
The Week in Breach News: 03/09/22 – 03/15/22

March 16, 2022

We’re going on a world tour this week as anime and gaming fans get a few nasty surprises from Ubisoft and Toei Animation hacks, Lapsus$ keeps up the bad work, Anonymous continues hammering Russia and the U.S. federal government makes a few cybersecurity moves that MSPs will want to follow closely.


South Denver Cardiology Associates

Exploit: Hacking

South Denver Cardiology Associates: Medical Clinic


Risk to Business: 2.214 = Severe

South Denver Cardiology Associates apparently kicked off 2022 with a data breach that they’ve just disclosed to their patients on their website. The medical practice believes that an unauthorized party gained access to its systems between January 2, 2022, and January 5, 2022. During that time, certain files stored on the system were accessed that contained the protected health information of patients. They were careful to note that there was no impact to the contents of patient medical records and no unauthorized access to the patient portal.


Individual Risk: 2.371 = Severe

Information potentially exposed includes names, dates of birth, Social Security numbers and/or drivers’ license numbers, patient account numbers, health insurance information, and clinical information, such as physician names, dates/types of service and diagnoses. South Denver Cardiology Associates is offering credit monitoring to impacted patients who have been informed by mail.  

How It Could Affect Your Customers’ Business: This incident could end up being very expensive once regulators get finished with the practice, even if no real damage was done.

ID Agent to the Rescue: Learn why high cyber resilience is the ticket to a safer future for your clients (plus more MRR for you) and what you can do to help them build it. GET THIS EBOOK>> 


Argentina – Mercado Libre

Exploit: Ransomware

Mercado Libre: E-commerce & Payments


Risk to Business: 1.872 = Severe

E-commerce giant Mercado Libre has confirmed that an unauthorized party accessed its systems last week, snatching up a part of its source code. The ransomware gang Lapsus$ has claimed responsibility. Mercado admitted that threat actors had accessed data of around 300,000 of its users but stopped short of disclosing that this was a ransomware attack, clarifying what data was stolen or sharing ransom demands.  The company said that they do not believe “any users’ passwords, account balances, investments, financial information, or credit card information were obtained”. 

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Ransomware gangs have been quick to snatch data from large repositories, especially personal data or payment card information.

ID Agent to the Rescue: Share The Computer Security To-Do List with your clients to help them find vulnerabilities and you’ll start profitable conversations! DOWNLOAD IT>> 


United Kingdom – Vodafone

Exploit: Ransomware

Vodafone: Telecom


Risk to Business: 2.311 = Severe

Lapsus$ was busy this week. The group also claimed responsibility for a hack at Vodafone. In a Telegram message to its subscribers, Lapsus$ claimed to have 200GB of Vodafone source code in its possession, allegedly the fruit of 5,000 GitHub repositories. No word on the specifics of the stolen data. Lapsus$ is reportedly a South American gang that also claimed responsibility for recent attacks on Nvidia and Impresa.

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Source code can be very profitable for ransomware gangs, and companies need to ensure that they’re protecting their proprietary resources well.

ID Agent to the Rescue: Cybersecurity horrors lurk around every corner, lying in wait for unwary organizations. Learn how to defeat them in our eBook Monsters of Cybersecurity. DOWNLOAD IT NOW>>

France – Ubisoft

Exploit: Ransomware

Ubisoft: Video Game Studio


Risk to Business: 1.867 = Severe

French video game company Ubisoft has admitted that a cyber security incident knocked many games, services and systems offline. Guess who claimed responsibility? If you answered “Lapsus$”, you’re right!  Ubisoft says that no customer information was accessed, and games should be operating normally now. Credential compromise appears to have been a factor as Ubisoft employees have reportedly been required to change their passwords.  

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Protecting proprietary digital assets is especially important for companies like this that rely on them completely to do business.

ID Agent to the Rescue: Help your clients reduce their cybercrime risk by building a security culture that helps spot and stop threats with the Building a Strong Security Culture Checklist. GET IT>>

Russia – Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media)

Exploit: Nation-State Hacking

Roskomnadzor (aka Federal Service for Supervision of Communications, Information Technology and Mass Media): Government Agency 


Risk to Business: 1.661 = Severe

Hacktivist collective Anonymous is still hard at work disrupting Russia’s technology infrastructure in response to that country’s continued aggression in Ukraine. This week, Anonymous chose to hit Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media). That agency is the watchdog that censors media outlets within Russia. The group leaked around 820 GB of data, available on the website Distributed Denial of Secrets (aka DDoSecrets). Roskomnadzor was recently tasked by the Putin regime to block Facebook, Twitter, and other online platforms within Russia. Anonymous had been loud, open and very busy in its support of Ukraine, claiming attacks on more than 300 Russian strategic targets within the first 72 hours of the Russian invasion of Ukraine.  

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Nation-state cybercriminals are highly likely to strategically attack Government, Utilities and Infrastructure targets during times of trouble, but every business is at risk.

ID Agent to the Rescue: Ransomware is the preferred tool of nation-state cybercrime. Get an in-depth look at how ransomware is evolving and who profits from it in our hit eBook Ransomware Exposed. GET THIS EBOOK>>

Russia – PJSC Rosneft Oil Company (Rosneft)

Exploit: Nation-State Cyberattack

PJSC Rosneft Oil Company (Rosneft): Oil Company


Risk to Business: 2.601 = Severe

The German subsidiary of the Russian energy company Rosneft has disclosed that they’d experienced a cyberattack. The attack snarled operations from last Friday night through the weekend. Reuters reports that German news outlet Die Welt points to “Anonymous” as the source behind the attack as part of its ongoing campaign against Russia in opposition to its invasion of Ukraine. 

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Political upheaval can place organizations within hacktivist sights, creating unforeseen security complications.

ID Agent to the Rescue: Find and slay dastardly vulnerabilities in your clients’ security strategy and emerge victorious with the Cybersecurity Monster Hunter’s Checklist! GET IT>>


Japan – Denso

Exploit: Ransomware

Denso: Automotive Parts Manufacturer


Risk to Business: 1.402 = Extreme

Cybercrime group Pandora released a statement on Sunday saying it had snatched sensitive data from Denso, a supplier to Toyota. Just two weeks ago, Toyota had been forced to halt production in Japan because of a supply chain cybersecurity incident and this appears to be it. The company disclosed that it had detected unauthorized access to its network using ransomware at DENSO Automotive Deutschland GmbH, an associated firm in Germany. No information about the ransom or specifics on stolen data were available.  

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Supply chain issues have plagued businesses as cybercriminals seek fast ransom payments from manufacturers of critically needed goods.

ID Agent to the Rescue: Help your clients navigate the tricky straits of third party and supply chain risk with great ways to mitigate the danger and stay safe in a dangerous world. GET EBOOK>>

Japan – Toei Animation

Exploit: Ransomware

Toei Animation: Animation Studio


Risk to Business: 1.436 = Extreme

 Major Japanese animation studio Toei announced that there will be delays in the release of several popular anime series, including the long-awaited episode 1000 of ONE PIECE, because of a cyberattack. The anime studio said that they detected unauthorized access to their systems on March 6th, 2022, forcing a system-wide shutdown that impacted their production schedule. In a statement, Toei revealed that new releases for series including Dragon Quest Dai no Daibouken, Delicious Party Precure, Digimon Ghost Game and ONE PIECE will be delayed until further notice.

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Cybercriminals love to hit organizations that are under time pressure or handle time-sensitive products because of the higher chance they’ll get paid.

ID Agent to the Rescue: Ransomware 101, our most popular eBook, is full of tips and expert advice to guide you through securing your clients effectively from today’s scariest risk. READ IT>>


1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.

Go Inside the Ink to see how today’s biggest threats can impact your MSP and your customers in our blog.


 Brew the Perfect Blend for Success with These Resources

Top 5 Ingredients in the Recipe of MSP Success – MSP Expert Charles Henson shares his proven, battle-tested strategy that’s made MSPs successful all over the world. WATCH NOW>>

Security Awareness Training: Your Best Investment – See why security and compliance awareness training is a sure-fire win for both your MSP and your clients’ business. GET EBOOK>>

6 Tips for Creating a Security Awareness Training Policy – Use this infographic to help your clients start a security and compliance training program. DOWNLOAD IT>>

Did you miss this? A strong security culture stops cyberattacks. Help your clients build one with the Building a Strong Security Culture Checklist. DOWNLOAD IT>>


A Flurry of U.S. Government Cybersecurity Action Creates Opportunities for MSPs

It’s Time to Have a Profitable Conversation with Your Clients

Major cybersecurity incidents, including infrastructure attacks, and a new awareness of the dangers presented by nation-state cybercrime drew a massive surge of attention from the media and, commensurately, average citizens, about cybersecurity standards for U.S. businesses and infrastructure. That surge was followed by a flood of new federal rulemaking, proposals, executive orders and legislation to strengthen cybersecurity requirements in many industries and locations. There’s been some recent activity in that vein that MSPs may want to keep an eye on, as it will not only impact their clients but will also create profitable new opportunities for them.


NIST RFI (87 Fed. Reg. 9,579) 

These recent changes are just the newest steps in the process that agencies are taking as they move toward compliance with the requirements set forth in Executive Order 14028, Improving the Nation’s Cybersecurity, the order that codifies the U.S. federal government’s push toward a zero-trust architecture. As part of that process, the U.S. National Institute of Standards and Technology has published a Request for Information (87 Fed. Reg. 9,579), entitled “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management”. The NIST Cybersecurity Framework and Incident Response Cycle are commonly used as industry standards. The comment period for this RFI ends on April 25, 2022. Among the many topics addressed in this wide-ranging RFI, NIST is seeking input on: 

  • The “use, adequacy, and timeliness” of NIST’s existing Cybersecurity Framework (CSF) 
  • Current and anticipated “supply chain-related cybersecurity needs,” for NIST’s National Initiative for Improving Cybersecurity in Supply Chains (NIICS) 
  • The challenges presented by using NIST CSF “that may prevent organizations from using the NIST Cybersecurity Framework or using it more easily or extensively (e.g., resource considerations, information sharing restrictions, organizational factors, workforce gaps, or complexity).” 
  • Proposed changes, additions and subtractions to NIST CSF. The Federal Register notes that this could include: “additions or modifications of: Functions, Categories, or Subcategories; Tiers; Profile Templates; references to standards, frameworks, models, and guidelines; guidance on how to use the Cybersecurity Framework; or references to critical infrastructure versus the Framework’s broader use.” 

Why this is relevant to MSPs: Many companies, localities and industries base their cybersecurity regulations, standards and practices wholly or in part on NIST CSF. Changes here could have far-reaching implications. NIST will almost certainly be modernizing the framework and tightening security provisions wherever possible. NIST intends to publish its additional guidelines on May 6, 2022.  


CMMC 2.0 

The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program, established in 2020, sets stringent requirements about cybersecurity architecture for federal contractors. Complex and exacting, CMMC compliance has been a bugbear for companies and IT professionals alike. Meeting the current requirements can be challenging for small and midsize businesses (SMBs) in the federal contracting space, especially the process for gaining the certification itself. Now that difficulty may be easing, thanks to adjustments to CMMC spurred by feedback from business associations and experts.

Dubbed CMMC 2.0, the retooled version of DoD’s requirements aims to make the certification process less expensive and less onerous for SMBs in the defense contracting space, a much-needed change. Originally, CMMC required all DoD contractors and subcontractors to undertake mandatory third-party assessments of their cybersecurity procedures, regardless of the sensitivity level (if any) of any information that they handled or accessed. That requirement alone was enough to make certification too pricey for many SMBs, provoking an outcry from business associations.


DoD agreed to reconsider the provisions of CMMC based on feedback about the difficulty that SMBs would have in fulfilling its requirements and the probability that the stringent security assessment requirements would reduce opportunities for small businesses, and after a 6-month review, decided to implement some changes. Most importantly, CMMC 2.0 does not require certification for every company holding a DoD contract, just those companies that handle controlled unclassified information (CUI). CMMC’s 5-tier system will be reduced to 3 tiers: foundational, advanced, and expert.

Level 1: Foundational. Companies will be asked to perform self-assessments of their security and implement 15 specific controls DoD calls “basic”. Contractors who store, process or transmit federal contract information but do not handle CUI would be subject to this level of scrutiny.

Level 2: Advanced. This level is for contractors who handle more sensitive data and CUI, equivalent to NIST SP 800-171. That information is split into two categories, “Prioritized Acquisitions” and “Non-Prioritized Acquisitions.” Contractors who handle information in the “Prioritized Acquisitions” category will be required to seek and comply with third-party assessments. This would be a company that manufactures military technology, for example. Information in the “Non-Prioritized Acquisitions” category is less sensitive while still technically CUI. That would include contractors who provide things like medical supplies.

Level 3: Expert. This is the most stringent level, applied to contractors handling CUI of the highest sensitivity and highest priority. Contractors at this level will be required to obtain government-led assessments of their security based on the requirements outlined in NIST’s SP 800-172.

Why this is relevant to MSPs: Some of the required cybersecurity controls include things like two factor authentication (2FA) and security awareness training. Clients will also need to retrain employees for compliance with these rules.  


The Strengthening American Cybersecurity Act 

The US House and Senate have passed the Strengthening American Cybersecurity Act (S. 3600) by unanimous consent on March 10, 2022. The legislation is a package of three cybersecurity-related bills sponsored by senators Gary Peters (D-Mich.) and Rob Portman (R-OH). The bill is expected to be signed into law quickly by US President Joseph R Biden. Many of this act’s regulatory functions fall to the Cybersecurity and Infrastructure Security Agency (CISA).

This bill has several provisions that MSPs will want to be aware of.  

  • Companies that are designated as components of the country’s critical infrastructure including organizations in finance, transportation, energy and other sectors are mandated to report “significant” cybersecurity breaches to CISA within 72 hours and within 24 hours if the operator has paid a ransom. The Director of CISA will define “substantial” in this case through notice-and-comment rulemaking. 
  • The Director of CISA will engage in notice-and-comment rulemaking to determine which if any of the 16 critical infrastructure sectors identified in Presidential Policy Directive 21 will be designated “covered entities” and subject to the requirements of this bill. 
  • CISA is empowered to subpoena companies that fail to report relevant incidents or ransomware payments. Companies that remain non-compliant with a subpoena could be referred to the Justice Department for investigation and possible legal action.
  • Most interestingly for businesses, “covered entities” that submit required reports enjoy liability protection from any action brought against the covered entity just by submitting the required report. 

A great deal of classification and administrative control is extended to CISA. The agency warmly welcomed the passage of the bill in a statement. The U.S. Justice Department (DoJ) was not very happy about the bill’s passage, with DoJ officials making that clear according to Politico. That’s likely due to a territorial dispute over the involvement of the U.S. Federal Bureau of Investigation (FBI) in the reporting process. Experts say that this bill represents the first step on the road to establishing a national data breach notification requirement in the US, something cybersecurity experts have been suggesting for years.

Why this is relevant to MSPs: If you have clients in these sectors (or a sector that may potentially be affected), they’re about to need to shore up their security or risk regulatory meddling if they experience a qualifying incident. It’s almost certain that this is just the first in a series of statutes tightening cybersecurity requirements. Customers that take action to make improvements in identity and access management and security awareness will be ahead of the curve.


SEC Cybersecurity Risk Management Rules 

In February, the US Securities and Exchange Commission announced that it would be proposing “new cybersecurity risk management rules and amendments to enhance cybersecurity preparedness and improve the resilience of investment advisers and investment companies against cybersecurity threats and attacks.” The Rule Proposal sets forth several new rules and requirements under both the Investment Advisers Act of 1940 (the Advisers Act) and the Investment Company Act of 1940 (the 1940 Act) and has entered the federal rulemaking process. The SEC’s new proposed rules include:


Get Your Clients in the Right Place to Handle Rule & Regulatory Changes 

A strong cybersecurity foundation sets your clients up for success in a rapidly shifting regulatory atmosphere. ID Agent’s solutions can help you make sure that your clients are up to speed and unlikely to experience any nasty compliance surprises.  

Many regulatory updates have a security awareness training component. Plus, new standards mean updating compliance training for employees. BullPhish ID is the perfect, scalable solution for companies of any size.

  • Consistently updated compliance training videos in subjects like CMM, HIPAA, PIPEDA, GDPR, PCI-DSS, Zero Trust Security and more ensure that employees are familiar with the latest regulatory changes. 
  • Fun, engaging animated videos teach employees about cybersecurity best practices like data handling, email safety, spotting ransomware, nation-state cybercrime threats and more, with new videos added every month.
  • Run memorable phishing simulations your way with plug-and-play kits or fully customizable kits to reflect your company’s unique needs and threats.
  • Content in 8 languages with built-in quizzes and automated performance reports to prove value and see who needs more help.
  • A host of fresh management and deployment features that make the training process painless for training administrators and pupils. 

Don’t just take our word for it, see what these MSPs have to say:


Mar 21 – 22:  Midsize Enterprise Summit REGISTER NOW>> 

Mar 23: Dark Web Defence Guide #3 REGISTER NOW>>

Mar 24: Critical Components of a Profitable and Effective Security Awareness Program REGISTER NOW>>

Mar 30 – 31: Cybersecurity Expo REGISTER NOW>> 

Jun 20-23 – Connect IT Global in Las Vegas REGISTER NOW>>  

 U.S. Federal Cybersecurity Changes Are Coming

A flurry of federal cybersecurity requirements, changes and rulemaking is on the way in response to public outcry from infrastructure attacks and heightened awareness of the real danger presented by nation-state cybercrime. It pays for businesses to be compliance-ready even if they don’t think they’ll be impacted.

One of the biggest changes ahead has already started. The US federal government will be continuing its move toward a fully implemented zero trust security strategy for federal agencies. A zero trust security strategy will also be required for many federal contractors and the companies that serve them.

Take action now to ensure that you’re good to go when these changes impact your business by consulting with your MSP to determine if you’re meeting the requirements for security tools like two factor authentication (2FA) and security awareness and compliance training. Getting those building blocks in place now will help you feel confident that your business is secured to face whatever comes next.

Do you have comments? Requests? News tips? Compliments? Complaints (or compliments)? We love to hear from our readers! Send a message to the editor.

ID Agent Partners: Feel free to reuse this post (in part or in its entirety). When you get a chance, email [email protected] to let us know how our content works for you!
