Christopher Wray, the F.B.I. director, warned in April that Russian election interference continued to pose a “significant counterintelligence threat” and that Russian efforts in the 2016 and 2018 elections were “a dress rehearsal for the big show in 2020.”

A bill introduced last month by Senator Ron Wyden, a Democrat from Oregon, would have allowed political parties to provide greater cybersecurity assistance to candidates. But it stalled in the Senate after the majority leader, Mitch McConnell, said he would not bring any election security bills to the floor for a vote.

The 2020 campaigns themselves are unlikely to have the expertise to track disinformation campaigns or to build sophisticated defenses needed to ward off hackers. In most cases, they cannot afford to pay outside experts market rates for such services, as required by federal election laws.

To thwart digital threats and phishing attacks, multinational corporations spend hundreds of thousands of dollars, at minimum, on security. Jamie Dimon, the chief executive of JPMorgan Chase, has said the bank spends nearly $600 million a year on security. Bank of America’s chief executive has said the bank has a “blank check” when it comes to cybersecurity. Security experts note that — despite significantly smaller head counts — presidential candidates and their campaigns are among the most targeted organizations in the world.

“Expecting campaigns to do this on their own is asking for failure,” said Laura Rosenberger, the director of the Alliance for Securing Democracy, a group that seeks to track and expose efforts by authoritarian regimes to undermine democratic elections.

Liz Upton from the Raspberry Pi Foundation made a shocking revelation, someone has offered cash to install a malware into its tiny computers.

Turkish systems are suffering a major cyber attack which is causing serious problems to organizations in the country. Is is an act of Information warfare?

Security researchers from ESET uncovered the Roaming Tiger hacking campaign, bad actors in the wild are targeting Russian organizations.

A honeypot set up by researchers at the SANS institute has shown that hackers have already attempted to exploit the Juniper backdoor.

Who planted the Authentication Backdoor in the Juniper ScreenOS? Security experts are making their speculation, but interesting revelations are coming out.

One day after Quest Diagnostics reported that nearly 12 million of its patients were potentially affected by a malicious breach of third-party bill collection vendor American Medical Collection Agency (AMCA), fellow clinical testing firm LabCorp acknowledged that roughly 7.7 million of its customers may be affected by the same incident.

Burlington, North Carolina-based LabCorp publicly disclosed the disturbing news yesterday in a Securities and Exchange Commission 8-K filing, warning that patient data it supplied to AMCA was exposed in the incident, which took place from Aug. 1, 2018 through March 30, 2019. Such information may include names, birth dates, addresses, phone numbers, dates of service, providers and unpaid balances.

Making matters worse, roughly 200,000 customers who paid LabCorp bills using AMCA’s web portal had their payment card information compromised, the LabCorp continued. According to the SEC filing, AMCA did not share the identities of these particular victims, but assured the diagnostics company that it had already begun to notify these individuals, and would offer them two years of identity protection and credit monitoring services.

This revelation appears to correspond to a May 10 DataBreaches.net report that said analysts from Gemini Advisory had found a database for sale on the dark web that contained information on about 200,000 individuals. Through their investigative work, Gemini’s analysts eventually linked the stolen data to AMCA.

Social Security numbers, insurance identification information, laboratory tests and results, and diagnostic information were not impacted in the breach, asserted LabCorp, which officially goes by the name Laboratory Corporation of America Holdings.

“AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes and data,” the filing said, later adding that in response to the incident LabCorp “ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers.”

Between Quest Diagnostics and LabCorp alone, nearly 20 million lab patients have now had their information imperiled, and it’s possible many more victims will come to light as other companies using AMCA as a third-party service provider discover their customer data was affected as well.

Security researcher Brian Krebs wrote on his website that a review he conducted of the Consumer Financial Protection Bureau’s complaint web page turned up nearly 700 complaints lodged against AMCA, which also operates under the name Retrieval-Masters Credit Bureau. These complaints revealed current or previous business relationships between AMCA and New Jersey’s EZPass system as well as American Traffic Solutions, which services rental car companies and processes millions of toll transactions and violations.

“Due to the interconnectedness of modern business, I will be surprised if we do not soon learn about other companies affected by this breach,” said George Wrenn, founder and CEO of CyberSaint Security, in emailed comments. “Organizations must be responsible for tracking their third parties, knowing the real-time status of their cybersecurity, data protection, and privacy postures, and identifying their risk tolerance, using this information to request remediation activities and make the most informed partnership decisions possible.”

Kevin Gosschalk, CEO of Arkose Labs, said that every third-party vendor is an “added access point” that requires attention, because “as hackers continue to evolve, they will target the endpoints that companies might not actively think of protecting.”

The fact that Question Diagnostics said certain medical information (unrelated to lab tests) was exposed and LabCorp acknowledged that insurance and provider information was affected is “troubling,” said Brad Keller, program director at Shared Assessments, because “there is no mechanism in place to prevent [the] misuse” of health care information.

“Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised. In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised,” Keller continued. But, “no such centralized process exists for health care or insurance information, making it extremely difficult to prevent the unauthorized use of this information.”

Some cybersecurity and privacy experts have already begun speculating on the regulatory implications of this incident.

“This breach will undoubted bring a hefty fine from [the Department of Health and Human Services’] Office of Civil Rights to ACMA…” predicted Michael Magrath, director of global regulations and standards at OneSpan. “However, what is necessary is for HHS to revisit the HIPAA Security and Privacy [Rules and] tighten the security controls for third parties.” Magrath suggested that the New York Department of Financial Services’ new Cybersecurity Regulation for financial institutions (23 NYCRR 500)  “could serve as the model.”

But Tom Garrubba, senior director and CISO of Shared Assessments, suggested that HIPAA already has clear-cut expectations for third-party business associates, under its Omnibus Rules. “Business associates are by law… to handle data with the same care as covered entities… and these B.A.s are to undergo proper due diligence from the covered entity,” said Garrubba in comments sent after the Quest disclosure but before LabCorp had made its announcement.

“I’m curious to see how swiftly the Office of Civil Rights… moves in to review the details of the breach with this particular business associate…who was performing the scope of work, and to see what negligence, if any, is on the hands of Quest,” Garrubba remarked. “I’m also curious as to the size of the fines to both entities, as the OCR has historically been under a lot of pressure to levy fines of health care breaches.”

Following the Quest Diagnostics disclosure, AMCA sent the following statement to SC Media: “We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”

 

Lost and stolen devices account for 45 percent of all breaches in Verizon's new health care data breach report.

"Want to keep using the pacemaker? "" pay us 2 bitcoins" Experts fear that ransomware will start targeting medical devices.

EMC and Hartford Hospital have agreed to pay US$90,000 to Connecticut in connection with the loss in 2012 of an unencrypted laptop containing patient information of 8,883 residents of the state, according to the state's attorney general.

Healthcare has become a favorite target for criminals, and some medical organizations are reacting by looking at outside providers to keep their data secure.But jumping to the cloud without first taking some precautions can be a mistake, experts say.

A survey of major industries reveals health care organizations are below average in secure coding.

Ad injection and other "man-in-the-middle" techniques will have a tougher time installing themselves onto PCs.

44 per cent of Internet users admit having shared their passwords or stored them in visible places.

Frankly, I'm surprised. Is it the revelation that Juniper had "unauthorized code" in their Netscreen product? Is it that a third party could reportedly remotely access these systems? Is it that VPN traffic could be decrypted?

I'm seeing in the news today that a subset of Twitter users have been receiving notifications that they may well be the targets of surveillance by nation state actors. Step one, let's all take a deep breath.

A group of computer scientists at the Massachusetts Institute of Technology has developed the most secure SMS text messaging system.

Tens of millions of users would be unable to access HTTPS websites that only use SHA-2-signed certificates, Facebook and Cloudflare have warned
Millions of Web users could be left unable to access websites over the HTTPS protocol if those websites only use digital certificates signed with the SHA-2 hashing algorithm.

A vital part of the Commodity Futures Trading Commission’s Data Protection Initiative has been completed, CFTC Commissioner Dawn Stump announced this week.

Cryptographic key reuse is rampart in European payment terminals, allowing attackers to compromise them en masse.

Security firm Zscaler discovered a malicious campaign based on a new strain of the Spy Banker banking malware.

FireEye says it has discovered a type of malware designed to steal payment card data that can be very difficult to detect and remove.
The cybercriminal group behind the malware, which FireEye nicknamed "FIN1," is suspected of being in Russia and has been known to target financial institutions.

The malware, which FIN1 calls Nemesis, infected an organization that processes financial transactions, which FireEye did not identify.

A criminal named Hacker Buba after asking UAE bank for $3 million ransom started leaking customer data online.

A new strain of PoS malware dubbed Pro PoS Solution is available for sale in the underground forums.