Cyber Risk News

We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: Researchers Uncover ‘Pink’ Botnet Malware, Facebook directed to pay $257 per victim over personal data breach, Facial recognition use found in breach of Australian privacy law, N.L. officials cagey on the source of health-care system disruption, Annual Cost of Child Identity Fraud Almost $1Bn, and more.

Business Interruption Exposure (DDoS)

Researchers Uncover ‘Pink’ Botnet Malware That Infected Over 1.6 Million Devices

Cybersecurity researchers disclosed details of what they say is the “largest botnet” observed in the wild in the last six years, infecting over 1.6 million devices primarily located in China, with the goal of launching distributed denial-of-service (DDoS) attacks and inserting advertisements into HTTP websites visited by unsuspecting users.

Sports/Media

DOJ: Pirated sports streamer hacked accounts, extorted MLB

The U.S. Attorney’s Office for the Southern District of New York has charged a man for illegally streaming MLB, NBA, NFL, and NHL games via the web and hacking into sports leagues’ customer accounts.

Breach Settlements

Kemper $17.6M Data Breach Settlement Wins Preliminary Court Approval

The dual breaches could have compromised the personal information of an estimated 6.1 million customers and employees. The breach incidents occurred on December 14, 2020 and March 25, 2021 and were announced by the insurer in March and May 25, 2021.

Healthcare

Data breach at US physical therapy center impacts more than 6,500 patients

Viverant PT, based in Minneapolis, Minnesota, said that the personally identifiable information (PII) of current and former patients and employees was affected in the breach. A wealth of healthcare information is reported to have been leaked, including patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical record numbers.

California Health Network Reports Data Breach

Nonprofit Community Medical Centers (CMC), located in California, reported a data breach earlier this week. The agency shut down its entire network, including servers, computers, and phone lines, upon detecting the intrusion. The phone lines were used by patients to access medical records, make appointments, and receive important information relating to Covid-19.

Bryan Health notifies some patients of 2020 breach of private records

According to a letter the health system sent to affected people last week, a staff member accessed information in the electronic medical records system “without a treatment purpose or other job-related reason.”

UMass Memorial notifies 209K patients 8 months after data breach discovery

Nearly eight months after discovering the hack of multiple employee email accounts, UMass Memorial Health is notifying about 209,000 patients that their personal and health information was potentially compromised.

Banking

FTC Tightens Safeguards for Consumer Data After Major Breaches

The agency is revising the rules that financial institutions must follow. The final rule provides more specific criteria for what safeguards financial institutions are required to implement to protect consumers’ financial data. Examples include limiting who can access the data and using encryption to secure it.

SEC rejects proposed amendment on CAT data breaches

The SEC has rejected a proposed amendment to the plan governing the consolidated audit trail that would have held industry members liable in the event of a data breach.

Public Entities

After security flaw found, State of Missouri hires data breach group

Two weeks after a newspaper discovered a security flaw on a state website, Gov. Mike Parson’s administration has hired a company that performs data breach and credit monitoring services.

Cloud/Vendor Breaches

40% of organizations suffered a cloud-based data breach in the past 12 months

Despite increasing cyberattacks targeting data in the cloud, 83% of businesses are still failing to encrypt half of the sensitive data they store in the cloud, raising even greater concerns as to the impact cyber criminals can have. 40% of organizations have experienced a cloud-based data breach in the past 12 months, according to a study conducted by 451 Research.

Fraud

Annual Cost of Child Identity Fraud Almost $1Bn

New research published today by Javelin Strategy & Research puts the annual cost of child identity theft and fraud in the United States at nearly $1bn.

Data Breach Legal/Law Updates

United States: Second Circuit Rules That Risk Of Future Identity Theft Not Enough To Support Standing In Data Breach Class Action

The Second Circuit recently joined a growing number of federal courts to decide when a data breach of personally identifiable information (“PII”) is actionable.

Canada

Toronto transit system hit by ransomware attack, TTC says no significant disruptions

The Toronto Transit Commission has been hit with a ransomware attack, it said in a statement on Friday. The TTC says the attack by hackers on its computer systems began Thursday night and expanded on Friday.

N.L. officials cagey on source of health-care system disruption

Sources have told CBC News that the computer network failure is due to a ransomware attack, a type of cybersecurity breach where hackers take control of a system and only let go once a ransom has been paid.

EU

German student app caught out in data breach

Scoolio’s API flaw has exposed the data of 400,000 German students. According to Bleeping Computer, Lilith Wittmann, a security researcher from the IT security collective “Zerforschung”, discovered the bug and immediately disclosed their findings to the Scoolio team.

Art Basel’s parent company MCH Group warns of possible data breach after criminal cyber attack

Fair organiser is working with police and Swiss cyber security authorities to identify perpetrators of malware attack on 20 October.

Asia Pacific

Facial recognition use found in breach of Australian privacy law

Australian privacy commissioner rules Clearview AI in breach of consumer privacy for facial recognition database and says multiple police forces are under investigation for employing the sensitive biometric database.

Disruption of services: NBP system still not restored after cyberattack

KARACHI: The National Bank of Pakistan (NBP) is yet to restore its banking system after it collapsed following a cyberattack on Saturday by an unknown source, which could cause delays in the salaries of public servants and government employees, among other issues.

Luxury hotel chain in Thailand reports data breach

A luxury hotel chain in Thailand, Centara Hotels and Resorts, has reported a cyberattack in which personal information pertaining to customers was breached.

Facebook directed to pay $257 per victim over personal data breach

The South Korean state watchdog on personal information protection on Friday recommended that the operator of Facebook pay 300,000 won ($256.70) in compensation to each of 181 users demanding damages for the provision of their personal information to third parties without consent.


Vol. 238 – November 17, 2021


© 2021 NetDiligence All Rights Reserved.