Tag Archive for: united

Data Breach Notification Laws in the United States: What is Required and How is that Determined? | Burr & Forman

/in


Has your business considered what obligations you would have to notify people in the event of a cyber-attack that compromises some or all of your IT systems? Have you cataloged all the data you collect and where it is stored so that you can determine whose information is impacted by a breach? If not, you are certainly not alone. With the continuing increase in cyber-attacks and particularly ransomware, combined with laws that are imposing shorter and shorter notice deadlines, it is important for all businesses to understand the scope of their potential notification obligations in the event they fall victim to an attack.

Breach Notification Laws

Breach notification requirements obligate organizations that are collecting, storing, processing, or otherwise in possession of personally identifiable information to notify the individuals if the information is compromised in a security breach. In addition to notifying the identified individuals, many states require that the Attorneys General offices and the Credit Reporting Agencies be notified, depending on how many identified individuals in the state received notices. If you are missing contact information for some of the identifiable individuals, if the number of identified individuals is particularly high, or if the cost of the required notifications is excessive, you may have the option to, or be required to, provide substitute notice in lieu of or in addition to individual notices. In most cases, substitute notice requires notification to be placed prominently on your website as well as distributed through the media, in print, on television, and/or by radio.

In the United States, certain Federal Laws govern obligations to report data breaches in particular industries, including:

  • The Health Insurance Portability and Accountability (HIPAA) Act provides notification requirements for a security breach that compromises protected health information held by a covered entity or its business associates.
  • The Gramm-Leach Bliley Act (GLBA) requires covered financial institutions to notify customers whose non-public personal information is compromised by a security breach.
  • The Computer-Security Incident Notification Requirements for…

Source…

ExpressVPN CIO Helped United Arab of Emirates Hack Into Phones, Computers

/in


The chief information officer for ExpressVPN once helped the United Arab of Emirates orchestrate a massive cyberspying campaign on computers across the globe. 

According to the Justice Department, ExpressVPN CIO Daniel Gericke and two others worked as hackers for hire for the UAE to develop “zero-click” attacks capable of breaking into internet accounts and devices, including those in the US.  

All three formerly worked for the US intelligence community. However, by offering their hacking expertise to a foreign country from 2016 to 2019, the trio broke US export controls, which required them to obtain a license from the State Department to provide such services. Reuters originally reported on the hire-for-hacking scheme with the UAE, and said the spying ensnared iPhones and internet accounts belonging to activists, political rivals, and even Americans.  

The cyberspying naturally raises questions about the security around ExpressVPN. However, the VPN service is sticking with Gericke, who ceased his work with the UAE once he joined ExpressVPN in December 2019.  

“We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start,” ExpressVPN wrote in a blog post on Wednesday. “In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.”

Despite breaking US laws with the hacking, the Justice Department is refraining from charging Gericke with a crime. Instead, he’s entered into an agreement that forbids him from ever conducting “computer network exploitation” operations on behalf of an employer ever again. He also agreed to pay a $335,000 fine. 

ExpressVPN adds that it constantly vets its VPN service for security. “Of course, we do not rely on trust in our employees alone to protect our users,” it wrote in Wednesday’s blog post. “We have robust systems and security controls in place in all our systems or products. We also engage and provide significant access to many independent third parties to conduct audits, security assessments, and penetration tests on our systems and…

Source…

United Nations’ computer networks breached by hackers earlier this year

/in



Hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization.


The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web.





“We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” Stéphane Dujarric, spokesman for the UN Secretary-General, said in a statement on Thursday. “The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to, that are linked to the earlier breach.”


The credentials belonged to an account on the UN’s proprietary project management software, called Umoja. From there, the hackers were able to gain deeper access to the UN’s network, according to cybersecurity firm Resecurity, which discovered the breach. The earliest known date the hackers obtained access to the UN’s systems was April 5, and they were still active on the network as of Aug. 7.


“Organizations like the UN are a high-value target for cyber-espionage activity,” Resecurity Chief Executive Officer Gene Yoo said. “The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.”


The attack marks another high-profile intrusion in a year when hackers have grown more brazen. JBS SA, the world’s largest meat producer, was hit by a cyberattack this year that forced the shutdown of U.S. plants. Colonial Pipeline Co., operator of the biggest U.S. gasoline pipeline, also was compromised by a so-called ransomware attack. Unlike those hacks, whoever breached the UN didn’t damage any of its systems, but instead collected information about the UN’s computer networks.


According to Resecurity, company officials informed the UN of its latest breach earlier this year and worked with…

Source…

Chinese hackers behind VPN attack on US defence firms: Security experts, United States News & Top Stories

/in


WASHINGTON (AFP) – Chinese hackers allegedly penetrated a company’s VPN technology to break into computer networks of the US defence industry sector, security consultant Mandiant said on Tuesday (April 20).

Mandiant linked at least two hacking groups, one of them believed to be an official Chinese cyber-spying operation, to malware used to exploit vulnerabilities in VPN security devices made by Pulse Secure, owned by Utah-based Ivanti.

The group used the malware to try to hijack user and administrator identities and enter the systems of US defence industry companies between October 2020 and March 2021, Mandiant said.

It said that governments and financial firms in the US and Europe were also targeted.

It called one of the hacking groups UNC2630.

“We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,” it said, referring to a known Chinese state-sponsored hacking group.

It said a “trusted third party” also tied the hacking to APT5.

“APT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the US, Europe, and Asia,” Mandiant said.

it said it did not have enough information to identify who was behind some of the malware.

There was no assessment of how many companies were affected or what the hackers did with their access to the networks.

Pulse confirmed the main parts of the Mandiant report, saying that it had already released fixes to its products to block the malware.

Pulse said the hackers impacted “a limited number of customers.”

Source…