Data leak marketplace dials up the pressure
The Marketo marketplace specializes in selling leaked data and is using a new technique to pressure companies into paying for it. The marketplace has been emailing competitors of impacted companies, offering them sample packs of the stolen data in the hope of enticing them to buy the whole thing. The recently shuttered Clop ransomware gang also used this ploy in the past. Bleeping Computer reports that Marketo attempted to sell data belonging to a defense contractor, as well as other prominent large companies.
Bay Area water treatment plant targeted in cyber attack
In February, a malicious actor attempted to raise the levels of lye allowed at an Oldsmar, Florida water plant to toxic levels. Now NBC News reports that earlier in the year, on January 15th, another threat actor attempted to impact the water being processed at a San Francisco Bay Area water treatment plant. The system was accessed through a former employee’s TeamViewer account credentials, and the access was used to delete a program used to treat drinking water. The access was detected the next day, and the program was restored. No one reported being sick from the incident, and according to the Northern California Regional Intelligence Center, tampering with the program would not have resulted in poisoning the water.
CISA lacks info on federal agency security
In a letter recently sent to Senator Ron Wyden’s office, CISA said it didn’t know which federal agencies were following basic security procedures like segmenting traffic with firewalls. This comes after Senator Wyden questioned why agencies did not have properly configured firewalls, since this would have prevented the SolarWinds Orion supply chain attack from being exploited. In the letter, CISA said it did not plan to mandate the use of firewalls for all federal agencies, since they each have their own operational requirements.
European Commission adopts new data transfer rules
David Stauss at Security Magazine broke down some of the implications of the European Commission’s recently adopted sets of standard contractual clauses, one for use between controllers and processors, and the other overseeing personal data transfers to third countries. The new clauses provide an allowance for parties to take “practical experience” into consideration when looking at the legality of data transfers, rather than a purely objective analysis in light of GDPR regulations. While the new clauses will still require plenty of legal scrutiny, this should provide more clarity on international data transfers, which have been ambiguous since the EU-US Privacy Shield framework was invalidated by the European Court of Justice last year.
Thanks to our episode sponsor, RevCult

Ransomware payments might be tax deductible
According to tax experts interviewed by the Associated Press, ransomware payments made directly by an organization could be tax deductible, in the same way that funds lost through more traditional crimes of robbery and embezzlement meet the “ordinary and necessary” criteria for being deductible. Payments made by ransomware insurance would not be deductible. The IRS has issued no formal guidance on ransomware payments, although the US FBI and other law enforcement agencies have issued guidance urging organizations not to meet ransomware demands.
(AP News)
China’s crypto crackdown continues
The People’s Bank of China said it recently met with financial institutions and payment firms in the country, urging them to crack down on cryptocurrency trading on their platforms. This comes after China’s State Council said it would step up efforts to restrict bitcoin trading and mining, as well as strengthen the country’s existing digital currency efforts. In response to the meeting, Alipay said it will set up a regulator monitoring system targeting key websites and accounts to detect illegal crypto-related transactions, as well as create a ban list for merchants involved in virtual currency transactions.
(Reuters)
Colorado gets closer to passing privacy law
If passed, Colorado would be the third state in the US to have sweeping privacy regulation, following California and Virginia. The Colorado State Senate approved the “Colorado Privacy Act” earlier in June, and it now awaits signature by Governor Jared Polis. If signed, the law would go into effect on July 1, 2023. The law would give residents the right to opt out of the sale of personal data, the right to deny processing of their data for use in personalized ads, the right to access and correct data, the right to data portability, and the right to opt out of automated profiling.
(CISO Mag)
Energy companies remotely change smart thermostats
Houston’s KHOU reports that the energy-conservation promotion called Smart Savers Texas remotely increased the temperature of enrolled smart thermostats by up to 4 degrees during peak energy demand. The promotion is available from energy companies including TXU Energy, CenterPoint and ERCOT. It is run by a company called EnergyHub and offers entry into a sweepstakes for participating, with customers able to opt out at any time.
(KHOU)






