This week
Thanks for your feedback on the Need to Know Matrix last week. Hopefully, this size is more legible on smaller screens. (The more feedback, the merrier: let me know what you think!)
- SEC fines companies for misleading breach disclosures (This Week)
- Change Healthcare breach affects over 100M people (This Week)
- Hong Kong government bans WeChat (Interesting Reads)
- OpenAI’s voice API can be used to automate phone scams (Interesting Reads)
- CFPB warns over consent for workplace surveillance (Privacy)
- TikTok intern was fired for interfering with AI models (Incidents)
- Ireland’s DPC fines LinkedIn €310 million (Privacy)
- REvil leadership receive prison sentences (Law Enforcement)
SEC fines four companies in settlement over SolarWinds incident disclosures
- The Securities and Exchange Commission (SEC) has fined four companies in a settlement over claims they failed to accurately disclose the nature or extent of breaches. LINK
- Unisys, Avaya, Check Point, and Mimecast were all caught up in the SolarWinds Orion breach at the end of 2020, but SEC enforcement director Sanjay Wadhwa says they “provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.” They will pay $4 million, $1 million, $995,000, and $990,000, respectively.
- In Unisys’ case, their investigation found that seven network and 34 cloud accounts had been accessed over 16 months and used to steal 33 gigabytes of data; the public filing talked about the incident in hypothetical terms. Meanwhile, Avaya knew a server holding customer data had been compromised, then the company received further notification from a third party but chose to describe the incident as relating to “a limited number of company email messages,” continuing that there was “no current evidence of unauthorized access to our other internal systems.” Avaya’s statement was conciliatory, while Check Point and Mimecast both maintain they didn’t do anything wrong and have settled in the best interests of shareholders. LINK
- The message is clear: the SEC expects honest appraisals of security incidents in regulatory filings and annual reports, and that it is incumbent on companies to “not further victimize their shareholders”.
UnitedHealth says Change Healthcare breach affects over 100 million people
UnitedHealth says the breach at subsidiary Change Healthcare affects over 100 million people, the first time it has acknowledged the scale of the breach with a specific number.
- UnitedHealth Group (UHG) says it is reaching the end of its process to notify the affected individuals, which commenced in July, citing the “volume and complexity of the data involved”.
- Writing for TechCrunch, Zack Whittaker reports, “The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver’s license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information — as well as financial and banking information found in claims and payment data taken by the criminals.”
- The breach, which occurred in February 2024, was claimed by the ALPHV/BlackCat ransomware gang. LINK
Sophos to acquire SecureWorks for $859 million
- UK cyber security company Sophos has announced that it is acquiring Secureworks in an all-cash deal reportedly worth $859 million. The deal is a ~28% premium on Secureworks’ current share price.
- Sophos says that the deal is about broadening and strengthening its portfolio of products and services for SME and enterprise customers. Identity threat detection and response (ITDR), ‘next-gen’ SIEM, and operational technology (OT) capabilities are all cited as new offerings.
- Secureworks is still 79% owned by Dell, which took the company public in 2016, while private equity firm Thoma Bravo backs Sophos. LINK
Interesting stats
Cyber Essentials
The UK’s Cyber Essentials scheme is 10 years old. LINK
31,294 organisations had achieved certification in February 2024, which, by my maths* I reckon is 2.2% of UK employers.
31% of large, 13% of medium, 4% of small, and 0.2% of micro* employers (see definitions below) have achieved Cyber Essentials certification, according to a new impact evaluation. LINK
- It seems the research company has conflicting definitions of ‘micro’ as either 1 to 9 or ‘fewer than 10’ staff. The 0.2% value appears to be based on the existence of 5 million eligible businesses in the UK. I believe this 5 million is an oft-cited but misrepresentative number and that the 1.4 million ‘employers’ (1+ staff) are a better basis unswayed by myriad holding companies. That’s a separate post, though.
Typically, it costs £1,894 micro (1 to 9 employees), £4,741 small (10 to 49 employees), £6,267 medium (50 to 249 employees), and £31,459 large (250+ employees) to become certified.
The vast majority have done so because it’s a contractual requirement, though other ‘business enabling’ reasons were also cited: 35% say they obtained it because it was a contractual requirement, 17% because it was a customer requirement (but presumably not contractual), and 6% to help them attract new customers.
Other newsy bits / in brief
🤓 Interesting reads:
- Cyber insurance: “An effective government backstop would require preexisting consensus on security standards, data sharing, and cooperation,” argues Eduard von Herbestein. There’s also an interesting comparison from folks at Spectra, showing how the data collected for property insurance has evolved, presumably as the models have grown in nuance, too. LINK
- Artificial intelligence company Anthropic has added the capability to control a user’s keyboard and mouse to its Claude 3.5 Sonnet model. The ‘computer use tools’ come with a warning that “instructions on webpages or contained in images may override instructions or cause Claude,” and users should “avoid risks related to prompt injection.” It’s cool, but what could possibly go wrong? LINK
- Hong Kong’s government has banned WeChat from its computers over data breach concerns. LINK
- Researchers at the University of Illinois Urbana-Champaign (UIUC) say OpenAI’s real-time voice API can be used to run phone scams with an average success rate of 36% and cost of $0.75. There’s a video of their AI agent running through the steps to steal funds from a Bank of America account; you’d probably (hopefully!) not fall for it, but it’s more about the concept. LINK, VIDEO
- Google DeepMind has released a tool called SynthID that can seamlessly watermark images, video, audio, and text created with generative AI. LINK
- Eric Geller writes for The Record on software liability, an effort that has been struggling to gain traction in the US due to lobbying and the lack of a decision on the appropriate standard. In contrast, earlier this month, the European Commission issued a directive that existing product liability rules should apply to consumer technology, making it easier to claim damages. US, EU
⚠️ Incidents:
- Hacktivist groups, including LulzSec Black and Anonymous Syria, have attacked Cyprus’ critical infrastructure to “punish” the country for supporting Israel. Temporary disruptions to banks, airports, and government websites were reported as the result of distributed denial of service (DDoS) attacks. LINK
- A threat actor calling themselves ‘Satanic’ claims to have stolen the data of 350 million customers of clothing company Hot Topic. The names, email, physical addresses and dates of birth are allegedly from the retailer’s loyalty programme. Some card details (last four digits, hashed expiry) are also claimed to have been taken. The attacker is asking for $20,000 for the database. LINK
- US insurance administrator Landmark Admin says that 800,000 people were affected by a data breach in May this year. In a regulatory filing, Landmark Admin said names, Social Security numbers, and tax IDs were exposed. LINK
- Trump and Vance may have been possible targets of the China-backed attack on lawful intercept platforms at US telcos. LINK
- TikTok parent company ByteDance has admitted firing an intern for “serious disciplinary violations” relating to the training of its AI models but downplayed the damage caused, which online rumours suggest extends to “tens of millions of dollars”. Much like SolarWinds’ ‘blame the intern’ defence (vol. 4, iss. 9), if a single intern can do that much damage, then you’re doing something wrong. LINK
- The Internet Archive attacker claims to still have access to the tools used by the company, including its Zendesk support instance. LINK
- The Polyfill[.]io supply chain attack (vol. 7, iss. 26) may have been designed to redirect Chinese users to copycat gambling sites, according to Silent Push researchers. LINK
🕵️ Threat Intel:
- Ransomware groups are targeting a critical vulnerability in Veeam’s backup solution, which was disclosed a month ago. Backup solutions often have access or routes across an organisation’s network (necessary to transfer and back up data), and so they present an attractive target with good access. LINK
- The Black Basta ransomware group is using Microsoft Teams and posing as IT support to social engineer their way into company environments. LINK
- Cisco Talos says that the Akira ransomware gang is back to encrypting victims’ data again after a period focusing solely on exfiltrating data for extortion purposes. LINK
- The Qilin ransomware-as-a-service group has released a ‘more advanced’ variant of its malware with improved encryption and evasion capabilities, according to Halcyon. LINK
- The Ghostpulse malware now receives its commands via the pixels in PNG image files. The payload is extracted from specially crafted images and reconstructed using each pixel’s red/green/blue values sequentially. LINK
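The sequential red/green/blue extraction described above, as an added Python example that is not from the page or from any vendor’s analysis of Ghostpulse: it constructs a small PNG whose pixel bytes carry a demo payload, then shows the analyst-side recovery of that byte stream from the image. The MARKER/length framing, `build_png`, `pixel_stream` and `extract_payload` are all assumptions for this demo, not the malware’s real format.

```python
import struct
import zlib
# Demo-only framing (not Ghostpulse's real format): 4-byte marker, big-endian payload length, payload.
MARKER = b"DEMO"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, tag, body, CRC32 over tag+body."""
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))

def build_png(pixel_bytes: bytes, width: int) -> bytes:
    """Constructed sample: minimal 8-bit RGB PNG whose R,G,B bytes, pixel by pixel, are pixel_bytes (zero-padded)."""
    stride = width * 3
    data = pixel_bytes + b"\x00" * (-len(pixel_bytes) % stride)
    rows = b"".join(b"\x00" + data[i:i + stride] for i in range(0, len(data), stride))  # filter type 0 per row
    ihdr = struct.pack(">IIBBBBB", width, len(data) // stride, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b"")

def pixel_stream(png: bytes) -> bytes:
    """Analyst view: raw R,G,B bytes of an 8-bit RGB PNG in sequential pixel order (filter type 0 only)."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, idat = 8, 0, b""
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, _height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("demo handles 8-bit RGB images only")
        elif tag == b"IDAT":
            idat += body  # image data may span several IDAT chunks
        pos += 12 + length  # 4 length + 4 tag + body + 4 CRC
    raw, stride, out = zlib.decompress(idat), width * 3, bytearray()
    for i in range(0, len(raw), stride + 1):
        if raw[i] != 0:  # first byte of each scanline is its filter type
            raise ValueError("demo handles filter type 0 only")
        out += raw[i + 1:i + 1 + stride]
    return bytes(out)

def extract_payload(png: bytes) -> bytes:
    """Recover the framed payload from the pixel stream; empty bytes if the marker is absent."""
    stream = pixel_stream(png)
    if not stream.startswith(MARKER):
        return b""
    (length,) = struct.unpack(">I", stream[4:8])
    return stream[8:8 + length]

SAMPLE_PAYLOAD = b"constructed demo payload"  # constructed sample input, 5 pixels wide
SAMPLE_PNG = build_png(MARKER + struct.pack(">I", len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD, 5)
```

Real images from editors normally use per-row filter types other than 0 and may be paletted or alpha-carrying, so a production extractor would decode via an image library rather than this minimal parser.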
🪲 Vulnerabilities:
- VMware has had a second stab at patching two vulnerabilities that it “did not completely address”. CVE-2024-38812 (9.8/10) and CVE-2024-38813 (7.5/10) are remote code execution and privilege escalation issues, respectively. LINK, ADVISORY
- Akamai security researcher Stiv Kupchik has released proof-of-concept code to carry out NTLM relay attacks and stage takeovers of Microsoft Windows domains. CVE-2024-43532 (8.8/10) was fixed in October’s Patch Tuesday and relates to how Microsoft’s Remote Registry client handles RPC authentication when SMB is unavailable. LINK, ADVISORY
- Fortinet is keeping quiet about a zero-day vulnerability in its FortiGate firewall suite. Multiple discussions on Reddit and social media examine the issue, which appears to stem from a default setting allowing an attacker to enrol their own ‘malicious’ FortiGate appliance to a customer’s FortiManager and gain access to their network. FortiManager instances exposed to the internet — of which there are 60,000 — appear to be vulnerable. LINK, (No advisory ‘cos Fortinet are trying to keep it quiet).
🛠️ Security engineering:
- Google plans to let businesses create their own curated “Enterprise Web Store” of browser extensions. LINK
🧿 Privacy:
- The US is proposing new regulations governing the transfer of personal data to ‘adversarial nations’, such as Russia and China. Thresholds are set to prevent 100 Americans’ genomic data, 1,000 Americans’ geolocation or biometric data, 10,000 Americans’ health and financial data, and 100,000 personal identifiers (including device IDs, Social Security numbers and driver’s license numbers) from being transferred within a 12-month period. The regulations build on an announcement in February this year and also include a provision to prevent data brokers from selling data where they believe it may be transferred to one of those adversarial nations. LINK
- The FCC is expanding its Privacy and Data Protection Task Force and working more closely to coordinate investigations with attorneys general in Maine, Vermont, Massachusetts, Delaware and Indiana. LINK
- Ireland’s Data Protection Commission (DPC) has announced it is fining LinkedIn €310 million ($335M, £258M) for using members’ data for advertising purposes without their consent. LINK
- The US Consumer Financial Protection Bureau (CFPB) has issued guidance warning that companies must obtain workers’ consent for workplace digital surveillance. Rohit Chopra, CFPB director, said “I have serious concerns about how these background dossiers and reputation scores are being used in hiring, promotion and reassignment.” LINK
📜 Policy & Regulation:
- The UK government introduced the Data Use and Access Bill to parliament this week. It’s Labour’s replacement for the previous Conservative administration’s Data Protection and Digital Information Bill. The UK will need to tread carefully to maintain the EU’s ‘adequacy’ decision, which allows for the seamless transfer of personal data across borders. Amongst the measures are a strengthened Information Commissioner’s Office, another stab at a digital identity scheme, and estimated economic benefits of £10 billion over 10 years. LINK
👮 Law Enforcement:
- Four members of REvil received prison sentences of up to six-and-a-half years this week. Russian authorities scooped up Artem Zayets, Alexey Malozemov, Daniil Puzyrevsky and Ruslan Khansvyarov after a tip-off from US counterparts and a conversation between presidents Biden and Putin on the subject of ransomware following several high-profile incidents. LINK
💰 Investments, mergers and acquisitions:
- Socket, a startup providing tools to find open-source software vulnerabilities, has raised $40 million. LINK