Feb 20, 2019

Ding! Ding! Ding!

I think we have our first W-2 phishing report of this year, although of course I may have missed other ones. This one involves the Centinela Valley Union High School District in California. From their notification to the state:

As a follow up to the email sent to you on January 31, 2019, we wanted to provide you additional information about the recent incident involving your personal information.

What Happened

On January 31, 2019, we learned that one of our employees received a phishing email designed to appear as if it came from one of our other employees. Upon discovery, we immediately began an investigation to determine the scope of the incident and to verify what information may have been affected. We also notified the IRS, state tax boards, and federal law enforcement authorities, and we are cooperating with their ongoing investigation.

As a result of this phishing incident, an unauthorized individual may have obtained IRS Form W-2 information for our employees, including employee names, addresses, Social Security numbers, and 2018 wage information.

Read more of the full notification here.

As of the 2008-2009 school year, the district had 614 employees. I do not yet know the current number, however.

Feb 20, 2019

Ertuğrul Can Canbolat LL.M., Baran Can Yildirim, LL.M. and S. İrem Akin of Actecon write:

Article 12 of the Turkish Data Protection Law No. 6698 (“Turkish Data Protection Law”) entitled “Obligations Regarding Data Security” deals with the obligations of the data controller.

Article 12/1 of the Turkish Data Protection Law states the data controller shall take all necessary technical and organizational measures to provide a sufficient level of security. In addition, Article 12/5 of the Law obliges the data controller to notify the Board of Protection Personal Data (“Board“) as well as data subjects in case personal data is acquired through unlawful means by stating that “in case processed personal data are acquired by others through unlawful means, the data controller shall notify the data subject and the Board of such situation as soon as possible. The Board, if necessary, may declare such situation on its website or by other means which it deems appropriate.”

Read more on Mondaq.

h/t, @CampusCodi

Feb 20, 2019

Cameron Houston and Anthony Colangelo report:

A cyber crime syndicate has hacked and scrambled the medical files of about 15,000 patients from a specialist cardiology unit at Cabrini Hospital and demanded a ransom.

The attack is now the subject of a joint investigation by Commonwealth security agencies.

Melbourne Heart Group, which is based at the private hospital in Malvern, has been unable to access some patient files for more than three weeks, after the malware attack crippled its server and corrupted data.

So this is a situation in which we might understand why an entity would pay the demanded ransom, but in this case, the ransom may have been paid and yet the data were reportedly corrupted when the entity went to decrypt them.

Read more on The Age.

Feb 20, 2019

Saheli Roy Choudhury reports:

Microsoft said hackers targeted European think tanks and non-profit organizations which often have contact with government officials.

The attacks were carried out late last year through phishing campaigns to steal employee credentials and deliver malware, the tech giant said in a blog post on Wednesday.

The company said it detected attacks targeting employees of the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund through malicious websites and spoofed email addresses that looked legitimate.

Read more on CNBC.

Feb 20, 2019

Michael P. Rellahan reports:

A breach of Chester County government’s computer system via an internet bug led to intense work by county computer specialists over the Presidents Day weekend, but apparently has not led to any compromise of users’ information, a county spokesperson said Tuesday.

Chester County’s Department of Computing and Information Services (DCIS) detected and late last week responded to potential malware activity on the county’s computer network, getting assistance from third-party cybersecurity consultants, said Chester County Communications Coordinator Rebecca Brain.

Read more on The Daily Local. In response to the incident, the county sounds like it is really tightening up its security in some respects: it no longer allows employees to use county computers or the county network for personal use, among other changes.