National Consumers League

The #DataInsecurity Digest | Issue 75

Breach costs continue to climb while worries of state-sponsored hacks go unheeded

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: As the average cost of a data breach climbs to $3.86 million, cyber experts continue to express alarm over our lack of security. Last week, a survey of leading cyber experts found that 94 percent thought that President Trump was not doing enough to deter cyberattacks. Meanwhile, an 11-year-old boy was able to hack a model election return website, and the FBI warned banks that a massive ATM hack is on the horizon. And if you needed any reminder that hacking is big business in Russia and Ukraine, WIRED has two must-reads on the $10 billion cost of the NotPetya malware and the indictment of three Ukrainians, who are estimated to have netted more than a billion dollars from payment card hacking.

And now, on to the clips!

-----------------

Average cost of data breach increases to $3.86 million. A new IBM Security study found healthcare breaches to be the most costly, with the average record loss costing $408 — nearly three times the average cost of a regular record ($141). The report also found that “the average time to detect and contain a mega breach was 365 days — 99 days longer than a smaller breach (266 days).” (Source: NBC News)

Quick hit: 94 percent of cyber experts agree that Trump Administration is not doing enough to deter Russian cyber attacks. (Source: Washington Post)

NotPetya: ‘The most devastating cyberattack in history.’ The release last summer of the NotPetya malware by Russian state-sponsored hackers was “an act of cyberwar by almost any definition,” writes @a_greenberg. “The result was more than $10 billion in total damages, according to a White House assessment confirmed to WIRED by former Homeland Security Adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-­focused official.” (Source: WIRED)

The 2018 healthcare breach toll: 6.1 million individuals (and counting). The Department of Health and Human Services (HHS) maintains a “wall of shame” documenting breaches at healthcare facilities subject to the Health Insurance Portability and Accountability Act’s (better known as HIPAA) breach reporting rules. As of August 21, 229 breaches were added to the list, affecting more than 6 million individuals. “Since 2009, a total of 2,411 incidents impacting 187.7 million individuals have been posted to the wall of shame,” writes @HealthInfoSec. “Of those, 520 breaches involved hacking/IT incidents, impacting 141 million individuals, or about 75 percent of all victims affected by major health data breaches.” (Source: BankInfoSecurity)

Quick hit: Judge approves $114 million for victims of 2015 Anthem data breach. (Source: Bloomberg Law)

An 11-year-old was able to hack into a model election results website and change people's votes in 10 minutes. After the child hacked the replica of the Florida state election website and changed voting results, the National Association of Secretaries of State issued a statement commenting that, “while it is undeniable (that) websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.” (Source: PBS Newshour)

FBI warns banks of coming ATM hack that would allow cyber criminals to withdraw millions. According to an FBI alert, an “ATM cashout scheme is planned in the coming days. The FBI said ‘unspecified reports’ indicate that the attack is likely to involve a card issuer breach that enables cyber criminals to clone cards for gangs to use to make ATM withdrawals.” (Source: Computer Weekly)

Botnets take aim at banks. A “network of millions of hacked computers that do the bidding of criminals suddenly shifted its focus this morning: Normally it sends consumers spam email pushing pharmaceuticals and penny stocks, but now it's conducting a more targeted phishing campaign to hack into bank networks, according to new research by Cofense.” @joeuchill comments that this represents “a large operation to pivot — and almost certainly not one to change focus without some major goal in mind.” (Source: Axios)

Despite some efforts, political campaigns remain vulnerable to cyberattacks. @martinmatishak writes that “the Democrats' cyber-trauma of 2016 has inspired increased awareness — and some paranoia — about digital security. But experts say it's not enough.” Many “candidates and campaigns have yet to implement standard safeguards to prevent breaches of their computer networks, websites and emails.” (Source: Politico)

DOJ indicts three individuals linked to a billion dollars in hacking fraud. The hacking group FIN7 is believed to be responsible for “stealing more than 15 million credit card numbers from over 3,600 business locations.” Members of this organization made a name for themselves by “applying a level of sophistication that we’re not used to really seeing from financially motivated actors.” (Source: Wired)

Upcoming Events

October 2018 - National Cybersecurity Awareness Month
Every October, the National Cybersecurity Alliance organizes the National Cybersecurity Awareness Month to address specific challenges and identify opportunities for behavioral change. (Source: Stay Safe Online)

National Consumers League
Published August 23, 2018