Dec 12, 2018
 

Catalin Cimpanu reports:

Ships suffer from the same types of cyber-security issues as other IT systems, a recent document released by the international shipping industry reveals.


The document is the third edition of the “Guidelines on Cyber Security onboard Ships,” an industry-approved guide put together by a conglomerate of 21 international shipping associations and industry groups.


While the document contains what you’d expect it to contain – rules and guidance for securing IT systems onboard vessels – it also comes with examples of what happens when proper procedure isn’t followed.


These examples are past cyber-security incidents that have happened on ships and in ports, and which had not surfaced in the public eye until now.

Read more on ZDNet, where Catalin provides some chilling examples from the report. The guideline can be accessed from here, here, here, or here.

Dec 12, 2018
 

Michael Mayer of Faruki writes:

An Ohio federal district court recently handed down a ruling that will make companies storing client data breathe a sigh of relief.  In Williams-Diggins v. Mercy Health, Case No. 3:16-cv-1938 (N.D. Ohio), a patient sued a health system because of deficient patient information software.  (The defendant-health system certified that it subsequently completed updates and additional measures to address the issues with its software.)  The patient sought a nationwide class action lawsuit to pursue various claims, including breach of contract and violation of the Ohio Consumer Sales Protection Act.  The Court dismissed the lawsuit for lack of standing.

Read more on Faruki.  

Dec 10, 2018
 

Heather Landi reports:

Hackers are using the Dark Web to buy and sell personally identifiable information (PII) stolen from healthcare organizations, and exposed databases are a vulnerable attack surface for healthcare organizations, according to a new cybersecurity research report.


A research report from IntSights, “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” gives an account of how hackers are tracking down healthcare personally identifiable information (PII) data on the Dark Web and where in the attack surface healthcare organizations are most vulnerable.


The report explores a key area of the healthcare attack surface, which is often the easiest to avoid—exposed databases. 

Read more on Healthcare Informatics.

Dec 10, 2018
 

From the good folks at EPIC.org:

In a report released today, the House Committee on Oversight declared that the Equifax breach, which affected 148 million U.S. consumers, was “entirely preventable.” The breach, one of the largest in U.S. history, compromised the authenticating details, including dates of birth and social security numbers, of more than half of American consumers. The House report concluded that Equifax “failed to fully appreciate and mitigate” the cybersecurity risks and placed corporate growth over data security. Despite several agencies, such as the CFPB and the FTC, pledging to take action against Equifax, none have done so. The House Committee recommended that Equifax “provide more transparency to consumers” about data use and security practices and reduce the use of social security numbers as identifiers, longstanding priorities of EPIC. Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft.

Dec 09, 2018
 

Stuff reports on a case in New Zealand that was cited in a newly released annual report by the Privacy Commissioner. Disturbingly, the unnamed government agency not only failed to set a good example for data protection, but also responded poorly to an incident of insider wrongdoing that harmed a member of the public. Stuff reports:

A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s “sensitive” records.


He also changed the man’s file to add allegations of “improper conduct”.


When the government agency found out about the privacy breach it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation.

[…]


The commissioner has called for changes to the Privacy Act to introduce “meaningful consequences” for non-compliance, including for the commissioner to decide which cases should go to the tribunal and for the commissioner to take the claims.


Read more on Stuff. That the agency didn’t even apologize for the anguish or harm caused to the individual is concerning.

It is one thing to argue that you had policies and procedures in place that you monitored, and that despite that, an employee willfully managed to violate both. But then to give the affected individual nothing — not even a “We agree with you and have terminated the employee’s position with us” — well… there has to be more redress and/or compensation for those whose complaints are founded. And government agencies should be setting good examples instead of needing to be dragged before a tribunal or sued.

More information on the Privacy Commissioner’s 2018 Report can be found on the Commissioner’s website.

To jump directly to the annual report, go here.