Was Chipotle’s Breach Due To Willful Negligence and Elementary Security?

Chipotle can’t seem to catch a break.  After the E. coli outbreak in 2015 and shareholder lawsuits, Chipotle tried to make a comeback.  Last month they announced that they had been hacked and credit cards compromised.  Chipotle hasn’t said which restaurants were affected or how many cards were compromised, but they have announced the time range of the breach – March 24, 2017 to April 18, 2017.

Chipotle’s advice to customers:  Watch your credit card statements and if you see something wrong, contact your bank – you are generally not responsible for fraudulent charges.

While true, it doesn’t sound like Chipotle is taking much responsibility for the breach, and that is the basis for the proposed class action.  The suit was filed on May 4th and has not been class certified yet.

The members of the proposed class action are 100-plus banks and credit unions who say their damages exceed $5 million.

The suit estimates that hundreds of thousands of Chipotle customers could have had their credit cards hacked.

The big issue in the suit is the fact that Chipotle apparently intentionally chose not to upgrade its credit card system to use chip cards.  Chip-reader-enabled credit card terminals encrypt the credit card information the moment it is entered into the terminal, and it is not decrypted until it reaches the credit card processor.  This makes things much harder – although not impossible – for the crooks to hack in and obtain useful credit card information.

And why, you ask, hasn’t Chipotle upgraded its credit card system to use the new chip readers? Because they are slower and that would slow down the line.  This is basically the same excuse Wendy’s gave for not upgrading.  It’s expensive to upgrade and slows things down.

But there is a twist to this.  Since October 2015, merchants who don’t upgrade to chip readers are (basically, there are some nuances to this) 100% liable for all costs of a breach based on language in their credit card merchant agreement.

What hasn’t happened yet is the credit card industry enforcing this on a large scale, but it is likely to happen at some point.  If a company like Chipotle gets hit with a mega fine, that will likely get people’s attention.

There is a long way to go on this.  The first hearing is July 18 in Denver.  The banks are saying that not installing chip readers is negligence.  We shall see if the court agrees.

Information for this post came from Denver’s Channel 7.


Bill Aims to Remove Fox From Hen House Guard Duty

The NSA has two roles in life – OFFENSIVE cyber and DEFENSIVE cyber.  The NSA spends, according to some estimates, 90% of its cyber budget on offensive cyber.

NSA, in its alter ego Cyber Command, is charged with defensive cyber.

What this means is that when NSA finds a bug like the one that was exploited in WannaCry, it has to decide whether to disclose it to the vendor (furthering its defensive mission, but giving up the ability to use it for its offensive mission) or keep it secret and continue to use it.

The only problem is what happens if someone else discovers the bug and uses it against American companies. That is the conundrum.

Under President Obama the intelligence community was supposed to use something called the vulnerabilities equities process to decide whether to disclose or keep secret any vulnerabilities that they find.  That process was voluntary.  After WannaCry, Congress is wondering whether the process is working.

The bill, called the PATCH (Protecting our Ability To Counter Hacking) Act, is designed to take the control of the decision making process away from the NSA exclusively and create a review board including the FBI, Homeland Security, CIA, Director of National Intelligence, Commerce and NSA.  State, Treasury, Energy and the FTC would be involved when needed.  Homeland Security will chair the board.

That does not mean that the spies are going to reveal every bug they find, but it may mean that the review process will be more balanced.

Since this bill was just introduced, it has a long way to go before it may become a law.

Information for this post came from The Register.


Massive DocuSign Phishing Attack After Breach

DocuSign is one of the major eSigning providers in the country.  eSigning allows customers to electronically sign documents instead of having to go somewhere to place a pen on paper and sign those documents with ink.  As a result of this convenience, eSigning is extremely popular.  It is used in every industry vertical where document signing is a part of the process.

DocuSign noticed an uptick in phishing emails targeting its customers this month.  The emails targeted existing customers of DocuSign.  DocuSign says that they have 100 million users in their system.

Initially they thought that this was just another of many generic phishing attacks, but they soon realized that the hacker had too much very realistic information.  DocuSign had been hacked.

The company discovered that what they call a non-core system had been compromised and their customer list taken.  At this time the company says that no financial information or signed documents were taken, but what was taken – names and emails – allows attackers to launch a very targeted attack against DocuSign customers.

The way the attack works is that the customer receives an email that looks strikingly like a real DocuSign request EXCEPT that it is asking the user to download and open a Word document – something that DocuSign does not do.  Of course, most DocuSign customers do not know this.  If they do open the document and follow the rest of the instructions from the attacker, the user’s system is now compromised.  The attacker can do whatever he or she wants to do.

While this campaign uses a Word document, the next campaign could use something else – maybe a malicious URL.
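As an added example (not from the original post and not DocuSign’s own code), here is a small mail-triage check, run over two constructed sample messages, that flags the tells described above: a DocuSign-branded sender whose address is not on a DocuSign domain, an Office attachment to open, or a link that leads off DocuSign’s domains.  The trusted-domain set and the risky file-type list are assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumptions for this example: domains a genuine DocuSign notice comes from or links to,
# and attachment types a real DocuSign request never asks you to download and open.
TRUSTED_DOMAINS = {"docusign.com", "docusign.net"}
RISKY_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsm", ".zip", ".js")

def _domain_of(addr):
    # "DocuSign <dse@docusign.net>" -> "docusign.net"
    return addr.rsplit("@", 1)[-1].strip("> ").lower()

def score_esign_mail(raw):
    """Return the reasons a DocuSign-branded message looks like phishing ([] means no tells)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    sender = str(msg.get("From", ""))
    if "docusign" in sender.lower() and _domain_of(sender) not in TRUSTED_DOMAINS:
        reasons.append("sender domain does not match the DocuSign branding in From")
    for part in msg.iter_attachments():  # a real request carries no document to open
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"asks to open an attachment: {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            reasons.append(f"link points outside DocuSign: {host}")
    return reasons

def _sample(sender, body, attachment=None):
    """Build a constructed sample message (not real captured mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "client@example.com", "Please DocuSign: Purchase Agreement"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

LEGIT = _sample("DocuSign <dse@docusign.net>",
                "Review and sign: https://app.docusign.com/signing/CONSTRUCTED-ENVELOPE-ID")
PHISH = _sample("DocuSign <docs@secure-esign-docs.example>",
                "Download the attached Word document and enable content to review your agreement.",
                attachment="Agreement.docm")
```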

For companies that use any eSigning technology, it appears that now would be a good time to educate your users about what a legitimate eSign request looks like and what an eSign phishing attack looks like.

For the mortgage industry, which is a big user of eSign technology, this is just another attack vector.  Just like the industry has set up processes to warn its clients about fake wire transfer requests, it looks like the industry now has to warn its clients about fraudulent eSign requests.  Today it is DocuSign; tomorrow it could be any DocuSign competitor.  In fact, any mortgage purchase or refinance client could be a target – eSign or not.  After all, clients are deluged with requests during the mortgage process and it is very hard for clients to know what is real and what is fake.

Another day, another opportunity.

Information for this post came from KnowBe4 and KrebsOnSecurity.


Why Those “Secret” Questions are Not a Very Good Security Measure

You have likely been subjected to websites that use so called “out of wallet” questions to validate that you are who you say you are.  Sometimes those questions are used to allow you to reset your password and other times those questions are used when you set up your account in the first place.

Examples of those questions are what street did you live on in third grade or what make of car did you own in 1992 and many, many others.

But here is the problem.  Those secret questions are no longer secret, for two reasons.  For many of the questions, the answers are available after a few taps into Google or from some information broker.  For others, the massive number of security breaches has exposed those answers, and organized criminal gangs are using those databases of compromised information to create new compromises.

An example:

Equifax offers a service to companies like Northrop, the University of Louisville and many others to distribute W2s to current and former employees electronically instead of printing them and placing them in an envelope with a stamp.  For large businesses, this is a large cost savings; for some employees it is easier than keeping track of paper W2s.

But hackers have figured out that Equifax only protected that information with a 4-digit PIN instead of a password AND allowed people to reset that PIN by providing the answers to a couple of not-so-secret questions.

Equifax – actually a wholly owned subsidiary called Talx – has been pretty quiet on the whole story, and here is why.

Because the security at this division of Equifax was so sloppy (by allowing you to reset your password by entering the answers to a few not-so-secret questions), they don’t really know how many W2s were stolen.  They know of some because fraudulent tax refunds were issued using that data, but, they say, because this looked like a normal password reset, they can’t tell the difference between you doing it and a hacker pretending to be you doing it.

The only good news here is that the hackers had to compromise the accounts one at a time and could not do it in bulk.

But the problem of web sites thinking that secret answers are still secret today – that is spread all the way across the web.

So what can you do?

Well, unfortunately, it depends.

For web sites that allow you to pick your own answers to security questions, you can do something.  Remember, they are just matching the answer to what is stored.  They don’t care if the answer is right.  In that case, if the question is “What is your mother’s maiden name” and the answer is “Smith” and you answer it “Giraffe”, you have made the hacker’s job much harder.  BUT, MAKE SURE YOU REMEMBER WHAT YOUR ANSWERS WERE.

In this case, even two factor authentication does not help because, for the most part, the password reset process completely and totally ignores two factor.
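As an added example, not from the original post, here is the matching logic the last two paragraphs describe, done the way a site should do it: answers are normalized and stored hashed like passwords (so a made-up answer such as “Giraffe” works exactly as well as a true one), a client-side helper generates answers no data broker can look up, and the reset gate requires the second factor as well as the answers instead of walking around it.  The word list, the PBKDF2 work factor and the plain-string OTP comparison are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 200_000  # PBKDF2 work factor; assumption for the example
# Small word list for made-up answers (assumption; use a much larger list in practice).
WORDS = ("giraffe", "copper", "lantern", "harbor", "velvet", "quartz", "meadow", "cobalt")

def normalize(answer):
    """Case-fold and collapse whitespace so 'Smith ' and 'smith' match.
    Nothing here checks that the answer is *true*; the site only compares it to what was stored."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def store_answer(answer):
    """Store a secret-question answer like a password: per-answer salt plus a slow hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest

def verify_answer(answer, record):
    """Recompute the hash for the offered answer and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def random_answer(words=3):
    """Client side: an answer no broker or breach dump can supply, e.g. 'giraffe-copper-lantern'.
    Keep it in a password manager; it cannot be reconstructed from facts about your life."""
    return "-".join(secrets.choice(WORDS) for _ in range(words))

def reset_allowed(answers_given, records, otp_given, otp_expected):
    """Gate a password reset on BOTH the stored answers and the second factor,
    so the reset path cannot be used to bypass two-factor authentication."""
    if len(answers_given) != len(records):
        return False
    # Evaluate every answer (no short-circuit) so timing does not reveal which one failed.
    results = [verify_answer(a, r) for a, r in zip(answers_given, records)]
    otp_ok = hmac.compare_digest(otp_given.encode(), otp_expected.encode())
    return all(results) and otp_ok
```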

In the case where the web site is buying answers from a company like Experian and not allowing you to make up an answer (like Experian prohibited in this case), there really isn’t much that you can do to protect yourself except not use the web site. In the case of Experian, the people whose information was compromised didn’t even choose to use the web site at all – that was the choice of their employer.  In those cases, the best that you can do is tell your employer that you think the vendor that they picked has crappy security and you don’t appreciate them putting your data at risk.

Until then, the best you can do is hope – and that is not a great strategy.

Information for this post came from Krebs on Security.


Why Cyber Insurance is Important to Small Businesses

While the breaches at Target, the IRS, Chipotle and others made the news during 2017, small business breaches were up over 40% between 2015 and 2016 and don’t show any signs of letting up.

Given that, here are some reasons why small businesses should have cyber risk insurance.

#1 – Small businesses do not have as sophisticated defenses as large businesses.  As a result, small businesses are an easier target for the bad guys.  Small businesses do not have a full time cyber security team and often outsource IT completely with no one really directing that outside vendor unless something breaks.

#2 – Small businesses collect large amounts of personal data from their customers.  While business owners may disagree with this, the reality says that there is a lot of data.  There is also a lot of internal sensitive data like company credit card and personnel information.  When customer or internal sensitive data is taken, general liability insurance will not cover either the expenses or the losses.  Small businesses also do not have the sophisticated applications that large businesses use to protect that sensitive data.

#3 – Often, after breaches come and go, what follows is lawsuits.  While lawsuits may ultimately be dismissed, the costs involved in defending your company are expensive and the lawsuits are distracting, so, in many cases, companies choose to settle.  Recently, Avmed settled for $3.1 million, Schnucks for $2.1 million and Vendini settled for $3 million.  While such a settlement would be petty cash to Target, it is a large check to write for a small business.  In addition to writing the settlement check, the company also has to pay for their defense and, in many cases, the other side’s offense.  That is a lot of money for small businesses.

#4 – The only things certain are death …. and cyber breaches … to paraphrase an old expression.  While the exact numbers are debatable, the source article for this post says that more than half of small and medium businesses are out of business within six months of a successful attack.  If a small business cannot recover from a ransomware attack, it could be toast.  Let’s say that number is wrong and it is only 25% that fail after a cyber attack – that would be devastating to the owners and the employees.  And even if the company stays in business, its ability to operate may be seriously impacted as a result of the distraction, expenses, customer defections and legal costs.

Right now cyber insurance is reasonably priced. Not free, but usually affordable.  And, for companies that practice good cyber security practices, the rates are often lower than for companies that do not have an active cyber security program.

Could your company afford to write a million dollar check after a cyber breach?

In addition, the insurance companies offer preventative services for free and cyber incident response services from a variety of vendors at negotiated rates.


Information for this post came from NoPa$$iveIncome.


How Would You Respond to a Ransom Demand?

Since we have been talking a lot about ransomware lately, here is a slightly different twist to it.  A few weeks ago, hackers stole the whole upcoming season of Orange is the New Black and leaked 10 episodes on the Internet after the studio refused to pay their ransom.  Likely this had a significant effect on advertising rates for the hit series and may affect the show’s viewership as the most rabid fans probably viewed the pirated versions.

But now, Disney has admitted that real life (cyber) pirates have stolen a copy of the new Pirates of the Caribbean movie that is due out next week and are demanding what Disney says is a huge ransom.  They say that if they do not get the ransom, which Disney says they are not going to pay, they will release 20 minute segments until they do get paid.  So far, they have not released anything.  While this MAY not have much of an effect on the theatre revenue since it comes with popcorn and a big screen experience, it could impact DVD and PPV revenue, neither of which comes with popcorn.

In both of these cases, Pirates and OITNB, the movies (and the number of movies and TV series stolen now comes to almost 40) were likely stolen from suppliers, not from the studios themselves.

This sort of begs two questions.

First, how good is your third party vendor risk management program?  Do you know if your vendors’ information security programs are up to dealing with a cyber attack?

And, second, what would you do if a hacker stole your intellectual property, possibly deleting or, worse yet, corrupting what was left behind (note that if the hackers know that you have, say, 10 days of backups and wait until day 11 to tell you that they corrupted your data, you would not have a clean backup to restore and likely would not know what they corrupted)?  What if the hackers stole, say, NFL players’ Social Security numbers, credit cards and legal records, as happened after a breach at PIP printing that went on for four months earlier this year?  Or if hackers stole confidential client information from a law firm?  Or all of the mortgage applications from a mortgage company?

Some hackers are figuring out that they can extract more money from stealing intellectual property than by stealing credit cards.

If you don’t pay the ransom and they do release the information, the legal fees, fines, lost customers, reputational damage and other costs could be very significant.

One question to ask is whether you have extortion insurance coverage for intellectual property extortion, but the bigger question is are you ready to deal with this situation?  It could cost you lawsuits and lost clients, so it is a serious situation – one that should be planned for in advance.

Don’t hope that the bad guys are going to pass you over.  For the most part, it is a crime of opportunity caused by an employee opening the wrong email or clicking on the wrong link.  The hackers don’t, for the most part, care whose intellectual property they steal.

Now is the time to plan for the worst and hope for the best.


Information for this post came from NBC and Forbes.
