Questions Remain as to Extent of HBO Cyberattack

On Monday, HBO acknowledged that it had been the victim of a cyberattack. The hacker(s) claiming responsibility use the alias “little.finger66,” a reference to HBO’s hit show, Game of Thrones.

The hackers accessed an estimated 1.5 terabytes of data. They have leaked full episodes of Ballers and Room 104, as well as a script from the upcoming episode of Game of Thrones. They promise that more is to come. HBO is working with law enforcement and private security firms to examine the extent of the breach and to protect its data.

HBO has expressed an intent to offer its employees credit monitoring, which raises questions as to whether human resources records were accessed. Thankfully for subscribers, at this time, there is no indication that the hackers accessed subscribers’ login credentials or payment information.

Also, luckily for HBO, it appears that HBO’s email system was not compromised in its entirety, unlike with the Sony Entertainment breach in 2014. The release of confidential and proprietary information following the Sony breach – such as executives’ salaries and embarrassing email communications – sent ripples through the entertainment industry and led Sony’s then co-chairman to resign. It also resulted in a class action lawsuit brought by certain Sony employees.

We will continue to monitor this story as it unfolds.

DLA Piper Falls Victim to Latest Cyberattack

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of future, similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyber hack.

The Petrwrap/Petya attack, which was found to have originated in the firm’s office in Spain, caused DLA’s network and phone system to be shut down. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, including the FBI and UK National Crime Agency, to get its systems back online and recover from the attack. Nonetheless, the firm’s lawyers were without access to company phones and email due to the lockdown.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in the Ukraine, where the most severe damage has been sustained, the virus quickly spread to the United States and Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm that has been reportedly attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms, generally, are attractive targets for hackers, as they maintain an abundance of highly-sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of the WannaCry, titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it is spread, are still being investigated. Researchers have reported that it is both similar to and different from WannaCry in various ways. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.


Recent Massive Ransomware Attack Underscores Importance of Keeping Operating System Software Updated and Vigilance Against Suspicious Emails

On May 12, 2017, countless individuals and businesses worldwide were the targets of what experts deem the largest ransomware attack in history. In this attack, hackers sent emails containing encrypted .zip file attachments, which, when downloaded by the email recipient, infected the recipient’s computer with ransomware that commandeered and locked the computer’s files. The files were rendered inaccessible and released only upon payment of a bitcoin ransom to the hacker. According to reports, over 74 countries were hit by the attack, and hospitals and government agencies were among the victims. The damage, monetary or otherwise, resulting from the attack remains to be determined.

“Wannacry,” the name of the ransomware variant used in this attack, is reportedly derived from a stolen NSA hacking tool. The ransomware exploited Windows-based operating system vulnerabilities in computers that were not patched with the latest software update from Microsoft.

Although individuals and businesses in the United States remained largely unaffected, many experts say that this recent attack merely foreshadows future attacks of this scale that may potentially reach users stateside. As hackers become more sophisticated, attacks of this type may become the new normal. Given this new reality in the world of computing, it is increasingly important that computer users, particularly organizational users with databases and systems that house confidential and sensitive information, such as personally identifiable information (“PII”) or protected health information (“PHI”), ensure that computer systems are regularly updated with operating system software and security patches. Equally important is implementing organizational policies and procedures that require and encourage users to be vigilant against indiscriminate accessing and opening of suspicious emails with infected attachments and links.

Recent Study Reveals Interesting Trends in Cyber Attacks in First Quarter of 2017

A recent study issued by Navigant Global Technology Solutions has indicated that “2017 is poised to be a year of significant awareness and development in the area of cybersecurity regulation.” The study indicates that the ferocity of cybersecurity attacks has continued unabated since 2016 and that 2017 is shaping up to be another “watershed year” for cybersecurity threats and attacks.

Statistics (Q1 2017):

  • The overall average breach size decreased from 58,882 records in Q3 2016 to 49,877 in Q4 2016.
  • Healthcare accounted for the largest percentage of reported data breaches (42.77%).
  • Hacking incidents were the most common type of breach.
  • An average of more than 4,000 ransomware attacks occurred per day.
  • 73% of IT security professionals at critical infrastructure utilities say their organizations have suffered a breach.

Additionally, there has been a significant increase in the number of security incidents caused by remote desktop protocol (“RDP”) hacking in the first quarter of 2017. Not surprising in light of the increasing “work-from-home” trend, this hacking technique involves technology to allow users and system administrators to remotely access computers that they are not physically able to access. The attackers gain access to the network through phishing emails or other social engineering techniques. The study also noted that TeamViewer, a major RDP provider, has also seen a spike in the number of RDP security breaches. However, TeamViewer and Navigant both note that the exposure is not due to a “flaw” in the technology, but rather the usage of poor password policies by users. Once again, the findings indicate that human error appears to be one of the most difficult problems to safeguard against.

The second quarter of 2017 is poised to be no exception to the spike in cybersecurity breaches. The 2016 tax year is coming to a close and a plethora of sensitive personal information is available to hackers across multiple platforms. Recognizing that a majority of cyber attacks are the result of the usage of poor/duplicative passwords by users, the use of “two-factor authentication” on all account logins continues to be a focus in designing effective cyber security programs.

Two-factor authentication (also referred to as “2FA”) is a process requiring two different authentication methods to prevent unauthorized access of private and sensitive information. The three main categories of authentication factors are: something you know (password, pin code, social security number); something you have (USB security token, bank card, key); and something you are (fingerprint, eye, voice, face). The two-factor authentication process requires two of these factors.

According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Thus, by using basic, two-factor authentication, an organization can immediately reduce its cybersecurity threat profile in a fast and meaningful way.

As we continue in 2017, these statistics and studies must inform the development of practical, effective means of combating countless threats to cyber security. Being attacked is only a question of when, not if. In cyber security, the best offense is a strong defense, including accommodations for the likelihood of human error.

Arizona Voter Registration Database Hacked by Email Designed to Look Like Employee

In this contentious election year, foreign hackers have taken a keen interest in the U.S. electoral system. Perhaps most memorable was this summer’s high-profile assault on Democratic National Committee computers, which exposed a number of unsavory emails and forced DNC Chairwoman Debbie Wasserman Schultz to step down. But state voter registration databases have also become popular targets for hackers looking to disrupt confidence in this year’s elections; over two dozen states have seen some form of cyberattack on their election systems this year. An apparent hacking attempt in June 2016 caused Arizona’s voter registration system to shut down for almost a week while state and federal officials investigated the source of the hack. The FBI later attributed the breach to Russian hackers.

Speaking at the Cambridge Cyber Summit this month, Arizona Secretary of State Michele Reagan revealed that the malware was traced to a highly sophisticated email designed to look like it came from an employee. Hackers used the email to obtain the username and password for a single election official, giving them access to Arizona’s entire voter registration database, which houses the personal information of more than four million Arizona residents. According to Secretary Reagan, election officials have taken several steps to protect Arizona’s election system from additional cyberattacks, including requiring employees to implement new and stronger passwords and multifactor authentication. Although Secretary Reagan has been adamant that hackers did not gain access to any mechanism for tallying votes, the mere possibility that election results could be compromised may be enough to cast doubt on this election, which some (including one major party candidate) have already alleged is “rigged.” This latest revelation from Arizona officials serves as yet another example of the importance of creating a culture of data security in the workplace and training employee–in all industries–to recognize the signs of fraudulent emails.

See Secretary of State Reagan’s complete interview here.

Macaroni and Malware: Hundreds of Noodles & Company Locations Hacked, Exposing Consumer Financial Information

In the wake of Wendy’s announcement of a data breach in its point-of-sale system, Noodles & Company recently announced that it too was a victim of a cyber-attack, which may have resulted in access to thousands of customers’ debit and credit card data. Noodles & Company’s June 28, 2016 press release identifies restaurant locations in 27 states and Washington DC in which data security may have been breached.

In its press release, Noodles & Company states that it began investigating on May 17, 2016, after its credit card processor reported “unusual activity.” It immediately hired a third-party forensic expert to investigate, and on June 2, 2016, it discovered evidence of “suspicious activity on its computer system that indicated a potential compromise.”

Noodles & Company states that it is “moving forward on a number of fronts” in response to the data breach, including working with third-party forensic investigators, operating with the United States Secret Service, and providing guidance to guests who may have been affected. In a subsequent press release, Noodles & Company asserts that it “contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in [the] incident.” Nonetheless, it will not be a surprise if Noodles & Company suffers the same fate as Wendy’s: defending a federal consumer class-action lawsuit.

We will continue to monitor and report on this story as it develops.

The Use of Human Emotions

Organizations of all sizes, across all regions, and all sectors face an evolving risk from cyber criminals. Because businesses have become increasingly dependent upon technology, cyber criminals have shifted from theft of physical assets to the theft of electronic information. The growing use of technology-enabled processes exposes businesses to cybercrime – from direct theft of data (leading to financial assets) to the theft of personal data (that can be used to assemble an attack on financial assets). Cybercrime can threaten processes from point of sale purchases by debit/credit cards in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.

Cyber criminals have shifted their focus away from pure technological attacks and have increasingly attacked employees through techniques used to manipulate people into performing actions or divulging confidential information. Security is all about knowing who and what to trust. It does not matter how many locks you install if you trust the person at the gate lets in criminals. In the cyber world, the weakest link in the security chain is the human operator who accepts a person or scenario at face value. Thieves target this vulnerability. Securing hardware and software are relatively easy; it is the employees within an organization that sometimes fall prey to cyber attacks.

Criminals exploit human emotions (such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness) to bypass the most iron-clad security measures and gain access to systems. The success of such schemes does not rely upon sophisticated technology. The success of these schemes depends upon human error. These schemes are one of the most difficult crimes to prevent, as it cannot be defended against through hardware or software.

Because there is no technology to protect against social engineering attacks, organizations should implement good security protocols. In order to build defenses against social engineering attacks, organizations need to design and implement comprehensive security practices:

  • Training Programs: Companies should invest in security training programs and update their employees on security threats.
  • Policies and Procedures: Well-defined policies and procedures provide guidelines for employees on how to go about protecting company resources from a potential cyber attack. Strong policies should include proper password management, access control, and handling of sensitive user information.
  • Risk Assessment: A risk assessment helps management understand risk factors that may adversely affect the company and track existing and upcoming threats. Determining security risks helps enterprises to build defenses against them.
  • Security Incident Management: To manage the incident, the help desk must be trained to track (among other things) the target, their department, and nature of the scheme. Such protocols will enable a company to actively manage the risk of the breach to mitigate potential losses.

Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance

Gordon & Rees Partner, Matthew Foy, recently co-authored an article published in DRI’s In-House Defense Quarterly, entitled “Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance.” The article addresses the implications of the November 2014 Sony data breach and discusses why companies of all sizes should be giving a hard look at the cyberinsurance market and not simply relying on their CGL policies. To learn more about this topic, please see the full article, which is available here.

Insurance industry takes protective stance against constant threat of data breaches

Over 1,000 Medicaid identification numbers may have been compromised in a recent breach of security protocol in North Carolina. An employee of the North Carolina Department of Health and Human Services inadvertently sent an email without first encrypting it, which contained protected health information for Medicaid recipients, including the individual’s first and last name, Medicaid identification number, provider name, and provider identification number. While the Department has no reason to believe that any information was compromised, the Department advised affected patients to take steps to protect themselves, such as putting a fraud alert on their credit files and monitoring their financial statements for unauthorized activity.

Individual insurance companies have also fallen victim to cyberattacks. The National Association of Insurance Commissioners (NAIC) has made efforts to strengthen the insurance industry’s security position by launching the Cybersecurity Task Force, which is creating a framework for insurance companies to follow in the event of a security breach. The NAIC recently proposed a Cybersecurity Bill of Rights, which outlines the expectations of insurers when a data breach occurs and remedies for consumers who have suffered harm due to a breach. Consumer advocates, as well as insurance groups representing life, health, and property/casualty carriers, support the Cybersecurity Bill of Rights, but are pushing for changes, arguing that the document may create confusion for consumers because currently it implies that certain rights, which are not contained in all applicable state and federal laws, exist for all consumers. While the Cybersecurity Bill of Rights will not likely become a binding document, the Cybersecurity Task Force has been working alongside state insurance regulators, conducting examinations of insurance carrier’s protocols to determine whether sensitive data and confidential information are properly protected. One thing is for certain – the increase in data breaches nationwide will lead to more regulations affecting all areas of industry and eventually leading to additional lawsuits in compliance with said regulations.

Seventh Circuit Revives Consumer Class Action Relating To Neiman Marcus Data Breach

On Monday July 20, 2015, the Seventh Circuit Court of Appeals weighed in on the hotly-contested issue of standing in data breach class action litigation. In so doing, the Court reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus, holding that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support Article III standing.

This lawsuit arose in January of 2014, when Neiman Marcus publicly disclosed that it had suffered a major cyberattack, in which hackers collected the credit card information of approximately 350,000 customers. Soon after this disclosure was made, a number of consumers filed a class action lawsuit in the United States District Court for the Northern District of Illinois, alleging that Neiman Marcus put them at risk for risk for identity theft and fraud by waiting nearly a month to disclose the data breach. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution.

On appeal, the Seventh Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

This ruling is consistent with decisions from several other courts across the country. See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 U.S. Dist. LEXIS 96588, 2014 WL 3511500 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, No 13-cv-05226-LHK, 2014 U.S. Dist. LEXIS 124126, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); Michael Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015). Earlier this year, in a comprehensive article on standing in data breach cases (available here), our firm questioned whether opinions of this nature were indicative of a trend or anomalies. The Seventh Circuit’s ruling this week and the Central District of California’s ruling in Corona last month suggest it is in fact a trend. If the trend continues, consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing.

Please continue to monitor our blog for the latest news on data breach litigation and other privacy laws.