The Target: Workforce Safety & Insurance, North Dakota’s division of workplace safety and worker compensation.
The Take: Exposure of 182 records of Personally Identifiable Information including: emails between claimants and WSI, voice-mails containing information about said claims, and emails between WSI and their business partners.
The Vector: The attacker penetrated Klaviyo’s internal systems by tricking an employee to give up their company credentials through a phishing attack, allowing the threat actor to access systems with all the privileges of the stolen login.
This breach highlights critical need for employee training to protect a firm against phishing attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture. Furthermore, the sensitive information breached can lead to highly targeted spear-phishing attacks as it lends credence.
Business Live: Mid-market private equity firm LDC has sold its minority stake in Nottingham-based managed IT and cyber services provider Littlefish to Bowmark Capital following a three-year partnership.
CoinDesk: Coinbase (COIN) failed to properly secure customers' accounts, leaving them vulnerable to theft and unauthorized transfers, a putative class action lawsuit filed against the crypto exchange last week alleges.
CNN: Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.
IT World Canada: A specialty broker providing cyber insurance has found a way to attract business from Canadian small and medium-sized organizations: Partnering with a cloud provider that helps firms meet a cybersecurity standard.
The Washington Post: A ransomware gang is leaking documents revealing just how deeply they penetrated the systems of a U.K. water treatment plant that serves hundreds of thousands of customers, potentially gaining access to controls of the facility.
Fortune: With the pace of economic growth slowing and inflation at a multi-decade high, that has led many people living in the U.S. to start entertaining the “R” word: recession. In 2022 we’ve experienced what’s being coined a “technical recession,” or two consecutive quarters of negative growth in GDP (gross domestic product).
Reporter Wings: Many of Wall Street’s biggest banks are nearing agreements to pay as much as $200m each and admit that their employees’ use of personal messaging apps such as WhatsApp violated regulatory requirements, according to people familiar with the matter.
The Target: BharatPay, an India-based financial services firm providing cash deposits, fund transfers, and online purchasing.
The Take: Exposed 37,000 records of Personally Identifiable Information including: usernames, hashed passwords, mobile phone numbers, email addresses, transaction data (such as transaction ID and bank balance), and API keys.
The Vector: The cause of the attack was an outdated software version of PHP allowing the threat actor to inject malicious JavaScript code and have it executed. The firm had only last updated their software years ago in 2020. By exploiting a known issue, the attacker was able to penetrate the firm’s systems.
This breach highlights the ongoing and ever-present need for the regular and quick patching of all software relied upon by the firm for daily operation. When known vulnerabilities are fixed by the software company, and patches released to the public, it is incumbent upon the firm to take responsibility and deploy these patches immediately to avoid a loss of integrity and data which could have easily been prevented.
Verdict: Investment firm KKR has completed its $3.8bn deal to acquire cloud-first security company Barracuda as cybersecurity investments slow down.
Cyber Security News: The observations of “numerous” businesses ended up unveiled in a policy paper, released currently by the Department for Society, Media, and Sport (DCMS), which investigated the encounters of cyber attacks on UK firms.
SEC: The Securities and Exchange Commission announced charges against three individuals for illegally tipping and trading in the securities of Equifax, Inc. in advance of the company's public announcement on September 7, 2017 that it had experienced a massive cyber intrusion and data breach.
ZDNet: It's often said that the most important things you can do protect your accounts and wider network from hackers is to use multi-factor authentication (MFA).
Nasdaq: British cybersecurity firm Darktrace Plc DARK.L said on Monday it was in the early stages of discussions with tech investment firm Thoma Bravo regarding a possible cash offer.
SEC: The Securities and Exchange Commission today charged 18 individuals and entities for their roles in a fraudulent scheme in which dozens of online retail brokerage accounts were hacked and improperly used to purchase microcap stocks to manipulate the price and trading volume of those stocks.
Help Net Security: Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise, and the rise of brand impersonation in credential phishing attacks.
The Target: Klaviyo, an email marketing firm.
The Take: Exposure of client’s Personally Identifiable Information including: names, addresses, emails, phone numbers, and two internal customer lead lists.
The Vector: The attacker penetrated Klaviyo’s internal systems by tricking an employee to give up their company credentials through a phishing attack, allowing the threat actor to access systems with all the privileges of the stolen login.
This breach highlights critical need for employee training to protect a firm against phishing attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.
Financial Advisor: When Elon Musk announced Tesla employees would be required to spend at least 40 hours per week in the company office, the world’s richest man raised eyebrows for overlooking employee needs and preferences.
Dark Reading: Amazon Web Services (AWS) and Splunk are leading an industry effort of 18 systems and security vendors to standardize how different monitoring systems share security alerts. The goal is to deliver a simplified and vendor-agnostic taxonomy to help security teams ingest and analyze security data faster.
BNN Bloomberg: Cisco Systems Inc. said it was the victim of a cyberattack in which a hacker repeatedly attempted to gain access to the Silicon Valley firm’s corporate network.
FINRA: The new Complex Investigations and Intelligence (CII) team and Cyber and Analytics Unit (CAU) are driving a shift in terms of how Member Supervision’s National Cause and Financial Crimes Detection Program comes at its work and leverages intelligence and analytics to drive decision making and operations.
World Economic Forum: Cyber risk is one of the main challenges that organizations face today. The World Economic Forum's Global Risks Report 2022 highlights how cyber threats have intensified through digital transformation and growing digital dependency.
Stuff: KiwiSaver and pension fund manager Booster is warning 7566 of its savers to be on alert for scam callers and phishing emails after a massive data breach.
Zawya: Inflation, cybersecurity and risk of a potential recession are key concerns for UAE investors, with as many as 45% of them holding off on big purchases and 72% concerned about the long-term impact on retirement savings, a report said.
The Target: Wiseasy, an Android based digital payments company.
The Take: Exposure of payment information, system admin credentials, plain-text passwords for WiFi networks the app was connected to, and client personal information including: names, phone numbers, email addresses.
The Vector: Compromised employee credentials were sold on the dark web, allowing the attackers to login and act as legitimate users to make configuration changes and view sensitive information.
As Wiseasy had no multi-factor authentication set up on employee accounts, the exposed credentials let attackers fully access their internal systems and perform actions with every permission the breached accounts had access to. This security lapse is a stark reminder of the importance of having proper multi-factor authentication enforced on any and all accounts that have access to critical internal services.
Tech Monitor: The way listed companies report on cybersecurity risk is not meeting the needs of investors, according to a new report from the UK’s Financial Reporting Council. Limited or ‘boilerplate’ disclosures are an indication that a company does not take cybersecurity seriously enough, investors told the Council.
The Hill: Cybercrime is now so ubiquitous that the question is not when an attack will occur on a business, individual, or government — It’s whetherthe victim is resilient enough to deal with the consequences.
BBC: The party said it had changed its plans for the contest, which will decide the next prime minister, after consulting with security agency GCHQ.
Tech Crunch: The U.K.’s Competition and Markets Authority (CMA) has provisionally greenlighted the proposed $8.1 billion merger of cybersecurity companies NortonLifeLock and Avast, with Microsoft emerging as an unlikely ally as the two companies seek to push the deal over the line.
Coin Desk: The Solana ecosystem appears to be the victim of crypto’s latest exploit, with users reporting their funds have been drained without their knowledge from major internet-connected “hot” wallets including Phantom, Slope and TrustWallet.
Help Net Security: As the stock market dropped more than 20% in 2022 and prices rise at the pump and grocery store, there are some markets that have shown their ability to weather the storm and retain strong demand and growth even amongst broader market turmoil. One example of this: the cybersecurity market.
Debevoise & Plimpton: On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules, which include a mandatory 24-hour notification for cyber ransom payments, annual independent cybersecurity audits for larger entities, increased expectations for board expertise, and tough new restrictions on privileged accounts.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
84 Chain Lake Drive, Suite 501
Halifax, NS
Canada, B3S 1A2
+1-902-429-8880
Manila
Ground Floor, Three E-com Center
Mall of Asia Complex
Pasay City, Metro Manila
Philippines 1300
Sydney
Level 36 Governor Phillip Tower
1 Farrer Place Sydney 2000
Australia
+61 (2) 8823 3370
Abu Dhabi
Floor No.15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy