Excerpt from the U.K. Information Commissioner Office's monetary penalty notice against Equifax

Why Was Equifax So Stupid About Passwords?

Mathew J. Schwartz • September 24, 2018

Massive, well-resourced companies are still using live customer data - including their plaintext passwords - in testing environments, violating not just good development practices but also privacy laws. That's yet another security failure takeaway from last year's massive Equifax breach.

Cybercrime

Protecting the Grid: How IIoT Changes the Game

Latest

Data Loss

Twitter Bug Sent Direct Messages to External Developers

Jeremy Kirk • September 24, 2018

Twitter has fixed a bug that sometimes sent a user's direct messages not only to the specified recipient, but also to unrelated external developers. The social networking service is notifying more than 3 million affected users and has requested that unintended recipients delete the messages.

Fraud

Winning the Battle Against New Account Fraud

Nick Holland • September 24, 2018

With the abundance of PII available on the dark web, there has been an explosion of synthetic identity fraud. Michael Lynch of InAuth discusses how device and user data can be leveraged to combat the fraudulent opening of new accounts.

Electronic Healthcare Records

Opioid Crisis Raises Tough Privacy Issues

Marianne Kolbasuk McGee • September 21, 2018

As CISOs, CIOs and privacy officers look for ways to boost the timely, secure sharing of healthcare information to improve treatment, one obstacle that potentially stands in the way is CFR-42 Part 2, a 1970s-era regulation. Dozens of healthcare organizations are pushing Congress to change that regulation.

Business Continuity Management / Disaster Recovery

Scotland's Arran Brewery Slammed by Dharma Bip Ransomware

Mathew J. Schwartz • September 21, 2018

Scotland's Arran Brewery fell victim to a Dharma Bip ransomware attack that infected its Windows domain controller and crypto-locked files and local backups, leading to the loss of three months' worth of sales data. The brewery refused to pay the attackers' two bitcoin ransom demand.

Business Email Compromise (BEC)

Business Email Compromises Fuel Procurement Fraud

Nick Holland • September 21, 2018

Business email compromises have been at the center of a number of procurement fraud scams, says Allan Stojanovic, a security architect and analyst at the University of Toronto, who describes the fraud and why it's so difficult to thwart.

Cybersecurity

Defending Against Next-Generation DDoS Attacks

Nick Holland • September 21, 2018

DDoS attacks have increased significantly in scale via IoT botnet attacks. Gary Sockrider of Netscout Arbor discusses best practices for dealing with this significant threat.

Anti-Fraud

Using Machine Data Analysis to Detect Fraud

Nick Holland • September 21, 2018

Connecting the dots between disparate forms of machine data can prove to be valuable in discovering fraud patterns, says Jade Catalano of Splunk, who explains how.

Application Security

Securing Software Automation, Orchestration

Varun Haran • September 21, 2018

Seeking better operational efficiency and ROI, many enterprises have begun significant software automation and orchestration efforts without accounting for the inherent security risks they may bring, says Jeffery Kok of CyberArk.

General Data Protection Regulation (GDPR)

When Will GDPR Show Its Teeth?

Nick Holland • September 21, 2018

The latest edition of the ISMG Security Report takes a look at the EU's General Data Protection Regulation, including the outlook for enforcement and common misconceptions about its provisions.

Governance

Hospitals Fined $1 Million After TV Crews Film Patients

Marianne Kolbasuk McGee • September 20, 2018

HIPAA privacy violations can come in many forms. Case in point: Federal regulators have smacked three Boston hospitals with settlements totaling nearly $1 million for allowing crews for the documentary TV show "Save My Life: Boston Trauma" to film on their premises without obtaining authorization from patients.

Application Security

Equifax Hit With Maximum UK Privacy Fine After Mega-Breach

Mathew J. Schwartz • September 20, 2018

Credit bureau Equifax has been hit with the maximum possible fine under U.K. law for "multiple failures" that contributed to its massive 2017 data breach, including its failure to act on a critical vulnerability alert issued by the U.S. Department of Homeland Security.

Data Breach

'Magecart' Card-Sniffing Gang Cracks Newegg

Jeremy Kirk • September 20, 2018

Online retailer Newegg is investigating a malware attack that may have stolen customers' payment card details for more than a month. Security firms have traced the heist to Magecart, a loose affiliation of cybercrime gangs also tied to payment card data breaches at British Airways and Ticketmaster.