German Hacker Uses Twitter to Leak Personal Data of German Politicians

A 20-year-old hacker has been using Twitter to leak private details belonging to hundreds of German politicians, celebrities and public figures, including German Chancellor Angela Merkel.

The Twitter Dump

Over several weeks last December, a Twitter account run by an individual calling themselves “G0d”, later identified as a 20-year-old German student, posted links to the sensitive information, which included email addresses, phone numbers, and personal chats. The data dump was finally noticed by a German publication on January 3rd.

The account, which was quickly shut down, had more than 18,000 followers and described its activities as “security researching” and “satire and irony”. Google and Bitly also pulled the plug on the blogs and links the hacker had used to host files containing the information.

A Data Breach Can Cost a Small Business $2.5 Million

SMBs are attractive targets to cybercriminals because they typically have smaller cybersecurity budgets and may lack an internal security team dedicated to timely discovering and responding to cyberattacks. Critically, these organizations may also lack resources to train their employees to identify preventable breaches like phishing campaigns.

The Cisco Report

Late last year, Cisco published a special cybersecurity report (Cisco’s SMB Cybersecurity Report) (the Report) focused on how cyberattacks affect SMBs. The Report includes 1,816 survey respondents from 26 countries.

When surveyed, respondents listed the following as the most concerning threats:

  • Targeted employee attacks (BEC and phishing)
  • Advanced persistent threats (new malware)
  • Ransomware


Employers Have a Legal Duty to Protect Employee Data

The cybersecurity standard of care is getting clearer: if you collect sensitive data, you must take reasonable measures to protect it.

Recently, in Dittman v. UPMC, the Pennsylvania Supreme Court ruled that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. This decision paves the way for a much broader application because the case was decided based on the mere act of collecting and storing sensitive information (and not the employer/employee context).

The Facts

The case relates to a data breach of the University of Pittsburgh Medical Center’s (UPMC) network and the theft of sensitive personal information belonging to more than 60,000 employees (e.g., Social Security numbers, confidential tax information, and bank account information). The employees sued but lost in the trial court, which held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers.

HHS Publishes Cybersecurity Best Practice Guide

The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sector and are a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.

All entities, especially those in the healthcare field, can learn from this valuable resource.

The Four-Part Best Practice Guide

The Best Practice Guide has four sections: a main document (entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients); two technical volumes; and resources and templates. The Best Practice Guide’s goal is to increase awareness, provide sound practices, and consistently mitigate today’s most damaging cybersecurity threats in the healthcare industry.

Florida Contractor Physician Group Pays $500K in HIPAA Settlement

A Florida-based contractor physician group will pay $500,000 to settle alleged HIPAA violations after data on more than 9,000 patients was posted online.

Advanced Care Hospitalists PL (ACH), which provides internal medicine doctors to hospitals and nursing facilities, has also agreed to a corrective action plan as part of the HIPAA settlement, the Department of Health and Human Services announced.

Alleged HIPAA Violations

Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of Doctor’s First Choice Billings Inc. for billing services. This person provided services to ACH using First Choice’s website and its branding but operated without knowledge of the Florida-based company’s owner, according to HHS.

Marriott Announces One of Largest Data Breaches in History

Marriott recently announced that hackers stole information on as many as 500 million guests over a four-year span, obtaining credit card and passport numbers and other personal data, making this one of the largest breaches in history.

What We Know

When the Marriott-Starwood merger was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.

The affected hotel brands were operated by Starwood prior to the merger in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were affected.

5 Top Cybersecurity Myths Revealed! Protect Your Organization Today!

How much do you know about cyber risks? If the answer is, “Less than I should,” then your company may be at risk. A data breach can be costly. To minimize your cyber risks, learn the reality behind these cybersecurity myths!

Myth 1: IT is responsible for cybersecurity.

Reality: Everyone is responsible for cybersecurity.

IT may create and enforce cybersecurity policies and procedures, but everyone plays a role in keeping a company safe from cyber attacks. For example, phishing email attacks present a big risk. Effective employee training can reduce the chances of this type of breach and also reduce the harm it causes.

Myth 2: My organization doesn’t have anything of value to hackers.

Reality: Every organization is a target.

Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider”?

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites.

Agari Turns the Table on ‘London Blue’ Hacking Campaign

A hacker group known as “London Blue” has compiled a list of 35,000 chief financial officers, including some at the world’s biggest banks and mortgage companies, with the intent to target them with bogus requests to transfer money.

CFO-Targeting Phishing Campaign

The “London Blue” hackers are the latest group to specialize in “business email compromise” (BEC) campaigns, according to the cyber threat detection company Agari, which found a list of 50,000 targets, mostly accounting department employees.

This past July the FBI warned that this type of scam, where a chief financial officer is rushed into transferring money to an unknown account, is on the rise and had cost companies more than $12 billion since 2013, with the total number of victims reaching over 78,000.

OCR Announces Six-Figure HIPAA Settlement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with Allergy Associates of Hartford, P.C., a three-physician allergy practice in Connecticut, for HIPAA Privacy Rule violations.

Alleged HIPAA Violation

According to OCR’s press release and corrective action plan, a patient of Allergy Associates contacted a reporter about a dispute between the patient and a doctor regarding the patient’s service animal. The reporter contacted the doctor for comment and the doctor was alleged to have impermissibly disclosed the patient’s protected health information to the reporter.

While the allergy practice had HIPAA policies and procedures in place, the physician did not adhere to the policies. Further, once OCR uncovered the issue, it also found that the practice failed to sanction the physician involved in accordance with its policies.