Tag Archives: Hiscox

News Bites for the Week Ending January 4, 2019

Vietnam’s New Cybersecurity Law in Effect

Vietnam’s new “cybersecurity” law which requires companies to remove any content from the Internet that the government finds offensive went into effect on January 1.

It also requires some companies like Facebook and Google to open offices in Vietnam if they want to continue to do business there.

The law prohibits individuals from spreading anti-government information.  The Vietnam Association of Journalists announced a new code of conduct prohibiting reporters from posting anything on the Internet that “runs counter” to the state.

Google has apparently agreed to open an office there, although they are being somewhat sly about it;  Facebook does not seem to have committed to that.

Companies will need to decide if the income from Vietnam is worth the risk.  Source: South China Morning Post.

 

Android Apps Send Data to Facebook without User Permission

Apparently the Facebook software development kit did not even give app developers the option not to send data to Facebook until a month after GDPR went into effect.

Apps that have not updated their software are likely still sending data, probably without user consent, to Facebook, even if the user does not have a Facebook account.

Some apps send data to Facebook the second they are opened; others, like travel apps, send data to Facebook every time you search for a flight.

Integrating the data from various apps, Facebook could determine your religion (prayer app), gender (period app), employment status (job search app) and travel plans including number of children traveling (travel app).

Example apps are prayer apps, MyFitnessPal, Kayak, Indeed, Spotify, TripAdvisor and others.  The test was against Android apps, so it is not clear if the Apple Facebook library does the same thing.

Facebook admitted that they have a problem. Source: Android Police.

Both Facebook and the app developers could be on the hook for fines of $20 million Euros or more for violating GDPR.

Hackers Leak Private Info on 100s of German Politicians

Hackers leaked sensitive data on German Chancellor Angela Merkel and Brandenburg’s prime minister Dietmar Woidke, along with other politicians, artists and journalists.

Leaked information includes private conversations, photo IDs, credit card information,bills and other personal info.

Germany’s Federal Office of Information Security, who is investigating this said that government computers were not affected.  Other than covering their own butts, it is not clear why they would say that since no one suggested that government computers were being attacked.

This does point out that protecting your phones and tablets by making sure they are patched (many older phones do not have patches available and are therefore vulnerable if people use them to log on to web sites that contain email and other personal info), that applications on them are patched and unneeded applications are removed is very important.  Unfortunately, older devices for which there are no patches should be replaced.  Details here.

 

Lloyd’s of London Denies THEY Were Hacked; Throws Partner Hiscox Under the Bus

As a follow up to a blog post from earlier this week, hackers have now posted a sample of docs related to 9/11 lawsuits reportedly hacked from Lloyds and Hiscox.

Lloyd’s claims that they were not hacked but rather their business partner Hiscox was hacked.

Nice of them proclaim themselves innocent while throwing their partner under the bus.  No doubt this was an effort to divert lawsuits from them to Hiscox.  I will point out that this likely won’t work since a client of Lloyd’s has no agreement with or ability to select or control Lloyd’s vendors.  This is yet another reason why we are so adamant about companies implementing robust vendor cyber risk management programs.  Read details here.

Facebooktwitterredditlinkedinmailby feather

Another Law Firm Hacked?

Remember the Panama Papers hack?  11 million documents stolen causing one Prime Minister to resign and another to be fired?  If not, check out an old post here .  That hack caused the law firm of Mossack Fonseca to go out of business.

We it seems that some other firms may be on the wrong end of the hacker’s mouse pointer.

The hacking group The Dark Overlord claims to have hacked law firms handling September 11th litigation and has stolen tens of thousands of documents.  It is believed that there are two law firms involved: Hiscox Syndishares Ltd and Lloyds of London.  The group claims to have hundreds of gigabytes of documents.

They say the data stolen includes emails, retainer agreements, litigation strategies, liability analytics, expert witness testimony and conversations with the FBI, DoJ and DoD, among other stuff.

They claim that at least one law firm paid the initial ransom but then violated the terms of service by bringing in the police.  Now they want more ransom.

The hackers claim to be shopping the data on the dark web.

However, they are very kind.  They say that if you are working with this law firm and you don’t want your stuff released, contact them, pay them a separate ransom and they won’t release your stuff.

You have to admit that it is pretty entrepreneurial.

This is the same group that stole the unaired episodes of Orange is the New Black, threatened to publish the plastic surgery files and photos of the rich and the famous and even threatened to physically harm school children, sending school districts and parents copies of stolen information on the kids.  Not necessarily a nice bunch.

The cops did arrest a Serbian who, they claimed, was associated with the group, but that apparently hasn’t stopped them.

What does this mean for you?

One challenge is that no law firm has admitted to the breach or paying the ransom, but if you believe that Hiscox and Lloyds were the targets and you are a client of theirs, you might want to start thinking about damage control.

It does appear that these folks are pretty mercenary, so if the law firms pay up, maybe they won’t release anything.

If they do release documents, there is the prospect of collateral damage.  Maybe they will very selectively release documents, but more than likely, since they say they will bury the law firms, they will be less than selective.  In which case, collateral damage is likely.

Now would be a good time to look at your agreements with your various  law firms, no matter who they are.

On the other hand, if you are a law firm, now would be a good time to review your security practices.

Is there anything in writing about cybersecurity requirements?

What about  liability for damages if they get hacked?

Do they have to provide annual third party certification of their cybersecurity practices?

Are they even required to notify you if your stuff is compromised?  (Note that in many cases, the law does not require that).

And, of course, you are dealing with lawyers.  If it is not in writing it will be hard to impossible to enforce.

If cybersecurity requirements are missing, now might be a good time to review and amend your agreement.  In many cases you can switch law firms at any time since it is extremely rare to have any kind of exclusivity with law firms.  Even if there is current litigation, you could leave that with the existing firm and move new business to a new firm.

If the firms say that you should trust them, tell them that you do.  And you still want it in writing.  Trust, but verify, so to speak.

One thing that we do not know – how many other firms have been hacked and have not said anything about it?  Think about reviewing and changing your law firm agreements as insurance.

Information for this post came from SC Magazine.

 

Facebooktwitterredditlinkedinmailby feather