
Industry News: ESG5

Know Your Breach: Buchbinder

The target: Buchbinder, a German car rental company

The take: Personally Identifiable Information of 3.1 million customers, including names, emails, phone numbers, addresses, dates of birth, licence numbers, bank details and payment information. In total, over 5 million files were exposed, among them employee passwords that had been stored in plain text.

The attack vector: An unsecured backup database that required no credentials at all and was freely accessible to anyone with an internet connection. The database was discovered as part of routine scanning for unprotected databases.

This type of data is a prime target for threat actors seeking to carry out targeted phishing campaigns and BEC (business email compromise) attacks. Failure to implement robust practices can leave firms open to violations of data protection standards, and this case highlights the fact that protecting user data is the same as protecting the firm.

Read more...

UK Readies ‘National Cyber Force’ To Tackle Terrorists, Hostile Nations

2020-02-27

Silicon: The cyber force of hackers is due to be launched later in the spring, after many months of delays and turf wars between the Ministry of Defence and GCHQ, the Guardian newspaper reported.

Read more...

Email Scammers Are Savvier, and More Successful, Than Ever

2020-02-27

The Wall Street Journal: Email scams—often riddled with typos and written by non-native English speakers in Africa—were once crude attempts to steal money from inexperienced computer users. No more.

**Source may require registration/subscription

Read more...

'Almost 90% of it Could Have Been Prevented': How Wealth Managers can Fend Off Hackers

2020-02-26

City Wire: Former Federal Bureau of Investigation (FBI) special agent Scott Augenbaum offered his top tips for how wealth managers can protect their clients and their portfolios from hackers.

Read more...

Jupiter's de Blonay: the Financial Bet You Didn’t Expect to Boom

2020-02-25

City Wire: In a commentary piece, de Blonay, who runs the Jupiter JGF Financial Innovation fund, said the cyber security software market is estimated by industry experts to grow 8.6% per year to around $82bn by 2024.

Read more...

Seven Hackers Have Now Made a Million Dollars Each from Bug Bounties, Says HackerOne

2020-02-25

ZDNet: Hacking is growing, but in some cases, that's no bad thing. That's the main take-away from the annual report on the state of ethical hacking published by bug bounty platform HackerOne. As of 2020, the organization can boast a base of 600,000 white hat hackers; a community twice as big as the previous year, which altogether cashed in a record $40 million in bounties in the past 12 months. 

Read more...

FCA Admits Revealing Personal Details of 1,600 Consumers in Data Breach

2020-02-25

Evening Express: The Financial Conduct Authority (FCA) revealed the personal details of complainants on its website in response to a Freedom of Information (FOI) request, meaning the data was accessible by anyone between November 2019 and February this year.

Read more...

Australian Banks Targeted by DDoS Extortionists

2020-02-25

ZDNet: A threat group has been emailing victims with threats to carry out distributed denial of service (DDoS) attacks unless the organizations pay hefty ransom fees in the Monero (XMR) cryptocurrency.

Read more...

Know Your Breach: Crown Bank

The target: Crown Bank, a New Jersey based financial institution.

The take: $2 million USD

The attack vector: Cyber criminals impersonated the wife of the CEO using a fake email address and tricked the bank's employees into transferring funds multiple times. Using fraudulently created signatures of the CEO's wife attached to PDF files, the attackers convinced bank staff that the requests, and their urgency, were legitimate.

Failure to implement and follow internal validation procedures can have serious consequences, and where an attacker discovers and exploits a weakness, they are likely to attack again until they are discovered. Furthermore, failure to enforce a firm’s security and cash transfer control procedures can invalidate an attempt to recoup damages via an insurance claim.

Read more...

Are Your Clients Safe? Cybersecurity Expert Warns Wealth Managers Over Hacking Risks

2020-02-20

City Wire: Financial firms and their employees could be doing much more to protect their assets and those of their clients as cybercrime will become one of the biggest risks they face over the next decade, according to cybersecurity expert and former FBI agent Scott Augenbaum.

*Note full article may require free sign-up registration.

Read more...

Georgia, Backed by U.S. and Britain, Blames Russia for 'Paralyzing' Cyber Attack

2020-02-20

Reuters: Britain and the United States joined Georgia on Thursday in blaming Russia for a large-scale cyber attack last year that knocked thousands of Georgian websites offline and disrupted national television broadcasts.

Read more...

MGM Hack Exposes Personal Data of 10.6 Million Guests

2020-02-20

BBC: The data exposed included names, addresses, and passport numbers for former guests. MGM said it was "confident" no financial information had been exposed. The resort chain said it was unable to say exactly how many people were impacted because information that was exposed might be duplicated.

Read more...

Cybersecurity Strategies for the Adviser Industry

2020-02-20

Plan Adviser: Retirement plan advisers not only have rigorous cybersecurity responsibilities of their own—they also need to proactively help their plan sponsor clients establish airtight cybersecurity firewalls and procedures, industry experts say.

Read more...

ForgePoint Capital Raises $450M for its Second Cybersecurity Investment Fund

2020-02-19

Silicon Angle: The venture capital firm has been a prolific investor in cybersecurity startups. Investments included access control startup Remediant Inc. in August, app security startup NowSecure in June and IoT security provider Mocana Corp. in March. Fund II focus areas include cyber intelligence, privacy, security services and infrastructure protection.

Read more...

Dell Sells RSA to Consortium Led by Symphony Technology Group for Over $2B

2020-02-18

Tech Crunch: Dell Technologies announced that it was selling legacy security firm RSA for $2.075 billion to a consortium of investors led by Symphony Technology Group. Other investors include Ontario Teachers’ Pension Plan Board and AlpInvest Partners.

Read more...

Cybersecurity and Cannabis ETFs Launched by Former LGIM Team

2020-02-18

CityWireSelector: An ETF specialist boutique launched by four former Legal & General Investment Management (LGIM) employees has unveiled two thematic ETFs as it seeks to capitalise on future trends.

Read more...

Know Your Breach: United Nations

The target: The United Nations

The take: 400GB of data including: internal documents and emails, human resource records, database access, commercial information, and Active Directory access.

The attack vector: The threat actors compromised 42 servers in total by exploiting a known remote code execution vulnerability in Microsoft SharePoint. This let the attackers move freely within all of the IT systems. A patch had been released a few months prior to the breach, but the UN's IT department failed to deploy it at the time, leaving a significant window during which their systems were vulnerable.

This breach highlights the critical importance of maintaining an inventory of internal systems and software, and ensuring those systems are kept up-to-date. Security vulnerabilities can be exploited as soon as they’re identified, underlining the importance of adhering to a regular and frequent patching schedule.

Read more...

Nedbank Says 1.7 Million of its Clients May Have Been Hit by a ‘Data Incident’

2020-02-13

Business Insider: A company that sends out SMSes and emails on Nedbank’s behalf may have been hit by a data breach. The “data security incident” may have released the names, ID numbers, telephone numbers, physical and/or email addresses of 1.7 million Nedbank clients.

Read more...

Puerto Rico Loses US$2.6 Million in Phishing Scam

2020-02-13

CTV: Puerto Rico's government has lost more than US$2.6 million after falling for an email phishing scam, according to a senior official.

The finance director of the island's Industrial Development Company, Ruben Rivera, said in a complaint filed to police Wednesday that the agency sent the money to a fraudulent account.

Read more...

London Hedge Funds' Websites Cloned as Scammers Grow Bolder and More Ubiquitous

2020-02-13

Reuters: Some of London’s top hedge funds and asset managers are among those that have been targeted by rogue internet operators who clone their names and websites in an attempt to part unsuspecting investors from their cash.

Read more...

Leaked Report Describes Federal Parliament's Cyber Security as Having 'Low Level of Maturity'

2020-02-13

ABC: Federal Parliament failed to develop effective methods for preventing cyber intrusions and did not regularly update some sensitive information systems, according to a draft internal audit dated three months after a major cyber attack was uncovered.

Read more...

Personal Data of All 6.5 Million Israeli Voters Exposed by Security Flaw in App

2020-02-11

CNN: A security flaw in a mobile app used primarily by Prime Minister Benjamin Netanyahu's Likud party exposed the personal data of every eligible voter in Israel just three weeks before a national election.

Read more...

Equifax: US Charges Four Chinese Military Officers Over Huge Hack

2020-02-11

BBC: More than 147 million Americans were affected in 2017 when hackers stole sensitive personal data including names and addresses. Some UK and Canadian customers were also affected. China has denied the allegations and insisted it does not engage in cyber-theft.

Read more...

FBI: BEC Scams Accounted for Half of the Cyber-crime Losses in 2019

2020-02-11

ZDNet: The FBI received 467,361 internet and cyber-crime complaints in 2019, which the agency estimates have caused losses of more than $3.5 billion, the bureau wrote in its yearly internet crime report.

Read more...

Know Your Breach: Mitsubishi Electric

The target: Mitsubishi Electric, an electronics company based in Japan.

The take: Personal data of 8000 employees and trade secrets including technical, sales, and client information.

The attack vector: A zero-day vulnerability (a newly discovered vulnerability for which no patch or mitigation has yet been published) in antivirus software used by Mitsubishi was exploited to compromise accounts and internal systems. Attackers gained access to forty servers and one hundred and twenty computers inside the company.

The unfortunate reality is that every company is potentially vulnerable, and this example only reinforces our position that cybersecurity is not a one-and-done, set-it-and-forget-it domain. While zero-day exploits are rare and extremely difficult to defend against, ongoing monitoring and assessment of overlapping security controls, following a defense-in-depth approach, can limit the potential impact when one layer of a firm's defenses is compromised.

Read more...

IT boss Stole £500k from City Firm Before Splashing Out on Diamonds, Holidays and Cottage Conversion

2020-02-06

Evening Standard: Anthony Murrell, 44, siphoned off the money from Legal and General Investment Management over three years, buying non-existent computer cables and paying the money to a fake company in his wife’s name. 

Read more...

Pyne Under Fire for Comments About Cyber Attack on Parliament

2020-02-06

The Sydney Morning Herald: Speaker of the House of Representatives Tony Smith condemned Mr Pyne's comments about the hack on Parliament's computer network in January 2019, saying any suggestion the public had been kept in the dark about the extent of the hack was "false".

Read more...

Sydney Man Allegedly Stole Identities to Net $11M from Life Savings, Superannuation

2020-02-06

The Sydney Morning Herald: A 31-year-old man has been charged over an $11 million cyber fraud in which he allegedly obtained the financial profiles and identities of more than 80 people to create fraudulent bank accounts and steal from their savings and superannuation accounts.

Read more...

Why Asset Managers Land in the Dog House

2020-02-04

Institutional Investors: Investment firms that get hacked, hike fees, or switch portfolio managers can expect to land in the hot seat with their institutional clients. 

Read more...

Cyber Firm Callsign Set to Unveil Bumper JP Morgan Backing

2020-02-04

City A.M.: Callsign, which uses AI to verify the identity of users, is signing off on a deal with JP Morgan Asset Management, which manages $2 trillion (£1.5 trillion) for global clients, Sky News reported.

Read more...

Israel's JVP Opens NYC Cyber Center, Looks for Similar Hub in Europe

2020-02-03

Reuters: Israeli venture capital firm Jerusalem Venture Partners (JVP) opened a cybersecurity center in New York City to help launch new companies, and said it was looking to build a similar hub in Europe.

Read more...

Avast Pulls Plug on Jumpshot After Data Privacy Scandal

2020-01-30

Financial Post: Avast allegedly collected data on what many of its users did online and sent it to Jumpshot, which then offered to sell the information to clients, media reports said. Avast denied the allegations and began a review.

Read more...