CFOs Beware: You are Being Targeted by Nigerian Hackers

A report released by cybersecurity firm Agari has come to a conclusion that we have experienced all year—that a hacking group in Nigeria, dubbed “London Blue,” is targeting CFOs and Controllers at businesses ranging from small companies to multinational corporations to trick them into sending funds through wire transfers.

We have seen too many of them, and the pattern is disturbing. Forensic experts are hired to determine the cause of the fraud, and the fraud is invariably the result of a successful phishing email that mimics a company insider or a known and trusted vendor and requests the payment of an invoice or a wire for business purposes.

According to the report, more than half of the victims of this Nigerian hacking group are in the United States. According to the FBI, the fraud losses experienced by businesses around the world total more than $12 billion.

The sophistication of the scheme is impressive. That’s because, according to Agari, London Blue employs individuals to work on the fraud scheme just as a legitimate business employs staff. They employ people to work on sales, email marketing, business intelligence, financial resources and human resources. London Blue is able to carry out attacks in 17 languages and has at least 17 collaborators in the US, UK, and the EU.

While investigating London Blue, Agari obtained a list of London Blue’s potential targets, which included more than 50,000 finance executives, 71% of whom were CFOs of their company. Mortgage companies were a specific target, with the goal of stealing real estate purchase or lease payments.

According to Agari, London Blue has engaged a commercial data provider to assist in obtaining information about those on its list of targets, including executives’ names, titles, personal email addresses and company email addresses.

If you are a CFO, Controller or executive, or involved in a mortgage company, beware of this threat and consider implementing new processes in the company for wire transfers and real estate purchases and leases.

Rhode Island Employees’ Retirement System Seeks to Be Lead Plaintiff in Google+ Securities Lawsuit

The State of Rhode Island, Office of the Rhode Island General Treasurer, acting on behalf of the Employees’ Retirement System of Rhode Island, recently filed a motion for consolidation of the two lawsuits and appointment as lead plaintiff in a securities lawsuit filed in the Northern District of California against Alphabet, Inc., the parent of Google.

Google announced this week that it discovered a bug that potentially exposed personal information of approximately 52.5 million Google+ users. Google’s announcement also stated that Google+ will be shutting down in April 2019, a few months earlier than originally planned. Google stated that the bug allowed app developers to view user profile information even when the user’s settings were set to not public. Google maintained that no third party was known to have compromised its systems or misused the information.

The Retirement System alleged that the state pension fund lost more than $4.8 million in the stock market after the privacy breach was first announced in October. We identified shareholders’ derivative suits involving allegations of data security breaches as an area to watch more than two years ago. It looks like these types of lawsuits will continue to become more common after a major data breach.

Multiple Lawsuits Filed Against Marriott After Data Breach – “One of the Largest Digital Infestations in History”

Calling the Marriott data breach “one of the largest digital infestations in history,” a putative class action was filed in Oregon this week seeking up to $12.5 billion in relief. It should come as no surprise that soon after Marriott announced its massive data breach affecting potentially 500 million customers in the Starwood reservations database, several putative class actions were filed around the country and at least one in Canada. Lawsuits were also filed in Maryland and New York.

The Oregon suit alleges negligence and also seeks injunctive relief. The suit seeks, among other relief, up to $12.5 billion, or $25 for each of the potentially 500 million customers whose privacy may have been compromised. The Maryland lawsuit alleges negligence and FTC violations, and generally faults Marriott for failing to protect its customers’ data. The Complaint also alleges that Marriott failed to take appropriate measures to protect and secure customers’ PII, that Marriott took four years to discover the breach, and that customer data is potentially out there on the dark web. The complaint was also critical of Marriott’s response to the breach and of its offer to customers of a service that monitors data on the internet to determine if their data was sold or exchanged. There is already talk of multi-district litigation, and sorting out how a breach of this magnitude could go unnoticed for four years will be critically important as we learn more about this “digital infestation.”

Addressing Insider Threats

In data privacy and security jargon, an insider threat usually includes:

  • an employee who creates a security risk due to a lack of awareness or carelessness, but doesn’t mean to do anything wrong (clicks on a phishing email and introduces malware or ransomware into the system);
  • an employee who creates a security risk for his or her own purposes (sends a customer list to his or her personal account); or
  • an employee who has malicious intent and is stealing information to sell it, or is working for another malicious individual.

Companies are responding to each of these threats and are implementing risk management techniques to address the threats.

There are some simple strategies to start to address these threats.

For the unengaged or careless employee, companies are implementing robust employee awareness campaigns that engage employees, educate them on data security, and arm them with ways to address phishing, wire fraud and spoofing, along with basic cyber hygiene such as handling removable media safely and using complex passwords.

For the employees who are sending company data to their personal email accounts, companies are implementing data security guidelines that prohibit employees from sending any company data to personal email accounts, advising employees of the requirement, auditing employees’ use of company email, actively monitoring employees’ use of email, using alert tools, and performing targeted look-backs of emails sent by those employees who depart suddenly or are terminated. When you tell your employees that this is what you are doing, it is effective in addressing this risk.

For the malicious employee, strategies include obtaining background checks, using monitoring tools and look-backs, using security tools that alert IT to suspicious behavior, and using predictive modeling technology. But honestly, a malicious employee, or one who is an actual criminal and becomes employed with the company to steal from it, is obviously the hardest risk to address.
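One way to turn the alerting and look-back strategies above into a concrete check, as an added example that is not part of the original post: a small rule run over a constructed outbound-mail gateway log that flags company mail carrying attachments to personal webmail domains, plus a look-back over a departing employee’s external mail. The log format, the personal-domain list, the company domain and the 30-day window are all assumptions made for the example.

```python
"""Insider-threat email checks over a constructed outbound-mail log (example, not the post's code)."""
from datetime import datetime, timedelta

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
COMPANY_DOMAIN = "example.com"  # constructed placeholder for the company's own domain

# Constructed gateway log, one message per line: timestamp|sender|recipient|attachments|subject
SAMPLE_LOG = """\
2018-12-03T09:12:41|alice@example.com|vendor@supplier.example|1|PO 4471
2018-12-03T17:55:02|bob@example.com|bob.smith99@gmail.com|3|customer list Q4
2018-12-04T08:03:17|bob@example.com|bob.smith99@gmail.com|0|lunch?
2018-12-05T12:30:00|carol@example.com|carol@example.com|2|notes to self
2018-12-06T22:14:09|dave@example.com|d.jones@yahoo.com|5|backup
"""


def parse_log(text):
    """Turn raw log lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, n_att, subject = line.split("|", 4)
        rows.append({"ts": datetime.fromisoformat(ts), "sender": sender.lower(),
                     "rcpt": rcpt.lower(), "attachments": int(n_att), "subject": subject})
    return rows


def flag_personal_webmail(rows, min_attachments=1):
    """Alert rule: a company sender mailing a personal webmail domain with attachments."""
    hits = []
    for r in rows:
        if not r["sender"].endswith("@" + COMPANY_DOMAIN):
            continue  # only company-originated mail is in scope
        rcpt_domain = r["rcpt"].rsplit("@", 1)[-1]
        if rcpt_domain in PERSONAL_DOMAINS and r["attachments"] >= min_attachments:
            hits.append(r)
    return hits


def departure_lookback(rows, departed, departure_date, days=30):
    """Look-back: every external message a departing user sent in the N days before leaving."""
    start = departure_date - timedelta(days=days)
    return [r for r in rows
            if r["sender"] == departed
            and start <= r["ts"] <= departure_date
            and not r["rcpt"].endswith("@" + COMPANY_DOMAIN)]
```

The attachment threshold keeps chatter like the empty “lunch?” message out of the alert queue, while the look-back deliberately keeps it, since a departure review wants the whole external trail.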

How Drones are Conducting Bridge Inspections

Last week, Intel announced two separate collaborations with the Kentucky Transportation Cabinet (KYTC) and the Minnesota Department of Transportation (MnDOT) to improve bridge inspections using drones. Intel and the KYTC have already used Intel’s drone technology to help inspect and analyze the Daniel Carter Beard Bridge, an 8-lane interstate bridge across the Ohio River that carries over 100,000 vehicles daily. With that much traffic, even a lane closure can result in costly delays. Intel’s Falcon 8+ drone technology allowed the bridge to remain open while it captured about 2,500 high-resolution aerial images, or about 22 GB of data, which were uploaded to the Intel Insight Platform. The data was used to create 3-D models and to monitor the bridge’s paint deterioration and cable stability over time.

Separately, Intel worked with MnDOT and Collins Engineers to expedite an inspection of the Stone Arch Bridge, a pedestrian and bicycle bridge. Due to the complex nature of the aging bridge, it requires inspection annually as opposed to bi-annually. By using drones, they have been able to reduce work hours by about 28% and inspection costs by about 40%. This collaboration is yet another example of how drones are cutting costs and increasing efficiency.

FAA Regulations Extend to Drone Manufacturers

The Federal Aviation Administration (FAA) Reauthorization Act comes with a new set of regulations for drone manufacturers. The FAA’s rule is intended to impose safety standards on manufacturers. While drone operators will face stricter scrutiny and enforcement under the Act, the FAA now also wants drone manufacturers to be responsible for implementing safety standards that will essentially force compliance by drone operators. The obligations on drone manufacturers are set forth in Section 345 of the Act, and compliance is mandatory. The process is not yet in place, but the FAA will establish one by which manufacturers self-certify compliance. The manufacturer must submit a statement of compliance to the FAA which must:

  1. Identify the aircraft make, model, range of serial numbers, and any consensus safety standards used and accepted by the FAA;
  2. State that the aircraft make and model meet the consensus safety standards;
  3. State that the aircraft make and model conforms to the manufacturer’s design data and is manufactured in a consistent way across all units;
  4. State that the manufacturer will make available to the FAA, operators or customers operating instructions and recommended maintenance and inspection procedures;
  5. State that the manufacturer will monitor safety of flight issues;
  6. State that at the request of the FAA, the manufacturer will allow access to its facilities for purposes of overseeing compliance;
  7. State that the manufacturer ground- and flight-tested random samples of aircraft, found the sample aircraft performance acceptable, and determined that the make and model of aircraft is suitable for safe operation.

The hurdle for those manufacturers who want to be first to market is that safety standards do not yet exist. The FAA will create these standards over the next few months. However, for now, manufacturers can reasonably predict what some of those standards might be: restricting maximum height above ground level, restricting the time of day that a drone can be operated, restricting flight in geo-fenced areas using GPS, etc. And while it hasn’t been on the FAA’s radar yet, hopefully some basic security measures for data transmission will be implemented as well. If the FAA doesn’t make that mandate, maybe the industry will take this important step instead.

Privacy Tip #169 – What to Do When You Get the Breach Notification Email from Starwood Hotels/Marriott

I knew I would get it. It was just a matter of time. The dreaded breach notification email from Starwood Hotels/Marriott hit my inbox this Monday. As you know, I am one that is serious about data privacy. I have received notification of data breaches of my information before, and what irks me is that none of these data breaches are a result of my fault, including this one.

This one is particularly disturbing because it includes passport numbers. This is a first for me. I am having a difficult time understanding why Starwood/Marriott would store my passport number. Why do they even have my passport number? Can’t they just ask for it when they need it and then delete it when they no longer need it? The only time I recall giving my passport number to any hotel chain is when traveling internationally, which is an uncommon occurrence.

So now that 500 million others are receiving the same breach notification I received from Starwood/Marriott, what do we do?

Here are some tips:

  • Consider a credit freeze (although this will not tell you if someone is using your passport)
  • Avail yourselves of the services being offered for free by Starwood/Marriott, which are outlined in the breach notification letter
  • Check your bank and credit card statements like a hawk (this should be an ongoing activity)
  • Consider obtaining a new passport as there are no monitoring services that I know of that include a passport number (Ugh!)
  • Take a look at the tips provided to us from the FTC

I am frustrated and I know that you are too. This incident emphasizes how important it is for companies to determine why they are collecting our personal information, and how long they need it. If they don’t need it anymore, companies need to consider disposing of it so it does not put the company and us at risk.

Bitcoin Firm Alleges Manipulation of the Bitcoin Cash Network that is Alleged to Have Resulted in a $4 Billion Industry Meltdown

United American Corp., operating as UnitedCorp, filed a lawsuit in the United States District Court for the Southern District of Florida last Thursday alleging that several prominent figures in the Bitcoin cryptocurrency market essentially “hijack[ed] the Bitcoin Cash network,” causing widespread harm to U.S. Bitcoin holders. In the twenty-seven-page, one-hundred-twenty-two-paragraph complaint, UnitedCorp takes aim at bitcoin miner Bitmain Inc. and its owner Jihan Wu, well-known bitcoin investor Roger Ver and his company Bitcoin.com, and the Kraken Bitcoin Exchange, among others, claiming that they attempted to “centraliz[e] what is intended to be a decentralized transactional system enabling the corruption of the democratic and neutral principles of the Bitcoin Cash network.”

Advanced Care Hospitalists Settles with OCR for $500,000 for Alleged HIPAA Violations

The Office for Civil Rights (OCR) has announced that it has settled with Lakeland, Florida-based Advanced Care Hospitalists (ACH) for $500,000 over allegations of an impermissible disclosure of protected health information by one of its business associates. ACH provides contract internal medicine physicians to nursing homes and hospitals.

According to the press release, between November 2011 and June 2012, ACH engaged an individual who claimed to be a representative of Doctor’s First Choice Billings, Inc., which provides medical billing services. Although the individual used First Choice’s website and company affiliation, the owner of First Choice denied that the individual was employed by First Choice, and stated that the services were provided without the knowledge or permission of First Choice.

On February 11, 2014, a hospital notified ACH that patient information, including names, Social Security numbers and clinical information, was accessible through First Choice’s website. The website was subsequently taken offline.

Thereafter, ACH submitted a breach notification report to OCR which stated that the PHI of 400 individuals had been impermissibly disclosed through the website, but later amended the report to add another 8,855 patients whose PHI was impermissibly disclosed.

The $500,000 settlement was based upon OCR’s investigation which found that ACH had not implemented any HIPAA policies and procedures until April 1, 2014, and that ACH was disclosing PHI to the individual without entering into a Business Associate Agreement with the individual. The OCR alleges that ACH impermissibly disclosed the PHI of 9,255 patients to the individual, which was subsequently exposed through First Choice’s website.

In addition to the $500,000 payment, ACH also agreed to a Corrective Action Plan to address its HIPAA compliance.

OSHA’s Use of Drones During Workplace Inspections

These days, it is not uncommon to see drones flying overhead. But employers beware: you might see one during your next workplace inspection. Earlier this year, OSHA issued a memo formalizing its use of drones for inspection activities, and, according to a recent report by Bloomberg Law, it used drones for 9 inspections this year.

The memo indicates that OSHA can use drones for a number of purposes, including inspection of inaccessible or unsafe areas, technical assistance in emergencies, and compliance assistance activities. The memo sets forth the parameters OSHA must follow when using drones, but it also indicates that OSHA is exploring the option of obtaining a Blanket Public Certificate of Waiver or Authorization (COA) from the FAA to operate drones nationwide.