Category: Uncategorized

  • Hackers Scored Corporate Giants' Logins for Asian Data Centers – Bloomberg

    Such credentials in the wrong hands could be dangerous, experts say, potentially allowing physical access to data centers. The affected data center operators say the stolen information didn’t pose risks for customer IT systems.

    In an episode that underscores the vulnerability of global computer networks, hackers got ahold of login credentials for data centers in Asia used by some of the world’s biggest businesses, a potential bonanza for spying or sabotage, according to a cybersecurity research firm.
    The previously unreported data caches involve emails and passwords for customer-support websites for two of the largest data center operators in Asia: Shanghai-based GDS Holdings Ltd. and Singapore-based ST Telemedia Global Data Centres, according to Resecurity Inc., which provides cybersecurity services and investigates hackers. About 2,000 customers of GDS and STT GDC were affected. Hackers have logged into the accounts of at least five of them, including China’s main foreign exchange and debt trading platform and four others from India, according to Resecurity, which said it infiltrated the hacking group.

    source

  • Mounting Cyber Threats Mean Financial Firms Urgently Need Better … – International Monetary Fund

    Cyber attackers continue to target the financial sector. What will happen when an attack takes down a bank or other critical platform, locking users out of their accounts?
    Tight financial and technological interconnections within the financial sector can facilitate the quick spread of attacks through the entire system, potentially causing widespread disruption and loss of confidence. Cybersecurity is a clear threat to financial stability.
    Among emerging market and developing economies, most financial supervisors haven’t introduced cybersecurity regulations or built the resources to enforce them, according to a recent IMF survey of 51 countries.
    We also found:
    Meanwhile, a Bank for International Settlements assessment of 29 jurisdictions identified shortcomings in the oversight of financial markets infrastructures. 
    There are, however, defenses against these risks, including preparation and concerted regulatory action, as we discussed at our recent global cybersecurity workshop in Washington. It won’t be easy though, and comprehensive and collective responses are urgently needed.
    Proliferating threats
    Just as rapid technological advances offer attackers tools that are cheaper and easier to use, so too do the changes give financial institutions greater ability to thwart them.
    Even so, greater vulnerabilities are to be expected in an increasingly digitalized world. Targets proliferate as more systems and devices are connected. Fintech firms that rely heavily on new digital technologies can make the financial industry more efficient and inclusive, but also more vulnerable to cyber risks.
    The escalation of geopolitical tensions has also intensified cyberattacks. Perpetrators and their motivation are often obscure, and the risks are not limited to regions of conflict. History shows that spill-over of disruptive malware can cause global damage. For instance, the NotPetya malware attack that first swamped the IT systems of Ukrainian organizations in 2017 quickly spread to several other countries and caused damages estimated at more than $10 billion.
    Finally, reliance on common service providers means attacks have a higher probability of having systemic implications. The concentration of risks for commonly used services, including cloud computing, managed security services, and network operators, could impact entire sectors. Losses can be high and become macro critical.
    While financial firms and regulators are becoming more aware of, and prepared for, attacks, gaps in the prudential framework remain substantial.
    Neutralizing the threat
    Financial institutions and regulators must prepare for heightened cyber threats and potential successful breaches by prioritizing five things:
    Cross-jurisdictional risk
    The strength of cyber defenses depends on the weakest link. With growing interconnections across the world, curbing risk requires an international effort. For its part, the IMF continues to help financial supervisors through capacity development initiatives aimed at designing and implementing international standards and best practices as an urgent priority.

    source

  • Well-funded security systems fail to prevent cyberattacks in US and Europe: Report – CSO Online

    Multilayered, well-funded cybersecurity systems are unable to protect enterprises in the US and Europe from cyberattacks, according to a report by automated security validation firm Pentera.
    The report, which was based on a survey of 300 CIOs, CISOs and security executives to get insights on their current IT and security budgets and cybersecurity validation practices, noted that the financial slowdown has had a minimal impact on cybersecurity budgets.
    “We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” Aviv Cohen, chief marketing officer of Pentera, said in a press note. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”
    Pentesting, also known as penetration testing, is a practice of testing computer systems, networks, or web applications to identify vulnerabilities that an attacker could potentially exploit. This is achieved by simulating an attack on a system or application in a controlled environment to uncover security weaknesses and provide recommendations for remediation.
    On average, the survey found, a company has deployed nearly 44 security solutions, suggesting that organizations follow a defense-in-depth (also called security-in-depth) approach that layers multiple security solutions to offer maximum protection to critical assets. However, despite having a substantial number of security measures in place, 88% of organizations acknowledge experiencing a cybersecurity incident within the last two years.
    The numbers are consistent with the observations of other experts.
    “Defense-in-depth is not just about prevention, detecting and responding to attacks are part of the strategy as well,” said Erik Nost, a Forrester analyst. “In fact, it is likely that these organizations’ defense-in-depth strategies are what detected these breaches and mitigated their impact. The reality is that organizations have sprawling attack surfaces, some of which they don’t know about. Assessing attack surfaces for vulnerabilities and exposures can lead to lengthy findings, which then need prioritizing and time to remediate.”
    The report noted that a slowed down world economy may not affect the cybersecurity budgets in 2023. As per the survey, 92% of organizations have increased their IT security budgets, and 85% have increased their budget for pentesting.
    “While greater emphasis on validation of the entire security stack must be put in by the CISOs, I’m encouraged to see security teams are getting the budgets they need to protect their organizations,” Chen Tene, vice president of Customer Operations at Pentera said in a press note.
    Although the initial need for pentesting was driven by regulatory demands, the key reasons for conducting it were found to be security validation, assessment of potential damage, and cybersecurity insurance, according to the report.
    Only 22% of respondents considered compliance as their primary motivation for pentesting, indicating regulatory or executive mandates are not the primary driving force behind the practice.
    “While in our 2020 survey, regulatory compliance was the second most common answer among CISOs, today it has dropped all the way to the bottom,” Cohen said. “This is a positive shift showcasing how security executives aren’t waiting for regulations to mandate further action.”
    Cybersecurity insurance policies emerged as another prominent driver for pentesting amid pandemic-induced surge in cyberattacks, as 36% of survey participants identified it as their primary reason for conducting pentesting. This contrasts with the 2020 findings, where only 2% considered cybersecurity insurance as their top driver for pentesting.
    “Sometimes an initial push from a regulator or governing body is what some organizations need to get a buy-in to make a change,” Nost said. “But as security solutions, technology, and threats evolve, it is unlikely that regulatory requirements will be able to evolve with it to maintain relevancy.”
    The report found that 82% of companies are already implementing pentesting in some way. However, the main obstacle to the adoption of this practice is apprehension regarding business continuity. Both companies that currently conduct pentesting and those that do not identify the risk to business continuity as their primary concern when contemplating increasing the frequency of pentesting.
    About 45% of participants who already conducted pentesting, whether manual or automated, said that the risk to business applications or network availability prevented them from increasing the pentesting frequency, and this number increased to 56% for those who didn’t conduct pentesting assessments at all.
    Copyright © 2023 IDG Communications, Inc.

    source

  • PayPal Data Breach – Thousands of Users Accounts Compromised – CybersecurityNews

    The unauthorized parties used login credentials to access PayPal user accounts, according to a PayPal notification of a security incident.
    Between December 6 and December 8, 2022, hackers gained unauthorized access to the accounts of thousands of individuals. A total of 34,942 accounts were reportedly accessed by threat actors employing a ‘credential stuffing attack’.
    Credential stuffing is the practice of taking username and password combinations obtained from data leaks and trying them on numerous other websites in an effort to gain access to accounts.
    Since many users reuse the same password and username or email across services, submitting those stolen credential sets to dozens or hundreds of other websites can enable an attacker to compromise those accounts as well. The attack becomes possible once the credentials are exposed, for example by a data breach or a phishing attack.
    “The unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users”, reads the PayPal notice of security incident.
    According to PayPal, the personal information that was leaked may have included name, address, Social Security number, individual tax identification number, and/or date of birth.
    On December 20, 2022, PayPal confirmed that a third party had used the login information to access PayPal customer accounts.
    The firm identified it at the time and took steps to mitigate it, but it also launched an internal investigation to determine how the hackers gained access to the accounts.
    The electronic payment system states that there was no system breach, and there is no proof that the user credentials were taken directly from the users.
    “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” 
    “There is also no evidence that your login credentials were obtained from any PayPal systems”, PayPal said.
    PayPal is giving impacted customers free access for two years to Equifax’s identity monitoring services.
    “We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account”, PayPal noted.
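    The credential-stuffing pattern described above has a recognisable signature in login logs: one source cycles through many distinct usernames with one leaked password each and mostly fails, which is distinct from brute force against a single account. The detector below is an added example, not PayPal's code or data; the log format, the thresholds and the sample events are constructed, and it ends with the same response the notice describes, a forced password reset for accounts where a stolen credential was confirmed valid.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of web-login events (not real PayPal data). Format assumed
# here: "<timestamp> <source-ip> <username> <SUCCESS|FAIL>", one attempt per line.
SAMPLE_LOG = """\
2022-12-06T01:00:01Z 203.0.113.7 alice@example.net FAIL
2022-12-06T01:00:01Z 203.0.113.7 bob@example.net FAIL
2022-12-06T01:00:02Z 203.0.113.7 carol@example.net SUCCESS
2022-12-06T01:00:02Z 203.0.113.7 dan@example.net FAIL
2022-12-06T01:00:03Z 203.0.113.7 erin@example.net FAIL
2022-12-06T01:00:03Z 203.0.113.7 frank@example.net FAIL
2022-12-06T01:00:04Z 203.0.113.7 grace@example.net SUCCESS
2022-12-06T01:00:04Z 203.0.113.7 heidi@example.net FAIL
2022-12-06T01:00:05Z 203.0.113.7 ivan@example.net FAIL
2022-12-06T01:00:05Z 203.0.113.7 judy@example.net FAIL
2022-12-06T01:00:20Z 198.51.100.5 alice@example.net FAIL
2022-12-06T01:00:31Z 198.51.100.5 alice@example.net SUCCESS
2022-12-06T01:01:00Z 192.0.2.44 mallory@example.net FAIL
2022-12-06T01:01:10Z 192.0.2.44 mallory@example.net FAIL
2022-12-06T01:01:20Z 192.0.2.44 mallory@example.net FAIL
2022-12-06T01:01:30Z 192.0.2.44 mallory@example.net FAIL
2022-12-06T01:01:40Z 192.0.2.44 mallory@example.net FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>SUCCESS|FAIL)$")


@dataclass
class LoginEvent:
    ts: str
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)      # distinct usernames tried
    successes: set[str] = field(default_factory=set)  # usernames that logged in

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def aggregate_by_source(events: list[LoginEvent]) -> dict[str, SourceStats]:
    """Roll the events up per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e.ip]
        s.attempts += 1
        s.users.add(e.user)
        if e.success:
            s.successes.add(e.user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats: dict[str, SourceStats], min_users: int = 5,
                          min_fail_ratio: float = 0.8) -> dict[str, SourceStats]:
    """Stuffing tries one leaked password per account, so a stuffing source hits
    many distinct usernames and mostly fails. One username with many failures
    (192.0.2.44 in the sample) is brute force, a separate signal handled by
    lockout rules, so it is deliberately not flagged here. Thresholds are assumed."""
    return {ip: s for ip, s in stats.items()
            if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio}


def accounts_to_reset(flagged: dict[str, SourceStats]) -> list[str]:
    """Accounts with a SUCCESS from a flagged source: the leaked credential is
    confirmed valid, so force a password reset rather than only blocking the IP."""
    out: set[str] = set()
    for s in flagged.values():
        out |= s.successes
    return sorted(out)


def analyse(text: str, **thresholds) -> dict[str, list[str]]:
    stats = aggregate_by_source(parse_log(text))
    flagged = flag_stuffing_sources(stats, **thresholds)
    return {"flagged_ips": sorted(flagged), "reset_accounts": accounts_to_reset(flagged)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The per-IP rule misses stuffing spread across a proxy pool with one attempt per IP; for that, the same ratio (distinct usernames to attempts, and failures to attempts) is computed per time window instead of per source.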

    source

  • The 5 Cornerstones for an Effective Cyber Security Awareness … – The Hacker News

    It’s not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.
    The hard news: they’re often successful, have a long-lasting negative impact on your organization and employees, including:
    The harder news: These often could have been easily avoided.
    Phishing, educating your employees, and creating a cyber awareness culture? These are topics we’re sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees’ behavior and build organizational resilience to phishing attacks.
    According to the 2022 Tessian Security Cultures Report, “security leaders underestimate just how much they should be a part of the employee experience” across onboarding, role changes, offboarding, relocations, and day-to-day activities.
    But we’ve repeatedly seen that ad hoc, scattershot employee training attempts don’t work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.
    Granted, it isn’t easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees’ level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.
    Ever been told there’ll be a fire evacuation drill? Likely, you weren’t caught off guard when the practice started and could have paid more attention. That’s the thing about drills; they’re in place to prepare us for present and future threats.
    Cybersecurity training is no different, but it can quickly become a matter of ticking a compliance box to satisfy minimum requirements. To prevent that, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.
    It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.
    The solution: Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.
    You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group’s needs – and even based on individual behavior. That’s critical to adequately address the challenges of given scenarios of future attack campaigns.
    These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization’s specific role or department.
    You strengthen employees’ defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.
    English might be your corporate language, but it might not be every employee’s mother tongue, and cultural contexts might be perceived differently in some branches.
    Using employees’ mother tongue within a location’s cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.
    Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations’ training.
    In our experience, one in every five employees is a “serial clicker.” Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We’ve seen it all, from entry-level positions to company stakeholders.
    They’re not trained or equipped to reliably identify phishing attacks, nor do they understand how dangerous these attacks are or how destructive their impact can be. So they keep clicking links in emails they shouldn’t have opened.
    The good news: We believe serial clickers can be cured because we’ve seen it repeatedly happen with employee training and education.
    We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It’s recommended to use data science to understand how employee groups within your organization – from new hires, executive leadership, and veteran employees – respond to potential threats.
    Once you analyze the data to understand these groups’ behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.
    These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees’ privacy.
    Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you’re looking at it from the perspective of time, resources, or economics, it’s almost impossible without a truly automated solution that has expert knowledge baked into the software.
    CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, personalized demo.

    source

  • Australia retailer's customer data compromised in third-party breach – ZDNet

    Data belonging to customers of The Good Guys has been compromised in a security breach involving the Australian retailer’s former third-party supplier, My Rewards.
    Formerly known as Pegasus Group Australia, My Rewards also confirmed the breach in a statement Thursday, revealing that preliminary investigations pointed to an “unauthorised access” to its systems in August 2021, which led to the data compromise. 
    This meant that personally identifiable information, including names, email addresses, and phone numbers, likely had been made publicly available, the company said, noting that all its data were stored in Australia.
    My Rewards added that its IT systems had not currently suffered any breach and that it would work with the relevant authorities, including the Australian Federal Police, regarding the breach.
    In its own statement Thursday, The Good Guys said it was notified of the breach this month and that its own IT systems were not involved. 
    It previously worked with My Rewards to provide reward services for its Concierge members, some of whom would have set up a My Rewards account that required a password. While optional, customers’ dates of birth also might have been provided.
    Compromised data did not include financial or identity document details, such as credit card, driver’s licence, or passport information. 
    The Good Guys said affected customers would be contacted about the breach. It added that My Rewards accounts linked to its Concierge benefits programme had been closed and that the former third-party vendor no longer held any personal data of its members.
    “The Good Guys is extremely disappointed that My Rewards, a former services provider, has experienced this breach and we apologise for any concern that this may cause,” the Australian retailer said. 
    Commenting on the breach, BlueVoyant’s Asia-Pacific Japan vice president Sumit Bansal noted that the incident as well as last year’s Medibank breach involved third-party vendors, serving as a reminder for businesses to scrutinise their suppliers and other third parties involved in their supply chain. 
    “These companies are far from the only ones to be negatively impacted by a breach related to a third party, and most likely will not be the last,” Bansal said. 
    Citing the security vendor’s recent study, he noted that 97% of Asia-Pacific organisations had been negatively impacted by a breach in their supply chain. Almost 40% said they would not know if a third party had security vulnerabilities. 
    The finding revealed a challenge with monitoring such risks, he said. “Digital supply chains are made of vendors, suppliers, and other third parties with network access. As organisations’ own internal cybersecurity becomes stronger, a third party may have weaker security,” he added. “To help prevent breaches, organisations should first make sure they know which third parties they use or have used in the past, and what data and network access they may have.”
    “Organisations should only provide employees and third-parties with access to the data needed for their role. This helps to control what data can be accessed in the event of a breach. They should also put policies in place to prevent third parties from retaining data after their services are no longer used.”
    Australia-based Jacqueline Jayne, who is KnowBe4’s Asia-Pacific security awareness advocate, further noted that the compromised data could be used to facilitate social engineering attacks, even if personal financial information were not leaked.
    The data could be manipulated to create phishing email messages that looked legitimate and be used to redirect payments or collect more sensitive information from targeted victims, Jayne said. 
    “Because many victims will assume an email or text message containing legitimate information about previous orders would be trustworthy, it can make it much easier for a social engineering attack to be successful,” she said. “Victims of this [The Good Guys] data loss should be very cautious when it comes to future communications and they should pay close attention to any links in messages or requests for more information.”
    The Australian government in November passed legislation to increase financial penalties for data privacy violators, pushing up maximum fines for serious or repeated breaches to AU$50 million ($32.34 million), from the current AU$2.22 million, or to three times the value of any benefit obtained through the data misuse, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater.

    source

  • True Health New Mexico data breach class action settlement – Top Class Actions

    The settlement benefits individuals who received a notification from True Health New Mexico that their personal identifiers and/or health information may have been compromised in a data breach Oct. 5, 2021.
    True Health New Mexico agreed to a class action settlement to resolve claims that it failed to protect patient data from a 2021 data breach.
    Plaintiffs in several data breach class action lawsuits claimed True Health New Mexico failed to protect their sensitive information from an October 2021 ransomware attack that compromised identifiers and protected health information. According to the data breach class actions, this incident affected nearly 63,000 patients.
    True Health New Mexico is a health insurance provider. The company discontinued its healthcare plans in New Mexico at the end of 2022.
    True Health hasn’t admitted any wrongdoing but agreed to pay an undisclosed sum as part of a settlement to resolve these allegations.
    Under the terms of the settlement, class members can receive reimbursement of up to $250 for data breach-related expenses (credit-related costs, bank fees, communication charges, etc.) and up to five hours of lost time at a rate of $20 per hour. 
    Class members who experienced “extraordinary” expenses related to the data breach can receive higher payments of up to $5,000 for actual, documented and unreimbursed monetary losses caused by fraud or identity theft resulting from the data breach. This reimbursement may include three additional hours of unreimbursed lost time compensated at a rate of $20 per hour.
    The deadline for exclusion and objection is April 14, 2023.
    The final approval hearing for the settlement is scheduled for May 10, 2023.
    To receive settlement benefits, class members must submit a valid claim form by Aug. 14, 2023.
    Individuals who received a notification from True Health New Mexico that their personal identifiers and/or health information may have been compromised in a data breach Oct. 5, 2021.
    $5,250
    Documentation of data breach-related losses and expenses
    08/14/2023
    McCullough, et al. v. True Health New Mexico Inc., Case No. D-202-CV-2021-06816, in the 2nd District Court of the State of New Mexico
    Clement, et al. v. True Health New Mexico Inc., Case No. D-101-CV-2022-00129, in the 2nd District Court of the State of New Mexico
    Shanks, et al. v. True Health New Mexico Inc., Case No. D-202-CV-2022-00449, in the 2nd District Court of the State of New Mexico
    05/10/2023
    THNMSettlement.com
    True Health Claims Administrator
    P.O. Box 4190
    Portland, OR 97208-4190
    info@THNMSettlement.com
    877-506-4514
    Ben Barnow 
    Anthony Parkhill 
    BARNOW AND ASSOCIATES PC

    Andrew W Ferich 
    AHDOOT & WOLFSON PC
    BAKER & HOSTETLER LLP

    source

  • Analysis | Make companies liable for software insecurity, top … – The Washington Post

    A newsletter briefing on cybersecurity news and policy.
    with research by Vanessa Montalbano
    Welcome to The Cybersecurity 202! David DiMolfetta is going to be the full-time researcher for both us and The Technology 202, and he contributed on his very first day! On occasions when he takes over in my absence, he’s surely going to diversify the music recommendations I’m prone to giving around here. Please give him a warm welcome.
    Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.
    Below: The National Security Council is hosting a roundtable on artificial intelligence today with experts from the United States and European Union, and the U.S. Marshals Service suffered a “major” security breach last week. First:
    Congress should advance legislation allowing software manufacturers to be held legally liable for the insecurity of their products, and it should also shield companies that develop secure software from legal liability, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said Monday.
    By calling for that proposal, Easterly waded into one of the toughest cyber issues to crack.
    But Easterly mentioning it “made my day,” said Mark Montgomery, who was executive director of the Solarium Commission and serves in the same role in its successor organization, CSC 2.0. It’s “one of the hardest kinds of legislation to get done in Congress,” he told me, because it would hold a whole industry accountable for its security missteps.
    Easterly’s proposal comes amid a CISA push for tech companies to offer products that are “secure-by-design,” meaning that security is baked into the design process from the beginning, and “secure-by-default,” which refers to products that arrive with secure settings at no additional cost.
    “Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” Easterly said during a speech at Carnegie Mellon University.
    Easterly elaborated afterward in a question-and-answer session with the audience:
    But she hasn’t reached out to Congress or industry to gauge interest in the legislative proposal, she told reporters after the event. She said she expects to see “some of the ideas I previewed today in the national cyber strategy,” a long-awaited Biden administration policy blueprint. The Office of the National Cyber Director worked with industry on the document, she noted. 
    “Obviously we want to work any of these things very closely with the Congress, and frankly, cybersecurity is an issue that has enjoyed bipartisan support and we want to continue to have that bipartisan support,” Easterly said. “Industry realizes the importance of this as well, so I’m looking forward to having robust conversations with both.”
    Because of the push-and-pull between software companies that want protections and consumer advocates who want accountability, the idea has been tough to get off the ground, Montgomery said. 
    “If she can thread that needle, good on her,” he said of Easterly. Further complicating matters, Montgomery said, is deciding specifics like, “When does that liability end? When you stop doing software upgrades?” Microsoft supported Windows 7, released in 2009, with patches until 2020.
    The Solarium panel drafted sample legislation as a starting point for any lawmaker who wants to embrace the issue, but it has had trouble finding takers, as of a CSC 2.0 report in the fall.
    It shares space among the commission’s most difficult proposals with consolidating congressional oversight of cybersecurity into one committee each in the House and Senate. Lawmakers are notorious for not wanting to give up their existing oversight powers.
    Two arguments cautioning against the liability legislation idea go like this, courtesy of Chris Wysopal, a member of the famed hacker collective L0pht and the founder and chief technology officer of the cybersecurity company Veracode:
    In addition, House Republicans like Homeland Security Committee Chairman Mark Green (R-Tenn.) have appeared skeptical of imposing additional cybersecurity regulations on the private sector. A spokesperson for Green did not respond to a request for comment.
    One industry group that represents prominent software makers, BSA | The Software Alliance, said in response to Easterly’s comments that it has been pushing secure software guidelines and has listed improving software security as its top cyber agenda item.
    “Laws and policies that seek to improve software security should be risk-based, technology and vendor-neutral, and incentivize innovation,” Aaron Cooper, vice president of policy at the group, told me via email. 
    The Information Technology Industry Council, another group, “has long advocated for secure-by-design practices as an important component of a holistic approach to cybersecurity risk management,” said John Miller, its senior vice president of policy and general counsel. 
    The groups look forward to working with the Biden administration and Congress, Cooper and Miller said.
    Jay Bhargava, a spokesperson for Senate Homeland Security and Governmental Affairs Chair Gary Peters (D-Mich.), said, “We’re currently examining this issue.”
    The National Security Council is hosting a high-profile group of artificial intelligence and policy experts today as part of a new collaboration between the U.S. and E.U. on AI, according to details shared exclusively with The Cybersecurity 202. 
    The meeting is meant to kick-start discussions about the technology’s growing threat across the globe. It will feature presentations by research teams in both countries about their progress so far in delivering benefits for extreme weather and climate forecasting, emergency response management, health and medicine improvements, electric grid optimization, and agriculture optimization, according to an NSC spokesperson who spoke on the condition of anonymity to speak candidly on the matter. 
    The collaboration comes as the cyber world is wrestling with how to deal with artificial intelligence because many of its impacts remain unknown. Last month’s announcement of the collaboration said it would be crucial to establishing a secure internet and maintaining digital privacy. 
    The U.S. Marshals Service on Monday confirmed that it suffered a significant data breach earlier this month in which hackers were able to access sensitive law enforcement information about the subjects of agency investigations, NBC News’s Andrew Blankstein, Michael Kosnar, Jonathan Dienst, and Tom Winter report.
    In a statement Monday, Marshals Service spokesperson Drew Wade told NBC that the Feb. 17 extraction “contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”
    He added that ransomware affected a stand-alone system, which was quickly disconnected from the network. The Justice Department has already launched a forensic investigation into the breach and the agency has also been able to create a workaround so that it can still conduct critical business. 
    A senior official familiar with the matter who spoke on the condition of anonymity to discuss the incident said that it did not involve the database related to the witness protection program, and that none of those individuals were in danger because of the breach. 
    Itemized lists of components that make up software products, known as Software Bills of Materials (SBOMs), are increasingly recognized as helpful in advancing software security, an industry group said in a policy paper today — but it stressed that policymakers should not rush to institute SBOMs in statutory cyber reporting requirements. 
    The Information Technology Industry Council said in the paper it shared exclusively with The Cybersecurity 202 that SBOMs can help organizations identify their potential risk vulnerabilities. But requirements now would be impractical because present-day SBOM reports would not necessarily align with other reporting requirements developed later, and the concept still needs time to develop before becoming law, the group said. Lawmakers excluded an SBOM proposal from last year’s defense policy bill.
    Many thanks to our new colleague David DiMolfetta for helping report this item. 
    White House gives agencies 30 days to impose federal device TikTok ban (CNBC)
    House panel to debate bill allowing president to ban TikTok (The Hill)
    ‘Take It Down’ tool helps young people remove explicit online images (Wall Street Journal)
    Danish hospital websites targeted in cyber attack (The Local Denmark)
    New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware (Bleeping Computer)
    Murdoch admits some Fox hosts ‘were endorsing’ election falsehoods (By Jeremy Barr, Sarah Ellison and Rachel Weiner)
    TikTok banned on all Canadian government mobile devices (Associated Press)
    Study: 96 Percent Of Humans Would Rather Be Animatronic Bear https://t.co/yXIe8DFwXh pic.twitter.com/juqVjntwDZ
    Thanks for reading. See you tomorrow.


  • Tom James Company Files Notice of Data Breach Affecting 8,656 … – JD Supra

    On February 17, 2023, Tom James Company filed notice of a data breach with the Attorney General of Montana after experiencing a ransomware attack that compromised the security of information stored on the company’s computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names and Social Security numbers. After confirming that consumer data was leaked, Tom James began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
    If you received a data breach notification from Tom James Company, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Tom James Company data breach, please see our recent piece on the topic here.
    The information about the Tom James breach comes from the company’s filing with the Attorney General Offices in Maine and Montana. According to these sources, in August 2022, Tom James discovered unusual activity within its computer network. Shortly afterward, an unauthorized actor contacted the company, claiming to have stolen files from the company’s computer system. In response, Tom James secured its network and began an investigation to learn more about the incident and what, if any, consumer data was leaked as a result.
    The Tom James investigation confirmed that the unauthorized activity was a ransomware attack. As a result, the hackers were able to access certain files on the company’s network that contained confidential consumer information.
    Upon discovering that sensitive consumer data was made available to an unauthorized party, Tom James began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name and Social Security number.
    On February 17, 2023, Tom James sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. According to the Maine Attorney General, the Tom James Company breach affected 8,656 people.
    Established in 1966, Tom James Company is a clothing manufacturer and retailer based in Franklin, Tennessee. The company creates custom clothing for men and women, conducting fitting sessions at customers’ homes or offices. Tom James markets many of its clothes under the Tom James label but also sells clothing under the Oxxford Clothes and Holland & Sherry names. Tom James employs more than 320 people and generates approximately $869 million in annual revenue.
    © Console and Associates, P.C. | Attorney Advertising


  • Medibank reveals attack vector and cost of 2022 security breach – iTnews

    Medibank is going to take a $26 million half-year hit as the result of its 2022 security breach, and this is expected to climb to between $40 million and $45 million over the full year.
    The insurer has also gone public for the first time with technical detail of the attack.
    In a half-year results announcement [pdf], Medibank said the attacker first obtained the user ID and password used by a third-party IT services contractor.
    Using those credentials, the attacker was able to reach Medibank’s systems through a misconfigured firewall that did not enforce the requirement to present “an additional digital security certificate”; the certificate check that should have backed the password was effectively bypassed.
    “The criminal was able to obtain further usernames and passwords to gain access to a number of Medibank’s systems and their access was not contained,” Medibank stated.
    The attack triggered a security alert on October 11, and Medibank said there was no further access after October 12.
    “In December, we completed Operation Safeguard, which saw us take our systems offline” to strengthen security, CEO David Koczkar said.
    The insurer has also ensured that all of its firewalls are securely configured.
    “We now defend more than 18 million perimeter attacks a day,” he said.
    “We will continue to strengthen our security environment.”
    Both internal and third-party security monitoring have been scaled up, Koczkar said.
    Data management will also be re-examined, he said, especially in the light of likely revisions to the Privacy Act.
    Koczkar said after the attack, Medibank lost 13,000 subscribers, but customer acquisition has begun to recover.
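    The two signals in Medibank’s account, a gateway login that succeeded on a password alone where a client certificate should have been mandatory, and the same source then using further accounts, can be swept for in access-gateway logs. The following is an added example, not iTnews or Medibank code; the log format, account names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of access-gateway auth events (not real Medibank logs).
# Each line: timestamp, account, source address, whether a client certificate
# was presented, and the outcome of the login.
SAMPLE_LOG = """\
2022-10-10T02:14:07Z user=vendor-svc01 src=203.0.113.45 cert=none result=success
2022-10-10T02:15:30Z user=vendor-svc01 src=203.0.113.45 cert=none result=success
2022-10-10T03:02:11Z user=jsmith src=198.51.100.7 cert=valid result=success
2022-10-10T04:40:52Z user=dba-admin src=203.0.113.45 cert=none result=success
2022-10-10T04:41:10Z user=backup-op src=203.0.113.45 cert=none result=success
2022-10-10T05:00:00Z user=mwong src=198.51.100.9 cert=none result=failure
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cert=(?P<cert>\S+) result=(?P<result>\S+)"
)

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def find_cert_bypass(events):
    """Successful logins made without a valid client certificate. On a gateway
    that is supposed to demand one, every hit means the check is not enforced."""
    return [ev for ev in events if ev["result"] == "success" and ev["cert"] != "valid"]

def accounts_per_source(events, window=timedelta(hours=6)):
    """For each source address, the distinct accounts behind its password-only
    successful logins inside the window, starting from its first such login.
    Several accounts from one source is the 'further usernames and passwords'
    pattern from the write-up; sources using a single account are not reported."""
    by_src = defaultdict(list)
    for ev in find_cert_bypass(events):
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        users = {e["user"] for e in evs if e["ts"] - start <= window}
        if len(users) > 1:
            findings[src] = sorted(users)
    return findings
```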
