An Alberta non-profit admits data theft, an insurance giant notifies victims of a ransomware attack and a U.S. wireless carrier is fooled.
Welcome to Cyber Security Today. It’s Monday July 12th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Not-for-profit organizations are obliged in most places in Canada and the U.S. to protect personal data of clients and employees. But unlike commercial firms, privacy legislation may not force non-profits to notify regulators of a cyber breach. This issue hit the headlines Sunday with a report from CBC News that a backup hard drive belonging to the Alberta charity Meals on Wheels had been stolen in January. It had personal information on 27,000 clients, donors, volunteers and employees. They began being notified in June. While Meals on Wheels didn’t have to notify the Alberta privacy commissioner, it did, also in June. That was five months after the theft. The privacy commissioner’s office isn’t sure if it has jurisdiction. The charity initially believed the data was encrypted. It wasn’t. A privacy expert told the news agency privacy laws across Canada need to make non-profits have the same legal obligations as commercial firms.
In March I told you about a news report that CNA Insurance, an international insurance giant, had paid $40 million to crooks after a ransomware attack. Well, last week the company began sending out notices to an unknown number of people whose personal information was copied by the hackers. It included their names and social security numbers. The majority of victims being notified are current and former insurance company employees, contract workers and their dependents. They are being offered two years of free identity theft monitoring services.
The question of whether management should pay a ransomware gang is hotly debated. Not paying may put an organization out of business if its data is irreparably scrambled. But some experts say insurance companies are too quick to cover ransomware payments. Arguably, payment rewards crooks and encourages cyber attacks. That’s why some politicians say ransomware payments should be made illegal. At the beginning of July the American Property Casualty Insurance Association, an industry lobby group, issued guidance to U.S. insurers. Part of the statement complained that blaming insurers for increased ransomware attacks is simplistic. American law allows people to pay ransoms for other crimes including kidnapping, the group points out.
Meanwhile last month a number of insurance companies around the world created a company called CyberAcuView to help compile data about cyber attacks and spread the word about cyber defence best practices organizations should follow.
Someone has gotten into the accounts of subscribers at American mobile carrier Mint Mobile and switched some smartphone numbers to another carrier. By doing that the hacker got control of the phones. Crooks want to take over smartphones to access the victim’s bank account and work email. The Bleeping Computer news service reports that data breach notifications have been sent to an unknown number of Mint Mobile subscribers, saying that early in June a threat actor ported the phone numbers of a small number of people. The attacker also accessed the personal information of those subscribers including their names and passwords. It isn’t known how the attacker was able to deceive the carrier. One way mobile subscribers can protect themselves is by having a PIN on their smartphone account so no one can get the company to switch their phone number to another carrier without their knowledge.
Finally, Google has released its July security patches for devices running the Android operating system. They will be available quickly for those of you who have Samsung or Pixel phones and tablets. However, for the rest it will be up to your wireless carrier and device manufacturer when updates are available. Carriers want to test the updates before putting them on their networks. And remember older devices don’t get updated at all. Android device owners should check once a month for Android updates if downloading updates isn’t automated. And if it’s been more than six months since you got an Android update, think about buying a new device.
That’s it for now. Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.