Category: Uncategorized

1
Hospital systems in quarantine after ransomware attack in Victoria
2
Riding in cars with hackers
3
Hyp3r-misappropriation of data gets Instagram’s attention, but is enough being done?
4
Is your iPhone spying on you (again)?
5
Sorry Sir, Our Data Breach Response Plan is Out of Stock
6
Tourists aren’t the only thing visiting London’s hotspots
7
Thailand joins the party of legislated Data Protection
8
IoT (internet of things) legislation makes an appearance in the U.S Senate
9
Ransomware attack hits the state of Georgia
10
Major political parties join the Federal Parliament in the February data breach

Riding in cars with hackers

By Cameron Abbott, Michelle Aggromito and Alyssia Totham

Ransom-based hacking techniques have primarily been limited to the intangible. We live in a world where unauthorised access to email accounts, bank accounts, and computer systems that may otherwise be private is no longer uncommon.

In some situations, hackers demand a lump sum in return for reinstating control of the accounts and systems to its owners and managers, and otherwise refusing to pay this ransom can likely leave our information and data at the mercy of hackers.

Read More

Hyp3r-misappropriation of data gets Instagram’s attention, but is enough being done?

By Cameron Abbott, Michelle Aggromito and Alyssia Totham

Until recently, a security vulnerability in the social media platform Instagram, allowed Hyp3r to illicitly harvest millions of Instagram users’ data and track their locations.

In a similar manner to the Cambridge Analytica scandal that plagued Facebook following the 2016 US presidential election, this latest example of Hyp3r’s mass data collection was discovered through a journalistic investigation and was not uncovered by the social media platform.

Read More

Sorry Sir, Our Data Breach Response Plan is Out of Stock

By Cameron Abbott, Michelle Aggromito and Max Evans

We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.

Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a Report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that it was due to system updates. A spokesperson for Stock-X later disclosed to TechCruch that Stock-X was alerted to “suspicious activity”. TechCrunch reports; however, an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.

Read More

Tourists aren’t the only thing visiting London’s hotspots

By Cameron Abbott and Ella Richards

Over 100 million cyber-attacks have hit London’s top tourist attractions over the past few years, signalling hackers turning their attention to the treasure trove of customer’s personal data and related opportunities for ransomware attacks.

Kew Gardens experienced an incredible 86 million attacks during 2018 and has seen a 438% increase in attacks year-on-year. Personal and financial details of over 100,000 of its members and over 800 staff are highly sought after, with 82 million spyware attempts and 1.6 million information-stealing attempts last financial year alone. Although Kew Gardens have performed admirably in mitigating the attacks, a major server breach in 2017-2018 and an incident involving a compromised email address managed to slip through.

Imperial War Museum was the next highest target; with over 10 million cyber security incidents spread over three years and 8 successful ransomware attacks within that time. The Natural History Museum tallied 875,414 cyber-attacks over three years, of which 26,610 were considered ‘unmitigated’ threats.

Lastly, Tate Gallery (which oversees the Tate Modern Tate Britain Galleries) was subject to 494,709 attacks last year alone, however only four attacks featuring malware and phishing software were successful.

These attacks demonstrate hacker’s increasing focus on personal and financial data, which tourist hotspots and museums collect in enormous volumes on a daily basis. Sheila Flavell (COO of FDM Group) points out that in the wake of these incidents, the UK needs to increase their level of cyber expertise by attracting more people into the tech industry. We agree there are not going to be many unemployed cybersecurity consultants with this sort of scale of activities!

Thailand joins the party of legislated Data Protection

By Cameron Abbott and Ella Richards

Following tireless attempts spanning over two decades, Thailand has finally approved the Thailand Personal Data Protection Act (“PDPA”), subject to royal endorsement and publication in the Government Gazette. Previously, the only right pertaining to personal privacy was located in the Thai Constitution, and while certain business sectors (such as telecommunications, healthcare and banking) had some protection, there was an absence of a singular consolidated data protection regime.

You may notice the broad similarity between the PDPA and the European Union’s GDPR; but don’t get too excited. Although various concepts have been drawn from the GDPR, the PDPA has been written with consideration of Thai perspectives, and therefor careful examination of compliance requirements of both regimes will be necessary.

Once the PDPA is published in the Government Gazette, Thailand will allow a transition period for businesses to adapt their practices (as the PDPA will apply to most entities onshore and offshore).

So, what can we do to prepare for the PDPA now?

Any company collecting data from residents of Thailand should ensure they’re in compliance before the PDPA comes into effect. Penalties for non-compliance will be severe, so an evaluation of business procedures will be necessary to determine if additional measures need to be adopted.

IoT (internet of things) legislation makes an appearance in the U.S Senate

By Cameron Abbott and Ella Richards

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the amount of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that will govern the use of IoT devices in the government context.

As we have blogged previously, the implementation of IoT brings with it an array of potential security issues and vulnerabilities. If hackers are able to access one device, there’s the possibility for them to manipulate others connected on the same network. This could result in national security risks, citizen information breaches or high-scale ransom attacks.

Under the bill, the National Institute of Standards and Technology (NIST) will give recommendations to the federal government, including minimum security requirements and how the government should approach potential cybersecurity issues. These policies and recommendations would be revisited every five years to keep them fresh and responsive to ever-changing cyber threats.

The potential that such standards would provide more industry wide guidance is to be encouraged, as several years into the growth of IoT there remains huge variability in security. The internet of things is generally less of a focus than most people’s computers, but the impact and ability to propagate is arguably greater.

Ransomware attack hits the state of Georgia

By Cameron Abbott and Ella Richards

Jackson County in Georgia has been held ransom after cyber-attackers deployed ransomware that crippled the government’s IT network for 2 weeks. Government officials resorted to coughing up $400,000 in bitcoin to pay the ransom, desperately trying to get out of the offline ‘pen and paper’ situation the attack had left them in. The suspected ransomware, ‘Ryuk’, caught the eye of the authorities at the end of 2018 after it started affecting the printing presses of Tribune Publishing. Due to the highly problematic decryption tool that is provided once the ransom is paid, Ryuk has the frightening capacity to destroy businesses which cannot survive in downtime or do not have restorable backups.

Read further about the incident here: https://www.bankinfosecurity.com/georgia-county-pays-400000-to-ransomware-attackers-a-12159

Major political parties join the Federal Parliament in the February data breach

By Cameron Abbott and Ella Richards

Following an unprecedented surge in cyber attacks against Australian businesses, an attack on Australia’s political infrastructure was imminent. New information reveals that the cyber attack against the Federal Parliament earlier this year was accompanied by yet another directed towards the Liberal, Labour and National parties.

While the malicious culprit starting poking around last November, the full throttle attack didn’t come along until 3 months later. Australia’s political institutions are high value targets for foreign entities, as they’re relatively small organisations with a huge storage of voter and community data.

It’s the distinctive sophistication of this ‘state actor’ attack that has furthered overt suspicions of foreign state agent involvement. Technical experts reported that the infiltration was the first of its kind, ringing alarm bells across the Government to strengthen security against foreign espionage and increase cyber capabilities.

Authorities are trying to calm the masses by reporting that no electoral information was taken, but they also have no idea what data was taken, or what the motives were behind it.

Various media publications have wasted no time trying to connect the dots between these incidents. A whopping 78% increase in attacks on Australian businesses, upcoming elections in May and precarious ties with suspected countries fuel their prophecies. This may be the wake up call needed to ensure the integrity of our electoral system and avoid our very own version of the alleged foreign interference in the 2016 US presidential election.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.