchange Kraken, for example, reportedly informed its customers in November about a data breach against Zendesk, with the platform saying at the time that customer accounts and funds were not at risk. 
In another data breach reported this month, PayPal revealed that a credential stuffing attack led to a data breach that exposed the personal information of almost 35,000 of the e-commerce company’s users. 
Have you been affected by a data breach? Let us know in the comments. 
Check out our list of Class Action Lawsuits and Class Action Settlements you may qualify to join!
Read About More Class Action Lawsuits & Class Action Settlements:
Δ
Your email address will not be published. By submitting your comment and contact information, you agree to receive marketing emails from Top Class Actions regarding this and/or similar lawsuits or settlements, and/or to be contacted by an attorney or law firm to discuss the details of your potential case at no charge to you if you qualify. Required fields are marked *
Comment *
Name *
Email *


Δ
Δ
Your email address will not be published. By submitting your comment and contact information, you agree to receive marketing emails from Top Class Actions regarding this and/or similar lawsuits or settlements, and/or to be contacted by an attorney or law firm to discuss the details of your potential case at no charge to you if you qualify. Required fields are marked *
Comment *
Name *
Email *


Δ
Please note: Top Class Actions is not a settlement administrator or law firm. Top Class Actions is a legal news source that reports on class action lawsuits, class action settlements, drug injury lawsuits and product liability lawsuits. Top Class Actions does not process claims and we cannot advise you on the status of any class action settlement claim. You must contact the settlement administrator or your attorney for any updates regarding your claim status, claim form or questions about when payments are expected to be mailed out.

Δ
@2023 Top Class Actions. All Rights Reserved. Privacy Policy | Terms and Conditions

source

Let Cybersecurity Dive’s free newsletter keep you informed, straight from your inbox.

Organizations were not forthright with the causes or potential risks stemming from disclosed incidents.
Organizations are tightening up what they share with customers in government-mandated breach notifications.
In 2022, two-thirds of data breach notices did not include enough details to help individuals and businesses determine potential risk, according to an annual data breach report published Wednesday by the Identity Theft Resource Center.
Data breach notices with attack and victim details comprised 72% of all filings in 2019, but slid to a five-year low of 34% last year.
“The result of these trends is less reliable data that impairs the ability of individuals, businesses and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one,” ITRC CEO Eva Velasquez said in the report.
The group identified 1,802 data breach notices in the U.S. last year, a slight decline from 2021. The number of potential victims, however, jumped 41% year over year to 422 million.
The lack of detail in data breach notices underscores the inadequacy of state data breach notification laws, Velasquez said. “Most states put the burden of determining the risk of a data breach to individuals or business partners on the organization that was compromised.”
The ITRC, a non-profit organization focused on identity crime, contends compromised businesses are making a conscious decision to withhold information.
The group specifically called out DoorDash, LastPass and Samsung for issuing breach notices with “limited or no detail about what happened and who was impacted in their state-mandated breach notice.”
The potential damage caused by the breach at LastPass, which also impacted its parent company GoTo, escalated to alarming levels as the password manager informed customers everything but their master passwords were compromised in the attack.
Organizations and professionals that assist data breach victims often don’t have access to enough information to recommend a proper response.
“Increasingly,” Velasquez said, “it is not so much what we know, but what we do not know that is the most troubling and compelling.”
Get the free daily newsletter read by industry experts
Enterprise cybersecurity is navigating market turmoil and vendor consolidation. Here’s what experts expect to happen to the industry in 2023.
Text message and email-based authentication aren’t just the weakest variants of MFA. Cybersecurity professionals say they are broken.
Subscribe to Cybersecurity Dive for top news, trends & analysis
Get the free daily newsletter read by industry experts
Enterprise cybersecurity is navigating market turmoil and vendor consolidation. Here’s what experts expect to happen to the industry in 2023.
Text message and email-based authentication aren’t just the weakest variants of MFA. Cybersecurity professionals say they are broken.
The free newsletter covering the top industry headlines

source

This website no longer supports the Internet Explorer web browser.
Microsoft is retiring and will no longer support Internet Explorer.  Please use another web browser to access this website.  
Click here for more details.
NYSE WAB @ 104.22
Locomotive
Freight Car
Freight Services
Digital Intelligence
Transit
Mining
Adjacent Solutions
Company
Our Wabtec entities: Wabtec Corporation, Wabtec UK Limited and Wabtec Brasil Fabricação e Manutenção de Equipamentos Ltda., located in the US, Canada, UK and Brazil, respectively (“together Wabtec”) are providing notice about an event that occurred earlier this year that affected some individuals’ personal information.
What Happened.  On June 26, 2022, Wabtec became aware of unusual activity on its network and promptly began an internal investigation. It was subsequently determined that malware was introduced into certain systems as early as March 15, 2022. Wabtec, with the assistance of leading cybersecurity firms, assessed the scope of the incident to, among other things, determine if personal data may have been affected. Additionally, shortly after discovery of the event, Wabtec notified the Federal Bureau of Investigation.
The forensic investigation did reveal that certain systems containing sensitive information were subject to unauthorized access, and that a certain amount of data was taken from the Wabtec environment on June 26, 2022. The information was later posted to the threat actor’s leak site. On November 23, 2022, Wabtec, with the assistance of data review specialists, determined that personal information was contained within the impacted files. On December 30, 2022, Wabtec began notifying affected individuals, per relevant regulations, with a formal letter, to let them know their data was involved. 
What Information Was Involved.  The affected information varies by individual but includes a combination of the following data elements: First and Last Name, Date of Birth, Non-US National ID Number, Non-US Social Insurance Number or Fiscal Code, Passport Number, IP Address, Employer Identification Number (EIN), USCIS or Alien Registration Number, NHS (National Health Service) Number (UK), Medical Record/Health Insurance Information, Photograph, Gender/Gender Identity, Salary, Social Security Number (US), Financial Account Information, Payment Card Information, Account Username and Password, Biometric Information, Race/Ethnicity, Criminal Conviction or Offense, Sexual Orientation/Life, Religious Beliefs, Union Affiliation.
What Wabtec Is Doing. Wabtec is committed to and takes very seriously its responsibility to safeguard all data entrusted to it. As part of the company’s ongoing commitment to the security of personal information in its care, it has taken additional steps to reinforce the integrity and security of its systems and operations, including implementing additional procedural safeguards. Wabtec has been notifying all applicable regulatory and data protection authorities, as required.
What You Can Do | Potential Consequences. While there is no indication that any specific information was or will be misused, considering the nature of the incident and of the affected personal data, we cannot rule out that there may be attempts to carry out fraudulent activity. For this reason, Wabtec encourages individuals to remain vigilant against incidents of identity theft and fraud by reviewing their financial account statements and credit reports for any anomalies. Please see below for additional details in the different jurisdictions.
For More Information. If individuals have additional questions not addressed in this notice, they may contact a member of Wabtec’s data privacy team by sending an email to privacy [at] wabtec [dot] com. Please see below for additional contact details in the different jurisdictions.
**********
If individuals in the US have additional questions not addressed in this notice, they may also call the dedicated assistance line at 1-888-505-4784 Monday through Friday from 9:00 am to 9:00 pm ET.
Wabtec encourages individuals to learn more about identity theft, fraud alerts, security freezes, and the steps they can take to protect themselves by contacting the consumer reporting agencies, the Federal Trade Commission, or their state Attorney General. 
Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228.  You may also contact the three major credit bureaus directly to request a free copy of your credit report, a security freeze, or a fraud alert.
 
 
You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information on your credit report without your expressed authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. 
To request a security freeze, you will need to provide the following information:
As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years.
The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud.  Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.
**********
Please find below some guidance around the practical steps you can take in the UK to protect yourself: 
**********
 
Nossas entidades Wabtec: Wabtec Corporation, Wabtec UK Limited e Wabtec Brasil Fabricação e Manutenção de Equipamentos Ltda., localizadas respectivamente nos E.U.A, Canadá, Reino Unido e Brazil (em conjunto “Wabtec”) estão neste ato comunicando publicamente acerca de um evento ocorrido no início deste ano que afetou informações pessoais de alguns indivíduos.
O que aconteceu.  Em 26 de junho de 2022, a Wabtec ficou ciente de uma atividade não usual nas suas redes e prontamente iniciou uma investigação interna. Foi determinado posteriormente que um malware já havia sido introduzido em alguns sistemas em 15 de março de 2022. A Wabtec, com o apoio de empresas líderes de mercado em segurança cibernética, analisou o escopo do incidente e, entre outros aspectos, determinou se dados pessoais foram afetados. Além disso, logo após a descoberta do evento, a Wabtec notificou o Federal Bureau of Investigation – FBI.
A investigação forense de fato revelou que certos sistemas, contendo informações sensíveis, foram acessados de modo não autorizado e que uma certa quantidade de dados foi retirada dos ambientes da Wabtec em 26 de junho de 2022. Tais informações foram posteriormente publicadas em site hacker voltado para vazamento de dados. A Wabtec, com a assistência de especialistas em revisão de dados, determinou que havia informações pessoais em alguns dos arquivos impactados. Em 30 de Dezembro de 2022, a Wabtec começou a notificar os indivíduos afetados, de acordo com as normas aplicáveis, com uma carta formal, com o objetivo de fazer com que esses indivíduos tenham conhecimento de que seus dados estavam envolvidos.
Quais Informações Estavam Envolvidas.  As informações afetadas variam de acordo com o indivíduo afetado, mas incluem a combinação dos seguintes dados: Nome e Sobrenome, Data de nascimento, Número de Identificação Nacional não americano, Número de Seguridade Social ou CPF, Número de Carteira de Motorista ou de Identificação Estadual, Número de Passaporte, Registro Médico/Informações sobre Seguro de Saúde, Fotografia, Gênero/Identidade de Gênero, Salário, Número de Seguridade Social (EUA), Informações sobre Contas Financeiras, Informações sobre Cartão de Pagamento, Nome de Usuário e Senha de Contas, Informações Biométricas, Raça/Etnia, Orientação/Vida Sexual, Crenças Religiosas, Filiação a Sindicato.
O que a Wabtec Está Fazendo. A Wabtec está comprometida com e considera de forma muito séria a sua responsabilidade em proteger todos os dados confiados a nós. Como parte do compromisso permanente da empresa relacionado à segurança das informações pessoas sob o seu cuidado, ela tem implementado medidas adicionais para reforçar a integridade e a segurança dos seus sistemas e operações, incluindo a implementação de mais salvaguardas procedimentais. A Wabtec notificou todas as autoridades regulatórias e de proteção de dados de acordo com as normas aplicáveis.
O que Você Pode Fazer | Potenciais Consequências.Enquanto não houver indicação de que qualquer informação específica foi ou será utilizada indevidamente, considerando a natureza do incidente e dos dados pessoais afetados, não podemos afastar a possibilidade de tentativas de atividades fraudulentas. Por essa razão, encorajamos você a permanecer vigilante contra incidentes de roubo de identidade e fraude a partir da revisão dos seus extratos bancários, financeiros e informativos de créditos para identificar qualquer anomalia. Veja abaixo mais detalhes sobre o tema.
Para Mais Informações. Questões adicionais que não foram endereçadas nessa comunicação podem ser encaminhadas a um membro do time de privacidade da Wabtec por meio do e-mail privacy [at] wabtec [dot] com ou o Encarregado de Dados, Henrique Tavares (henrique [dot] tavares [at] wabtec [dot] com, +55 31 999307520).
**********
Seguem abaixo algumas recomendações com medidas práticas que você pode tomar no Brasil para se proteger:
**********
If individuals in Canada have additional questions not addressed in this notice, they may also call the dedicated assistance line at 1-888-505-4784 Monday through Friday from 9:00 am to 9:00 pm ET. Additionally, individuals may contact a member of Wabtec’s Data Privacy Team by emailing privacy [at] wabtec [dot] com
1. Monitor Your Accounts

We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity.  You can access your free credit report from Equifax and TransUnion.
2. Place a Fraud Alert on Your Credit File
A fraud alert is a notice placed on your credit file that alerts creditors that you may be a victim of fraud. There are also two types of fraud alerts that you can place on your credit report to put your creditors on notice that you may be a victim of fraud: an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least 90 days. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the two national credit reporting agencies listed below or visiting the listed websites.
3. Other Steps You Can Take
In addition to the above, we encourage you to:
**********
Nos entités Wabtec : Wabtec Corporation, Wabtec UK Limited et Wabtec Brasil Fabricação e Manutenção de Equipamentos Ltda, situées respectivement aux États-Unis, au Canada, au Royaume-Uni et au Brésil (ensemble, « Wabtec ») vous informent d’un événement survenu au début de l’année qui a affecté les informations personnelles de certaines personnes.
Que s’est-il passé.  Le 26 juin 2022, Wabtec a pris conscience d’une activité inhabituelle sur son réseau et a rapidement lancé une enquête interne. Il a ensuite été déterminé qu’un logiciel malveillant avait été introduit dans certains systèmes dès le 15 mars 2022. Wabtec, avec l’aide de sociétés de cybersécurité de premier plan, a évalué la portée de l’incident pour, entre autres, déterminer si des données personnelles avaient pu être affectées. En outre, peu après la découverte de l’événement, Wabtec a informé le Federal Bureau of Investigation, aux États-Unis.
L’enquête judiciaire a révélé que certains systèmes contenant des informations sensibles ont fait l’objet d’un accès non autorisé et qu’un certain nombre de données ont été extraites de l’environnement de Wabtec le 26 juin 2022. Ces informations ont ensuite été publiées sur le site de fuite de l’acteur de la menace. Le 23 novembre 2022, Wabtec, avec l’aide de spécialistes de l’analyse des données, a déterminé que des informations personnelles étaient contenues dans les fichiers impactés. Le 30 Décembre 2022, Wabtec a commencé à notifier les personnes concernées, conformément aux réglementations pertinentes, par une lettre officielle, pour leur faire savoir que leurs données étaient concernées.
Quelles sont les informations concernées.  Les informations concernées varient selon les individus mais comprennent une combinaison des éléments de données suivants : Nom et Prénom, Date de naissance, Numéro d’assurance sociale ou code fiscal non américain, Sexe/identité sexuelle, Salaire, Numéro de compte financier, Informations d’accès au compte financier, Numéro de carte de paiement..
Ce que fait Wabtec. Wabtec s’engage et prend très au sérieux sa responsabilité de protéger toutes les données qui lui sont confiées. Dans le cadre de son engagement permanent envers la sécurité des informations personnelles qui lui sont confiées, la societé a pris des mesures supplémentaires pour renforcer l’intégrité et la sécurité de ses systèmes et de ses opérations, notamment en mettant en place des garanties procédurales supplémentaires. Wabtec a notifié toutes les autorités réglementaires et de protection des données applicables, tel que requis.
Ce que vous pouvez faire | Conséquences potentielles. Bien que rien n’indique que des informations spécifiques ont été ou seront utilisées à mauvais escient, compte tenu de la nature de l’incident et des données personnelles concernées, nous ne pouvons exclure la possibilité de tentatives d’activités frauduleuses. Pour cette raison, Wabtec encourage les personnes à rester vigilantes face aux incidents d’usurpation d’identité et de fraude en examinant leurs relevés de comptes financiers et leurs rapports de crédit pour détecter toute anomalie. Veuillez voir ci-dessous pour plus de détails.
Pour plus d’informations. Si les individus concernés ont des questions supplémentaires qui ne sont pas abordées dans cet avis, ils peuvent appeler la ligne d’assistance dédiée à cet effet au numéro de téléphone du centre d’appels 1-888-505-4784 du lundi au vendredi partir de 9 :00 am à 9 :00 pm ET. En outre, les personnes peuvent contacter un membre de l’équipe de confidentialité des données de Wabtec en envoyant un courriel à privacy [at] wabtec [dot] com.
 
1. Surveillez vos comptes
Nous vous encourageons à rester vigilant face aux incidents d’usurpation d’identité et de fraude, à examiner vos relevés de compte et à surveiller vos rapports de crédit pour détecter toute activité suspecte. Vous pouvez accéder gratuitement à votre dossier de crédit auprès d’Equifax et de TransUnion.
2. Placez une alerte à la fraude sur votre dossier de crédit
Une alerte à la fraude est un avis placé sur votre dossier de crédit qui avertit les créanciers que vous pourriez être victime d’une fraude. Il existe également deux types d’alertes à la fraude que vous pouvez placer sur votre dossier de crédit pour avertir vos créanciers que vous pourriez être victime d’une fraude : une alerte initiale et une alerte prolongée. Vous pouvez demander qu’une alerte initiale à la fraude soit placée sur votre dossier de crédit si vous pensez avoir été, ou être sur le point d’être, victime d’un vol d’identité. Une alerte initiale à la fraude reste sur votre dossier de crédit pendant au moins 90 jours. Une alerte prolongée peut être placée sur votre dossier de crédit si vous avez déjà été victime d’une usurpation d’identité et que vous disposez des preuves documentaires appropriées. Une alerte de fraude prolongée reste sur votre dossier de crédit pendant sept ans. Vous pouvez placer une alerte à la fraude sur votre dossier de crédit en appelant le numéro gratuit de l’une des deux agences nationales d’évaluation du crédit énumérées ci-dessous ou en consultant les sites Web indiqués
3. Autres mesures que vous pouvez prendre
En plus de ce qui précède, nous vous encourageons à:
 
Transportation solutions that move and improve the world
At Wabtec, we help our customers overcome their toughest challenges by delivering rail and industrial solutions that improve safety, efficiency and productivity.
30 Isabella Street
Pittsburgh, PA 15212 – USA
Phone: 412-825-1000
Fax: 412-825-1019

source

February 13, 2023
A data breach is a security incident where an organization’s data is illegally stolen, copied, viewed, or released by an unauthorized individual or group. Common forms of targeted data include personally identifiable information (PII), proprietary information, financial information, and other sensitive material.
Any organization with sensitive data can be the subject of a data breach regardless of size or industry sector. Attack methods vary, but all data breaches follow four broad steps:
To complete this cycle, threat actors leverage numerous tactics to obtain data. Common methods include:
Stolen or compromised credentials: The threat actor uses a legitimate user’s credentials such as their login and password to access a target system.
Phishing: A malicious email using social engineering to manipulate the reader into giving the sender sensitive information such as credentials or access to a larger computer network.
Breach of third party software: Exploiting a flaw in a software used by the target organization. For example, leveraging a flaw in Microsoft Word’s code to access a company’s network.
Malicious insider: A person within the target organization who intentionally uses their access to steal data or help others steal data.
Accidental data loss: Can include the accidental publishing of sensitive data to the internet, a legitimate user unintentionally releasing their credentials, loss of equipment, and other mishaps.
According to research from the Ponemon Institute, the most common breach methods were:
Many data breaches can go months before the victim organization detects the intrusion and often costs millions of dollars in recovery. Some of the major consequences from a data breach include:
Yahoo, August 2013: Widely considered the biggest data breach of all time with 3 billion accounts impacted. In 2013, the company announced an initial estimate of 1 billion, then in 2017, increased the number to 3 billion demonstrating the difficulty of accurately assessing the damage of a breach immediately after it occurs. Hackers stole account information such as names, email addresses, birth dates, passwords, and more.
Solar Winds, April 2021: A routine update for the Company’s Orion software turned out to be a malicious intrusion tactic by hackers supporting the Russian intelligence service. Solar Winds estimated 18,000 personnel downloaded the false update leading to an estimated compromise of about 100 companies and a dozen government agencies.
LinkedIn, June 2021: The professional networking social media company found 90% of its user base impacted when data associated with 700 million of its members was posted to a dark web forum. A hacker group executed data scraping tactics to exploit LinkedIn’s API and retrieve information such as email addresses, phone numbers, geolocation records, and more.
There’s no better time than the present to start securing and preparing your organization to prevent a data breach. It’s not a question of if you’ll be targeted but when.
An effective plan should establish best practices, define key roles and responsibilities, and define a process for the organization’s response. Focus on restoring data and systems’ confidentiality, integrity and availability, and external requirements such as contacting an insurance carrier or law enforcement entity.
Once you understand the risks to your organization and the gaps within your cybersecurity defenses, set goals to mitigate risk. These efforts should be prioritized as part of a strategic roadmap to improve your overall cybersecurity.
Cyber talent is hard to find and expensive to retain. Professional security consultants have access to the latest threat intelligence to guide your cybersecurity and response to any intrusions or detected events.
Focus your limited resources on those areas of the network that are most critical to your business. Determine where your most  sensitive data or networks are located and implement increased logging and network monitoring. Actively monitor network access.
Patching operating systems and third-party applications is one of the most inexpensive, yet effective ways to harden a network. Build a strong patch management process and ensure that critical security patches are installed as soon as  possible. Update legacy software and systems.
The news is littered with companies that didn’t adequately protect their user accounts. Passwords are consistently reported as being offered for sale on the darknet. If your organization maintains user accounts, audit your password storage functions.
Remote access into your network should always require two-factor authentication. Consider also requiring 2FA for sensitive administrative accounts.
One of the simplest attacks is to use a default password that is shipped out-of-the-box by a vendor. Default passwords, especially for hardware devices (e.g., Wi-Fi routers), can allow direct access to critical data.
Testing readiness with tabletop exercises offers immense benefits when it comes to being operationally ready for a data breach. Working through roles, responsibilities and the steps of a complete incident response plan prepares a team for action and identifies weaknesses.
Training and educating your staff enhances and expands cybersecurity abilities. Consider classes on threat hunting to ensure a proactive approach to detecting intrusion attempts.
Organizations that are better able to detect and respond to breaches often have integrated fraud and IT security departments. Encourage regular information sharing in your organization.
Data breaches are prolific and your organization’s security will only be as strong as your personnel and their ability to detect threats. Try the industry leading software platform with a free trial. Start protecting your data today.
Start Free Trial

source

Official websites use .mass.gov
A .mass.gov website belongs to an official government organization in Massachusetts.

Secure websites use HTTPS certificate
A lock icon ( ) or https:// means you’ve safely connected to the official website. Share sensitive information only on official, secure websites.
Top-requested sites to log in to services provided by the state
Top-requested sites to log in to services provided by the state
BOSTON — A Georgia-based home health and hospice care company will pay $425,000 after it failed to implement proper security measures to protect the personal information of patients and employees, Attorney General Maura Healey announced today.
The complaint and consent judgment against Aveanna Healthcare, LLC, entered today in Suffolk Superior Court, follows a series of phishing attacks that impacted more than 4,000 Massachusetts residents. Aveanna is a national provider of pediatric and adult home health care, operating in 33 states with Massachusetts offices located in Brockton, Plymouth, Shrewsbury, Springfield, Waltham, West Springfield, and Worcester. The AG’s Office alleges that in July 2019, Aveanna employees began receiving fraudulent “phishing” emails designed to cause the recipient to provide credentials, money, or sensitive information.
“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said AG Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and the take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”
The private information, which may have included social security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment records, of more than 4,000 Massachusetts residents, including patients and employees, was potentially accessed by the hackers.
In one instance, a phishing email was sent to employees that appeared to come from Aveanna’s president. The attacks continued into August 2019, by which point more than 600 phishing emails were sent to employees. Employees’ responses to these emails resulted in hackers obtaining access to portions of Aveanna’s computer network. The hackers also tried to defraud employees by logging into Aveanna’s human resources system and altering individual employees’ direct deposit information. In response to the incident, Aveanna provided affected Massachusetts residents with two years of free credit monitoring.
 The AG’s Office alleges that Aveanna was aware that its cybersecurity required improvement but had not implemented new changes to improve it by the time the phishing attacks occurred. Among the problems Aveanna identified were a lack of sufficient tools and employee training to stop phishing attacks, and a lack of the use of multi-factor authentication, which can also help to stop phishing attacks. Additionally, the AG’s Office alleges that Aveanna’s security program failed to meet the minimum required safeguards to protect personal information under the Massachusetts Data Security Regulations. The complaint also alleges that Aveanna failed to meet the standards for security of protected health information that are required by Federal HIPAA regulations.
 Under the terms of the consent judgment, Aveanna will pay $425,000 to the AG’s Office. Additionally, the company will be required to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. 
Aveanna must also continue to train its employees on data security, keep them up to date on security threats, and do an annual independent assessment of its compliance with the consent judgment and the Massachusetts Data Security Regulations for a period of four years.
If you believe that you have been the victim of a data breach, you may need to take steps to protect yourself from identity theft. For additional information, consumers may visit the AG’s website. Guidance for businesses on data breaches can be found here.
This case was handled by Division Chief Jared Rinehimer, of the AG’s Data Privacy and Security Division.
###
The feedback will only be used for improving the website. If you need assistance, please Contact the Attorney General’s Office at (617) 727-2200. Please limit your input to 500 characters.
Thank you for your website feedback! We will use this information to improve this page.
If you would like to continue helping us improve Mass.gov, join our user panel to test new features for the site.

source

Samsung has warned its US customers that their data may have been accessed following a hack in July of this year.
In a statement the technology company said it had discovered a “cyber security incident” which may have led to the sharing of customer information including “name, contact and demographic information, date of birth and product registration information”.
The breach was the result of an unauthorized third party gaining access to Samsung’s US systems in late July, and “acquir[ing] information” from them. It was confirmed on August 4, 2022 via an internal investigation at Samsung that personal customer information was accessed during the breach.  
Samsung noted that they have taken steps to secure the affected systems and has employed the use of a “leading outside cyber security firm” as well as notifying law enforcement of the breach. The company also assured customers that confidential information like social security numbers or credit or debit card details were not accessed during the breach.
Samsung did not disclose how many users were affected by the breach but did confirm that they will be notifying all those whose data was accessed. 
01 March, 2023
Online
08 – 09 March 2023
Free CS Hub Online Event
08 March, 2023
Online
15 March, 2023
Online
15 March, 2023
Online
March 21, 2023
Free CS Hub Online Event
Insights from the world’s foremost thought leaders delivered to your inbox.
2023-04-12
10:00 AM – 11:00 AM EST
2023-03-15
10:00 AM – 11:00 AM EST
2023-03-15
10:00 AM – 11:00 AM SGT
Reach Cyber Security professionals through cost-effective marketing opportunities to deliver your message, position yourself as a thought leader, and introduce new products, techniques and strategies to the market.
Join CSHUB today and interact with a vibrant network of professionals, keeping up to date with the industry by accessing our wealth of articles, videos, live conferences and more.
Cyber Security Hub, a division of IQPC

Careers With IQPC| Contact Us | About Us | Cookie Policy
Become a Member today!
Already an IQPC Community Member?
Sign in Here or Forgot Password
Sign up now and get FREE access to our extensive library of reports, infographics, whitepapers, webinars and online events from the world’s foremost thought leaders.
We respect your privacy, by clicking ‘Subscribe’ you will receive our e-newsletter, including information on Podcasts, Webinars, event discounts, online learning opportunities and agree to our User Agreement. You have the right to object. For further information on how we process and monitor your personal data click here. You can unsubscribe at any time.

source

How To Prepare Your Organization For The Future Of Cybercrime  Forbes
source

No products in the cart.
The Odisha government is intensifying its efforts to combat the increasing number of cyber crimes in the state by launching a special phone number, “1930,” for victims and the general public. The move comes in response to the growing number of cyber crimes involving financial offenses and sexual abuse of women and children.
Chief Secretary Suresh Chandra Mahapatra emphasized the need to check any illegal activities using computers, communication devices, or computer networks. To raise awareness, the government has planned to deploy 34 “Sachetanata Rath” vehicles equipped with audio and visual materials throughout the state. The campaign will target various groups, including elderly individuals, students, health workers, and members of self-help groups.
Through the initiative, people will be educated on the importance of verifying authenticity before conducting financial transactions, avoiding friendship with unknown individuals, and not clicking on links, SMSs, or apps from suspicious sources. Regular symposiums, seminars, quiz competitions, debates, and essay competitions will be held, especially in schools.
According to statistics, the number of cybercrime cases has been on the rise in Odisha, with 1485 cases registered in 2019, 1931 in 2020, 2037 in 2021, 3402 petitions received in 2022, and 7700 petitions received in 2022 through the cyber help desk.
This anti-cyber crime campaign in Odisha is a groundbreaking initiative and the first of its kind in the country, according to Chief Secretary Mahapatra.
Your email address will not be published. Required fields are marked *
Comment *
Name *
Email *
Website
Save my name, email, and website in this browser for the next time I comment.

© 2013–2021 | My City Links – Moving Ahead Together…
Our website uses cookies to improve your experience. Learn more about: cookie policy

source

Three Chandigarh residents fall prey to cyber crimes  Hindustan Times
source

The advent of ChatGPT has cybersecurity experts spooked. Some fear the powerful chatbot will make it far easier for non-coders to create malware and become cybercriminals. But so far, one cybersecurity company says, ChatGPT may be having a counterintuitive effect on hacking: supercharging scams that don’t rely on any sort of malicious code at all.
Max Heinemeyer, the chief product officer at the U.K.-based cybersecurity firm Darktrace, says that looking at the one-month period since ChatGPT attained 1 million users in early December, there has been little change in the total number of attempted cyberattacks targeting Darktrace customers. But Darktrace has seen a distinct shift in the tactics used by cybercriminals.
Malicious links in phishing emails declined from 22% of cases to just 14%, Heinemeyer says. But the average linguistic complexity of the phishing emails encountered by Darktrace jumped 17%.
The company’s working theory: Cybercriminals are starting to use ChatGPT to craft much more convincing phishing emails—ones that are so good that cybercriminals don’t even need to rely on embedding malware in attachments or links. After all, malicious links or embedded malware can often be detected and stopped by cybersecurity software such as Darktrace’s.
What’s much harder to stop are attacks that rely completely on old-fashioned deception, or “social engineering.” An email that is so convincingly written that the recipient believes it’s from a trusted source is a great to way pull off an authorized push payments fraud, for example. The victim is fooled into sending funds to pay for what they think is a legitimate transaction or invoice, but is in fact sending the money straight to a fraudster’s account.
In some cases, Heinemeyer says, criminals may be setting the stage for longer cons that involve winning the victims’ trust over a period of time and might involve sophisticated impersonations of real executives or customers.
In addition to A.I. writing tools such as ChatGPT, other new generative A.I. tools could be used to abet such scams. A.I. software, such as that from nascent startup Eleven Labs, can now create realistic voice clones after having been trained on recordings of a target’s voice that might only be a few seconds long. Meanwhile, text-to-image generation software, such as Stable Diffusion, can create increasingly realistic deepfakes with a fraction of the training data previously required for other deepfake methods.
Frauds based on compromised business emails have been on the rise for the past four to five years, Evan Reiser, the founder and CEO of cybersecurity Abnormal says. And while he says that his company has not yet seen any increase in these kinds of attacks since ChatGPT debuted, he thinks it is possible criminals, especially those whose native language is not English, may be tempted to use the tool to craft emails that are less likely to raise red flags with potential victims due to ungrammatical or uncolloquial expressions. “Any tool that is perceived by humans as authentic will make [fraud] worse,” Reiser says.
He says this is especially true of systems where they are explicitly trained to produce text in a particular style, synthesized voices, or images with the intent of fooling people. But he also says that often the simplest tricks—just a very short email that seems to come from a trusted person—works well enough and that criminals generally gravitate towards whatever methods are simplest and require the least effort. “You can send silly, stupid emails and make millions of dollars,” he says. “Why go through the trouble and effort to train [A.I.] models to do that.”
In the wake of the release of ChatGPT, some cybersecurity firms raised the alarm that the A.I. might make it fiendishly easy to pull off a cyberattack. Maya Horowitz, the vice president of research at cybersecurity firm Checkpoint, says that her team was able to get ChatGPT to generate every stage of a cyberattack, starting with a better-than-average phishing email, but then carrying on to actually writing the software code for a malware attack and being able to figure out how to embed that code into an innocuous-looking email attachment. Horowitz said she feared ChatGPT and other generative language models would lead to many more cyberattacks.  
But the same kind of large language models that power ChatGPT can also be used to help cybersecurity companies defend against attacks. Abnormal uses some language models, such as Google’s BERT language model, to help determine what the intent of an email is. If an email is aksing a person to pay for something and putting that person under time pressure, saying it is urgent, or needs to be done ASAP, then that could be a red flag, Reiser says. Language models can also read attachments and see if they match the form and style of previous invoices—or if the invoicing company is one that business has interacted with before. It can even see if the account numbers seem to match ones that have been used previously. (Abnormal even analyses things such as whether an email attachment has fonts that match those previously seen from that company and looks at the meta data of documents for potential signals that something fishy is going on, Reiser says.)
Much of what Abnormal does though is look at patterns across a huge number of features and use machine learning models to figure out if they rise to the threshold where the email should be blocked and a company’s security team alerted. There’s almost always something that will give away a phishing attempt if you know where to look, Reiser says. Even in the case where a legitimate business email account has been compromised, the attacker will often take actions, such as running multiple searches through the account’s history, or using an API to control the account rather than a PC keyboard, that will provide a signal that something isn’t right.
Nicole Eagan, Darktrace’s chief strategy officer, says Darktrace itself has been using the same kind of large language models that underpin to ChatGPT to create more believable spear phishing emails that the compay uses in internal “red teaming” excercises to test its own cybersecurity practices. Eagan says she recently fell for one of these, which was inserted directly into the actual email chain she was having with an outside recruiter Darktrace used.
(Darktrace spent much of the past week trying to prove a different sort of pattern didn’t indicate anything fishy was going on: the company’s share price dropped dramatically after short seller Quintessential Capital Management issued a report claiming it had found evidence that the cybersecurity company might have engaged in dubious accounting practices to try inflate its revenues and profitability ahead of its 2021 initial public offering. Darktrace has denied the accusations in the report, saying that the hedge fund never contacted it before publishing its report and that it has “full confidence” in its accounting practices and the “integrity of our independently audited financial statements.”)
 
Learn how to navigate and strengthen trust in your business with The Trust Factor, a weekly newsletter examining what leaders need to succeed. Sign up here.
© 2023 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information | Ad Choices 
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.
S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions.

source