Yahoo Says Hackers Stole Info from 500 Million User Accounts

Yahoo said hackers stole personal information from 500 million of its user accounts, a massive security breakdown it attributed to a “state sponsored actor.” The breach disclosed Thursday, the latest setback for the beleaguered internet company, dates back to late 2014.

That’s when high-tech thieves hacked into Yahoo’s data centres, the company said. But Yahoo only recently discovered the break-in as part of an ongoing internal investigation.

The stolen data includes users’ names, email addresses, telephone numbers, birth dates, hashed passwords, and the security questions (and answers) used to verify an account holder’s identity.

Last month, the tech site Motherboard reported that a hacker who uses the name “Peace” boasted that he had account information belonging to 200 million Yahoo users and was trying to sell the data on the web.

Yahoo recommends that users change their passwords if they haven’t done so since 2014. The Sunnyvale, California, company said its investigation so far hasn’t found any evidence that information about users’ bank accounts or credit and debit cards was swiped in the hacking attack. It said it has “no evidence” that the attacker is still in Yahoo’s network.

News of the security lapse could cause some people to have second thoughts about relying on Yahoo’s services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon Communications for $4.8 billion.

That deal, announced two months ago, isn’t supposed to close until early next year. That leaves Verizon with wiggle room to renegotiate the purchase price or even back out if it believes the security breach will harm Yahoo’s business. That could happen if users shun Yahoo or file lawsuits because they’re incensed by the theft of their personal information.

Verizon said it still doesn’t know enough about the Yahoo break-in to assess the potential consequences. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said in a statement.


Canada: Cyber Risk: Tips For Staying Safe

Dentons Privacy and Cybersecurity group has developed a Cyber Risk awareness poster and check list to ensure you and your company can take the necessary steps to ensure protection from unwanted cyber attacks. It covers recommendations for both corporates and individuals.

Cyber attacks are on the rise and most of the time catch individuals and companies by surprise. The impact can be detrimental to individuals and companies, alike.

Cyber attackers use various methods to access individual and company data. We have created 5 easy-to-follow steps to help ensure that your data and your company’s data are protected.

At Dentons, our Global Privacy and Cybersecurity team is experienced in helping individuals and companies put policies and procedures in place to deal with events like cyber attacks.

In an increasingly connected world, cyber security will undoubtedly require close attention and vigilance, and the team at Dentons is here to help you stay protected.

About Dentons

Dentons is the world’s first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world’s largest law firm, Dentons’ global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.

Source: Mondaq

Aon: Business interruption due to a breach is top cyber risk concern

Findings underscore importance of conducting a cyber risk assessment, Aon outlines three-step approach for assessing cyber risk

Press Release:

CHICAGO (April 11, 2016) – Aon Global Risk Consulting, the risk consulting business of Aon plc (NYSE:AON), the leading global provider of risk management and human resource consulting and outsourcing, today released its 2016 Captive Cyber Survey report, which finds that the cost of business interruption due to a breach is the top cyber risk concern for businesses across all industries.

As Aon’s first cyber captive survey, the findings offer a better understanding of organizations’ current attitude towards cyber threats, risk assessment, insurance purchasing trends and loss adjustment concerns, and provide insight into current retail market trends, including captives and other risk financing solutions.

“Our findings also indicate that there is a disparity between companies recognizing that cyber is one of the fastest growing and permeating risks, and actually understanding what their individual exposures and coverage needs are,” said Peter Mullen, chief executive officer of Aon Risk Solutions’ Aon Captive and Insurance Management practice, who spearheaded the report. “Captives are a great alternative risk transfer solution for bridging this gap while the industry’s approach to cyber risk management catches up to the evolving pace of technology.”

The survey findings indicate that 94 percent of companies would share risk with others in their industry as part of a captive facility writing cyber. What’s more, Aon experts anticipate alternative risk transfer options to become increasingly sought after as these solutions give companies some control over underwriting, coverage scope and claims adjustment, while providing an opportunity to share best practices, experience and data in a private setting.

Additional highlights of the report include:

  • 61 percent of survey respondents buy cyber limits in the $10-25 million range, but overall 60 percent of large companies do not buy cyber insurance
  • Of those that do, 68 percent of companies surveyed buy cyber for balance sheet protection closely followed by ensuring due diligence comfort for the board
  • Only 25 percent of respondents that buy limits are confident that they comply with international best practices and standards for information security governance
  • 95 percent of companies surveyed state clear policy wording as the most important issue in the cyber risk market, and 75 percent of large companies express concerns about the loss adjustment process

“Given the evolving nature and complexity of cyber exposures, we found that the use of cyber risk assessments is surprisingly low,” said Kevin Kalinich, global practice leader for cyber/network risk at Aon Risk Solutions. “Conducting such an assessment is a useful tool for improving risk understanding and maturity as well as for helping organizations better prepare for potential business interruption during or after a breach. Aon is at the forefront of assisting clients to develop and implement a risk assessment approach that is cross departmental and can translate cyber exposures into financial impact.”

Aon recommends the following three steps to begin a cyber risk assessment:

  1. Scenario Analysis: Benchmark the existing cyber risk profile and work with business stakeholders to prioritize cyber risk scenarios
  2. Financial Modeling: Leverage advanced financial simulation tools using deterministic modeling to quantify first and third party costs of select cyber scenarios. Consider performing an analysis on non-damage business interruption scenarios using forensic accounting capabilities.
  3. Insurability Risk Review: Test the adequacy of limits against the assessed cyber risk as well as review the optimization of the proposed insurance program

About the 2016 Aon Captive Cyber Survey

Aon’s 2016 Captive Cyber Survey is designed to offer analysis of top cyber risk concerns, risk assessment approaches, attitudes toward cyber insurance and policy cover and structure. The survey, conducted for the first time in fall 2015, gathered input from risk managers and directors of more than 125 captive insurance companies. The 2016 findings will allow organizations to gain insight into the mounting threat of cyber risk, benchmark their risk management practices and identify approaches that may increase their preparedness.

More information about the 2016 Aon Captive Cyber Survey can be found here: http://www.aon.com/risk-services/cyber.jsp

Edmonton casino victim of cyberattack; employee, customer information stolen

The Canadian Press

EDMONTON — Officials at an Edmonton-area casino are doing damage control after finding out they were the target of a cyberattack that put employee and customer information at risk.

Over the weekend, computer systems at the River Cree Resort and Casino went down, but what happened wasn’t made clear until this week.

General manager Vik Mahajan says at first they thought it was a technical failure but later realized it was an actual attack.

He says there was theft of customer and employee information — though he won’t say how many people are involved — but the incident didn’t affect the casino floor.

Officials say as soon as the attack was discovered, police were contacted, along with cyber security experts at a private company.

Mahajan wouldn’t say what type of cyberattack took place, or what information was compromised.

“We’re trying to sift through all that,” Mahajan says. “I know there’s some personal information in our system that would relate to associates as well as customers and how much of that information is gone, we are trying to determine that.”

River Cree has been contacting people whose information may have been compromised.

The Alberta Gaming and Liquor Commission has been contacted, and is investigating as well.

(CTV Edmonton)

Canada: Legal Trends 2016: Cybersecurity

Article by Blake, Cassels & Graydon LLP

New privacy torts have recently emerged in certain Canadian jurisdictions, including intrusion upon seclusion and publicity given to private life. Intrusion upon seclusion allows a plaintiff to sue if (1) a person has intentionally or recklessly invaded his/her private affairs without justification and (2) a reasonable person would view the invasion as highly offensive. In Ontario, damages of up to C$20,000 are available, even if the plaintiff suffered no economic harm. Publicity given to private life allows a plaintiff to sue for publication of private facts when there is no legitimate public interest. Courts are increasingly certifying class actions for such privacy claims, even absent proof of harm. We expect the number of privacy class actions to continue to grow given the increasing number of data breaches.

TWO | PENDING FEDERAL MANDATORY BREACH NOTIFICATION REQUIREMENTS

Currently, Alberta is the only Canadian jurisdiction that has mandatory requirements to report data breaches outside the health-care context. New mandatory breach notification provisions of the Personal Information Protection and Electronic Documents Act, the federal statute that applies to collection, use and disclosure of personal information for commercial purposes, received Royal Assent on June 18, 2015. However, the act will not become effective until regulations are approved, which is expected to occur in 2016. These regulations will require organizations to notify the Privacy Commissioner of Canada if there is a breach of data security involving personal information in an organization’s control that poses a “real risk of significant harm” to affected individuals. Organizations will also be required to notify government institutions and other organizations of the breach in certain circumstances, including when those other entities may be able to reduce or mitigate the risk of harm to the affected individuals. Additionally, organizations will have to keep records of all sufficiently serious data breaches, even those that do not meet the harm threshold. Knowingly failing to report or record a data breach is an offence punishable by a fine of up to C$100,000.

When the new notification duties become effective, the number of privacy class actions will inevitably increase, as more information about data breaches will be available to plaintiff class counsel.

THREE | BOARD AND MANAGEMENT AWARENESS AND INVOLVEMENT

The rash of recent high-profile cyber breaches, including that of Canadian-based AshleyMadison.com, has made cybersecurity a top concern for Canadian boards. Boards want to better understand not only their role in managing cyber risks in their organizations, but also their exposure for failing to do so. When there is a breach, shareholders and others may sue directors and officers directly for the breach. Under the Canada Business Corporations Act, directors and officers are required to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. As a result, Canadian boards are increasingly trying to determine how to provide effective oversight of cyber risks within their organizations. Questions that Canadian boards are frequently asking relate to the board’s role in ensuring that effective governance structures for managing cyber risks are established, top-level security and privacy policies are put in place, security programs are implemented and regularly assessed, and security incident response protocols are established and regularly tested.

FOUR | THIRD-PARTY SERVICE PROVIDERS

It is no longer sufficient for organizations to focus only on the security of their own internal networks. As a result of cloud computing, data is increasingly in the custody of third-party service providers. Recognizing the risks posed by working with external providers, Canadian organizations are taking steps to better understand their external providers’ security practices and business continuity programs. While pre-engagement security assessments are currently quite common for organizations that entrust sensitive data to external providers, in light of information security management industry standards, the trend is moving toward regular, in-term security assessments.

An organization should consider imposing information security obligations in its contract with an external provider, where the provider has custody of the organization’s sensitive data or where the provider’s network “connects” to the organization’s network. Careful thought should be given to the appropriate security controls to apply to the provider, which may include a requirement for the provider to comply with one or more (or a combination) of the organization’s own security policies, the provider’s security policies and/or applicable ISO or other industry security standards. Rights to conduct security audits or assessments of the provider’s operations and receive audit reports or other regular reporting on security events from the provider should also be considered and spelled out in the contract. The contract with the provider should also specifically address how security breaches suffered by the provider should be reported, handled and managed. Of course, the contract should include sufficient provider obligations to enable the organization to comply with its data breach notifications and any other privacy and security obligations under applicable laws. Liability for data breaches should be allocated between the organization and the provider.

An organization should also consider whether a provider should be required to purchase cyber-liability insurance (if practicable) and whether the organization itself should obtain additional coverage to further mitigate its cyber-risk exposure.

Canada: Cyber Security: What The Hack?

Posted in Corporate finance

The cyber security risk

Although businesses have been ramping up their information security systems, the pace of cyber security breaches is not slowing down. One study estimates that cybercrime will cost businesses $2.1 trillion globally by 2019. And, as recent security breaches have taught us, a security breach can have reputational, moral, and deeply political complications. The 2014 hack of Sony Pictures cost the company $100 million, derailed plans for the distribution of a movie concerning North Korea, and raised ethical questions about the appropriate response to cyber terrorism.

On top of this, businesses will soon face stricter legal requirements around the disclosure of security breaches in Canada. New rules regarding the mandatory disclosure of security breaches were approved by Parliament in June 2015 and may come into force at any point. The Digital Privacy Act amends the Personal Information Protection and Electronic Documents Act and requires that an organization report any breach of security safeguards that reasonably creates a real risk of significant harm to an individual. Notification must be made to the Privacy Commissioner and to the individual involved. Significant harm under the statute includes financial loss, bodily harm, damage to reputation or relationships, and loss of employment, business or professional opportunities.

Cyber security breaches and their associated financial, reputational, and regulatory risks are here to stay.

Insurance as part of the solution

While the key to managing cyber security breaches will always be to implement strong data protection systems, cyber security insurance is becoming a popular way to address the financial consequences of cyber security breaches. A cyber security policy insures against risks to a company’s information technology and data assets, and leaves the insurance company with the uncertainty of actual damages in the case of a breach.

In the context of M&A, the problem with cyber security risk is valuing and allocating risk among parties. Similar to reps and warranty insurance (which we discuss here), cyber security insurance allows a company to allocate risk by transferring some to the insurance company and leaving the buyer and seller to allocate any remaining risk that falls outside the policy. Cyber security insurance is also valuable before M&A. Having a policy in place may help ease concerns of acquirers, as the insurance would cover security breaches that may have already occurred prior to closing but have yet to materialize. This has been found to hold true in jurisdictions that have data breach notification laws like the ones currently pending in Canada. Coverage can be a standalone product or can be built into existing policies such as business continuity insurance or supply chain insurance.

Cyber security risk represents a new and significant risk to businesses. Simply being aware of this risk is critical in an M&A deal. Once recognized, however, placing appropriate security measures, conducting IT due diligence, and allocating risk by way of negotiation or insurance will help all parties cut through data breach uncertainty and settle material issues efficiently.

Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global legal practice. We provide the world’s pre-eminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers based in over 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members (‘the Norton Rose Fulbright members’) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.