Cyber Law Watch

Insight on how cyber risk is being mitigated and managed across the globe.

1. New Petya Ransomware Attacks Global Law Firm
2. Time is Running Out – Compliance with new EU Data Protection Rules (GDPR)
3. DDoS Attacks On The Rise
4. Apple Distributors Arrested for Allegedly Selling Customer Personal Information
5. Together we are stronger – Australia and Singapore partner up on cybersecurity
6. Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers
7. Australia and China to Cooperate Against Cybercrime
8. “WannaCry” Ransomware Attack Causes Disruption Globally – with the worst yet to come
9. No Cybersecurity? No Business, Banks Say
10. New Mexico’s New Data Breach Notification Laws

New Petya Ransomware Attacks Global Law Firm

By Cameron Abbott and Edwin Tan

Just a month after the WannaCry ransomware infected devices around the globe, a new strain calling itself Petya has struck overnight. Petya looks and operates the same way as WannaCry, locking out users from their systems and demanding a ransom of US$300 in order to decrypt files stored on the device. To spread across devices, Petya utilises exactly the same vulnerability used in WannaCry, patched by Microsoft in March 2017.

Organisations in Europe have been the worst hit, with the ransomware slowly spreading to the United States, and to Australia this morning as organisations boot up their computers. The Prime Minister of Ukraine has called the attack on his country “unprecedented”, with the government’s computer network going down, and the state power distributor being disrupted.

A global law firm has also been hit by Petya, with its offices in the UK, Europe, the Middle East and the US all affected by the attack. This continues a worrying trend of law firms being breached as of late, potentially exposing thousands of clients to commercial and legal risk.

We cannot emphasise enough the importance of keeping all devices and systems patched and up-to-date. Unfortunately, it seems that organisations around the globe, even those professing to be experts in cybersecurity, are still unprepared to deal with cyber-attacks and mitigate their risks.

The UK National Cyber Security Center has released guidance to help both home users and organisations limit the impact of ransomware attacks. It can be read here.

Time is Running Out – Compliance with new EU Data Protection Rules (GDPR)

By Cameron Abbott and Edwin Tan

Companies are failing to prepare adequately for the new EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, less than a year from today.

A partner at Crowe Horwath was quoted in the Financial Times as saying that a recent survey found that over 60% of financial services companies were only just starting to get ready for GDPR, or were still trying to understand the gaps they needed to address. This is a particular concern because long timeframes may be needed to remedy any identified gaps, particularly where legacy IT systems are used. In addition, other companies view the GDPR as a “nuisance”, treating it as a box-ticking exercise rather than a serious compliance issue.

The GDPR will require companies to adopt much stricter procedures and processes when handling customer data. The maximum fine for non-compliance is 4 percent of the previous year’s annual global turnover, or €20 million, whichever is the greater. In addition, company executives can also face criminal penalties if deemed responsible for data breaches.

Companies must start work immediately on implementing changes required by the GDPR in order to avoid exposure to significant liability. Read more about the GDPR here.

DDoS Attacks On The Rise

By Cameron Abbott and Edwin Tan

Distributed Denial of Service (DDoS) attacks leverage compromised devices to generate a flood of traffic, overwhelming online services and rendering them unresponsive. DDoS services are widely available on the internet, with research by Trend Micro finding that as little as US$150 can buy a DDoS attack lasting a week. (It also brings organised crime into your life – but that’s a different point!)

The latest statistics from Cisco reveal that the number of DDoS attacks grew by 172% in 2016. Combine this with an average DDoS attack size of 1.2Gbps, enough to take most organisations offline, and there is real cause for concern among cyber security experts. DDoS attacks are hard to trace back to their perpetrators, as the majority of devices used in attacks belong to innocent users.

Organisations must understand the risk and impact posed by DDoS attacks, and implement mitigation strategies that promote business continuity in the face of these attacks. Industry peers must share knowledge where appropriate, and keep government agencies adequately informed, to deter hackers from launching a DDoS attack.

Cisco expects that the number of DDoS attacks in the future will only get worse, with 3.1 million predicted attacks in 2021 globally. Read Cisco’s press release here.

Apple Distributors Arrested for Allegedly Selling Customer Personal Information

By Cameron Abbott and Edwin Tan

On Wednesday, police in China’s Zhejiang province released a statement reporting the arrest of 22 third-party Apple distributors for allegedly selling customer data on the black market. Officials claim that the suspects searched an internal Apple database to obtain sensitive information, such as names, Apple IDs and phone numbers.

Each sale was for between 10 and 180 yuan (A$1.95 to A$35.17). The entire scam was reportedly worth more than 50 million yuan (about A$9.8 million).

It is presently unclear whether there were victims outside of China, or how many people were affected by the breach.

No doubt these events will raise concerns worldwide about distributors’ access to customer data when it flows through the supply chain. Companies will need to have strong guarantees in place with their distributors, in relation to the handling and security of data, in order to reduce their risk of breaches when data leaves their control.

Users wishing to add an extra layer of security to their Apple ID can try utilising two-factor authentication, as set out by Apple here.

Together we are stronger – Australia and Singapore partner up on cybersecurity

By Cameron Abbott and Allison Wallace

A freshly inked Memorandum of Understanding between Australia and Singapore will see the two countries strengthen their cybersecurity through a joint effort to build a secure and resilient cyber space.

The two-year partnership, which was signed last week, will see Singapore’s Cyber Security Agency work with the Australian government to conduct regular information exchanges on cyber threats, share best practices to promote innovation in cyber security, and build cyber security capabilities.

Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers

By Cameron Abbott and Edwin Tan

On 5 May 2017, a federal district court in New York ordered four people involved in breaching the networks of two law firms and stealing confidential information to pay approximately $8.9 million in fines.

According to the Securities and Exchange Commission, the hackers installed malware on the law firms’ networks, enabling them to view and copy data held by the law firms. The stolen data included emails revealing the details of clients considering mergers or acquisitions. Armed with this information, the hackers purchased shares in those companies ahead of public announcements, quickly amassing profits of almost $3 million.

There are concerns that hackers consider law firms as “low risk, high reward” targets, as a successful breach can reveal sensitive information about a multitude of clients such as trade secrets and financial data. These breaches can result in firm clients being exposed to massive commercial and legal risk.

One can be cynical about expenditure on security – let’s face it, it means less money in partners’ pockets – but cases like this are a salient warning of the hidden costs of getting security wrong!

Australia and China to Cooperate Against Cybercrime

By Cameron Abbott and Edwin Tan

On 21 April 2017, Australian and Chinese Government representatives attended the inaugural Australian-China High-Level Security Dialogue. The Dialogue was launched to promote discussion between the two countries in the areas of counter-terrorism, cybercrime and other important security issues.

According to a joint statement by both parties, Australia and China reaffirmed their commitment to cooperate on cybersecurity issues. The key commitments include:

  • supporting the work of the UN Group of Governmental Experts and to act in accordance with its reports;
  • establishing an information-sharing mechanism to assist in combating cybercrime and preventing cyber incidents that could cause problems between the countries;
  • working together against internet distribution of child sex abuse material, e-mail scams and other transnational cybercrime activities;
  • discussing options for joint operations against cybercrime; and
  • exchanging cybersecurity delegations and regulatory documents to enhance understanding, cooperation and mutual trust.

The second High-Level Security Dialogue session will be held in China in the first half of 2018. One imagines that this is a tricky dialogue to foster, but clearly Australia takes the view that it is better off having China “in the tent than out”. Read the joint statement here.

“WannaCry” Ransomware Attack Causes Disruption Globally – with the worst yet to come

By Cameron Abbott and Edwin Tan

A ransomware known as “WannaCry” affected 200,000 people in 150 countries over the weekend, locking computer files and demanding payment to release them. As of this morning, Australian and New Zealand users seem to have avoided the brunt of the attack, with the Federal Government confirming only three reports of Australian companies being affected. Not that ransomware attacks tend to be the subject of reporting – there is quite a high rate of payment by affected users, as the pricing is deliberately cheaper than most alternatives unless your back-up process is very good.

The ransomware utilises vulnerabilities in out-of-date, unpatched versions of Microsoft Windows to infect devices. It spreads from computer to computer as it finds exposed targets, without the user having to open an e-mail attachment or click a link, as is commonplace in most attacks. Ransom demands start at US$300 and double after three days.

The U.K. National Health Service (NHS) was among the worst-hit organisations, with hospitals forced to cancel appointments and delay operations because they could not access their patients’ medical records. The Telegraph suggested that 90 percent of NHS trusts were using the 16-year-old Windows XP, which was particularly vulnerable to the attack. More attacks are anticipated throughout the working week as companies and organisations turn on their devices.

The U.K. National Cyber Security Center has released guidance to help both home users and organisations limit the impact of the attacks. It can be read here.

No Cybersecurity? No Business, Banks Say

By Cameron Abbott and Edwin Tan

A recent survey by leading analytics company FICO revealed that 75 percent of senior fraud managers in Asia Pacific banks were prepared to stop working with business partners that fail cybersecurity audits. Sixty-five percent of respondents confirmed that preventing cybercrime is a key focus in 2017, with the majority nominating cybercrime as having the largest potential financial impact on banks.

Large retailers and telecommunications companies were identified as the greatest data breach risks for banks. Dan McConaghy, president of FICO Asia-Pacific, explained that the problem was compounded in the Asia Pacific by a huge growth in sales by poorly protected companies.

Companies are going to have to realise that data security is now a sales issue and not simply an afterthought.

New Mexico’s New Data Breach Notification Laws

By Cameron Abbott and Edwin Tan

New Mexico has followed other U.S. states in enacting data breach notification laws coming into effect on 16 June 2017. The statute will only apply to computerised data, which is narrower in scope compared to Australian laws that also apply to physical records.

The key provisions from the new data breach laws include:

  • Companies must notify New Mexico residents, the Attorney General and Consumer Reporting Agencies as appropriate within 45 days of discovery of data breaches that pose “a significant risk of identity theft or fraud”;
  • Companies that disclose Personal Identifying Information to third party vendors must contractually require the vendors to implement and maintain reasonable security procedures; and
  • Civil penalties of $10 per instance of failed notification up to a maximum of $150,000.

There are concerns that this adds another layer of complexity for companies trying to remain compliant, as they will now have to comply with data breach notification laws of 48 states and 3 territories. We think that there may be a big push for a unified federal law on this issue in the near future.

Copyright © 2025, K&L Gates LLP. All Rights Reserved.