In the June issue of SECURITYSTUDIO News Brief, we bring you the top news and information about cybersecurity breaches across the globe. These not only have lasting effects for individuals and businesses, but also highlight the need for third-party vendor risk management and tighter security protocols.
Third-Party Risk Management
- Most organizations work with hundreds, if not thousands, of third parties, which creates new risks that must be actively managed. Although businesses know that managing third-party cyber risk is critical, a lack of continuous monitoring, consistent reporting and other blind spots are creating challenges that could leave organizations vulnerable to data breaches and other consequences.
- Small businesses are thought to be targeted in 43% of cyberattacks. Managing limitations of time and resources means running a small business on a budget is a challenge, and these difficulties become more pronounced when resources are stretched even further by the increased security demands of new technology. One area of threat is the use of Internet of Things (IoT) devices on company networks.
- The Department of Health and Human Services issued a new fact sheet clarifying business associates’ direct liability for violations of HIPAA. This gives guidance and clarity to business associates regarding their potential liability for misuse or improper disclosure of protected health information.
- According to the National Cyber Security Alliance, healthcare companies have increasingly become a target for hackers given the vast amounts of information collected and stored. Robust vendor management strategies are necessary as part of a comprehensive approach to cybersecurity.
- Amid escalating tensions with Iran, the U.S. military cyber forces launched a strike against Iranian military computer systems. These cyberattacks targeted Iran’s Islamic Revolutionary Guard Corps computer system and disabled the computer systems that controlled its rocket and missile launchers.
- The Kremlin warned that reported American hacking into Russia’s electric power grid could escalate into a cyberwar with the United States, but insisted that it was confident in the system’s ability to repel electronic attacks. The program, as described by current and former unidentified American officials, would enable an attack on the Russian power grid in the event of a major conflict between Moscow and Washington.
- The Telegram messaging app was overloaded by a Distributed Denial of Service (DDoS) cyberattack that coincided with large protests in Hong Kong over an extradition bill with China. The attack was intended to flood the app with so much traffic that it slowed users’ connectivity, rather than an attempt to steal users’ data.
- Xenotime, a threat group that had previously focused on targets in the oil and gas industry, is shifting its focus to electrical power plants and utilities, creating new challenges for security teams charged with protecting industrial control systems. Investigators found that Xenotime had its sights set on targets in the U.S. and the Asia-Pacific region.
- Attacks against municipalities continue as the city of Riviera Beach, FL, has agreed to pay hackers roughly $600,000 in bitcoin to end a ransomware attack that crippled the city’s IT infrastructure for nearly a month. Reports indicate it may have started when someone in the city’s police department opened a phishing email.
- The Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity wing of the Department of Homeland Security, issued an alert regarding BlueKeep after it had used BlueKeep to remotely run code on a Windows 2000 computer. This means that the vulnerability can be used for more than just causing a denial-of-service condition: it can be used to remotely run code or malware on an unpatched computer.
- A urology practice in Ohio and an eye care provider in Indiana are among the latest victims of ransomware attacks in the healthcare sector. The urology practice reported a revenue loss between $30,000 and $50,000 per day as a result of the attack. The ransomware attack in Indiana is listed among the 10 largest breaches added thus far in 2019 to the Department of Health and Human Services HIPAA Breach Reporting Tool.
- The 42-year-old parent company of American Medical Collection Agency has filed for bankruptcy just weeks after disclosing a data breach that affected its largest clients and millions of patients. This comes after the March discovery of a major data breach, which wasn’t revealed until June, and caused AMCA’s largest clients to end their business relationships with the debt collection agency.
- Researchers at CyberMDX have discovered two vulnerabilities involving an infusion pump widely used in hospitals and medical facilities in approximately 50 countries. The infusion pump’s onboard computer powers, monitors and controls the infusion pumps and runs on Windows CE.
- A computer science student, Dan Salmon, has been scraping Venmo transactions for the past six months to prove that Venmo’s public activity is not hard to obtain, even after last year, when a privacy researcher showed that Venmo needed to curb its privacy issue. The result is that seven million Venmo transactions were obtained by Salmon in this six-month period.
- The personal data of more than 650,000 clients of Oregon’s Department of Human Services was compromised during a January data breach. The department announced in March that more than 350,000 clients had been impacted, but its investigation had not yet finished. When the department completed the investigation this week, it concluded that the number of clients affected was much higher than the original figure released.
- The California Consumer Privacy Act of 2018 (“CCPA”) is a California privacy law that gives consumers affirmative rights with respect to their data privacy. The CCPA endows consumers with certain rights to access information about and control what a business does with their personal information.
- Cyber security experts have warned that strange invitations are showing up in people’s Google calendars as part of a dangerous scam to trick them into being attacked. Users could see their data or money stolen after clicking on a link to a URL included in the calendar event.
SecurityStudio® is the easiest, most comprehensive information security toolkit to measure, mitigate and manage risk. Our goal is to help all organizations build and maintain a strong information security program. We do this by helping organizations understand the need for strong information security, identifying and prioritizing their risks, and implementing secure methods to address those risks.