The Risk Report

The Risk Report - Dec. 17

December 17, 2021

Ransomware attacks on HR and payroll platforms have been taking the world by storm. One widespread software vulnerability might be to blame...

BREACHES OF THE WEEK

💸 Where's my paycheck?

Kronos Software, an HR and payroll platform used by such major clients as Tesla, the New York City Subway, and Clemson University, has suffered a ransomware attack. The resulting systemwide outage could last for "several weeks" and may delay payroll for thousands of people. Speculation points to the recent Log4j vulnerability as the ultimate cause of the attack.

🇦🇺 HR troubles down under, too

The personal information of 38,000 employees of the South Australia state government has been leaked on the dark web after yet another ransomware attack on an HR and payroll platform this week. Frontier Software, the platform in question, which has been handling South Australia's payroll since 2001, immediately notified all customers of the attack, and released a fix just four days later. This news comes about 2 months after the unveiling of Australia's Ransomware Action Plan, a collection of laws relating to ransomware response in the country.


🕯️ Hope you stay warm

Superior Plus, a Canadian propane distributor, has been hit with a ransomware attack, though early indicators show that no data was compromised in the process. The company has hired an outside cybersecurity firm to help with recovery efforts and has "temporarily disabled certain computer systems". Superior Plus recorded $1.8 billion in revenue last year and has 4,300 employees.

🛸 Evil drones

Reports are circulating that DJI, the world's largest commercial drone manufacturer, has been blacklisted by the US Department of Commerce over its involvement in the Chinese military-industrial complex. As a result, Americans will be prohibited from investing in DJI, as well as in any other companies added to the "Entity List". This retaliatory move is the latest attempt by the US to punish China for its repression of the Uyghur people and other minority ethnic groups within the country.


🇳🇴 Norway swipes left

Grindr, an LGBTQ+ dating app, has been fined just over $7 million by Norway's Data Protection Authority ("NO DPO") for violations of GDPR. Specifically, Grindr was found to have shared user data with third-party advertisers without proper user consent. While sexual orientation was not among the data shared, the report determines that, given Grindr's place within the LGBTQ+ community, any user's privacy could be put particularly at risk. This fine is the largest ever issued for such an offense by the NO DPO, and sends a strong warning to tech companies operating within the EU.


SPECIAL BULLETIN

What is Log4j?

You may have recently heard from a number of companies about a Log4j (or Log4Shell) vulnerability that some warn could take down websites "for years to come". But what is it exactly? And how has it already managed to target 40% of all corporate networks worldwide?

Log4j is an open-source logging library used by software to record activity, such as user actions. Developed and maintained by Apache, Log4j has been installed millions of times and is currently used by many large organizations around the world, including Amazon, Google, and the US Cybersecurity and Infrastructure Security Agency.

The flaw, first discovered in late November of this year, allows easy remote access to servers that use Log4j and, in turn, to other computers interacting with those servers. This is the perfect opportunity for bad actors to install viruses or cryptocurrency mining tools, stage corporate shakedowns, and run whatever other exploits their hearts desire.

Now, certainly, this is all very concerning. But, as with most bugs, patches are generally released fairly quickly. So what's the deal? Well, while the bug was first discovered not too long ago, it wasn't until last week—after the vulnerability surfaced in Minecraft (owned by Microsoft)—that Apache shared the news with the public. The bigger issue is that it is up to the companies that use Log4j to develop the fix themselves, and many of them may not even know that they use the framework. All of this adds up to why security researchers are so concerned about this vulnerability lasting, potentially, for years to come.

The good news is, there are steps you can take to determine if your servers have a Log4j vulnerability that needs fixing.
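One such check, added here as an example and not taken from the newsletter: a Python script that walks a directory tree, finds every log4j-core jar by its Maven metadata, reports the version the jar declares, and notes whether the JndiLookup class (the class Apache's mitigation guidance says to remove from older builds) is still inside it. It hard-codes no version range; the operator compares the reported versions against the vendor advisory. The two jars it scans are constructed in a temporary directory for demonstration.

```python
import os
import tempfile
import zipfile
from typing import Dict, List, Optional

# Real paths inside a log4j-core jar (Maven metadata and the JNDI lookup class).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(path: str) -> Optional[Dict[str, object]]:
    """Return a finding for a log4j-core jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPERTIES not in names:
                return None
            version = "unknown"
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            return {"path": path, "version": version,
                    "jndi_lookup_present": JNDI_LOOKUP_CLASS in names}
    except zipfile.BadZipFile:  # not a zip at all; skip rather than crash the scan
        return None


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and collect a finding for every log4j-core jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Constructed sample input: one fake log4j-core jar and one unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    with zipfile.ZipFile(os.path.join(root, "app-lib.jar"), "w") as jar:
        jar.writestr(POM_PROPERTIES, "version=9.9.9-CONSTRUCTED\n")  # placeholder version
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")          # stub class bytes
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as jar:
        jar.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['path']}: log4j-core {f['version']}, JndiLookup present: {f['jndi_lookup_present']}")
```

Point it at a real server's application directories instead of the constructed tree; jars nested inside .war or .ear archives are not unpacked by this version.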
