Author Archives: Travis Taylor

The Worldwide Failure to Comply with Payment Security Standards

Payment security continues to decline worldwide, with almost two-thirds of organizations failing to meet and maintain compliance standards, according to a new report released by Verizon.

The 2019 Payment Security Report (PSR) measured worldwide compliance with the Payment Card Industry Data Security Standard (PCI DSS) and found that only 36.7% of organizations were fully compliant, down from the 52.5% reported in Verizon’s 2018 PSR. The Americas had the lowest compliance, with just 20.5% meeting the global standard.

“We see an increasing number of organizations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data,” said Rodolphe Simonetti, Global Managing Director for Security Consulting at Verizon.

PCI DSS was introduced by several major credit card companies in 2004 as an industry-wide standard for securing electronic payment data; it prescribes best practices for data storage and data transmission. While the requirements for compliance vary according to an organization’s annual volume of credit card transactions, they generally require the following:

  • A secure network
  • Protection of cardholder data
  • A vulnerability management program
  • Access control measures
  • Regular network testing and monitoring
  • An information security policy

The decline in PCI compliance is a matter for concern as the frequency and cost of data breaches continue to rise. According to the 2019 PSR, not a single organization that experienced a breach was found to be fully compliant with PCI DSS.

“For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches… Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organization,” said Simonetti.

The post The Worldwide Failure to Comply with Payment Security Standards appeared first on Adam Levin.

Google’s Project Nightingale Health Data Practice Raises Privacy Concerns

Google is collecting the health record data of millions of U.S. citizens, raising serious concerns about patient privacy.

According to a recent story published in The Wall Street Journal, Google has partnered with Ascension, the nation’s second largest health care system, on Project Nightingale.

The partnership gives Google full, non-anonymized access to “lab results, doctor diagnoses and hospitalization records… and amounts to a complete health history, including patient names and dates of birth” for millions of patients in 21 states.

The stated intention of Project Nightingale is “ultimately improving outcomes, reducing costs, and saving lives,” according to Google Cloud president Tariq Shaukat, who also sees it helping developers “design new software, underpinned by advanced artificial intelligence and machine learning, that zeros in on individual patients to suggest changes to their care.”

Google’s access to patient data raises concerns among privacy advocates, particularly because at least 150 of the company’s employees have full access to highly personal information without patient consent or notification.

Of perhaps even greater concern is the fact that Google’s apparent data mining is legal according to federal law, specifically the Health Insurance Portability and Accountability Act of 1996, or HIPAA. According to the U.S. Department of Health and Human Services, medical providers “may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions.”

Google has recently made similar moves to expand its access to health and medical data, including its acquisition of Fitbit and that company’s data sharing partnership with the University of Chicago Medical Center. That move resulted in a class action lawsuit.


Desjardins Data Breach Worse Than Originally Reported

The June data breach of Canadian financial institution Desjardins was wider in scope than initially reported and compromised the data of all 4.2 million of its individual members.

The breach, initially detected in December 2018 and announced in July 2019, was originally estimated to have affected 2.7 million customers and 173,000 businesses. Desjardins announced the revised figure based on information shared by the Sûreté du Québec (SQ), the Quebec province’s police force. It is possible that more businesses were impacted by the breach than originally estimated.

Compromised member data included names, addresses, birthdates, social insurance numbers, email addresses and transaction histories.

“This is not a new breach, this is the same breach with the same employee who did the same pattern [sic], but the bad news today is that the SQ is sure that it’s for the whole group and all the 4.2 million members,” said Desjardins chief executive Guy Cormier.

While Desjardins attributed the data breach to a single employee, no arrests have been made and an investigation is still ongoing.


North Korean Malware Found on Indian Nuclear Plant Network

Malware associated with North Korean state-sponsored hackers has been identified on the network of an Indian nuclear power plant.

Security researchers discovered the presence of a variant of Dtrack malware on the networks of the Kudankulam Nuclear Power Plant (KNPP) following an unexpected outage of one of its reactors. Dtrack is a Trojan-style malware program purportedly created by the elite North Korean hacking team known as the Lazarus Group.

Despite initially denying reports of a malware infection, the Nuclear Power Corporation of India Limited (NPCIL) confirmed the attack in a press release on October 30.

“Identification of malware in NPCIL system is correct,” stated the release, concluding that investigations of the event confirmed “that the plant systems are not affected.”

Investigation of the malware deployed found hard-coded credentials for the KNPP, suggesting that the infection was a targeted attack.

Dtrack has traditionally been associated with attacks on financial systems, including banks in South Korea and India. It was also deployed as part of the WannaCry ransomware strain.


Nation of Georgia Hit By Major Cyberattack

The entire nation of Georgia has been hit by a cyberattack, the largest in that country’s history.

Indications are that the attack was politically motivated: thousands of websites suddenly featured an image of former President Mikheil Saakashvili with the message “I’ll be back.” Additionally, at least two television stations were rendered non-functional, as were the websites of several governmental agencies.

Local web hosting provider Pro-Service confirmed that it had been the target of the attack and that one of its servers had been successfully breached. In all, Pro-Service said that “some 15,000” websites had been affected by the attack.

The company later posted an update on its website stating that the “effects of the most massive cyberattack have been eliminated.”

“With the scale and the nature of the targets, it’s difficult not to conclude that this was a state-sponsored attack,” said cybersecurity expert Alan Woodward to BBC News.

Georgia had previously been targeted by cyberattacks during the country’s 2008 conflict with Russia over the disputed region of South Ossetia.

Despite the scope of the attack, no major utilities or critical services were affected.


Leaked Memo Warns of Poor Cybersecurity in White House

A leaked memo from the Office of the Chief Information Security Officer (OCISO) delivered alarming news about the state of cybersecurity at the White House.

Acquired and published online by Axios, the memo was included in a resignation letter from Branch Chief of White House Computer Network Defense Dimitrios Vastakis. In the document, Vastakis details several concerns about staffing and organizational policies that he felt were harming cybersecurity at the White House and causing personnel to leave “at an alarming rate.”

Vastakis took particular issue with the recent decision to fold the OCISO into the Office of the Chief Information Officer.

“This is a significant shift in the priorities of senior leadership where business operations and quality of service take precedence over securing the President’s network,” Vastakis wrote.

The memo comes in the wake of several resignations or terminations from the office, which was established in 2014 in response to a successful Russian cyberattack.

“It is my express opinion that the remaining incumbent OCISO staff is being systematically targeted for removal from the Office of Administration (OA) through various means,” wrote Vastakis, concluding that “the White House is posturing itself to be electronically compromised once again.”

Other former cybersecurity officials for the White House have expressed similar concerns and misgivings with the current administration’s cyber policies.

“The termination of the cyber czar position compounded with placing individuals like Giuliani in charge of cyber has created the perfect storm,” wrote Tom Kellermann, the former cybersecurity commissioner for the Obama administration. “We are under siege by an axis of evil in cyberspace and we must appreciate that American cybersecurity is tenuous as we fight an ongoing cyber insurgency.”
