US, Canada ranked among top countries for data theft, more careless employees lead to data exposure and watch for this possible sign of cyber espionage
Welcome to Cyber Security Today. It’s Wednesday December 2nd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
You might expect the United States is the country affected most by data theft in the past seven years. A British consumer website called USwitch came up with that nugget by calculating the amount of publicly-announced data stolen per 100,000 of a country’s population. In second place, South Korea. And number three: Canada. The United Kingdom was in fourth place, followed by Australia. That ranking gives weight to big data thefts rather than the number of breaches. Canada has a lot fewer data breaches than the U.S., but many of them were big — for example last year’s hack of medical laboratory LifeLabs led to the exposure of personal data belonging to 15 million people in Ontario and B.C. The hack in 2015 of the Toronto-based adult dating website Ashley Madison exposed personal data of over 30 million people in several countries.
Employees are still being careless with corporate data. Here are two of the latest examples: Reporters at the TechCrunch news site recently found unprotected data on a server holding thousands of patient records and lab reports for American psychiatrists and therapists. The data belonged to a customer of NTreatment, a San Francisco-based provider of a cloud-based medical practice management software suite. Not only was the database not password-protected, the data wasn’t encrypted. After being alerted, NTreatment said the server was being used for general purpose storage by the user.
Meanwhile, The Register reports that a Cayman Islands investment fund left its entire data backups open to anyone after failing to properly configure data left on Microsoft Azure, a cloud-based storage service. The fund’s register of members, correspondence with investors, photocopies of passports and other documents could be read. An investment fund staffer told a reporter that Azure was its secondary storage site for disaster recovery in case its primary backup failed. The unnamed fund’s IT provider suggested using a cloud provider for the extra backup, but apparently either didn’t configure the storage properly or didn’t tell the fund’s staff how to do it.
Canadian mobile app developers have been reminded by three regulators that they have to comply with this country’s anti-spam legislation. That includes clearly telling users how personal information is being used, not sending out unsolicited messages to friends and contacts without permission, not making false or misleading product representations and not downloading other programs without consent. Failure to follow these rules, and other violations of the Canadian Anti-Spam Law, can result in fines of up to $10 million per violation for an organization and $1 million per violation for an individual.
Has your organization found evidence of a cryptocurrency mining app on its computer systems? It may not be from a criminal. Microsoft reported this week that an unnamed country has been running cyber espionage attacks since the summer that included deploying Monero software coin miners. Coin mining is a way of getting free digital currency by solving algorithmic puzzles. It’s free, but you need to invest in heavy computing power. So scammers infect computers of others to use their calculating power. Microsoft says these attackers are trying to take advantage of the fact that most computer security software sends out low-priority alerts about cryptomining infections. The hope is IT staff will pay less attention to these alerts and miss what’s really going on — attempts at deeply infiltrating corporate computer networks to steal data. And the attackers don’t mind if they make money by mining digital currency as well. The attackers get into victim organizations by sending emails to targeted employees with infected attachments. Email filtering, watching for suspicious network traffic and password control for administrator accounts are ways to combat attacks like this.
In court news, a citizen of India was sentenced to 20 years in a U.S. prison for running call centres from his home country. They defrauded Americans out of millions of dollars. Hitesh Patel was also ordered to pay close to $9 million to victims. Patel had been extradited from Singapore in 2019 to face charges of telefraud and money laundering. Others in the scheme have already been sentenced. Masquerading as officials from the Internal Revenue Service and U.S. Citizenship and Immigration, the gang threatened people with arrest, imprisonment and fines if they didn’t pay phony monies owed to the government.
And a North Carolina man has been sentenced to almost eight years in a U.S. prison for online and phone crimes. Timothy Dalton Vaughn launched distributed denial of service attacks on websites, made threatening phone calls, sent bogus reports of violent school attacks by email and possessed child pornography. He was a member of the ‘Apophis Squad,’ a worldwide collective of computer hackers.
That’s it for Cyber Security Today. Links to details about these stories are in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.