TikTok Slapped with €345 Million Fine for Child Privacy Violations
The Data Protection Commission (DPC) in Ireland has fined TikTok €345 million ($368 million) for multiple violations of the General Data Protection Regulation (GDPR) related to the processing of children’s personal information and other child privacy issues. The DPC initiated an investigation of TikTok to determine if the company was fulfilling its obligations under the GDPR to protect the privacy of child users of the platform. The...
Bulletproof Hosting Service Utilized by Ransomware Gangs Seized by Authorities
A ‘Bulletproof’ hosting service that was utilized by ransomware gangs and other cybercriminals has been seized by law enforcement, five individuals have been arrested, and its founder has been indicted in federal court. The LolekHosted.net domain was registered by Polish national, Artur Karol Grabowski, 36, in 2014. The LolekHosted service was billed as bulletproof, offering a hosting service with 100% privacy. The owner and operator...
U.S. State Department Offers $10 Million Reward for Information on Clop Ransomware Group
The U.S. Department of State is offering a reward of up to $10 million for information that links the recent attacks by the Clop ransomware group to a foreign government. The reward is also being offered for information about any other malicious cyber actors that are targeting US critical infrastructure that links their attacks to a foreign government. The Clop ransomware group is a Russian-speaking organized criminal group that has...
Russian National Charged for Babuk, Hive, and LockBit Ransomware Attacks
The federal government in the United States has formally charged a Russian national that is alleged to have been a key member of the Babuk ransomware-as-a-service operation – The group responsible for an attack on the Washington, D.C. Metropolitan Police Department in 2021 shortly before the group was disbanded. Mikhail Pavlovich Matveev, 31, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, has been charged in a four-count...
International Law Enforcement Operation Takes Down NetWire RAT
An international law enforcement operation has resulted in the seizure of the infrastructure used to support the NetWire remote access Trojan (RAT). NetWire was first detected in 2012 and has been sold on cybercrime forums for more than a decade. NetWire has consistently been one of the most popular and widely distributed RATs for several years due to its low cost and reliability. The RAT is primarily distributed via email using...
Suspected Core Members of the DoppelPaymer Ransomware Gang Arrested
Europol has announced that two individuals suspected of being core members of the DoppelPaymer ransomware group have been arrested in a coordinated law enforcement operation involving the Federal Bureau of Investigation (FBI), the Dutch Police, and law enforcement agencies in Germany and Ukraine. DoppelPaymer ransomware first appeared in 2019 and has been used in many attacks on critical infrastructure organizations and the public and...
Fortnite Developer Agrees to Pay $520 Million to Settle FTC Complaint
Epic Games, the developer of the hugely popular battle royale game Fortnite, has agreed to pay $520 million to settle claims that it violated the Children’s Online Privacy Protection Act (COPPA) and used “dark patterns” to obtain payments from players. COPPA was signed into law in 1998 and compliance has been mandatory since April 21, 2000. COPPA imposes restrictions on operators of websites and online services regarding...
U.S. Healthcare Provider Confirms Unauthorized Disclosure of 1.36 Million Patient Records to Meta
A healthcare provider has confirmed the impermissible disclosure of patient information to Meta through the misconfiguration of Meta Pixel tracking code on its website. Earlier this year, The Markup published a report on an investigation into the use of Meta Pixel tracking code on the websites of hospitals. Meta Pixel is used to track user activity on websites and advertising performance; however, the data collected through Meta Pixel...
Meta Facing Class Action Lawsuit over Use of Health Data for Serving Targeted Advertisements
Another lawsuit has been filed against Meta by a patient who claims her private healthcare information was collected without consent and was used to serve targeted advertisements related to her medical condition. The plaintiff, Jane Doe, was a patient of UCSF Medical Center and the Dignity Health Medical Foundation, who have also been named in the lawsuit. The case stems from the inclusion of Meta Pixel on web pages behind a login on...
Police in Europe Dismantle Multi-Million-Euro Phishing Operation
An organized criminal gang that was operating a multi-million-Euro phishing operation has been dismantled by police forces in Belgium and the Netherlands, according to Europol. The operation involved raids at 24 addresses in the Netherlands on June 21, and police arrested 9 individuals suspected of involvement in the operation. They also seized cash, cryptocurrency, jewelry, firearms, and ammunition. Europol assisted in the operation...
Thousands Arrested in Interpol-Led Operation Targeting Social Engineering Scammers
An international law enforcement operation led by Interpol that involved police forces in 76 countries has seen more than $50 million seized and thousands of people have been arrested in connection with social engineering scams such as telecommunication fraud, business email compromise scams, and the money laundering activities in relation to those operations. The operation – called First Light 2022 – ran for two months between...
EU Reaches Agreement on New Cybersecurity Regulations for Critical Infrastructure Organizations
New legislation is being introduced in the European Union (EU) to ensure critical infrastructure organizations are better protected against destructive cyberattacks. Current legislation covering the security of network and information systems – the NIS Directive – was introduced in 2016 and was the first piece of EU-wide cybersecurity legislation. The NIS Directive required all EU member states to have national cybersecurity...
Man Convicted for Phishing Scam Resulting in Theft of $23.5 Million from DoD
The losses to phishing scams can be considerable. What starts with a single phishing email can easily result in a costly data breach, malware infection, or the fraudulent transfer of millions of dollars to an attacker-controlled account. Last week, the U.S Department of Justice announced that one of the perpetrators of a phishing scam has been convicted on six counts for his role in a complex phishing scheme and vendor email...
OCR Annouces 4 Financial Penalties to Resolve HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights has imposed four financial penalties on healthcare providers to resolve violations of the Health Insurance Portability and Accountability Act (HIPAA). Three dental practices were hit with sizable fines, one for a violation of the HIPAA Right of Access and two for impermissible disclosures of patients’ protected health information (PHI). The HIPAA Right of Access is a...
SEC Proposes 4-Day Cybersecurity Incident Reporting Deadline for Publicly Traded Companies
New data breach reporting rule amendments have been proposed by the U.S. Securities and Exchange Commission (SEC) that require all publicly traded companies to report a material cybersecurity incident within 4 business days of discovery that a material cybersecurity incident has occurred. A material cybersecurity incident is any cybersecurity incident that shareholders would likely consider important. There are existing state and...
Alleged REvil Hacker Extradited to U.S. to Face Charges Over Kaseya Ransomware Attack
One of the alleged affiliates of the notorious REvil/Sodinokibi ransomware-as-a-service (RaaS) operation has been extradited to the United States to face charges related to the ransomware attacks on Kaseya and other entities in the United States. The U.S. Department of Justice believes Yaroslav Vasinskyi, 22, a Ukrainian national, is a long-standing affiliate of the REvil ransomware gang who was responsible for breaching corporate...
Inmediata and CaptureRx Agree to Settle Class Action Data Breach Lawsuits
It is common for victims of healthcare data breaches to take legal action against healthcare organizations that have experienced cyberattacks and data theft incidents. In order for lawsuits to have standing, the plaintiffs must usually demonstrate they have suffered actual harm as a result of the breach. Recently, a federal judge recommended a lawsuit against Practicefirst Medical Management Solutions, which experienced a ransomware...
Accellion Proposes $8.1 Million Settlement to Resolve Class Action Data Breach Lawsuit
Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit related to the December 2020 cyberattack on its legacy File Transfer Appliance. In December 2020, two Advanced Persistent Threat groups linked to FIN11 and the CLOP ransomware gang exploited vulnerabilities in the Accellion File Transfer Appliance (FTA) and exfiltrated a large about of customer data. Customers included law firms, insurance...
14 REvil Ransomware Gang Members Arrested by Russian Government
The Federal Security Service (FSB) of the Russian Federation has announced 14 individuals suspected of being part of the notorious REvil ransomware operation have been arrested in coordinated raids on 25 properties in the Leningrad, Lipetsk, Moscow, and St. Petersburg regions of Russia. The FSB said the arrests were made after information was passed to the FSB from U.S. authorities about the leader of the REvil operation, along with a...
FBI Seizes $2.3 Million in Ransomware Payments from Russian Affiliate of REvil and GandCrab RaaS Operations
The Federal Bureau of Investigation (FBI) has seized 39.89 Bitcoins with a current value of around $2.3 million from a Russian national alleged to be an affiliate of the REvil (Sodinokibi) and GandCrab ransomware-as-a-service (RaaS) operations. According to a complaint that was unsealed on November 30, 2021, the funds were seized on August 3, 2021, from an Exodus wallet, which is used by individuals to store a range of different...
Operator of Botnet Used for DDoS and Password Spraying Attacks Arrested in Ukraine
A hacker alleged to be the creator and manager of a powerful botnet consisting of more than 100,000 devices has been arrested by law enforcement officers in Ukraine. The unnamed hacker was arrested at his home in Prykarpattia and computer equipment was seized that was being used to control the botnet. The botnet was used by paying customers for a variety of attacks, including Distributed Denial of Service (DDoS) attacks, spamming,...
Hospital Faces Lawsuit Over Alleged Ransomware-Related Death
A lawsuit has been filed against an Alabama hospital over the death of a baby, who is alleged to have died as a consequence of a ransomware attack that wiped out critical hospital monitoring systems. Had those systems been operational, the lawsuit alleges complications with the birth would have been identified and action would have been taken that would have saved the baby’s life. Hospitals have long been a target for ransomware gangs...
Europol Breaks up Major Cybercrime Ring
A major cybercrime gang operating in the Canary Islands has been broken up by the Spanish National Police, with assistance provided by the Italian National Police and Europol. The gang generated more than $12 million in profit through phishing scams and other forms of fraud such as SIM swapping and business email compromise scams. The scams mostly targeted Italian nationals but also claimed victims in Spain, Ireland, Germany and the...
FIN7 Pen Tester Sentenced to 7 Years in Jail
A high-level member of the FIN7 organized crime group has been sentenced to 7 years in jail. The U.S. Department of Justice recently announced that Ukrainian national Andreii Kolpakov has been convicted in the Western District of Washington on one count of wire fraud and one count of conspiracy to commit computer hacking related to payment card theft. In addition to the lengthy jail term, Kolpakov was ordered to pay $2.5 million in...
Lawsuit Filed Against Humana & Cotiviti Following 63,000+ Record Data Breach
Following the discovery of a data breach in December 2020, the health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action. A lawsuit was filed naming both companies on May 26, 2021 in the U.S. District Court for the Western District of Kentucky. The lawsuit alleges Humana mismanaged the records of members of its health insurance plans. The group had outsourced the duty of processing...
Alleged TrickBot Malware Developer Facing Decades in Jail
The U.S. Department of Justice has announced a Latvian malware developer has been arraigned on a 19-count indictment for her role in the creation and operation of the TrickBot Trojan. The TrickBot Trojan first appeared in 2016 and was initially a banking Trojan used to steal bank account credentials; however, the malware has undergone significant development since and has had many more features added. Latterly, the malware has been...
United States Data Protection and Privacy Laws
Although not the first state law to address data protection and consumer privacy, the passage of the California Consumer Privacy Act (CCPA) made the headlines in 2018 due to being closely modeled on the EU´s General Data Protection Regulation (GDPR). The CCPA requires organizations with revenues of more than $50 million, organizations that buy, receive, or share the personal data of more than 100,000 Californian residents or...
Verkada Hacker Indicted on 8 Counts of Computer Crimes and Fraud
The hacktivist who gained access to the systems of the cloud-based enterprise security camera platform provider Verkada in March 2021 has been indicted on criminal hacking charges and faces up to 27 years in jail. A federal grand jury charged Till Kottmann, 21, for a string of computer intrusion and identity and data theft activities that started in 2019 and continued until the hacking of Verkada in March. Kottmann, who goes by the...
Retaliation Against Company Over Complaint Sees IT Worker Jailed for 2 Years
It may be satisfying taking retaliatory action against a company that complains about the quality of your work and gets you fired, but consider the repercussions for such an action, as Deepanshu Kher, 32, from Delhi, India will be doing for the next two years while he serves his sentence in Federal prison. Kher worked as an IT contractor for a US IT consulting firm from 2017 to May 2018. His employer won a contract to assist a...
AMCA Medical Debt Collection Agency Settles Multistate Action over 21 Million-Record Data Breach
A settlement has been reached between a coalition of 41 state Attorneys General and American Medical Collection Agency (AMCA) to resolve a case stemming from a data breach involving the protected health information of 21 million Americans. The data breach was the largest healthcare data breach to be reported in 2019. AMCA specializes in small debt collections from patients of medical testing facilities. From August 1, 2018 until March...
Virginia Signs GDPR-Like Consumer Data Protection Act into Law
Residents of the Commonwealth of Virginia have been given new rights over their personal data now that state Governor Ralph Norman has added his signature to the Virginia Consumer Data Protection Act (CDPA). Virginia is the latest state to introduce new privacy legislation. 10 U.S. states introduced their own data protection laws last year, and many more are expected to follow including Minnesota, New York, Oklahoma, New York, and...
US. Department of Justice Indicts 3 Alleged Members of North Korean Lazarus Hacking Group
This week, the U.S. Department of Justice announced that three North Korean intelligence officials have been indicted for their role in a slew of destructive cyberattacks on U.S. and global organizations spanning many years. The cyberattacks allowed the hackers to steal and extort more than $1.3 billion in money and cryptocurrencies from companies and financial institutions around the world. The three individuals are alleged members...
BEC Gang Members who Scammed More Than 50,000 Organizations Arrested
Image source: INTERPOL Three members of a cybercriminal gang that has attacked more 50,000 organizations have been arrested in Lagos, Nigeria. The arrests come at the end of a year-long investigation into the prolific business email compromise scammers by INTERPOL, Group-IB, and the Nigerian Police Force. The three gang members arrested are believed to be responsible for phishing scams, BEC attacks, and malware distribution on tens of...
Member of The Dark Overlord Hacking Group Sentenced in the United States
A Federal court in Missouri has sentenced a British member of the Dark Overlord hacking group to 60 months in jail and has been ordered to pay $1.4 million in restitution for the role he played in several attacks on organizations in the United States. Nathan Francis Wyatt, 39, of Wellingborough, UK, who used monikers such as Crafty Cockney and Mas, was indicted by a grand jury in November 2017 for the role he played in cyberattacks on...
Ransomware Victim Takes Legal Action Against Attackers and ISP Hosting its Stolen Data
Southwire, one of the largest manufacturers of cabling and wire in the United States, has taken legal action against the unknown individuals behind the attack and an internet service provider hosting a website where its stolen data has been published. The threat actors infiltrated Southwire’s network in December 2019, stole 120 GB of company data, and then deployed Maze ransomware on 878 computers. A ransom demand of 850 Bitcoin ($6...
Former Facebook Content Moderators Sue Facebook for Psychological Injuries
Former Facebook content moderators have taken the decision to sue Facebook for psychological injuries and are seeking compensation from the social media network after developing post traumatic stress disorder (PTSD) from viewing extremely disturbing violent content and other graphic material at work. Working for Facebook may seem like a dream job for many people, but not all work that needs to be performed for the social media network...