We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: drug testing firm sends data breach alerts after ransomware attack, Finastra hit by ransomware attack, Cincinnati firm faces $5m data breach lawsuit, NY SHIELD Act’s data security requirements are effective March 21, and more.
Ransomware Corner
Hammersmith Medicines Research LTD (HMR), a research company on standby to perform live trials of Coronavirus vaccines, has started emailing data breach notifications after having their data stolen and published in a ransomware attack. Click to read entire article.
The Stockdale Radiology medical diagnostics and analysis center is circulating notices of a data breach to its patients. It appears the company fell victim to a ransomware attack on January 17, 2020, with the network intruders managing to access locally stored patient data. Click to read entire article.
Finastra, a fintech firm that provides technology solutions to banks globally, announced that it shut down its key systems due to a security breach discovered on March 20, 2020. Finastra provides financial technology services to 90 top-rated banks across 130 countries globally. Click to read entire article.
Cyber gangsters have attacked the computer systems of a medical research company on standby to carry out trials of a possible future vaccine for the Covid-19 coronavirus. Click to read entire article.
Rainbow Dental Care, PLLC (Rainbow) has notified patients of a security breach that occurred last year. Click to read entire article.
Microsoft says that an Emotet infection was able to take down an organisation’s entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked into opening a phishing email attachment. Click to read entire article.
Remote Working
The popularity of working from home has steadily increased over the last 15 years, and is now estimated at 4.7 million employees — a 173% increase since 2005. This trend is likely to continue for the foreseeable future, even without the catalyst of a public health emergency. Click to read entire article.
Transportation/Logistics
A Cincinnati freight brokerage company is facing a $5m lawsuit over a data breach that occurred last month. Computer systems at Total Quality Logistics (TQL) were compromised in a cyber-attack that took place on February 23. Customer and carrier information was exposed after threat actors breached the company’s online web portal. Click to read entire article.
The threat intelligence team at DynaRisk is always monitoring the dark web for stolen data. On March 13, it found a breached database belonging to Norwegian Cruise Line. That database contained 29,969 records, of which 24,602 were unique. The data in question relates to travel agents, including Co-operative Travel, Hays Travel, TUI and Virgin Holidays, which had used a regional Norwegian Cruise Line partner portal. Click to read entire article.
Technology/Manufacturing
A phisher’s treasure chest of personally identifiable information (PII) for General Electric employees has been exposed – thanks to the compromise of one of the company’s partners, Canon Business Process Services. Click to read entire article.
The suit, Almeida et al. v. Slickwraps Inc., was filed on March 12th in California’s Eastern District Court. It alleges that Slickwraps “was well aware that it had lax data security measures and did absolutely nothing to prevent the very kind of cyber security incident that occurred.” Click to read entire article.
Online Gaming
A federal class action claims Zynga allowed hackers to compromise 173 million of its video game accounts, exposing users’ personal information. Click to read entire article.
Public Entity
On March 6, the Oregon Department of Human Services (DHS) uncovered a phishing incident that affected one staff member’s email. Click to read entire article.
The state judiciary blocked all Public Defender’s Office employees from using the Maryland Electronic Courts system after the “intrusion” compromised a server, The Capital Gazette reported Tuesday. Click to read entire article.
Healthcare
Healthcare Resource Group, Inc. (“HRG”) is providing notice on behalf of Barlow Respiratory Hospital (“Barlow”) of an incident that may affect the security of certain personal information relating to current and former Barlow patients. Click to read entire article.
In January, a vacated office at the medical center was found to contain several boxes of veteran records. The files contained patient identifying information and/or protected health information of 680 veterans. Click to read entire article.
Hackers from outside the United States compromised University of Kentucky computer networks to mine cryptocurrency in a large malware attack. Click to read entire article.
The eye center said it became aware of a breach Jan. 13, when malware was introduced by a third party into the center’s computer systems. Patient health information including first and last names and retinal images were encrypted. Click to read entire article.
Financial Services
vpnMentor researchers led by Noam Rotem said the database appears to be connected to MCA Wizard, a now-defunct app that appears to have been developed by Advantage Capital Funding and Argus Capital Funding. Click to read entire article.
Retail
A data breach case against Macy’s, originally filed in Massachusetts state court, has been removed to federal court. The complaint claims a data security breach took place between October 7 and October 15, 2019, during which hackers stole personal consumer information from Macy’s website. Click to read entire article.
Privacy Ethics (Wrongful Data Collection/Sharing)
The company was hit with a class action lawsuit claiming that Zoom illegally shared millions of users’ personal information with Facebook and failed to protect their personal information. Click to read entire article.
Regulation Updates
The New York “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act” expands data breach reporting requirements and requires organizations to implement an information security program to protect the “private information” of New York State residents, including employee and consumer data. Click to read entire article.
The only certainties in life used to be death and taxes. In 2020, it would be safe to add California Consumer Privacy Act (CCPA) class actions to that “distinguished” list. Click to read entire article.
Canada
Canadian ISP Rogers Communications has begun to notify customers of a data breach that exposed their personal information due to an unsecured database. Click to read entire article.
UK/Europe
…Following the failed extortion attempt, the hackers are now selling the company’s data for an asking price that varies between 0.5 and 3 bitcoin ($3,500 and $22,000). Click to read entire article.
Up to 100,000 customers in Britain, including businesses and some military organisations, have had 343 gigabytes worth of documents exposed online. Click to read entire article.
Asia/Pacific
Government Services Minister Stuart Robert has backflipped on claims the MyGov website was subject to a crippling cyberattack which caused it to crash. Click to read entire article.
Chinese microblogging giant Sina Weibo has now made it to the news owing to a security incident. Weibo suffered a data breach exposing 538 million records. What’s concerning is that the stolen data is now for sale on the dark web. Click to read entire article.