Bangkok Airways has admitted that a cyber-attack last week led to the compromise of an unspecified volume of passengers’ personally identifiable information (PII).
The Thai airline claimed in a brief update late last week that although the incident didn’t affect “operational or aeronautical security systems,” it does appear as if personal data has been accessed.
Personal data could include full name, nationality, gender, phone number, email and home address, contact details, passport and historical travel information, partial credit card info and special meal information.
“This incident has been reported to the Royal Thai police as well as providing notification to the relevant authorities. For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible,” the notice continued.
“In addition to that, the company would like to caution passengers to be aware of any suspicious or unsolicited calls and/or emails, as the attacker may be claiming to be Bangkok Airways and attempt to gather personal data by deception (known as ‘phishing’).”
Although the airline itself didn’t specify how the attackers compromised its IT systems or their intent, the notice appeared online at around the same time as ransomware group LockBit 2.0 published info on the attack.
A tweet citing its leak site claimed the group had 103GB of stolen files from the firm, which it planned to release.
LockBit 2.0 was also blamed for a compromise at global consultancy Accenture earlier this month. The Australian Cyber Security Centre (ACSC) published details on the group, which first appeared in June, on its website.
It revealed that LockBit 2.0 had been exploiting the CVE-2018-13379 vulnerability in Fortinet FortiOS and FortiProxy in an attempt to gain initial access into victim networks.
A human rights group based in the United States is encouraging Afghans to delete their data to prevent the Taliban from using it against them.
The Deobandi Islamist religious-political movement and military organization seized control of Afghanistan on August 15, two decades after they were removed from power by US-led forces.
With the official American mission to evacuate US citizens and Afghan allies from Afghanistan set to end tomorrow, Human Rights First is advising Afghans who remain in the country to erase their digital footprints.
Welton Chang, chief technology officer at Human Rights First, told Reuters that in the most "dire circumstance," the Taliban could use Afghans' data to target those who had worked with the previous government, its security forces, and its foreign allies.
“We understand that the Taliban is now likely to have access to various biometric databases and equipment in Afghanistan,” the group wrote on Twitter on Monday.
“This technology is likely to include access to a database with fingerprints and iris scans and include facial recognition technology."
On August 25, civil society groups, including Access Now, the Commonwealth Human Rights Initiative, Unwanted Witness and Electronic Frontier Foundation, issued an open statement calling for "an urgent safeguard of digital identity and biometric databases created in Afghanistan by development assistance missions, foreign governments previously aiding Afghan authorities, humanitarian actors, aid agencies, and the private sector vendors whose tools have been deployed to ensure they are not misused against people."
According to the statement there are at minimum three digital identity systems known to have been in use recently in Afghanistan, including the e-Tazkira electronic national identity card system, and an Afghanistan Automated Biometric Identification System maintained by the Afghan Ministry of the Interior with support from the US government.
The third – the US military “Handheld Interagency Identity Detection Equipment” – was seized by the Taliban earlier this month along with the biometric data it stores.
A lending-focused decentralized finance platform has lost millions of dollars’ worth of AMP tokens and crypto-currency after falling victim to a second flash loan attack.
In a flash loan attack, a cyber-thief takes out a loan that requires no collateral – a flash loan – and uses it to manipulate and exploit the markets for financial gain. The criminal uses the capital that they’ve borrowed and pays it back in the same transaction.
Cyber-thieves drained DeFi protocols Cream Finance and Alpha Finance of funds totaling $37.5m back in February. Now Cream Finance has lost millions of AMP tokens and more than a thousand ether worth over $25m in a similar smart-contract exploit.
The latest flash loan attack was first reported by PeckShield on social media on Monday. Researchers at the blockchain security firm became suspicious when they came across Ethereum (ETH) records revealing that at least $6m had been drained at 5:44 UTC.
The theft was confirmed by Cream Finance on Monday via a Tweet that read: "C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract."
The platform went on to say that they had "stopped the exploit by pausing supply and borrow on AMP" and that "no other markets were affected."
According to Coinspeaker, the flash loan attack occurred in the early morning of August 30. It may have involved two cyber-thieves and a total of seventeen transactions.
In May, DeFi yield farming aggregator and optimizer for Binance Smart Chain (BSC) and ETH, Pancakebunny, lost close to $3m in a flash loan attack.
Announcing the attack on Twitter, the company said: “Attention Bunny Fam. Our project has suffered a flash loan attack from an outside exploiter. We will be posting a postmortem, in-depth analysis, but for the time being, we would like to update the community as to how this happened.”
Around a week later, a flash loan attack on Binance Smart Chain DeFi project Bogged Finance saw $3m exploited.
New positions are being created at the United States Department of Justice (DOJ) with the intention of helping prosecutors and attorneys handle emerging national security threats.
The positions are part of a new Cyber Fellowship program, announced by Deputy Attorney General Lisa Monaco on Friday. The fellowship program will be coordinated by the Criminal Division’s Computer Crime and Intellectual Property Section.
In May, Monaco ordered a comprehensive cyber review of the Department of Justice with the purpose of developing actionable recommendations to improve and increase the department’s efforts against digital threats.
The suggestion to create a Cyber Fellowship program is one of the actionable recommendations to have emerged so far from this ongoing 120-day review.
Monaco said attorneys and prosecutors needed to have training if they were to stand a chance against future threat actors.
“As we have witnessed this past year, cyber threats pose a significant and increasing risk to our national security, our economic security, and our personal security,” said Monaco.
“We need to develop the next generation of prosecutors with the training and experience necessary to combat the next generation of cyber threats. This Fellowship gives attorneys a unique opportunity to gain the well-rounded experience they need to tackle the full range of those threats.”
Applications to the three-year Cyber Fellowship will be accepted through the Justice Department’s Honors Program application portal. To be accepted into the program, applicants must be able to secure a Top Secret security clearance.
The training will take place in the Washington, DC, area, with fellows being given the chance to handle a broad range of cyber cases taken on by the department so they can develop a deep understanding of how the DOJ responds to both critical and emerging threats.
In a statement released Friday, the DOJ said: "Fellows can expect to investigate and prosecute state-sponsored cyber threats; transnational criminal groups; infrastructure and ransomware attacks; and the use of cryptocurrency and money laundering to finance and profit from cyber-based crimes."
Fellows will rotate through multiple department components, including the Criminal Division, the National Security Division and the US Attorneys’ Offices, while completing their training.
An entertaining new campaign has been launched to combat the sea of misinformation about coronavirus vaccines on social media that was branded an "infodemic" by the World Health Organization.
The Instagram-based campaign was created by healthcare agency FCB Health New York IPG and non-profit group GMHC and is fronted by drag queen and influencer Miz Jade.
As the glamorous and red-headed Ms. Information, the performer imparts facts about COVID-19 and coronavirus vaccines in a comedic style that bemoans the crippling impact of the pandemic on her social life.
The campaign's creators hope that playfully portraying the virus as the destroyer of a "hot girl summer" will encourage members of the LGBTQ+ community to get vaccinated.
Ms. Information shares the facts in a fun way in a series of short video clips. Visitors to @therealmsinformation will encounter the drag queen wearing a figure-hugging leopard print dress and matching elbow-length gloves, imparting such witticisms as, “Girl, misinformation is spreading faster than a fire in a wig factory.”
Jason Cianciotto, GMHC’s senior managing director of institutional development & strategy, said that the campaign was a light-hearted alternative approach to putting hard pressure on the public to get vaccinated.
“We recognize that shaming people is not effective and can be detrimental to the well-being of the people we serve,” said Cianciotto. “We don’t want to lose the battle of misinformation about HIV/AIDS and Covid-19.”
Recent data analysis from the Human Rights Campaign Foundation and PSB Insights found a high level of vaccine hesitancy in the black LGBTQ community.
The data is based on a survey of 22,000 adults in the United States which asked how many LGBTQ people may be unlikely to say they want to get vaccinated.
Overall, 42% of LGBTQ adults said that they were very likely to get the COVID-19 vaccine compared to just 39% of the general American population. However, only 29% of black LGBTQ adults said they were likely to get vaccinated.
In exploring the impact of misinformation about the vaccine on the LGBTQ community, HRCF observed: "Despite the vaccines' being available for free, LGBTQ adults have concerns about the cost of the vaccine, especially LGBTQ adults of color, bisexual adults and transgender adults."
Customers were warned that threat actors could even delete their main database by exploiting a vulnerability in Microsoft Azure's flagship Cosmos DB database that has been named ChaosDB.
The alleged flaw was unearthed on August 9 by a team of security researchers, who found that they could get hold of keys that unlock access to databases belonging to thousands of businesses. The researchers are employed by security company Wiz, which was reportedly paid $40,000 by Microsoft for detecting and reporting the serious vulnerability.
Microsoft told Reuters: "We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure."
However, Reuters reports that Microsoft was not able to immediately fix the issue itself, as the company cannot make changes to customers' keys. Instead, Microsoft emailed its cloud computing customers yesterday and instructed them to cut new virtual keys.
In its email to customers, Microsoft said: "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key."
But the severity of the vulnerability was apparent to Wiz chief technology officer Ami Luttwak. The former CTO at Microsoft's Cloud Security Group said: “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
In a blog post dedicated to the discovery, Wiz stated that its researchers "were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies."
Luttwak warned that the flaw, which was found lurking in a visualization tool called Jupyter Notebook, may have impacted additional Microsoft customers who have not been notified, since the company only emailed customers whose keys were visible in August.
Camille Charaudeau, vice president of product strategy at CybelAngel, commented that the flaw met all the conditions for "a proper ransomware attack."
The US Air Force has chosen a town nicknamed "Danger City" to be the location for the Air National Guard's first Cyber Warfare Wing.
Mansfield has around 50,000 inhabitants and is situated in the northeastern part of Ohio, midway between Columbus and Cleveland. According to local beer-maker the Phoenix Brewing Company, the town earned its ominous nickname in the 1970s when businesses fled the downtown area for premises in a suburban shopping mall.
The US Air Force announced on Wednesday that the town's Mansfield-Lahm Air National Guard Base has beaten Minneapolis-St. Paul International Airport in Minnesota to be chosen as the base for a new Cyber Warfare Wing mission.
News of the selection followed a visit to the base earlier this month by a site survey team. To advance the new cyber mission, the Air Force plans to retire eight C-130H Hercules from its aging inventory at the 179th Airlift Wing in 2022.
The Air Force plans to create 175 new positions at Mansfield ANGB, which will be STEM and IT focused.
In a press release issued Thursday, 179th Airlift Wing commander, Col. Todd Thomas, said that the transition from air to desk will be a hard one.
“Since becoming the Wing Commander, I have always told our Airmen we must do everything in our ability to 'keep the front gate open' and flex to whatever mission allows us to be viable well into the future and aligns with the National Defense Strategy," said Thomas.
"I am extremely confident our Airmen are capable of shifting focus from tactical air-land and air-drop operations to the cyber battlefield. I look forward to what our Airmen will bring to the cyber fight.”
Ohio governor Mike DeWine welcomed the new mission as "a tremendous win" for the state.
"Ohio is gaining a leading-edge mission that will strengthen the fabric of the military community and further solidify Ohio as a national leader in cybersecurity excellence," said DeWine.
"Not only will this new mission bring more jobs into the community, but it will also spur more economic growth and create new opportunities for industry and academic growth."
The FBI has issued a warning to firms about an increasingly prolific new ransomware variant known as Hive.
The Flash alert posted this week noted that the affiliate-based ransomware uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate.
It noted that these include phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally.
The malware itself looks for and terminates processes linked to backups, anti-virus and file copying to boost its chances of success. Encrypted files end with a .hive suffix.
“The Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform clean-up after the encryption is finished, by deleting the Hive executable and the hive.bat script,” the alert continued.
“A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file.”
The ransom note, dropped into every impacted directory, warns that if encrypted files are modified, renamed or deleted, they can’t be recovered. In the spirit of modern ransomware operations, which are highly professionalized, there’s also a live chat link to a ‘sales department,’ accessible through a TOR browser, for further communication.
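The behaviours the FBI alert describes (bulk renaming to a .hive suffix, the hive.bat and shadow.bat helper scripts, and termination of backup, anti-virus and file-copy processes) translate naturally into endpoint detection rules. The following is an added example, not code from the FBI alert or from any vendor; the event record format, the process-name keyword watchlist and the bulk-file threshold are assumptions made for the example.

```python
"""Heuristic detector for the Hive ransomware behaviours named in the FBI
Flash alert.  Added example, not from the alert.  Event format, keyword
watchlist and thresholds are assumptions for illustration."""
from collections import defaultdict
from typing import Dict, Iterable, List

# Scripts named in the alert: hive.bat (self-cleanup) and shadow.bat
# (shadow copy deletion).
HIVE_SCRIPTS = {"hive.bat", "shadow.bat"}
ENCRYPTED_SUFFIX = ".hive"

# ASSUMPTION: substrings that mark backup, anti-virus or file-copy processes.
# A real rule would carry a vendor-specific list; this one is illustrative.
DEFENCE_KEYWORDS = ("backup", "antivirus", "defender", "vss", "copy", "sync")

# ASSUMPTION: this many .hive files from one process flags bulk encryption.
BULK_THRESHOLD = 5
# ASSUMPTION: this many defence-process terminations from one process is alerted on.
TERMINATE_THRESHOLD = 2


def _basename(path: str) -> str:
    """Lower-cased final path component; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return findings for a window of endpoint events.

    Each event is a dict with keys:
      type : 'file_create' or 'process_terminate'
      pid  : id of the originating process (string)
      path : created file path, or image name of the terminated process
    """
    findings: List[Dict[str, str]] = []
    hive_files = defaultdict(list)   # pid -> paths ending in .hive
    killed = defaultdict(list)       # pid -> defence process names terminated

    for ev in events:
        pid = ev.get("pid", "?")
        name = _basename(ev.get("path", ""))
        if ev.get("type") == "file_create":
            if name in HIVE_SCRIPTS:
                findings.append({"rule": "hive_helper_script", "pid": pid,
                                 "evidence": ev["path"]})
            elif name.endswith(ENCRYPTED_SUFFIX):
                hive_files[pid].append(ev["path"])
        elif ev.get("type") == "process_terminate":
            if any(k in name for k in DEFENCE_KEYWORDS):
                killed[pid].append(name)

    for pid, paths in hive_files.items():
        if len(paths) >= BULK_THRESHOLD:
            findings.append({"rule": "bulk_hive_suffix", "pid": pid,
                             "evidence": f"{len(paths)} files, e.g. {paths[0]}"})
    for pid, names in killed.items():
        if len(names) >= TERMINATE_THRESHOLD:
            findings.append({"rule": "defence_process_termination", "pid": pid,
                             "evidence": ", ".join(names)})
    return findings


def severity(findings: List[Dict[str, str]]) -> str:
    """Combine rules into one verdict: encryption plus helper scripts is critical."""
    rules = {f["rule"] for f in findings}
    if "bulk_hive_suffix" in rules and "hive_helper_script" in rules:
        return "critical"
    if rules:
        return "suspicious"
    return "clean"


# Constructed sample window: one process (pid 4120) kills two defence
# processes, renames six files to .hive and drops both helper scripts.
SAMPLE_EVENTS = [
    {"type": "process_terminate", "pid": "4120", "path": "BackupAgent.exe"},
    {"type": "process_terminate", "pid": "4120", "path": "AntivirusSvc.exe"},
] + [
    {"type": "file_create", "pid": "4120", "path": f"C:\\Users\\alice\\Documents\\report{i}.docx.hive"}
    for i in range(6)
] + [
    {"type": "file_create", "pid": "4120", "path": "C:\\Users\\alice\\Documents\\hive.bat"},
    {"type": "file_create", "pid": "4120", "path": "C:\\Users\\alice\\Documents\\shadow.bat"},
    # Benign noise from another process: a single unrelated file.
    {"type": "file_create", "pid": "988", "path": "C:\\Temp\\notes.txt"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["evidence"])
    print("verdict:", severity(analyze_events(SAMPLE_EVENTS)))
```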
Some victims told the FBI they had received follow-up phone calls from their attackers urging payment. A second tactic is to exfiltrate and publish stolen files on a public leak site.
It’s believed the group, or affiliates associated with Hive, were responsible for the attack on Memorial Health System earlier this month, which disrupted IT systems at nearly all of its 64 clinics and three hospitals.
According to Palo Alto Networks, Hive had breached 28 organizations listed on its leak site as of this week, including a European airline company. It was first discovered in June.
Security researchers have discovered another critical bug in IoT security camera systems that could allow attackers to hijack devices.
Network video recorders (NVRs) are an important part of any connected security camera system in that they’re designed to capture, store and manage incoming video feeds from IP cameras.
If exploited, the vulnerability could cause a stack-based buffer overflow, allowing an unauthenticated, remote attacker to access sensitive information and execute code, according to an ICS advisory from the Cybersecurity and Infrastructure Security Agency (CISA).
Nozomi Networks said this could lead to a loss of confidentiality, integrity and device availability. In practice, this means enabling attackers to snoop on or delete footage, change the configuration of motion detector alarms, or halt recording altogether.
As such, a cyber-attack exploiting CVE-2021-32941 could be used to support physical robberies of premises protected by Annke devices.
The bug itself could be exploited directly by attackers to elevate privileges on the system and indirectly in drive-by-download attacks.
“It is sufficient for an administrator, operator, or user to browse a specifically crafted webpage, while simultaneously logged in to the web interface of the device, to potentially cause the execution of external malicious code on the device itself,” warned Nozomi.
Fortunately, Annke acted quickly to fix the issue, releasing new firmware to patch the problem just 11 days after Nozomi’s responsible disclosure.
This is the second critical flaw affecting IoT cameras that Nozomi Networks has found this summer. Back in June it warned of a bug in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, and baby and pet monitoring cameras.
This could also have allowed attackers to eavesdrop on users.
Another vulnerability was found in ThroughTek’s Kalay platform just last week, affecting potentially millions of devices.
A Chinese game developer has unwittingly exposed the personal and device details of over a million players after leaving an internet-facing server unsecured, according to researchers.
A team at vpnMentor led by Noam Rotem and Ran Locar, discovered the unprotected Elasticsearch server on July 5. After no reply from its owner, EskyFun Entertainment Network Limited, they contacted the Hong Kong CERT, and the next day, July 28, the database was secured.
The 134GB trove contained an estimated 365 million records linked to players of the firm’s fantasy games: Rainbow Story: Fantasy MMORPG; Metamorph M; and Dynasty Heroes: Legends of Samkok.
This giant collection of user records is even more noteworthy given the firm collected only a rolling log of the previous seven days’ records, with anything older deleted to make way for fresh data.
“The reason for the sheer size of the data exposed appears to be EskyFun’s aggressive and deeply troubling tracking, analytics, and permissions settings,” vpnMentor claimed. “EskyFun gains access and control to almost every aspect of a person’s device and even their private networks. Most of [the data] is totally unnecessary for the games to function.”
Among the data leaked via the unsecured server were IP address, device model, phone number, geolocation and buyer account ID. The researchers also found over 217 million email addresses and plaintext EskyFun passwords.
The vpnMentor team estimated the number of users affected at over one million due to the number of Android downloads the three affected games have: around 1.5 million.
“Combining a user’s email address, gaming history, and support requests, hackers could send thousands of phishing emails posing as EskyFun’s support,” the researchers wrote.
“The database also contained plenty of data to build a profile of users and identify two vulnerable groups: high-paying accounts and children. By focusing on these users, hackers could reap huge financial rewards from a small group of victims.”
Cyber-criminals could also have used the plaintext passwords to hijack users’ EskyFun gaming accounts or to support credential stuffing campaigns designed to unlock other accounts across the web that the same credentials may protect.
The most popular uses for facial recognition technology (FRT) by federal agencies are cybersecurity and digital access, according to a new report by the United States Government Accountability Office.
The GAO surveyed 24 agencies about their FRT activities in the fiscal year 2020 and found 75% (18) use an FRT system for one or more purposes.
Sixteen agencies reported deploying the technology for digital access or cybersecurity purposes, with two of these agencies (General Services Administration and Social Security Administration) saying that they were testing FRT to verify the identities of people who were accessing government websites.
The report stated that 14 of these 16 agencies "authorized personnel to use FRT to unlock their agency-issued smartphones — the most common purpose of FRT reported."
Six agencies said that they had been using FRT to generate leads in criminal investigations; for example, to identify a person of interest by comparing their image against mugshots.
"In some cases, agencies identify crime victims, such as exploited children, by using commercial systems that compare against publicly available images, such as from social media," stated the report.
Just over a quarter (27.5%) of agencies reported using FRT to monitor or surveil locations to control access to a building or facility or to detect the presence of an individual, such as someone on a watchlist.
More than half of the agencies (55%) reported FRT-related research and development that included examining the technology's ability to detect image manipulation and researching how accurately it could identify individuals wearing masks during the COVID-19 pandemic.
The Department of Justice reported conducting applied research on the capabilities and limitations of current synthetic face detection, such as deepfakes, and the relationship between skin tone and false match rates in facial recognition algorithms.
Plans to expand their use of FRT through to 2023 were reported by 10 of the 18 agencies, with one agency planning to pilot the use of FRT to automate identity verification processes for travelers at airports.
The US Treasury Inspector General for Tax Administration reported buying an FRT system that can identify facial images of criminal suspects. The system searches an online image cache that includes evidence from seized devices for potential matches of individuals linked to other investigations.
Police in Arizona have arrested a Tennessee man who went on the run after being indicted over a scheme to profit from confidential records belonging to the Memphis Police Department (MPD).
On Wednesday, US Marshal Tyreece Miller announced the arrest of Roderick Harvey for bribery of a public servant and violation of a computer act over $10,000.
The Tennessee Bureau of Investigation (TBI), working with the US Marshals Two Rivers Violent Fugitive Task Force, tracked Harvey to Phoenix, where he was detained without incident and booked into the Maricopa County Jail.
Miller said: “Despite Harvey’s attempt to evade arrest by traveling over a thousand miles, he was safely apprehended.”
Harvey was one of nine people indicted by a Shelby County Grand Jury on August 6 following a year-long investigation by the TBI that began in June 2020.
The probe was requested by district attorney general Amy Weirich after former Shelby County assistant district attorney Glenda Adams was fired from her role and investigated after allegedly misusing confidential information.
Harvey's alleged co-conspirators include Adams, three former employees of MPD, and a personal injury attorney with Wells & Associates. The TBI investigation found that Adams, Harvey, Egypt Berry, Latausha Blair, Renatta Dillard, Marcus Lewis, Aaron Neglia, Martin Nolan, and Mustafa Sajid "were responsible for an elaborate scheme to profit from the use of confidential information in Memphis police reports.”
Case prosecutor Bryant Dunaway said the scheme involved buying information about traffic crashes from government employees before that information became public.
He said: "It seems to be there's big business in personal injury attorneys and others to acquire information on crash victims, early, before it's available to the public. It's kind of a race to get there."
Adams, Berry, Lewis, Neglia, Nolan and Sajid are all accused of bribing a public servant. Adams, Berry, Blair, Dillard, Neglia and Nolan are accused of a violation of the computer act over $10,000. Adams, Berry and Nolan are accused of official misconduct.
Berry and Dillard were in custody by August 6, and all the other defendants except Harvey made arrangements to turn themselves in to law enforcement.
The TBI said the investigation remains ongoing and “more indictments are expected.”
The attorney general of New Mexico has brought a lawsuit against a Finnish game developer over its treatment of children's data.
In the complaint, Hector Balderas accuses Rovio Entertainment of illegally collecting the data of children under the age of 13 who play the puzzle video game Angry Birds.
Rovio is further accused of sending the children's data to multiple third-party marketing companies that analyze, repackage, resell and otherwise use the information to sell targeted advertising to those children.
The suit states: "Rovio monetizes children by surreptitiously exfiltrating their personal information while they play the Angry Birds Gaming Apps and then using that personal information for commercial exploitation."
Developers of child-directed games are required under the federal Children’s Online Privacy Protection Act (COPPA) to obtain parental consent before collecting any personal information from players. Creators whose games are targeted at a wide age range must still take action to ensure that data belonging to users under the age of 13 is not collected.
"The State’s complaint alleges that Rovio has deliberately attempted to turn a blind eye to its enormous child audience, while simultaneously marketing the Angry Birds games to kids through movies, lunch boxes, kids’ meals, and more," wrote the New Mexico attorney general's office in a statement released Wednesday.
New Mexico is seeking an injunction to prohibit Rovio's data collection practices. The state is also pursuing civil penalties and restitution from the Finnish game developer.
“Parents must have the power to protect their children and determine who can have access to their child’s personal data, and New Mexican parents are being misled about what information is being collected from their children,” said Balderas.
“This company must follow the law, and we will always hold companies accountable that risk the safety of children.”
Angry Birds is a simplistic game in which cartoon birds are launched from a giant slingshot to knock down structures erected by green cartoon pigs.
Since the game series was launched in 2009, its 35 spin-off games have been downloaded more than 4.5 billion times collectively, making Angry Birds the most downloaded freemium game series of all time.
The UK Cyber Security Council has today announced it has opened its membership application process.
The self-regulatory body for the cybersecurity education and skills sector, which launched as an independent entity earlier this year, is now inviting applications from eligible organizations throughout the UK. These are any organizations “with an interest in promoting, supporting and developing the cybersecurity profession.”
Those organizations whose membership applications are accepted will be allowed to nominate representatives to the Council’s committees, focusing on the core activities of professional standards, qualifications and careers, ethics and diversity.
Don MacIntyre, interim CEO for the UK Cyber Security Council, commented: “Professional standards, qualifications and careers, ethics and diversity are the stand-out issues facing the profession and its practitioners. Businesses with an interest in cyber security will never have a better opportunity to influence the direction and development of these and other issues than to join the Council and get involved.”
The Council added that it would be putting in place engagement mechanisms to gather views from member organizations and use these insights to inform activities and decisions. MacIntyre said: “It is only through building an actively engaged community of members that the Council will be able to speak as the representative voice for the UK’s cyber security profession. With every new membership, our voice becomes clearer, louder and increasingly more difficult to be ignored.”
The UK government commissioned the UK Cyber Security Council in 2018 to promote and steward standards across the industry, with the overarching aim of helping close the UK’s cyber skills gap.
In June, the Council announced its first two initiatives as part of its remit to boost professional standards in the cyber industry. These were to determine the terms of two committees: a Professional Standards & Ethics Committee and a Qualifications & Careers Committee. These committees are tasked with helping ensure a common set of standards are adopted throughout education and training interventions related to cybersecurity. The Council also revealed it would be working on an initial mapping of CyBOK’s Qualifications Framework onto a public-facing Career Pathways Framework.
For more information on how to apply for membership to the Council, visit: https://www.ukcybersecuritycouncil.org.uk/membership/
Personal and clinical data of more than 73,000 patients have been affected by a “sophisticated ransomware cyber-attack” on a private medical clinic in Singapore.
In a press release, Eye & Retina Surgeons revealed the attack took place on 6 August, compromising sensitive data including patients’ names, addresses, ID card numbers, contact details and clinical information. However, no credit card or bank account details were accessed or compromised in the incident.
“Patients are now being progressively informed of this cyber-incident,” the release stated.
The clinic confirmed that the attack impacted servers and several computer terminals at its branch in Camden Medical, although none of its other branches were affected. Thankfully, none of the eye specialist’s clinical operations were affected, and its IT systems are now securely restored.
The company noted it “maintains segregated networks and active medical records are maintained separately on a cloud-based system and thus were not accessed or compromised.”
The incident was reported to the Personal Data Protection Commission and the Singapore Computer Emergency Response Team (SingCERT), while the Eye & Retina Surgeons’ IT team is working with the Cybersecurity Agency of Singapore (CSA) and the Ministry of Health (MOH) to investigate the causes and perpetrators of the attack.
The clinic said there is no evidence that any compromised data has been published, but it will continue to monitor the situation. It added: “(Eye & Retina Surgeons) regrets this breach and wishes to assure its patients that it takes patient confidentiality very seriously.”
In a separate statement, Singapore’s MOH reassured citizens that the compromised systems are not connected to its own IT network, including the National Electronic Health Record, and “there have been no similar cyberattacks on MOH’s IT systems.”
It added: “Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data. It is only through the disciplined maintenance of a safe and secure data and IT system that healthcare professionals will be able to deliver accurate and appropriate care and uphold patient safety.”
Commenting on the story, Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group, said: “Every organization is a software organization, even an eye clinic. All organizations, no matter their size or industry, must include cybersecurity as part of their day-to-day operations. A comprehensive, proactive approach to security reduces risk for the organization and its customers.
“In the case of Eye & Retina Surgeons, segmenting the network between administrative functions and medical data was a smart defensive move and prevented this attack from being much worse. This technique is part of the basic security hygiene that all organizations should practice. Even with the best defenses, things can still go wrong. Incident planning helps the organization be prepared to remediate problems and notify customers and authorities.”
The UK government’s preferred candidate to be the next information commissioner will be John Edwards, who currently serves as New Zealand’s privacy commissioner.
The information commissioner plays an increasingly important role in the UK’s regulatory landscape following the country’s departure from the EU.
The Information Commissioner’s Office (ICO) is an independent body that regulates the GDPR and its UK equivalent, the Data Protection Act 2018, as well as the Freedom of Information Act, the NIS Directive — transposed into UK law as the Network and Information Systems Regulation 2018 — and the Privacy and Electronic Communications Regulations (PECR), which govern nuisance calls and spam.
Edwards was appointed privacy commissioner in 2014 and is currently serving his second five-year term in New Zealand. He brings with him over two decades of regulatory and legal experience.
Edwards will now appear before MPs on the Digital, Culture, Media and Sport Select Committee for pre-appointment scrutiny on September 9.
He will arrive at a key moment for the UK as it seeks to strike multibillion-pound “data adequacy” agreements with the US, Australia and South Korea, and navigate a tricky relationship with the EU.
Although the bloc has adopted a data adequacy decision enabling the free flow of information to and from the continent, it may be challenged in court given concerns that the UK’s intelligence services could snoop on European citizens’ data.
“There is a great opportunity to build on the wonderful work already done and I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all,” said Edwards.
Current information commissioner Elizabeth Denham claimed her office had supported innovation while driving public trust in data use during the pandemic.
“Implementing any changes parliament decides on will fall to my successor, who will take on a role that has never been more important or more relevant to people’s lives,” she added.
“John Edwards would bring extraordinary breadth, international leadership and credibility to this role. He will receive the support of a modern, independent ICO that has the courage, resources and expertise to make a positive difference to people’s lives.”
Over 1,850 teenagers signed up for a government-backed cybersecurity skills initiative this summer, a record number, according to the National Cyber Security Centre (NCSC).
The CyberFirst summer course is run by the GCHQ off-shoot and went online-only last year during the pandemic.
That saw record participation, which has been surpassed again in 2021, the NCSC claimed. The number of applications this year was also record-breaking, increasing from 3,909 in 2020 to 4,384.
The course itself is open to 14 to 17-year-olds and covers topics such as digital forensics, ethical hacking and cryptography. Pupils now have the option of attending in person at a location in Warwickshire or completing it online.
This year, 43% of attendees were girls, and nearly half (47%) were pupils from ethnic minority backgrounds. Both groups are under-represented in the industry.
CyberFirst courses are intended to spur and nurture an interest in cybersecurity, which will ultimately help close major skills shortages and gaps in the sector.
According to the government, half (50%) of businesses have a basic skills gap — which means those in charge of cybersecurity don’t have the confidence to perform basic tasks. Meanwhile, the shortage of cyber professionals in the UK is estimated at over 27,000, according to the ISC2.
“It’s fantastic to see so many young people engaging with cyber security and developing the skills that will help them thrive in the industry,” said Chris Ensor, NCSC deputy director for cyber growth.
“Our summer courses provide fun, hands-on opportunities to learn about defending our digital world and we hope they will be inspired to pursue their interests further. The next generation of cyber experts must be diverse as well as skilled, and through CyberFirst we are committed to making the industry a more accessible and inclusive place for all.”
More than 55,000 students have taken part in CyberFirst courses and the Girls Competition since 2016.
Some of the world’s biggest tech companies have committed tens of billions of dollars to improving supply chain security, closing industry skills gaps and driving security awareness among the public, according to the White House.
As reported by Infosecurity yesterday, the Biden administration welcomed the CEOs of Microsoft, Apple, Google, IBM and others to a meeting yesterday to discuss the “whole-of-nation” effort needed to address cybersecurity threats.
The result of that encounter has been a series of commitments from these firms, including $10bn from Google over the next five years to expand zero trust and improve supply chain and open source security. The tech giant will apparently also help 100,000 Americans earn “digital skills certificates.”
IBM said it would train 150,000 people in cyber skills over the coming three years and focus on improving the diversity of the security workforce, while Microsoft has committed $20bn over five years to drive security by design, and $150m for federal, local and state governments.
Apple will establish a new program to improve supply chain security, including among its 9,000 US suppliers, with multi-factor authentication (MFA), vulnerability remediation, event logging and incident response all playing a key role.
Amazon is making MFA devices available to all AWS customers and rolling out the security training it offers employees to the general public.
Aside from these commitments, the White House announced the expansion of its Industrial Control Systems Cybersecurity Initiative, from the electricity sector to natural gas pipelines, and said the National Institute of Standards and Technology (NIST) would develop a new framework for supply chain security.
In another potentially significant move, insurer Resilience said it would require policyholders to meet a threshold of cybersecurity best practice as a condition of receiving coverage — something experts have been demanding for some time across the industry.
“I’m especially excited to see that Resilience is requiring minimum cybersecurity standards as a condition of coverage,” argued Jake Williams, co-founder and CTO at BreachQuest. “Many organizations view cyber-insurance as an alternative to implementing security controls rather than as a complement to those controls.”
There were also pledges from several education providers to help improve security awareness among the public and grow America’s cyber workforce. The White House claimed it currently has a skills shortage of nearly 500,000 professionals.
“We applaud Amazon’s commitment to make security awareness training available at no charge and to deliver multi-factor authentication (MFA) to all Amazon Web Services account holders. Such basic defenses should be in place everywhere,” argued Jack Kudale, founder and CEO of Cowbell Cyber.
“The security crisis is acute within the small and mid-size business segment. Incentives to drive change and adoption of fundamental cyber-hygiene practices including cybersecurity and cyber-insurance will change the balance of power between businesses and cyber-criminals.”
A coalition bill that grants the police more powers to spy on criminal suspects online has been passed by the Australian government.
The Surveillance Legislation Amendment (Identify and Disrupt) bill has created three new types of warrants that enable the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to modify and delete data belonging to cybercriminal suspects and take over their accounts.
Using the new data disruption warrants, the AFP and the ACIC can prevent serious offenses from being committed online by modifying, adding, copying or deleting data. Network activity warrants allow the agencies to gather intelligence on criminal activity being carried out by cyber-criminal networks, while account takeover warrants can be used to take control of a suspect's online account.
An eligible judge or a nominated member of the administrative appeals tribunal (AAT) can issue the data disruption and network activity warrants. However, the account takeover warrants must come from a magistrate who is satisfied that there are reasonable grounds that such a step is required to collect evidence relating to a relevant offense.
On Tuesday, Labor MP Andrew Giles told the lower house that the bill had gained the support of the opposition because “the cyber-capabilities of criminal networks have expanded, and we know that they are using the dark web and anonymizing technology to facilitate serious crime, which is creating significant challenges for law enforcement.”
The Greens flagged that the new powers go against a central recommendation of the Richardson review of the legal framework for Australia's intelligence community. Richardson found that “law enforcement agencies should not be given specific cyber-disruption powers.”
Recommendations to improve safeguards and oversight concerning the new powers were made earlier this month by the parliamentary joint committee on intelligence and security (PJCIS), though not all of them were implemented.
The committee can review the bill after four years, and the Independent National Security Legislation Monitor will review the bill in 2024.
Kieran Pender, senior lawyer at the Human Rights Law Centre, told Guardian Australia that the new powers granted to the AFP and ACIC under the bill “are unprecedented and extraordinarily intrusive."
Private data belonging to an alleged treaty violator was accessible to unauthorized FBI agents for months because of a software program flaw.
Former Ethereum developer Griffith was arrested at Los Angeles International Airport in November 2019 and charged with violating the International Emergency Economic Powers Act by traveling to the Democratic People’s Republic of Korea to give a presentation and technical advice on using crypto-currency and blockchain technology to evade sanctions.
In January 2020, in a Southern District of New York courthouse, Griffith pleaded not guilty to the charge.
The Palantir defect exposed data that had been recovered from Griffith's Twitter and Facebook accounts in March 2020 during the execution of a federal search warrant. Prosecutors in the case against Griffith, who described the glitch in a letter, said it pertained to the program's default setting.
“When data is loaded onto the Platform, the default setting is to permit access to the data to other FBI personnel otherwise authorized to access the Platform,” wrote prosecutors.
The prosecutors wrote that word of the unauthorized access came to Griffith's assigned FBI case agent via an email sent by another agent. The email explained that material seized in the search and entered in Palantir through the program's default settings had been accessed by an FBI analyst.
A letter filed by the Bureau on Tuesday states: “An FBI analyst, in the course of conducting a separate investigation, had identified communications between the defendant and the subject of that other investigation by means of searches on the Platform that accessed the Search Warrant Returns.”
Prosecutors learned that three FBI analysts and an agent had viewed Griffith's private data owing to the Palantir glitch. None of the FBI employees who accessed Griffith's data were working on his case.
Between May 2020 and August 2021, the seized material was accessed at least four times.
Griffith is scheduled to appear in court on September 21.
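The failure described above is a default-allow access setting: data loaded onto the platform was readable by any otherwise-authorised user, so analysts on unrelated investigations could search it, and the exposure surfaced only when one of them happened to email the case agent. The following is an added illustration, not code from the article, the FBI or Palantir: a toy evidence-store model that contrasts the default-allow policy with a default-deny, per-case grant policy, and keeps an audit log so that cross-case reads can be found by review rather than by chance. The case names, users and item are constructed for the example.

```python
"""Default-allow vs default-deny access to seized evidence (added example).

A toy model of an evidence platform, constructed for illustration: it is not
the article's, the FBI's or Palantir's code. It shows why a default of "every
authorised platform user may read newly loaded data" leaks case material across
investigations, and how a default-deny, per-case grant policy plus an audit log
changes the outcome. All names, cases and users are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class EvidenceItem:
    item_id: str
    case_id: str          # the investigation the material was seized for
    description: str


@dataclass
class AccessEvent:
    user: str
    item_id: str
    allowed: bool
    policy: str


class EvidenceStore:
    """Holds items, per-case grants and an audit log of every read attempt."""

    def __init__(self, default_deny: bool) -> None:
        self.default_deny = default_deny
        self.items: Dict[str, EvidenceItem] = {}
        self.grants: Dict[str, Set[str]] = {}   # case_id -> users granted access
        self.audit: List[AccessEvent] = []

    def load(self, item: EvidenceItem) -> None:
        self.items[item.item_id] = item
        self.grants.setdefault(item.case_id, set())

    def grant(self, case_id: str, user: str) -> None:
        self.grants.setdefault(case_id, set()).add(user)

    def read(self, user: str, item_id: str) -> bool:
        """Apply the access policy and record the attempt, allowed or not."""
        item = self.items[item_id]
        if self.default_deny:
            # Only users explicitly assigned to the item's case may read it.
            allowed = user in self.grants[item.case_id]
            policy = "default-deny"
        else:
            # Platform-wide authorisation is enough: any logged-in user reads it.
            allowed = True
            policy = "default-allow"
        self.audit.append(AccessEvent(user, item_id, allowed, policy))
        return allowed

    def cross_case_reads(self) -> List[AccessEvent]:
        """Audit review: successful reads by users not assigned to the item's case."""
        return [e for e in self.audit
                if e.allowed
                and e.user not in self.grants[self.items[e.item_id].case_id]]


def run_scenario(default_deny: bool) -> dict:
    """One case's search-warrant returns, its assigned agent, and an analyst
    from an unrelated investigation who searches the whole platform."""
    store = EvidenceStore(default_deny)
    store.load(EvidenceItem("swr-001", "case-A", "social media export (constructed)"))
    store.grant("case-A", "case_agent")
    reads = {
        "case_agent": store.read("case_agent", "swr-001"),
        "other_analyst": store.read("other_analyst", "swr-001"),
    }
    return {"reads": reads, "cross_case": len(store.cross_case_reads())}


if __name__ == "__main__":
    for mode in (False, True):
        print("default_deny=%s -> %s" % (mode, run_scenario(mode)))
```

Under the default-allow policy the unrelated analyst's read succeeds and only the audit review flags it afterwards; under default-deny the same read is refused and still logged, so the attempt remains visible to reviewers. The point for a defender is that the safe default has to be set when the platform is configured, and that the audit log is what turns an accidental discovery into a routine check.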