Now browsing by tag: than
#deepweb | More than 200 million MGM customers could have stolen info on the black market

Source: National Cyber Security – Produced By Gregory Evans

MGM Resorts says there was a data breach in July 2019. Morgan & Morgan has filed a lawsuit against MGM Resorts International over a data breach that exposed the personal information of millions of people. The lawsuit, filed February 21, 2020, states that in July 2019 MGM’s computer network was hacked and that the stolen information was then posted on a closed Internet forum.


Reporting on the breach states that more than 10.6 million MGM guests were affected, but one of the lead attorneys said the figure could be much higher.

“We absolutely have heard that we could be talking upwards of 200 million plus,” said Attorney Jean Martin.

She said one of their main concerns is what information was stolen. Initially, she said, MGM reached out to affected customers in September 2019, saying only names and possibly addresses had been posted online and that the information had since been taken down. However, the lawsuit says that in February even more personal information was posted on an Internet hacking forum, prolonging the risk of the stolen data spreading. The stolen information included names, addresses, driver’s license numbers, passport numbers, military ID numbers, phone numbers, email addresses and dates of birth.

“That’s what happens when your information is compromised. You never know when it’s going to go up on the web and on the dark web, when it’s going to be sold and when it’s going to be used, so now the people that have had their information compromised face this risk for the rest of their lives,” said Martin.

MGM Resorts released a statement prior to the lawsuit’s filing, and declined to give any updated information.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter. MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws. Upon discovering the issue, the Company retained two leading cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue. At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again.”


The post #deepweb | More than 200 million MGM customers could have stolen info on the black market appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | The Washington State Privacy Act Could Be More Comprehensive Than the CCPA


Washington state could be next in line to pass a state-wide consumer privacy law in the absence of a federal mandate. 

In January, a bipartisan group of legislators introduced the Washington Privacy Act (WPA) and Senator Reuven Carlyle, who sponsored the bill, discussed why the senators believe the bill is important: “It has never been more important for state governments to take bold and meaningful action in the arena of consumer data privacy. That’s what this legislation does.”

The WPA is in some ways similar to the most recognizable privacy laws, the CCPA and the GDPR; in fact, the bill borrows many practices from them. It differs in some significant ways, however, and if it passes it would arguably be the most comprehensive privacy law in the US.

What is notable about the WPA is the ripple effect it could create down businesses’ supply chains: the WPA not only stipulates data protection responsibilities for organizations that determine the purposes and means of data processing (“controllers”), it also requires those organizations to verify that their vendors (“processors”) have sufficient data protection mechanisms in place to process personal data safely.

Regardless of whether or not this particular piece of legislation passes, it’s important for businesses to understand the WPA and what it represents: individual states are thinking about and passing legislation requiring businesses to address consumer privacy and data protection. As more states pass these kinds of laws, the burden on businesses to comply with them will continue to grow. 

What businesses would need to be WPA compliant?

As it is written currently, the WPA would apply to two categories of companies that conduct business in or target consumers in Washington:

  1. Businesses that control or process the personal data of 100,000 or more consumers.
  2. Businesses that derive more than 50% of gross revenue from the sale of personal data and that control or process the personal data of 25,000 or more consumers.

Notably, this means that the WPA would apply to some of the biggest businesses in the country, such as Amazon and Microsoft. But it would also apply to little-known data brokers and retail stores.

The WPA focuses on two groups: The first is controllers — businesses or individuals who decide how and for what purposes personal data is processed. For example, a business that collects data and uses it to send targeted ads or email marketing would be a controller.

The other group is processors — businesses or individuals that do not make decisions about how data is used and only process it as directed by the controller. A credit card processing company is a good example of a processor; they don’t collect or make decisions about the data, they just process it for the controller.

What rights does the WPA give consumers? 

Under the WPA, consumers have certain rights when it comes to their personal data. These rights include:

Right of access: The right of a consumer to know if a controller is processing their personal data and to access that personal data.

Right to correction: The right of a consumer to correct their personal data.

Right to deletion: The right of a consumer to request that their data be deleted.

Right to data portability: The right of a consumer to obtain their personal data in a portable and, as much as technically feasible, readily usable format.

Right to opt out: The right of a consumer to opt out of having their personal data processed for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or significant effects on the consumer.

Individuals would not be able to bring lawsuits against companies for breaking the law, but the state Attorney General’s Office would be able to pursue violations under the state’s Consumer Protection Act.


Controller requirements under the WPA

In short, the WPA requires controllers to be more transparent about their data use and to only use consumer data for the purposes they specified when collecting the data. There are a few other specific requirements, but many of them flow into those core purposes.

The WPA creates these specific controller responsibilities:

Transparency: This would require controllers to provide a privacy notice to consumers that includes what personal data is being processed, why it is being processed, how they can exercise their rights, what data is shared with third parties, and what categories of third parties controllers share their data with. Additionally, if the controller sells personal data, they have to “clearly and conspicuously” disclose this and explain how consumers can opt out.

Purpose Specification: Controllers are limited to collecting data that is reasonably necessary for the express purpose the data is being processed for. 

Data Minimization: Data collection must be adequate, relevant, and limited to what the controller actually needs to collect for the specified purpose.

Avoid Secondary Use: Processing personal data is prohibited for any purpose that isn’t necessary or compatible with the specified purpose of collecting or processing the data — unless the controller has the consumer’s consent.

Security: Controllers are required to put administrative, technical, and physical data security policies and processes in place to protect the confidentiality, integrity, and accessibility of the consumer data they are collecting or processing.

Nondiscrimination: Controllers may not process personal data in a way that violates anti-discrimination laws. The WPA also forbids them from discriminating against consumers for exercising their rights, for example by denying them goods and services or providing a different quality of goods and services.

Sensitive Data: Processing sensitive data without a consumer’s consent is forbidden.

Minors and Children: Processing personal data of a child without obtaining consent from their parent or legal guardian is prohibited.

Non-waiver of Consumer Rights: Any contract or agreement that waives or limits a consumer’s WPA rights is null and void.

Data Protection Assessments: Companies would also be required under the WPA to conduct confidential Data Protection Assessments for all processing activities involving personal data, and repeat the assessments any time there are processing changes that materially increase risks to consumers.

Data controllers must weigh the benefits of data processing against the risks. If the potential risks for privacy harm to consumers are substantial and outweigh the interests, then the controller would only be able to engage in processing with the explicit consent of the consumer. 


Processor requirements under the WPA

Processors’ responsibilities differ from controllers’ responsibilities. While the bulk of the WPA’s obligations currently fall on the controller, it does require processors to have the following in place:

  • Technical and organizational processes for fulfilling controllers’ obligations to respond to consumer rights requests
  • Breach notification requirements
  • Reasonable processes and policies for protecting consumers’ personal data
  • Confidentiality
  • Controller ability to object to subcontractors
  • The ability for controllers to conduct audits

Additionally, processors and controllers must have contracts in place with provisions regarding personal data processing. The required provisions are similar to the GDPR’s data processing requirements.

How does the WPA differ from the CCPA?

While the WPA borrowed heavily from the CCPA in some areas, there are some key differences that make the WPA more comprehensive.

For example, the WPA requires businesses to weigh the risks and benefits posed to the consumer before they process their data. Specifically, covered businesses must conduct data protection assessments for all processing activities involving personal data. 

The WPA also prohibits businesses from exclusively relying on automated data processing to make decisions that could have a significant impact on consumers, which is not included in the CCPA.

Another significant difference is how the WPA addresses facial recognition software. The CCPA treats facial recognition and other biometric data the same as all other personal data, while the WPA has more specific requirements for how controllers and processors must treat facial recognition data. 

Namely, the WPA specifies that, among other things, facial recognition technology must be tested for accuracy and potential bias, controllers must obtain consent for adding a consumer’s face to a database, consumers must be notified in public places where it is happening, and results must be verified by humans when making critical decisions utilizing facial recognition technology.

What are the consequences of non-compliance?


The cost of non-compliance with the WPA

While the CCPA allows individuals to bring action against companies that are noncompliant, the WPA has no such provision. It does, however, give the Washington Attorney General authority to take legal action and enforce penalties of up to $7,500 per violation, which can add up quickly for businesses that suffer data breaches or are found to be out of compliance with the WPA.

Preparing for the WPA and beyond

Many businesses are already thinking about WPA compliance, and the most forward-thinking businesses are also considering what this means for the future of privacy laws. The WPA is receiving praise from advocate groups such as Consumer Reports as well as tech giants like Microsoft, and many are even calling for further improvements to the bill. 

Even if the WPA does not pass, other states are likely to pass similar legislation around consumer data privacy. Either way, your organization needs to be prepared to operate in a world where data privacy will continue to be legislated and litigated.

Companies with already mature infosec and privacy practices will have a big head start when implementing WPA-compliant practices.

To prepare for the WPA and future privacy laws, start by understanding what’s required by the existing industry-agnostic data privacy regulations (e.g., CCPA, GDPR). You’ll need to ensure that your privacy policy, data handling practices, security protocols and vendor contracts are compliant with these regulations. Doing so will help your organization be well prepared when new legislation like the WPA goes into effect. 

To learn more about what your organization can do to readily meet common data privacy legislations, check out this article Understanding Data Privacy and Why It Needs to Be a Priority for Your Business.  

Additionally, to help organizations strengthen their security posture and meet regulatory requirements, Hyperproof has published a suite of articles on cybersecurity controls, best practices and standards.

Hyperproof’s compliance operations software comes with pre-built frameworks to help you implement common cybersecurity and data privacy standards (e.g., GDPR, CCPA, SOC 2, ISO 27001) — so you can improve your data protection mechanisms and business processes to readily meet data privacy and data security regulations. Hyperproof not only provides guidance when you implement these compliance standards, it also automates many compliance activities to save you time when adhering to multiple regulations and industry standards.

If you’d like to learn more about how Hyperproof can help you prepare to meet the WPA as well as existing data privacy laws, please contact us for a personalized demo.


The post The Washington State Privacy Act Could Be More Comprehensive Than the CCPA appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/washington-state-privacy-act/


#cybersecurity | #hackerspace | Less than 10% of enterprise email domains are protected from spoofing — is yours?

Flaws in email security are among the leading causes of cybersecurity incidents for many organizations. Whether it’s ransomware, business email compromise (BEC) attacks, or a spear-phishing email that leads to cyber criminals gaining access to sensitive data, email is the common denominator. While there are many […]
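The excerpt above does not say how it measured whether a domain is “protected from spoofing”. The following is an added example, not code from the article or from AmIHackerProof.com, that assumes the usual criterion: a published DMARC record with an enforcing policy (quarantine or reject) applied to all mail, with the qualifier on the SPF `all` mechanism reported alongside it. Every domain and record in it is constructed.

```python
"""Classify how a domain's published records protect it against sender
spoofing.  Added illustration, not code from the article: it assumes
'protected' means a DMARC record whose policy is quarantine or reject
applied to all mail.  Records below are constructed; a live check would
fetch the TXT records for _dmarc.<domain> and <domain> from DNS."""
import re
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:                      # skip empty or malformed parts
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_class(txt: Optional[str], subdomain: bool = False) -> str:
    """
    'enforcing'    p (or sp for subdomains) is quarantine/reject at pct=100
    'partial'      enforcing policy but pct below 100 (rollout in progress)
    'monitoring'   record present, policy none: reports only, mail unaffected
    'unprotected'  no record, or a record receivers would ignore
    """
    if not txt:
        return "unprotected"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "unprotected"
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:      # sp overrides p for subdomains
        policy = tags["sp"].lower()
    if policy == "none":
        return "monitoring"
    if policy not in ("quarantine", "reject"):
        return "unprotected"            # unknown value; treat as no policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                       # fall back to the default of 100
    return "enforcing" if pct >= 100 else "partial"


def spf_all_qualifier(txt: Optional[str]) -> Optional[str]:
    """Qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def assess(dmarc_txt: Optional[str], spf_txt: Optional[str],
           subdomain: bool = False) -> dict:
    """Combine both checks for one domain."""
    return {"dmarc": dmarc_class(dmarc_txt, subdomain),
            "spf_all": spf_all_qualifier(spf_txt)}


# Constructed records keyed by made-up domain: (DMARC TXT, SPF TXT).
SAMPLE_RECORDS = {
    "reject.example":  ("v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
                        "v=spf1 include:_spf.reject.example -all"),
    "rollout.example": ("v=DMARC1; p=quarantine; pct=25; sp=none",
                        "v=spf1 ip4:192.0.2.0/24 ~all"),
    "monitor.example": ("v=DMARC1; p=none; rua=mailto:reports@monitor.example",
                        "v=spf1 mx -all"),
    "bare.example":    (None, "v=spf1 mx ~all"),
}


if __name__ == "__main__":
    for domain, (dmarc_txt, spf_txt) in SAMPLE_RECORDS.items():
        print(f"{domain:>16}: {assess(dmarc_txt, spf_txt)}")
```

Run it directly to see the four constructed cases; for a real domain, fetch the TXT records for `_dmarc.<domain>` and `<domain>` with a DNS resolver and pass them to `assess`. Two points the classification makes visible: a `p=none` record is reporting-only and stops no spoofed mail, and a rollout with `pct` below 100 leaves a share of failing messages unenforced.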

#nationalcybersecuritymonth | Ransomware may have cost the US more than $7.5 billion in 2019


It was another big year for ransomware, the extremely profitable style of cyberattack in which computer systems and data are taken over by hackers and held hostage until the victim hands over a payoff.

In 2019, these attacks wreaked havoc around the globe, earned criminals vast sums, and even occasionally provided a weapon for government hackers. This marked the fifth straight year of growth, with national and local governments and public institutions increasingly becoming targets.

The money: The potential cost of ransomware in the United States last year was over $7.5 billion, according to a recent report from the cybersecurity firm Emsisoft that attempted to estimate the impact of a very opaque set of incidents.

The victims: Emsisoft tallied 113 governments and agencies, 764 health-care providers, and up to 1,233 individual schools affected by ransomware in America. Big cities including Baltimore and New Orleans were struck by ransomware attacks last year.

The why: One root cause, according to an October 2019 report from the State Auditor of Mississippi, is a “disregard for cybersecurity in state government.” Others agree: Research from the University of Maryland published earlier in the year concluded with admirable directness “that most American local governments do a poor job practicing cybersecurity.”

This isn’t a problem just for small towns and their ill-equipped agencies. Last month, a US Coast Guard facility was forced offline for over 30 hours when ransomware hit the base’s cameras, access systems, and critical monitoring systems, the BBC reported.


5G Is More Secure Than 4G and 3G—Except When It’s Not

You’ve probably been hearing the hype about lightning-fast 5G for years now. And while the new wireless networks still aren’t ubiquitous in the United States, 5G is slowly cropping up in cities from Boston and Seattle to Dallas and Kansas City. With the faster connection speeds […]

Brace #Yourself For #More than 10 #Billion #Cyberattacks in #2018

Source: National Cyber Security News

The internet is a dangerous place. In 2017 alone, we experienced the Equifax hack, the WannaCry ransomware attack, and the rise of Logan Paul. And according to a new report released by cyber threat research firm SonicWall on Thursday, it’s probably only going to get worse.

SonicWall’s report outlines cybersecurity trends from the past year that are likely to continue into 2018. One of the main takeaways? Malware is back in a big way.

The previous high for yearly malware attacks was set in 2015, before dipping slightly in 2016. But SonicWall found that the incidence of malware attacks shot up again in 2017, setting a new record of 9.32 billion attacks, an 18 percent increase over 2016. If malware attacks increase at the same rate this year, we could see nearly 11 billion of them in 2018.

It’s not particularly surprising that people are launching cyber attacks with increasing regularity. As technology improves, the barriers to hacking are lessening, and rapid advances in artificial intelligence will make attacks more cost-effective and efficient.

Another key finding from the report is that while total malware attacks increased, ransomware attacks actually dropped by 71 percent.


Cybersecurity: The #Tech #Companies More #Important than the #FANGs.


The products and services provided by the behemoths of the tech industry may seem indispensable, the most fundamental features of the technological environment. However, there is a group of less glamorous firms that are arguably the necessary foundation of the whole industry: cybersecurity firms.

Cybersecurity is defined as the measures taken to ensure protection against unauthorised or criminal use of electronic data.

The world has become acutely aware in recent years that data is the new oil, and reserves are plentiful and growing exponentially. The amount of data in the digital world is growing so rapidly because of trends such as the Internet of Things and bring your own device (BYOD); the enormous number of devices connected to the internet makes data abundant and cybersecurity a constant battleground.

The main antagonist in the cybersecurity realm is ransomware, malicious software rooted in cryptovirology that threatens to make a victim’s data public, or to block access to it permanently, unless a ransom is paid.

Therefore, as more data is created, more ransomware will inevitably be deployed. The ubiquity of ransomware is debilitating for anyone with data and internet access, but it represents a pot of gold for cybersecurity firms – the mercenaries of the technological age.

The Casualties

Everyone reading this will likely be aware of some large organisation that was attacked during 2017. The year’s high-profile victims range from multinational companies such as Equifax (a data breach rather than ransomware) and WPP (hit by the NotPetya wiper) to state institutions such as the NHS (hit by WannaCry).

One of the most malicious attacks that has been seen was this year’s ‘WannaCry’ attack, which impacted 230,000 computers and 10,000 companies throughout 150 countries.

WannaCry infected 47 NHS hospitals, starkly highlighting the callous nature of these attacks. They are not aimed only at multi-billion dollar institutions thought to line the pockets of the top 1%; much like actual warfare and terrorism, they are launched with no consideration for the innocence or relevance of their victims.

No sector is immune from cyber attacks and over 20% of institutions in financial services, education, entertainment, media, IT and telecoms have all been targeted recently.

One reason for the rapid increase in attacks is that it is becoming increasingly easy to launch a malware attack due to the ability to hire malware. By having the option to hire malware, criminals can launch attacks online with rented viruses which in turn opens up the battlefield to low-skilled, street criminals as well as highly-educated criminals.

The Figures

The opportunities available to cybersecurity firms are plentiful, provided they can innovate and stay ahead of the malware. The industry is dynamic because attackers are constantly evolving and producing more vicious, efficient attacks; as long as cybersecurity firms can produce the solutions to those attacks, they are indispensable to otherwise helpless victims.

The growth that has already been witnessed in this industry is evidence of the huge future potential for growth: the global cybersecurity market was worth $3.5bn in 2004, $64bn in 2011, $138bn in 2017, and is projected to be worth $232bn by 2022.

Furthermore, the US Bureau of Labor Statistics reports that by 2024 there will be an increase in the demand for cybersecurity staff by 36% – double the demand compared to digital workers in other fields.

The vast increase in demand for workers in cybersecurity corroborates the notion that this industry is on track to being one of the most important and lucrative sectors out there.

The Firms

Fortinet is arguably the market leader in cybersecurity and has a very large, diverse product base which enables it to trade with large and small firms. Its reports from 2017 Q1 showed a 20% increase in revenue and an increase in net income of 410% YTD, taking it to $10.7 million. Fortinet’s expected revenue for the entire year is estimated at $1.77bn.

CyberArk Software primarily focuses on protecting internal digital infrastructure, keeping privileged accounts safe, which includes the most sacred and hence potentially dangerous data.

In essence, if an attack manages to breach an initial firewall, CyberArk’s security will keep the crown jewels safe. CyberArk currently has flat earnings but is debt free and has amassed cash assets of $287m.

Furthermore, CyberArk is one of the pioneering companies in the industry and has an impressive client list of 3,200 and does business with 45% of Fortune 100 companies. Additionally, CyberArk acquired Conjur this year ($42m) which will allow it to expand into other areas of security.

Palo Alto Networks focuses on protecting data infrastructure and sells its products and services to 85 of the Fortune 100 companies. This year adjusted EPS rose 32.6% to $0.61, and the Q3 revenue report showed a record $432m, as well as the second-highest number of new customers since the business began.

Going Forward

It is clear that the growth potential for cybersecurity is enormous. In fact, some might even say that it is terrifying how dependent society will be on this industry in the near future. People must also not approach cybersecurity in a myopic sense and assume that it only has applications for large firms that have the capital to pay high-price ransoms.

The futuristic phrase ‘cyberwarfare’ may seem reserved for the cinema screen; however, if hackers sitting in their bedrooms can wreak havoc on some of the biggest institutions in the world, imagine what a government-funded group of experienced, ruthless ‘cyber soldiers’ could do. Fewer than 10 countries have nuclear capabilities, but any country with an internet connection could have access to cyber arms.

Conclusion

Finishing on a more positive note, cybersecurity is currently one of the most highly paid careers in technology with 39% of its employees earning more than £87,000 and 75% earning more than £47,000.

In the past, one would have to risk their lives for almost no remuneration to complete patriotic duty. Now, one can fulfil this moral craving whilst sitting at home, rather than in a dilapidated barracks.


Google: Our #hunt for #hackers reveals #phishing is far #deadlier than #data #breaches


Google has released the results of a year-long investigation into Gmail account hijacking, which finds that phishing is far riskier for users than data breaches, because of the additional information phishers collect.

Hardly a week goes by without a new data breach being discovered, exposing victims to account hijacking if they used the same username and password on multiple online accounts.

While data breaches are bad news for internet users, Google’s study finds that phishing is a much more dangerous threat to its users in terms of account hijacking.

In partnership with the University of California Berkeley, Google pointed its web crawlers at public hacker forums and paste sites to look for potential credential leaks. They also accessed several private hacker forums.

The blackhat search turned up 1.9 billion credentials exposed by data breaches affecting users of MySpace, Adobe, LinkedIn, Dropbox and several dating sites. The vast majority of the credentials found were being traded on private forums.

Despite the huge numbers, only seven percent of the credentials exposed in data breaches match the password currently in use on the corresponding Google account (across its billion Gmail users), whereas a quarter of the 3.8 million credentials exposed in phishing attacks match the current Google password.

The study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user, a figure that falls to 10 times for victims of a data breach. The difference is due to the type of information that so-called phishing kits collect.

Phishing kits contain prepackaged fake login pages for popular and valuable sites, such as Gmail, Yahoo, Hotmail, and online banking. They’re often uploaded to compromised websites, and automatically email captured credentials to the attacker’s account.

Phishing kits enable a higher rate of account hijacking because they capture the same details that Google uses in its risk assessment when users log in, such as the victim’s geolocation, secret questions, phone numbers, and device identifiers.

The researchers find that 83 percent of 10,000 phishing kits collect victims’ geolocation, while 18 percent collect phone numbers. By comparison, fewer than 0.1 percent of keyloggers collect phone details and secret questions.
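To make that mechanism concrete, here is an added example (not Google’s code and not from the study) of a toy risk-based login check in Python. It scores a sign-in attempt against the profile a provider holds for the account and shows why a phishing-kit haul that includes the victim’s geolocation, device identifier, phone number and secret answer passes the same check that challenges a breach-only password. The weights, threshold, profile and captures are constructed values.

```python
"""Toy risk-based login check, added as an illustration (not Google's code
and not from the study).  It scores a login attempt against the profile a
provider keeps for an account and shows why a phishing kit that harvests
geolocation, device identifier, phone number and secret answer alongside
the password gets past a check that a breach-only password does not.
Weights, threshold, profile and captures are all constructed values."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccountProfile:
    """What the provider knows about the legitimate account holder."""
    password: str
    country: str
    device_id: str
    phone: str
    secret_answer: str


@dataclass(frozen=True)
class LoginAttempt:
    """What is presented at sign-in; signals the attacker lacks stay None."""
    password: str
    country: Optional[str] = None
    device_id: Optional[str] = None
    phone: Optional[str] = None
    secret_answer: Optional[str] = None


# Assumed weights: a missing or mismatching signal adds this much risk.
WEIGHTS = {"country": 2, "device_id": 3, "phone": 1, "secret_answer": 2}
# Assumed threshold: attempts scoring this high get a second-factor challenge.
CHALLENGE_THRESHOLD = 3


def risk_score(profile: AccountProfile, attempt: LoginAttempt) -> int:
    """Sum the weights of every signal the attempt fails to reproduce."""
    score = 0
    for signal, weight in WEIGHTS.items():
        if getattr(attempt, signal) != getattr(profile, signal):
            score += weight
    return score


def evaluate_login(profile: AccountProfile, attempt: LoginAttempt) -> str:
    """Return 'denied' (wrong password), 'challenge' or 'allowed'."""
    if attempt.password != profile.password:
        return "denied"
    if risk_score(profile, attempt) >= CHALLENGE_THRESHOLD:
        return "challenge"
    return "allowed"


def build_attempt(captured: dict) -> LoginAttempt:
    """The strongest attempt an attacker can mount from captured data."""
    return LoginAttempt(**captured)


# Constructed victim profile.
PROFILE = AccountProfile(password="hunter2", country="US", device_id="dev-8f3a",
                         phone="+15555550123", secret_answer="rex")

# A credential dump yields the password only, and only for the minority of
# victims whose current password still matches the leaked one.
BREACH_CAPTURE = {"password": "hunter2"}
STALE_BREACH_CAPTURE = {"password": "hunter1"}   # victim already rotated it
# A kit that also captured geolocation, device and recovery data.
KIT_CAPTURE = {"password": "hunter2", "country": "US", "device_id": "dev-8f3a",
               "phone": "+15555550123", "secret_answer": "rex"}
# A kit that collected geolocation but none of the other signals.
GEO_ONLY_KIT_CAPTURE = {"password": "hunter2", "country": "US"}


def outcomes() -> dict:
    """Login outcome for each kind of capture against the constructed profile."""
    return {name: evaluate_login(PROFILE, build_attempt(cap)) for name, cap in [
        ("breach", BREACH_CAPTURE),
        ("stale_breach", STALE_BREACH_CAPTURE),
        ("full_kit", KIT_CAPTURE),
        ("geo_only_kit", GEO_ONLY_KIT_CAPTURE),
    ]}


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:>14}: {result}")
```

The breach-only attempt has the right password but reproduces none of the other signals, so it is challenged; the full kit haul reproduces all of them and is allowed straight through; the stale breach credential is simply denied, which is the common case the study’s seven percent figure describes. A real provider’s model has many more signals and learned weights, but the shape is the same, which is why a kit that collects recovery data is worth more to an attacker than a password list.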

The study finds that 41 percent of phishing kit users are from Nigeria based on the geolocation of the last sign-in to a Gmail account used to receive stolen credentials. The next biggest group is US phishing-kit users, who account for 11 percent.

Interestingly, the researchers found that 72 percent of the phishing kits use a Gmail account to send captured credentials to the attacker. By comparison, only 6.8 percent used Yahoo, the second most popular service for phishing-kit operators. The phishing kits were sending 234,887 potentially valid credentials every week.

Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study. Yahoo phishing victims follow at 12 percent. However, Yahoo and Hotmail users are the largest group of leaked credential victims, both representing 19 percent, followed by Gmail at 12 percent.

They also found most victims of phishing were from the US, whereas most victims of keyloggers were from Brazil.

The researchers note that two-factor authentication can mitigate the threat of phishing, but acknowledge that ease of use is an obstacle to adoption.


Why We Need to Worry More Than Ever About Getting Hacked


The narrative around hacking has changed. Thanks to the proliferation of high-profile hacks in recent years, we’re no longer asking ourselves, “What if?” Now, the question is, “When?” After all, if a powerhouse with unlimited resources like HBO is vulnerable to a hack, surely anyone is susceptible. It can be…


DHS: Cyberattack greater threat than bombs


Much has been said in the past month about Guam’s military readiness in the event of a missile attack, with most of the rhetoric spurred on by media fervor surrounding direct threats to Guam from North Korea. Adelup officials, facing the international spotlight for days, essentially repeated the same statement:…
