Nearly two dozen Americans have been indicted in connection with a card-cloning scam that targeted a national retail chain headquartered in Chicago, Illinois.
In 2016 and 2017, a malicious software program was installed on multiple computers belonging to the unnamed retailer, which sold clothing, electronics, toys, furniture and home decor.
This malware allowed a co-conspirator to capture the data of more than three million credit cards, debit cards and gift cards that were used in-store at 400 of the retailer's branches.
Data stolen using the card-skimming software was then sold by the co-conspirator to another individual for $4m in Bitcoin. The money was transferred over the course of approximately 66 transactions.
This next link in the criminal chain offered the stolen information for sale on two different websites to over 3,000 users.
An indictment unsealed May 25 in the Northern District of Illinois accuses 22 individuals from nine different states of purchasing that data. Most of the defendants are in their late 20s or early 30s and reside in California or New York state.
It is alleged that the defendants used the data they purchased to buy items at businesses across America, including gas stations, hotels and restaurants. The illegal activity allegedly occurred between August 2016 and July 2020. At least 80 people living in Illinois were victimized as a result.
All but two of the defendants named in the indictment were arrested this month and have entered the federal court system. The defendants who remain at large are believed to have moved overseas.
The Department of Justice said that the investigation into the card-skimming scam remains ongoing.
Most of the defendants are accused of purchasing the data of between 1,000 and 2,000 skimmed cards each. However, one defendant, 35-year-old Barry Shi of Rosemead, California, allegedly bought the data of at least 18,742 payment cards, including at least 13,249 that were used at the Chicago retailer's stores, in exchange for around $507,273 in Bitcoin.
Wire fraud is punishable by up to 20 years in federal prison, while aggravated identity theft carries a mandatory, consecutive prison sentence of two years.
NHS patient data in England will be shared with third parties for research and planning purposes, fueling concerns about privacy and security, it has been reported today.
The Financial Times revealed that NHS Digital, which runs the health service’s IT systems, will create a database containing the medical records of around 55 million patients in England who are registered with a GP clinic. This includes sensitive data on mental and sexual health, criminal records and abuse.
This information will subsequently be made available to academic and commercial third parties involved in research and planning, although no details on the types of organizations that will have access have been provided.
The initiative follows suggestions that the UK’s response to the COVID-19 pandemic was hampered by lack of data sharing and access, including in a report published this year by the House of Commons Science and Technology Committee.
Patients will need to fill in a form and take it to their GP to opt out of the scheme by June 23, otherwise their historical records will become a permanent and irreversible part of the new data set. Any patients who opt out after this date will prevent any future data becoming part of the new system.
The idea for a database of this kind was first set out by UK Health Secretary Matt Hancock in April, and explained in blogs on the NHS website. These emphasized that patients will not be directly identified in the data set.
The plans have received significant criticism from privacy campaigners. The Financial Times cited a letter from Foxglove, a campaign group for digital rights, to the Department of Health and Social Care, questioning the legality of the proposals under current data protection legislation. Rosa Curling, a solicitor at the organization who penned the letter, wrote that “very few members of the public will be aware that the new processing is imminent, directly affecting their personal medical data.”
Cybersecurity experts have also warned that the database will be a tempting target for cyber-criminals. George Papamargaritis, MSS director at Obrela Security Industries, commented: “It is not surprising that the NHS is facing backlash in response to this move. Sharing medical data with third parties is very risky as there is no way to be sure they will have the proper security tools in place to keep the data safe. While it looks like the NHS has plans to anonymize patient data, this is not a 100% guarantee of security protection.”
David Sygula, senior cybersecurity analyst at CybelAngel, said: “This move from the NHS provides some strong benefits from an academic research standpoint. An initiative like this could have been useful in better controlling the magnitude of the pandemic, and all research work that goes with it.
“However, data collection on this scale is creating a new set of risks for individuals, where their Personal Health Information (PHI) is exposed to third-party data breaches. The extent of the unsecured database problem is growing. It's not simply an NHS issue, but the NHS' third, fourth or further removed parties too, and how they will ensure the data is securely handled by all suppliers involved. These security policies and processes absolutely need to be planned well in advance and details shared with both third parties and individuals.
“Several mechanisms must be put in place, starting with the anonymization of data, as data leaks will inevitably happen. Security researchers, attackers, and rogue states have all put in place processes to identify unsecured databases and will rapidly find leaked information. That's the default assumption we should start with. It's about making sure patients are not personally exposed in case of a breach, while setting up the appropriate monitoring tools to look for exposed data among the supply chain.”
NHS England previously tried to store all GP patient information in a central database back in 2013 in a project called Care.data, which was subsequently abandoned in 2016 due to privacy concerns.
There were over 2300 data breach incidents reported by just 22 of the UK’s police forces in 2020, according to new Freedom of Information data.
VPNoverview requested information from the UK’s 45 police forces and received responses from 31.
All told, the results revealed a national average of 299 data breaches per force over the period from 2016 to the first four months of 2021.
This included a combination of human error — for example, staff emailing sensitive information to the wrong recipient — and malicious third-party attacks.
There was no breakdown in the report indicating which accounted for the majority of cases. However, separate FoI data from 23 forces obtained in 2019 revealed that 237 officers and staff members were disciplined, six resigned during investigations and 11 were sacked for computer misuse offenses over the previous two years.
Many of these involved accessing police databases unlawfully to search for individuals.
The VPNoverview study did reveal which forces reported the most and fewest incidents over the past four years. Lancashire Constabulary topped the list of forces suffering the most incidents over the period (1300), followed by nearby Cheshire Constabulary (1193), Sussex Police (980) and the Police Service of Northern Ireland (928).
Five forces reported fewer than 10 incidents from 2016-21 while London’s Metropolitan Police and Dorset Police claimed to have suffered no breaches in over four years.
Sussex Police has already recorded 62 data breach incidents so far in 2021, followed by West Midlands Police (37), North Wales (24) and Wiltshire Constabulary (12).
A Big Brother Watch study from 2016 found that UK police suffered more than 2300 breach incidents over the previous four years as a result of insiders abusing their position.
A year previously, South Wales Police was fined £160,000 after it misplaced unencrypted DVDs containing a highly sensitive video recording of an interview with a sex abuse victim.
Bose has told regulators that a sophisticated ransomware attack back in March led to unauthorized access of personal information on current and former employees.
The US audio tech giant told the New Hampshire Office of the Attorney General that it first detected the ransomware on March 7, 2021. However, nearly two months later, on April 29, it determined that human resources files had been accessed.
“The personal information contained in these files includes name, Social Security Number, and compensation-related information,” it continued.
“The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files. However, we do not have evidence to confirm that the data contained in these files was successfully exfiltrated, but we are also unable to confirm that it was not.”
The firm said it had engaged third-party experts to scour the dark web for this data, to check if it is being actively used by cyber-criminals, and is also working with the FBI.
“Bose has not received any indication through May 19, 2021, from its monitoring activities or from impacted employees that the data discussed herein has been unlawfully disseminated, sold, or otherwise disclosed,” it added.
Only a small number of staff were affected and the firm is not thought to have paid the ransom.
However, it disclosed to the regulator a long list of remedial actions taken by its security team to mitigate the risk of a worse attack in the future.
This included: enhanced anti-malware, logging and monitoring; blocking of malicious IPs linked to the threat actor; changing passwords for all end users; and changing access keys for all service accounts.
Robert Golloday, EMEA and APAC director at Illusive, praised Bose for its transparency.
“Kudos for not paying a ransom and for having the appropriate backups in place. With that said, the time to put in controls for early detection and prevention of lateral movement is before these attacks occur, not after,” he added.
“It’s another unfortunate example of an ever-widening criminal enterprise."
Privacy groups are celebrating after winning an eight-year battle to prove the UK government’s mass surveillance regime violated human rights.
A ruling by the Grand Chamber, the top tier of the European Court of Human Rights, yesterday found that the regime first exposed by Edward Snowden in 2013 violated rights to privacy and freedom of expression.
Three main issues were highlighted by the judges: that bulk interception was authorized by the secretary of state and not an independent party; categories of search terms related to the type of comms to be extracted weren’t included in the warrant application; and that identifiers linked to individuals were not subject to prior authorization.
However, the European court fell short of ruling that bulk interception of communications is illegal in and of itself, claiming instead that stronger safeguards should have been put in place.
The judgement by the Grand Chamber goes further than the European Court of Human Rights’ 2018 ruling, by adding a new requirement of prior independent or judicial authorization for bulk interception of communications, Privacy International argued.
“Today the court reiterated that intelligence agencies cannot act on their own, in secret and in the absence of authorization and supervision by independent authorities,” noted the group’s acting legal director, Ilia Siatista.
“They must be accountable because their capabilities to access personal data about each and every one of us — even if we’re not suspected of any wrongdoing - pose serious risks in a democratic society.”
The case combined three separate challenges from 16 groups and individuals and challenged three different UK surveillance programs: the bulk interception of communications; intelligence sharing; and obtaining communications data from service providers.
The groups argued that the metadata collected by UK digital spy agency GCHQ could reveal intimate secrets of individuals’ personal lives, including where they go, who they contact and which internet sites they visit and when.
The UK government has said its new regime, brought in with the controversial 2016 Investigatory Powers Act or “Snooper’s Charter,” has added safeguards to the process.
This could have implications for the UK’s much-needed data adequacy decision from the EU. The European Parliament last week sent back the Commission’s draft decision on data protection, asking for better protection for EU citizens from UK mass surveillance.
The United States Department of Homeland Security (DHS) is to issue its first ever set of cybersecurity regulations for pipelines, according to The Washington Post.
The news comes in the wake of a recent ransomware attack on the Colonial Pipeline that knocked operational systems offline for five days, triggering panic buying that led to fuel shortages in the Southeast.
Last week, Colonial Pipeline paid a ransom of $4.4m to cyber-criminal gang DarkSide to regain control of its systems and data.
According to the Post, a senior DHS official has said that a security directive will be issued this week requiring pipeline companies to report cybersecurity incidents to federal authorities. The directive will come from the Transportation Security Administration, a DHS unit.
This directive will be followed by a meatier set of regulations in a couple of weeks’ time. These rules are expected to lay out in more detail what pipeline operators must do to protect their systems from cyber-attacks.
Post-breach behavior will also be regulated, with companies who succumb to a cyber-attack ordered to adhere to a set of best practices.
These mandatory regulations will replace the voluntary cybersecurity guidelines issued previously by the DHS.
John Bambenek, threat intelligence advisor at Netenrich, said that the US government's "shutting the stable door after the horse has bolted" approach to cybersecurity regulation may not be the best way to protect critical infrastructure.
"Notification to the federal government of cyber-attacks is less significant than whatever protective regulations they issue, but the facts are, we have thousands of pages of policies, regulations, and studies on security for the federal government and they still get breached. A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing the future incidents," he told Infosecurity Magazine.
Lookout's Hank Schless took a more positive view of the regulations' potential impact.
He told Infosecurity Magazine: "Implementing new regulations could be very effective in the battle against cyber-criminals so long as organizations actually take action to align with them. It takes time and resources to align with new regulations, but this should at least serve as motivation for similar companies to get the ball rolling."
Automated fraud attacks against e-commerce retailers have increased in volume, frequency and sophistication, according to new research published today.
The Automated Fraud Benchmark Report: E-commerce Edition by PerimeterX is a new comprehensive annual report based on e-commerce cyber-attack activity over the past year.
Findings draw upon anonymous data collected during live online interactions by millions of consumers and hundreds of millions of bots in 2020. Analysis of the data revealed traffic and threat patterns across hundreds of the world’s largest websites, mobile apps and application programming interfaces (APIs).
Researchers determined that considerable growth occurred across all major types of automated fraud, including gift card cracking, account takeover (ATO), scraping and checkout attacks in 2020.
"The ongoing daily level of attacks was the same as during the most recent Cyber 5 period — the traditional Black Friday through Cyber Monday shopping timeframe," said a PerimeterX spokesperson.
Key findings of the report were that checkout attacks rose 69% in April 2020, and scalper bots drove more than 40% of total shopping cart requests during peak limited-edition sneaker sales.
In September, 85% of all login attempts were ATO attempts, while peak levels of blocked traffic were over 95% in four months.
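The report gives the share of login traffic that was ATO but not how such traffic is told apart from legitimate logins. The following is an added illustration, not code from the report or from PerimeterX, of one common heuristic for the credential-stuffing form of ATO: a single source firing attempts at many different usernames with a high failure rate, in contrast to a real user retrying their own account. The log format, the three source IPs and the thresholds are constructed for this example; the "share of attempts that are ATO" figure it computes is the same kind of number the report quotes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login log (not from the report): one line per attempt.
# 203.0.113.7 cycles through many accounts and mostly fails (stuffing pattern);
# 198.51.100.20 is one user retrying their own account; 192.0.2.55 is a normal login.
SAMPLE_LOG = """\
2020-09-14T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-09-14T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2020-09-14T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2020-09-14T10:00:02Z src=203.0.113.7 user=dave result=FAIL
2020-09-14T10:00:03Z src=203.0.113.7 user=erin result=SUCCESS
2020-09-14T10:00:03Z src=203.0.113.7 user=frank result=FAIL
2020-09-14T10:00:04Z src=203.0.113.7 user=grace result=FAIL
2020-09-14T10:00:04Z src=203.0.113.7 user=heidi result=FAIL
2020-09-14T10:00:05Z src=203.0.113.7 user=ivan result=FAIL
2020-09-14T10:00:05Z src=203.0.113.7 user=judy result=FAIL
2020-09-14T10:01:10Z src=198.51.100.20 user=alice result=FAIL
2020-09-14T10:01:15Z src=198.51.100.20 user=alice result=FAIL
2020-09-14T10:01:20Z src=198.51.100.20 user=alice result=SUCCESS
2020-09-14T10:02:00Z src=192.0.2.55 user=bob result=SUCCESS
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in OK


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate(events):
    """Per-source counters: attempts, failures, distinct users, successful accounts."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def flag_credential_stuffing(stats, min_attempts=8, min_user_ratio=0.8, min_fail_rate=0.7):
    """Flag sources that spray many distinct usernames and mostly fail.

    A legitimate user retrying one account has a low distinct-user ratio and
    so is not flagged even if every attempt fails. Thresholds are assumptions.
    """
    flagged = {}
    for src, s in stats.items():
        if s.attempts < min_attempts:
            continue
        user_ratio = len(s.users) / s.attempts
        fail_rate = s.failures / s.attempts
        if user_ratio >= min_user_ratio and fail_rate >= min_fail_rate:
            flagged[src] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_rate": round(fail_rate, 2),
                # Accounts that succeeded from a flagged source are the ones
                # actually taken over: force a reset and session revocation.
                "accounts_to_reset": sorted(s.successes),
            }
    return flagged


def analyse(text, **thresholds):
    events = parse_log(text)
    flagged = flag_credential_stuffing(aggregate(events), **thresholds)
    ato_attempts = sum(v["attempts"] for v in flagged.values())
    share = ato_attempts / len(events) if events else 0.0
    return {"flagged": flagged, "ato_share": round(share, 3), "total_attempts": len(events)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, info in report["flagged"].items():
        print(f"{src}: {info}")
    print(f"ATO share of login attempts: {report['ato_share']:.1%}")
```

Keying on a single source IP is the weakest part of this heuristic: stuffing tools rotate through residential proxies so that each IP makes only a handful of attempts, which is exactly why the report's figures come from bot-detection signals rather than IP counts. In practice the same aggregation is run per ASN, per device fingerprint or per account (many sources hitting one account with different passwords), and the thresholds are tuned against a baseline of normal failure rates for the site.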
Researchers also observed that every major US holiday in 2020 saw increases in gift card fraud.
The report reveals that a broader range of online merchants faced automated fraud attacks last year as cyber-criminals expanded into new industries and started to target smaller businesses with greater frequency.
"What’s clear is that automated fraud has no season. The ‘new normal’ rate of automated attacks far outpaces previous seasonal peaks, and retailers should plan for elevated volumes throughout the year,” said Kim DeCarlis, CMO, PerimeterX.
"Retailers will need to adapt to this new environment of higher automated fraud activity in order to continue to grow their sales and profits, increase efficiency and protect their brands."
DeCarlis added that last year, cyber-criminals were observed trialing their Cyber 5 attack plans in September, a month earlier than usual.
"This compressed the time that development and digital teams had to react and respond to shifting trends in automated attacks and application security,” explained DeCarlis.
The United States Coast Guard is to establish a Cyber Operational Assessments Branch this summer and create its first ever red team.
The planned restructuring, first reported by Federal News Network, will support the cybersecurity work currently being undertaken by the Coast Guard's blue team.
Acting as a cyber adversary, the red team will emulate the behavior of threat actors and perform penetration tests to identify any weaknesses in the Coast Guard's cyber-defenses.
Cyber blue team branch chief, Lt. Kenneth Miltenberger, said his team will continue to fulfill its existing duties, which include performing cooperative vulnerability assessments, security consulting for acquisition operations, and endpoint scanning.
Speaking at a webinar hosted last week by the Advanced Technology Academic Research Center (ATARC), Miltenberger said: “We’re excited to see that kind of fusion — of cooperative assessments, plus [the] red team for some kind of holistic assessments."
Among the tasks assigned to the new Cyber Operational Assessments Branch will be an in-depth analysis of the challenges and opportunities associated with 5G infrastructure.
Dan Massey, the program lead of the Department of Defense’s 5G to NextG Initiative, said 5G infrastructure will help to reduce latency in augmented reality and virtual reality training.
“If I tried to do my AR/VR training by pushing everything back to a data center from Joint Base Lewis-McChord in Washington State back to a data center in the Pentagon, I’m stuck with a number of challenges just in terms of bandwidth, in terms of latency. It’s just not going to work well.
"But if I can distribute some of those key aspects out closer to the edge, almost all the way to the edge itself and combine that with back-end processing that might be happening back at that data center, I think I have the most powerful infrastructure,” said Massey.
Another recent technological development that saw the Coast Guard make the headlines was the military service's decision to establish a UxS Cross Functional Working Group. The group's mission will be to help the Coast Guard exploit the capabilities of existing and future unmanned systems.
Some 84% of global organizations have suffered a serious security incident over the past two years and a majority are expecting another SolarWinds-style supply chain attack, according to a new Splunk report.
The IT data platform provider interviewed 535 security leaders in nine leading economies across multiple industries, to compile its latest report, The State of Security 2021.
Of those that were successfully attacked, email compromise (42%) was the most common incident, followed by data breaches (39%), mobile malware (37%) and DDoS (36%).
However, over three-quarters (78%) expressed concern about more sophisticated supply chain attacks coming in the future.
Cloud complexity is emerging as a major threat to global organizations, with three-quarters (75%) of respondents already using multiple providers. Over half (53%) said attacks in this area had increased during the pandemic, and 76% said that remote workers are harder to secure.
Nearly 90% already run a substantial number of their business-critical applications in the public cloud.
Two of the key challenges of securing cloud environments highlighted by respondents were: maintaining and enforcing consistent policies (50%); and the complexity of using multiple security controls (42%).
Splunk urged organizations to modernize their Security Operations Centers (SOCs) with new SIEM platforms and more automation, such as in user and entity behavior analytics (UEBA) and security orchestration, automation and response (SOAR) tools.
It also advocated a zero trust approach, enhanced staff training and improved insight into network behavior to spot lateral movement more effectively.
“That modernized SOC will include an arsenal of the best tools and customization available. But that can create its own headaches, in terms of training and the ability to understand an incident with data from multiple sources,” the report concluded.
“In a complex, multi-cloud, multi-service environment, it’s essential to be able to see across all that data, not just traditional security data. This highest-level, end-to-end perspective is vital not only to security and compliance efforts, but to successful development and operations as well. A consolidated view of the data creates a single source of truth for security and IT teams.”
Take-up of cyber-insurance has almost doubled over the past four years, but premiums surged during 2020 due to more frequent attacks, according to a new congressional report.
Watchdog the Government Accountability Office (GAO) was ordered to study the industry in the National Defense Authorization Act for fiscal year 2021.
Citing data from global insurer Marsh McLennan, the GAO revealed that the percentage of clients opting to take out cyber-specific insurance policies had risen from 26% in 2016 to 47% in 2020.
However, a surge in successful cyber-attacks of late has had two negative consequences: rising premiums and reduced coverage limits for some sectors.
The GAO claimed that, according to a recent survey of insurance brokers, prices had risen 10-30% in late 2020. It also singled out healthcare and education as two sectors where insurers are now offering lower coverage limits.
Although not named in the update, ransomware is a key factor driving these trends. It was the biggest source of insurance claims in the first half of 2020, according to insurer Coalition.
Many have argued that insurers’ continued coverage perpetuates the ransomware problem as it encourages more threat actors to target organizations, knowing that the ransom will be reimbursed by providers.
Axa recently took a stand against this trend in France by resolving to stop reimbursing payments to threat actors, although it will still cover other losses incurred by attacks.
The GAO report explained that providers are also now offering more cyber-specific packages to clients. However, a lack of common terminology, such as what constitutes cyber-terrorism, can lead to inconsistencies in policies and coverage, it warned.
Confectionery giant Mondelez and global legal firm DLA Piper both sued their insurers in 2019 following major losses incurred after NotPetya. Their providers refused to pay out due to wrangles over policy wording and definitions of exactly what kind of attack the global malware constituted.
Published on the third anniversary of the GDPR coming into force, the survey highlighted that security leaders and data protection officers (DPOs) are even more concerned about legal settlements for data subjects than they are about regulatory fines (85%) following a serious data breach.
As a result of these concerns, 91% of the 250 security leaders and DPOs in the UK polled revealed they have taken out new cyber-insurance policies or increased their cover to protect themselves from financial exposure because of GDPR.
These fears appear well founded, with high awareness among consumers of the increased rights afforded to them under GDPR also demonstrated by the study. It showed that nearly half (47%) of the 2000 UK consumers surveyed would join a class-action lawsuit against an organization that had leaked their data. Additionally, over two-thirds (67%) said they were aware they have the right to take legal action against an organization that experiences a breach that exposes their personal data.
Tony Pepper, CEO at Egress explained: “The financial cost of data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation.
“Organizations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”
Commenting, Lisa Forte, partner at Red Goat Cyber Security LLP, said: “The greatest financial risk post breach no longer sits with the regulatory fines that could be issued. Lawsuits are now common place and could equal the writing of a blank cheque if your data is compromised. European countries haven’t typically subscribed to a litigious way of regulating the behavior of companies. That is now changing and without explicit government intervention companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see."
"The recent Google case that currently sits with the UK Supreme Court could make group claims 'opt out' instead of 'opt in'", Lisa Forte continued. "That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies. Companies need to really prioritize preventative measures both technical and human and have a tested incident plan in place.”
It’s three years today since the GDPR was launched across Europe but UK businesses are still failing to meet some of its most basic reporting requirements, CrowdStrike has warned.
The security vendor polled a sample of 500 UK business decision makers between April 30 and May 10 to better understand uptake of the legislation, and the Data Protection Act 2018, which applies its principles in UK law.
Unfortunately, the poll found that just 42% of UK firms that have been breached report the incident to the regulator within 72 hours, as required by law.
The study found a general lack of awareness and visibility elsewhere: 67% of respondents said they consider themselves “prepared” should they become a breach victim, but only around a third (36%) have actually readied specific protocols to deal with the fallout of such an incident.
Over a fifth (22%) claimed they either don’t know or don’t think the GDPR applies to the UK following Brexit.
What’s more, two-thirds of businesses either don’t know (41%) or underestimated (25%) the maximum amount the Information Commissioner’s Office (ICO) can fine erring companies: 4% of global annual turnover or £17 million, whichever is higher.
Zeki Turedi, EMEA CTO at CrowdStrike, told Infosecurity that many organizations are struggling to understand what a data breach even is, and how much time they have to report it.
“For example, some companies are unaware that simply sending confidential information about an individual to an incorrect email address can trigger the need for a GDPR notification,” he argued.
“The CISO has a critical role to play here, not just in helping to protect the business in the first place, but also in ensuring the company understands its legal requirements when it comes to breaches and is in a position to meet them. The research underlines the continued need to educate organizations on the use of GDPR and how it impacts them.”
Alongside the CISO’s role here, the GDPR also mandates that most large organizations appoint a Data Protection Officer (DPO) to handle such issues.
An employee of the Federal Bureau of Investigation (FBI) has been accused of stealing classified information and national security documents from her workplace and keeping them at home.
Intelligence analyst Kendra Kingsbury of the FBI's Kansas City Division was charged in a two-count indictment returned under seal by a federal grand jury in Kansas City, Missouri, on Tuesday, May 18.
The federal indictment alleges that 48-year-old Kingsbury took sensitive government material home to her residence in Dodge City for more than a decade.
Kingsbury worked as an intelligence analyst for more than 12 years until she was placed on suspension in December 2017. During her career with the FBI, she held a top-secret security clearance and was assigned to a number of different squads dealing with illegal drug trafficking, violent crime, violent gangs, and counterintelligence.
It is alleged that Kingsbury improperly removed sensitive government materials – including national defense information and classified documents – from June 2004 to December 15, 2017, and kept them at home. According to the indictment, Kingsbury had no need to know most, if not all, of the information contained in those materials.
Kingsbury was charged with two counts of having unauthorized possession of documents relating to national defense. The first count relates to numerous secret documents that describe intelligence sources and methods related to US government counterterrorism, counterintelligence and cyber-threat efforts.
Those materials include details of open FBI investigations across multiple field offices, documents relating to sensitive human source operations in national security investigations, intelligence gaps regarding hostile foreign intelligence services and terrorist organizations, and the technical capabilities of the FBI against counterintelligence and counterterrorism targets.
Count two refers to Kingsbury's alleged theft of secret documents that describe intelligence sources and methods related to US government efforts to collect intelligence on terrorist groups. Among these materials is information on al Qaeda members on the African continent, including a suspected associate of Osama bin Laden.
Alan Kohler, Jr., assistant director of the FBI’s Counterintelligence Division, said: “The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing."
A lecturer from the University of Plymouth has won a prestigious international prize for her research in maritime cybersecurity.
Dr. Kimberly Tam's work won her the overall gong and the cybersecurity category in the 2021 Lloyd's Science of Risk prize. Tam was among six academics announced as award winners by insurance and reinsurance market Lloyd's of London on May 21.
The Science of Risk prize is awarded to academics and PhD students who further the understanding of risk and insurance through their scientific research. Runner up in the cybersecurity category was Edward Oughton of George Mason University for his stochastic counterfactual risk analysis for the vulnerability assessment of cyber-physical attacks on electricity distribution infrastructure networks.
Tam's award-winning research focused on a suite of software tools designed to enhance maritime cybersecurity. In conjunction with the University of Plymouth’s Maritime Cyber Threats Research Group, Tam developed a Maritime Cyber Risk Assessment (MaCRA) framework.
"The principles behind the MaCRA framework were first set out in a study published in the WMU Journal of Maritime Affairs in 2019, and co-authored by Dr. Tam and Executive Dean of Science and Engineering, Professor Kevin Jones," said a spokesperson for the University of Plymouth.
"The paper proposed a dynamic risk assessment model that uniquely takes into account both information technology and operational technology, both of which are prevalent in sectors like transportation and critical national infrastructure."
Recognizing the value of the software, the Maritime Research and Innovation UK (MarRI-UK) initiative awarded the University a grant to develop it as an industry-ready solution.
“Receiving the overall 2021 Lloyd’s Science of Risk prize is a big honor. It shows there is real appreciation of the growing threat of cybercrime, and the importance of addressing the challenges it could pose for the globally important maritime sector," said Tam.
"My paper looks at ways the physical and cyber worlds affect each other, and how shifting our concept of risk to be more dynamic can be a useful tool moving forward in a more connected world.”
Just over a week ago, Tam's software won the Cyber Den competition run as part of the UK government’s flagship cybersecurity event, CYBERUK.
A hacker from Michigan has admitted to stealing the sensitive data of more than 65,000 University of Pittsburgh Medical Center (UPMC) employees and selling it online.
Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson, known on the dark web by the handles TheDearthStar, Dearthy Star, TDS, and DS, hacked into UPMC's human resources database in January 2014. Six years later, the 30-year-old resident of Detroit was indicted by a federal grand jury in Pittsburgh and subsequently arrested on charges of conspiracy, wire fraud and aggravated identity theft.
Among the data swiped and sold by Johnson were W-2 information and personally identifiable information (PII) including Social Security numbers, addresses, names and salary details. Conspirators who bought the data from Johnson via forums used the UPMC employee PII to file hundreds of false Form 1040 tax returns in 2014.
Hundreds of thousands of dollars in fraudulent refunds claimed through those false 1040 filings were then converted into Amazon.com gift cards, which the conspirators used to purchase products that were later shipped to Venezuela.
The lucrative criminal scheme resulted in the loss of approximately $1.7m in false tax return refunds.
UPMC employees were not the only victims of Johnson's proclivity for data theft. From 2014 through 2017 he also stole and sold nearly 90,000 additional sets of PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud.
On May 20, Johnson pleaded guilty to counts 1 and 39 of a 43-count indictment before Chief United States District Judge Mark R. Hornak. Johnson will remain in detention while a date is set for his sentencing.
"Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly," said Tom Fattorusso, the special agent in charge of IRS–Criminal Investigation at the time of Johnson's arrest.
"Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals."
American Express is the latest big-name brand to receive a fine from the UK’s data protection regulator after spamming millions of customers.
The Information Commissioner’s Office (ICO) fined American Express Services Europe (Amex) £90,000 after it sent over four million marketing emails to customers who did not want them.
The ICO said it began its investigation after complaints from some of those customers, who claimed to have opted out of receiving the missives.
Amex rejected these complaints, saying the emails were about “servicing” rather than marketing, according to the ICO. The content of these messages apparently included how to get the most out of your card, info on the rewards of shopping online with Amex, and how to download the firm’s app.
However, the ICO disagreed, claiming that a little over four million of the 50 million emails sent as part of this campaign were “a deliberate action for financial gain by the organization” — and as such constituted a marketing effort.
In addition, Amex decided not to review its marketing model following the customer complaints.
Andy Curry, the ICO’s head of investigations, argued that Amex is now facing the “reputational consequences” of making the wrong call.
“The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases,” he added.
“Amex’s arguments, which included that customers would be disadvantaged if they weren’t aware of campaigns, and that the emails were a requirement of its Credit Agreements with customers, were groundless.”
Curry encouraged all companies to revisit their procedures and take time out to better understand the differences between service and marketing emails, ensuring their policies are compliant.
Although the ICO is the UK’s regulator for GDPR, this fine was issued under the country’s Privacy and Electronic Communications Regulations 2003 (PECR), which make it unlawful to send marketing emails to individuals unless they have consented (subject to a limited “soft opt-in” exception for existing customers who were offered the chance to opt out when their details were collected). Relabeling a promotional message as a “servicing” email does not take it outside those rules; what matters is whether the content seeks to promote products or services.
Air India has confirmed that 4.5 million passengers have had their personal data exposed in a third-party data breach first disclosed over two months ago.
The incident impacted SITA, an IT provider which claims to serve around 90% of the aviation industry. Attackers compromised servers that operate passenger processing systems for airline clients.
Air India said it first received word of the attack on February 25 this year, but was unable to confirm those affected until SITA informed it on March 25 and April 5.
“The breach involved personal data registered between August 26 2011 and February 3 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit card data,” the statement noted.
“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”
Air India claimed that, following the incident, the affected servers were secured, external investigators engaged, credit card issuers were notified and frequent flyer passwords were reset.
“Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers,” it added.
“While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.”
Finnair, Malaysia Airlines, Japan Airlines and Singapore Airlines were among the other big names affected by the breach.
Although Singapore Airlines said it was not a customer of SITA’s, some of its frequent flyer data was apparently compromised via a fellow Star Alliance member that was.
This isn’t the first data security incident to have affected Air India. Back in 2016 a possible insider attack was detected in which threat actors sought to divert over $23,000 in air miles.
One of America’s largest insurers agreed to pay a $40 million ransom after its IT systems were locked down and data stolen by threat actors, according to a report.
CNA Financial paid its attackers in late March, about a fortnight after the incident, two people familiar with the attack told Bloomberg.
A statement shared with the news site refused to comment on the ransom but claimed that the firm had followed all “laws, regulations and published guidance” when handling the matter. This includes the 2020 guidance published by the US Treasury’s Office of Foreign Assets Control (OFAC), it said.
CNA Financial also noted in a security update that it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data — including policy terms and coverage limits — is stored, were impacted.”
The firm was apparently hit by a variant of the Evil Corp-authored Hades ransomware called Phoenix Locker.
The payment could be the largest ever made to a ransomware group — although not all incidents and payment amounts are disclosed given the commercial sensitivities involved.
Attackers tried to extort $50 million from Acer back in March, although it’s unclear whether they were successful or not.
The FBI urges victims not to pay ransoms, as doing so encourages copycat attacks and guarantees neither that the organization’s stolen files will not be monetized in the future nor that it will even receive a working decryption key.
Insurance companies like CNA Financial have been at the center of fierce debate recently over whether the industry should be assisting customers financially who have been struck by ransomware.
Axa has decided to stop reimbursing new policyholders in France for payments to such threat groups, for example.
Insurers may also be a lucrative target in their own right: an attacker who manages to exfiltrate client lists gains a ready-made line-up of companies known to hold cyber-insurance coverage, and therefore able to pay.
The average payment to ransomware groups increased by 43% from Q4 2020 to the first three months of 2021, according to Coveware.
The Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) logged its six millionth complaint on Saturday.
Between 2019 and 2020, the number of complaints filed with the Center rose by nearly 70%. FBI Special Agent Andrew Sekela believes the increase is linked to the COVID-19 global health pandemic.
He said: "The cyber-actors have absolutely taken every advantage of that opportunity to increase the number of people that they’re targeting, which is why I think we’re seeing an increase again across the board of all different types of fraud schemes and internet crimes."
IC3 was set up 20 years ago, and it took nearly seven years for it to log its first million complaints. However, the Center logged one million complaints in the past 14 months alone.
In a press release, IC3 chief Donna Gregory said, “On one hand, the number holds some positive news. People know how to find us and how to report an incident. But on the other hand, these numbers indicate more people are being affected by online crimes and scams.”
Tyler Shields, CMO at JupiterOne, a Morrisville, North Carolina–based provider of cyber asset management and governance solutions, believes the increase in complaints is linked to a rise in cyber-criminal activity.
"We've seen a significant increase in fraud and online scams in the last 12–24 months. The number of complaints is rising directly in correlation to the increase in attacks," Shields told Infosecurity Magazine.
Shields added: "Attackers follow the money, and these types of attacks have shown a great return on investment for attackers. Just look at the results from DarkSide's attack campaigns – $90m in 9 months from only 47 victims."
John Morgan, CEO at California cloud cybersecurity detection and response provider Confluera, said verification was harder for employees working from home.
"They can no longer simply turn around to ask others whether an email is legitimate or whether others have also received such notifications," Morgan told Infosecurity Magazine.
He said organizations should educate their employees on contemporary tactics used in cyber-attacks, such as the creation of fake colleagues and companies on LinkedIn.
A business owner who extorted over $3.5m from Spanish-speaking US residents via fraudulent phone calls has been sentenced to more than 10 years in prison.
California resident Angel Armando Adrianzen teamed up with a series of call centers in Peru to run a telemarketing scam that defrauded thousands of victims. Many of those conned by the 46-year-old owner and operator of AAD Learning Center (AAD) were recent immigrants to the United States.
Victims were contacted by callers using internet-based telephone calls. After claiming to be attorneys or government representatives, the callers would falsely tell victims that they hadn't paid for products. Victims were then threatened with legal action, bad credit, prison, or deportation if they didn't immediately pay a fee.
Under the scam, callers also impersonated employees of Spanish-language television channels, radio stations, toothpaste companies, or lawyers calling from a "minor crimes court" or a firm's legal department.
Adrianzen, who ran AAD from April 2011 until at least September 2019, admitted assisting co-conspirators in Peru with establishing and staffing the call centers involved in the scam.
At times, Adrianzen also provided the callers with lists of consumers to call and even scripts of what to say to them to extort payment. Ultimately, Adrianzen processed over $3,500,000 in payments as part of the scheme.
Adrianzen was arrested on September 16, 2019, and charged with conspiracy to commit mail fraud and wire fraud, five counts of wire fraud, five counts of mail fraud, and four counts of extortion. While executing search warrants upon Adrianzen's laptop and cell phone, police discovered child sexual abuse material (CSAM).
On November 21, 2019, Adrianzen pleaded guilty to conspiracy to commit mail and wire fraud. Today he was sentenced to serve 121 months in prison followed by fifteen years’ supervised release. He was also ordered to make restitution payments to his victims.
“Today’s sentence serves not only as just punishment for this defendant, but also as notice to others who may prey on vulnerable victims,” said Acting US Attorney Juan Antonio Gonzalez for the Southern District of Florida.
“The Justice Department and its partners will aggressively investigate such criminal activity. We will find you and ensure you are held accountable for your crimes.”