This Month in Cybersecurity
When it comes to the new year, 2022 has a familiar ring to it in more ways than one. Just like the year before, cybersecurity risks continue, with ongoing threats to sensitive data, major logging frameworks vulnerable, and payouts to some impacted customers again being made. While you might have recommitted to your personal exercise or diet plan on Jan. 1, consider also recommitting to your organization’s data security initiatives in light of just a few of the big stories that kicked off the new year.
Log4Shell Vulnerabilities and Risk Continue
According to Microsoft and cybersecurity professionals worldwide, Windows and Microsoft Azure customers should continue to remain alert to potential cyberattacks related to the recent Log4Shell vulnerabilities in the popular Java logging framework Log4j.
The December zero-day vulnerability could take years to resolve, according to Microsoft. The company rolled out a Log4j dashboard to help security teams find patches for software and devices affected by Log4Shell, which, according to Microsoft, could potentially lead to cyberattacks and data breaches on par with or greater than the 2017 hack of Equifax. Organizations should heed Microsoft's advice when it comes to remaining vigilant.
REvil Ransomware Group Charged and Dismantled
According to the BBC, Russian authorities report the dismantling of the ransomware crime group REvil, with several members charged. While the US had offered a healthy reward for information, it doesn’t appear any Russian gang member will be extradited to the US for their organized malicious software and theft of cash and cryptocurrency.
The article notes that during last summer’s Geneva Summit, Russia's President Putin and US President Biden agreed to open discussions about how to combat the scourge of ransomware. The arrest of REvil, one of the most prolific ransomware gangs, is a significant step in addressing cybercrime.
Mobile Operators Under Pressure to Report Breaches
In response to recent breaches, the US Federal Communications Commission (FCC) is proposing new rules requiring mobile operators to report network hacks. This move would better align mobile operators with national and state laws covering security lapses. Operators would be required to report data breaches to the FCC in addition to the US Secret Service and FBI. The seven-day waiting period between operators informing the public and government would also be eliminated, helping to reduce delays in sharing information and collaborating on risks.
Large Banking Firm to Pay Up
A prominent investment firm has agreed to dip into its own piggy bank to the tune of more than $55 million to settle a lawsuit from customers. Security lapses at the firm left its customers' personal data at risk. More than 15 million customers were affected by these security breaches, and they will receive identity theft protection as well as be eligible to apply for reimbursement for their out-of-pocket losses. Substantial improvements to the firm's data security practices have been made to help protect data going forward.
Healthcare Data Breach Has Millions of Patients Feeling Unwell
Nearly 1.5 million hospital patients at a large system in the United States were recently notified that their personal information was involved in an earlier data breach via a third-party medical provider with access to the healthcare system’s sensitive data. Names, addresses, Social Security numbers, bank account information, and more were included.
IT experts have noted that countries where healthcare is extremely expensive are the leading targets for cybercriminals to steal and monetize personal health information, which can be more valuable than stolen credit card information, selling for up to $500 or more on the dark web for fake medical claims, prescriptions or identities.