April is known for its unpredictable weather, and information security news has a lot in common with it. When things are going well, it's bright and refreshing. Sometimes conditions are less than ideal but still manageable. And sometimes it storms. Outdoors, the frequency, type, and result of those storms depend on where you live and the measures you take to protect yourself. In security, they depend on what type of information you hold, what industry you're in, and what you're doing to protect it. Here's a look at the sunny days, the gloomy overcasts, and the storms that made up the information security news of April.
- One of the biggest concerns for healthcare organizations is the security of their vendors and other third parties. So far in 2019, business associates (vendors) have been involved in more than a quarter of the major health data breaches added to the federal tally, the HHS Office for Civil Rights breach portal. Those 27 vendor-related incidents have affected nearly 690,000 individuals this year.
- A recent report found that healthcare was the most-targeted industry for cyber attacks in 2018. Phishing remains the most common attack vector, accounting for nearly 37 percent of all incidents. Some experts attribute this to an over-emphasis on compliance at the expense of actually strengthening procedures, practices, controls, and training: passing an audit is not the same as stopping a phishing email.
- Microsoft disclosed that attackers had access to some of its consumer email accounts (Outlook.com, Hotmail, and MSN) between January 1 and March 28 after compromising a support agent's credentials. For most affected accounts the exposure was limited to metadata such as email addresses, folder names, and subject lines, but for a single-digit percentage of them the attackers could also read message content. Microsoft has not said how many accounts were affected and is advising affected users to change their passwords.
- In a reminder of both the importance of physical security and the danger of unknown removable media, an intruder got into President Trump's private club carrying a thumb drive that began installing files as soon as it was plugged into a PC.
Right in the Wallet
- APIs are how developers move data between platforms, and mobile apps depend on them heavily. Unfortunately, APIs are rarely as secure as we'd like, and the mobile apps that call them are a particular weak point: the app ships to the user's device, so anything it embeds (API keys, endpoints, request logic) can be recovered by reverse engineering, and the back-end API has to be built as if every client were hostile. Former black-hat hacker Alissa Knight's testimonial about the state of mobile financial apps is sobering.
- Business leaders everywhere are stressing the importance of information security and naming cyber attacks among the biggest threats to their organizations. J.P. Morgan Chase CEO Jamie Dimon is no exception: he was recently quoted calling cyber attacks the biggest threat to the U.S. financial system.
- HIPAA violations have long come with hefty fines, but some organizations are starting to fight back. The University of Texas MD Anderson Cancer Center has filed a lawsuit arguing that the $4.3 million HIPAA penalty imposed by the Department of Health and Human Services after three data breaches was unlawful.
- Silence, the cybercrime gang that has targeted banks and ATMs in Russia and other Eastern European countries, is expanding its reach to other regions, security researchers warn. ATM jackpotting, or "cash out," schemes, in which malware planted on the ATM or inside the bank's network makes the machine dispense cash to waiting mules, have netted the group at least $800,000, and it is now shifting its focus to international markets.
- Business leaders are increasingly worried about the data their employees share. 61% of CISOs believe employees have maliciously leaked data, and much of the concern centers on workplace chat tools such as Slack, where employers say staff overshare.
- We're closing in on the first anniversary of the General Data Protection Regulation taking effect. The regulation made an immediate impact on companies around the globe, and one of its most important contributions was its breach notification rule: a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, where feasible, which forces incident response to produce a defensible account of what happened on a fixed clock. Here's a look at how that has changed the way we treat incident response and notification.
- Other regulators are following suit. Legislators in the U.S. state of Washington have passed a bill that expands data breach notification requirements: it shortens the time organizations have to notify affected consumers and broadens the categories of personally identifiable information whose exposure triggers notification.
- The simplest defense against software-related breaches is keeping your software up to date. Most updates include fixes for vulnerabilities that are already public, and attackers routinely go after known flaws in unpatched software because that is far cheaper than finding new ones. If you're not updating the software on your personal devices regularly, you're leaving those doors open. It's time to stop ignoring update notifications.
- Servers holding nearly 3.1 million Toyota customer records were compromised this month. As of early April, Toyota still did not know what data had been accessed or exposed. That is unsettling on its own, and more so because this is the company's second breach since February; Toyota will need to show what it has changed to keep a third from following.
- A new industry brings new targets. A Canadian medical cannabis company has disclosed that information on about 34,000 patients may have been exposed in a data breach.
- Is there a month in recent memory when we haven't talked about Facebook? This month it was third-party app developers who left Facebook users' data accessible in the cloud, including hundreds of millions of records found sitting unsecured in Amazon Web Services (AWS) storage that anyone on the internet could read. Facebook's own systems weren't breached: the developers had collected the data through the platform and then stored it without access controls, which is the same failure whether the data came from Facebook or from your own customers.
- Google announced in mid-April that any phone running Android 7.0 or later can be used as a security key for two-factor authentication. Once a user enrolls their Android phone as a security key, signing in at a Google login page with username and password triggers a prompt on the phone, which has to be near the computer with Bluetooth enabled; the user approves the login there, and the phone signs a challenge that is tied to the site the browser is actually on. That binding is what separates this from a one-time code: a code can be typed into a look-alike phishing page and relayed, while a response from the phone for the wrong site simply fails to verify.
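The Facebook records in the story above were sitting in Amazon S3 buckets that anyone on the internet could read. The following Go program is an added example, not code from the original post or from the researchers who found the data: it scans an S3 bucket policy document (the JSON that `aws s3api get-bucket-policy` returns inside its `Policy` field) for Allow statements whose Principal is everyone, which is the policy-level spelling of "unsecured". The embedded sample policy, its bucket name, account ID and role name are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// statement is the subset of an S3 bucket policy statement that the check needs.
type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

type policy struct {
	Statement []statement `json:"Statement"`
}

// stringsOf decodes a policy field that IAM allows to be either one string or a list.
func stringsOf(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // anything else (absent, an object) yields no strings
	return many
}

// principalIsEveryone recognises the spellings that mean "anyone on the internet":
// "*", {"AWS": "*"} and {"AWS": [..., "*", ...]}. {"Service": ...} and account/role ARNs are not.
func principalIsEveryone(raw json.RawMessage) bool {
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) == nil {
		raw = obj["AWS"]
	}
	for _, p := range stringsOf(raw) {
		if p == "*" {
			return true
		}
	}
	return false
}

// PublicGrants returns one finding per Allow statement whose Principal is everyone.
// A Condition does not make the statement private by itself (aws:SecureTransport, for
// example, still lets the whole internet in over TLS), so such statements are reported
// too, marked for manual review.
func PublicGrants(policyJSON []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("bucket policy is not valid JSON: %w", err)
	}
	var findings []string
	for i, s := range p.Statement {
		if s.Effect != "Allow" || !principalIsEveryone(s.Principal) {
			continue
		}
		name := s.Sid
		if name == "" {
			name = fmt.Sprintf("statement[%d]", i)
		}
		f := name + ": " + strings.Join(stringsOf(s.Action), ",") + " granted to everyone"
		if len(s.Condition) > 0 && string(s.Condition) != "null" {
			f += " (conditional; review the Condition before accepting this)"
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// samplePolicy is constructed for this example; the bucket, account ID and role are made up.
const samplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppExport", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-export/*"},
    {"Sid": "ETLRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-app-export/*"},
    {"Sid": "TLSOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-app-export",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-app-export/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}`

func main() {
	findings, err := PublicGrants([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // AppExport and TLSOnly are reported; ETLRole and the Deny are not
		fmt.Println(f)
	}
}
```

A bucket can also be public through its ACL or because account-level Block Public Access is switched off, so treat this as one of three checks rather than the whole answer; `aws s3api get-bucket-policy-status` gives AWS's own verdict for the policy part.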
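Under the hood the phone-as-security-key flow is a FIDO challenge-response: the phone holds a private key for the site, and the browser, not the web page, tells it which origin is asking. The Go program below is an added example, not Google's code and not code from the original post, that simulates both ends of that exchange with a stand-in Phone and RelyingParty. The site names example.com, login.example.com and login.example.com.evil.test are hypothetical, and the real protocol's Bluetooth transport, CBOR encoding, attestation and signature counter are left out so the verification logic stands on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is built by the browser per sign-in; the phone signs over its hash, so the
// origin the browser really saw is bound into the response.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct { // what the site receives after the user approves the prompt on the phone
	AuthData       []byte // rpIdHash (32) | flags (1) | signCount (4): the WebAuthn layout
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over SHA-256(AuthData || SHA-256(ClientDataJSON))
}
type Phone struct { // stands in for the enrolled Android phone: one P-256 key per site (rpID)
	priv *ecdsa.PrivateKey
	rpID string
}

func NewPhone(rpID string) *Phone {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy source; nothing sensible to do at enrollment time
	}
	return &Phone{priv: priv, rpID: rpID}
}

// signedMessage is the hash both sides compute: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign is the phone's answer to the prompt. origin is the page the browser is actually on;
// a phishing page cannot make the browser report a different one.
func (p *Phone) Sign(challenge []byte, origin string) (*Assertion, error) {
	cd, _ := json.Marshal(clientData{base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(p.rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = 0x01 // UP flag: the user tapped "Yes" on the phone; counter left at zero
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the site checking the response (a hypothetical login.example.com here).
type RelyingParty struct {
	RPID, Origin string
	PublicKey    *ecdsa.PublicKey // recorded when the phone was enrolled
}

// Verify runs the checks that make a phone-as-security-key phishing-resistant.
func (rp *RelyingParty) Verify(challenge []byte, a *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || len(a.AuthData) < 37 {
		return errors.New("malformed response")
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	switch {
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch: stale or replayed response")
	case cd.Origin != rp.Origin: // the check a relayed one-time code can never give you
		return fmt.Errorf("origin %q is not %q: the user was on another site (phishing?)", cd.Origin, rp.Origin)
	case string(a.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch: key was enrolled for a different site")
	case a.AuthData[32]&0x01 == 0:
		return errors.New("user presence flag not set: nobody approved the prompt")
	case !ecdsa.VerifyASN1(rp.PublicKey, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}

func main() {
	phone := NewPhone("example.com")
	rp := &RelyingParty{RPID: "example.com", Origin: "https://login.example.com", PublicKey: &phone.priv.PublicKey}
	c1, c2 := make([]byte, 32), make([]byte, 32)
	rand.Read(c1) // the site issues a fresh random challenge for every login attempt
	rand.Read(c2)
	good, _ := phone.Sign(c1, "https://login.example.com")
	fmt.Println("genuine login:", rp.Verify(c1, good))               // <nil>
	fmt.Println("old response replayed:", rp.Verify(c2, good))       // challenge mismatch
	phish, _ := phone.Sign(c2, "https://login.example.com.evil.test")
	fmt.Println("relayed from phishing page:", rp.Verify(c2, phish)) // origin mismatch
}
```

The third call in main is the point of the story: a phishing page at login.example.com.evil.test can collect the password and relay the real site's challenge, but the response comes back stamped with the origin the browser actually saw and is rejected, with no judgment required from the user.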
Following information security news and trends is important: it gives you a sense of what's happening in the industry so you can keep protecting yourself and your business. Follow FRSecure on Twitter and LinkedIn for regular updates on information security news like this, and visit our site to learn how your organization can keep improving its security program.