It’s been the usual mix of data breaches this month, with lots of mistakes being made and lots of ransoms being paid. This month’s total number of known leaked records is 44,701,278.It’s time for the month’s list of breaches and cyber attacks, and it’s a big one.
$600,000 stolen in business email compromise
BEC (business email compromise) has certainly gained traction in the past couple of years, although that’s not too surprising seeing as cyber criminals will compromise corporate email accounts for $150.
Henderson ISD, a school district in Texas, recently lost more than $600,000 in a BEC attack.
On 26 September, the district sent a payment of $609,615.24to RPR Construction Company Inc., the organisation overseeing the building of a stadium. It wasn’t until 1 October that Henderson realised the funds had been sent to a fraudulent account.
BEC scams pose a serious threat to all organisations. The FBI estimates that $12 billion has been lost in these scams globally over the past five years.
“Buckets of thumb drives”
New Hampshire law firm Weibrecht Law has released information about a data breach it suffered after an employee posted an unencrypted USB stick containing a “client file” via the USPS (US Postal Service). Let’s call that issue number one.
The USB stick never arrived, but the envelope it was sent in did. Weibrecht Law contacted the USPS and was told by a representative that this was a “common occurrence” and that there were “buckets of thumb drives” they could search through. There’s issue number two.
The representative did a “visual review” of the buckets, as USPS’s internal policy is not to plug any USB sticks into a computer (not all bad practice, eh?), but couldn’t see Weibrecht Law’s missing device. The representative concluded that the USB was most likely destroyed in the mail processing machine.
First, who sends data via a posted USB stick? There’s absolutely no reason why this was seen as the best option.
Second, a bucket of USB sticks seems rather odd. Yes, it’s good that the USPS representative followed internal policies and didn’t use any of the USB sticks – but can we be sure that all USPS employees are as good at following instructions?
Decision to pay $20,000 ransom raises eyebrows
It’s always shocking when an organisation pays a ransom to a cyber criminal – but this case is more interesting.
According to CBC, the FSIN (Federation of Sovereign Indigenous Nations) paid about $20,000 to an anonymous cyber criminal.
The crook gained control of FSIN’s internal files and email system and stole data including:
- Information on residential school survivors
- Youth athletes and coaches
- Internal land claims
- Social insurance numbers
- Treaty card numbers
It’s not known how long the hack went undetected, but the story came to light days before hundreds of delegates gathered to elect a new FSIN chief and two vice-chiefs.
The criminal emailed a member of staff, demanding a ransom of more than $100,000.
The FSIN treasury board and its audit committee, made up of chiefs and others from across the province, met to discuss the situation. Some wanted an immediate notice sent to all employees, parents, organisations and others affected. They said police should be called and a public statement issued. None of that happened.
The board told the FSIN staff and executive not to pay the criminal, as it wouldn’t guarantee the crook would delete the stolen files.
Despite the board’s instructions, a few days after the meeting someone authorised a bitcoin payment worth more than $20,000.
Committee members demanded an explanation and a report, but none were supplied.
And… good news! California passes law that bans default passwords in connected devices
California has passed a law banning default passwords such as ‘admin’, ‘123456’ and ‘password’. In fact, the law specifically says that passwords must be “unique to each device.”
The law will apply to consumer electronics from 2020.