Cyber Security Headlines Week in Review: Wisconsin Medicare MOVEit, cop sues data broker, WHOIS vulnerability

This week’s Cyber Security Headlines – Week in Review is hosted by David Spark with guest Patrick Heim, co-founder and partner, SYN Ventures.

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

View this episode on YouTube.

Wisconsin Medicare users had information leaked in MOVEit breach

More fallout from the MOVEit breach of last year: “the Centers for Medicare & Medicaid Services (CMS), which is a federal agency that manages the Medicare program, as well as the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software.” The discovery follows a second investigation into the breach conducted by WPS in May, after it received “new information” about the breach.

(The Record)

West Virginia police officer sues data broker

A retired police officer in West Virginia has filed a class action lawsuit against Whitepages, a data broker, for publishing his home address, a violation of a 2021 West Virginia statute known as Daniel’s Law. The law takes its name from a similar law passed in New Jersey in 2020 following the murder of a federal judge’s son by a disgruntled lawyer. The West Virginia statute says that data brokers and others cannot disclose the home address or personal phone number of any active or retired law enforcement personnel “under circumstances in which a reasonable person would believe that providing such information would expose another to harassment or risk of harm to life or property.” Tom Kemp, a privacy advocate who regularly does battle with data brokers, anticipates a ripple effect in which more states and individuals will take data brokers to task.

(The Record)

1.7 million impacted in payment processing breach 

In an ironic twist, payment gateway provider Slim CD says they’ve swiftly initiated an investigation into a breach affecting around 1.7 million individuals. While the company claims to be moving quickly to address the issue, the breach actually occurred in August 2023 but went undetected until almost a year later in June 2024. Information exposed in the attack includes names, physical addresses, credit card numbers, and payment card expiration dates. Despite the impact, Slim CD has not offered any free identity theft protection services to those affected, instead advising individuals to stay vigilant and order a free credit report.

(Bleeping Computer), (The Register)

London transit agency drops claim it has ‘no evidence’ of customer data theft

The cyberattack that hit Transport for London (TfL) is now dragging into its second week and some TfL services remain offline. In a brief update on its cyber incident page, TfL said it continues to deal with an “ongoing” incident. However, the update removed a line that previously said, “There is no evidence that any customer data has been compromised,” and replaced it with a statement about the importance of system and customer data security. A TfL spokesperson declined to comment on whether the company had technical means, such as logs, to determine whether customer or employee data was exfiltrated and also declined to comment on the company’s website update.

(TechCrunch)

Huge thanks to our sponsor, Vanta

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, and more. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security. Our listeners get $1,000 off at vanta.com/headlines

Cyber staffing shortages remain CISOs’ biggest challenge

Researchers at Command Zero have released a report on challenges faced by chief information security officers (CISOs) and other leaders across 15 industries. The report highlights a skills shortage across all cybersecurity disciplines, but especially in the area of cyber investigations. 88% of leaders interviewed expressed concerns about the lack of staffing to address growing threats. Further, 74% of respondents said that they felt their team lacked sufficient public cloud skills to perform “high-quality investigations.” Because of the shortage, teams are stretched thin, which could lead to burnout and decreased effectiveness in mitigating potential threats. The same shortage means many companies are competing for the same qualified individuals, who have a lot of options, creating heavy turnover in an endless vicious cycle.

(Dark Reading)

The $20 WHOIS vulnerability

Researchers at watchTowr Labs discovered that the WHOIS server for the .mobi top-level domain had migrated to a new domain, so they spent $20 to acquire the legacy domain name and spun up a WHOIS server there to identify who was still using it. In a week, the researchers identified 135,000 unique systems querying the server, including certificate authorities and popular domain registrars. If abused by threat actors, such a server could be used to issue certificates to the domain, target individual communications, and co-sign malware. Instead, the team crafted a response telling clients to switch over to the new domain. watchTowr CEO Benjamin Harris characterizes the WHOIS security challenge, saying “People are effectively treating infrastructure as temporary but with very, very permanent effects on what it gives access to, what it authorizes, where it’s trusted.”

(The Register, watchTowr Labs)
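The defensive lesson of the item above is that a WHOIS server hostname should not be hardcoded and forgotten. As an added example (not watchTowr’s code or the page’s own), a small check that compares a client’s configured WHOIS server for a TLD against the referral IANA publishes in its `whois:` field, so a stale legacy hostname is flagged rather than silently trusted; the sample IANA response and all hostnames below are constructed placeholders, and `fetch_iana_record` is the only function that needs network access.

```python
"""Flag a stale hardcoded WHOIS server by checking it against IANA's TLD referral."""
import re
import socket
from typing import Optional

IANA_WHOIS = "whois.iana.org"  # IANA's root WHOIS service, port 43

# Constructed sample of an IANA TLD record; the registry and host are placeholders.
SAMPLE_IANA_RESPONSE = """\
% IANA WHOIS server
domain:       MOBI
organisation: Example Registry Operator (constructed)
whois:        whois.example-registry.mobi
status:       ACTIVE
"""


def parse_iana_referral(response: str) -> Optional[str]:
    """Return the host named in the 'whois:' line of an IANA TLD record, or None."""
    m = re.search(r"^whois:\s*(\S+)\s*$", response, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower().rstrip(".") if m else None


def fetch_iana_record(tld: str, timeout: float = 5.0) -> str:
    """Query whois.iana.org for a TLD (live network call, not used by the checks)."""
    with socket.create_connection((IANA_WHOIS, 43), timeout=timeout) as sock:
        sock.sendall(f"{tld}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def is_referral_current(configured_host: str, iana_record: str) -> bool:
    """True only when the configured server equals the referral IANA currently publishes."""
    current = parse_iana_referral(iana_record)
    return current is not None and configured_host.lower().rstrip(".") == current


if __name__ == "__main__":
    # Hypothetical hardcoded server left over from an earlier deployment (placeholder).
    configured = "whois.legacy-placeholder.example"
    if not is_referral_current(configured, SAMPLE_IANA_RESPONSE):
        print(f"STALE: {configured} != {parse_iana_referral(SAMPLE_IANA_RESPONSE)}")
```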

Remote access tools plague operational technology

According to a new study by Claroty’s Team82 that looked at over 50,000 remote access-enabled devices, businesses frequently use “non-enterprise grade” tools on networked operational technology devices. These lack central management and visibility for OT network admins. The study found that 79% of organizations use two or more remote access management tools that don’t meet enterprise security standards, often consumer offerings without multi-factor authentication or simply discontinued software still in use.

(Dark Reading)

UK recognizes data centers as critical national infrastructure

An announcement made by the UK government’s Technology Secretary Peter Kyle says that data centers will take a seat alongside energy and water systems in this critical infrastructure category. This means they stand to receive more government support in both anticipating and recovering from incidents. This support extends to organizations like the National Health Service, in which “the government would intervene to ensure contingencies are in place to mitigate the risk of damage or to essential services, including on patients’ appointments or operations.” The United Kingdom, which consists of England, Scotland, Wales and Northern Ireland, has the highest number of data centers in all of Western Europe.

(InfoSecurity Magazine)

TD Bank fined for sharing inaccurate and negative data on customers

TD Bank, also known as Toronto-Dominion Bank, the second largest bank in Canada, has been fined by the country’s Consumer Financial Protection Bureau for “allegedly disclosing incorrect and negative data on its customers to consumer reporting agencies.” The inaccurate data included “systemic errors about credit card delinquencies and bankruptcies,” according to the Consumer Financial Protection Bureau, which further stated, “the bank broke the law, violating both the Fair Credit Reporting Act and the Consumer Financial Protection Act,” adding that customers who disputed the bad information received no help, and that the bank “failed to conduct proper investigations and sometimes to conduct any investigation at all.” Nearly $8 million of the $28 million fine will be sent to victims who were impacted, CFPB said.

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.