We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: Flagstar Bank Hit With Latest MOVEit Suit Faulting Cybersecurity, City of Philadelphia Discloses Data Breach After Five Months, White House Issues Groundbreaking Executive Order on Artificial Intelligence and more.
Tech/Security
Okta Cybersecurity Breach Wipes Out More Than $2 Billion in Market Cap
Okta shares continued to slump, closing down more than 8% after the company disclosed that an unidentified hacking group had accessed client files through a support system. Okta makes identity management solutions and is a high-profile target for hackers, who have penetrated Okta’s customers in a spate of material hacks.
Government
White House Issues Groundbreaking Executive Order on Artificial Intelligence
The Order aims to create new standards and requirements for American companies and government agencies, operationalizing several principles articulated in the administration’s Blueprint for an AI Bill of Rights. While the Order primarily applies to federal agencies and contractors, it sets a precedent for future AI development and regulation with significant implications for companies and individuals in every sector.
Financial Services
(MOVEit related) Flagstar Bank Hit With Latest MOVEit Suit Faulting Cybersecurity
Flagstar Bank faces proposed class action claims alleging it failed to adequately protect customers’ sensitive data from the Clop-MOVEit ransomware hack and then slow-walked its notification to the 837,000 people it impacted.
(MOVEit related) Cadence Bank Hit With Class Action After Customer Info Was Exposed During MOVEit Data Breach
Cadence Bank faces a class action after it fell victim to a “massive and preventable” data breach that reportedly occurred between May 28 and May 31 of this year.
American Family Insurance Confirms Cyberattack Is Behind IT Outages
Insurance giant American Family Insurance has confirmed it suffered a cyberattack and shut down portions of its IT systems after customers reported website outages all week. In an email to BleepingComputer, American Family Insurance confirmed that it detected unusual activity on its network and shut off IT systems to prevent the spread of the cyberattack.
Wescom Credit Union Announces Data Breach Following Cybersecurity Incident at Vendor Barracuda Network, Inc.
On October 20, 2023, Wescom Credit Union (“Wescom”) filed a notice of data breach with the Attorney General of Maine after discovering that Barracuda Network, Inc., the vendor that provides security and data protection services to Wescom, experienced a data security incident. In this notice, Wescom explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names and Social Security numbers.
Trust Benefit Technologies Announces Data Breach Impacting an Unknown Number of Social Security Numbers
On October 19, 2023, Trust Benefit Technologies, LLC filed a notice of data breach with the Attorney General of California after discovering that an unauthorized party was able to access portions of the company’s computer system. In this notice, TBT explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers and dates of birth.
Public Entity
City of Philadelphia Discloses Data Breach After Five Months
The City of Philadelphia is investigating a data breach after attackers “may have gained access” to City email accounts containing personal and protected health information five months ago.
Higher Education
Financial Info of Students, Alumni Compromised by August Data Breach, U-M Says
University of Michigan students, employees and alumni may have had their personal and financial information compromised by an August data breach, the university announced. The university shut down its campus internet services after detecting a “significant security concern” the weekend before classes started.
Saint Louis University Confirms Months-Long Data Breach
Saint Louis University officials confirmed a recent data breach in which someone gained “unauthorized access” to personal information. The university is working to determine how many students and employees the data breach affected. The breach lasted nearly eight full months between Dec. 2022 and July 2023.
Energy
US Energy Firm Shares How Akira Ransomware Hacked Its Systems
In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached its networks and stole data during the attack. ... “Using that third-party contractor’s account, the TA (threat actor) reached the internal BHI network through a VPN connection,” reads the data breach notification.
Policy
President Biden’s AI Executive Order: What Private Sector Organizations Need to Consider
On October 30, 2023, President Biden signed an Executive Order as a part of the administration’s continued efforts to regulate the development and use of artificial intelligence (AI)-based technologies. Although many components of the Order focus on the federal government’s response to AI-related issues, there are also important items for private sector organizations to consider.
New York State Department of Financial Services Amends Cybersecurity Regulation 23 NYCRR Part 500
On November 1, 2023, the New York State Department of Financial Services adopted amendments to its Cybersecurity Regulations to incorporate current best practices to better protect businesses and consumers from emerging cyber threats. The amendments also incorporate additional requirements for businesses related to protections against cyber threats.
Genetic Testing
The 23andMe Data Breach Reveals the Vulnerabilities of Our Interconnected Data
On Oct. 6, news broke that 23andMe, the Google-owned company that collects genetic material from thousands of people for ancestry and genetic predisposition tests, had a massive data breach. But as it turns out, the company’s servers were not hacked. Rather, hackers targeted hundreds of individual user accounts — allegedly those that had weak or repeated passwords. After gaining access to the accounts, hackers could leverage the “DNA relatives matches” function of 23andMe to get information about thousands of people who didn’t use the service.
Healthcare
Health Net Data Breach $10M Class Action Settlement
Health Net and other defendants have agreed to a nationwide $10 million data breach class action settlement. The class action lawsuit claimed Health Net did not properly protect the personal information of its members and is therefore liable for the theft of the data — which included addresses, dates of birth, Social Security numbers and more. The class action lawsuit claims the class was injured due to the breach.
Casinos
Caesars, MGM Face Lawsuits in Wake of Costly Cyberattacks From September
Last month, separate lawsuits were filed in three states – Nevada, Illinois and New York – by plaintiffs claiming Caesars failed to protect consumer personal information. A suit against MGM was also filed in Nevada. Similar litigation could be forthcoming in states where casinos were infiltrated by the hackers.
India
800m Indians Reportedly Exposed in Massive Data Breach
More than half of the over 1.4 billion people in the world’s most populous nation may have been affected by the alleged breach, which could be India’s biggest if confirmed. The US-based cybersecurity company Resecurity said it had identified millions of personal information records belonging to Indian residents on sale on the dark web in early October.