🛢️ Leaky pipeline
Transneft, a Russian state-owned (and the world’s largest) oil pipeline company, suffered a data leak this week in what appears to be a hacktivist attack. In total, 79 gigabytes of stolen emails were published on the whistleblower website Distributed Denial of Secrets. The anonymous attacker dedicated the leak, perhaps jokingly, to Hillary Clinton, who encouraged hacktivism back in February during an MSNBC interview.
🚑 Hospital of the week
South Denver Cardiology Associates (”SDCA”), a medical group in Colorado, has suffered a data breach impacting 287,000 people. In its official statement, SDCA outlined that the breach was identified on January 4th of this year. Its investigation determined that an unauthorized third party had accessed PII during that time including Social Security numbers and health insurance information. SDCA has since secured its systems and notified law enforcement.
💺 Just a little turbulence
KrisShop, the in-flight shopping portal of Singapore Airlines has suffered a data breach that exposed the financial information of almost 5,000 travelers. It all started with a phishing attack on March 8th that led to unauthorized access by (preventable) human error. Personal information exposed includes KrisShop voucher codes, bank account numbers, frequent flyer numbers, and more. Singapore Airlines has since reported that the incident was isolated and that its systems are secure.
🇺🇸 New rule
Earlier this week, U.S. President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which imposes new cyber incident reporting requirements for “critical infrastructure entities”. Specifically, this new law will require such entities to disclose incidents to the CISA within 72 hours of discovery. For ransom attacks, that reporting window is shortened to 24 hours. The bill can be read in its entirety on the US Congress website.
💸 Drop in the bucket
Meta has been fined nearly $19 million by Ireland’s Data Protection Commission (”DPC”) in response to a series of 12 data breaches against that company that occurred between June and December 2018. The DPC wrote in a statement that Facebook and Meta “failed to have in place appropriate technical and organizational measures” necessary to protect EU citizens, violating GDPR in the process. Based on Meta’s nearly $118 billion revenue in 2021, it’s safe to say that this will have zero impact on the American company.