Tuesday, June 4, 2019
In the wake of new and pervasive malware intrusions and distributed denial-of-service attacks against supply chains and large data repositories, local and federal jurisdictions in North America are proposing stronger enforcement of existing laws and enacting new legislation to impose more severe consequences on parties that alter and steal data. Meanwhile, security analysts are urging service providers and merchants to improve security practices and response times.
The Canadian government introduced regulations to combat cybercrime and protect personal information in the private sector. Security journalist Brian Krebs said the measures are part of Canada's Anti-Spam Legislation (CASL), initially passed in 2015 and updated in May 2019. Overseen by the Canadian Radio-television and Telecommunications Commission (CRTC), the new regulations make altering data a punishable offense, Krebs stated.
A May 30, 2019 post on Krebs on Security stated that CRTC was "flexing relatively new administrative muscles gained from the passage of Canada's Anti-Spam Legislation (CASL)." The regulations make altering data and installing malicious programs on computers a civil offense, whether carried out through botnets, malware or spyware, according to Krebs.
Noting that CRTC can fine individuals up to $1 million and businesses as much as $10 million, Krebs expressed hope that anti-spam regulations and massive penalties will discourage other Canadian hackers from pursuing this type of work. The CRTC fined Datablocks Inc. and Sunlight Media Network Inc. in 2018 for circulating online ads that triggered malicious code, he stated.
A breach at Checkers and Rally's fast-casual restaurants was reported May 29, 2019, but hackers had been quietly harvesting data at some restaurant locations for years. Exposure windows in some Las Vegas locations went as far back as January 2017, according to the company's statement about the breach.
The restaurant chain disclosed that POS malware at some Checkers and Rally's locations appeared to have enabled unauthorized parties to obtain payment card data read from the magnetic stripe of customers' cards. David Vergara, director of security product marketing at OneSpan, said nothing is surprising about POS malware stealing company data, but he expressed shock at the time that had elapsed between the first infection and eradication.
"Every business needs to do better to improve visibility between departments, customer communications and the payment network to minimize the impact of malware," Vergara said. "And today, good security hygiene is everyone's responsibility across the retail payment ecosystem."
Michael Magrath, director, global regulations and standards at OneSpan, said third-party vendors are a leading cause of security breaches. This is supported by Ponemon Institute's 2018 study "Data Risk in the Third-Party Ecosystem," which revealed that 59 percent of companies surveyed had experienced a data breach caused by a third-party vendor, he stated.
Quest Diagnostics is an example that just came to light. American Medical Collection Agency, a third-party billing collections service employed by Quest contractor Optum360, informed Quest a data breach may have exposed the financial and medical information of 11.9 million of Quest's patients. Quest reported the incident on June 3, 2019, noting that an unauthorized user had access to the system between Aug. 1, 2018 and March 30, 2019. The system contained sensitive data, including credit card numbers, bank account information, medical information and Social Security numbers, but lab results were not exposed, Quest added.
"The Quest Diagnostics breach will undoubtedly bring a hefty fine from the Health and Human Services' Office of Civil Rights to the American Medical Collection Agency (AMCA) for failing to protect consumer data," Magrath said. He also advised HHS to revisit HIPAA Security and Privacy guidelines and tighten security controls for third parties. "The New York Department of Financial Services' Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) could serve as the model with strong requirements for third parties, including requirements pertaining to access controls, including multi-factor authentication to protect data," he said.
Tom Garrubba, senior director and CISO at Shared Assessments, called the Quest Diagnostics breach "a motherlode" attack that involved three critical components of customer data: PII, credit card data and health information. "I'm curious to see how swiftly the Office of Civil Rights, which oversees HIPAA compliance, moves in to review the details of the breach with [the third-party vendor] who was performing the scope of work, and to see what negligence, if any, is on the hands of Quest," he said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.