The “business compromise email”  is what the FBI calls the “$5 billion scam,” but apparently an insurance company did not agree with an insured company that they had been the victim of a crime.

A federal court recently found that a crime policy afforded coverage for a $4.8 million wire transfer that an insured company was duped into making.  See Medidata Solutions, Inc. v. Federal Ins. Co., 15-CV-907 (SDNY July 21, 2017).   In this case, the thief took advantage of “real” facts, posing as the insured’s attorney for a corporate transaction.   More specifically, the insured was contemplating an acquisition and, as part of that process, the president instructed the finance department to be prepared, on an urgent basis, to assist with the transaction.  Continue Reading Court Holds Crime Policy Covers Business Compromise Email Loss

Written by Amy Malone

Last week the FBI released a fraud alert warning financial institutions that cyber criminals have been using tactics such as spam and phishing emails to obtain employee log-in credentials.  After obtaining the credentials the hackers initiated wire transfers oversees.  A few days after the alert, Bank of America, JPMorgan Chase  and Wells Fargo suffered service outages that prevented access to their websites.  According to security experts, such outages were likely caused by denial of service attacks that disrupt the service to websites by overloading the servers with traffic so that they cannot respond to legitimate requests.

These attacks have been aimed at financial institutions, but are a good reminder to all organizations that cyber security remains an important aspect of your company’s overall security.  Technology is constantly changing and hackers are always finding new ways to penetrate systems so it’s important for organizations to analyze their systems and make updates as necessary.

Where do you start?  Below are a few tips for combating cyber security threats:

1) Remain vigilant.  No security system is 100% secure so it’s important to review the safety measures you have in place and identify gaps.  A good way to identify such gaps is by hiring a third party to perform penetration tests on your systems.  Malicious attacks are simulated in penetration tests which will enable your organization to identify how your protections fail.  It’s also important to run regular scans of your network for vulnerabilities and make sure your firewalls are as strong as possible.  Investing in security technology before you have a breach will save your organization time and money in the long run.

2) Train your employees.  According to a recent article published by Computerworld, most data breaches are inadvertently caused by employees.  An organization can have the most robust cyber security system available, but if employees are not trained and re-trained about the importance of protecting sensitive information then there are going to be data breaches.  It’s important to educate employees on how to protect information, including the threats posed by spam and phishing emails.

3) Encrypt, encrypt, encrypt.  Encryption of information at all stages will  information useless if it is obtained during a hack.

4) Vet your vendors.  Is your company providing sensitive information to third parties (storing documents offsite?  That counts!)?  If so, it’s essential that your company conduct reviews of vendors to ensure their security measures meet your standards.   What about your vendor’s vendors?  See our previous blog here discussing that topic.

Protecting your company’s personal information is an on-going challenge.  If you need help building your data security program contact any member of your Mintz Levin service team, or one of Mintz Levin’s privacy lawyers.

Written by Stephen Bentfield

Today’s Washington Post includes a front page article that should serve as a warning to any employer about increasingly sophisticated social engineering attacks that exploit one key vulnerability that is essentially immune to technical solutions:  their employees.  Social engineering attacks work by exploiting the natural human tendency to trust and thereby tricks the recipient into believing the contents of the communication is safe.  Using bogus emails and phony websites, hackers can install programs to steal information, spy on the organization, or even disrupt operations.  This is the fourth story in the Post’s ongoing cybersecurity series, Zero Day: The Threat in Cyberspace.

The backdrop for the article is a series of recent spear phishing attacks that have targeted specific employees of intelligence contractors, utility executives, and industrial-control security specialists.  For many of the attacks, seemingly innocuous email messages that appeared to originate from trusted contacts were, in fact, cyberweapons that were part of a sophisticated and large-scale social engineering attack intended to trick the recipient into circumventing the organization’s security controls.

In a typical spear phishing attack, hackers employ email messages and similar communication methods that appear to come from a colleague or friend but which actually contain malicious code buried in a phony web site link or email attachment.  Once the recipient clicks on the link or opens the attachment, the malicious code (often a remote access tool or “RAT”) is delivered and buries itself within the targeted network.  Such malware often will reach out to the hacker, typically through an encrypted message or cloaked in what appears to be run-of-the-mill internet browsing, who then uses this secret back-door to install other malicious software to take control of the target company’s computers.  These attacks can persist for months or even years in some instances, and allow the hacker to steal customer financial information, take sensitive corporate data, or even hijack industrial control systems.

 

Two main characteristics really distinguish this new wave of spear phishing attacks.  First, hackers are starting to target specific individuals within a specific organization (sometimes high-level executives, but often low-level employees), who the hacker then studies to gather personal information that can be used to manipulate him or her.  The target profile can be derived from an array of sources, including social media sites like Twitter, Facebook, and LinkedIn, as well as through other data mining techniques.  Using this target profile, the hacker then includes specific details relating to the targeted individual in an effort to lower their guard and entice them into launching the hidden malware.

Companies spend fortunes on technical solutions to protect their networks, but ignoring this human vulnerability can render the technology investment utterly worthless.  Even the best security technology must be supported by solid security policies and practices.  Here are a few recommendations:

  • Ensure that employee security training programs include information on social engineering and how to identify a potential spear phishing attack.
  • Require all new hires to go undergo comprehensive security training as part of onboarding process, and provide periodic security reminders to all employees (which is an “addressable standard” (not required) under HIPAA, but is required under Massachusetts law).  Building employee awareness of security threats can help prevent complacency.
  • Ensure that employees know the proper procedures for reporting suspected security incidents and the individual(s) to whom they should report such events.
  • If a spear phishing attack is detected, immediately issue an organization-wide alert so that other employees will watch for and identify suspicious communications.
  • Integrate social engineering and spear phishing attacks into the organization’s security incident response plan and training practices.

Written by Kevin McGinty

Nearly as predictable as the sun coming up in the morning, the recent theft of 6.5 million LinkedIn user passwords has resulted in the filing of a class action lawsuit in a California federal court.  In her complaint, a LinkedIn premium subscriber asserts claims on behalf of all LinkedIn users for breach of implied and express contractual obligations, negligence and violation of California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200.

Although the attack affected the passwords of just over 5% of LinkedIn’s approximately 120 million users, plaintiff purports to assert claims on behalf of all LinkedIn users.  Although plaintiff alleges classwide damages in excess of $5,000,000 (the jurisdictional threshold for federal court jurisdiction over the state law claims advanced in the complaint) it is unclear what damages plaintiff alleges that the class actually sustained by reason of merely losing passwords.  Some commentators have hypothesized that the propensity to use a single password for multiple online accounts could result in losses where non-LinkedIn accounts are accessed using an individual’s LinkedIn password.   Proving that such losses have occurred, however, would require highly individualized showings that would likely preclude adjudicating plaintiff’s claims as a class action.  Even less clear is what conceivable damages were allegedly sustained by LinkedIn users whose passwords were not stolen.  Thus, as with most privacy class actions, damages issues appear to pose the greatest obstacle to the success of the claims against LinkedIn.

4:44 PM — LinkedIn has confirmed reports of hacking –

http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

 

It’s time for a little password hygiene.

ZDNet reports that a Russian organization claims to have downloaded over 6.4 million passwords from LinkedIn.  They also report that some 300,000 of them may have already been accessed.  LinkedIn has yet to confirm these details and continues to investigate if any security breach has occurred.

All LinkedIn users are encouraged to change their passwords —  and, as we’ve advised with respect to other hacks,  if you use your LinkedIn password for multiple sites you may want to update passwords for those sites as well.  Users should also be aware that the hackers may send phishing emails in attempts to gain more information about them or may use the information accessible on LinkedIn to exploit in social engineering attacks.

Read more about this latest hack –

Los Angeles Times

Forbes

The Guardian

The Sun