GlobalSign Blog

NIST Unveils Post-Quantum Cryptography Standards – August NewsScam


Thanks for stopping by to check out our latest NewsScam. 

Fortunately, the world slowed down a bit in terms of major disruptions and hacks, because we definitely needed a break after July’s CrowdStrike chaos.

In terms of news in August, the most impactful story was something the cybersecurity marketplace has been expecting for quite some time – the unveiling of the first set of Post-Quantum Cryptography (PQC) standards. The August 13th announcement from the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) unveiled the three new standards, which are meant to protect sensitive information from the advanced computational power of quantum computers. According to NIST’s website, “Quantum computing technology is developing rapidly, and some experts predict that a device with the capability to break current encryption methods could appear within a decade, threatening the security and privacy of individuals, organizations and entire nations.”

A lot of people were also talking about the fallout from a massive hack earlier this year. The incident I’m referring to is the hack at National Public Data. The company’s official data breach notice indicated 1.3 million records may have been exposed, while other reports suggest the numbers could be much greater, possibly more than 2.7 billion. Naturally, the lawsuits are pouring in. This will be expensive for the owners of National Public Data, Jerico Pictures. 

Speaking of paying for a hack, on August 15th huge US telecoms provider T-Mobile was fined by the US government to the tune of $60 million. The fine stems from a breach that occurred in 2021. 

As for new breaches, both defense contractor Halliburton and carmaker Toyota announced incidents at their respective companies this month. 

Then, there’s the incident involving the UK government. It’s believed to have been a Russian government-sponsored incursion. While it was revealed in August, the incident occurred in January and was only reported to Britain’s data protection regulator on May 2nd.

An important development took place this month at Microsoft. In an August 16th blog post, the company announced plans to roll out mandatory Multifactor Authentication (MFA) for Azure products. The security measure will be mandatory beginning in October. 

Finally, the United Nations recently approved a draft for what’s been described as a global cybercrime treaty. Better known as the United Nations Convention Against Cybercrime, the idea behind it is the creation of a unified approach to combating cybercrime. Let’s hope this effort takes some of the bite out of the activities of bad actors around the world.

NIST Unveils Much-Awaited PQC Standards 

One of August’s most impactful stories was the unveiling of three new Post-Quantum Cryptography standards by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST). The new cryptographic standards NIST announced include the algorithms ML-KEM (originally known as CRYSTALS-Kyber), ML-DSA (originally CRYSTALS-Dilithium), and SLH-DSA (also known as SPHINCS+). NIST says these are the standards that will protect sensitive information from the advanced computational power of quantum computers. Tom Patterson, a former co-chair of the White House Cyber Moonshot working group, told Dark Reading that the announcement has become “the opening bell for many organizations around the world to really take this threat seriously and start working on it.”

Millions of Americans Impacted by Massive Hack 

The class-action lawsuits are piling up after a colossal U.S. hack in April that may have impacted nearly 3 billion people. According to CNBC, “in an official data breach notice filed in Maine, National Public Data indicated 1.3 million records may have been breached.” While those are the official numbers provided by the company, it is feared the actual number could be much higher. A lawsuit filed by a man named Christopher Hoffman in southern Florida claims the number is actually around 2.9 billion. The group behind the attack, “USDoD”, loaded data onto a dark web forum and has demanded a ransom fee of $3.5 million. It is feared that Personally Identifiable Information (PII) from the hack has already been used, or will be in the future, to conduct a variety of crimes against those in the class action suit. This could include crimes such as opening new financial accounts, taking out loans and filing fraudulent tax returns, all in the names of the breach victims, and especially the people involved in the class action suit.

UK Home Office Says it was Breached by Russian Foreign Intelligence Cyber Spies

Officials in the UK recently discovered the Home Office was breached by cyber spies affiliated with Russia’s foreign intelligence service. The incident occurred in January, though it was not reported to Britain’s data protection regulator until May 2nd. The breach, attributed to the Russian hackers tracked as Midnight Blizzard, actually stems from an incident at Microsoft, which also occurred in January. Midnight Blizzard – also known as Nobelium, APT29, or Cozy Bear – attacked Microsoft’s systems and gained access to emails of its senior leadership and some customers. If Midnight Blizzard sounds familiar, it’s probably because it’s the very same group behind the now infamous SolarWinds attack on the US government in 2020.

The UN Begins Work on a Global Cybercrime Treaty - Not Everyone is Happy About it 

On August 8th, the United Nations approved a draft for a global cybercrime treaty, known as the United Nations Convention Against Cybercrime. The treaty aims to create a uniform, globally accepted approach to combating cybercrime. The landmark draft agreement will go before the General Assembly in the fall, where 40 nations must vote to ratify it, per EuroNews. If that happens, it will become “the first global legally binding instrument on cyber crime,” per the Crime. The document calls for “adopting appropriate legislation, establishing common offences and procedural powers and fostering international cooperation to prevent and combat [cyber crime] more effectively at the national, regional and international levels.” Part of that entails instructing nations to establish domestic laws outlawing certain cybercrimes. While some see the treaty as a step forward, others view it as a human rights violation. Some critics have argued the treaty could be used by authoritarian regimes to stifle political dissent and infringe on privacy rights.

After a Year of Big Hacks Due to Lack of Multifactor Authentication, Microsoft Says it’s Mandatory for Azure beginning in October

Following several recent high-profile attacks involving companies like Change Healthcare and Snowflake, which were not using Multifactor Authentication (MFA), Microsoft announced mid-month that the security measure will be mandatory for Azure sign-ins beginning in October. MFA will be rolled out in two phases. Initially, customers will be required to use MFA for the Azure Portal, the Microsoft Entra admin center and the Intune admin center. Then, in early 2025, the MFA requirement will extend to the Azure Command Line Interface, Azure PowerShell, the Azure mobile app and infrastructure-as-code tools. Microsoft says that mandating MFA is part of a larger company security initiative – the Secure Future Initiative – that focuses on protecting identities and secrets by implementing trusted security standards.

Top Telecoms Provider T-Mobile Forced to Pay a $60M Fine 

Top U.S. telecoms provider T-Mobile has just been fined $60 million for negligence surrounding data breaches. Announced on August 15th, the fine was imposed by the U.S. Committee on Foreign Investment (CFIUS) for T-Mobile’s failure to prevent or disclose unauthorized access to sensitive customer data. The company might not have been fined had it not signed a national security agreement with CFIUS to protect consumer data when it finalized its merger with Sprint on April 1, 2020. Unfortunately, just one year later, T-Mobile suffered a major breach that impacted over 100 million users. That led CFIUS to determine that T-Mobile had violated the security agreement. Now T-Mobile must pay up.

But wait, there’s more…

Karakurt Ransomware Group Suspect Appears in US Courtroom – Data Breach Today
Azure Kubernetes Bug Lays Open Cluster Secrets – Dark Reading
Man Sentenced for Hacking State Registry to Fake His Own Death – Bleeping Computer
Swiss Manufacturer Schlatter Industries Recovers from Cyber Attack After 10 Days – Techzine.EU
Halliburton hit by cyberattack, certain systems impacted – Cybersecurity Dive
Helsinki braced for elevated cyber attacks – Computerweekly 
The Wiretap: How Cops Got A Toyota Dealership To Spy On A Loaner Car For 3 Weeks - Forbes
Most Ransomware Attacks Now Happen at Night - Infosecurity
Antitrust lawsuit filed against CDK Global leads to $100 million payout for car dealers - Quartz
Future Ford Vehicles Could get IoT Interference Detection – Ford Authority 
