Misconfigured Box Accounts Can Expose Data

Security researchers at Adversis have discovered that dozens of companies have inadvertently leaked corporate and customer data through their Box enterprise storage accounts because staff are sharing public links to their private corporate files.

According to the researchers, data stored in Box enterprise accounts is private by default, but once users share files or folders through a public link, the data can become publicly accessible. Using a script that scanned for Box accounts with lists of company names and wildcard searches, the researchers identified more than 90 companies, some very well known, including Box itself, with publicly accessible folders.

Some of the folders contained innocuous data, but others included personal information, including passport photographs, bank account information, employee lists, Social Security numbers, and passwords.

Box responded to the discovery by stating that customers decide the security level of their enterprise accounts: Box provides controls so customers can choose the level of security they want, but if users share files or folders broadly, those folders may become accessible. Box is attempting to make the security settings clearer and to educate its customers on how files and folders can be shared.

If your company uses an enterprise Box account, you may wish to consider educating your employees on the importance of not sharing the link to files or folders with others inside or outside of the company, and also to review and update your account configuration.
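One way to make the "review your account configuration" step concrete is to audit a folder listing for shared links whose audience is wider than the item's collaborators. The following is an added example, not code from the article or from Box; it assumes the item shape documented for Box's REST API, where a file or folder carries an optional `shared_link` object whose `access` is `open` (anyone with the link), `company` (anyone in the enterprise) or `collaborators`, plus `is_password_enabled` and `unshared_at` (expiry) fields. The listing is constructed sample data with hypothetical names.

```python
"""Audit a Box folder listing for items exposed through shared links.

Added example, not from the original article or from Box. Assumes the
shared_link fields of Box's REST API item objects (access,
is_password_enabled, unshared_at); the listing is constructed sample data.
"""

# Constructed sample of a folder listing (the shape returned by
# GET /2.0/folders/{id}/items?fields=name,shared_link); not real Box output.
SAMPLE_ITEMS = [
    {"name": "Employee Lists",
     "shared_link": {"access": "open", "is_password_enabled": False, "unshared_at": None}},
    {"name": "passport-scan.jpg",
     "shared_link": {"access": "open", "is_password_enabled": True, "unshared_at": None}},
    {"name": "bank-details.xlsx",
     "shared_link": {"access": "open", "is_password_enabled": False,
                     "unshared_at": "2019-04-01T00:00:00-07:00"}},
    {"name": "all-hands.pptx",
     "shared_link": {"access": "company", "is_password_enabled": False, "unshared_at": None}},
    {"name": "team-roster.csv",
     "shared_link": {"access": "collaborators", "is_password_enabled": False, "unshared_at": None}},
    {"name": "private-notes.txt", "shared_link": None},
]

# Lower number = wider audience; reported first.
SEVERITY = {"public": 0, "public-password": 1, "company": 2}


def link_exposure(item):
    """Classify one item as "public", "public-password", "company" or "restricted".

    "restricted" covers collaborators-only links and items with no link at all,
    which is the private-by-default state the article describes.
    """
    link = item.get("shared_link")
    if not link or link.get("access") == "collaborators":
        return "restricted"
    if link.get("access") == "company":
        return "company"
    # access == "open": the URL works for anyone on the internet
    return "public-password" if link.get("is_password_enabled") else "public"


def audit(items):
    """Return (name, exposure, has_expiry) for every item reachable beyond its
    collaborators, widest exposure first so unprotected public links are seen
    before company-wide ones."""
    findings = []
    for item in items:
        exposure = link_exposure(item)
        if exposure == "restricted":
            continue
        has_expiry = bool(item["shared_link"].get("unshared_at"))
        findings.append((item["name"], exposure, has_expiry))
    return sorted(findings, key=lambda f: SEVERITY[f[1]])


if __name__ == "__main__":
    for name, exposure, has_expiry in audit(SAMPLE_ITEMS):
        print(f"{exposure:16} {'expires' if has_expiry else 'no expiry':9} {name}")
```

Running the audit regularly against each enterprise folder, and turning every unexpected "public" finding into a collaborators-only link, is the configuration review the paragraph above recommends.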

Jackson County, Georgia Pays Hackers $400,000 After Ransomware Attack

Cities and towns continue to be a profitable target for successful ransomware attacks. As we previously reported, the list of cities and towns getting hit with ransomware attacks continues to grow.

Last week, Jackson County, Georgia admitted that it paid hackers $400,000 to obtain access to its information that was locked down by a ransomware attack. The ransomware attack locked agencies out of almost all of their systems, including the sheriff’s office that does criminal bookings, causing the county to try to do business the old-fashioned way—using paper.

According to the County Manager, rebuilding the networks from scratch (apparently there was no back-up system in place) would be a long and costly endeavor. The City Manager said they were facing closure of operations for many months, so paying the ransom was an easier option.

After payment was made, the hacker sent the decryption key, which allowed county employees to get back on their computers and resume work. The ransomware involved was Ryuk, which has been rampant and is believed to originate from Eastern Europe or Russia.

The message to state and municipal governmental entities? Check that back-up system and test it to see if it works in an emergency.

Federal Privacy Law – Could It Happen in 2019?

This was a busy week for activity and discussions on the federal level regarding existing privacy laws – namely the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). But the real question is, could a federal privacy law actually happen in 2019? Cybersecurity issues and the possibility of a federal privacy law were in the spotlight at the recent Senate Judiciary Committee hearing. This week also saw the introduction of bipartisan federal legislation regarding Internet of Things (IoT)-connected devices.

Senate Judiciary Committee Hearing on GDPR and CCPA

Let’s start by discussing this week’s hearing before the Senate Judiciary Committee in Washington. On March 12, the Committee convened a hearing entitled GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation. The Committee received testimony from several interested parties who discussed the pros and cons of both laws from various perspectives. One thing was clear – technology has outpaced the law, and several of those who provided testimony to the Committee argued strongly for one uniform federal privacy law rather than the collection of 50 different state laws.

Some of the testimony focused on the impact of the GDPR, both on businesses and economic concerns, and some felt it is too early yet to truly know the full impact. Others discussed ethical concerns regarding data use, competition, artificial intelligence, and the necessity for meaningful enforcement by the Federal Trade Commission (FTC).

One thing made clear by the testimony presented is that people want their data protected, and maybe they even want to prevent it from being shared and sold, but the current landscape makes that difficult for consumers to navigate. The reality is that many of us simply can’t keep track of every privacy policy we read, or every “cookie” we consent to. It’s also increasingly clear that putting the burden on consumers to opt in/opt out or try to figure out the puzzle of where our data is going and how it’s used, may not be the most effective means of legislating privacy protections.

Model Federal Privacy Law

Several of the presenters at the Senate hearing included legislative proposals for a federal privacy law. (See the link included above to the Committee website with links to individual testimony). Recently, the U.S. Chamber of Commerce also released its version of a model federal privacy law. The model legislation proposal contains consumer opt-out rights and a deletion option, and would empower the FTC to enforce violations and impose civil penalties for violations.

IoT Federal Legislation Is Back – Sort of

In 2017, federal legislation regarding IoT was introduced but didn’t pass. This week, the Internet of Things Cybersecurity Improvement Act of 2019 was introduced in Congress in a bipartisan effort to impose cybersecurity standards on IoT devices purchased by the federal government. The new bipartisan bill’s supporters acknowledge the proliferation of internet-connected things and devices and the risks to the federal government of IoT cybersecurity vulnerabilities. This latest federal legislation applies to federal government purchases of IoT devices and not to a broader audience. We recently discussed the California IoT law that was enacted last year. Effective January 1, 2020, the manufacturer of any IoT device sold in California must equip the device with “reasonable security feature or features” to “protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.”

The convergence of the new California law and the prospect of federal IoT legislation raises the question of whether the changes in California law and on the federal level would be enough to drive change in the industry and increase the security of all IoT devices. The even bigger question is whether there is the political will in 2019 to enact a comprehensive federal privacy law. That remains to be seen as the year progresses.

Employees and Partner Organizations Pose Threat to Companies

According to the 2019 Verizon Insider Threat Report, 20 percent of all cybersecurity incidents and 15 percent of data breaches in 2018 were caused by insiders—that is, employees or partner organizations. The reasons for these threats included financial gain (to use or sell company data to make money—47.8 percent), pure fun (23.4 percent) and espionage (14.4 percent).

The report lists five categories of insider threat actors:

  1. The Careless Worker—who misappropriates resources, installs unauthorized apps and workarounds, breaks the company’s acceptable use program, or mishandles data.
  2. The Insider Agent—who is recruited, solicited or bribed to exfiltrate data from the company.
  3. The Disgruntled Employee—who wants to hurt the company by destroying or exfiltrating data to cause harm to the company.
  4. The Malicious Insider—who accesses corporate assets and intellectual property information for personal gain.
  5. The Feckless Third Party—business partners who have reduced security, compromising company data through negligence, misuse, or malicious threat.

The Verizon Report provides a framework for addressing insider threats proactively.

U.S. Navy to Contract New Unmanned Surface and Underwater Vehicles

The U.S. Navy is moving fast to acquire a new unmanned surface vehicle (USV) and hopes to award a contract for the USV by the end of 2019. Over the next two months, the Navy plans to issue a request for proposals for a new, medium-sized USV, up to 50 meters long. The Navy seeks a USV that can function as a sensor and communication relay as part of a family of unmanned surface systems being developed by the Navy. Additionally, the USV will be able to carry a payload similar to that of a 40-foot shipping container, return to port, and be capable of refueling at sea. The USV will also be able to autonomously operate at a cruising speed of about 16 knots, with a minimum range of 4,500 nautical miles, operated through a government-provided communication relay system.

In addition to these USVs, the Navy plans to invest to improve the technology on its unmanned underwater vehicles as well. The Navy also plans to add 100 personnel to its explosive ordnance disposal (EOD) force so it can have a greater presence around the globe. These two additions to its fleet will allow the Navy to search bodies of water for potential dangers and neutralize threats much faster.

The Navy has eight (8) unmanned systems platoons now and will grow to 16 in the next three years. Unlike other parts of the EOD community, the men and women in the unmanned systems platoons are not EOD techs, but rather pull from a range of fleet ratings.

The Navy’s goal is to enable the unmanned vehicle to make decisions while it’s in the water, and reach a level of trust in the vehicle to make the right decisions. If the vehicle sees an object of interest, it can decide to take more passes at it so the Navy can better understand what’s there, which in turn will save team members the time of having to send out a second mission. We will provide updates on other maritime unmanned vehicle projects as the Navy invests more efforts in this area.

Privacy Tip #181- IRS Warns Consumers and Employers About Tax-Related Phishing Schemes

In another round of warnings from the federal government on protecting yourself from tax return fraud and identity theft, the Internal Revenue Service (IRS) has issued its 2019 “Dirty Dozen” Campaign, designed to warn individuals about the most common tax-related phishing schemes that are focused on tax fraud and identity theft.

During tax season, cyber criminals work around the clock to locate and dupe consumers into giving them information they need in order to file false tax returns. The schemes can happen over the telephone, via text messages, websites, or email.

The first of the Dirty Dozen is a warning about the highest threat – phishing. Phishing emails look very real and use the IRS’ logo and threatening language designed to scare the recipient into giving personal information. The email or telephone call appears to be from someone from the IRS, threatening legal action or fines if you don’t pay taxes due. They are usually urgent and require the recipient to make a split-second decision.

A new twist on phishing campaigns this year was one targeted at tax preparers and professionals. The campaign against these professionals obtains the personal information of the professional’s clients; fraudulent tax returns are then filed in the clients’ names, the refunds are paid out, and the scammers contact the taxpayers posing as a debt collector acting on behalf of the IRS to get the refund back. Very clever.

The IRS also warned payroll offices and human resources departments that they should be on high alert for phishing emails requesting W-2 forms of employees, which the scammers use to file false tax returns seeking refunds. According to the IRS, variations of these schemes include requesting changes to an employee’s direct deposit information (which should always be verified directly with the employee), payment of fake invoices, or requests for wiring instructions to a new or different account.

The IRS requests that anyone who has become the victim of any of these schemes report it to phishing@irs.gov. It reminds people that the IRS generally does not email or call individuals regarding their taxes, and to be on high alert for any calls or emails claiming to be from the IRS.

Financial Industry Getting Hammered with Cyber-Attacks

Cybersecurity company Carbon Black recently issued a report of the results of a survey of chief information security officers (CISOs) of financial organizations, which showed that the financial industry is getting hammered by more frequent and sophisticated cyber-attacks. Carbon Black partnered with Optiv to survey banks and financial institutions around the world.

According to the survey, two-thirds of the responding CISOs in the financial sector said there has been an increase in cyberattacks against their organizations in the last year, and 80 percent said the attackers are more sophisticated in how they are targeting and launching attacks on organizations, particularly through social engineering and targeted phishing campaigns.

Consistent with our other reporting, 26 percent of those replying to the survey said they had been hit with a destructive attack meant to destroy rather than steal data. According to the survey, this is a 160 percent increase from last year.

Seventy percent of those surveyed said they were most concerned about attackers seeking financial gain, while 30 percent were most concerned about nation-state attacks. Both concerns are realistic and concerning, as banks have been pegged by Moody’s as one of the top four industries most vulnerable to cyber-attacks (along with securities exchanges, investment firms and hospitals), where the disruption and economic effect from a successful attack could be devastating.

Plaintiff Argues GoDaddy Texting Campaign Used an Autodialer

Lead plaintiff, John Herrick, in the Telephone Consumer Protection Act (TCPA) class action lawsuit against GoDaddy.com LLC (GoDaddy.com) opposed an Arizona federal judge’s May 2018 decision to grant summary judgment in favor of GoDaddy.com. The court granted summary judgment on the grounds that the platform used to send the text messages did not qualify as an autodialer under the TCPA since the platform did not have the ability to generate the numbers it texted or to send text messages without human intervention. The court based its decision on the D.C. Circuit’s ruling in March 2018 in ACA International v. Federal Communications Commission (FCC), which narrowed a 2015 FCC order that defined an “automatic telephone dialing system” (or autodialer) to mean any device with the ‘capacity’ to place autodialed calls, even if it required additional software.

However, Herrick’s counsel argued that the court should look at its own precedent in Marks v. Crunch San Diego, which reached the opposite conclusion from the D.C. Circuit when it came to the validity of the FCC’s broad autodialer definition. Herrick’s counsel now argues that the Marks decision compels reversal of the district court’s order granting summary judgment.

This has been one of the highest-profile TCPA cases in the last year because of the almost 30-year-old law’s definition of an autodialing system as “equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator, and to dial such numbers.” We will follow the court’s decision on this issue.

Data Privacy and Security Contractual Provisions

During a dispute between parties, or in the middle of a security incident, is not the best time to determine whether you have sufficient contractual provisions in place with a customer or vendor. Lately, I have been asking clients these questions: “Do you have a contract in place and what does it say about ‘this?’” or “What are our obligations under our contract with the customer?” or “What does the vendor have to tell us about ‘this’ in the contract?”

Often when we obtain and read a contract, it is silent on what we need to rely upon, or is ambiguous or adverse to the client’s position. Oftentimes, the contract has not been reviewed by legal and has been signed by the business unit without negotiation. And when the contract needs to be reviewed to determine the applicable provisions once there is an issue, it becomes very difficult to make the other party agree to do something that might be fair under the circumstances because it wasn’t addressed in the contractual language.

Virtually every business relationship or merger and acquisition these days involves some sort of data sharing, transmission, access or use between the contractual parties. And yet it is shocking the number of times we get involved in a data security issue for a client with another business and find there is no contractual language applicable to data privacy and security. When there is no language to address data privacy and security issues, the parties duke out what they will agree to or not agree to, who will pay for what, and who has insurance, and they end up pointing the finger indiscriminately. It is much easier to address a data security issue when there is contractual language in place between the parties.

Whether you have a formal vendor management program in place or not, as you evaluate contracts going forward, or during your next merger or acquisition, consider inserting contractual language and representations and warranties about data privacy and security. That way, when an issue occurs, the obligations of the parties will be unambiguous and the dispute can be resolved in a more amicable manner.

Privacy Tip #180 – National Consumer Protection Week—Tax Identity Theft

This week is National Consumer Protection Week. In celebration of that, this post is devoted to protection from tax identity theft.

At this time of year, as we all prepare and file our tax returns with the Internal Revenue Service (IRS), we are reminded again that tax identity theft continues to be a problem. Tax identity theft occurs when a criminal has either purchased or obtained your personal information and files a false tax return in your name to get a refund from the IRS. Then, when you file your taxes, you get a notice that your tax return has already been filed and your refund issued. The problem is that you didn’t file your tax return and get the refund; the criminal did. If you are a victim, there are a number of things you must do to prove who you are in order to file your real tax return, and to rectify the fraud. It is a time-consuming and rather irritating process, caused by this criminal act.

We have written about tax identity theft before in more detail.

We also note that the Federal Trade Commission is hosting a Twitter chat tomorrow, March 8, 2019 at 11 a.m. EST with the Identity Theft Resource Center to discuss protecting yourself against tax identity theft. Here is the information if you want to join the conversation: https://twitter.com/FTC or https://twitter.com/ITRCSD.

You can also follow along using the #NCPW2019 hashtag.