Mecklenburg County Hit With Ransomware Attack

Mecklenburg County, North Carolina, home to Charlotte, was hit with a ransomware attack that the county was clearly unprepared to handle.

The good news, if there is any in a situation like this, is that the attackers only compromised about 48 of the county’s 500 servers.  Other servers were shut down deliberately to keep the ransomware from spreading to them, which is part of why so many services went dark.

The bad news, and there is much more of that, is that the county says it will be some time in 2018 before they get everything put back together.

Some reports say that the attackers wanted two bitcoins or about $30,000, but other reports say they wanted two bitcoins per server, which would have put the bill in the millions.  The county has decided not to pay the ransom.

The county said that because of a backup system, the hack didn’t compromise any personal information.  Having backups lets you restore data; it says nothing about whether the attackers read or copied that data before encrypting it.  Clearly, the county officials do not understand how technology works.

This is also one reason why these local governmental organizations can be picked off pretty easily.  Likely due to staffing, money and lack of executive support, these local governments have poor to non-existent cyber security, disaster recovery and business continuity programs.

Here is what that “backup system” amounts to in practice.  Calls to the domestic violence hotline are going to voice mail and being picked up later by counselors.

The county jail is having to process inmates in and out of the jail using paper forms.  I am highly confident that nothing will go wrong.

Social Services is having to recreate rides scheduled for seniors and many of those ride requests have been forever lost.

Payments to the tax department have to be made by cash or check and building inspections are using paper forms.

The goal is to attempt to get life preserving services up first and the rest of the services restored in 2018.

Mecklenburg is far from alone in this plight.  City and County governments, especially, do not have either the budget or the expertise to deal with modern day, real world cyber attacks.  All they can do is hope that no one clicks on an infected link in an attack email.

The private sector is in better but not great shape.  Businesses are much more motivated to have systems that work and not to spend the millions of dollars that I am sure Mecklenburg is spending to rebuild servers from scratch.  Businesses also don’t want to lose customers.  When FedEx’s TNT Express unit got hit with the NotPetya malware, customers switched to competitors.  Many of those will never come back.  Mecklenburg doesn’t have that problem – there is no competing government to switch to.

For private businesses, these attacks can be the difference between a profit and a loss, staying in business or going out of business.  FedEx, in the example above, spent about $300 million recovering from NotPetya last quarter and expects to spend a comparable amount this quarter.  Many businesses cannot afford the bills that these attacks generate and just go out of business.

Information for this post came from  The Washington Post  and NBC News.


Uber Naughty Tricks Hide Evidence of Theft

First a disclaimer:  I am not a lawyer and don’t pretend to be one on the Internet – at least most of the time.

The Uber Waymo trade secret theft trial is being delayed once again.

Why?  Because the Department of Justice showed the judge a 37-page letter from the lawyer of a former Uber employee that Uber had not shared with Waymo.  The judge now wants the former employee to appear in court.

The judge is “unhappy” with Uber because he ordered them to produce all relevant documents months ago and this document was not among those produced.  The judge said that he can’t trust anything they say because they have been proven wrong so many times before.  That is not the best way to get on the good side of a judge.

The ex-employee was fired from his job at Uber in April but still works for them as a consultant.  They paid him $2+ million plus another million at the end of his consulting contract plus $1 million plus in Uber stock.

The ex-employee said that Uber has a unit within the company called marketplace analytics whose job is to obtain competitive intel, “acquire” trade secrets and gather competitors’ code bases.  Your basic dirty tricks organization, whose job it is to break the law and steal confidential information from competitors.

OK, maybe I am being a bit harsh on them, but the methods and techniques really determine whether they broke any laws or not and that is still to be seen.

The ex-employee said that the employees of this group were trained in impeding, obstructing or influencing any lawsuit against Uber.  This includes working very hard to make sure that there was no paper trail of what they were doing.

The employees used self-destructing messaging services like Wickr, computers that could not be traced back to Uber and servers separate from the rest of the company.  They even made up reasons – apparently not legally valid ones – to claim attorney-client privilege.  They also engaged 10 outside security firms.

Waymo is suing Uber for almost $2 billion for theft of trade secrets.

Uber of course, said this is all made up.

There is one thing that is crystal clear as I play a lawyer on the Internet (no, this is not legal advice).  *IF* – and that is a big if – Uber hid information that it should have disclosed to the other side, that qualifies as a big no-no and could cause Uber all kinds of problems, all the way up to the judge entering a verdict in Waymo’s favor.  That level of pain is VERY unusual, but the judge could fine the company, hold it in contempt or instruct the jury to interpret certain facts in a way that is very unfavorable to Uber because of this.

Right now, he has delayed the trial while Waymo’s attorneys review the letter and decide what to do.

As far as how this affects you and me – if you believe that you MAY be sued, you have “a duty to preserve” evidence that may be relevant to the future case.  Not preserving the evidence could cause you to lose the case.

OK, that seems pretty straightforward.

Well, maybe.  What if your employees, on their own, decided to use Telegram or Wickr, or decided to use other non-company systems to process or store data – all of which could fall under your duty to preserve?  And what if they did this without telling senior management?

The company could be in a world of hurt legally.

What this means is that you, as an employer, need to understand what tools your employees may be using, even unofficially or unsanctioned, and work with your corporate attorneys to figure out whether that is a problem.

For certain industries (financial services, for example), you have a duty to preserve records even if no lawsuit is anticipated, so for those companies, without regard to any potential lawsuit, using these tools can get them in trouble.

Something else for you to deal with.  Sorry.

Information for this post came from Reuters.


Be Careful When Completing Those Cyber Insurance Questionnaires

I have written about the troubles of Cottage Health System in California.  They were breached and the protected health information (PHI) of at least 32,000 patients was compromised.

The situation was that they had outsourced the storage of patient records to InSync, which by itself is not a problem, but InSync left this data exposed on the Internet, unencrypted and without authentication, where it was indexed by Google.

$4 million later, the hospital submitted bills to their insurance company, which paid the bills.

The insurance company later came back and said that the hospital lied when it filled out the risk control questionnaire on its application, and as a result it wants its money back.  Plus expenses and legal fees.  That is going back and forth and will probably be settled in private.

Now the California Attorney General has decided that Cottage broke the law by exposing patient data in two breaches, including the one above.

The state is fining Cottage $2 million (which their insurance carrier is not likely to pay) and also requiring them to make a number of changes to their previously non-existent cyber security program.  This includes risk assessments, vulnerability scans, training, policies and several other items.

The state said:

“Cottage was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII, and failing to conduct regular risk assessments, among other things,”

Had Cottage told the truth on its insurance questionnaire, the carrier would likely have paid for all of this, making Christmas much merrier for the hospital administration.

Of course, if they had a good cyber security program they might not even have gotten breached, which would have been good news all around.

Cottage Health is not some huge organization, so having to come up with $6 million, plus spending money on the things the state is making them do, will probably put a significant crunch on their finances.

And it all started from the hospital administration not doing what it said it was doing on the insurance risk questionnaire.

Information for this post came from Healthcare IT News and Health IT Security.


What if Your Payment Processor Shuts Down?

What would happen to your business if your credit card processor shut down?  If you do online bill pay, what would happen if it shut down?

Millions of people and businesses got to figure that one out this month when PayPal’s TIO Networks unit suddenly shut down.  TIO does payment processing, both for merchants and for consumers who use it to pay bills at kiosks in malls, grocery stores and other locations.

PayPal paid over $230 million for the company earlier this year.

TIO had been breached.  Whether PayPal was aware of the breach at the time it bought the company is not clear.

In fact, all that is clear is that over a million and a half users had their information compromised.

PayPal’s decision, on November 10th, was to shut the unit down until it could fix the problems.

The impact of this shutdown varied from group to group.

If you were using the bill pay service at the grocery store, you likely went to another location.  Unfortunately for TIO Networks, many of those customers won’t come back.  While this was annoying for consumers, the annoyance was manageable.

For a merchant who uses the vendor as a payment processing service and finds that, magically and with no notice, the service has been shut down, it is a big problem.

This is especially a problem for organizations that depend on credit cards such as retail or healthcare or many other consumer services.

We often talk about business continuity and disaster recovery plans, but if you operate a business and credit cards are important to you, then your plan needs to spell out how you would handle an outage of your credit card processing service – including how long you can go without it and what you would do in the meantime.

In the case of TIO, after about a week they started bringing the service back online for a few people who were most dependent on it.

Things get a bit complicated here.  Most of the time merchant payment processors require businesses to sign a contract for some number of years.  Since the contract was written by lawyers who work for the processor, it likely says that they aren’t responsible if they shut down for a week or two without notice.  It probably even says that they aren’t liable for your losses and that you are still required to pay on your contract.

If you switch to a new processor, you may have two contracts.  Now what do you do?

To make things more complicated, if your payment processor is integrated with other office systems or point of sale systems, switching to a new provider is even more difficult.

I don’t have a magic answer for you – unfortunately – but the problem is solvable.  It just requires some work.  Don’t wait until you have an outage – figure it out NOW!

This is why you need to have a written and tested business continuity and disaster recovery program.

Information for this post came from USAToday.


A New Form of Ransomware

The British shipping company Clarksons was hacked and decided not to pay the ransom.  So far, nothing new.  No ransom, no data.

Well, maybe they had backups that they could restore – and could thumb their nose at the hackers.

I think this is becoming a bigger problem for hackers.  As a result, hackers are changing tactics.

There are still plenty of vanilla ransomware attacks that want your money in exchange for the encryption key.

But now there are many that say that if you don’t pay up we are going to publish what we hacked.

There is a very important distinction between these two types of attacks.  In the traditional attack, it is presumed (but not known) that the hackers did not steal your data – that they did not make a copy of it and upload it somewhere.  In this attack, for the threat to be credible, the hacker had to steal the data first.  ONE THING THIS MEANS IS THAT, UNLESS YOU CAN PROVE THE HACKERS ARE LYING, YOU LIKELY HAD A REPORTABLE BREACH IF YOU ARE IN AN INDUSTRY OR STATE THAT REQUIRES YOU TO REPORT BREACHES.  I don’t even play a lawyer on the Internet, but I think you are going to be hard pressed to convince regulators that your data was not compromised.

This concept is not far fetched;  in fact, hackers have done this (recently) before.  For this type of attack, whether you have backups or not doesn’t really matter.  What matters is what are the consequences of this data being made public.

In this case, Clarksons has said that they are not paying the ransom and expect the data to be made public.

Of course we have no way of knowing IF the attackers will really expose the data (I guess we could call that a revenge release), and Clarksons has been very tight-lipped about what was taken and how much.

What they have said is be prepared for stuff to be released.

So, I guess, we wait.  And see.  Stay tuned.

For the rest of us, we have a new cyber security worry.  Making backups and having a disaster recovery plan won’t help with this one.  The only way to protect yourself from this one is to keep the bad guys out – or to detect them before they finish copying your data.

One other thought.  Data that doesn’t exist can’t be hacked, so it is worth weighing the trade-off between keeping data that might, some day, maybe, be useful to someone and holding data that can be stolen.  This is not always an easy decision, but it is one that needs to be made.

A corollary to this is that we may need to keep data for legal or archival reasons, but does it need to be available, online, to all employees?  An example of this might be a mortgage company.  It may need to keep the loan package for all closed and declined loans for seven years, but what if those loans are stored on offline media?  In a bank vault?  It would be difficult to hack.  Just saying.

Information for this post came from The Register.


Senators Propose Bill Providing up to Five Years in Prison For Failing to Report Breaches

Senator Bill Nelson of Florida has introduced a bill in response to the Uber disclosure that the company sat for a year on telling 57 million people their data had been breached.  The bill allows for penalties of up to five years in prison for anyone, such as a company executive, who willfully conceals a breach for more than thirty days.

That is a serious incentive to disclose breaches quickly.

Now before anyone cheers or panics, Nelson is a Democrat, so the Republicans will likely kill the bill.

And, even if they don’t, there is a VERRRRY long path between a bill being introduced and the President signing it.

Still, in the light of Uber, it is POSSIBLE that Congress could get off its rear end and actually pass some sort of Federal data breach law.  The challenge has always been getting something that enough people can agree on.

Over the last several years there have been a couple of attempts to do that, but lobbyists have always gotten bills like this watered down to effectively mean nothing.  And the goal of those same lobbyists has always been to preempt strong state laws like California and Massachusetts with much weaker laws.  From the states’ point of view, this is a states rights issue and Federal preemption of states rights in this Congress is tricky.

The bill also directs the FTC to develop mandatory security standards for businesses and to provide incentives for adopting new security technologies.  Color me confused, but five years in prison is already a pretty strong motivator for most people.

Still, I presume that the odds of this getting passed are pretty low – but we can be hopeful.

Anyone who thinks that the Uber situation is unusual is being a bit naive.  The fact that a breach OF THAT SIZE was concealed for a year is unusual (or at least we think it is), but a breach being concealed for a year, or forever, is likely way more common than we would like to believe.  Yahoo did not disclose its breach of 3 billion accounts for several years.  Equifax did not disclose its breach for several months after the intrusion began.  On the other side of the coin, over 2,200 breaches were disclosed this year.

For publicly traded companies like Yahoo and Uber, the SEC can fine companies for failing to disclose a breach, but I cannot recall any times that they have done that.  They may do that in the case of Uber since they have a bad boy reputation and some folks may feel that they need to be taught a lesson – stay tuned on that one.

There is one thing working in favor of a Federal breach law and that is the European Union.  You may remember the Safe Harbor framework, which allowed U.S. companies to self-certify to a handful of controls and claim they were compliant with European privacy law.  The CJEU, the EU’s highest court, struck Safe Harbor down in 2015, saying that it did not effectively protect E.U. residents’ rights.  It was replaced in 2016 with something called Privacy Shield.  Some say that Privacy Shield is like putting lipstick on a pig, meaning that it is a slightly worked-over Safe Harbor, but it just passed its first annual review and the E.U. narrowly approved it, saying that it was effective at protecting E.U. residents.

But come next May, a new E.U. law, the General Data Protection Regulation comes into force and that places very strict rules on companies – like a requirement to notify people within 72 hours of discovering a breach.

In addition, some folks have taken Privacy Shield to court, so it is possible that this new framework could get thrown out too (technically, the E.U. can’t throw out anything the U.S. enacts, but it can rule that companies relying on the framework do not qualify to hold E.U. residents’ data, which is effectively the same thing).

It is possible that all of the privacy and legal activity in the E.U. could force the U.S. to enact stricter privacy laws.  The last thing that U.S. businesses want is to have their ability to move data between the U.S. and the E.U. blocked.  If it comes down to that, U.S. businesses may, reluctantly, lobby for a stricter security bill rather than lose their ability to move data between the U.S. and E.U.  We should find out in 2018.

Information for this post came from the Washington Times.
