New state privacy laws start in the U.S., an international train parts manufacturer starts notifying data breach victims and more.
Welcome to Cyber Security Today. It’s Wednesday, January 4th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The New Year started with new privacy laws coming into effect in two U.S. states. Companies doing business in the U.S. should pay attention. In California, a new Privacy Protection Agency is now the lead authority on violations of the state’s privacy law. In addition to the rights consumers have under the existing law, individuals can ask businesses to correct inaccurate personal information and tell businesses to use their sensitive personal information only for limited purposes. Regulations that organizations will have to follow are expected to be released around the end of this month and begin taking effect perhaps in April. Enforcement of those regulations would start in July. Until then, existing regulations prevail. Also on January 1st, Virginia’s Consumer Data Protection Act came into force.
A U.S.-headquartered manufacturer of parts for trains called Wabtec has started notifying employees in four countries about a data theft. A ransomware gang copied personal data in an attack that started last March. The incident was detected in June, and the theft of personal information was confirmed in November. Data stolen includes names, dates of birth, employee photos, biometric information, social insurance numbers or their equivalents for U.S. and non-U.S. employees, passport numbers and more. Staff in the U.S., Canada, the U.K. and Brazil are being notified. The LockBit ransomware gang has taken credit for this attack.
LockBit has also taken credit for recently stealing data from the Housing Authority of the City of Los Angeles. According to the cybersecurity news site The Record, on New Year’s Eve LockBit said it stole 15TB of data. It has given the housing authority until January 12th to pay a ransom.
Attention IT administrators with Synology VPN Plus Servers in their environments: the company has issued upgrades to close a critical vulnerability. The upgrades are for SRM 1.3 and 1.2. If this hole isn’t closed, an attacker could execute remote commands. This warning was published four days ago, so action should have been taken by now. Separately, Netgear issued security patches for nine of its Nighthawk and AC home and small business wireless routers. If you have one of these, check here.
I don’t report a lot on cryptocurrency thefts because digital currencies are high-risk. I don’t want to be seen as encouraging that kind of investment. But an organization that sets up a crypto exchange had better have top security, because it will be a prime target for attackers. The latest victim is an Estonian-based cryptocurrency trading service called 3Commas. According to a news site called Decrypt, 3Commas’ CEO has now acknowledged that someone stole about 100,000 security API digital keys used by customers and offered them for sale. The story says 44 3Commas customers lost more than US$44 million worth of cryptocurrencies because of the stolen digital keys.
Finally, another helpful internet-connected home device has been found to have a security vulnerability. This time it’s the Google Home smart speaker. The vulnerability allows an unapproved user to be added to the device’s account. If not patched, a nearby attacker can wirelessly install a backdoor and take control of the device — including turning on its microphone and getting the Wi-Fi password. A security researcher says he was paid over US$107,000 by Google under its bug bounty program for discovering the vulnerability.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.