If you follow this space regularly, you know that these days cryptocurrency mining (or cryptojacking) scams are a bit like Netflix shows: there are almost too many to keep track of. This week's has a few twists, though. Attackers targeted Elon Musk's multi-billion dollar Tesla car company – no small target – by leveraging an Amazon cloud account belonging to the company. Once they had access, they ran scripts to earn money using computing power without the company's consent. The hack exposed Tesla telemetry, mapping, and vehicle servicing data in the process. News of the cryptojacking scam came the same week that researchers said they had uncovered a $3 million cryptocurrency mining scam in which attackers mined 10,829 Monero coins over the course of 18 months.
States are beginning to lay the groundwork for legislation designed to enhance protections for residents following a data breach. Spurred by last year’s Equifax breach, one such bill, introduced in Colorado in January, passed the state's House Committee on State, Veterans and Military Affairs last week. The bill, which would essentially mandate that organizations report breaches 30 days after they happen, doubles down on laws currently on the books there. As HealthcareITNews noted this week, if the Colorado bill is passed, the state would join Florida in having the strictest laws in place around data breach reporting. Governor Rick Scott signed Florida's legislation - the Florida Information Protection Act - into law what seems like eons ago, in 2014.
Image of Colorado State Capitol via F Delventhal's Flickr photostream, Creative Commons
Universities have succeeded where all other industries have failed: educating users about phishing attacks. According to a study released this week by Wombat Security Technologies, only 10 percent of simulated phishing emails sent to users at educational institutions were clicked through. That surpasses figures from a slew of other industries, including technology, entertainment, hospitality, government, consumer goods, retail and telecommunications. The company claims the report gathered data from tens of millions of phishing attacks staged over a 12-month period.
We'll have to wait a little bit longer for the first case involving a data breach to reach the Supreme Court. As FierceHealthcare's Evan Sweeney reported this week, the court on Tuesday denied an appeal filed by CareFirst, the largest health care insurer in the Mid-Atlantic region, to review a 2014 case, CareFirst v. Attias. The case revolves around a data breach that exposed 1.1 million records at the time. The crux of the case, as The National Law Review points out, is “whether fear of identity theft flowing from a data breach is an ‘injury in fact’ sufficient to trigger Article III standing.”
Those patiently waiting for a deep dive on the hacking group behind this month's Adobe Flash zero-day got their wish this week when FireEye published a nine-page screed on the advanced persistent threat (APT) group, a collective it calls "Reaper," a.k.a. ScarCruft, a.k.a. Group 123. According to researchers, the group mostly targets South Korea but has also set its sights on Japan, Vietnam, and the Middle East. Those looking for more on the group could learn a lot from ZDNet's recap of the research, but it's worth pointing out that FireEye's report (.PDF) is replete with graphs, timelines, and maps, a handful of visuals that really tell the story.