All posts by Cole Lunz

Microsoft Annual Security Report: Phishing Attacks Jump 250%

In 2018, Microsoft’s Security team analyzed more than 6.5 trillion security signals a day to identify security trends that expose organizations to significant cyber risks. Here’s what they found!

Phishing is Way Up!

After scanning more than 470 billion email messages sent and received in its Office 365 platform, Microsoft found that the number of phishing emails grew an alarming 250 percent. Making matters worse, scammers' techniques are becoming more sophisticated and harder to detect as they diversify the methods used in phishing attacks.

Diverse Attack Methods

According to the report, techniques used by attackers include domain spoofing & impersonation, user impersonation, text lures, credential phishing links, phishing attachments, and links to fake cloud storage locations. These sophisticated techniques make phishing emails appear legitimate, while presenting malicious files and links for a user to access.

Popular Music Video App Agrees to Record COPPA Settlement

Musical.ly, the popular social media app for children known as TikTok, and the FTC recently settled allegations of violations of the Children’s Online Privacy Protection Act (COPPA). The settled amount was $5.7 million, the largest civil penalty the agency has collected for a children’s data privacy case.

Musical.ly

The Musical.ly app allows users to make short lip-syncing videos that can be shared on the platform. Over 200 million users have downloaded the Musical.ly app worldwide, according to the FTC, with 65 million of those accounts being in the United States.

COPPA Rule

COPPA prohibits the unauthorized or unnecessary collection of children’s personal information online by website operators and online services, and requires that verifiable parental consent be obtained before collecting, using, and/or disclosing the personal information of children under 13.

European Standards Body Publishes New Internet of Things Standard

In February 2019, the European Telecommunications Standards Institute (ETSI) published ETSI TS 103 645 V1.1.1, a high-level, outcome-focused standard for the security of internet-connected consumer products, or Internet of Things (IoT) devices. IoT devices covered by the new standard include connected children’s toys and baby monitors; IoT-enabled smoke detectors and door locks; smart cameras; TVs and speakers; wearable health trackers; connected home automation and alarm systems; and connected appliances.

ETSI and the New Standard

ETSI is an independent, not-for-profit standards organization based in France, with about 800 members in over 60 countries across the world, and is a European Standards Organization (ESO).

FTC Keeps CAN-SPAM Unchanged

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) is here to stay, the Federal Trade Commission (FTC) recently announced after completing its review.

What is CAN-SPAM?

Effective January 1, 2004, CAN-SPAM establishes requirements for commercial messages, gives recipients the right to make you stop emailing them, and outlines tough penalties for violations. For example, each email in violation of CAN-SPAM is subject to penalties of up to about $40,000. That can quickly add up!

On February 12, 2019, the FTC announced that it had completed its first review of CAN-SPAM. Based on its review, the FTC announced its decision to retain the rule in its present form.

OCR Sets HIPAA Enforcement Record with Cottage Health Settlement

California-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information. This settlement, in December 2018, brought the annual total of collections from OCR enforcement actions to $28.7 million, setting a new annual record.

Two Breaches

Cottage Health, which operates four hospitals in California, notified HHS’ OCR about two breaches of unsecured electronic protected health information (ePHI), one in December 2013 and another in December 2015, affecting more than 62,500 individuals.

The first incident occurred when the security configuration settings of the health system’s Windows operating system reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet with access to Cottage Health’s server.

Indiana Argues Companies are Deceptive if They Suffer a Data Breach

The Indiana Attorney General recently lodged a claim under the Indiana Deceptive Consumer Sales Act (Indiana Deception Act) that might allow data breach victims to file class action lawsuits against companies and recover $500 or more per person in damages and attorney’s fees.

If successful, this could open the floodgates of litigation against companies that suffer data breaches exposing personally identifying information.

The Indiana Deception Act

The Indiana Deception Act protects consumers from companies that commit deceptive and unconscionable sales acts. Under the Indiana Deception Act, a company “may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction.” For the first time, the Indiana Attorney General recently argued that this Act should apply to data breaches.

Google Hit with Biggest Ever GDPR Fine

The biggest GDPR fine to date was recently issued to Google by France’s National Data Protection Commission (CNIL) for multiple GDPR violations, the regulator recently announced. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.

Oklahoma Government Suffers Massive Data Leak

Another massive data leak has been discovered.

This latest leak involves an open Oklahoma Department of Securities storage server exposing millions of records, including confidential files linked to FBI investigations, 17 years of email archives and thousands of Social Security numbers.

The breach was discovered by a researcher from cybersecurity specialist UpGuard, while scanning the web with Shodan, a search engine that lets the user find specific types of devices (webcams, routers, servers, etc.) connected to the internet using a variety of filters.

The data was exposed through an unsecured rsync service, a utility for synchronizing files across computer systems. The server’s IP address was registered to the Oklahoma Office of Management and Enterprise Services, and with it anyone could download the publicly accessible files stored on the server.

GDPR Complaints Filed Against Netflix & Amazon

Video streaming leaders including Netflix, Amazon, and Apple have been accused of breaking the EU’s data regulations.

General Data Protection Regulation (GDPR) rules mandate EU individuals have the right to access a copy of the personal data companies collect about them through the regulation’s right of access. However, Max Schrems’ privacy group NOYB (None Of Your Business) has said it found that most of the big streaming companies have not fully complied and has filed formal complaints – which, if upheld, could result in substantial fines for the streaming giants.

Lack of Compliance

After GDPR went into effect in May 2018, many of the biggest names in tech, including Amazon, Apple, Google and Spotify, began allowing customers to download a copy of their data. NOYB, however, has said it found many of these streaming industry leaders did not do enough to comply with the new law.

Australian Parliament Hacked!

Australia’s parliament had to reset and change its computer network passwords after an unknown hacker tried to infiltrate and bypass its systems, according to a Reuters report.

As stated in the report, both Tony Smith, the speaker of the lower House of Representatives, and Scott Ryan, president of the upper house Senate, said there’s no evidence that any data had been accessed or stolen.

No Stolen Data

“We have no evidence that this is an attempt to influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes,” Smith and Ryan responded in a joint statement.

“Accurate attribution of a cyber incident takes time and investigations are being undertaken in conjunction with the relevant security agencies.”