Archive: March 2016

1
Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack
2
The biggest cyber security threats experienced by Australian organisations
3
Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.
4
A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine
5
The EU-US Privacy Shield has been released
6
Nissan shakes like a LEAF and disables app after car hacking potential exposed

Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack

By Cameron Abbott and Simon Ly

In a story that would make an excellent plot to a sequel to Ocean’s 13, the Federal Reserve Bank of New York has been the target of a successful major cyber hack. Part of the targeted attack was an attempt to steal nearly $1 billion from Bangladesh Bank’s account.

If anyone would be well protected it would be the NY Fed, right? Well, while they were able to block some 30 transactions, 5 were successful, resulting in $81 million being stolen from Bangladesh Bank’s account.

The NY Fed has released a statement outlining that its systems were not breached, but instead pointing to SWIFT, a member-owned cooperative relied upon by banks to authenticate international monetary transactions. In response, a SWIFT representative stated that it “reiterates that the SWIFT network itself was not breached”. For its part, the NY Fed agreed that it “viewed this as a major lapse on the part of FRB NY”.

It will be fascinating to see how this he-said she-said blame game plays out. The current state of events is that the Bangladesh Bank is engaging legal counsel to establish grounds for recompense.

It goes without saying that these mind boggling figures and the nature of the attack emphasise that no one is immune from attacks. Next time someone tells you that it can’t happen to your organisation – remember this example.

For more information, please see Bloomberg’s report here.

The biggest cyber security threats experienced by Australian organisations

By Jim Bulling and Michelle Chasser

The Australian Government Australian Cyber Security Centre (ACSC) has released its 2015 Cyber Security Survey: Major Australian Businesses. 149 organisations across a number of sectors, including banking and finance, defence and energy, responded to the survey which provides some interesting insights into cyber security activity and concerns for the future.

According to the survey the top 10 cyber security incidents experienced by respondents on their networks in the previous 12 months were:

  1. ransomware (72%)
  2. malware (66%)
  3. targeted malicious emails (59%)
  4. virus or worm infection (30%)
  5. theft of mobile devices and laptops (30%)
  6. trojan (27%)
  7. remote access trojans (20%)
  8. unauthorised access (25%)
  9. theft or breach of confidential information (23%)
  10. unauthorised access to information from an outsider (17%)

Read More

Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.

By Tyler Kirk

In the US, the Securities and Exchange Commission has encouraged its regulated entities to self-report. If entities do not self-report, there is the very real possibility that a whistleblower may disclose a cybersecurity incident to the Commission. Significantly, the SEC has indicated that it would take a more adversarial position against an entity that does not self-report.
When self-reporting cybersecurity incidents to the SEC, it is important to approach the Commission with a well thought out plan for responding to the incident. Moreover, a remediation strategy should be a part of every entity’s cybersecurity policies and procedures.

After a cybersecurity incident, SEC regulated entities, such as investment companies and their boards, should move quickly to establish the scope of the incident, decide whether to self-report to the SEC, and begin the remediation process. According to the Commission, under some circumstances, the SEC has tools available to assist with remediation.

Importantly, self-reporting cybersecurity incidents to the SEC could benefit an investment company and its board by leading to a reduced penalty in the event an enforcement action is brought on the basis of the incident.

A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine

By Ted Kornobis

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) instituted its first data security enforcement action, in the form of a consent order against online payment platform Dwolla, Inc.

The CFPB joins several other regulators that have recently issued statements or instituted enforcement actions in this space, including the Securities and Exchange Commission (“SEC”), Commodities Futures Trading Commission (“CFTC”), the Financial Industry Regulatory Authority (“FINRA”), the National Futures Association (“NFA”), the Department of Justice (“DOJ”), state attorneys general, and the Federal Trade Commission (“FTC”), which has been active in this area for several years.

To read more click here.

The EU-US Privacy Shield has been released

By Cameron Abbott and Meg Aitken

The European Commission has now officially released the EU-U.S. Privacy Shield, which sets out the key requirements and principles for trans-Atlantic data flow between Europe to the US.

Read our colleague’s article on the announcement here.

Alternatively, access the European Commission’s Press Release here.

Nissan shakes like a LEAF and disables app after car hacking potential exposed

By Cameron Abbott and Meg Aitken

Lock you doors…oh wait, that won’t protect you. Australian security researchers, Troy Hunt and Scott Helme have exposed a security flaw in Nissan’s Connect app which allows certain features of the manufacturer’s best-selling electric car, the ‘LEAF’, to literally be controlled by someone else on the other side of the world.

Hunt and Helme recently discovered that the app did not require any owner identification information in order to link with and control LEAF cars. All that was required was the Vehicle Identification Number (VIN), which is conveniently displayed on the chassis of the vehicle.

OK, so hackers couldn’t actually steer the car, but they could command the climate control and telematics to access driving data about trip durations, raising privacy concerns. Further, given that the LEAF is an electric powered vehicle, being able to access the climate controls could potentially allow a hacker to drain the battery and leave a driver stranded.

Car companies are racing to embrace the internet of things, and privacy and security seems to be taking a back seat. While there is no doubt that connected car technology boasts exciting functionality for drivers, it is not without road bumps, and we are once again reminded of the dangerous potential presented by interconnected devices. With a bit of luck, Nissan’s scare will see the automotive industry get in the driver’s seat towards developing a better appreciation of the risks associated with these devices and how they can be mitigated.

Nissan has now reportedly disabled the NissanConnect app and plans to release a new version once these security concerns are rectified. According to Hunt’s blog post, it took Nissan more than a month to take the app offline after he reported the security vulnerabilities.

Read Troy Hunt’s blog post on the discovery here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.