Data Privacy + Security Insider

Leveraging Knowledge to Manage Your Data Risks

The Department of Homeland Security (DHS) issued a warning on April 15, 2019, entitled “VPN Applications Insecurely Store Session Cookies” (Vulnerability Note VU#192371) stating that “[M]ultiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.” The affected products identified by DHS are: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573) Pulse Secure Connect Secure prior to 8.1R14, 8.2,…
I have been alerting clients that I know use Wipro, but may have missed some of you. It is being reported that IT outsourcing company Wipro Ltd. has been hacked through several phishing campaigns from what is believed to be a state-sponsored attacker. According to recent reports, including KrebsonSecurity, sources have stated that “Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.” Apparently,…
On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’ (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules. The DAB’s decision, issued on February…
The Ponemon Institute recently completed research, sponsored by IBM Resilient, entitled “The 2019 Cyber Resilient Organization,” which surveyed more than 3,600 security and IT professionals around the world to determine organizations’ ability to maintain their core purpose and integrity in the face of cyber-attacks. According to IBM, the research found that “a vast majority of organizations surveyed are still unprepared to properly respond to cybersecurity incidents, with 77 percent of respondents indicating they do not…
On April 14, 2019, Microsoft alerted some account owners that Microsoft Outlook and Hotmail email addresses had been compromised over a three-month period. According to Microsoft, “We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.” It also said “[U]pon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access.” The unauthorized access occurred…
Following in the footsteps of the New York Department of Financial Services (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance industry, a wave of states have either enacted or are pursuing legislation aimed at regulating the cybersecurity measures of insurance companies. In 2017, the National Association of Insurance Commissioners (NAIC) published a model rule that follows many of the NYDFS cybersecurity requirements, and…
A few weeks ago, I pondered whether the California Consumer Privacy Act of 2018 (CCPA) is still a bit of a work in progress with the introduction of a proposed amendment. Recently, another amendment was proposed by Assembly Member Edwin Chau in the form of Assembly Bill 25. Assembly Bill 25 would exclude employees and job applicants from the definition of “consumer.” The new amendment states: “Consumer does not include a natural person whose personal…
I was with a bunch of CFOs this week talking about cybersecurity and I told them how easy it is for hackers these days. They can infiltrate a company’s system by compromising an O365 account that doesn’t have multi-factor authentication, and, according to a Ponemon study, they remain in the company’s system for over 200 days. They monitor literally everything that is happening in the company, since all companies rely on email communication, and then strike…
The Federal Aviation Administration (FAA) is expected to award its first license to operate a drone airline in May. Last year, the FAA determined that large-scale commercial package delivery drone operations would require certain safety and economic certification standards like other licensed U.S. airlines. The FAA has not yet announced which company will receive that certificate, but to date, the only air carrier certificate application for a drone carrier listed on the applicant website has…
I try to keep my spam filter on the most restrictive setting, which has dramatically decreased the amount of spam I receive in my email box every day. But every once in a while, I receive an email that makes my gut twitch and my eyebrows raise. I got one today from a well-known bank, logo and all, looking very official and authentic. Those of you who know me know that I am “wicked paranoid,”…