I know a lot of people who have looked for and been successful in finding an apartment and/or a roommate on Craigslist. If you are looking for an apartment on Craigslist right now—listen up.

The Federal Trade Commission (FTC) announced yesterday (January 18, 2017) that it has charged Credit Bureau Center LLC and three individuals associated with it for “luring consumers with fake rental property ads and deceptive promises of ‘free’ credit reports into signing up for a costly credit monitoring service.”

The scam worked like this: the company placed Craigslist ads for fake rental properties, or for real properties it had no authority to offer to renters. When people responded to the ads, the individuals associated with the company impersonated the property owners and sent emails offering tours on the condition that consumers first obtain their credit reports and scores from the defendants’ websites.

Although the sites claimed that the credit reports and scores were free, consumers who provided their information to obtain them were automatically enrolled in a credit monitoring service that cost $29.95 per month, a recurring charge that was deducted from their bank accounts or charged to their credit cards.

The sites in question include eFreeScore.com, CreditUpdates.com and FreeCreditNation.com.

The FTC has filed a complaint seeking to stop the practice and to return money to the consumers who were scammed. Good for the FTC!

Here are a couple of tips as takeaways from these facts and this case:

1) Don’t give your Social Security number or other personal information to anyone through a website. A Social Security number is required to obtain a credit report, so these consumers most likely entered theirs into the website in order to get the report, and that is how they ended up enrolled in the service;

2) Be careful about entering debit card or credit card numbers into websites if you are not actually purchasing an item. In this case, the consumers were supposed to be getting a free credit report, so there was no reason to provide credit card or bank account information, which the FTC says was then charged month after month; and

3) Only get your free annual credit report from AnnualCreditReport.com or by calling 877-322-8228.

Following an election season characterized by missing emails, private servers and personal laptops, and amidst pervasive allegations of Russian cybercrimes, outgoing Secretary of Homeland Security Jeh C. Johnson issued an exit memo outlining the cybersecurity strides made by the Department of Homeland Security (DHS) during the Obama administration. Despite acknowledging “tangible progress,” Johnson warned that “more work remains to be done.”

In the memo, which addressed a myriad of national security topics, Johnson described the breadth of DHS’ reach in protecting both the federal and private sector from cyber attacks, highlighting the achievements of DHS’ National Cybersecurity and Communications Integration Center (NCCIC), which he characterized as the “federal government’s 24/7 hub for cybersecurity information sharing, technical assistance, and incident response.” According to Johnson, in fiscal year 2016 alone, the NCCIC “disseminated more than 6,000 bulletins and responded on-site to 32 cybersecurity incidents.” Additionally, Johnson touted the success of the NCCIC’s recently deployed automated indicator sharing platform, which facilitates the real-time exchange of cyber threat indicators between government and the private sector; as of October 2016, 74 entities, including foreign partners, and 12 federal agencies were connected to this new system. Johnson further detailed DHS’ collaborations with foreign governments, including China, its push to enable the hiring of top cybersecurity professionals, and its programs to enhance federal civilian cybersecurity.

Turning to the future, Johnson emphasized his request that Congress establish the Cyber and Infrastructure Protection Agency to replace the National Protection and Programs Directorate, which would enable DHS to “streamline and strengthen existing functions within the Department and ensure [it is] best positioned to execute [its] vital mission of countering cyber threats to the nation.” Johnson also urged Congress to ensure that DHS has the human and financial resources to continue to meet the demand for its services. Johnson concluded by encouraging “the next Administration, Congress, the private sector, and the general public to build on the progress we have made and continue to make cybersecurity a top national security priority.”

On December 30, 2016, the Los Angeles Community College computer network was kidnapped by cyber criminals requesting a ransom for its return.

The ransomware encrypted the college’s entire network system, including email and voice mail systems. Rather than attempt to restore all of the data days before classes were to resume, on January 4, 2017, the college agreed to pay $28,000 to the hackers for the “key” to allow access to the computer systems. Once the ransom was paid, a “key” was delivered to unlock “hundreds of thousands” of files and, according to a college spokesman, “…so far, the key has worked in every attempt that has been made” to retrieve the data.

The college determined with law enforcement and outside experts that there was a high likelihood of restoring the data if the ransom was paid, but a high probability that the data would be lost if the ransom wasn’t paid.

Companies, including higher education institutions, continue to grapple with the question of Ransomware: To Pay or Not to Pay? [see related post]. Until organizations are able to withstand ransomware attacks and refuse to pay the hackers, more and more companies will be victimized, as ransomware continues to be big business for cyber criminals.

New York Governor Andrew Cuomo announced a series of cybersecurity proposals that are designed to protect consumers and government entities from cybercrime and identity theft. One of the proposals includes the creation of a Cyber Incident Response Team that would support state and local government bodies, critical infrastructure and schools. It will be led by the State Division of Homeland Security and Emergency Services within the Counter Terrorism Unit.

The team will work with the private sector and governmental agencies to protect systems and critical infrastructure from cyber-attacks, including malware and ransomware, and will have a hotline in order to report incidents.

The proposal also includes stiffer punishment for computer tampering and identity theft, and for those who prey on seniors and the disabled.

A recent IBM study shows that ransomware increased 6,000 percent in 2016 over 2015. According to the report, ransomware was present in almost 40 percent of all spam email messages.

Ransomware is big business, since according to IBM Research, over 70 percent of business victims of ransomware pay the ransom for the key to get their data returned, despite the FBI’s recommendation not to pay.

A recent PhishMe study also found that over 91 percent of cyber-attacks start with spear phishing emails.

Lessons learned? Continue to impress upon employees how important data security is to your organization, specifically how to detect phishing emails, and invest in a robust data backup system. These statistics indicate that ransomware will continue to victimize businesses.

The No More Ransom Project, a coalition of security companies and law enforcement launched through a partnership among the European Cybercrime Centre, the National High Tech Crime Unit of the Netherlands police, Kaspersky Lab and Intel Security, has added 30 new members and 32 new decryption tools to combat ransomware variants.

The Project includes a website to assist companies with fighting ransomware. The website provides a tool to assist users with determining which type of ransomware has hit their system, how to prevent ransomware and instructions on reporting incidents to law enforcement personnel.

The partners working on the No More Ransom Project have provided additional decryption tools that have been used by over 6,000 victims to recover files locked down by ransomware.

Military personnel continue to be victimized by data breaches. This time, the personal information of healthcare workers employed by Potomac Healthcare Solutions (Potomac), who work for U.S. Special Operations Command, was exposed. The Potomac healthcare workers travel to provide Navy SEALs, Army Green Berets and Rangers, Delta Force members, and Air Force and Marine commandos with healthcare services. Significantly, the exposed information included unit assignments and postings dating back to 1998, which compromised the job site locations of these highly trained operatives.

The unsecured data was found by security researcher Chris Vickery using an Internet of Things search engine. The information, including the names, addresses, email addresses, salaries, security clearances and Social Security numbers of the doctors, nurses and mental health workers, was located by Vickery on the Internet. Reports state that the exposure occurred when Potomac IT personnel misconfigured a data backup, leaving the data accessible on the web.

The New Hampshire Department of Health and Human Services has notified up to 15,000 patients of its psychiatric hospital (New Hampshire Hospital) that their names, addresses, Social Security numbers, Medicaid ID numbers and highly sensitive psychiatric health information were posted on a social media site by a former patient.

The former patient gained access to the information through a laptop located in the hospital library in 2015. Although a staff member saw him accessing non-confidential information, there was no indication at that time that patient data was available on the laptop.

Months later it was discovered that the patient had posted the information of patients on a social media site and an investigation was launched. Patients who received services prior to November of 2015 may have been affected.

The Federal Trade Commission (FTC) has filed a complaint in Northern California against D-Link for putting thousands of consumers at risk over the past decade by failing to maintain adequate security practices in its routers and cameras.

In particular, D-Link products have well-known, preventable software security flaws, including hard-coded credentials and backdoors, which give attackers the ability “to gain control of consumers’ devices.”

Providence Health & Services, a health system located in Alaska, California, Oregon, Montana and Washington, has reported that its paging system has been breached.

An unauthorized individual was able to intercept pages between healthcare workers and post the contents of the pages online between October 25 and October 28, 2016. The pages included patients’ names, room numbers, medications, dates of birth, medical record numbers, symptoms, diagnoses and medical procedures.

It is reported that the paging system was not secured using encryption technology, and, like any device connected to the Internet, it is hackable if it is not secured.