Breaches – Page 15 – Cyber Law Watch

Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies

Apr 19 2017

The Food and Drug Administration (FDA), after a previous warning in 2014, threatens legal action against Abbott Labs if the company fails to address safety and security issues in implanted cardiac devices sold by St Jude Medical – a recent subsidiary acquired by Abbott Labs. The internet of things takes a much more serious tenure when it’s a medical device compared to your fridge!

The company recently purchased St. Jude Medical, which makes implanted cardiac devices that have been the subject of cybersecurity concerns. A warning letter issued by the FDA gives Abbott Labs 15 days to submit a plan to address errors in the products’ design that could allow hackers to tamper with the settings and drain the batteries of the devices. Many of the cybersecurity concerns first came to light after medical device security research firm MedSec submitted a report outlining a variety of alleged security flaws in St. Jude products to investment firm Muddy Waters Research (MWR). MWR subsequently publically announced the product design failures while short-selling St. Jude Medical’s stock in order to capitalise on the expected market response.

As the public increases its awareness of cybersecurity issues it becomes apparent that a failure to adequately consider these issues – as a day to day function of operating a business or prior to the acquisition of a new business – can result in significant damage to a company’s bottom line. The recent short-selling by MWR indicates the necessity for cybersecurity considerations to form central in a company’s business model, otherwise risk having its inadequacies called out in a public forum. And we are not even thinking about what litigation liability risk these sorts of issues might raise.

McDonald’s India (inadvertently) delivering more than just burgers in India

Mar 28 2017

By Cameron Abbott and Allison Wallace

McDonald’s has fallen foul of customer expectations after its McDelivery app leaked the personal information of about 2.2 million users.

Access to the names, emails, home addresses and phone numbers of users was made readily available due to a poorly configured server, according to security firm Fallible.

The fast food giant told the Times of India that the app is safe to use – but Fallible tested the app again after McDonald’s said it had updated it to fix the issue, and found that it was still leaking data.

Old-school data breach sees hospital investigated

Mar 28 2017

By Cameron Abbott and Allison Wallace

While health institutions around the world work to secure patients’ personal information and prevent the hacking or leaking of data from their systems, one Melbourne hospital is being investigated after medical records were found lying in a gutter in a nearby street.

Fairfax Media reports Australia’s Privacy Commissioner Timothy Pilgrim is investigating how the paper records of 31 patients of the John Fawkner Private Hospital were removed from the premises last month.

The documents, which were found by a local resident, were sent to both the Privacy Commissioner, and Victoria’s Health Complaints Commissioner.

Under current legislation, there is no obligation for the hospital to notify the affected patients that their privacy has been breached. All this will change under the new data breach notification laws, which were passed by the Australian government last month, and are expected to come into force within the next 12 months.

This breach is a timely reminder for all businesses, government agencies and other organisations covered by Australia’s privacy laws to take stock of how they store personal information – whether it be in a filing cabinet, on a hard-drive, or in a cloud – and ensure it is secure.

Is your IoT device putting you at risk?

Mar 21 2017

By Cameron Abbott and Giles Whittaker

As the uptake of IoT (Internet of Things) devices increases, industry experts question whether adequate cybersecurity measures are in place. While we are not surprised with the results of a recent survey, it has been confirmed that IoT devices represent the next big cybersecurity threat.

A Tripwire study found 96% of surveyed IT pros expect to see an increase in security attacks on IoT. The study acknowledges the promise of these devices in facilitating tasks and bringing convenience, but also notes the risk they pose as they’re not always built with security in mind. The study found the industries facing the biggest threat include energy, utilities, government, healthcare and finance with devices connecting the Industrial Internet of Things viewed as susceptible to serious consequences. David Meltzer, COO at Tripwire, says there must be a change in the level of preparation for such attacks or the realization of these risks will be experienced.

You are not alone! Rasomware attacks increase

Mar 21 2017

By Cameron Abbott and Giles Whittaker

While no one likes to admit that they have been caught out or victimised by cyber-attacks such as ransomware, what appears to be true is that a lot of organisations are. The lesson is that it is quite likely to happen so design your IT systems to give you a recovery option. No good having your back up encrypted as well!

A survey (reg. req.) of IT security decision makers by CyberEdge found that a whopping 61% of respondents’ organizations were victimized by ransomware in 2016. Among those hit by ransomware, 33% paid the ransom to recover their data, 54% refused to pay but recovered their data anyway, and 13% refused to pay and lost their data. In general, the report found the percentage of organizations being hit by successful cyber-attacks continues to rise, from 62% in 2014 to 70% in 2015, 76% in 2016, and 79% in 2017. Three in five respondents believe a successful cyber-attack is likely in the coming year.

Australia’s new data breach notification laws: what they mean for you

Feb 15 2017

By Cameron Abbott, Rob Pulham and Allison Wallace

Further to our blog post yesterday, we’ve prepared a summary into the implications of the Privacy Amendment (Notifiable Data Breaches) Bill 2017 that has now been passed by both houses of Parliament. Read our article here.

Baseball team pays a big price for hacking

Feb 07 2017

By Cameron Abbott and Allison Wallace

You may not have followed this but the America’s Major League Baseball (MLB) St Louis Cardinals had an employee who accessed the Astros’ system around 60 times over two years, gaining access with a password similar to that used by a Cardinals colleague who left the club to work for the Astros in 2011. (Also a little lesson there about password management one would think.)

Anyway Correa was last year fined nearly USD280,000, and sentenced to 46 months in Federal prison. Enough said. Read More

India’s top court asks WhatsApp, Facebook to please explain over privacy policy

Jan 23 2017

By Cameron Abbott and Allison Wallace

A petition to challenge messenger service WhatsApp’s privacy policy in India is gaining momentum, with the Supreme Court this week issuing notices to WhatsApp, its owner Facebook, and the telecom regulator TRAI to respond to the court within two weeks.

The petitioners are incensed over WhatsApp’s changes to its privacy policy in September last year, which saw it begin sharing users information with Facebook, including their phone numbers. Those who didn’t agree with the new policy were given the option to “opt out” by deleting the app. This announcement came two years after WhatsApp was acquired by Facebook. Read More

Privacy Commissioner investigates alleged sale of telco customer information

Nov 21 2016

By Cameron Abbott and Allison Wallace

Australia’s Information and Privacy Commissioner Timothy Pilgrim is making enquiries into allegations that the personal information of customers of three Australian telcos is being sold online.

Fairfax uncovered an alleged rort involving ‘corrupt insiders’ at the offshore call centres of Telstra, Optus and Vodafone, which has allegedly seen details including customers’ addresses, dates of birth and billing statements leaked to at least one private company in India, which is then allegedly selling the information for up to $1000.

Commissioner Pilgrim has said in a statement that he is working to determine what further action may need to be taken.

All three telcos have also released statements, reiterating that they take the privacy of their customers seriously. Vodafone and Optus have met with the AFP, which has now passed the matter on to Indian authorities.

Mirai Botnet knocks Liberia offline

Nov 04 2016

By Cameron Abbott and Rebecca Murray

After launching attacks on security expert Brian Krebs and the servers at Dyn, it appears as though the Mirai botnet has knocked the entire country of Liberia offline. Yes the country. Given the paucity of protections on the Internet of Things with even weaker controls on adequate passwords, Mirai has a powerful base to co-opt and launch from. That said a country is no mean achievement, albeit only with a population of 4.5 million and fewer than 10% of its citizens having internet access, the target was a small one. However, it is possible this attack is only the beginning for a new display of Mirai botnet’s capabilities. The attack peaked at a 500Gbps, a relatively modest figure when compared with the Dyn and Brian Krebs attacks.

Judging from the quick succession of recent attacks, we won’t be waiting long before we see another target of this highly effective botnet. Forbes has covered this in more detail here.

Catagory:Breaches