Data Breaches News and Analysis
Did Facebook’s business model make the company an easier target for cybercriminals?
Some researchers argue that the situation showcases why Facebook must revisit how it handles and secures personal information.
Conti ransomware gang hits Broward County Schools with $40M demand
Coral Glades High School, part of Broward County Public Schools. The $40 million ransomware attack on the district was one of a wave of cases targeting educational institutions over the last couple of weeks. (Formulanone, Public domain, via Wikimedia Commons) The Conti ransomware gang encrypted the systems at Broward County Public Schools several weeks ago and threatened to…
Qualys: Breach limited to 3rd-party vendor, but attackers trying to make exposure seem worse
In a detailed update posted on the Qualys website April 2, CISO Ben Carr said that an independent, third-party forensic firm has verified the company’s initial determination that the attack did not jump from Accellion’s file transfer appliance server to Qualys’ larger corporate network.
FatFace disclosure a case study in ‘bungling the process’
U.K.-clothing retailer FatFace has egg on its face after a botched disclosure letter customers and security professionals consider too late, too secretive and too hard to confirm.
Policyholders may be the primary target in hack of cyber insurance provider CNA
In the words of one expert: “The theft of customer policies is the Sword of Damocles that has been hanging over the cyber insurance industry since its inception.”
As legislators work toward law requiring companies to alert feds to breaches, key hurdles emerge
Experts say the idea has merit – if only legislators can balance the promise with the potential liability and burden placed upon industry.
Camera tricks: Privacy concerns raised after massive surveillance cam breach
A hacking collective compromised roughly 150,000 internet-connected surveillance cameras from Verkada. Now experts are weighing in on the potential ramifications that can befall an organization if security footage is leaked or falls into the wrong hands.
As Hafnium timeline crystalizes, signs of new Microsoft Exchange Server attacks emerge
A surge of breaches against Microsoft Exchange Server appear to have rolled out in phases, with signs also pointing to other hackers using the same vulnerabilities after Microsoft announced a patch.
Government briefed on breach of at least 30,000 Microsoft Exchange Servers
The latest details confirm a trend SC Media reported earlier in the week, that security investigators were finding substantially more instances of breached Microsoft Exchange servers than Microsoft’s original report of “limited and targeted” attacks may have let on.
Public companies may not grasp responsibility to investors in sharing info on cyber risk
Public companies “should be explaining to investors the specific risks they face from cybersecurity threats, not vague jargon.
When lawyers get hacked: How law firms grapple with risk tied to supply chain breaches
As companies scramble to assess their own vulnerability amid the wave of supply chain attacks in recent months, law firms find themselves doing double duty: providing complex legal support to clients, and assessing internal safeguards to ensure they themselves practice what they preach.
Nine-year Malaysia Airlines breach gave attackers lots of time to misuse data
The incident is another example of why businesses must assess and manage third-party vendor risk.
Microsoft Exchange Server breaches more widespread than originally thought
In its blog post on critical Exchange Server patches Tuesday, Microsoft pointed to “limited and targeted” exploitation of the vulnerabilities in the wild. But new data suggests that the breaches may not be limited or targeted at all.
At House SolarWinds hearing, bipartisan lawmakers announce breach disclosure bill
Continuing a discussion kicked off earlier this week in the Senate, House lawmakers confirmed that legislation is in the works, pushing for answers on the balance between liability protection and the duty to protect consumers.
Google Alerts used to launch fake Adobe Flash Player updater
The threat actors are “quite clever” in using Google Alerts as an attack vector to prompt users to “update” Adobe Flash Player.
‘Everyone’s half asleep, and bosses don’t want trouble’: The struggle to secure utilities
Padraic O’Reilly, co-founder of cyber risk firm CyberSaint, shared insights with SC Media, about the struggles faced by water plants, energy companies and other utilities to assess cyber risk and prevent cyberattacks.
Anne Neuberger coordinating Biden’s SolarWinds efforts
The announcement came after Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., sent a letter to the U.S. intelligence services asking them to assign a leader for the response.
Internet-exposed Orion servers drop 25% since SolarWinds breaches announced
One in four SolarWinds Orion servers exposed to the internet at the time of an era-defining espionage campaign have been taken off the internet.
A water-treatment hacking, and the complexities of risk mitigation
And would any water treatment facility judge the calculus differently – revert dollars from elsewhere perhaps – had they known such a cyber incident was coming? Even that is hard to say. We don’t know what would be sacrificed by that trade-off.
With thousands of vendors, companies typically have limited grasp over supply chain security
Organizations operate in networks that on average include 1,409 vendors. Combine that with limited resources, and supply chain security can seem an oxymoron.
