Counting the Cost of a Cyber Attack: Litigation Cost
In the last 12 months, Canada has seen high-profile data breach class action lawsuit settlements. These settlements highlight an added cost of a cyber attack: the cost of defending the suit plus any judgment or settlement.
Case #1: Lozanski v. The Home Depot
The Lozanski v. The Home Depot case arose from the data breach at Home Depot of Canada between April 11, 2014 and September 13, 2014. During this period, Home Depot’s payment card system was hacked by criminal intruders using custom-built malicious software.
After detecting the data breach on September 9, 2014, Home Depot notified the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner of British Columbia and the Commission d'accès à l'information du Québec about the data breach.
On September 16, 2014, Home Depot published notices of the data breach in The Globe and Mail and in La Presse. In these notices, the company confirmed the data breach, announced that it had eliminated the malicious software responsible for it, and announced that customers affected by the breach would get free credit monitoring and identity theft insurance.
On September 21, 2014, Home Depot emailed its more than 500,000 Canadian customers, notifying them that payment card information of some customers might have been compromised. On November 6, 2014, the company also emailed 58,605 Canadian customers, advising them that their email addresses may have been stolen in the data breach.
A class action was filed against Home Depot as a result of the data breach. On April 25, 2016, the parties signed a settlement agreement. The agreement specifies two major points: 1) Home Depot denies any wrongdoing; and 2) The class action members will release their claims against Home Depot.
On August 29, 2016, Justice Perell of the Ontario Superior Court of Justice approved the Home Depot settlement agreement, awarding the data breach victims the total amount of $400,000 and approving the counsel fee of $120,000 despite the following findings:
“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification.”
Case #2: Drew v. Walmart Canada
Ms. Drew in the Drew v. Walmart Canada case was a client of Walmart’s online photo center website. She provided Walmart’s photo center website with her name, address, telephone number and credit card information.
On July 15, 2015 and October 30, 2015, Walmart informed Ms. Drew via email that “third parties” were able to access Walmart’s customers’ personal and financial information. As a result of the data breach, Ms. Drew initiated a class action against Walmart.
While Walmart made no admission of liability, in a settlement agreement, it agreed to the following:
Justice Perell of the Ontario Superior Court of Justice in the decision dated May 30, 2017 approved the above-mentioned costs that Walmart agreed to shoulder in the settlement agreement.
Landmark Case: Jones v. Tsige
While Jones v. Tsige can’t be categorized as a high-profile case, the ruling may have sparked other litigation over invasions of privacy. Since Jones v. Tsige, decided by the Ontario Court of Appeal in 2012, “a number of awards have been made in other cases based on common law and statutory tort claims for invasions of privacy, including situations where there was no economic harm,” lawyer Alex Cameron said in the article "Cybersecurity in Canada: Trends and Legal Risks 2017” published on the Ontario Bar Association website.
In the Jones v. Tsige case, the defendant used her workplace computer to access the private banking records of her spouse's ex-wife at least 174 times. The Ontario Court of Appeal ruled that even though the defendant didn’t publish, distribute or record the private banking records, she was still liable for “moral” damages amounting to $10,000.
“The defendant committed the tort of intrusion upon seclusion when she repeatedly examined the plaintiff's private bank records,” the Ontario Court of Appeal said. “Proof of harm to a recognized economic interest is not an element of the cause of action.”
Imran Ahmad, partner at Miller Thomson LLP, in the paper “Cybersecurity in Canada: What to Expect in 2017” (PDF) wrote, “At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts advanced resulting in cybersecurity and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel.” Ahmad added, “We anticipate this trend to continue and to see the existing torts being further tested by the courts.”
Cases under Canada’s Digital Privacy Act
According to privacy lawyers David Fraser and David Wallace, violations under the Digital Privacy Act “once they take effect, can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally.”
The Digital Privacy Act amends Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, Canadian organizations are required to notify individuals and organizations of all breaches of security safeguards that create a “real risk of significant harm” and to report the incident to the Office of the Privacy Commissioner of Canada.
UK Organizations Could Face Huge Fines for Poor Cyber Security
Organizations offering essential services in the energy, transport, water, health and digital infrastructure sectors play a vital role in our society. Loss of service as a result of an essential organization’s failure to implement effective cyber security measures affects not only the organization itself but society as a whole.
For this reason, the UK Government proposes that an essential organization that fails to implement effective cyber security measures could be fined as much as £17 million or 4% of its annual global turnover, whichever is higher. The UK Government also proposes similar penalties for loss of data as a result of failure to implement effective cyber security measures.
Under the UK Government’s proposal, organizations are required to do the following:
UK Minister for Digital Matt Hancock said in a statement that the fines would be applied as a last resort. Hancock said that fines won’t apply to organizations that have taken appropriate cyber security measures but still suffered an attack.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” Hancock said.
EU Cyber Laws
The UK Government’s proposal to subject organizations to huge fines for loss of service and loss of data is in line with two of the EU’s cyber security laws: 1) the Security of Network and Information Systems (NIS) Directive; and 2) the General Data Protection Regulation (GDPR).
The NIS Directive was adopted by the European Parliament on 6 July 2016. EU member states have until 9 May 2018 to adopt the directive into domestic legislation. Within weeks of the directive’s adoption – specifically on 23 June 2016 – the people in the UK voted to leave the European Union.
“Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force,” the UK Government said in the document called “NIS Directive: pre-consultation impact assessment” (PDF). “It is the UK Government’s intention that on exit from the European Union this legislation [NIS Directive] will continue to apply in the UK.”
The NIS Directive specifically requires operators of essential services (energy, transport, banking, financial market infrastructures, health, water and digital infrastructure), whether private or public entities, to take the following appropriate cyber security measures:
General Data Protection Regulation (GDPR)
The GDPR was adopted by the European Parliament in April 2016, a few months before the adoption of the NIS Directive. Unlike the NIS Directive, the GDPR doesn’t need enabling legislation from EU member states. This means that this particular EU law will take effect after a two-year transition period: it’ll be in force in May 2018 in all EU member states.
When the GDPR takes effect in May 2018, organizations in all EU member states can be fined a maximum of €20 million or 4% of annual global turnover, whichever is bigger, for a data breach.
The difference between the NIS Directive and the GDPR, according to UK Minister for Digital Matt Hancock, is that the NIS Directive relates to loss of service, while loss of data falls under the GDPR.
In the “NIS Directive: pre-consultation impact assessment” document, the UK Government said that the GDPR will replace the UK’s existing Data Protection Act in May 2018. “It is expected that the GDPR will bring about an improvement to organisations security measures to protect personal data due to the significant fines that can be given for data breaches, and also because guidance will be provided on the level of security required to comply with the regulation,” the UK Government said.
Companies Penalized under UK’s Data Protection Act for Poor Cyber Security
On 5 October 2016, the UK’s Information Commissioner’s Office (ICO) issued telecom company TalkTalk a £400,000 fine for cyber security failings that allowed a cyber attacker to access the company’s customer data “with ease”.
The TalkTalk breach, which took place between 15 and 21 October 2015, exposed the personal data of 156,959 customers, including their names, dates of birth, addresses, phone numbers and email addresses. The attacker was also able to access 15,656 bank account numbers and sort codes.
The ICO – the UK government body that has the power under the Data Protection Act to impose a monetary penalty of up to £500,000 on a UK company for a data breach – found that the TalkTalk attacker used a common technique known as SQL injection to access the data. “SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO investigation found.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations,” ICO Commissioner Elizabeth Denham said. “TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
On 27 June 2017, Berkshire-based Boomerang Video Ltd was fined £60,000 by the ICO for failing to take basic steps to stop its website from being attacked. The video game rental firm’s website was attacked in 2014, exposing 26,331 customer details. As in the TalkTalk attack, the attacker used SQL injection to access the data.
5 Ways a Cyber Security Consultant Can Help Your Business
Businesses are constantly burdened with the risk of security breaches. Learn how working with a cyber security consultant can alleviate those headaches.
Think only large corporations get targeted? Think again.
In 43% of cyber security events, a small business was actually targeted.
In the event of a cyber attack, your small to medium-sized business (SME) could suffer multi-million dollar financial and operational losses from a data breach, as well as reputational damage. The average SME -- even one with insurance -- would take quite a blow from this type of attack.
A cyber security consultant can help you both prevent attacks and better manage those that do occur, protecting you and your customers.
Let's explore how.
Supplementing In-House Capabilities
The skill and scope of cyber attacks are ever-increasing. Even organized crime is getting in on the action.
As regulators work to keep pace with burgeoning events, even a dedicated department, team or individual may struggle to keep up. They may be bogged down with operations.
A cyber security consultant stays up-to-date. They can get a panoramic view of your organization and its vulnerabilities. They can help keep your business safer.
A cyber security consultant will go in depth to identify weaknesses in your systems and processes.
Have you safely integrated cloud storage into your systems? How strong is your encryption? Can transferred data be intercepted?
And potentially the most elusive risk of all must be addressed: how are you protecting yourself against inevitable human error?
Despite your best efforts to keep systems secure, could you see any of these scenarios happening in your organization? Someone:
A consultant can help you prevent attacks, including those that result from human error or ill-intent.
Data breaches happen. This may be the last thing you want to hear a consultant say. But we'd be dishonest if we said otherwise. And we're not telling you anything that you don't know already.
The difference between $10 thousand in losses and $200 million is largely based on how your organization has invested in the risk management of security breaches.
Through risk management you can put systems in place to spot an attack sooner and limit its scope. Without a consultant, you may not be doing all you should to mitigate damage.
Cyber security consultants help you protect your customers/clients. Without them, you don't have a business.
By taking the additional steps of bringing in cyber security consultants, you demonstrate that you care about protecting those who've helped you become what you are today.
That's good for business and your customers.
Cyber security consultants know how to handle the heat of an event. They're accessible and ready to help you execute your plan to mitigate damage, comply with regulation and keep your company safe.
Get the Right Cyber Security Consultant
A consultant will help you fill in the gaps in your own security plan and develop a plan to both prevent attacks and reduce damage. For more information on how our cyber security consultants can help your company, contact us today.
Small and Medium-Sized Businesses Not Investing in Cyber Security
The rise of global cyber attacks in recent years might have led many to believe that small and medium-sized businesses (SMBs) are investing in cyber security. But the reality is that the majority of SMBs aren’t investing in cyber security.
In the study “Canadian Business Speaks Up: An Analysis of the Adoption of Internet-based Technology”, the Canadian Chamber of Commerce found that cyber security threats are underestimated by 64% of Canadian businesses, indicating they’ve no intention of investing in cyber security measures at this time. Eighty-one percent of the respondents of the Canadian Chamber of Commerce study classify themselves as small businesses and 7% classify themselves as medium. The study was conducted between December 2016 and January 2017.
In another paper “Cyber Security in Canada: Practical Solutions to a Growing Problem”, the Canadian Chamber of Commerce said that a “data breach costing $6 million would break many small businesses”.
In the UK, meanwhile, despite the recent global cyber attacks, insurance company Zurich revealed that close to half (49%) of SMEs in this part of the world only intend to spend less than £1,000 on cyber security in the next 12 months, while 22% of SMEs don’t know how much they will spend.
“While recent cyber-attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it’s important to remember that small and medium sized businesses need to protect themselves too,” said Paul Tombs, head of SME Proposition at Zurich. “The results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses."
Extent of Cyber Attacks on Small and Medium-Sized Businesses
Symantec’s 2016 global internet security threat report (PDF) showed that cyber criminals are increasingly turning their attention to hacking small businesses. The Symantec report showed that the share of spear-phishing attacks targeting small businesses – defined by Symantec as enterprises with 1 to 250 employees – rose from 18% in 2011 to 31% in 2012, 30% in 2013, 34% in 2014 and 43% in 2015.
In the UK, results from the latest Zurich SME Risk Index showed that 875,000 or nearly 16% of SMEs have fallen victim to a cyber attack, costing 21% of the victims over £10,000.
In Canada, 23% of Canadian small business owners were certain they were the victim of a cyber attack in 2016, while another 32% suspected that they might have been breached according to an Ipsos survey (PDF).
Canada’s Digital Privacy Act
"There are a significant number of breaches that never get reported because there's no obligation to report them," Imran Ahmad, a partner at the law firm Miller Thomson – a firm that specializes in cyber security, told CBC News.
This practice of sweeping cyber attacks under the rug will start to change with the upcoming implementation of the Digital Privacy Act (PDF), a Canadian law that was passed in June 2015. The Digital Privacy Act requires organizations “to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner”. Failure to report a data breach under this law could result in a fine of up to $100,000.
Matthew Braga of CBC News, in the article "Here's why reports of data breaches will skyrocket this year" wrote, "The hope is that more transparency will lead to better protections and fewer breaches in the long term.”
6 Reasons Why Cyber Criminals Attack Small and Medium-Sized Businesses
Here are 6 reasons why cyber criminals are attracted to small businesses:
1. Less Capable to Handle Cyber Attacks
SMBs are less equipped to manage a cyber attack due to lack of resources.
2. Less Likely to Guard Important Data
SMBs are less likely to protect their important data – intellectual property, personally identifiable information and credit card credentials.
3. Susceptible to Attack Due to Partnership with Large Businesses
The partnership between large businesses and SMBs provides hackers back-channel access to their true target: large businesses.
4. Less Likely to Have Key Security Defenses
According to Cisco, in its 2017 midyear cyber security report, as a result of smaller budgets and less expertise, SMBs have fewer key security defenses in place. For instance, only 34% of SMBs reported using email security compared with 45% of large businesses, and only 40% use data loss prevention defenses compared with 52% of large businesses.
5. Less Likely to Have Written, Formal Cyber Security Strategies
Large businesses are more likely to have written, formal strategies in place compared to SMBs (66% versus 59%), Cisco reported.
6. Less Likely to Require Vendors to Have ISO Certifications
Large organizations, Cisco noted, are more likely than SMBs to require their vendors to have ISO 27018 certifications (36% versus 30%). ISO 27018 refers to the “commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.”
Ripple Effect of Cyber Attacks on SMBs to Canada’s Economy
In the 2016 Canadian Chamber of Commerce's "Top 10 Barriers to Competitiveness for 2016", the business organization ranked Canada’s vulnerability to cyber crime as the country’s number 2 barrier to global competitiveness. The country’s chamber of commerce said that digital security breaches and cyber theft hinder Canada’s global competitiveness.
Without taking into consideration the value of the data itself, the Canadian Chamber of Commerce said that the country’s internet economy accounted for 3.6% of its $1.83 trillion GDP.
Protecting small businesses, in particular, from cyber attacks is as important as protecting large enterprises, considering that the economy of Canada is mostly made up of small businesses. According to the Canadian Chamber of Commerce, out of the 1.2 million businesses in Canada, 98% have fewer than 100 employees, 55% have fewer than 4 and 75% have fewer than 10 employees. These more than a million small enterprises account for 60-80% of all jobs created in Canada, and companies with fewer than 100 employees contribute about 51% of Canada’s GDP.
We invite you to connect with us to speak with one of our cyber security experts, and protect your small or medium business today.
4 Lessons Small Businesses Can Learn from WannaCry and NotPetya Cyber Attacks
WannaCry and NotPetya, also known as Petya, have been the most talked about cyber attacks in the past three months. WannaCry was released into the wild in May this year; NotPetya in June this year.
Their notoriety is understandable given that the combined victims of these two cyber attacks reached hundreds of thousands worldwide, with WannaCry affecting over 300,000 computers in 150 countries and NotPetya affecting over 12,500 computers in 65 countries.
Most importantly, these two cyber attacks, labeled as ransomware – malicious software that encrypts computer data and asks for ransom money to unlock it – victimized big corporations and big government institutions worldwide.
WannaCry disrupted the operations of UK’s National Health Service, U.S. express delivery company FedEx and Renault's assembly plant in Slovenia. NotPetya, on the other hand, disrupted the operations of the Chernobyl nuclear plant, U.S.-based pharmaceutical company Merck and Danish shipping firm Maersk.
While big corporations affected by NotPetya such as Nuance, TNT Express, Saint-Gobain, Reckitt Benckiser Group and Mondelēz International publicly acknowledged that their operations have been disrupted, and they have suffered economic losses because of the attack, these big corporations have proven their resilience.
“If a public breach damages a brand and causes customers to switch to a competitor, a larger business can weather the impact better than a smaller business,” Cisco said in its 2017 midyear cyber security report. “When attackers breach networks and steal information, small and medium-sized businesses (SMBs) are less resilient in dealing with the impacts than larger organizations.”
Here are 4 lessons small businesses can learn from WannaCry and NotPetya cyber attacks:
1. Use the Latest Operating System
Users of old operating systems are vulnerable to cyber attacks.
The majority of NotPetya ransomware infections, according to Microsoft in a bulletin dated June 29 this year, were observed on computers running Windows 7. Windows 10, on the other hand, according to Microsoft, is resilient against the NotPetya ransomware attack.
For WannaCry, users of old Microsoft operating systems – in particular, Windows XP, Windows 8 and Windows Server 2003 – fell victim to this malicious software. Microsoft ended its support for Windows XP on April 8, 2014; Windows Server 2003 on July 14, 2015; and Windows 8 on January 13, 2016.
For Windows XP, Microsoft issued this statement:
"After April 8, 2014, Microsoft will no longer provide security updates or technical support for Windows XP. Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system – such as Windows 10 – so you can receive regular security updates to protect their computer from malicious attacks."
In the paper “The hackers holding hospitals to ransom” published in the British Medical Journal (BMJ) two days before the WannaCry attack, Krishna Chinthapalli, a doctor at the National Hospital for Neurology and Neurosurgery in London, found that a number of British hospitals were using Windows XP, an operating system introduced by Microsoft in 2001.
2. Install Security Updates for the Latest Operating System
Even if you’re using the latest operating system, if you fail to install the latest security update or patch, your computers are still vulnerable to cyber attacks.
Users of Windows 10 – the latest operating system from Microsoft – who failed to install the security update released by Microsoft on March 14, 2017 fell victim to WannaCry.
Microsoft said that its March 14, 2017 update resolves vulnerabilities in Microsoft Windows that “could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” WannaCry exploited exactly the vulnerability addressed by Microsoft’s March 14 update.
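The SMBv1 exposure described above can be audited and closed on a Windows host with the following script, added here as an example and not taken from Microsoft or the original post. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated PowerShell session, and the Get-SmbServerConfiguration and Get-WindowsOptionalFeature cmdlets; disabling SMBv1 complements, rather than replaces, installing the March 14, 2017 update.

```powershell
# Added example (not Microsoft's or the original post's code): audit and disable SMBv1.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.

function Get-Smb1Status {
    # Two independent views: the optional-feature state and the SMB server setting.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState = if ($feature) { $feature.State } else { 'NotPresent' }
        ServerSmb1   = $server.EnableSMB1Protocol
        # Exposed if either the feature is installed and enabled or the server still speaks SMB1.
        Smb1Exposed  = (($feature -and $feature.State -eq 'Enabled') -or $server.EnableSMB1Protocol)
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $status = Get-Smb1Status
    if (-not $status.Smb1Exposed) {
        Write-Output 'SMBv1 is already disabled on this host.'
        return
    }
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 protocol')) {
        # Turn off the server-side protocol first, then remove the feature entirely.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output 'SMBv1 disabled; a restart completes removal of the feature.'
    }
}

# Report first, then remediate. Run "Disable-Smb1 -WhatIf" to preview without changing anything.
Get-Smb1Status | Format-List
Disable-Smb1
```

Run Get-Smb1Status again after the restart to confirm both FeatureState and ServerSmb1 report SMBv1 as off.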
3. Paying Ransom Isn’t a Guarantee that You’ll Get Your Data Back
In a typical ransomware attack, computer data is encrypted, a ransom note is shown on the victim’s screen, the victim pays, and the victim recovers the data as it is decrypted.
WannaCry victims paid close to $100,000 in bitcoins; NotPetya victims paid close to $10,000. These earnings are in stark contrast to the top-grossing ransomware Locky, which earned $7.8 million, and the second top-grossing ransomware Cerber, which earned $6.9 million, based on the data provided in a Google-led study (PDF).
The reason these two didn’t earn much in bitcoins is that many victims knew early on that these malicious programs couldn’t restore their data even if the ransom was paid. According to the Google-led study, WannaCry and NotPetya are "impostors” as they are in reality “wipeware” pretending to be ransomware.
Matt Suiche from Comae Technologies concluded that NotPetya is a wiper as it “does permanent and irreversible damages to the disk”. Suiche distinguishes a wiper from ransomware this way: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”
Victims of NotPetya also can’t pay ransom as the payment email address isn’t accessible anymore. The email address specified in the NotPetya ransomware notice was immediately blocked by the email provider Posteo. The perpetrator or perpetrators of NotPetya also didn’t replace the blocked address with another one.
In the case of WannaCry, McAfee researchers found that while WannaCry can decrypt files, “WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.”
4. Back Up Your Data
Make your organization resilient to cyber attacks by backing up your critical data. You can always get back your operating system or other software applications by reinstalling them. It may, however, be impossible to recreate data lost to cyber criminals. It’s important, then, to always back up your critical data.
Backing up data on a regular basis isn’t just helpful in case cyber attackers corrupt your data; it’s also valuable in case your computers are stolen or destroyed as a result of fire or other disasters.
Ransomware Victims Have Paid $25 Million in the Span of 2 Years, Google-Led Study Shows
Since 2016, ransomware victims have paid over $25 million to cyber criminals, this according to a new Google-led study – with inputs from the University of California San Diego (UCSD), New York University (NYU) and Chainalysis researchers.
Google researchers – Elie Bursztein, Kylie McRoberts, Luca Invernizzi – in the study called “Tracking desktop ransomware payments end to end” found that over the period of 2 years, ransomware criminals have earned a total of $25,253,505.
"A niche term just two years ago, ransomware has rapidly risen to fame in the last year, infecting hundreds of thousands of users, locking their documents, and demanding hefty ransoms to get them back,” Bursztein, McRoberts and Invernizzi said. “In doing so, it has become one of the largest cybercrime revenue sources, with heavy reliance on Bitcoins and Tor to confound the money trail.”
According to Google, since 2016, there has been an 877% increase in the search queries of the keyword “ransomware” – the term used to refer to a malware that encrypts victims’ computers and demands a ransom payment for the key to unlock the computer.
The top 10 ransomware earners, according to the Google-led study, are Locky ransomware (with total earnings of $7.8 million), followed by Cerber ($6.9 million), CryptoLocker ($2 million), CryptXXX ($1.9 million), SamSam ($1.9 million), CryptoWall ($1.2 million), AINamrood ($1.2 million), TorrentLocker ($1 million), Spora ($0.8 million) and CoinVault ($0.2 million).
According to the study, a ransomware goes through the following process:
Aside from being the top-grossing ransomware since 2016, Locky was cited by the Google-led study as notable for being the first ransomware to earn $1 million per month.
The Google-led study said Locky brought “ransoms to the masses”. This ransomware first appeared in February 2016. According to Symantec, cyber criminals aggressively spread this malware by using compromised websites and massive spam campaigns. This malware encrypts files on victims’ computers and demands ransom payment.
Allen Stefanek, president and CEO, Hollywood Presbyterian Medical Center, publicly admitted that as a result of Locky ransomware attack, the hospital paid 40 bitcoins – equivalent to nearly $17,000. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.”
This ransomware is another cited by the study as notable, for its consistent income of $200,000 per month for over a year. This malware first appeared in February 2016.
According to Kaspersky Lab, this ransomware, also dubbed a “multipurpose malware”, when executed via email attachment, encrypts files and demands money for their safe return. This ransomware, according to Kaspersky Lab, also infects computers for other purposes, such as for a distributed denial of service (DDoS) attack or as a spambot.
Wipeware vs. Ransomware
It’s worth noting that the Google-led study didn’t include WannaCry and NotPetya (also known as Petya) among the top 10 highest-grossing ransomware of the past two years. WannaCry was only ranked 11th, with total earnings of $0.1 million.
The Google-led study classified WannaCry and NotPetya as ransomware “impostors”. The study found that even if WannaCry and NotPetya victims pay the ransom, they still can’t unlock their computers. "Wipeware pretending to be ransomware is on the rise," the researchers noted.
Matt Suiche from Comae Technologies, who concluded that NotPetya is a wiper, not a ransomware, explained the difference between a wiper and ransomware:
"The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) – a wiper would simply destroy and exclude possibilities of restoration."
WannaCry first appeared last May 12; NotPetya first appeared last June 27. While WannaCry affected hundreds of thousands of computers around the world, NotPetya only affected tens of thousands of computers worldwide. The glaring similarity between WannaCry and NotPetya is how they affected major government institutions and big companies.
WannaCry disrupted the operations of UK’s National Health Service, Renault's assembly plant in Slovenia, U.S. express delivery company FedEx and Spanish telecommunications company Telefonica. NotPetya, meanwhile, disrupted the operations of the Chernobyl nuclear plant, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, Cadbury and Oreo-maker Mondelez and Russian oil and gas giant Rosneft.
How to Protect Your Organization from Ransomware and Wipeware
Here are 4 tips on how to protect your organization from ransomware and wipeware:
1. Backup Your Data
According to the Google-led study, ransomware criminals were able to inflict significant damage to their victims as only 37% of computer users backup their data.
In today’s digital world, organizations operate effectively because their data is available. Given the importance of data to your organization, this commodity should be protected at all costs.
When it comes to data backup, having a single backup copy may not be enough to safeguard your organization’s data. The United States Computer Emergency Readiness Team (US-CERT) recommends that organizations follow the “3-2-1 rule”:
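The 3-2-1 rule, as it is commonly stated, is to keep three copies of your data, on two different kinds of media, with one copy stored off-site. A backup that has never been verified is not much better than no backup, so the script below checks both the rule and the integrity of every copy against a hash recorded when the backup was taken. It is an added example written for this article, not US-CERT's or any vendor's tool; the copy labels, media types and the files it writes into a temporary directory are constructed for the demonstration.

```python
"""Verify a backup set against the 3-2-1 rule and check each copy's integrity.

Added example (not from the original article). The copy labels, media types
and files below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BackupCopy:
    label: str     # hypothetical name for this copy
    path: str      # where the copy lives
    media: str     # "disk", "tape", "cloud-object", ...
    offsite: bool  # stored away from the primary site


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large backups need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup_set(copies: List[BackupCopy], expected_sha256: str) -> Dict:
    """Report which copies match the recorded hash and whether 3-2-1 holds.

    Only copies that verify count toward the rule: a stale, truncated or
    encrypted copy is reported and excluded from the 3/2/1 tally.
    """
    bad = [c.label for c in copies if sha256_file(c.path) != expected_sha256]
    good = [c for c in copies if c.label not in bad]
    media = {c.media for c in good}
    offsite = [c.label for c in good if c.offsite]
    return {
        "mismatched_copies": bad,
        "usable_copies": len(good),
        "distinct_media": len(media),
        "offsite_copies": len(offsite),
        "rule_3_2_1_satisfied": len(good) >= 3 and len(media) >= 2 and len(offsite) >= 1,
    }


def demo() -> Dict:
    """Build a constructed backup set in a temp dir; one copy is truncated."""
    content = b"customer ledger 2017-07\n" * 1000
    expected = hashlib.sha256(content).hexdigest()  # recorded at backup time
    with tempfile.TemporaryDirectory() as d:
        copies = [
            BackupCopy("primary", os.path.join(d, "primary.db"), "disk", False),
            BackupCopy("nas", os.path.join(d, "nas.db"), "disk", False),
            BackupCopy("cloud", os.path.join(d, "cloud.db"), "cloud-object", True),
            BackupCopy("tape", os.path.join(d, "tape.db"), "tape", True),
        ]
        for c in copies:
            with open(c.path, "wb") as f:
                f.write(content)
        # Simulate a backup job that was cut off before it finished writing.
        with open(copies[3].path, "wb") as f:
            f.write(content[:-100])
        return check_backup_set(copies, expected)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The hash is taken from the data when the backup is made rather than from the live primary at check time; otherwise a primary that ransomware has already encrypted would become the reference and every good copy would be reported as bad.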
2. Keep Your Operating System and Other Software Updated
Microsoft’s Windows 10 update, for instance, can help detect the latest batch of Cerber ransomware.
3. Disable Loading of Macros in Office Programs
“To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros,” Microsoft said.
4. Think before You Click
Refrain from opening emails from senders you don’t recognize. Don't click or open the following attachments:
Vulnerable IoT Devices Used to Carry out DDoS Attacks
A British man admitted in court this week that he carried out a cyber attack on Deutsche Telekom last year. He claimed that he was paid $10,000 by a competitor of the telecom company to do the job.
In November last year, Deutsche Telekom publicly acknowledged that internet access for nearly 1 million of its customers was disrupted as a result of a cyber attack. “We saw attacks from the Mirai botnet that targeted customer routers globally,” Thomas Tschersich, head of IT security at Deutsche Telekom, said in a video message posted on Twitter. “The attack led to the devices crashing.”
DDoS, IoT and Botnets Explained
Distributed Denial of Service (DDoS) attacks are one of the most significant cyber threats to businesses today. In a DDoS attack, a cyber criminal infects hundreds of thousands of computers or Internet of Things (IoT) devices with malicious software and, without the knowledge of their owners, turns them into a “botnet”, also known as a “zombie army”, that is capable of launching powerful DDoS attacks against a particular website or email service.
The attack is “distributed”, according to the United States Computer Emergency Readiness Team (US-CERT), because the attacker is using multiple computers to launch the denial of service attack.
Vulnerability of IoT Devices
IoT devices, which include webcams, routers, CCTV cameras and smart TVs, are emerging devices that are connected to one another via the internet. “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks,” US-CERT said.
According to Symantec, IoT devices are being targeted due to the following reasons:
1. Poor Security
Many of today’s IoT devices use default usernames and passwords, making it easy for cyber criminals to infect them with malware. In addition, Universal Plug and Play (UPnP) – a feature that lets a device open a port on the router so that the device is reachable from the internet – makes such devices an easy target for cyber criminals.
2. Processing Power Limitations
Many IoT devices run basic operating systems, which means a lot of them lack advanced security features. Most of these devices are simply plugged in, and owners don’t bother to apply security updates.
IoT Botnets: Zombie Armies of Cyber Criminals
Cisco, in its 2017 midyear cyber security report, cited 3 common features of IoT botnets:
1. Fast and Easy Setup
The setup can be completed within an hour.
2. Rapid Distribution
Cyber criminals can have a botnet of more than 100,000 infected IoT devices in just 24 hours. This rapid distribution results in exponential growth in the size of the botnet.
3. Low Detection Rate
It’s hard to get samples of IoT botnet malware because the malicious code lives only in the device’s memory. Once the infected device is restarted, the infection is wiped out, although a device that is still exposed can simply be infected again.
In late 2016, IoT devices were used by the Mirai botnet to carry out crippling DDoS attacks.
In September 2016, the Mirai botnet was used to carry out a DDoS attack – 665 Gbps in size – on the website of cyber security blogger Brian Krebs. In the same month, shortly after the attack on Krebs’ website, Mirai was used to attack the web hosting operation of the French company OVH with an even bigger attack of 1 Tbps. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai.
In October last year, Mirai waged its biggest attack on DynDNS – a DNS provider that’s used by a number of major websites. The DDoS attack on DynDNS caused an outage on hundreds of popular websites including PayPal, Twitter and Spotify.
"We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet,” DynDNS said in a statement. “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
In November last year, Mirai once again tried to infect IoT devices, this time the routers of Deutsche Telekom. The telecom company said that internet access of over 900,000 customers – out of its 20 million customers – was disrupted.
“The attack attempted to infect routers with a malware [Mirai] but failed which caused crashes or restrictions for four to five percent of all routers,” the telecom company said. “This led to a restricted use of Deutsche Telekom services for affected customers.”
According to Cisco, Mirai works by connecting to an IoT device using over 60 factory default usernames and passwords. Once the device is infected, it locks itself against additional botnets. The malware then sends the compromised IP and credentials to a centralized ScanListen service. The infected device then helps in harvesting new bots, producing a self-replicating pattern.
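The behaviour Cisco describes – credential guessing on telnet, then the newly infected device scanning for more victims – is visible from the network side without any malware sample, which matters given the low detection rate noted above. The script below is an added example, not Cisco's or any product's code: it runs two simple detections over constructed connection records (the five-field line format and the 192.168.0.0/16 internal range are assumptions) and reports external sources that hammer telnet with failed logins, internal devices that fan out to many telnet targets, and devices that show both signs in sequence.

```python
"""Flag Mirai-style telnet activity in connection logs.

Added example, not code from the original article or from Cisco. The log
lines are constructed; the "<ts> <src> <dst> <dport> <outcome>" layout and
the internal address range are assumptions, not a real product format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

TELNET_PORTS = {23, 2323}
INTERNAL = ip_network("192.168.0.0/16")   # assumed local address space

# Constructed: one device is brute-forced, logged into, then starts scanning.
_FANOUT = [
    f"2016-11-27T10:00:{7 + i // 4:02d} 192.168.1.20 198.51.100.{i + 1} "
    f"{2323 if i % 3 == 0 else 23} syn"
    for i in range(12)
]
CONSTRUCTED_LOG = [
    "2016-11-27T10:00:01 203.0.113.9 192.168.1.20 23 login_failed",
    "2016-11-27T10:00:02 203.0.113.9 192.168.1.20 23 login_failed",
    "2016-11-27T10:00:03 203.0.113.9 192.168.1.20 23 login_failed",
    "2016-11-27T10:00:04 203.0.113.9 192.168.1.20 23 login_failed",
    "2016-11-27T10:00:05 203.0.113.9 192.168.1.20 23 login_failed",
    "2016-11-27T10:00:06 203.0.113.9 192.168.1.20 23 login_ok",
    *_FANOUT,
    "2016-11-27T10:00:11 192.168.1.30 198.51.100.50 23 syn",
    "2016-11-27T10:00:12 192.168.1.30 192.168.1.1 443 syn",
    "2016-11-27T10:00:13 198.51.100.77 192.168.1.30 23 login_failed",
]


def parse(lines: List[str]) -> List[Dict]:
    """Split each constructed line into a record with a numeric port."""
    records = []
    for line in lines:
        ts, src, dst, dport, outcome = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "outcome": outcome})
    return records


def detect(records: List[Dict], fail_threshold: int = 5,
           fanout_threshold: int = 8) -> Dict[str, List[str]]:
    """Three signals, all restricted to telnet ports.

    bruteforce_sources: external hosts with >= fail_threshold failed logins.
    scanning_devices:   internal hosts contacting >= fanout_threshold targets.
    likely_infected:    scanning devices that a flagged source logged into.
    """
    failed = defaultdict(int)    # external src -> failed telnet logins
    entered = defaultdict(set)   # external src -> internal hosts it logged into
    fanout = defaultdict(set)    # internal src -> distinct telnet targets
    for r in records:
        if r["dport"] not in TELNET_PORTS:
            continue
        if ip_address(r["src"]) in INTERNAL:
            fanout[r["src"]].add(r["dst"])
        elif r["outcome"] == "login_failed":
            failed[r["src"]] += 1
        elif r["outcome"] == "login_ok":
            entered[r["src"]].add(r["dst"])
    brute = sorted(s for s, n in failed.items() if n >= fail_threshold)
    scanners = sorted(s for s, t in fanout.items() if len(t) >= fanout_threshold)
    reached = set()
    for s in brute:
        reached |= entered[s]
    infected = sorted(h for h in scanners if h in reached)
    return {"bruteforce_sources": brute, "scanning_devices": scanners,
            "likely_infected": infected}


if __name__ == "__main__":
    for name, hosts in detect(parse(CONSTRUCTED_LOG)).items():
        print(f"{name}: {hosts}")
```

The fan-out rule is the more useful one for anyone operating IoT devices, because it flags the device itself as a bot even when the initial compromise happened before logging started. The thresholds need tuning to the network: a management host that legitimately telnets to many devices will need an allow-list.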
According to Imperva Incapsula, unique IP addresses which hosted Mirai-infected devices were mostly CCTV cameras. Other Mirai-compromised IoT devices included DVRs and routers. Incapsula added that IP addresses of Mirai-infected devices were seen in 164 countries, appearing even in remote locations such as Somalia, Tajikistan and Montenegro.
DDoS against Small Businesses
DDoS attacks aren’t limited to big companies. Sucuri reported on a DDoS attack that went on for days against the website of a small brick-and-mortar company. Similar to Mirai, the attacker used infected CCTV cameras to launch the DDoS attack on this small company’s site. According to Sucuri, the attacker used compromised CCTV cameras from 105 countries.
How to Prevent the Spread of IoT Botnets
“With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices … should become the new norm,” Imperva Incapsula said.
Basic security practices to prevent the spread of IoT botnets include:
Effects of Petya Cyber Attack Still Linger
Even as weeks have passed since the Petya ransomware attack, its negative effects still linger.
Operational and Financial Costs of Petya Cyber Attack
At the height of Petya’s global attack last June 27, Nuance – a company that offers transcription service to doctors – publicly acknowledged that certain systems within its network were affected by the global malware incident.
Bloomberg reported that nearly four weeks after the ransomware attack, many doctors still couldn’t use Nuance's transcription service. According to Bloomberg, hospital systems, including Beth Israel Deaconess in Boston, still couldn’t use Nuance’s transcription platform – one that allows doctors to dictate notes over a telephone. This forced doctors to revert to taking notes with pen and paper. The company told Reuters that it expects to have its transcription platform restored to substantially all clients within two weeks.
Nearly 50% of Nuance’s $1.95 billion in revenue in 2016 came from its health-care and transcription business, Bloomberg reported. As a result of the malware attack, Nuance expects adjusted third-quarter revenue of $494 million to $498 million, short of the $509.8 million that analysts expected, Reuters reported.
TNT Express, a small-package ground delivery and freight transportation company acquired by FedEx in May 2016, is another company that experienced disruption to its operations weeks after the Petya ransomware attack. FedEx publicly acknowledged last June 28 that TNT’s worldwide operations were significantly affected by the Petya cyber attack. According to FedEx, as of July 17, all TNT hubs, depots and facilities were operational. FedEx, however, said that customers were still experiencing widespread service and invoicing delays, as a significant portion of TNT’s operations and customer service functions had reverted to manual processes.
“We cannot estimate when TNT services will be fully restored,” FedEx said in a statement. The courier company added, “Given the recent timing and magnitude of the attack, in addition to our initial focus on restoring TNT operations and customer service functions, we are still evaluating the financial impact of the attack, but it is likely that it will be material.”
FedEx further said that while the company can’t yet quantify the amounts, it has experienced loss of revenue as a result of decreased volumes at TNT, remediation of affected systems and incremental costs associated with the implementation of contingency plans. FedEx added that it doesn’t have cyber or other insurance in place to cover the cost of the attack.
While FedEx still can’t quantify the cost of Petya cyber attack, other multinational companies like Saint-Gobain, Reckitt Benckiser Group and Mondelēz International were able to put a price on the June 27th ransomware attack.
Saint-Gobain, a French multinational corporation that produces a variety of construction and high-performance materials, said that based on its preliminary assessment, Petya’s financial effect on the company’s first half sales is limited to about 1%.
Reckitt Benckiser Group, a British multinational consumer goods company, for its part said in a statement that Petya’s disruption meant the company’s revenue growth in the second quarter would be down by 2%. Reckitt’s act of putting a price on a cyber attack is a revelation in itself, Bloomberg said, as the company had just spent $18 billion in cash acquiring baby formula producer Mead Johnson Nutrition Co.
For its part, Mondelēz International, a snacking company with 2016 net revenues of almost $26 billion, in a statement said, “Our preliminary estimate of the revenue impact of this event is a negative 300 basis points on our second quarter growth rate.”
“Any time there is a cyberattack and a company is exposed to that threat, that presents both reputational risk as well as the risk from disruption,” Bloomberg Intelligence analyst Mandeep Singh said. “Since a lot of the deals get signed toward the end of the quarter, the timing of it could have impacted certain deal closures.”
Secondary Effects of Cyber Attacks
Cyber attacks result in a number of potentially significant secondary effects. The following are 4 of the secondary effects of cyber attacks:
1. Property Damage and Loss of Life
A cyber attack may affect life-critical functions or databases: interference with remote surgery may result in loss of life, and tampering with critical SCADA alarm systems may result in property damage.
2. Reputational loss
Companies may acknowledge cyber attacks voluntarily or out of necessity – when pressured by social media revelations from customers, by third-party disclosure, or by the disclosure requirements of certain governments. The practice of sending apology notes to clients may itself have a negative effect on the company’s reputation.
When customers can’t access your company’s site or when your automated processes are disrupted, this automatically impacts the company. Stock prices are typically volatile after a cyber attack. Nuance shares, according to Bloomberg, have dropped almost 8 percent since June 27, when Petya ransomware attack began.
3. Litigation Cost
When a cyber attack disrupts your services and this, in turn, disrupts the services of your customers, the result may be costly litigation. In the case of a data breach, affected customers may sue your company over the breach. Ruby Corp., formerly known as Avid Life Media – the parent company of the dating site Ashley Madison – said that it will pay $11.2 million to settle a case brought on behalf of nearly 37 million Ashley Madison users whose personal details were exposed in a July 2015 data breach, CNBC reported.
4. Cost of Additional Security Controls
Another consequence of a cyber attack is the cost of additional security controls. The data breach on Ashley Madison prompted Ruby Corp. to spend millions of dollars to improve user privacy and security, according to CNBC. After a data breach, affected companies typically don’t just patch the specific vulnerability, they implement additional security controls such as:
Cyber risk is becoming more and more of a reality for many businesses in the 21st century. In the World Economic Forum’s Global Risks Report 2016, cyber attack was ranked in 11th position in both likelihood and impact.
Our team can help your business evaluate the cyber risks and recommend cyber defence strategy. Connect with us today and protect your business.
Global Cyber Attacks Could Be as Costly as Major Hurricanes
Hurricanes Katrina and Sandy are two of the costliest hurricanes of the past three decades. The total damage from Katrina is estimated at $156 billion, and from Sandy at $69 billion. Lloyd's of London estimates that economic losses from global cyber attacks have the potential to be as big as those caused by major hurricanes.
2 Potential Cyber Attack Scenarios
Lloyd’s report, “Counting the cost: Cyber exposure decoded”, modelled two global cyber attack scenarios and their potential economic impact:
1. Cloud Service Provider Hack
According to Lloyd’s, the average losses in the cloud service disruption scenario could be $53.1 billion for an extreme event and could go as high as $121.4 billion.
2. Cyber Attacks on Mass Software
For the mass software vulnerability scenario, according to Lloyd’s, the losses could range from $9.7 billion for a large event to $28.7 billion for an extreme event.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy,” said Inga Beale, CEO of Lloyd’s. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies ….”
Vulnerability of Cloud Service
“The Cloud” refers to accessing data, computing resources and software over the web rather than from a local computer. Although cloud computing, also known as network-based computing, dates back to the 1960s, it was only in the early 2000s that its popularity soared as small and medium-sized businesses adopted this new way of accessing data.
In the second quarter of 2016, Synergy Research Group found that Amazon cornered 31% of the cloud infrastructure services market, followed by Microsoft (11%), IBM (7%), Google (5%), Next 20 including Alibaba and Oracle (26%) and others (20%). More than 90% of the over 2,000 cyber security professionals surveyed in McAfee’s “Building Trust in a Cloudy Sky” report stated that they were using some type of cloud service in their organization.
In February this year, Amazon’s cloud services suffered a costly outage. According to Amazon, a typo caused the outage. Amazon said in a statement:
“The Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected. At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended.”
Amazon’s February 2017 outage cost companies in the S&P 500 index $150 million, according to Cyence.
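The root cause Amazon describes is not exotic: an authorised operator, an established playbook, and one mistyped input. Below is an added example of the kind of guard that turns that mistake into a refused request rather than an outage. It is illustrative code written for this article, not Amazon's tooling; the subsystem names, fleet sizes and policy thresholds are assumptions.

```python
"""A blast-radius guard for destructive fleet operations.

Added example, not Amazon's tooling. It models the failure mode in the S3
statement quoted above: a capacity-removal command whose input was mistyped.
Subsystem names, fleet sizes and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


class RemovalRefused(Exception):
    """Raised when a request would violate the removal policy."""


@dataclass(frozen=True)
class Policy:
    max_fraction_per_step: float   # never take more than this share in one step
    min_capacity: Dict[str, int]   # floor each subsystem must keep


def plan_removal(fleet: Dict[str, List[str]], subsystem: str,
                 requested: List[str], policy: Policy) -> List[str]:
    """Return the hosts that may be removed, or raise RemovalRefused.

    The request is checked against the live inventory (unknown hosts and
    hosts from other subsystems are rejected), then against the per-step cap
    and the minimum-capacity floor. A typo that selects too many hosts fails
    closed instead of taking the subsystem down.
    """
    if subsystem not in fleet:
        raise RemovalRefused(f"unknown subsystem {subsystem!r}")
    if not requested:
        raise RemovalRefused("empty request")
    members = set(fleet[subsystem])
    wanted = set(requested)
    unknown = sorted(wanted - members)
    if unknown:
        raise RemovalRefused(f"{len(unknown)} hosts not in {subsystem}: {unknown[:3]}")
    share = len(wanted) / len(members)
    if share > policy.max_fraction_per_step:
        raise RemovalRefused(
            f"request removes {share:.0%} of {subsystem}; cap is "
            f"{policy.max_fraction_per_step:.0%} per step")
    remaining = len(members) - len(wanted)
    floor = policy.min_capacity.get(subsystem, 0)
    if remaining < floor:
        raise RemovalRefused(
            f"{subsystem} would drop to {remaining} hosts, below floor {floor}")
    return sorted(wanted)


# Constructed inventory and policy for the demonstration.
FLEET = {
    "index": [f"index-{i:03d}" for i in range(40)],
    "placement": [f"placement-{i:03d}" for i in range(20)],
}
POLICY = Policy(max_fraction_per_step=0.10,
                min_capacity={"index": 30, "placement": 15})


def intended_request() -> List[str]:
    """Remove 3 of 40 index hosts: within the 10% cap and above the floor."""
    return plan_removal(FLEET, "index", FLEET["index"][:3], POLICY)


def mistyped_request() -> str:
    """Same playbook, but the count was entered as 30 instead of 3."""
    try:
        plan_removal(FLEET, "index", FLEET["index"][:30], POLICY)
    except RemovalRefused as e:
        return str(e)
    return "ALLOWED"   # should not happen under POLICY


if __name__ == "__main__":
    print("intended:", intended_request())
    print("mistyped:", mistyped_request())
```

The per-step cap means a genuinely large removal has to be done as several deliberate steps, each re-checked against the floor, which is exactly where a mistyped count is caught. The guard also refuses hosts that are not in the named subsystem, so a playbook pointed at the wrong fleet fails before it acts.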
According to Lloyd’s, cloud infrastructure services like Amazon, Microsoft, IBM and Google rely upon a common cloud infrastructure. If a major security flaw were found in this common cloud infrastructure, cloud customers of these cloud services could suffer from a breach, Lloyd’s said.
Vulnerability of Mass Software
In April 2017, the hacker group known as ShadowBrokers published on the internet a compilation of hacking tools believed to have been used by the National Security Agency (NSA). These publicly released hacking tools could give anyone with technical knowledge the capability to exploit certain computers running Microsoft Windows.
In March 2017, a month before the alleged NSA hacking tools were released to the wild, Microsoft released a free patch or security update for Windows 10. Microsoft, however, didn’t release free security updates for Windows XP, Windows 8 and Windows Server 2003. The company only released free patches for these old Windows operating systems at the height of WannaCry – a ransomware that affected more than 300,000 computers in 150 countries in May this year.
6 Trends that Contribute to Cyber Vulnerability
Lloyd’s report identified these 6 trends that cause further cyber vulnerability:
1. Old Software
Old software refers to software that has been abandoned by its maker. It also refers to software that is patched by its maker but never updated by its end users. Failing to install a security update leaves a computer user vulnerable to hacks. This is what happened with WannaCry: users of Windows 10 succumbed to the ransomware for failing to install Microsoft’s March 2017 free patch, and users of Microsoft’s older operating systems (Windows XP, Windows 8 and Windows Server 2003) also fell victim, as Microsoft only released the free patch for these older versions after WannaCry had spread around the world last May 12th.
2. The Number of Software Developers
The number of people developing software has grown substantially over the past 30 years. Each software programmer could potentially introduce vulnerabilities into a system, whether unintentionally through human error or intentionally. Proprietary software, for instance, is developed by different teams and outsourced contractors spread across the globe. The Linux kernel – an open source software project started in August 1991 – had over 13,500 developers as of August 2016.
3. Volume of Software
More programmers mean more code is being developed each day. “More code means the potential for more errors and therefore greater vulnerability,” Lloyd’s said. A typical new car, for instance, has about 100 million lines of code.
4. Open Source Software
While the open source movement has resulted in unprecedented digital innovation, it has also opened new digital vulnerabilities. Lloyd’s said, “Any errors in the primary code could then be copied unwittingly into subsequent iterations.” Most open source software doesn’t go through the same level of security scrutiny as custom-developed software.
5. Multi-layered Software
In multi-layered software, new code is written on top of existing code. Most programmers today work on maintaining existing code rather than writing new code. Multi-layered software, Lloyd’s said, “makes software testing and correction very difficult and resource intensive.”
6. “Generated” Software
In generated software, the code is written by a computer program, instead of being written by human programmers. Lloyd’s said, “Code can be produced through automated processes that can be modified for malicious intent.”
Not understanding your technology vulnerabilities is no longer an option. Assess them today to gain valuable insight, and take immediate action to address the gaps. Connect with us today and speak with our vulnerability assessment and management experts.
Insider Data Breach: An Enemy Within
Last week, an international health insurance company publicly acknowledged that one of its employees stole information that affected records of 547,000 customers.
The affected company said that while the stolen records didn’t include financial or medical data, records including names, dates of birth, nationalities, contact and administrative details were stolen. The company said that the employee responsible was fired immediately after the breach was discovered and is taking appropriate legal action.
DataBreaches.net first reported the data breach at this international health insurance company after a dark web vendor calling himself or herself “MoZeal” claimed to have over 1 million records for sale.
When contacted about the pricing, according to DataBreaches.net, MoZeal allegedly replied:
"Thanks for your inquiry bro, but before I start talking about pricing I would just like to clarify that this medical database is the only unique db, if not the only one, on the entire dark web market, with over 1 million entries and over 122 countries as a whole, not to mention it comes straight from one of the world-class health insurance companies. So you can imagine the information is very sensitive but also exclusive."
The international health insurance company disputed the 1 million records claim, and said in a statement, “Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken, relates to duplicate copies of some records.”
This latest data breach incident shows the weakest link in cyber security: the insider.
Who is an Insider
An “insider” can be anyone who has physical or remote access to your company's confidential data. Although an insider often means your employee, a business partner, client or maintenance contractor who has access to your company's confidential data can also be considered an insider.
An insider can be either a malicious insider or an inadvertent insider. An inadvertent insider might be an employee who was tricked into downloading a malware-laden document, which then gives cyber criminals access to the company’s confidential information. A malicious insider is anyone who snoops through files, steals information or appears to have knowingly violated the law.
Extent of Insider Data Breach
IBM’s global threat intelligence report found that over 200 million financial services records were breached in 2016. Fifty-eight percent of the 2016 data breaches in the financial services sector resulted from insider attacks, while outsider attacks accounted for only 42%. Of the 58% attributed to insiders, 5% were made by malicious insiders and 53% by inadvertent insiders.
The IBM report also found that in 2016 the healthcare sector was more affected by insider attacks (71%) than outsider attacks (29%). Of the 71% attributed to insiders, 25% were malicious insider attacks and 46% were inadvertent insider attacks.
For its part, Protenus reported that 43% of the 2016 U.S. health data breaches – 192 incidents in total – were the work of insiders. Of these 192 insider breaches, 99 were the result of inadvertent insiders, 91 of malicious insiders, and in 2 incidents there was insufficient information to determine whether the incident was inadvertent or malicious.
Health Data Malicious Insider Breaches Take 607 Days to Discover
According to Protenus, in 2016 it took healthcare organizations an average of 233 days to discover they had a health data breach. The most troubling part of breach discovery, according to Protenus, is in cases of malicious insiders, where the average discovery period was 607 days – more than double the typical data breach discovery period.
Protenus gives two explanations why it takes so long to discover a breach:
1. Limited Budgets and Resources
With limited budgets and resources, not all organizations will be able to detect breaches in an automated and precise manner.
2. Reactive Approach to Data Breach
Many organizations have taken a reactive approach to data breach – only worrying about breaches once they are brought to their attention by the affected party or third party like the media.
“Insiders are a very real risk to the security of patient data,” Protenus said. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating.”
How to Prevent Insider Data Breach
Here are two ways to prevent insider data breach:
1. Educate Employees
According to IBM, the reality that the cyber insider attacks targeting the healthcare and financial service sectors were largely the result of inadvertent insiders may be due to these industries having a greater susceptibility to phishing attacks.
A phishing attack happens when cyber criminals try to trick you into sharing personal or work-related information online. Common phishing methods use email, ads or sites that look like sites you already use. An email that appears to come from your bank, asking you to confirm your bank account number, is an example of phishing.
One way to prevent inadvertent insider attacks is by educating employees – through in-person instruction, video, webinars – about phishing and how to avoid becoming a victim.
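Training works better when it is backed by a technical check. As an added example (not from the article or from IBM), the function below classifies the sender domain of an incoming email against a list of domains the organization trusts, catching the look-alikes phishing relies on: swapped characters (rn for m, 1 for l), a trusted name embedded in a longer attacker-controlled domain, and one- or two-character typos. The trusted domains and test inputs are placeholders constructed for the demonstration.

```python
"""Classify an e-mail sender domain against a trusted-domain list.

Added example, not from the article. Trusted domains and inputs are
constructed placeholders, not real organisations.
"""
from typing import Iterable, Optional, Tuple

TRUSTED_DOMAINS = {"examplebank.com", "payroll-example.com"}   # constructed

# Character sequences that render almost identically in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot, and fold confusable sequences."""
    d = domain.strip().lower().rstrip(".")
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, trusted: Iterable[str] = TRUSTED_DOMAINS,
             max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_trusted_domain).

    Verdicts: "trusted" (exact match), "trusted-subdomain" (mail.<trusted>),
    "embedded" (<trusted>.<something-else>), "lookalike" (confusable swap or
    small edit distance) or "unknown".
    """
    d = sender_domain.strip().lower().rstrip(".")
    nd = normalise(d)
    trusted = sorted(t.lower() for t in trusted)
    # Exact and legitimate-subdomain matches win over any look-alike verdict.
    for t in trusted:
        if d == t:
            return "trusted", t
        if d.endswith("." + t):
            return "trusted-subdomain", t
    for t in trusted:
        if ("." + t + ".") in ("." + d + "."):
            return "embedded", t
        nt = normalise(t)
        if nd == nt or levenshtein(nd, nt) <= max_distance:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for sample in ("examplebank.com", "mail.examplebank.com", "exarnplebank.com",
                   "examp1ebank.com", "examplebank.co",
                   "examplebank.com.secure-login.net", "unrelated.org"):
        print(f"{sample:40} -> {classify(sample)}")
```

The confusable folding is deliberately lossy (a legitimate domain containing "rn" folds to "m" too), so the verdict is a triage signal to warn the user or route the message for review, not a decision to block on its own.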
2. Automation and Preventative Controls
To prevent data breaches by both malicious and inadvertent insiders, it pays to invest in an automated data breach detection tool. If an organization depends on only one or two people to detect a data breach, it will take a significant amount of time before the breach is discovered. With automation, the threat can be detected immediately and precisely.
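What such an automated check looks like in practice, as an added example (not Protenus's or IBM's product): it builds a daily profile per user from an application audit log, compares each user's volume of distinct records against the team's norm using a robust median/MAD score rather than a fixed number, and separately flags accounts whose activity falls mostly outside office hours. The log rows, user names, office-hours window and thresholds are all constructed for the demonstration.

```python
"""Flag bulk or off-hours record access in an application audit log.

Added example, not from the article, IBM or Protenus. Log rows, user names,
the office-hours window and thresholds are constructed for the demonstration.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

OFFICE_HOURS = range(8, 18)   # assumed 08:00 to 17:59 local time


def constructed_log() -> List[Tuple[str, str, str, str]]:
    """(timestamp, user, policy_id, action) rows for one working day."""
    rows, counter = [], 0
    # Ordinary claims handlers look at a few dozen policies a day, in office hours.
    for user, n in {"alice": 18, "bob": 25, "carol": 12, "dave": 30, "erin": 22}.items():
        for i in range(n):
            counter += 1
            rows.append((f"2017-07-25T{9 + i % 8:02d}:{(i * 7) % 60:02d}:00",
                         user, f"P{counter:06d}", "view"))
    # One account pulls 400 distinct policies, all of them after hours.
    for i in range(400):
        counter += 1
        rows.append((f"2017-07-25T{18 + i % 6:02d}:{(i * 3) % 60:02d}:00",
                     "frank", f"P{counter:06d}", "export"))
    return rows


def daily_profiles(rows) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Per (user, day): distinct records touched, total events, off-hours events."""
    records, events, offhours = defaultdict(set), defaultdict(int), defaultdict(int)
    for ts, user, policy_id, _action in rows:
        t = datetime.fromisoformat(ts)
        key = (user, t.date().isoformat())
        records[key].add(policy_id)
        events[key] += 1
        if t.hour not in OFFICE_HOURS:
            offhours[key] += 1
    return {k: {"distinct_records": len(records[k]), "events": events[k],
                "offhours_events": offhours[k]} for k in records}


def flag_outliers(profiles, k: float = 5.0, absolute_cap: int = 200,
                  offhours_share: float = 0.5) -> Dict[Tuple[str, str], List[str]]:
    """Return {(user, day): [reasons]} for profiles that look abnormal.

    Volume is scored against the population median and median absolute
    deviation, so one bulk downloader cannot drag the baseline up the way a
    mean would; an absolute cap still fires if the whole team is noisy.
    """
    volumes = [p["distinct_records"] for p in profiles.values()]
    median = statistics.median(volumes)
    mad = statistics.median([abs(v - median) for v in volumes]) or 1.0
    flagged = {}
    for key, p in profiles.items():
        reasons = []
        score = (p["distinct_records"] - median) / mad
        if score > k or p["distinct_records"] > absolute_cap:
            reasons.append(f"{p['distinct_records']} distinct records vs team "
                           f"median {median:g} (robust z={score:.1f})")
        if p["events"] and p["offhours_events"] / p["events"] >= offhours_share:
            reasons.append(f"{p['offhours_events']} of {p['events']} events "
                           f"outside office hours")
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for (user, day), reasons in flag_outliers(daily_profiles(constructed_log())).items():
        print(user, day, "->", "; ".join(reasons))
```

A bulk copy like the 108,000 policies in the case above stands out by volume alone; the off-hours signal catches smaller, slower snooping. Both produce a reason string so an analyst sees why an account was flagged rather than just a score.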
“We predict that 2017 will be the Year of Insider Breach Awareness, with organizations realizing that this constant and significant problem has gone unaddressed for too long, with the focus for the last couple of years being more about catching up on external threats,” Protenus said.
While the great majority of our business partners, employees, clients and contractors pose no threat, it pays to be proactive in detecting data breaches. While it takes only a few minutes to steal data, it can take months or years to recover the data and rebuild a positive business reputation.
When you need to protect your data against the insider threats, and don't have in-house expertise, please contact us and we will be happy to help.