DLA Piper Falls Victim to Latest Cyberattack

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of future, similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyber hack.

The Petrwrap/Petya attack, which was found to have originated in the firm’s office in Spain, caused DLA’s network and phone system to be shut down. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, including the FBI and UK National Crime Agency, to get its systems back online and recover from the attack. Nonetheless, the firm’s lawyers were without access to company phones and email due to the lockdown.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in the Ukraine, where the most severe damage has been sustained, the virus quickly spread to the United States and Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm that has been reportedly attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms, generally, are attractive targets for hackers, as they maintain an abundance of highly-sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of the WannaCry, titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it is spread, are still being investigated. Researchers have reported that it is both similar to and different from WannaCry in various ways. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.

 

Recent Massive Ransomware Attack Underscores Importance of Keeping Operating System Software Updated and Vigilance Against Suspicious Emails

On May 12, 2017, countless individuals and businesses worldwide were the targets of what experts deem the largest ransomware attack in history. In this attack, hackers sent emails containing encrypted .zip file attachments, which, when downloaded by the email recipient, infected the recipient’s computer with ransomware that commandeered and locked the computer’s files. The files were rendered inaccessible and released only upon payment of a bitcoin ransom to the hacker. According to reports, over 74 countries were hit by the attack, and hospitals and government agencies were among the victims. The damage, monetary or otherwise, resulting from the attack remains to be determined.

“Wannacry,” the name of the ransomware variant used in this attack, is reportedly derived from a stolen NSA hacking tool. The ransomware exploited Windows-based operating system vulnerabilities in computers that were not patched with the latest software update from Microsoft.

Although individuals and businesses in the United States remained largely unaffected, many experts say that this recent attack merely foreshadows future attacks of this scale that may potentially reach users stateside. As hackers become more sophisticated, attacks of this type may become the new normal. Given this new reality in the world of computing, it is increasingly important that computer users, particularly organizational users with databases and systems that house confidential and sensitive information, such as personally identifiable information (“PII”) or protected health information (“PHI”), ensure that computer systems are regularly updated with operating system software and security patches. Equally important is implementing organizational policies and procedures that require and encourage users to be vigilant against indiscriminate accessing and opening of suspicious emails with infected attachments and links.

Wendy’s May Face Liability for Failing to Upgrade Payment Systems

As was previously reported, October 1, 2015 signaled a fraud “liability shift” between credit card issuers and merchants, in which liability for fraudulent credit card transactions began falling on whichever party used the lower level of security and compliance with EMV standards. While merchants are not required to adopt EMV technology (which reads chip cards, as opposed to the less secure magnetic strip cards), in the event of a data breach, their failure to do so can now render them responsible for the costs associated with the fraudulent use of stolen credit card information. This liability shift has created a very strong incentive for merchants to implement EMV chip card readers.

For companies that have not opted to make the EMV transition, lawsuits may begin to abound. One of the first suits targeting a retailer for its failure to keep up with industry standards was filed on February 8, 2016, in the wake of a possible data breach at the nationwide fast food chain, Wendy’s.

On January 27, 2016, Wendy’s announced that it was investigating a possible breach of its point of sale systems, after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. Wendy’s hired a cybersecurity firm to investigate the potential breach – which involved transactions in late 2015 – who discovered malware designed to steal customer payment data on computers that operate Wendy’s payment processing systems in certain locations.

An Orlando, Florida man purporting to be a victim of the Wendy’s breach initiated a class action lawsuit against the company on February 8, 2016, claiming that Wendy’s “lackadaisical” and “cavalier” security measures allowed his debit card data to be stolen and used to purchase nearly $600.00 of merchandise from various retailers. The lawsuit alleges that Wendy’s could have prevented the breach, yet maintained a system that was insufficient and inadequate to protect customers’ data. An attorney representing the plaintiff suggested that Wendy’s failed to incorporate technology allowing for use of chip-enabled cards, and that the lawsuit may expose the danger of failing to adopt such a system.

The threat of similar class action litigation may serve as a wake-up call for retailers who have failed or otherwise delayed in implementing up-to-date security measures. The suit, Jonathan Torres vs. The Wendy’s Company, can be found here.

The Use of Human Emotions

Organizations of all sizes, across all regions, and all sectors face an evolving risk from cyber criminals. Because businesses have become increasingly dependent upon technology, cyber criminals have shifted from theft of physical assets to the theft of electronic information. The growing use of technology-enabled processes exposes businesses to cybercrime – from direct theft of data (leading to financial assets) to the theft of personal data (that can be used to assemble an attack on financial assets). Cybercrime can threaten processes from point of sale purchases by debit/credit cards in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.

Cyber criminals have shifted their focus away from pure technological attacks and have increasingly attacked employees through techniques used to manipulate people into performing actions or divulging confidential information. Security is all about knowing who and what to trust. It does not matter how many locks you install if you trust the person at the gate lets in criminals. In the cyber world, the weakest link in the security chain is the human operator who accepts a person or scenario at face value. Thieves target this vulnerability. Securing hardware and software are relatively easy; it is the employees within an organization that sometimes fall prey to cyber attacks.

Criminals exploit human emotions (such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness) to bypass the most iron-clad security measures and gain access to systems. The success of such schemes does not rely upon sophisticated technology. The success of these schemes depends upon human error. These schemes are one of the most difficult crimes to prevent, as it cannot be defended against through hardware or software.

Because there is no technology to protect against social engineering attacks, organizations should implement good security protocols. In order to build defenses against social engineering attacks, organizations need to design and implement comprehensive security practices:

  • Training Programs: Companies should invest in security training programs and update their employees on security threats.
  • Policies and Procedures: Well-defined policies and procedures provide guidelines for employees on how to go about protecting company resources from a potential cyber attack. Strong policies should include proper password management, access control, and handling of sensitive user information.
  • Risk Assessment: A risk assessment helps management understand risk factors that may adversely affect the company and track existing and upcoming threats. Determining security risks helps enterprises to build defenses against them.
  • Security Incident Management: To manage the incident, the help desk must be trained to track (among other things) the target, their department, and nature of the scheme. Such protocols will enable a company to actively manage the risk of the breach to mitigate potential losses.

Insurance Coverage for Social Engineering Losses

11-4Cyber criminals employ a variety of tactics—such as hacking, phishing or baiting schemes—to steal a business’s money, property or proprietary information. The term “social engineering” is applied to schemes that use technology, not to steal directly from the business, but to manipulate employees unwittingly to perform acts, transfer assets or divulge confidential information. A common social engineering loss scenario involves a trusted employee who is induced, by a spoof email or forged written instructions from someone impersonating a customer, a vendor or a senior officer of the company, to instruct the employer’s bank to wire funds to the imposter’s account.

Many businesses mistakenly believe that traditional commercial crime policies cover all such cyber-related losses. Although commercial crime policies have traditionally included computer fraud and funds transfer fraud, courts interpreting the scope of such coverages have generally distinguished between: (1) losses where a thief hacks the insured’s computer systems; and (2) losses where the insured voluntarily transfers funds. Courts have generally allowed coverage for the first category of loss. In contrast, losses from the voluntary transfer of funds, including social engineering losses, are generally not covered because they do not arise “directly” from the use of a computer to fraudulently cause a transfer of property; they arise from an authorized transfer of funds.

Social engineering loss is difficult to prevent; it cannot be defended against through hardware or software. Insurance coverage against social engineering risks, however, is available, usually by endorsement to commercial crime policy forms. Such coverage typically covers direct loss resulting from the intentional misleading of an employee through electronic or written instruction sent by a person who purports to be a vendor, client or employee, that directs the employee to transfer, pay or deliver money or property, and contains a misrepresentation of material fact which is relied upon by the employee.

Corona Class Action Against Sony Pictures Survives Motion to Dismiss

After the highly publicized cyber-attack on Sony Pictures Entertainment, Inc., which has been attributed to the so-called Guardians of Peace, Michael Corona, and eight other former Sony employees whose personal information was stolen, filed a class action asserting claims for: (1) Negligence; (2) Breach of Implied Contract; (3) Violation of the California Customer Records Act; (4) Violation of the California Confidentiality of Medical Information Act; (5) Violation of the Unfair Competition Law; (6) Declaratory Judgment; (7) Violation of Virginia Code § 18.2-186.6, and (8) Violation of Colorado Revised Statutes § 6-1-716.

Sony filed a motion to dismiss arguing that the Central District of California lacked subject matter jurisdiction over the action. Specifically, Sony argued that the plaintiffs lacked Article III standing, because they failed to allege a current injury or threatened injury that was certainly impending. Sony further argued that, even if plaintiffs had standing, the suit must be dismissed for failure to state a claim.

On June 15, 2015, the court ruled on the motion to dismiss. The court disagreed that plaintiffs’ allegations were insufficient to establish standing. Relying on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013), and In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916, the court determined that the plaintiffs need only allege a credible threat of real and immediate harm, or certainly impending injury—not a current injury—which they had done by alleging their information was stolen, posted on file-sharing websites for identity thieves to download, and was used to send emails threatening physical harm to employees and their families.

The court’s ruling is consistent with other recent rulings in California, which suggests this is a trend in the prosecution of data breach claims rather than just an outlier. (To read more on this subject, please see our article published in DRI’s For the Defense in February 2015, available here.)

The court then turned to the merits of plaintiffs’ claims. It dismissed four of plaintiffs’ claims and a portion of plaintiffs’ negligence claim. The court dismissed the plaintiff’s negligence claim to the extent it was based on an increased risk of future harm, as there was no cognizable injury. The court also dismissed plaintiffs’ breach of implied contract claim, finding that, while there was an implied employment contract, that there was no indication Sony intended to frustrate the agreement by consciously and deliberately failing to maintain an adequate security system. The court dismissed the California Customer Records Act claim as the plaintiffs were not damaged as Sony customers. Further, the court dismissed plaintiffs’ claims for violation of the Virginia Code and the Colorado Consumer Protection Act, because plaintiffs failed to allege injury resulting from the alleged untimely notification.

Plaintiffs’ negligence claim survived to the extent it was based on actual damages, such as costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit, even though they were prophylactic in nature because they were reasonable and necessary. The court denied the motion to dismiss with respect to plaintiffs’ claim for violation of California Business and Professions Code Section 17200 on the same basis.

Finally, the motion was denied with respect to the California Confidentiality of Medical Information Act claim, because negligent maintenance of records, which allows someone to gain unauthorized access, may constitute a negligent release of medical information within the meaning of the Act. The plaintiffs did not need to allege an affirmative act to maintain this cause of action.

Please continue to monitor our blog for more updates on the Corona case and other news on privacy and data security.

20 Million Californians Impacted By Data Breaches in 2013

PVCY BLOG_Harris, KamalaThis week, California Attorney General Kamala Harris released the second annual Data Breach Report, which detailed the 167 data breaches reported to her office in 2013. These data breaches collectively impacted nearly 20 million Californians, reflecting the growing menace of cybercrime.

The AG’s Data Breach Report reflects an increase of over 600 percent in the number of affected Californians since the 2012 report. This was largely due to the high-profile Target and Living Social data breaches, which exposed more than 7.5 million Californians. More than half of the 2013 breaches (53 percent) were caused by computer intrusions, described in the report as “malware” and “hacking.” The remaining breaches resulted from the physical loss or theft of laptops (26 percent) or other devices containing unencrypted personal information as well as unintentional errors (18 percent) and intentional misuse by insiders (4 percent).

The AG’s office provides key recommendations to California retailers to prevent future data breaches. Retailers should:

  • update their point-of-sale systems to the safer “chip-enabled” technology;
  • implement appropriate encryption solutions to devalue payment card data; and
  • respond promptly to data breaches.

These recommendations are significant, as the AG report indicates that the retail sector is most heavily targeted by cybercriminals, with 88 percent of that sector’s data breaches the result of criminal enterprises.

Full details can be found in the AG’s report here at pages16-24.

Image courtesy of Wikipedia.