We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), as well as crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines. Also, don’t miss the items below in ORANGE.


CYBER RISK SUMMIT – REGISTRATION OPEN
Join us in Toronto on February 23, 2018!

Featuring a designated Risk Management Track, Regulatory and Litigation Updates, What’s New in Cyber Coverage, Security Solutions, and more! Register now!


CRYPTO CURRENCY
Tether Claims $31 Million Theft of USD Token by Hacker, Flags it ‘Non-Redeemable’

The Tether Treasury wallet has been hacked, leading to the loss of $31 million in USDT, a crypto-token which pegs its value to the US dollar through an inflationary monetary policy. Click to read entire article.

Massive Ethereum breach spells opportunity for banks

A collective “I told you so!” could be heard last week from the many bankers who have steered clear of cryptocurrency wallets. A programmer messing around in the code of the digital currency wallet provider Parity Technologies killed a smart contract and vaporized between $150 million and $350 million of the digital currency Ether. The owners of the funds, many of them small businesses, are still waiting to find out if they’ll ever get their money back. Click to read entire article.

PHARMACEUTICAL
—RANSOMWARE CAUSING BUSINESS INTERRUPTION—
Merck Cyber Attack: The Aftermath of a 135 Million Dollar Data Breach

In a quarterly report, Merck quantified the impact of the cyber attack in their annual revenue report. The financial impact was estimated at around US$135 million and $174 million in additional costs since June. The reason for the lost revenue can be traced back to NotPetya’s disruption of operations that forced a halt on drug production. Click to read entire article.

MOBILE APP
—CLASS ACTION ALERT – 50 MILLION USER BREACH—
Uber hit with 2 lawsuits over gigantic 2016 data breach

“Uber knew or should have known its security systems were inadequate.” The cases allege substantial negligence on Uber’s part: plaintiffs say the company failed to keep safe the data of the affected 50 million customers and 7 million drivers. Uber reportedly paid $100,000 to delete the stolen data and keep news of the breach quiet. Click to read entire article.

HIGHER EDUCATION
UK University fails to learn – UEA, a data breach repeat offender

The UEA has suffered another data breach; an email was sent to about 300 students in the social science faculty which included the personal health information of a member of staff, in a repeat use of a flaw not fixed previously. Click to read entire article.

Medical College of Wisconsin hit by data security breach

The Medical College of Wisconsin has notified thousands of patients their confidential information may have been compromised. The information includes addresses, bank accounts and Social Security numbers. Click to read entire article.

HEALTHCARE
Feds investigating exposure of patient data at Cook County Health and Hospitals System

The federal government is investigating a security lapse that exposed the personal information of more than 700 patients at Cook County Health and Hospitals System this year. Click to read entire article.

Lessons To Be Learned From The Breach Of Nearly 500,000 Individual Health Records Reported In September 2017

A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Click to read entire article.

UPMC hospital experiences data breach affecting 1.2k patients

A data breach led to the inappropriate access of at least 1,200 Williamsport, Pa.-based UPMC Susquehanna patients’ information, the hospital said in a statement Friday. Click to read entire article.

INTERNET OF THINGS (IoT)
Boeing 757 Hacked By DHS In Cybersecurity Test

A group of security researchers from private industry, universities, and the Department of Homeland Security (DHS) was able to successfully hack a Boeing 757 remotely in a non-laboratory setting. Click to read entire article.

20 million Amazon Echos and Google Homes threatened by widespread Bluetooth hack

Known as BlueBorne, the hack was first made public in September, after security firm Armis, which discovered the Bluetooth-based hack, had alerted Apple, Microsoft, Google and other manufacturers about their findings. Devices were quickly patched after it was claimed some five billion products using Bluetooth were at risk. Click to read entire article.

RETAIL
Forever 21 investigating possible data breach

The clothing store Forever 21 says customers who shopped at certain locations this year may have had their credit-card information stolen. Click to read entire article.

NON PROFIT
Nonprofit Data Breaches, Security Policies You Can’t Overlook

Utah Food Bank’s breach might have exposed the financial records of more than 10,000 donors. Sophisticated, high-profile hacks make the headlines, but for most nonprofits, it’s the small stuff that leads to lost or stolen data. If you’re writing or reviewing acceptable use or data security policies, there are five things you absolutely need to do. Click to read entire article.

PUBLIC ENTITY
—OPERATIONAL SHUTDOWN—
Hacker Breaches Sacramento Public Transportation System, Asks for 1 BTC Ransom

The Sacramento Regional Transit (SacRT) public transportation agency was forced to shut down its website due to a security breach that took place on Saturday, November 18. The shutdown happened after an unknown hacker had breached its server and defaced the agency’s portal. Click to read entire article.

Holly Springs addresses data breach, reaches out to residents

Holly Springs leaders said they have taken steps to secure residents’ personal information after the city experienced a data breach earlier this year, although one resident says it’s not enough. Residents received a letter this week from city officials alerting homeowners they recently identified and addressed “a security incident that may have involved (their) personal information.” Click to read entire article.

SERVICE PROVIDER (IT)
Spirit One faces lawsuit over email service collapse, data breach

A lawsuit filed Thursday seeks to recover data and damages from Portland internet service provider Spirit One, whose email service has been largely unaccessible to customers since September 29. Click to read entire article.

CYBER INSURANCE
Recent Decision Is Reminder That Separate Cyber Insurance Policies Are Necessary

The U.S. District Court for the Middle District of Florida, in Innovak International v. The Hanover Insurance Co., recently granted summary judgment in favor of Hanover Insurance Company finding that it had no duty to defend Innovak against a data breach lawsuit. Click to read entire article.

Children’s Hospital Sues Insurer For Data Breach Coverage

A California children’s hospital sued Illinois Union Insurance Co. for coverage of an underlying suit brought after the hospital mistakenly sent a document containing the protected information of more than 20,000 “young patients” to job applicants, according to a notice removing the suit to California federal court Friday. Click to read entire article.

LEGAL UPDATES
Unfair And Deceptive Trade Practices Claims In Data-Breach Lawsuits

Section 5 of the Federal Trade Commission Act provides a powerful tool for the federal government to regulate companies’ data-security practices. Rather than adopt specific data-security standards, the FTC often uses Section 5’s flexible and open-ended concepts of unfairness and deception to bring enforcement actions against companies for data-security failures. Click to read entire article.

Supreme Court May Decide Data Breach Victims’ Rights

The U.S. Supreme Court may decide whether you can act on that “Dear valued customer, we regret to inform you that your data may have been compromised …” letter or e-mail with an individual or class action lawsuit. Click to read entire article.

CANADA
Canadian organizations target of spear phishing attack, says IBM

Canadian small and medium-sized businesses are being targeted with spear phishing attacks from a gang trying to get employees to reveal corporate banking passwords and two-factor authentications, IBM researchers said today. Click to read entire article.

Student charged after McMaster database breach, 25K applicants affected

An 18-year-old McMaster student is facing charges after a password-protected database containing student admission offer letters was breached at the university. Click to read entire article.

EUROPE / UK
Barclays in major security breach as it admits posting out pin numbers with new cards

The bank’s actions are leaving account holders vulnerable, with many fearing their cards and pins could easily fall into the wrong hands. Click to read entire article.

Cash Converters Hit by Suspected Data Breach

UK pawnbroker Cash Converters believes customer data may be in the hands of a malicious third party after a suspected breach of its old website. Click to read entire article.

MIDDLE EAST
Will Google face legal action in Saudi Arabia and the UAE after breach admission?

Google may be subject to criminal and legal action after the media giant admitted that it is tracking people’s phones around the world even when they turn off location services and remove their SIM card. Click to read entire article.

ASIA/PACIFIC
Data breach hits Department of Social Services credit card system

The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached. Click to read entire article.

—CLOUD RISK—
Australian broadcaster hit by data breach

The Australian Broadcasting Corporation is the latest organisation to fall prey to misconfigured Amazon S3 storage buckets, exposing database backups and sensitive data such as login credentials. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response