Approximately 773 Million Records Aggregated from Data Breaches Made Publicly Available
Last week, it was discovered that hackers had made publicly available a collection of records aggregated from various data breaches, comprising 772,904,991 unique email addresses and 21,222,975 unique passwords. Researcher Troy Hunt, who is also a Microsoft Regional Director, helped alert the public to this breach and said, “Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totaled over 12,000 separate files and more than 87GB of data.” According to Wired, “That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size.”
Massachusetts Data Breach Notification Law Amended
Governor Charlie Baker recently signed a law that amends the data breach notification requirements for the state of Massachusetts. According to Bleeping Computer, the new law “amends the state's data breach law removing the fees imposed by credit reporting agencies for security disclosures and freezes of consumer credit reports. […] One of the most important amendments for individuals affected by data breaches is that companies will be required by law to ‘contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months.’ […] The new amendments to the Massachusetts law also forbid companies that have experienced security attacks that have led to data breaches from waiving the individuals affected by that incident to waive their right to a ‘private right of action as a condition of the offer of credit monitoring services.’” These amendments will take effect on April 11, 2019.
Palo Alto Networks Unit 42 Discovers Malware That Evades Cloud Security Detection
On Thursday, Palo Alto Networks Unit 42 reported the discovery of malware that evades detection by cloud security products. According to Unit 42, “During our analysis, we realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.” The Hill noted, “The report is particularly concerning as more and more private and public groups move toward using the cloud for online data storage purposes. This research indicates that the protections in place could be disabled.”
World Economic Forum Ranks Cyberattacks a Top 10 Global Risk
According to the recently released “Global Risks Report 2019” by the World Economic Forum, cyberattacks were ranked a Top 10 global risk in terms of both likelihood and impact. The report states, “Last year […] provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds. […] A large majority of respondents expected increased risks in 2019 of cyber-attacks leading to theft of money and data (82%) and disruption of operations (80%). The survey reflects how new instabilities are being caused by the deepening integration of digital technologies into every aspect of life.”
Cybersecurity Reports and Surveys Roundup
We’ve rounded up a few of the best cybersecurity reports and surveys released last week: