CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

Orbitz Breach

Posted in Data Breach

According to SC Media UK, in March 2018, online travel company Orbitz revealed that it had suffered a major data breach, potentially exposing the personal information of up to 880,000 customers. Orbitz is owned by parent company Expedia. Though it is unclear from the statement issued by Orbitz, it appears that customers who made purchases during certain time frames may have had their data compromised by a breach, which was discovered on March 1, 2018. Orbitz said the intrusion most likely occurred between October 1, 2017 and December 22, 2017, and is said to affect data from purchases made from January 1, 2016 to June 22, 2016 on Orbitz, and those made between January 1, 2016 and December 22, 2017 on sites that partner with Orbitz.

The compromised data may include the full name, payment card information, date of birth, phone number, email address, physical or billing address, and gender of the Orbitz customers. The company said that, despite the breach, it has not yet found direct evidence that this personal information was actually taken from the platform. Experts expect that the data was accessed through an older booking platform.

Read more about the breach here.

Tags: credentials, data breach


Ninth Circuit Finds Standing in Zappos Breach

Posted in Class Action, standing

Continuing the split among federal courts, the Ninth Circuit found that plaintiffs in a consumer data breach class action against Zappos have Article III standing based on the hacking incident, not subsequent criminal activity. (Read the opinion here: In re Zappos.Com., Inc. Customer Data Security Breach Litigation (01565871xAE57E).) Standing is determined at the time of the breach, not when the lawsuit is filed.

The decision reversed a ruling from the U.S. District Court of Nevada. In so doing, the Ninth Circuit ruled that its 2010 decision in Krottner v. Starbucks Corp. is compatible with Clapper v. Amnesty International, issued by the U.S. Supreme Court in 2013. Both cases addressed whether a reasonable likelihood of future harm is enough to establish standing: Krottner found that it was; Clapper found that it was not.

In the March 8, 2018 Zappos case, the Ninth Circuit ruled that the “imminent” risk of identity theft is  enough to establish standing by those customers who had not yet been the victim of fraud.

Along with the Ninth Circuit,  the Sixth, Seventh and D.C. circuits have found that a risk of future harm from the theft of consumer data is enough for standing.  The Second, Third, Fourth and Eighth circuits  have reached opposite conclusions in similar data breach disputes.


Cryptojacking: An Emerging Cybersecurity Threat

Posted in Cryptojacking, cryptomining, cyberjacking

A new form of cyber intrusion has emerged in recent months:  cryptojacking.

Unlike hacking that steals software or a user’s data, cryptojacking occurs when a computer is hijacked, without its owner’s knowledge, to “mine” cryptocurrency.

The rise of cryptojacking can be traced to Monero, a digital currency introduced in 2014 as an alternative to bitcoin. Digital currency is not controlled by a central bank but instead is generated by computers using sophisticated number-crunching calculations. This is expensive because it requires banks of high-powered computers that consume massive amounts of electricity. One way to avoid such costs is to use someone else’s processing power.

Designed to be mined on normal PCs, Monero led to the development of off-the-shelf Monero cryptomining tools, such as Coinhive and Crypto-Loot.  These tools transform unsuspecting visitors’ computers into mines for cryptocurrency.

This new threat does not only come from nefarious hackers.  CBS’s Showtime channel used a surreptitious code to hack into its viewers’ personal computers and turn those computers into cryptomining devices.  The unauthorized code was removed within a few days.

Similar code was found on the websites of soccer star Cristiano Ronaldo and The Pirate Bay,  which tested cryptomining software without informing users.  Pirate Bay said it tested the code as an alternative to running ads to finance the website.   Its users said the mining consumed up to 85% of their processing power, compared to a typical 20%-30% usage level.

If users are concerned about such intrusions, they can take  steps to block cryptomining tools.   For example, a “blocker” extension on an internet browser—such as Malwarebytes or minerBlock—can stop such intrusions from taking root.  As always, users should stay vigilant and keep all antivirus software up to date.



WWM to Present at PLUS Conference

Posted in Ransomware

Please join Jeremy Kerman at the 2017 PLUS Conference in Atlanta on November 2nd, at 3:45pm for the panel “Ransomware Attacks! A Survival Guide.”

Moderator: Matt Prevost, RPLU, Senior Vice President, Chubb

Jeremy Batterman, Associate Director Incident Response, Navigant
Dan Burke, Vice President, Technology Product Head, Hiscox
Shannon Groeber, Senior Vice President, JLT Specialty USA
Jeremy Kerman, Attorney, Walker Wilcox Matousek LLP

Ransomware Demand for Something Other than Bitcoin

Posted in Bitcoin, Ransomware

The increase in ransomware attacks over the past few years shows no signs of abating, with cybercriminals continuing to develop new methods of extorting businesses and consumers.

We are used to hackers’ demands for payment in cryptocurrencies such as Bitcoin or threats to release compromising names or even photos in exchange for release of data.  Last month, researchers at MalwareHunterTeam discovered a new form of malware.

Once infected with the malware, a user’s machine displays a message that “Your computer has been locked. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you.”

The message is displayed over a tiled, smiling image of the popular fictional children’s character Thomas the Tank Engine.  Oddly, the malware plays background music  which matches the theme from the HBO television series “Curb Your Enthusiasm.”

Fortunately, the ransomware does not appear to actually encrypt files, and instead operates as a screenlocker. Thus, the malware may be intended as a prank. But it is another example of how consumers and businesses need to remain vigilant to protect themselves against cyber-blackmail threats, which continue to multiply and become more novel and sophisticated.


From Kerman’s Korner: How Much Is Too Much Data?

Posted in Data Breach, Data Storage

A common data breach is not by hackers and is not targeted towards big businesses. It happens to a small to medium-sized business or government agency or school that loses a laptop through theft or carelessness. What is remarkable is the amount of data that these small entities keep. Take a recent claim involving a governmental entity that stored employee data dating back to 1982 on microfilm. The entity sent the microfilm by mail to be imaged so data could be downloaded. Sure enough, the box with the microfilm fell apart in transit, and the microfilm with 30 years of employee data was either lost or stolen.

What’s the take-home lesson here? Destroying all data is not an option. So sit down with the risk manager and lawyers to (1) find out if any regulations tell your business how long to store data, and (2) think about what data you really need and how many years of data you should retain. Develop a written policy about how long to store data and what format to keep it in. With modern technology, it does not cost as much to store or destroy data as when data was on paper in boxes in warehouses. Think about what data you need and how long you need it for, because the next time you lose a laptop or microfilm, you may save yourself a lot of exposure by limiting the amount of data.



The Long Reach of ‘WannaCry’ Ransomware

Posted in Bitcoin, Ransomware, WannaCry Virus

The ransomware trend of 2016 shows no signs of slowing down in 2017. If anything, this favorite tool of hackers seems to be gaining steam domestically and internationally. Preying on a vulnerability in Microsoft systems that was reportedly first discovered (but not confirmed) by the NSA, hackers last week infected hundreds of thousands of computers with interconnected ransomware attacks in almost 100 countries. The attack spread quickly – targeting, locking out and blackmailing a broad swath of users such as the UK’s public health system, Russia’s Interior Ministry and FedEx in the U.S. A second wave of attacks crippled more computers, but not at the rate seen on May 12.

The cost to unlock individual computers was about $300 per computer paid in hacker-preferred Bitcoin, an amount that doubled if the ransom was not paid within 3 days.   Had most affected users paid up, the hackers would have had a good payday.  But reports put their collections at about $70,000.   It is still unclear how many victims paid ransom, accepted their fate or had back-up systems in place.  

Why was this particular attack so pervasive?  Some experts point to the hackers’ use of an encrypted file that, once downloaded, allowed the ransomware to take over the host computer, locking access to data until ransom was paid.   The encrypted file was particularly crafty because the ransomware was undetected until  opened and downloaded by the user.  By that point, it was too late to react because the ransomware was replicating across the already-infiltrated network.

This latest attack is a sobering wake-up call about the vulnerability of all systems and yet another reminder that it is better to have cyber insurance before you need it. 


How the Cyber Insurance Market is Changing

Posted in Coverage

The cyber insurance market has been around since the 1990s. It started to pick up steam in 2003 after California passed the nation’s first privacy law. Now 48 states have privacy protection laws – New Mexico joined the group in April 2017, leaving Alabama and South Dakota as the remaining hold-outs.

For the past several years, the cyber insurance market has grown, although the rate of growth slowed in 2016 to “only” 7%, compared to an 18% increase between 2014 and 2015.

So what does the future of the cyber insurance market look like?  First, insurers will look beyond traditional risks such as health care and retail services to emerging risks such as manufacturing and homeowners coverage, two areas that  are solidly connected to  the Internet of Things.  Second, traditional privacy protection coverage is fairly standard now: its pricing is predictable and the claims handling is good.   But business interruption losses are going to ramp up.   These types of losses will involve time delays, forensic accountants and maybe on-site inspections for insurers.  Third, reinsurers are going to start to feel the cyber market and begin to look more closely at claims.

A brave new world.  Again.

Why Ransomware and Bitcoin Go Together

Posted in Bitcoin, Ransomware

Continuing from our earlier post, it is no surprise that hackers demand that ransoms be paid in Bitcoin. Since wallets do not require users to share their identities, Bitcoin is untraceable so long as a hacker keeps his ransom in Bitcoin form. And since the blockchain only shows amounts and wallet account numbers, there is no way to tell why Bitcoin was paid for any given transaction. The appeal to criminals is obvious: simply viewing the blockchain does not reveal whether Bitcoin was paid for a legitimate reason or for illegal purposes like purchasing drugs, funding terrorist activities or paying off a ransomware attack.

Other appealing features of Bitcoin for criminals include:

• lack of a central authority overseeing the transactions. This means that Bitcoin can be used in any country without fear of authorities attempting to freeze Bitcoin accounts that may be suspected of funding illegal activities;

• even though the blockchain is public, the lack of a central authority means only the user with a private key matching a specific wallet can access the Bitcoin;

• Bitcoin transactions are processed without a bank or other authority; all that is required is the ten-minute verification process by miners;

• each transaction is non-reversible and final, so a hacker is guaranteed to keep any ransom payment without fear of confiscation;

• “Bitcoin-to-other” currency exchanges are paid to launder Bitcoins. They convert hundreds of Bitcoin transactions to other forms of currency while ignoring the identity of the criminal seeking the exchange.

Bitcoin was not created for criminal enterprise, but it is clear why it has become a perfect vehicle for ransomware attacks.  Bitcoin has many benefits, but as long as it remains untraceable, ungoverned by a central authority and with irreversible transfers, ransomware hackers will continue to exploit its virtues.


Bitcoin: What Is It and Why Do Hackers Love it?

Posted in Bitcoin, Ransomware

With 2014 coined “the year of the retail breach” and 2015  “the year of the health care breach,” the trend looks to tag 2016 “the year of ransomware.” 

In a typical ransomware attack, hackers use software to block access to a computer system until a party pays a ransom amount, usually in the form of “Bitcoins.”

But what is a Bitcoin and why is it so popular in ransomware attacks?   Bitcoin has two hacker-friendly features:  (1) transfers are anonymous and (2) no central bank or agency oversees the transactions.

For starters, Bitcoin is a digitally created currency that exists electronically. Unless it is converted into another form of currency through an exchange, Bitcoin only exists on-line. Unlike currency which is printed by a government, Bitcoin is created through a process called “mining.” Bitcoin “miners” solve complex math problems with randomized input data, and when the problem is solved and verified by other miners, the miner who solved the problem is rewarded with Bitcoins (usually 25, but the number can vary).

A Bitcoin miner’s work serves another function: it verifies each Bitcoin transaction. In other words, the “complex math problem” that a miner solves is the verification of prior transactions. As a result, the verification process necessarily involves prior Bitcoin transactions as part of the data needed to solve the problem. When a series of transactions (called a “block”) occur, miners put the information in that block through a publicly available mathematical formula to convert it into a more compact, random series of numbers and letters called a “hash.” A critical portion of each hash is produced using the hash of the block that preceded it. This allows miners to track the history of transactions back to the very first Bitcoin transaction.

This entire history of Bitcoin transactions is called the “blockchain,” a public ledger for the whole Bitcoin system. Since miners can look at each block and check it against each preceding block as well as the entire blockchain, they can confirm that each transaction is legitimate. Otherwise, it could not be reconciled with the blockchain.

A miner who verifies a block submits his solution (called a “proof of work”) to other miners who essentially double check the result.  The other miners stamp the proof of work as a notary would stamp the recording of a deed, publicly verifying that each transaction, and therefore the whole blockchain, is trustworthy.  It takes only about ten minutes for a miner to submit a proof of work and for other miners to verify it, thus finalizing the Bitcoin transaction.
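
The hash linking and proof-of-work checking described above can be seen in a toy model. This is an added example, not part of the original post and not Bitcoin's real code or block format: the JSON encoding, the difficulty of three leading zeros, the wallet names and all function names are assumptions chosen for illustration.

```python
import hashlib
import json

DIFFICULTY = 3       # required leading hex zeros; toy value (assumption)
GENESIS = "0" * 64   # stands in for "no previous block"


def block_hash(prev_hash, transactions, nonce):
    """The 'publicly available formula': SHA-256 over prev hash, transactions, nonce."""
    payload = json.dumps([prev_hash, transactions, nonce]).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(prev_hash, transactions):
    """Proof of work: try nonces until the block's hash meets the difficulty target."""
    nonce = 0
    while not block_hash(prev_hash, transactions, nonce).startswith("0" * DIFFICULTY):
        nonce += 1
    return {"prev": prev_hash, "tx": transactions, "nonce": nonce,
            "hash": block_hash(prev_hash, transactions, nonce)}


def build_chain(batches):
    """Mine one block per batch, feeding each block's hash into the next."""
    chain, prev = [], GENESIS
    for txs in batches:
        block = mine(prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid(chain):
    """The double check by other miners: index of the first bad block, or None."""
    prev = GENESIS
    for i, b in enumerate(chain):
        recomputed = block_hash(b["prev"], b["tx"], b["nonce"])
        if (b["prev"] != prev or recomputed != b["hash"]
                or not recomputed.startswith("0" * DIFFICULTY)):
            return i
        prev = b["hash"]
    return None


# Constructed sample data: [sender, receiver, amount]; wallet names are made up.
SAMPLE = [[["walletA", "walletB", 5]], [["walletB", "walletC", 2]],
          [["walletC", "walletA", 1]]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print("untouched chain:", first_invalid(chain))
    chain[1]["tx"][0][2] = 200  # rewrite an amount in the middle block
    print("after tampering:", first_invalid(chain))
```

Editing an old transaction changes that block's hash, so verification fails at the edited block; re-mining the edited block only moves the failure to the next block, whose stored previous hash no longer matches.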

Bitcoin users store their Bitcoins in a digital “wallet” on a computer or mobile device.  The amount of Bitcoins in each wallet is visible to everyone since the blockchain (and every transaction within it) is public, but each user has a “private key” that only they know.  The private key is what allows users to exchange or transfer Bitcoins within their wallet.  Think of the wallet as a safety deposit box made of glass so everyone can see how much is in it, but only the safety deposit box owner has the key to access the contents inside.

Importantly, wallets do not require users to identify themselves by name or any other type of identifying information.  The wallet is simply an account identified by a series of random numbers and letters.  When a pure Bitcoin transaction is made, the real names of buyers and sellers are not revealed in the wallet or anywhere on the blockchain.  The exception to the anonymous exchange occurs if someone wants to exchange a Bitcoin for a good or service, or wants to convert the Bitcoin into another type of currency through an exchange.

In Part II, I will talk about why Bitcoin is a favorite form of ransom.