The Risk Report

The Risk Report - March 19

March 19, 2022

The average salary in the US was $51,168 in 2021. If that was your salary last year, and you were issued a $5 fine by the government for breaking the law, would you stop breaking laws? Something similar just happened to one of the biggest names in tech.

BREACHES OF THE WEEK

🛢️ Leaky pipeline

Transneft, a Russian state-owned (and the world’s largest) oil pipeline company, suffered a data leak this week in what appears to be a hacktivist attack. In total, 79 gigabytes of stolen emails were published on the whistleblower website Distributed Denial of Secrets. The anonymous attacker dedicated the leak, perhaps jokingly, to Hillary Clinton, who encouraged hacktivism back in February during an MSNBC interview.

🚑 Hospital of the week

South Denver Cardiology Associates (“SDCA”), a medical group in Colorado, has suffered a data breach impacting 287,000 people. In its official statement, SDCA outlined that the breach was identified on January 4th of this year. Its investigation determined that an unauthorized third party had accessed PII during that time, including Social Security numbers and health insurance information. SDCA has since secured its systems and notified law enforcement.

💺 Just a little turbulence

KrisShop, the in-flight shopping portal of Singapore Airlines, has suffered a data breach that exposed the financial information of almost 5,000 travelers. It all started with a phishing attack on March 8th that led to unauthorized access through (preventable) human error. Personal information exposed includes KrisShop voucher codes, bank account numbers, frequent flyer numbers, and more. Singapore Airlines has since reported that the incident was isolated and that its systems are secure.

NOTEWORTHY THIS WEEK

🇺🇸 New rule

Earlier this week, U.S. President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which imposes new cyber incident reporting requirements for “critical infrastructure entities”. Specifically, this new law will require such entities to disclose incidents to CISA within 72 hours of discovery. For ransom attacks, that reporting window is shortened to 24 hours. The bill can be read in its entirety on the US Congress website.

💸 Drop in the bucket

Meta has been fined nearly $19 million by Ireland’s Data Protection Commission (“DPC”) in response to a series of 12 data breaches against that company that occurred between June and December 2018. The DPC wrote in a statement that Facebook and Meta “failed to have in place appropriate technical and organizational measures” necessary to protect EU citizens, violating GDPR in the process. Based on Meta’s nearly $118 billion revenue in 2021, it’s safe to say that this will have zero impact on the American company.
