Jan 10, 2019

Lucie Edwardson reports:

The United Conservative Party’s privacy policies are being questioned after a party laptop was stolen out of an employee’s car in a parkade.

The laptop contains the names, addresses and contact information of 40,000 UCP members.

Experts say the language used in the memo to inform members was confusing and didn’t answer important questions.

“This is clearly a matter that the party needs to improve their information protection practices,” said Sharon Polsky, president of the Privacy and Access Council of Canada, adding the party will have to regain public trust.

Read more on CBC.

I don’t see where there’s a serious risk of identity theft here. We’re talking about names, addresses, and contact info. That could be a phone book. Or a phone book with email addresses. Either way, it’s not like SIN with DOB and additional details.

That said, there is no reason that the whole drive wasn’t encrypted when the laptop was off. And if it wasn’t encrypted, why on earth was it left in an unattended vehicle? Yes, people should be asking the UCP specific questions about the training and policies they give employees. But who’s going to require them to answer those questions? No one?

Dec 28, 2018

BBC reports:

Almost 1,000 North Korean defectors have had their personal data leaked after a computer at a South Korean resettlement centre was hacked, the unification ministry said. 

A personal computer at the state-run centre was found to have been “infected with a malicious code”.

The ministry said this is thought to be the first large-scale information leak involving North Korean defectors.

The hackers’ identity and the origin of the cyber-attack is not yet confirmed.

Read more on BBC.

Dec 26, 2018

Liisa M. Thomas and Shanna M. Pearce of Sheppard, Mullin, Richter & Hampton LLP write:

In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is going into effect on January 1, 2019. South Carolina joins other states, including Connecticut and New York, to have breach notice requirements for insurance companies. The law will be a supplement to the requirements that financial companies, including insurance companies, already face under the Gramm-Leach-Bliley Act.

Companies must promptly investigate potential breaches under this new law. If a breach has occurred, they will often also have to notify the Director of Insurance within 72 hours. This notification must happen either if the company is regulated by the director or if the information of 250 South Carolina residents is affected. The same obligations apply when a vendor is impacted.

Read more on The National Law Review.

Dec 23, 2018

Davey Winder writes:

It hasn’t been the greatest week for the non-profit sector with the revelation that two well-known charities have fallen victim to less than charitable cyber con-artists. In the same week that the Save the Children Federation confirmed it had been scammed out of $1 million by email fraudsters, so the Wellcome Trust has revealed the email of four senior executives was compromised and sensitive information monitored for several months. Without wishing to be uncharitable, both of these cyber-attacks fall firmly into the ‘oldest trick in the book’ category.

Let me start by saying that I am not in the habit of victim shaming; the focus must be on the threat actor when it comes to attributing bad guy status. That said, as we fast approach 2019, I also think the time for pussy-footing around the lack of security awareness issue within many large organizations has long since passed. The Wellcome Trust is most certainly a large organization any which way you look at it; in fact, with some £26 billion of assets, it is the biggest charity in Britain. So, when I read in my copy of the Times today that no less than four senior executives were “misled into entering their passwords when sent a link to click on” my will to live starts fading away.

Read more on Forbes.

Dec 14, 2018

Todd Wallack reports:

Save the Children Federation, one of the country’s best-known charities, said it was the victim of a $1 million cyberscam last year.

The Connecticut-based nonprofit said hackers broke into a worker’s e-mail, posed as an employee, and created false invoices and other documents, to fool the charity into sending nearly $1 million to a fraudulent entity in Japan. The con artists claimed the money was needed to purchase solar panels for health centers in Pakistan, where Save the Children has worked for more than 30 years.

Read more on Boston Globe.