KrebsOnSecurity in Upcoming Hulu Series on Ashley Madison Breach

KrebsOnSecurity will likely have a decent amount of screen time in an upcoming Hulu documentary series about the 2015 megabreach at marital infidelity site Ashley Madison. While I can’t predict what the producers will do with the video interviews we shot, it’s fair to say the series will explore compelling new clues as to who may have been responsible for the attack.

The new docuseries produced by ABC News Studios and Wall to Wall Media is tentatively titled, “The Ashley Madison Affair,” and is slated for release on Hulu in late Spring 2023. Wall to Wall Media is part of the Warner Bros. International Television Production group.

“Featuring exclusive footage and untold firsthand interviews from those involved, the series will explore infidelity, morality, cyber-shaming and blackmail and tell the story of ordinary people with big secrets and a mystery that remains unsolved to this day,” reads a Jan. 12, 2023 scoop from The Wrap.

There are several other studios pursuing documentaries on the Ashley Madison breach, and it’s not hard to see why. On July 19, 2015, a hacker group calling itself The Impact Team leaked Ashley Madison internal company data, and announced it would leak all user data in a month unless Ashley Madison voluntarily shut down before then.

A month later, The Impact Team published more than 60 gigabytes of data, including user names, home addresses, search history, and credit card transaction records. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. It’s impossible to say how many users lost their jobs or marriages as a result of the breach.

I’m aware that there are multiple studios working on Ashley Madison documentaries because I broke the story of the breach in 2015, and all of those production houses approached me with essentially the same pitch: It would be a shame if your voice wasn’t included in our project.

What stood out about the inquiry from Wall to Wall was that their researchers had already gathered piles of clues about the breach that I’d never seen before.

I’d assumed that participating in their documentary would involve sitting for a few interviews about known historical facts related to the breach. But when Wall to Wall shared what they’d found, I was hooked, and spent several weeks investigating those leads further.

The result was a collaborative research effort revealing key aspects of the breach that have somehow escaped public notice over the years.

I won’t go into detail on what we discovered until the Hulu series is ready for release. Also, I am not privy to what they will produce with the interviews I gave. I can’t say that what we found untangles everything about the breach that was previously unknown, but it sure explains a lot.

Cato SASE Cloud Named “Leader” and “Outperformer” in GigaOm Radar Report for SD-WAN

Cato Networks today announced that it was named as a “Leader” and “Outperformer” by GigaOm in the analyst firm’s Radar for SD-WAN Report. This is the first year that Cato was included in the report, alongside 19 other notable vendors in the SD-WAN market. Despite Cato’s “freshman” status, GigaOm rates Cato an Outperformer overall and at the top of the list in both Key Criteria capabilities and Evaluation Metrics.

Figure 1: The GigaOm SD-WAN Radar

“GigaOm has made a thorough and practical evaluation of the market and we’re honored that Cato has been named a Leader and Outperformer in the SD-WAN Radar Report,” says Eyal Webber-Zvik, Vice President of Product Marketing and Strategic Alliances at Cato Networks. “Cato’s leadership position underscores the strength and maturity of Cato SD-WAN and shows the importance of considering SD-WAN as part of a broader SASE offering.”

Cato’s SD-WAN is Rated Exceptional in Nearly Every Aspect

GigaOm outlined the “table stakes” features that are the baseline capabilities for SD-WAN vendors. Among them are a virtual overlay network, centralized orchestration, built-in resilience, integrated security, and dynamic traffic engineering. Beyond those features, the analyst firm evaluated vendors according to several key criteria considered to be differentiators as well as the primary features for customers to consider as they compare solutions. Cato Networks is the only one of 20 vendors rated as “Exceptional” in every category.

Figure 2: Only Cato scored “Exceptional” across every one of GigaOm’s Key Criteria

In a similar manner, GigaOm lists eight Evaluation Metrics that provide insight into the impact of each vendor’s product features and capabilities on the customer organization, reflecting fundamental aspects, including infrastructure support, manageability, and total cost of ownership (TCO). Cato rated amongst the top 3 in GigaOm’s Evaluation Metrics, scoring “Exceptional” in 6 of the 8 categories.

Figure 3: Cato scored among the top 3 in GigaOm’s Evaluation Metrics

SPACE: The Cato Differentiator

GigaOm attributed this achievement to Cato’s unique architecture, the Cato Single Pass Cloud Engine (SPACE). “Cato SASE Cloud is a converged cloud-native, single-pass platform connecting end-to-end enterprise network resources within a secure global service managed via a single pane of glass,” says the report.

“By moving processing into the cloud using thin edge Cato Sockets, Cato SASE Cloud is easier to maintain and scale than competitive solutions, with new capabilities instantly available. Leveraging an expanding global SLA-backed network of over 75 PoPs, Cato is the only SD-WAN vendor currently bundling a global private backbone with its SD-WAN. Moreover, Cato offers both a standalone SD-WAN solution and a security service edge solution – Cato SSE 360 – for securing third-party SD-WAN devices.”

The post Cato SASE Cloud Named “Leader” and “Outperformer” in GigaOm Radar Report for SD-WAN appeared first on IT Security Guru.

UK second most targeted nation behind America for Ransomware

After closely monitoring the most active ransomware groups in 2022, the KrakenLabs team at Outpost24 are sharing their latest report that delves deep into the significant ransomware trends, threat groups, victim profiles, and motives behind these attacks from the past year. In total, the researchers identified 2,363 disclosed victims by various ransomware groups on Data Leak Sites (DLS) in 2022.

Key facts from the report include:

  • Most active ransomware groups: Existing entities like LockBit, BlackCat, Hive, and Karakurt have demonstrated exponential growth and have surpassed previous records despite the disappearance of prominent threat groups such as CONTI and the old REvil.

The total of victims per ransomware group during the year 2022 (Top 10)

  • Most attacked countries: From the 101 different countries that registered victims, 42% of them are from the United States. The UK is second on the list, followed by Canada, Germany, and France. In fact, 28% of victims were from Europe.

Top 20 countries with the highest number of victims

  • Worst offender: Last year, the ransomware group known as LockBit exhibited a significantly higher level of activity compared to other groups. They were responsible for 34% of all recorded attacks in 2022.
  • Sector most at risk: While critical infrastructure sectors accounted for just over half of the attacks perpetrated (51%), construction was the most targeted sector overall.

Breakdown of non-Critical sectors that were most at risk

“The recent clampdown of Hive, following REvil, is a positive sign for all; however, organizations must ensure they keep their guard up against this constantly evolving threat by prioritising cyber hygiene through regular vulnerability assessment, security testing and combining detection with threat intelligence to surface risk signals that can help prevent infection,” said Alejandro Villanueva, Threat Intel Analyst at Outpost24 and author of the report.

Further analysis by Outpost24 also revealed time periods in which the tables were turned, and ransomware groups were under DDoS (distributed denial of service) attack. In week 35 of 2022, the LockBit group claimed that they were being attacked as a consequence of leaking stolen data from Entrust, a cybersecurity company that was attacked previously by them. Outpost24 KrakenLabs detected that not just LockBit, but many other ransomware DLSs were suffering DDoS attacks during this period. It is likely the attackers were aiming to cause disruption for the ransomware groups during the extortion process.

Ransomware groups suffering from DDoS in the last week of August 2022

The post UK second most targeted nation behind America for Ransomware appeared first on IT Security Guru.

Will Emphasising App Security Lead to More App Installs?

The app industry is incredibly competitive. There are millions of apps available today, with many more being released all of the time. As a developer, making a fantastic app is one thing; ensuring it gets lots of downloads is another.

There are a number of ways in which developers can boost their app’s download numbers. Some choose to buy app installs; others focus on implementing an effective marketing strategy. One important factor that is crucial for boosting download numbers is app security. Let’s find out more.

What are the Threats?

Our modern lives are increasingly dependent on mobile apps. We use them for everything from socialising to financial management, and as a result, apps often hold personal and sensitive information about users. Cybercriminals are well aware of this and have devised various methods to compromise the security of apps and access this data.

Mobile app functions are executed by a server hosted by the developer. These servers are often a target for cybercriminals, who can exploit weaknesses in the code or structure to access sensitive information. Poor data handling and storage are another way in which user information can be targeted, with mistakes of this kind often coming with serious legal and regulatory ramifications for the developer. How can developers protect their apps and users against threats posed by scammers and hackers? Find out below.

How are Apps Secured?

Protecting the server is a fundamental part of proper app security. The server code should be regularly reviewed and maintained by a dedicated team, allowing for the rapid identification of emerging issues that can be addressed before they develop any further.

All user data must be properly stored and encrypted, and all regulatory rules regarding data storage practices must be strictly adhered to. Writing data to a device’s internal storage can be an effective way of protecting it from external threats.

Your overall security strategy must be regularly reviewed and updated. Cybercriminals are constantly finding new ways to target apps, so you need to be prepared to overhaul your security systems to adapt to new threats.

Why is Security Important?

Why is app security so important? Your users will often divulge incredibly sensitive information when using your app, including things like contact details and financial information. If they feel like their data is not safe and that they could be at risk of identity theft or fraud, they are far less likely to download and use your app. What’s more, unsafe apps can result in bad reviews, which will push your app down the app store charts and seriously impact download figures.

Emphasising your app’s security will almost certainly lead to more installs. Safety is a top priority for many app users. They will not want to use any app that they feel could pose a potential security risk. Make security the number one priority in the development process and watch installs increase and your app rise in the charts.

The post Will Emphasising App Security Lead to More App Installs? appeared first on IT Security Guru.

$400,000 Fine for Stalkerware App Developer

A fine of over $400,000 has been handed to the developer of several stalkerware apps, alongside an order to modify the software.

A consortium of 16 companies owned by Patrick Hinchy produced apps that snooped on users, including DDI Utilities, PhoneSpector, TurboSpy, Surepoint, Easy Spy, and Auto Forward.

These apps enabled customers to secretly monitor a range of activities on other devices, including text messages, photos, location, WhatsApp and Skype. Browsing history and other social media activity was also accessible.

The Stalkerware Problem

The US is among the top three countries in the world for stalkerware downloads. Research by Comparitech found that the US searches for apps related to ‘stalkerware’ more than any other country, while “mobile tracker” was the most searched related term overall, with 6.3 million global searches each year.

Hinchy promoted the software as legal, despite it being a requirement for users to install it onto other adults’ mobile devices. According to attorney general Leticia James, this breaks federal and New York state laws.

Rooting or jailbreaking devices invalidates the manufacturer’s warranty. Hinchy failed to inform customers of the potential damage that installing the products could cause to a device.

Alongside this, it was found that Hinchy misled customers about refund policies, made false claims about the security of data obtained by the apps, and created fake review sites to convince potential customers, the New York attorney general disclosed.

Likewise, he misled customers by creating multiple sites purporting to provide technology advice; however, they were found to have been made with the sole intention of selling products.

The Legality of Stalkerware Apps

The attorney general stated: “Snooping on a partner and tracking their cell phone without their knowledge isn’t just a sign of an unhealthy relationship, it is against the law.”

“These apps and products put New Yorkers at risk of stalking and domestic abuse, and were aggressively promoted by Patrick Hinchy through 16 different companies. Today’s agreement will block these companies from allowing New Yorkers to be monitored without their awareness, and will continue our ongoing fight to protect New Yorkers’ rights, safety and privacy.”

Hinchy was given a $410,000 fine and is legally required to update the apps so that the device owners know that their devices are being monitored.

In 2020, Google placed a ‘formal’ ban on stalkerware apps. Google updated its Developer Programme Policy so that stalkerware apps required ‘adequate notice or consent’ as well as ‘persistent notifications’ if downloaded. There was some concern around large loopholes when this was introduced.

The post $400,000 Fine for Stalkerware App Developer appeared first on IT Security Guru.

Finland’s Most-Wanted Hacker Nabbed in France

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

According to the French news site, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

The DDoS-for-hire service allegedly operated by Kivimäki in 2012.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.

Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.

Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17), he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

“The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Kivimäki is now crowing about the sentence. He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.

Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.

“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

Ransomware attack halts London trading

Ion Markets, a financial data group crucial to the financial plumbing underlying the derivatives trading industry, has fallen prey to the cybercrime group Lockbit.

The company has revealed that 42 clients have been affected by the attack, which has caused major disruption in its cleared derivatives division.

Reports suggest that some clients have been unable to contact Ion by phone since Tuesday, with some travelling to the company’s office at St Paul’s to seek more information.

“The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing,” according to a post on Ion’s website.

It’s understood that the incident has impacted other trade processing systems, even forcing some companies to process trades manually.

Lockbit has been especially active recently, claiming responsibility for the attack on Royal Mail last month, which forced the company to suspend international postal deliveries.

The cybercriminal group has reportedly used its signature ransomware, which encrypts files and issues a ransom note, typically demanding payment in cryptocurrency before the decryption key is provided.

Expert Insight:

Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Centre:

“Software is the critical infrastructure for all other critical infrastructure. The attack on Ion Markets illustrates not only the interconnected nature of the financial system, but also a crucial dependence on software.

Software is a powerful tool for productivity but must be managed properly. In particular, security must be a top priority in all phases of software, from its conception through to its deployment. This applies equally to builders and buyers. Builders must include security at every phase of their software development life cycle, using a combination of expert analysis and automated testing to flush out as many vulnerabilities as possible before software is put into production use. Buyers, similarly, should carefully evaluate the security practices of their vendors, then apply meticulous and repeatable processes for configuring, deploying, and operating the software they acquire.

Every piece of software is, in essence, an incredibly complicated machine. To secure such a machine against attack, builders and buyers alike must examine the entire supply chain of infrastructure, tools, open source components, source code, and configurations in a ceaseless quest to locate and mitigate vulnerabilities. When an incident occurs, such as the Ion Markets attack, existing processes must be examined to understand what went wrong and how the processes can be improved to reduce risk in the future.”

Sam Curry, chief security officer at Cybereason:

“While specific details are scant at this time, with dozens of Ion’s customers potentially impacted by this latest shameless ransomware attack, you can’t just snap your fingers and restore disrupted services. Let me be clear that LockBit is a criminal organisation and their brazen attack raises their profile and spreads more fear, uncertainty and doubt across many industries. In time, we will learn if a ransom demand was issued and paid, or whether Ion refused to negotiate with this criminal organisation.

Organisations can’t pay their way out of ransomware, and those that do only embolden the criminals to launch future attacks. For Ion and other organisations that improve their network resiliency, the cyber criminals will quickly move onto softer targets because they are looking for the path of least resistance. Most gangs want to maintain a low profile and avoid being caught in the cross hairs of law enforcement agencies. In general, companies should prepare for ransomware attacks in peacetime and ensure redundancy in network connectivity and have mitigation strategies ready. Practise good security hygiene and regularly update and patch operating systems and other software. Also, conduct periodic table-top exercises and drills including people beyond the security team and all the way to the Executive Suite.”

Jamie Cameron, security consultant at Adarma:

“Money is the biggest motivator for cyber threat groups like Lockbit, who are becoming ever more sophisticated in their attacks, which is why financial organisations need to be hyper focused on building their cyber resilience. It’s important they are aware that Lockbit is currently in a state of flux, and that previous defences against Lockbit’s signature ransomware are no longer applicable. Lockbit is evolving and it’s vital that businesses update their defences accordingly.

We’ve observed that Lockbit have been bringing in developers from the BlackMatter ransomware group to write a new version of their software (Lockbit Black), which is now free on the open market due to a leak from a disgruntled developer over a pay dispute. Most recently, Lockbit has had a developer, believed to be from the now defunct Conti group, write new malware, known as Lockbit Green, or they’ve utilised the leaked toolset from the two prominent Conti leaks of last year to develop this new variant.

Lockbit have been launching attacks using both the original version of their ransomware and Lockbit Black and we see no reason why they wouldn’t throw Lockbit Green into the mix. Organisations should be aware of this due to how prolific the group are.”

Ziv Dines, CTO, Cyber at Armis:

“The majority of organisations see PII, critical infrastructure and operational downtime as the most at risk in the event of a cyberwarfare attack, and Lockbit’s recent activity encompasses all three. It’s clear from attacks on critical services such as the Royal Mail and ION Group, a major supplier of services to the financial system, that criminals are gathering pace.

The affected company confirmed the incident has been contained to a specific environment, but the operational inefficiencies caused by having to switch to manual processes introduce a significant amount of risk in both the short and long term. Organisations should be on high alert, making sure they have oversight of their internal systems and any assets that may be connected to them in order to spot and remediate anomalies quickly.”

Jamie Akhtar, CEO and co-founder of CyberSmart: 

“This incident and its attribution demonstrate that we aren’t dealing with run-of-the-mill cybercriminals or threats. Instead, this looks like a calculated attack on the very infrastructure that supports the UK’s financial system. What’s more, it’s a signal that the ‘cyber cold war’ being conducted as part of the conflict in Ukraine has begun to heat up.

We’ve been seeing a pattern of escalation in these attacks over the past few months, so we urge all businesses, even SMEs, to be as vigilant as possible in updating and patching software, employing good cyber hygiene, and treating anything unusual with suspicion.”

The post Ransomware attack halts London trading appeared first on IT Security Guru.

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

With the proliferation of cyber attacks in all industries, organizations are beginning to grasp the growing significance of cyber risk and how this is an integral part of protecting and maintaining an efficient business. Ransomware is the single biggest cyber threat to global businesses; in fact, during the first half of 2022 alone, there were a total of 236.1 million cases of ransomware, which reflects the immense risk to which companies of all sizes are exposed. Digital transformation is only increasing the risk associated with cyber failures.

Typically, the expectation has been that chief information security officers (CISOs) are solely responsible for protecting the entire asset base and ensuring that all security needs are met. However, chief financial officers (CFOs) are just as vital to managing cyber risk, which is now inherently also business risk.

Given their visibility into every business unit, CFOs are assuming new strategic roles. As such, they are tasked with guiding the growth of their companies along with developing and maintaining the digital transformation and finance function. To do so efficiently and safely, however, they must be aware of where their cyber risk lies and how to manage it.

The distributed workforce and hybrid working model have contributed to the expansion of the threat landscape, and defenders still struggle to keep pace. For leaders to properly secure their businesses and have robust systems in place, they must include financial advisors and CFOs in conversations around ransomware and cybersecurity, or risk not being adequately prepared. This is because cybersecurity now touches all aspects of a business; the responsibility to protect the organization no longer solely lies with the security teams.

Using FAIR™ (Factor Analysis of Information Risk), the international model designed to measure information security and operational risk, information security teams can quantify cyber risk in financial terms. As a result, they can convey risk to business leaders in a way they will understand and that is impactful: in specific dollar amounts. In doing so, CISOs and CFOs can collaborate more effectively as they factor cyber risk into their budgets. They must ask themselves whether they are investing in the most cost-effective ways to reduce risk and better protect the organization as a whole.

How reporting has changed

Financial regulators, too, are beginning to take cybersecurity more seriously, viewing it as more of a strategic priority. In the U.S. particularly, the SEC recently proposed amendments to its original rules around cybersecurity risk management, in which the expectation is for companies to evaluate their existing cyber policies and procedures.

According to those guidelines, businesses would have four days to report material cyber incidents, would need to provide more in-depth company reports, and would have to file cyber risk reports regularly. As the CFO is responsible for disclosures of material interest, it is vital they are aware of all regulatory standards with which they must comply, as well as the risk to which they have been exposed. Cybersecurity standards and reporting requirements vary from country to country, and, in the U.S., from state to state as they continue to evolve.

The new regulations also call for organizations to outline how cybersecurity is part of their business strategy and financial plan, and what role their boards play in securing the company against cyber threats. CFOs, CISOs, security teams and C-suite executives will need to actively work together not only to adhere to the new rules but to ensure their business is protected from significant threats such as ransomware and other data breaches.

The importance of the CFO

The CFO is vital to determining whether certain cybersecurity incidents will become material and affect the business more seriously. They must also report on financial analysis for cyber incidents to those responsible for review and remediation, such as IT teams and the board and C-suite executives. More importantly, CFOs play a vital role in disclosing any concerning risk management policies and any oversight of cybersecurity risk that is not accounted for in original budgets.

The CFO’s expertise and input are crucial in ensuring that the organization’s cybersecurity capabilities align with the overall business strategy. This is only truly possible if a business is quantifying its cyber risk by following a risk quantification model such as the FAIR standard. By placing a monetary value on the risk to which an organization is exposed, the CFO can support C-suite executives and business leaders in making vital decisions to help secure the business.

The CFO’s insight is critical across many areas of cybersecurity including:

  1. Ransomware: The CFO is responsible for approving funding and advising the company on significant issues such as whether cybercriminals should receive their desired ransom. They play a pivotal role in ensuring the organization is fully prepared for all potential outcomes.
  2. Cyber insurance: Considering the trend that premiums are increasing while insurance coverage is decreasing, the CFO’s input on cost and value is critical. They are in the best position to understand where the risks lie and the potential financial losses that could be incurred.
  3. Regulatory compliance: Regulatory compliance is key to not incurring unnecessary and costly fines. Using a quantified value, CFOs can translate cyber risk into a universally understood concept and determine thresholds for when specific incidents can be considered material threats. In working together, information security teams and CFOs can determine the most cost-efficient plan to reach their compliance goals.
  4. Managing budgets: Collaboration with the CFO can help CISOs produce efficient spending benchmarks and evaluate how current investments are being used. Consequently, they can better allocate budgets where the risk is higher, depending on the dollar value previously calculated.

Cyber risk isn’t going to disappear soon. Ransomware is on the rise, as are other cyber threats, and cyber criminals are continuously developing new tactics, which creates more risk. It is vital that organizations adequately prepare themselves by taking all necessary measures to secure their company from any kind of breach, including the involvement of the CFO in vital conversations and decision-making processes.

To sufficiently prepare for ransomware and other large-scale cyber attacks, C-suite executives must consider budgets not only for compliance, but also for their risk appetite. In this way, they will be able to better protect themselves, while maximizing efficiency of budget spend. They must actively collaborate with information security teams as well as chief financial officers to be prepared for today’s cyber risk landscape.

By Dave Sutor, CFO at RiskLens

The post Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk appeared first on IT Security Guru.

JD Sports admits data breach

JD Sports has warned customers who bought items on its website, as well as those of Size?, Blacks and Millets, between November 2018 and October 2020 that they may have been impacted by the breach.

The company has urged customers to be wary of potential phishing emails, calls and texts in the aftermath of the breach, while claiming it was proactively contacting those whose details were confirmed to be stolen. Paul Bischoff, Consumer Privacy Advocate at Comparitech, echoed this sentiment, warning that “customers of JD and its affiliated brands should be on the lookout for targeted phishing messages from JD or a related company. These emails will attempt to get victims to click on a link or malicious attachment. The links might go to imitation login pages where victims are tricked into handing over their passwords or payment info. Never click on links or attachments in unsolicited messages!”

While it is not believed that passwords or full payment card data were exposed, JD Sports has admitted that cybercriminals may have gained access to the final four digits of customers’ payment cards.

Neil Greenhalgh, CFO at JD Sports, apologised to affected customers and confirmed that the company is working to mitigate damages.

“We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD,” he said.

A spokesperson for the Information Commissioner’s Office later confirmed it was working with the retailer to get to the bottom of the breach.

“We have been made aware of a cyber incident involving the retailer JD Sports and we are assessing the information provided,” they said.

The breach comes amidst a spate of high-profile cyberattacks in recent weeks, including on the UK newspaper The Guardian and email marketing service Mailchimp. Jamie Akhtar, CEO and co-founder of CyberSmart, notes that “JD Sports is the latest British household name to fall prey to a cyber attack. And this really fits the trend we’re seeing; the current economic downturn has led to cybercriminals redoubling their efforts to steal potentially valuable personal data.”

Aside from the economic downturn, some experts have cited a fluctuating technology landscape as a key factor in these high-profile cyberattacks.

“The JD Sports cyber incident is a reminder for all organisations that globally we can expect an increase in breaches due to our digital dependence, especially as businesses recover from the COVID technology shifts, and continuing threat shifts. Sadly, whilst companies spent years solidifying their capabilities for GDPR, in the last couple of years data has become far more fragmented by quick shifts to the cloud,” said Greg Day, SVP and Global CISO at Cybereason.

Erfan Shadabi, Cybersecurity Expert at comforte AG, argued that cyberattacks on large retail and e-commerce businesses should come as no surprise, considering the enormous amount of sensitive personal data (PII) about existing and prospective customers, as well as their dependence on transactions to drive their business forward.

“Retailers and e-commerce organizations must absolutely assume that their environment is currently under attack and protect this sensitive data accordingly. Businesses in these sectors need to apply data-centric protection to any sensitive data within their ecosystem (PII, financial, and transactional) as soon as it enters the environment and keep it protected even as employees work with that data. By tokenizing any PII or transactional data, they can strongly protect that information while preserving the original data format, making it easier for business applications to support tokenized data within their workflows,” he said.

The post JD Sports admits data breach appeared first on IT Security Guru.

Acronis seals cyber protection partnership with Fulham FC

Acronis, a global and visionary cyber protection company, today announced a three-year partnership with London’s oldest professional football club, Fulham FC. will support Acronis as its ‘Strategic #Cyberfit’ delivery partner, providing its cutting-edge cyber protection solutions and cloud backup service to the club.

Under the Strategic #Cyberfit delivery partnership, Acronis will provide Premier League side Fulham FC with a full suite of cyber protection solutions.

Arturs Banks, Head of IT of Fulham FC, said “We are very pleased to be working with Acronis and EveryCloud UK, and we look forward to incorporating them into our cloud backup and file security infrastructure. Their support and expertise will be invaluable to Fulham FC and the Fulham FC Foundation as we continue to prioritise data and cyber security at the club.”

Ronan McCurtin, VP of Sales Europe, Israel and Turkey, Acronis, said “We are proud to be partnering with Fulham FC, a club that understands the importance of keeping their data protected. With we have the right partner who will support us in providing the team with a full suite of Acronis cyber protection solutions to protect the team’s data assets and optimise data workflow, facilitating the team performing at its best both on and off the pitch.”

Paul Richards, Director of Technology, added “ is delighted to partner with Fulham FC alongside our partner Acronis to deliver a complete suite of Cyber Protection services. Our proven track record of working with Acronis will enable Fulham FC to further protect their data, systems and infrastructure with the reliability and performance of Acronis’ products and services. Even the strongest defence needs backup.”

The post Acronis seals cyber protection partnership with Fulham FC appeared first on IT Security Guru.