ChatGPT Breach: What You Need to Know

/in /by

It took less than 5 months for a significant ChatGPT breach. This is not surprising, given the incredible pace of the software’s adoption. On February 1, Reuters reported that ChatGPT had reached 100 million active monthly users in the two months since its launch, citing data from UBS.

Any platform as new as ChatGPT with a userbase the size of ChatGPT’s will be a target for cyber criminals hoping to find new vulnerabilities to exploit. Businesses and individuals who use ChatGPT need to understand the risks, and to recognize that the unprecedented growth of ChatGPT may make the platform uniquely vulnerable in the short term as its developers rush to keep up with demand.

What Happened in the ChatGPT Breach?

Around March 20,  payment information for some ChatGPT Plus subscribers was exposed, including names, emails, billing addresses, card expiration dates and the last four digits of the card used to subscribe to the service. OpenAI, the creators of ChatGPT, contacted the affected users, estimated at 1.2% of the overall subscriber base. OpenAI patched the vulnerability that enabled the breach.

There is no reason to stop using ChatGPT, and unless you were notified of the breach, there is no immediate cause for concern. Those who were impacted by the ChatGPT breach may want to consider canceling and replacing affected credit cards, as the exposed digits and expiration date could be combined with other data on the Dark Web to commit identity fraud.

Is ChatGPT Safe to Use?

If you use ChatGPT as a standalone application, it should not present a risk to your overall cyber security. If you attempt to integrate ChatGPT with other systems, do so with caution.

Security researchers identified a vulnerability in a ChatGPT plugin that allows the software to collect information by connecting directly to third-party systems. In this case, the threat came not from ChatGPT but from outdated code used to facilitate communications. ChatGPT integrations with existing business systems or databases should only be undertaken by a developer with considerable experience in cross-platform vulnerabilities and up-to-date awareness of cyber threats. Cyber criminals love software integrations, because they create complex vulnerabilities and may rely on communication methods with known exploits. Remember that data must be protected at every stage of its use: storage, processing and communication between systems.

Chat GPT as a Phishing Lure

The greater danger of ChatGPT to most organizations may be its use in phishing scams. We have seen this previously with every popular platform and service online: Users receive an email claiming to be from a service provider, asking them to click a link to solve a phony problem. Examples include:

  • Your (Gmail, Yahoo, Microsoft) account has been suspended. Please click this link to restore access.
  • We were unable to deliver your package. Please click this link to reschedule delivery.
  • Your (PayPal) payment has been rejected. Please click this link to update your payment method.
  • Please log in to update your password.

Popular services inevitably find themselves targeted in these spoofing attacks, where criminals send official-looking emails, often with company branding and some legitimate links, in an attempt to steal usernames and passwords. As one of the fastest-growing services in history, it is inevitable that ChatGPT will be targeted as well.

Fortunately, there is a simple way to avoid these phishing attacks: Never click on links in emails. If you get an email indicating a problem with an online account or service, go directly to the provider’s web page and log in to your account directly. Do not click on any link that you receive via email, even if it looks legitimate.

Protect Now offers cyber security employee training that changes attitudes toward cyber security by making it personal for every employee. With in-person, virtual and eLearning options, our employee training programs offer an effective and affordable solution for every business and organization. Contact us online to learn more, or call us at 1-800-658-8311 to learn more.

Protect Now Announces Agreement to Bring Cyber Social Identity (CSI) and Personal Protection Certification to RE/MAX University®

/in /by

Comprehensive Program Includes Personal Security and Cyber Security Certification

DENVER, CO – April 4, 2023 – Protect Now, a leading provider of cyber security training and solutions, today announced an agreement with RE/MAX, LLC, a global real estate franchisor with more than 140,000 agents in almost 9,000 offices and a presence in more than 110 countries and territories.

Through this agreement, RE/MAX will add Protect Now’s Cyber Social Identity (CSI) and Personal Protection Certification to the programs offered through RE/MAX University, an exclusive-to-RE/MAX learning hub designed to help each agent level-up their professional expertise. Through this new security awareness training program, real estate professionals will have the opportunity to learn strategies to keep themselves, their businesses and the clients’ data safe.

Developed by Protect Now, the CSI Protection Certification training offers the most current best practices in cyber security to prevent wire fraud, identity theft and breaches, paired with practical advice real estate professionals can use to stay safe in the field. CSI Certification helps to meet FTC Safeguards Rule compliance and delivers a marketing tool to help professionals grow market access, reputation and sales. REALTORS® with a professional designation earn a median income 74% higher than those without, according to an NAR Member Survey.

“We are proud to bring this exceptional safety and cyber security program to the real estate professionals we support,” said Bryson Creighton, Vice President, RE/MAX University Learning & Education. “This is a critical tool that will help our agents and franchisees build trust with their clients and provide the exceptional service that RE/MAX is known for.”

The 2021 National Association of Realtors Annual Safety Report found that 5% of REALTORS® had been a victim of a crime while working as a real estate professional. Cyber-attacks are a growing threat to the real estate industry, where many agencies operate as small- or mid-sized businesses, and where regular email, text and telephone contact with buyers and sellers occurs daily. Criminals have stepped up their attacks on smaller businesses in recent years. Data from 2019 showed that cyber criminals made small businesses their top target, accounting for 43% of data breaches.

“Criminals will always go after the easiest targets,” said Protect Now Co-Founder and Head Security Awareness Trainer Robert Siciliano. “They’ve learned that they can’t make the ‘big hits’ going after large companies, so they now look for small business with lower levels of cyber security. They launch thousands of attacks each month, because it’s a numbers game. They can make a good amount of money from a few hundred breaches with far less risk and effort.”

Protect Now closes the gap between small- and large-business cyber security awareness with training that emphasizes the individual role each employee plays in cyber security. Brokers and agents are taught to see their personal role in protecting access and data, which has proven an effective tool in changing organizational attitudes toward cyber security.

“Wire fraud has surpassed a $200 million a year, which decimates the buyer’s bank account, kills the sale, shatters commissions, ruins the agency’s reputation and can lead to lengthy, expensive lawsuits for everyone involved in the transaction. We are also entering an era where the Federal government will demand more accountability from everyone who handles financial information. These are powerful reasons for real estate professionals to attend this training,” Siciliano said.

###

About Protect Now
Protect Now is a leading provider of cyber security training and solutions for business, municipal and nonprofit clients, with an emphasis on organizations that process sensitive information from the general public. Protect now delivers a suite of cyber security services, including Virtual CISOs, Dark Web Monitoring and FTC Compliance, backed by personal security, cyber security and anti-phishing training that creates meaningful change in employee attitudes toward cyber security by emphasizing the importance of personal security. To learn more about Protect Now’s cyber security solutions, visit https://protectnowllc.com/.

Mobile Provider Data Breaches: Know Your Risks

/in , /by

Last week, AT&T reported the latest in a series of high-profile data breaches. The company announced that approximately 9 million customer records, including names, email addresses, phone numbers and account numbers, were stolen from a third-party marketing firm that had been given access to the data by AT&T.

How do these large-scale data breaches happen?

In several recent cases, criminals targeted marketing firms that provide advertising to mobile carriers or that develop campaigns for mobile users. In the AT&T case, it was noted that the stolen data included eligibility for phone upgrades, making it reasonable to assume that the data breach was related to customer marketing. AT&T gave its customer data to a marketing firm to sell upgrades. The marketing firm was breached.

In other cases, companies that display ads on mobile devices have suffered significant data breaches exposing millions of customer records. In all of these cases, criminals did not target the mobile provider itself, but the third-party agency. Mobile providers typically have strong cyber security practices; the third parties they share your data with may not, making you vulnerable.

What are the risks from mobile data breaches?

Mobile data breaches can carry a particular risk for customers. As reported by Axios, criminals can use personal data from these breaches to launch SIM-swapping attacks, where a criminal clones a SIM card and then uses it to steal multifactor authentication codes. Ordinarily, a criminal who steals your username and password cannot access your accounts if you have two-factor authentication that sends a confirmation code to your phone. If the criminal can clone your phone number with information stolen from a data breach, they can then get the code and access your accounts.

In other words, criminals can defeat two-factor authentication, log in to your accounts and steal or wreak havoc at will. If you see authentication code requests that you did not initiate, log in to the affected accounts immediately and change your password, because it could mean someone is trying to gain access.

A lower level of risk comes from the exposure of phone numbers and email addresses. These will be sold to criminals for spam emails and phishing attempts. If you are a high-value target for hackers, you need to change your passwords and your multifactor authentication method.

What should I do to protect myself from criminal misuse of my data?

Assume that some of your personal data has been compromised. More than 74 million personal records have been posted to the Dark Web so far in 2023, according to Cyble. Next, think like a criminal.

Criminals gather several types of personal information to carry out hacks and phishing attacks. They need your name, address, email and phone number to start. Any additional information they can gather, including passwords or usernames, makes it easier for them to launch an attack.

The best defense is to change your passwords frequently and to be vigilant. Set up two-factor authentication with immediate alerts to your mobile device. The safest way to do this is to have a separate email that you use only for authentication that you never share or use for any other purpose. Have alerts sent to you whenever there is an authentication request sent, rather than having text alerts sent directly to your phone. In many cases, this thwarts SIM swapping.

If you have significant concerns, you may need to get a new phone number, which renders information stolen from data breaches useless. This poses a significant challenge for most people. Acquiring a low-cost second phone that you use solely for authentication can solve the problem without requiring you to change your primary number.

Whenever you can, opt out of data-sharing programs with your mobile provider. They will attempt to discourage this, but doing so removes one avenue that criminals can use to compromise your cyber security.

Are you vigilant with your personal data? Are you vigilant with data on the job? Would you be able to stop a phishing attack launched by a phone call from a criminal? Explore our CSI Protection Certification to develop the skills you need to stop cyber criminals at home and on the job.

New National Cybersecurity Policy Is a Step, Not a Solution

/in , /by

The new National Cybersecurity Policy from the Biden Administration holds lofty ideas, but little that is actionable. As reported by The New York Times, the policy, unveiled on March 2, seeks to push greater responsibility for cyber attacks and data breaches toward those who own, operate or use online infrastructure. The policy also outlines a formal strategy for the United States Government to take action against professional cyber criminals and state-sponsored hackers.

With regard to national standards, the new cybersecurity policy is a long-overdue step in the right direction. One of the greatest challenges in convincing organizations to adopt stronger cyber security has been a lack of regulations. In cases where Federal or state governments have mandated security rules, adoption has been swift. Both the Gramm-Leach-Billey Act, which mandates protection of consumer financial data, and the California Consumer Privacy Act, which gives individuals the right to delete their data, as well as the European Union’s General Data Protection Act led to widespread changes in the ways businesses of all sizes collected, protected and stored personal data.

Biden’s Cybersecurity Policy Is Not Regulation

Many cyber security professionals have argued for national standards for years, yet this is where the Biden National Cybersecurity Policy comes up short. Outside of executive orders that narrowly target some Federal agencies, there is no mechanism to create or enforce mandates. Congress would need to pass legislation outlining standards and penalties for noncompliance. There also remains a question of who would investigate and enforce national guidelines.

Simply setting those guidelines will be difficult, given the ever-changing nature of the Internet and the software that powers it.  Internet infrastructure developers have fought standards and regulation on the grounds that mandates deter innovation. A balance must be struck between the needs of a better Internet and a safer one, and any policy that emerges will do well to require a reasonable level of security to exist in new tools and services without stifling innovation solely to deter cyber attacks.

What Does the Policy Mean for Business Owners?

Absent Congressional action to set standards and mandate compliance in the private sector, the new National Cybersecurity Policy has no immediate functional impact on any private or state-operated organization’s cyber security. However, this policy, taken with the Federal government’s more aggressive stance on common-sense cyber security practices, suggests that more executives could be found liable for cyber security lapses until formal regulations are passed.

The new policy may also embolden cyber insurance underwriters to deny claims if, in their assessment, reasonable care has not been taken to protect systems and data.

This policy is likely to lead to several years of uneven enforcement, insurance denials and court challenges that will ultimately prompt Congress to step in and pass broad-based rules. Until then, business leaders should understand that the burden of preventing cyber attacks continues to shift toward individual organizations. In this environment, good cyber security practices and cyber security employee training are more important, and potentially more cost effective, than they were before.

Gartner Survey Explains Why Cyber Security Employee Training Fails

/in , /by

Sobering data from Gartner illustrates the shortcomings of cyber security employee training. The company predicts that more than half of cyber attacks by 2025 will result from :lack of talent or human failure.”

This is in spite of ongoing efforts by businesses to provide employee training on cyber security. What stands out is the reason why that training fails.

According to their survey of 1,310 employees in mid 2022, “69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months.” More concerning, 74% said the would ignore cyber security practices “to achieve a business objective.”

The problem is clear: employees may know an organization’s rules for cyber security, but they willingly ignore those rules to get their jobs done. As long as this situation persists, cyber criminals will have the advantage they need to carry out attacks.

Cyber Security Employee Training Must Be Personal and Ethical

Every organization has a to-do list for compliance and a general set of employee rules. Most employees know they cannot treat others unfairly because of their background, race or identity, that they cannot steal from the company coffer and that they have a set time for lunch and breaks. Many employees bend these rules at times, while some bend them pathologically.

When cyber security becomes just another set of flexible company rules, disaster follows. The employee who takes an extra half hour for lunch only harms productivity in the short term. The employee who denies promotions to certain co-workers may trigger a lawsuit. The employee who shares passwords with teammates risks a costly data breach or an intrusion that takes all systems offline.

In all of these cases, organizations tend to train on the whats instead of the whys. Employees learn that they can be suspended or terminated for long lunch breaks, then see if that rule is actually enforced. The same applies to discrimination and cyber security. Employees may understand the consequences of breaking rules, but if they see co-workers getting away with things, or they consider some rules flexible, the training they received is useless.

It should be no secret to organizational leaders that employees behave very differently in their private lives. Most people would not brush off a friend or discriminate against a family member, and they tend to take great care with their personal cyber security. They are motivated to do this because they face lasting, personal repercussions in valuable relationships if they behave selfishly.

Leaders expect this behavior to carry over on the job, but Gartner’s data disputes that belief, painting cyber security as just another obstacle employees try to overcome. This occurs because most cyber security employee training, like other forms of employee training, lays out facts and broad hypothetical situations without asking the question that would really motivate employees: What would your friends and family think if you were responsible for a major cyber security attack?

The answer to that question is the key to effective employee cyber security training. Most people would be horrified and ashamed if their actions caused harm to a friend or family member. They would be similarly ashamed and horrified to have to tell people that they were involved in a cyber attack that made headlines. Those emotions provide a powerful incentive to follow cyber security rules, but they are absent from nearly all of the training programs available. Training based on ethics and personal attitudes toward responsibility delivers better results, because it connects with the protective instincts people practice in their personal lives.

Choose Training That Works

The CSI Protection Certification cyber security employee training program created by Protect Now changes employee attitudes toward security by tapping into their personal desire for safety. Created by cyber security speaker and author Robert Siciliano, this program is empowering and entertaining, and it now qualifies for CE credits for real estate professionals in many states. The program is available via in-person seminars, virtual seminars or through a library of eLearning modules. To learn more, contact us online or call us at 1-800-658-8311.

The Software Patch is a Nuisance and a Necessity

/in , /by

Valentine’s Day kicked off a big week for software patch fans, as Apple sent out a patch for its operating systems and Microsoft pushed a flurry of patches for Windows.

The Software Patch is a Nuisance and a NecessityIf you are not a software patch fan, you should be. The seconds you spend patching work and personal devices can save thousands of dollars and dozens of hours cleaning up from cyber criminals who exploit vulnerabilities. Yes, patches are a nuisance and more common than most would like them to be, but they are also a necessity if you care about cyber security.

Why Do I receive so many software update requests?

Responsible software makers continually evaluate threats to their systems and issue software patches to fix them. Apple was tipped off to a flaw in its operating systems that could allow hackers to install and execute code on an unpatched device. This patch fixed what is known as a Zero-Day Flaw or Zero-Day Exploit, which is a flaw that exists in software when it ships. Hackers carefully review every new piece of software to find vulnerabilities in security, as do researchers familiar with vulnerabilities. Apple issued its software patch in response to findings by a researcher who recognized the potential risk.

Microsoft, as usual, is furiously patching its most recent Windows release to close 75 security gaps, including some that would allow a hacker to bypass Windows malware filters or access system functions.

Patching Protects Against Phishing

Everyone who uses Windows or iOS should apply these software patches immediately. Doing so, on personal devices as well as work-issued devices, delivers two real benefits. First, it blocks a potential risk to cyber security that is known to and in use by criminal hackers. Second, it nullifies some phishing attacks by making it impossible for hackers to deliver malicious software.

The exploits patched by Apple and Microsoft may require users to visit a compromised website or download software that can exploit the known vulnerability. A software patch removes the vulnerability, so even if an employee clicks on a compromised link, the hacking attempt fails.

Every business should make software patches mandatory for all personal and work devices, particularly personal smart phones and laptops, which may access business WiFi or networks when employees come to the office. Software patches are usually sent out by software manufacturers automatically, but users may find them a nuisance and ignore them. Businesses can assist with updates by emailing staff when security patches are sent out. Ask employees to update their devices and provide links to download sites and additional information from manufacturers.

Patches may arrive at inconvenient times and employees may consider them a bother, but they are an essential piece of overall cyber security. Be aware that failure to patch can violate a cyber liability policy or expose a business to government fines if an unpatched exploit leads to a data breach.

Installing software patches is good cyber hygiene and part of employee cyber security awareness. Protect Now has developed an employee training program that changes culture by changing the way employees consider cyber security. We go beyond concepts and hypotheticals to help employees understand their attitudes about cyber security and the need to apply the same standards they use in their personal lives to data protection in the workplace. Contact us online to learn more, or call us at 1-800-658-8311.

Tax Season Is Cyber Crime Season

/in , /by

As tax season begins, cyber crime targeting W-2 forms is on the rise. Criminals want W-2 forms so they can file fraudulent tax returns and cash the refund checks. Victims find out about these scams when they attempt to file their legitimate returns, only to be told that a return has already been filed.

tax securityThe U.S. Justice Department, citing Internal Revenue Service data from 2013, reported that 5 million tax returns were filed fraudulently, seeking $30 billion in refunds. Cases of this fraud are believed to be much higher today, leaving victims to wait out a lengthy process of reconciliation before they can get the tax refunds they deserve.

Anyone who issues or distributes W-2 forms needs to take exceptional care with them. Because they contain Social Security numbers and personally identifying information, they are considered protected personal information under state laws.

How to Protect and Safely Distribute W-2 Forms

Criminals attempt to steal W-2 forms in two ways: online and in person. In-person theft simply involves stealing W-2 forms from someone’s mailbox. Criminals know when to look, but they may not know what they are looking for.

You can prevent mailbox theft by distributing W-2 forms online, or by handing them to employees in the office. If you must mail W-2 forms, it is best to do so in a plain envelope with a handwritten return address that looks like a personal letter. Avoid envelopes that look corporate, and absolutely avoid windowed envelopes that show the form or that have printed messages stating that a W-2 is inside.

If you distribute W-2 forms electronically or provide self service for your employees, follow these tips:

  1. Give employees a link instead of emailing a W-2 form. Most payroll providers include password-protected individual employee accounts as part of their service. Take advantage of these so that employees have to download their forms, rather than sending them via email.
  2. If you must email, be sure the email is encrypted. This prevents thieves from capturing the documents in transit. Send W-2 forms only to employee email accounts that you manage, not third-party accounts or free email services that are more easily compromised.
  3. Encourage employees to file early. Early filing is the best defense against a fraudulent claim, and criminals tend to file very early in the season.
  4. Beware of phishing and social engineering scams. Criminals may attempt to harvest W-2 forms by pretending to be accountants, representatives of online filing services such as TurboTax or state or Federal tax agents. Remember that no one will ever contact you by phone, email or text with a legitimate request for someone’s tax documents.
  5.  Warn employees of tax season scams. Send a reminder email that no one from the company and no legitimate government agent will ever contact them to ask for a copy of a W-2, and advise them to be careful responding to requests from trusted contacts, such as their own lawyers and accountants. Follow one simple rule whenever you receive a request for personal information: Call to verify.

Many employees and a large number of business professionals are unaware of the growing number of scams targeting tax documents. These forms contain one of the most valuable pieces of personal information: an individual’s Social Security number. If an attempt to steal employee tax forms from an organization succeeds, it must be treated as a data breach and reported to law enforcement. Employees will need to inform the Social Security Administration of the compromise as well.

W-2 theft is another aspect of phishing and social engineering that businesses can fight with cyber security awareness training. Our CSI Protection Certification succeeds where other programs fail by tapping into the personal desire employees have to keep their own data safe and showing them how those instincts apply in workplace situations. Contact us online to learn more or call us at 1-800-658-8311.

Cyber Insurance Companies Go to Court to Block Claims

/in /by

Cyber insurance may not offer the protection you expect. In a case that has far-reaching implications for all policyholders, leading cyber insurance providers challenged a New Jersey court ruling ordering them to pay damages for the 2017 “NotPetya” attack that led to $1.4 billion in losses for pharmaceutical company Merck & Co, The Wall Street Journal reports.

Insurers claim that the attack is not covered because it was an act of war committed by a foreign adversary. U.S. government officials attributed NotPetya, a Windows ransomware attack that encrypts operating systems and data, on the Russian government. Insurance companies believe this triggers the “war exclusion” common to many types of insurance policies that blocks claims resulting from military action. Though written to cover damage from bullets and bombs, cyber insurance underwriters now seek to apply that exclusion to damage from state-sponsored cyber attacks.

Should insurers prevail, businesses of all sizes could find themselves without protection for any cyber attack attributed to a foreign government.

Read the Fine Print on Your Cyber Insurance Policy

Few insurance buyers take the time to fully read their policies, and fewer inquire about the extra coverage, which comes at a higher cost, that protects against uncommon risks. This can leave businesses vulnerable if they file a claim in the wake of a cyber attack.

Foreign adversaries may be the least of your cyber worries, but you should understand that a cyber policy is not guaranteed protection, but a relationship between your business and your insurer that demands certain actions on your part to keep the policy in effect. These inevitably include the following:

  1. You will take reasonable steps to secure your cyber infrastructure. This includes setting up secure systems, maintaining security certificates and updating software regularly to apply security patches. A recent attack that brought down servers worldwide took place because some users did not apply a security patch issued in February 2021. Those who failed to apply the patch could have their insurance claims denied.
  2. You will limit access to your systems to essential personnel. This includes password security as well as role-based authorizations. As a rule, employees should only have access to the systems and data they need to do their jobs. Shared passwords, poor password security or unchecked access to data could leave you paying out of pocket if you suffer a data breach.
  3. You will take steps to protect customer data. This includes how you collect data, how you transmit it online, how you store it and how long you retain it. Best practices vary depending on the type of data collected, with the strongest protections required for sensitive personal data such as credit card numbers and financial information.
  4. You will verify security with all third-party providers. This requires you to understand the security practices of your vendors and, in some cases, to get regular statements from them attesting to their cyber security. Vendors include your phone company, your Internet service provider, web hosts and software vendors. Expect a request for cyber security documentation from all vendors if you ever need to file a claim.
  5. You will train your employees in cyber security awareness and phishing protection. This requires annual or semiannual in-depth training on recognizing and stopping social engineering and phishing attacks. Your policy may mandate training within a certain period of time for all new employees, as well as regular refresher courses.

Know What Your Insurer Expects of You

If sitting down to untangle the language in your cyber policy is too daunting, speak to your insurance agent and ask for a full list of your responsibilities and the agent’s recommendations. Recognize that things like training and software updates are in your control, while natural disasters and acts of war are not. Insurance policies protect against everyday risks, not exceptional ones, but that protection is only available if you do your part to comply with your policy’s requirements.

A hack or data breach is stressful enough without worrying over whether your insurance policy covers the damage.

Protect Now provides Cyber, Social and Individual (CSI) Protection Certification, a cyber awareness training program that changes employee attitudes toward security by making data protection personal. This affordable program was built to serve businesses that have significant public interactions and need to protect their clients’ personal data. Learn more by calling us at 1-800-658-8311 or contacting us online.

Feds Take Down Ransomware Gang, Aid Victims

/in /by

In a sign of its aggressive new posture against cyber criminals, the United States government infiltrated and compromised the Hive ransomware gang, blocking hundreds of millions in ransomware payments and seizing control of the gang’s website. No arrests were announced, but authorities in Germany and The Netherlands were able to seize the ransomware gang’s servers.

Hacking the Ransomware Hackers

Ransomware attacks are among the most costly for businesses and organizations. These attacks typically begin with criminals using stolen passwords found on the Dark Web or acquired through phishing attacks. Once ransomware hackers have access to online systems, they encrypt all of an organization’s data and lock it behind a password. They then demand a ransom in cybercurrency, such as Bitcoin, in exchange for a key that will unlock the encrypted data.

To shut down Hive, U.S. investigators infiltrated the gang’s network. They learned about planned attacks, including a Texas school district and a Louisiana hospital, then stole the ransomware decryption keys and gave them to the targets. When the ransomware attacks began, organizations were able to immediately restore their systems with the encryption keys, saving millions in ransomware payments.

The operation represents a significant shift in how Federal authorities approach cyber gangs. In the past, U.S. authorities attempted to recover ransoms after payment, with limited success. The move against Hive ransomware represents a significant escalation in response, known to be part of the Biden Administration’s draft cyber security plan,  that sees law enforcement partner with victims ahead of an attack to prevent damage and financial loss.

Ransomware Risks Remain

While Hive was one of the better-known ransomware gangs. there are many more carrying out these attacks who will not be deterred by a single U.S. government success. A Verizon report on cyber crime in 2022 found that ransomware attacks rose by 13%, a larger increase than the past 5 years combined. Criminals can now buy ransomware online, in late 2022 a Microsoft study found criminals using it to steal data and wipe systems clean, removing all traces of their activity, without making a ransom demand.

Regardless of the nature of the attack, ransomware victims tend to have a few things in common:

  • They operate critical infrastructure used by the public.
  • They appear to have budgets that support multimillion-dollar ransom requests.
  • Their cyber defenses have vulnerabilities ripe for exploitation.

Verizon reported that 20% of data breaches resulted from social engineering. Public-facing organizations face greater risks for intrusions and compromise due to the nature of their work, which makes cyber security awareness training essential.

Aggressive action from the Federal Government against cyber criminals is a positive development, but businesses and organizations cannot rely on it to ensure security. Employee training, strong cyber defenses and advance warnings from Dark Web monitoring still provide the best protection against intrusions and fraud. Protect Now provides support for small- and medium-sized business that work extensively with the public. Contact us online or call us at 1-800-658-8311 to improve your cyber security.

Data Privacy Week Is a Time to Consider What You Share

/in /by

This is Data Privacy Week, when everyone who uses the Web is encouraged to think about, and limit, the amount of personal data they share online. We often think of data privacy and data breaches in terms of someone stealing information we have shared. During this week, that thinking should be reversed: Ask what you share, where you share it and whether sharing is even necessary.

Data Privacy Begins with You

Thieves cannot steal what you do not share. If you never give your credit card number, name, address or phone number to any website, you have zero data privacy risk. This is impractical if you want to shop online or use services such as email and social media. Most people get so used to sharing personal information to do things online that they share freely in all spaces online, making them targets for data theft and phishing attacks. Some sites, such as Linkedin and Facebook, encourage a level of sharing that creates significant risks to your personal information. Companies may share more than necessary if they try to market their employees, as detailed in Is Your Website a Bait Shop for Phishing Attacks?

Cyber crime would be much lower if everyone followed the rule taught to all children: Do not talk to strangers. Do not tell them your name, where you live or the route you take home. Do not share where you went to high school and college, what you studied, or your employment history. Never give them your mother’s maiden name, your pet’s name, your birthday, the name of your prom date, the name of your favorite teacher, or your favorite grocery items.

By now you should have a window into all the ways you deliberately (social profiles) and casually (social media quizzes) surrender your digital privacy. While sharing online can feel normal, it invites predators. Cyber criminals will gather as much information as they can about potential victims through your posts and profiles. They then use this information to target attacks against you or people you know.

Easy Ways to Improve Data Privacy

Data privacy should be protected on two fronts: Limit what you share initially, then limit how long it remains online. “Online” includes both publicly available information and information you share with others to shop or use services.

  • Use guest checkout. Nearly every shopping site now offers a guest checkout option. When you choose this instead of setting up an account, the business should not build a profile about you or store your information permanently. Use this feature whenever you buy something online for the first time. If you come back, consider opening the account. If you never come back, you will have less risk if that business suffers a breach.
  • Never respond to online quizzes. Facebook has significant, ongoing problems with data-harvesting scams masquerading as quizzes. Because Facebook requires people to give their real names when they sign up, even the most innocent-looking quizzes can yield meaningful data. Criminals often look for clues to passwords or try to fill gaps in an individual’s data profile, or get information they can use to commit fraud. In one example, an image shows several food staples, such as eggs, milk, cereal, orange juice and bacon, then asks which one you dislike the most. Choose eggs and a criminal now knows not to buy eggs when they try your stolen credit card number at the grocery store.
  • Skip the optional fields when you sign up. Whenever you sign up for a service, your goal should be to give as little personal information as possible. This can be challenging if your browser automatically fills in all of your data, or if you fill out forms without looking to see what is actually required. Be wary of businesses that ask for credit card information for a “free” trial, or that want your email, phone and mailing address for services that do not require physical mail.
  • Only post recent, relevant information on social sites. No one needs to know your entire work history, or that you got a Masters Degree from Harvard unless that experience is highly relevant to your current work. This is challenging for thought leaders and those with specialized skills who market their abilities based on experience. Consider using less-specific descriptions, such as “Ivy League educated” instead of “Harvard Class of ’92.” Criminals need specific data points for social engineering fraud. The more you provide, the easier you make it for them.
  • Never post your personal email or phone number. Many small businesses believe posting emails and phone numbers increases the number of contacts they receive. There is no real data to support this. Contact information on a website should go to a generic inbox, such as “info@mysite.com,” and phone numbers should forward to an unpublished office line. One of the leading scams right now harvests personal phone numbers, matches them with company email addresses, then targets employees with texts that appear to come from senior executives, often asking for gift cards or passwords. This scam exploits the abundance of seemingly innocent information that individuals share.
  • Never post photos or videos from your workplace. If you or your company must Instagram what it does, set up a location in the lobby and only allow photos and videos to be shot there. Photos and videos should never be allowed in work areas for any business, because they can give away private or proprietary information. Criminals can learn about your security procedures and your workplace layout, and sometimes find passwords on notes or white boards in the background. Those who work in health care have an additional duty to protect patient privacy, as well as their own.
  • Remove anything personal in the background of your video conferencing space. The rise of video calls and videoconferencing has encouraged people to treat their home office like a television set, with strategically placed books, awards and mementos, information that is valuable to criminals. Another risk, once again, is the whiteboard or bulletin board with sensitive information. Something as simple as a diploma or family photo can be the hook a criminal uses in a targeted attack. Keep anything identifiable out of frame, or use a generated background for your calls.
  • Close all outdated accounts and subscriptions, then ask for your data to be removed. This one is last because it is a little harder. If you have ever canceled a Netflix subscription, you know how easy it seems. They turn off your service and stop billing, but they keep your information by default. Under data privacy laws in the United States, you have the right to have that information removed, which is what you must do to protect your personal data. Every online business has a process for this, and you may need to hunt for it in their Terms of Use or Privacy Policy statements. Get in the habit of reviewing and removing unused accounts at least once a year.

If you maintain strong data privacy, you will be at a far lower risk from breaches and targeted attacks. This is part of the personal approach to data protection that Protect Now promotes through its CSI Protection Certification program, which boosts cyber security by teaching employees the importance of personal as well as professional data privacy. To learn more, contact us online or call us at 1-800-658-8311.