Posted December 5, 2017
This weekly brief highlights recent threat intelligence news to provide insight into the latest threats to various industries.
“Executives could face jail time for not reporting data breaches in a timely manner, if a proposed bill becomes law. Three Democrat senators introduced on Thursday the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days. If an individual knowingly conceals a data breach, they could face up to five years in prison.
The bill’s introduction follows Uber’s recent disclosure of a major 2016 data breach. After hackers stole data on 57 million customers late last year, Uber paid them $100,000 to destroy the data. It did not disclose the breach to the public or regulators until last week. Data breach notification practices have been in the spotlight over the last few months. Before Uber’s disclosure, a massive Equifax (EFX) hack exposed names, social security numbers, and other private data on more than 145 million people. It took the credit reporting company 41 days to notify the public of the breach.
The legislation was introduced by Florida Senator Bill Nelson and co-sponsored by Senator Richard Blumenthal of Connecticut and Wisconsin Senator Tammy Baldwin. “We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson said in a statement. Currently, 48 states have data breach notification laws that require companies to report hacks. They vary by state.”
Insurance + Healthcare
“Nearly all top healthcare providers – 98 percent – have not implemented Domain-based Message Authentication, Reporting & Conformance (DMARC), which could lead to healthcare email security issues, according to a recent survey. Healthcare is at the highest risk of being targeted by fraudulent email, the report showed. Fifty-seven percent of emails that are allegedly from the healthcare industry are fraudulent or unauthenticated. Furthermore, 92 percent of healthcare domains have been targeted by fraudulent email.”
“According to government and industry experts who spoke at the 2017 CyberCon, the proliferation of internet of things devices tied into critical industries, such as transportation and healthcare, is changing the perspective on what constitutes critical infrastructure. According to Jeanette Manfra, assistant secretary in the Department of Homeland Security’s Office of Cybersecurity and Communications, digital devices are changing the meaning of infrastructure that used to refer only to physical systems. According to the panel discussion, including Ret. Maj. Gen. John Davis, vice president and federal chief security officer at Palo Alto Networks, when all devices involved in life-saving functions and transportation are connected, it opens a whole different category of impact, and the attack surface is expanded greatly. The cybersecurity problems posed by IoT are divided into three categories: IoT as vulnerable endpoints on a critical infrastructure’s network, consumers buying unsecured IoT devices that could be conscripted into a denial of service or botnet campaign, and IoT devices imbedded in cars or healthcare tools that pose a life-threatening vulnerability.”
“For the first time in recent years, credit card fraud — which remains the highest fraud type for online retailers — has dropped to 42% of total fraud during the holiday weekend (Nov. 24 – 27, 2017). This level was 59% of total fraud for the same period in 2016, according to data from device intelligence for authentication and fraud prevention provider iovation.”