Today a DDoS attack disrupted major websites, reportedly including Twitter, Spotify, Reddit and even Major League Baseball, on the U.S. east coast. By mid-day a second wave of attacks appeared to be under way against Dynamic Network Services, Inc. (Dyn), a managed DNS provider. The first attack started at about 7:00am EST and lasted for more than two hours. The source of the attacks is presently unknown.
A DNS server maps a website's domain name to its numeric IP address, so users can reach a travel website by its name rather than by the number.
This attack may signal a new approach. Instead of shutting down one website, attackers prevented end-users from reaching a wide swath of websites.
For insurers, this type of disruption heightens fears of an aggregated loss: one incident over a discrete period of time disrupts website traffic for multiple companies, any number of which may be insureds. Business interruption for Amazon is bad enough; it is worse if you also insure Disqus' technology risks. And it appears that today's attacks cut across all sorts of business lines. The accumulation risk for insurers who endorse cyber risks to multiple lines of business is a genuine one. Knowing your portfolio is key.
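One way to "know your portfolio" in the sense above is to check how many insured domains would become unreachable if a single DNS provider went down, as happened with Dyn. This is an added example, not code from the original post; the domains, nameserver hostnames and provider names are all constructed, and the provider heuristic (last two labels of the nameserver hostname) is a simplification.

```python
from collections import defaultdict

# Constructed sample portfolio: insured domain -> its authoritative nameservers.
# Hostnames are hypothetical; real data would come from NS lookups per insured.
PORTFOLIO_NS = {
    "insured-retailer.example": ["ns1.dns-provider-a.example", "ns2.dns-provider-a.example"],
    "insured-media.example":    ["ns3.dns-provider-a.example", "ns4.dns-provider-a.example"],
    "insured-bank.example":     ["ns1.dns-provider-b.example", "ns1.dns-provider-c.example"],
    "insured-clinic.example":   ["ns1.dns-provider-a.example", "ns1.insured-clinic.example"],
}

def provider_of(nameserver: str) -> str:
    """Reduce a nameserver hostname to its provider's registrable domain.
    Assumption: the last two labels identify the provider (enough for the
    sample; real data needs a public-suffix list for names like '.co.uk')."""
    labels = nameserver.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def single_provider_share(portfolio: dict) -> dict:
    """Fraction of insureds whose every nameserver belongs to one provider:
    if that provider is knocked out, those sites cannot be reached by name."""
    dependent = defaultdict(int)
    for servers in portfolio.values():
        providers = {provider_of(ns) for ns in servers}
        if len(providers) == 1:
            dependent[providers.pop()] += 1
    return {p: n / len(portfolio) for p, n in dependent.items()}

def insureds_using(portfolio: dict, provider: str) -> list:
    """Insureds with at least one nameserver at the provider (partial exposure)."""
    return sorted(d for d, s in portfolio.items()
                  if provider in {provider_of(ns) for ns in s})

if __name__ == "__main__":
    for provider, share in sorted(single_provider_share(PORTFOLIO_NS).items()):
        print(f"{provider}: {share:.0%} of portfolio fully dependent; "
              f"touches {insureds_using(PORTFOLIO_NS, provider)}")
```

Insureds that split their nameservers across two providers (the bank and the clinic in the sample) survive a single-provider outage, which is the mitigation an underwriter would look for.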
Data breach claims are often referred to as the new EPL claims: high volume, high intensity, low impact on most insurers’ bottom line. But a more apt analogy is product recall litigation.
Product recall and data breach claims have a lot in common:
- they involve a problem with a major “brand,” whether cars, food or confidential data;
- the problem is often discovered internally before it is known by the public;
- lawyers and third parties investigate immediately, leading to privilege issues later on;
- governmental agencies require prompt notification and can levy fines and penalties;
- state and federal laws apply;
- the company’s reputation takes a hit;
- class action litigation is nearly inevitable; and
- someone usually loses his job.
Product recall cases differ from data breaches in that they may involve criminal prosecution and/or bodily injury claims, although IoT can also implicate bodily injury.
But product recall litigation is ahead of privacy cases when it comes to privilege attaching to pre-suit investigation by lawyers and third parties. For an interesting opinion on privilege and work product at the pre-suit stage, take a look at the opinion in the GM Ignition Switch Litigation.
On September 12, the 6th Circuit Court of Appeals concluded that members of a class action have Article III standing to sue Nationwide Insurance for negligence after hackers breached Nationwide’s computer network and stole personal information. Galaria/Hancox v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027 (6th Cir. Sep. 12, 2016).
As with the P.F. Chang and Neiman Marcus opinions, this court found that plaintiffs alleged a substantial risk of harm and reasonable mitigation costs to satisfy the injury-in-fact standard. And like those cases, Galaria noted that Nationwide’s offer to pay for credit monitoring and its recommendation (but not reimbursement) for other protective measures were evidence of concrete and imminent harm.
This rationale causes a dilemma for an entity that has a breach and is required to notify its customers or clients. Most breached entities offer credit monitoring, although no state law requires credit monitoring (California law creates a duration for credit monitoring, but only if it is offered in the first instance). Companies that offer protection typically do so out of a sense of responsibility or to regain customer loyalty or to mitigate long-term damages if credit monitoring works to reduce identity theft.
Companies may think twice about offering remediation services because the services may become evidence of concrete and imminent harm. But whether the company offers mitigation relief or not, a customer's reasonable belief that a breach threatens his financial identity may be proof enough of concrete and imminent injury. A company's notification requirements are governed by statute, but it can still weigh for itself whether offering credit monitoring becomes too sharp a double-edged sword.
Missed call notifications in Microsoft Outlook are the latest delivery mechanism for viruses. Tricksters are using recorded voicemail messages that appear in emails as another route for ransomware and malware.
The attack email arrives with an attachment that seems to contain a voice message compressed in a zip folder. But the folder actually contains hidden malicious code that installs ransomware. Once the extracted file is opened, the ransomware encrypts files on your computer, and maybe the entire network. These attacks are also hitting residential systems, not just businesses.
Hacking voice mails is not new, and there have been voicemail notification breaches before, too. Nor does this attack have to be limited to voicemail – why not phishing emails posing as legitimate notifications from printers and faxes?
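A mail gateway can catch the lure described above before anyone unzips it: inspect every zip attachment and flag members that are executables, especially ones hiding behind an audio-looking double extension. This is an added example, not code from the original post; the message, sender, filenames and the inert payload bytes are all constructed samples.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".wsf", ".jar"}
AUDIO_EXT = {".wav", ".mp3", ".m4a", ".ogg", ".wma"}

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Flag members that are executables, and call out the 'message.wav.exe'
    double-extension trick that makes a payload look like a recording."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            exts = ["." + p for p in name.lower().rsplit("/", 1)[-1].split(".")[1:]]
            if exts and exts[-1] in EXECUTABLE_EXT:
                posing = len(exts) > 1 and exts[-2] in AUDIO_EXT
                reason = "double extension posing as audio" if posing else "executable payload"
                findings.append(f"{name}: {reason}")
    return findings

def scan_message(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 822 message and inspect the zip files."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            findings += [f"{fname} -> {f}" for f in suspicious_zip_members(part.get_payload(decode=True))]
    return findings

def build_sample_message() -> bytes:
    """Constructed lure: a 'missed call' notice whose zip holds an .exe disguised
    with a .wav double extension. The payload is inert filler, not malware."""
    msg = EmailMessage()
    msg["From"] = "Voicemail System <voicemail@pbx-example.net>"   # hypothetical sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Missed call: new voice message (00:42)"
    msg.set_content("You have a new voicemail. The recording is attached.")
    zip_bytes = build_zip({"VoiceMessage_0411.wav.exe": b"inert sample bytes"})
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="VoiceMessage_0411.zip")
    return msg.as_bytes()
```

The same check applies to the printer and fax notification variants mentioned above, since the lure changes but the zip-wrapped executable does not.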
Professional athletes may be used to the public knowing the terms of their multi-million dollar contracts, but the Milwaukee Bucks organization received a surprise when the team announced last week that it had fallen victim to a phishing scam.
On April 26, a hacker posing as the NBA team's owner Peter Feigin e-mailed team employees and requested 2015 IRS documents for all the organization's employees, including players. An employee sent the requested documents, including W-2 forms containing names, addresses, Social Security numbers, compensation and dates of birth. The Bucks did not discover that the request came from an impersonator until May 16, when they notified the IRS and FBI.
After the incident, the Bucks announced that they will “provide additional privacy training to our staff and implementing additional preventative measures.” The team also will offer three years of credit monitoring and non-expiring identity restoration services.
One might expect a professional sports organization worth hundreds of millions or even billions of dollars to have better security measures in place. But this incident shows that many businesses, large and small, do not have internal security policies that might prevent these types of scams.
This incident is a good reminder that we all should pay attention to emails requesting personal, sensitive, or financial information:
- Be sure you recognize the email address. Most phishing scam artists do not create a fake email address, even if they change the sender’s name.
- Call the person who allegedly sent the email to verify the request.
- Use common sense – why would the person need the information requested?
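The first two checks above can be automated at the mail gateway: compare the display name on an incoming request against the address the organization actually has on file for that person, and flag a Reply-To that diverts responses elsewhere. This is an added example, not code from the original post; the directory entry, domain names and addresses are constructed placeholders.

```python
from email.utils import parseaddr
from typing import Optional

# Constructed directory: executives' display names -> their real addresses
# (hypothetical domain), plus the domains the organization actually owns.
EXEC_DIRECTORY = {"peter feigin": "pfeigin@bucks-example.com"}
INTERNAL_DOMAINS = {"bucks-example.com"}

def _norm_name(name: str) -> str:
    """Normalize 'Feigin, Peter' / 'PETER FEIGIN' style names to 'peter feigin'."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(name.lower().split())

def check_sender(from_header: str, reply_to: Optional[str] = None) -> list:
    """Return reasons a request for sensitive data deserves a phone call first.
    An empty list means the headers are consistent with the directory."""
    reasons = []
    name, addr = parseaddr(from_header)
    expected = EXEC_DIRECTORY.get(_norm_name(name))
    if expected and addr.lower() != expected:
        # The scammer kept a familiar name but could not use the real mailbox.
        domain = addr.rsplit("@", 1)[-1].lower()
        where = "external" if domain not in INTERNAL_DOMAINS else "unexpected internal"
        reasons.append(f"display name '{name}' but {where} address {addr}")
    if reply_to:
        # A Reply-To pointing away from the sender routes the W-2s to the impostor.
        _, reply_addr = parseaddr(reply_to)
        if reply_addr and reply_addr.lower() != addr.lower():
            reasons.append(f"replies go to {reply_addr}, not the sender {addr}")
    return reasons

if __name__ == "__main__":
    print(check_sender("Peter Feigin <peter.feigin@webmail-example.net>"))
```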
For the second time in less than a year, the 7th Circuit has found standing by plaintiffs seeking class certification for a data breach.
On April 14, 2016, the 7th Circuit issued its opinion in Lewert v. P.F. Chang's China Bistro, Inc. (7th Cir. April 14, 2016).
P.F. Chang's had a credit card breach in 2014 involving 33 restaurants in the Chicago area. Customers affected by the breach sought class certification, which the district court denied on the grounds that plaintiffs had no standing.
The Court of Appeals reversed the lower court, finding that class representatives alleged sufficient harm by way of fraudulent credit card charges, $106 in credit monitoring costs and time monitoring potential identity theft.
This is the second time the 7th Circuit has found standing for data breach claimants, the first being the Neiman Marcus decision issued last summer (Remijas v. Neiman Marcus, 7th Cir. 2015). P.F. Chang's tried to distinguish Neiman Marcus because its breach involved only credit cards, so there was no risk of wider identity theft. In rejecting this argument, the court said that it is unknown whether a stolen credit card can lead to identity theft.
Plaintiffs argued that they were damaged in the amount of their meal because they would not have eaten at P.F. Chang’s had they known data security was ineffective. The court’s response was tepid.
Plaintiffs also alleged that their identity has value, just as a stolen car has value. The court responded that the earlier decision finding value in personal identity was of limited scope.
P.F. Chang highlights (again) the importance of an insured’s first response to a breach. The fact that Neiman Marcus offered credit monitoring helped persuade the court that the store anticipated harm to its customers. And P.F. Chang’s suggestion that customers monitor credit reports also raised the specter of future
On February 17, Hollywood Presbyterian Medical Center announced that it had paid cyber extortionists a ransom of 40 bitcoins in order to restore control over its systems and administrative functions. While the number might not seem high at first glance, it equates to roughly $17,000. The hospital first noticed malware on its system on February 5, but waited ten days before deciding that payment was the fastest way to regain control of their systems. The hackers had introduced malware into the hospital’s system that encrypted the hospital’s files, making them inaccessible. The FBI is still investigating how the hackers were able to install the malware.
Bitcoin is a completely digital currency that attracts cyber extortionists because bitcoin transactions do not go through any intermediary such as a bank. There is a lower chance that an illegal payment can be tracked. The extortionist usually sets the amount just low enough for the infected entity to consider payment.
While cyber extortion is popular among some criminals in eastern Europe, the Hollywood Presbyterian Medical Center episode is one of the higher profile examples in the U.S. The publicity about the paid ransom may encourage others looking for a fast payout. Cyber experts believe that about 3% of users with infected systems pay ransom.
It is difficult to say whether the rate of cyber extortion incidents will increase in the U.S. Not all cyber criminals are willing to shut down operations at a facility where access to files can mean the difference between life and death. But the healthcare industry presents an easy target for attacks because its technology is often outdated and electronic medical records are available on laptops and iPads used throughout the hospital and often within easy reach.
Password manager SplashData has announced the 2015 edition of its annual "Worst Passwords List." As has been the case since 2011, "123456" and "password" remain the most commonly used passwords.
SplashData's annual report is compiled from more than 2 million passwords leaked during the year from around the globe. Even though some web users are using longer passwords, their simplicity undercuts any security. SplashData recommends a 12-character password with a mix of 5 types of characters.
So, here's hoping no one contributing to this list is responsible for nuclear launch codes: Worst Passwords of 2015
This year's Super Bowl is at Levi's Stadium in Santa Clara, California. Organizers are touting free, open and fast-paced wireless service. According to The Atlantic, the stadium will have 13,000 Wi-Fi access points, about one every 10 feet.
An estimated 100,000 devices are expected to be connected to the stadium network, including devices belonging to high-ranking corporate officials who may be carrying a lot of sensitive data on their iPhones and iPads. The FBI is warning fans not to be tricked into logging on to the wrong wireless network. Other security experts recommend cash payments when buying that beer or foam finger.
Russian hackers are suspected in a cyber attack on a Ukrainian electrical grid, which would be the first time a cyber attack caused a widespread electrical outage. U.S. firm blames Russian 'Sandworm' hackers for Ukraine outage.
On December 23, a large swath of Ukraine, about 700,000 homes, was without power for several hours. It would be the first documented case of a cyber attack on an electrical power facility that caused a blackout. The suspected malware is a virus called BlackEnergy. It is believed to have entered the system through a mundane phishing attack by email.
“It is a milestone,” said John Hultquist, director of cyber espionage analysis at iSight Partners. “We’ve definitely seen targeted destructive events against energy before – oil firms for example – but never the event which causes a blackout.”
Attempted cyber attacks on power infrastructure are not a new concern, but a successful one is, even for U.S. power sources that are well defended. Among the many issues raised by such an event is whether the next phase of cyber problems has arrived and will eventually overtake claims for privacy breaches.