Category: Privacy, Data Protection & Information Management

1
China’s main security agency linked to cyber intellectual property theft
2
Beware of third party data breaches
3
US, Russia and China don’t pledge to fight cybercrime
4
Q3 Notifiable breaches industry league results: Health first … lawyers a solid third!
5
Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word
6
Apple calls for comprehensive US privacy laws.
7
Sony Smart TV’s ….clearly not smart enough, or secure!
8
Move over Mirai – Torii is tipped to be the new botnet boss
9
Cyber-criminals outspend organisations more than 10 times in bid to find cybersecurity weaknesses – who says cyber-crime doesn’t pay?
10
Privacy Standardization in the United States: We Need Consensus

China’s main security agency linked to cyber intellectual property theft

By Cameron Abbott and Wendy Mansell

In April 2017, PWC, in collaboration with BAE Systems’ published a report on “Operation Cloud Hopper”, which exposed a cyber espionage campaign being conducted by a China-based threat actor. The report suggests that Operation Cloud Hopper is almost certainly the same threat actor known as “APT10”, a Chinese group thought to be behind cyber-attacks against many countries including Japan, Canada and America.

Recently it has been reported that there are links between China’s Ministry of State Security (MSS) and Operation Cloud Hopper. These allegations are from U.S based firm CrowdStrike who have recognised ties between Operation Cloud Hopper and the MSS Tianjin Bureau.

There is no confirmation that the MSS is behind the Cloud Hopper attacks, however Dr Adrian Nish, Head of Threat of Intelligence at BAE Systems said that there is “no reason to doubt” the claims.

The term “Cloud Hopper” describes a technique where cyber espionage groups “hop” from cloud storage services and infiltrate Australian IT systems. Operation Cloud Hopper is responsible for the theft of intellectual property from a number of Australian companies, primarily focused on mining, engineering and professional services firms.

In a week full of news about China activities in the region, the suggestion of state sponsored hacking thefts is a salient warning to companies that their core intellectual property assets are at risk if not well secured.

Beware of third party data breaches

By Cameron Abbott and Keely O’Dowd

A study by Ponemon Institute found the percentage of US and UK companies that faced a data breach because of a vendor or third party is growing. In the US alone, 61% of surveyed respondents confirmed that their organisation had experienced a data breach caused by a third party, which is up 5% from last year and 12% from 2016.

Ponemon Institute’s research also found that 22% of surveyed respondents admitted they did not know if they had a third party data breach during the past 12 months and more than three quarter of companies thought third-party cyber security breaches were increasing.

These research findings suggest to us that businesses must do more to guard against third party data breach risks. This may involve:

  • conducting due diligence on third party vendors to assess their security and privacy practices as part of a procurement process and throughout the ongoing vendor relationship;
  • including robust privacy and data security clauses in contracts with third parties, including the requirement that the third party notify you of actual and suspected data breaches; and
  • keeping a register of all third party vendors your business engages and the types of personal, sensitive of confidential information the third party vendors accesses, stores or shares on behalf of your business.

The third party landscape is becoming increasingly complex and businesses need to better manage and understand what exactly their vendors are up to and doing to protect their data.

US, Russia and China don’t pledge to fight cybercrime

By Cameron Abbott and Wendy Mansell

Fifty countries including Japan, Canada and many EU nations have come together with over 150 tech companies, pledging to fight against cybercrime. United State’s tech giants such as Facebook, Google and Microsoft have also joined the party.

The United States, Russia and China however have decided not to sign on. Each has no doubt very different reasons for this – the disappointment is mostly directed to the US. However it is a shame that Russia and China did not also feel the weight of the international community pressure to accept these principles.

The effort to combat cybercrime is being led by France, with French President Emmanuel Macron claiming that it is urgent that the internet is better regulated.

The countries and companies involved are fighting against illegal online activity like censorship, cyber interference in elections, hate speech and trade secrets theft.

The pledge has been made in a document titled the “Paris call for trust and security in cyberspace”.

Q3 Notifiable breaches industry league results: Health first … lawyers a solid third!

By Cameron AbbottKeely O’Dowd and Colette Légeret

The Office of the Australian Information Commissioner (OAIC) has released its third quarterly report of notifiable data breaches. This is the second OAIC report to be released covering a full quarter.

The report revealed that OAIC received 245 notifications of data breaches, marginally up from 242 notifications in the second quarterly report.

Some interesting figures from the OAIC’s report are as follows:

  • 18% of notifications were from health service providers, 14% were from the finance sector; 14% were from the legal, accounting and management services sector; 7% were from the private education sector, and 5% were from the personal services sector;
  • 85% of data breaches involved individual’s contact details, 45% involved financial details, 35% involved identity details, 22% involved health details, 22% involved tax file numbers, and 7% involved other types of personal information; and
  • 57% of data breaches were due to malicious or criminal attack, with 37% due to human error, and 6% due to system faults, with cyber incidents, namely compromised credentials or phishing being the main the cause of

Of the 245 data breaches, 58 affected only one individual – however, 7 affected more than 10,000 individuals.

These figures are a clear reminder of the need to ensure that your business is equipped to deal with data breaches. To learn more about this, take a look at this 60-second video by Cameron Abbott. With professional services ranking a solid third, we’ll take some of our own advice too!

Cyber-attackers could exploit security flaw found in the embedded video function of Microsoft Word

By Cameron Abbott and Colette Légeret

Cymulate, a leading provider of Breach and Attack Simulation solutions and a Gartner 2018 Cool Vendor, announced last week that its Security Research Team had uncovered a security flaw in the Microsoft Office Suite (Office) that may affect Microsoft Word (Word) users.

The Office security flaw identified is a JavaScript code execution within the embedded video component of Word. This has the potential to impact all users of Office 2016 and users of older Office versions. Cymulate noted that no configuration was required to reproduce the issue and no security warning is presented while opening the document with Word.

Read More

Apple calls for comprehensive US privacy laws.

By Cameron Abbott and Jessica McIntosh

It’s uncomfortable to think one of the world’s biggest business leaders has this week stood up and told us all ”our own information from the everyday to the deeply personal is being weaponized against us with military efficiency” what’s more uncomfortable, these powerful words are only a small snippet of a seriously forceful and passionate speech Tim Cook delivered in Brussels on Wednesday.

Read More

Sony Smart TV’s ….clearly not smart enough, or secure!

By Cameron Abbott and Jessica McIntosh

Security researchers at Fortinet have found flaws in eight Sony Bravia Smart TV models and consequently have got us all thinking…… just how vulnerable does having a smart TV make us?

According to Fortinet the flaws found can facilitate complete ‘remote code execution with root privilege’, in other words – those with a Sony Smart TV are left totally exposed to an attack!

Read More

Move over Mirai – Torii is tipped to be the new botnet boss

By Cameron Abbott and Jessica McIntosh

It’s been hailed a true example of the evolution of IoT malware with researchers from security vendor Avast last week explaining in detail just how persistent and powerful this “new” strain of botnet can be. According to Avast, Torii is a “level of sophistication above anything they have seen before”.

For us, it’s newly found cutting-edge techniques and features mean it is a threat to EVERY type of computer and device…it’s a threat to all of us.

Read More

Cyber-criminals outspend organisations more than 10 times in bid to find cybersecurity weaknesses – who says cyber-crime doesn’t pay?

By Cameron AbbottRob Pulham and Colette Légeret

Cyber attackers are able to search for that one weak link in corporations defences whereas corporates have to create a completely strong chain of defence against every possible scenario.  This asymmetrical fight would you think mean organisations would have to outspend attackers by many multiples.

However, according to software company, Carbon Black, the situation is worse than that because it appears that cyber criminals are outspending corporation!  Cyber-crime is big business, and as such, cyber-criminals are spending an estimated $1 trillion each year on finding weaknesses in the cyber defences of organisations and developing new ways of attacking them, in comparison to the $96 billion spent by organisations in an attempt to secure themselves from these cyber-attacks.

Read More

Privacy Standardization in the United States: We Need Consensus

By Susan P. Altman

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced this month that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk relating to protecting privacy in complex networking environments. The goal of the project is to develop a privacy framework that can deliver practical tools for developers of innovative technologies (such as IoT and AI) that will ultimately yield stronger privacy protections for individuals. NIST, which promotes innovation and industrial competitiveness, has had great success with broad adoption of its Cybersecurity Framework Version 1.1 released earlier this year, according to Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. It is now sponsoring outreach efforts throughout the U.S. to gather the best ideas for a useful and effective privacy framework.
NIST correctly notes that cybersecurity is central to managing privacy risk, but not sufficient in itself. Privacy professionals both inside and outside the U.S. are responding to (and perhaps leading) consumer privacy expectations with positions that NIST politely understates as reflecting “multiplying visions.” A framework of balanced standards for building privacy protections into technology design will benefit society broadly.
NIST, which focuses on standards for technology developers, is only one of several U.S. agencies addressing privacy concerns. For example, the U.S. Department of Commerce’s National Telecommunications and Information Administration is currently engaged in gathering input in order to formulate core, high-level principles on data privacy with a stated goal of avoiding contributing to a fractured and stifling regulatory landscape. And of course, the Federal Trade Commission, the big dog in consumer protection enforcement, continues its efforts to protect consumer privacy while critically analyzing the economic impact of such protection on competition and innovation.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.