This CISO is going to prison & Cyber Criminal Caught

In this week's Cyber Weekly:

1. This CISO was convicted - 20 years...
2. Two prison sentences for this cyber criminal
3. 800 Medical facilities attacked
4. Student information leaked

Thanks to all 7020 subscribers. It really takes a community to fight against cyberattacks. By sharing and commenting on these newsletters, we can reach more people and help others from becoming a statistic. Share your comments below or simply like the post.

Former Uber CISO Convicted

In 2016, Uber was hacked and lost the personal data of over 57 million passengers and drivers. They concealed the hack for over a year. In 2018, Uber paid $148 million to settles claims because they were too slow in disclosing a hacking incident. At that hearing, the prosecution came to a settlement and decided not to criminally charge the ride-sharing company because the new management had a stronger focus on ethics and compliance.

‍

Apparently, Joseph Sullivan, former Uber CISO in 2016, went above and beyond to conceal the hacking by arranging to pay the hackers $100,000 in Bitcoin and have them sign nondisclosure agreements that falsely stated they had not stolen data. Sullivan was originally indicted in September 2020.

‍

In court last week, information came out revealing that several employees at Uber were in on the payoff plan. However, since this was the second time they were breached, the company worked with the prosecutors to build a case against Sullivan.

‍

“Joe Sullivan was found guilty of obstructing justice for keeping the breach from the Federal Trade Commission, which had been probing Uber’s privacy protections at the time, and of actively hiding a felony.” (WashingtonPost)

‍

Read about who knew about the ransomware attack, how they got in and how the case unfolded here.

‍

“This case will certainly make executives, incident responders and anybody else connected with deciding whether to pay or disclose ransom payments think a little harder about their legal obligations. And that’s not a bad thing,” said Brett Callow, who researches ransomware at security firm Emsisoft.

‍

‍

My thoughts: They really wanted to set an example. Now, people dealing with personal data will think twice before paying a ransom and ensuring the proper disclosure takes place. No one wants to get convicted when their employer didn’t prioritize cyber resilience or allocate the proper cyber security budget which lead to making rash decisions.

‍

‍

Former Canadian Government Employee Got a Second Sentence

‍

Sebastien Vachon-Desjarsdins was an IT Consultant for Government Services in Canada. He was sentenced to 7 years in prison after pleading guilty to 5 charges related to theft of computer data, extortion, the payment of cyptocurrency ransoms and participating in the activities of a criminal organization.

‍

However, he was just extradited to the US where he faced more charges. He seemed to have participated in the ransomware group called NetWalker. His home in Gatineau, Quebec had 719 Bitcoin valued at $28.1 million and $790,000 in Canadian currency.

‍

The Florida judge was so furious with the 35-year-old criminal, he wanted to give him life in prison. In the end, the judge handed 240 months in prison.

‍

“Netwalker targeted as many as 400 victims in more than 30 countries and collected $40 million in ransom payments.” (CBC)

‍

‍

My thoughts: 400 victims…

‍

‍

Over 800 Medical Facilities Affected

‍

Second-largest nonprofit hospital chain in the US, CommonSpirit, revealed they were a victim of a “security issue” last week. Unfortunately, medical services were disrupted across the country. The chain operates more than 700 care sites and 142 hospitals in 21 states.

‍

It is still unknown as to what the “security issue” involves. It isn’t clear if data was leaked. However, their subsidiary, CHI Health, reported outages across their hospitals and MercyOne Des Moines Medical Center has shut down some of its IT Systems. (TechCrunch)

‍

‍

My thoughts: With over 800 facilities, there is no doubt that thousands of people will be affected. On another note, a smooth PR move to call it a “IT security issue” instead of a ransomware attack or cyber security attack.

‍

‍

Massive Attack on Second Largest School District in US

‍

Los Angeles Unified School District refused to pay ransom following last month’s ransomware attack. Last week, 500 gigabytes of data about students and employees were leaked. The Vice Society Ransomware gang claimed responsibility for the attack. With over 1000 schools, the district experienced disruptions they are still dealing with.

‍

Superintendent, Alberto M Carvalho insisted the data leaked was limited to academic record during a 6 year span. However, other experts are suggesting that the attack exposed over 248,000 files containing social security numbers, contracts, invoices, passports and more. (axios)

‍

My thoughts: To avoid this from happening, you need to prevent the criminals from ever getting in. Look into EDR, MFA, VPN and conduct regular penetration tests.

‍