Cyber Tips

Jack’s Hacks: Volume 6

This month Jack goes over some best practices that will help you stay safe over the holiday season. We also cover some of the major breaches that have caused service outages and the latest cybercrime trends.

The Last 30 Days in Cybersecurity: Notable Breaches, Outages & Ransom Demands

23andMe User Data Stolen in Targeted Attack

The genetic testing company 23andMe confirmed that data from a subset of its users has been compromised. Cybercriminals leaked samples of the stolen data, offering to sell data packs belonging to 23andMe customers that reveal full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location. BleepingComputer reports that the criminals used credentials exposed in other breaches to log in to 23andMe accounts and steal the sensitive data. Results from the company’s preliminary investigation suggest recycled login credentials are at least in part to blame. If this proves to be the case, it’s a terrible cybercrime that may have been avoided with proper password management.

Toronto Public Library Suffers Major Technology Outage after Cyberattack

On October 28th, the Toronto Public Library (TPL) experienced a cyberattack, impacting the availability of public computers, printing services, user online accounts, and digital collections. Despite this, the branches remain open with certain services still accessible. The library, the largest lending library globally, has engaged third-party cybersecurity experts to mitigate the situation and stated there’s no evidence of compromised personal information. The incident highlights that public libraries, often part of municipal governments, can be vulnerable to cyberattacks.

Cyberattack Disrupts International Retailer Ace Hardware

US multinational retailer Ace Hardware confirmed its IT systems were disrupted by a cyberattack that impacted 196 servers and more than 1,000 network devices. A letter reportedly sent by Ace Hardware to retailers warned of two different scams possibly circulating with information gathered from the breach. The letter mentions a spoof email pretending to be from Ace’s finance department requesting payment and a fake phone call from someone posing as an Ace contractor asking for passwords to access store computer systems. This is more bad news for Ace Hardware and is a real-world example of how cyberattacks can damage an organization’s reputation. And for the retailers dealing with these phishing and vishing aftershocks, it highlights just how important it is to provide cybersecurity training for employees. Monthly training and phishing tests for all employees are a clear and effective prevention method and should be standard business practice for both corporations and small to medium-sized enterprises.

Cyberattack Affecting 5 Ontario Hospitals

Five southwestern Ontario hospitals serviced by TransForm, a non-profit shared services organization, are experiencing disruptions due to a cyberattack that has affected email and patient records. The attack has led to delays and cancellations for patients. TransForm is working with third-party cybersecurity experts to restore systems and assess whether patient data has been compromised. The Information and Privacy Commissioner of Ontario has been in touch with the hospitals regarding the incident. Meanwhile, patients have been asked to avoid emergency departments unless necessary, and healthcare providers are attempting to reschedule appointments directly. The incident is currently under criminal investigation involving police, and the timeline for full restoration remains uncertain.

The Latest Cybercrime Trends

RICO Class-Action Suit Goes After H&R Block, Google, Meta for Alleged Tax Data Sharing

A law firm in California has invoked a law usually reserved for organized crime to go after tech giants Meta and Google for allegedly colluding with H&R Block to profit off taxpayer information. The lawsuit stems from a Congressional report that revealed H&R Block (among other tax prep companies) had used advertising and analytics tools from Meta and Google to collect users’ tax information and share it with the tech companies. Since the report, others have filed class-action lawsuits, but the law firm Wisner Baum is the first to claim that the three companies’ conduct amounts to a “pattern of racketeering activity” covered under the Racketeer Influenced and Corrupt Organizations Act (RICO), a tool usually used to prosecute multiple individuals in a criminal enterprise, like Mafia organizations.

Imagine if regulators simply went after some of these more egregious instances and fined companies appropriately. Deficits could be reduced dramatically. It’s time for governments to go after the megaliths that treat consumers as the product. If that makes free “social” media platforms financially unviable, I think we’ll survive. The sad reality is our data is rarely safe online. It’s time to get serious about data protection and hold our institutions accountable for their actions and inactions.

EU Cybersecurity Body Warns of Potential AI-driven Disruptions to European Elections

EU cybersecurity agency ENISA’s 2023 Threat Landscape report warns that powerful new AI models could disrupt EU elections next June. The report cautions that malicious actors could use AI to run large-scale information manipulation campaigns. Ever-evolving artificial intelligence models have the capacity to produce human-like text and voices as well as deepfake images and videos that can be used to psychologically manipulate voters. With upcoming elections in the USA, UK, and India in 2024, experts warn the public, policy makers, and governments to beware of AI-generated propaganda.

In early November, US President Biden’s administration released an Executive Order on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” that sets “new standards for AI safety and security, protects Americans’ privacy, advances equity and civil rights, stands up for consumers and workers, promotes innovation and competition, advances American leadership around the world.” And in the EU, policy makers are finalizing the AI Act, the world’s first comprehensive regulation on artificial intelligence. But despite these important steps to get a handle on AI, managing generative AI and deepfakes remains a question mark. And it’s an unknown worth our attention. We can’t put all our faith in policy makers. In an era of powerful generative AI, critical thinking skills and learning to be more vigilant with the technologies we use will likely be our best way forward.


FTC Requires Non-Bank Financial Institutions to Report Data Security Breaches Under Amended Safeguards Rule

On October 27, the Federal Trade Commission (FTC) amended the Safeguards Rule to make it mandatory for non-banking financial institutions like mortgage brokers, motor vehicle dealers, and payday lenders to report certain data breaches and other security events to the agency. Any event in which unencrypted customer information involving 500 or more consumers is acquired without authorization must be reported, and the report must include certain information, such as the number of affected or potentially affected consumers. The notification must be made no later than 30 days after discovering the security breach.

The FTC’s Safeguards Rule already requires non-banking financial institutions to develop, implement, and maintain a comprehensive cybersecurity program to keep customer information safe. The new amendment is meant to provide additional incentive for companies to handle our data with care.

And this is good news. When it comes to our sensitive financial data, it’s good to know that governments are holding corporations accountable. However, as consumers living our own digital lives, there’s a lot we can do to protect ourselves. Here are a few simple and inexpensive ways to avoid becoming a victim:

  • Stay vigilant and informed about today’s online risks and cyber threats
  • Put MFA (multi-factor authentication) on everything—yes, everything
  • Practice proper password hygiene and use a password manager
  • Invest in online safety tools, training and cyber insurance

Jack’s Top Monthly Hacks

For Businesses:

Keep Your Business Cyber-Safe During Cyber5

Black Friday to Cyber Monday, known as Cyber5, lures bargain-hunters worldwide—including your employees. Office and remote workers often hunt for deals using work devices, making businesses vulnerable to cyberattacks. According to Stanford University, roughly 88% of data breaches are caused by a mistake made by an employee. To safeguard your business this Black Friday, share these crucial tips with your team:

Beware of Suspicious Emails: In 2022, 69% of ransomware attacks on businesses started with an email. With all the promotions hitting inboxes during Cyber5, it’s easier for these scams to slip past even the more cybersecurity-savvy. Before clicking any links, scrutinize the email’s authenticity. Be wary of phishers impersonating well-known brands from questionable Gmail accounts and requesting personal data.

Steer Clear of Fake Websites: Scammers frequently clone websites, offering unbeatable prices on popular items. Not only will that thing you definitely don’t need never arrive, but cyberthieves help themselves to your money and personal data. Stick with reputable online stores. Ensure websites use “https://” and display a padlock icon for security.

Prioritize Strong Passwords: It’s disheartening how many people recycle passwords, even on work devices. In fact, 62.9% of people only change passwords when prompted. Passwords, no matter how complex, will never be secure on their own. This is why I continue to talk about the importance of password hygiene that includes MFA, managed EDR/XDR, and monthly training and phishing simulations for all staff—leadership, too.

Be Cautious with Adverts and Pop-ups: Don’t be enticed by flashy Black Friday ads or pop-ups on social media. These can lead to phishing sites or malware downloads, risking data theft, identity theft, or ransomware. Go directly to the brand’s website to verify deals.

Keep Software Updated: Ensure your device’s security software is up to date before starting your online shopping spree. Software updates contain vital patches for the vulnerabilities cybercriminals exploit. Get a managed patching service for your computers and servers. Automatic updates fail a lot more often than you think.

For Individuals:

Phishing Attacks: Don’t Take the Bait, Pick Up the Phone

We’re nearing the end of 2023, and phishing scams are still trying to ruin the digital party. Scammers are firing off an estimated 3.4 billion malicious emails every day. One popular trick involves sketchy emails or texts that ask you to alter your payment details. When one of those “update your payment” emails lands in your inbox, don’t get click-happy. Stop and follow these simple steps to make sure you’re not falling for a scam:

  1. Take a Breather: Don’t rush. Scammers want you in a frenzy. Chill out and stay cool.
  2. Remember this: No company or government branch or ANY legitimate entity will ask you to update your financial information via email or text. If you’re asked to do so, it’s a scam.
  3. Call, Don’t Click: Don’t click any links. Instead, call the company using a trusted phone number you already have on file – not the one in the email.

Protect yourself and be politely skeptical. It’s as easy as 1-2-3.
