learn more
<https://castlehalldiligence.com>
shutterstock_490960141-1

Industry News: ESG5

Know Your Breach: SpiceJet

The target: SpiceJet, one of India’s largest privately owned airlines.

The take: Private information of more than 1.2 million passengers including: Full names, phone number, email address, date of birth and a month’s worth of flight information.

The attack vector: SpiceJet’s IT systems were cracked through a brute-force attack of an extremely weak password. Once the system was penetrated, an unencrypted database backup file was discovered containing the millions of readable records.

This breach highlights the importance of secure password practices which should be applied at all levels across a firm. In addition, wherever personally identifiable information is concerned, extra care is advised as their compromise can enable highly effective phishing campaigns and identity theft.

Read more...

UK’s Cybersecurity Sector Now Worth £8.3 Billion, But Is a Skills Gap Looming?

2020-01-30

CBR: The UK’s cybersecurity sector is now estimated to be worth more than £8.3 billion, a significant rise of 46 percent from £5.7 billion in 2017, but a skills gap could be a major disrupter in the coming years.

Read more...

ForgePoint Capital Strengthens Investment Team By Adding Leading Cybersecurity Experts And Promotes Manoj Ramachandran to Vice President

2020-01-28

Cision: ForgePoint Capital announced the promotion of Manoj "MJ" Ramachandran to Vice President and that Shane Shook, an expert in the field of cyber forensics, and former Cyxtera Technologies CIO Leoncio "Leo" Casusol have joined the firm as venture consultants.

Read more...

CEOs are Deleting Their Social Media Accounts to Protect Against Hackers

2020-01-28

ZDNet: Professional services firm PwC surveyed over 1,600 CEOs from around the world and found that cyberattacks have become the most feared threat for large organisations – and that many have taken actions around their personal use of technology to help protect against hackers.

Read more...

2019 Saw More Cryptocurrency Hacks Than Any Other Year

2020-01-28

ZDNet: In 2019, hackers have successfully breached 11 major cryptocurrency exchanges and have stolen more than $283 million worth of cryptocurrency, according to blockchain analysis firm Chainalysis.

Read more...

SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices

2020-01-27

SEC: The observations highlight certain approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.

Read more...

NFL Twitter Accounts Hacked, Including Those of Super Bowl-bound Chiefs and 49ers

2020-01-27

NBC News: OurMine, a Saudi hacking account that promotes its own cybersecurity services, said it hacked a number of the league's accounts on its Twitter page. The first team to be exposed appeared to be the Chicago Bears.

Read more...

Hackers Acting in Turkey's Interests Believed to Be Behind Recent Cyberattacks

2020-01-27

Reuters: Sweeping cyberattacks targeting governments and other organizations in Europe and the Middle East are believed to be the work of hackers acting in the interests of the Turkish government, three senior Western security officials said.

Read more...

Know Your Breach: Microsoft

The target: Microsoft

The take: 250 million Call Centre records which included full conversations between service agents and customers, as well as a portion of customer emails, internal notes and IP addresses.

The attack vector: Cloud databases across five different online servers were left unsecured, as a misconfigured security group left them exposed to the internet. These records could be used in extremely targeted and effective phishing campaigns against customers, impersonating Microsoft support agents and referencing internal case numbers and topics discussed.

This breach again raises the critical consideration that effectiveness of an organization’s security relies on vigilant processes and validations where cloud technology is concerned no matter the scale of the infrastructure or the pedigree of the firm.

Read more...

EY Survey: LPs Think You Overestimate Your Cybersecurity Strength

2020-01-23

Private Equity International: The increasing use of technology by private equity funds seems to have struck a chord with LPs, who disagree with their managers over how prepared the latter are for cyberattacks, according to the seventh annual EY Global Private Equity Survey.

**Access to article requires a subscription**

Read more...

Greek Top Court Approves Extradition of Cybercrime Suspect

2020-01-23

Reuters: Greece’s top administrative court has ruled in favor of extraditing to France a Russian man suspected of laundering billions of dollars in digital currency, a judicial official said.

Read more...

Drawbridge Partners Appoints VP of Business Development

2020-01-23

Hedge Week: Drawbridge Partners, a cybersecurity software and services firm specialising in the needs of hedge fund and private equity managers, has appointed Lyons as Vice President of Business Development. 

Read more...

UN Calls for Investigation After Saudi Crown Prince Implicated in Hack of Jeff Bezos' Phone

2020-01-23

CNN: UN experts said they are "gravely concerned" by information they have received suggesting that a WhatsApp account belonging to Saudi Crown Prince Mohammed bin Salman was used to deliver spyware to the mobile phone of Amazon CEO Jeff Bezos.

Read more...

Cybercrime Laws Need Urgent Reform to Protect UK

2020-01-22

The Guardian: Britain’s cyber-defences are being endangered by the outdated Computer Misuse Act, which prevents investigators from dealing effectively with online threats while over-punishing immature defendants, according to a legal report.

Read more...

Dubai Financial Services Authority Supports National Cybersecurity Strategy by Launching a Cyber Threat Intelligence Platform

2020-01-22

Mondovisione: The Dubai Financial Services Authority (DFSA) launched the first financial regulator-led Cyber Threat Intelligence Platform (Platform) in the region in collaboration with the Dubai Electronic Security Center (DESC), the National Computer Emergency Response Team for the UAE (aeCERT), the Computer Incident Response Center Luxembourg (CIRCL) and the Open Source Threat Intelligence and Sharing Platform Project (MISP). 

Read more...

Equifax Must Spend ‘A Minimum of $1 Billion’ for Data Security

2020-01-22

Compliance Week: Last year, Equifax agreed to pay up to $700 million in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and a coalition of 50 attorneys general.

Read more...

Know Your Breach: LimeLeads

The target: LimeLeads, a San Francisco-based business-to-business leads generator.

The take: 49 million user records including: full name, title, user email, employer/company name, company address, company total revenue and estimated number of employees.

The attack vector: LimeLeads did not set up a password for the internal database which was hosted on a publicly accessible server, meaning anyone with an internet connection was able to access the data and scrape a copy. The highly specific personal details of the data could lead to extremely effective spear-phishing campaigns targeting high level individuals.

The security of intended internal systems is as critical as external facing ones. Adopting stringent cybersecurity policies across all areas of access, whether internal or external, is crucial to maintaining the integrity, confidential and availability of data.

Read more...

Cyber Security Firm McAfee Hires New CEO

2020-01-16

Reuters: McAfee LLC told Reuters it has hired Peter Leav, the former CEO of BMC Software, as its new CEO, replacing Chris Young, who created the cyber security company in its current form by carving it out of Intel Corp four years ago.

Read more...

Skyview Capital Acquires Fidelis Cybersecurity

2020-01-15

Cision: Skyview Capital, LLC ("Skyview") a global private investment firm, announced that it has acquired Fidelis Cybersecurity, Inc. ("Fidelis") from a consortium of investors. Terms were not disclosed.

Read more...

Ransomware, Phishing and Cyberattacks Scare Business Chiefs the Most

2020-01-14

ZDNet: Cyber incidents are considered the top risk to businesses globally, according to a survey of 2,718 executives across 100 countries, including CEOs, risk managers, brokers and insurance experts, with 39% listing this as their biggest worry.

Read more...

Smart, Savvy and Strategic Cyber Risk Management

2020-01-13

BusinessWorld: We regularly hear and read about hacks, security breaches and similar cybersecurity incidents that expose vulnerabilities in corporate and government digital security systems.

Read more...

Cybersecurity Threats Call for a Global Response

2020-01-13

IMF Blog: Last March, Operation Taiex led to the arrest of the gang leader behind the Carbanak and Cobalt malware attacks on over 100 financial institutions worldwide. This law enforcement operation included the Spanish national police, Europol, FBI, the Romanian, Moldovan, Belarusian, and Taiwanese authorities, as well as private cybersecurity companies. Investigators found out that hackers were operating in at least 15 countries.

Read more...

Banks Challenge Canadian Post-secondary Students to Create Cyber Solutions

2020-01-13

IT World Canada: Five of the country’s biggest banks are offering cash prizes to post-secondary students and recent graduates for creating possible solutions to improve the cyber security responses of financial institutions.

Read more...

Cybersecurity Startup Exits Total $11.3 Billion in 2013-2019

2020-01-13

The Times of Israel: There are 436 cybersecurity companies operating in Israel at various stages of development a new report by IVC Research Center, which tracks Israel’s tech industry, shows.

Read more...

Know Your Breach: North Carolina County

The target: Cabarrus County, a district of North Carolina in the United States

The take: $1.7 million dollars

The attack vector: A BEC, or Business Email Compromise. The attackers posed as one of the county’s contractors and requested their bank account be updated in time for the next payment. They spoofed legitimate documents including an electronic funds transfer form (EFT) and signed bank documentation. After receiving the bogus documents, Cabarrus County staff changed the vendor’s account to this new, fake one and continued with their scheduled payments.

This attack highlights the importance of security awareness campaigns that test and train employee’s abilities to spot and report suspicious emails. Additionally, controls should be in place wherever payments are processed to ensure that any requests to change payment instructions are reviewed and validated outside of an e-mail correspondence string.

Read more...

Interpol Leads Operation to Tackle Cryptojacker Infecting Over 20,000 Routers

2020-01-09

Yahoo Finance: International crime fighting agency Interpol has taken action to stem a plague of cryptocurrency mining malware afflicting computer routers across Asia.

Read more...

Barclays, Lloyds, RBS and HSBC All Hit by Travelex Cyber Attack

2020-01-08

Mirror: Some of the UK's biggest high street banks have been hit by a cyber attack on Travelex - with Royal Bank of Scotland, HSBC and Barclays among those left with no online travel money services.

Read more...

Anticipating the First Cybersecurity Enforcement Action by NYDFS

2020-01-06

Law.com: The question gets asked quite frequently in regulatory circles: “Will the New York State Department of Financial Services bring an enforcement action under its cybersecurity regulation, and if so, when?” The probable answers are “yes” and “soon.”

Read more...

Insight Partners to Buy Cybersecurity Firm Armis at $1.1 Billion Valuation

2020-01-06

Reuters: Insight Partners in April participated in a $65 million funding round for Armis that brought the company’s total funding to $112 million. That round was led by Sequoia Capital.

Read more

London Stock Exchange Denies Cyber Attack as UK Probes Trading Outage

2020-01-06

City A.M.: A British intelligence agency contacted the London Stock Exchange (LSE) in the past two months to request additional information about the outage on 16 August, the Wall Street Journal reported.

Read more...

UK Cyber Security Boss Ciaran Martin to Step Down

2020-01-06

Computer Weekly: Ciaran Martin, CEO of the UK’s National Cyber Security Centre (NCSC), is to step down later in 2020 after nearly seven years in charge of the government’s cyber security efforts.

Read more...

Department of Financial Services Issues Alert to Regulated Entities Concerning Heightened Risk of Cyber Attacks

2020-01-04

Department of Financial Services: There is currently a heightened risk of cyber attacks from hackers affiliated with the Iranian government. The Iranian government has vowed to retaliate against the United States for the death of Qassem Soleimani.  Given Iranian capabilities and history, U.S. entities should prepare for the possibility of cyber attacks. 

Read more...

Know Your Breach: Wyze

The target: Wyze, a Seattle-based smart home device maker.

The take: Email addresses, IP addresses, WiFi SSID’s and device information of 2.4 million customers.

The attack vector: During the deployment of a new database, a mistake by an employee removed all of the security protocols governing the system, thus exposing the information. In total, two exposed Elasticsearch databases and one MySQL production database were freely accessible and the attackers were then able to access and download the leaked information.

Deployment of new technology is a potentially critical point of vulnerability. Any changes intended for the production environment should be tested in a private staging environment and audited/tested wherever possible to avoid introducing gaps into a firm’s security posture.

Read more...

French Businessman Detained for Stealing €1.2 Million in Crypto From His Partners

2020-01-03

Bitcoin.com: An investigation launched on the request of a French startup has led to the indictment of a 37-year-old entrepreneur accused of stealing 182 BTC from the company he cofounded. Embezzlement of money is one the charges brought against him by the public prosecutor’s office in Paris.

Read more...

AI Offers an Edge as Cybersecurity Sector Consolidates

2020-01-02

The Wall Street Journal: The cybersecurity-vendor sector is set to trim some of its fat in 2020, venture-capital executives say, and companies that weave sophisticated technologies such as artificial intelligence into their products are the ones likely to succeed.

Read more...

FX and Payment Technology Expert Finablr Issues Statement Regarding Travelex IT Issues

2020-01-02

Finance Feeds: Travelex Ltd confirmed that a software virus was discovered on New Year’s Eve which compromised some of its online services. Travelex has taken all its systems offline as a precautionary measure and is currently providing foreign exchange services on a manual basis.

Read more...

Ghosts in the Clouds: Inside China’s Major Corporate Hack

2019-12-30

The Wall Street Journal: In one of the largest-ever corporate espionage efforts, cyberattackers alleged to be working for China’s intelligence services stole volumes of intellectual property, security clearance details and other records...

**Access to article may require a subscription**

Read more...

DIFC's Regulator Rolls Out Platform to Help Reduce Cyber-security Risks

2019-12-29

The National: The Dubai Financial Services Authority (DFSA) is planning to roll out a platform to help companies in the Dubai International Financial Centre implement appropriate safeguards to mitigate cyber risks.

Read more...

The Financial Conduct Authority and Cyber Resiliency

2019-12-27

JDSUPRA: The Financial Conduct Authority (FCA) aims to guide regulated firms on its expectations of their cyber resiliency. In 2018, the FCA warned regulated firms of the risks of outdated IT systems and the lack of effective cyber controls as a key area of vulnerability in an environment where it said that the threat level for cyber-attacks is “remarkable.

Read more...

UN Gives Green Light to Draft Treaty to Combat Cybercrime

2019-12-27

AP News: The U.N. General Assembly approved a resolution Friday that will start the process of drafting a new international treaty to combat cybercrime over objections from the European Union, the United States and other countries.

Read more...