March is the time of year when the days get longer, the weather gets warmer, the birds start singing, and people seem genuinely happier. Unfortunately, though, not everyone’s March was like a scene from a Disney movie. For many, it was more like a horror film. As the amount of data we house increases, the attack landscapes change, and security professionals do their best to keep up, information security news continues to fill the tabloids. Here are some of the stories that stole the show in the month of March!
- The breach in 2017 that hit Sonic restaurants will cost them $5M. Sonic is being sued by the American Airlines Federal Credit Union in an attempt to recoup money the credit union lost in the breach. This comes on the heels of a $4.3M class-action lawsuit that awarded impacted individuals between $10 and $40 each.
- A critical bug in Google Chrome’s software left millions of devices vulnerable earlier this month. Luckily, Google was able to release a software update very soon after, urging people to update their browser to avoid
- Zillow faces a $60M lawsuit thanks to a hacked mansion listing where attackers added fake sales to the property’s listing. Hackers figured out how to get past Zillow’s security questions and began manipulating information on the site. Zillow is facing the lawsuit due to its lack of safeguards and its negligence in pulling the plug on the hackers.
- Verifications.io, an email verification platform, has suffered a data breach exposing nearly 763 million records. The leak appears to be the second largest breach in history and the biggest-ever leak of data that traces back to a single source.
- Third-party security risk has been at the forefront of a lot of security discussions recently. With more vendors gaining access to more data, organizations have a daunting task in understanding what risk their vendors pose to their information security. Just ask Dow Jones, whose “authorized third party” exposed a database with more than 2.4 million records without password protection.
- One of the ways to reduce vendor risk is to limit the number of vendors in your environment. This is becoming a more common practice among security professionals. A recent Cisco survey shows that 63% of respondents cited 10 or fewer vendors in their environment, up from 54% just two years ago.
- Zoll, which provides emergency medical products such as wearable heart defibrillators, therapeutic temperature management systems, and ventilation devices, announced a breach on March 18. The breach occurred while a third-party vendor was doing server migrations for Zoll, and it impacted 277,319 individuals.
- Starting in 2020, the United States Department of Defense will begin measuring contractor security when establishing relationships with third-party vendors. The DOD is developing metrics to help it gauge the scope of each vendor’s security before onboarding them.
- People still represent our biggest risk in information security, and phishing is still the most effective way to compromise someone. Phishing attacks are on the rise, having increased an incredible 269 percent compared to 2017.
- If you’re in healthcare, banking, securities, or market infrastructure, you face the most financial risk from an attack. Moody’s, a U.S. credit ratings agency, conducted the study, which suggests these areas have the biggest risk due to their reliance on technology and confidential information. On a related note, 2018 was the biggest year ever for HIPAA enforcement.
- Want to stay current on information security news and trends? SANS recently announced its top cybersecurity journalists of 2018. Follow them to keep up with industry happenings.
- A group of hackers was able to gain backdoor access to systems using the popular messaging app, Slack. While abusing legitimate services for malware command-and-control purposes is not new, this is the first time researchers have seen Slack being used for this purpose. Slack has been notified and disabled the workspace set up by the attackers for violating the company’s terms of service.
- Noticing a lot more fake profiles following and interacting with you on social media? You’re not alone. Facebook and Instagram launched their first lawsuit this month to combat fake profiles and likes.
- Speaking of Facebook, they can’t seem to stay out of our news roundups. Near the end of March, it was announced that Facebook stored hundreds of millions of users’ passwords in plain text for years. The passwords were searchable by employees for nearly seven years.
- 3 million cars globally were made vulnerable through their alarm systems this month. The vulnerabilities were found on a combination of Russian- and American-made alarms and allowed security researchers to remotely track, hijack, and take control of vehicles with the alarms installed. The security vulnerabilities have since been fixed.
- Do you feel like you don’t hear about the breaches that impact you as much as you would like? That might be deliberate. Researchers suggest that nearly half of all data breach reports submitted to the Information Commissioner’s Office (ICO) were made on a Thursday or Friday, a “deliberate tactic” to bury bad news.
- As a society, we’re obsessed with smart devices. Even things like our refrigerators are connected to the internet. The government has taken notice. The Internet of Things Cybersecurity Improvement Act was introduced this month, with the goal of bringing legislative action to improve cybersecurity in the emerging tech.
- Big patches were released this month to protect against vulnerabilities in Microsoft and Adobe products. If you have not yet applied these patches, now is the time to do so. The patches fixed vulnerabilities in hyper-popular products like Microsoft Office, Internet Explorer, SharePoint, Photoshop, and more.
Understanding information security trends is important. It gives you an idea of what’s going on in the industry so you can continue to protect yourself and your business. Follow FRSecure on Twitter and LinkedIn for consistent updates on information security news like this, and visit our site to learn how your organization can continue to make improvements to its security measures.