At a glance.

  • US considers blacklisting world’s leading video surveillance manufacturer.
  • IU Health patients impacted in MCG Health data breach.
  • EU Parliament seeks answers from NSO Group.

US considers blacklisting world’s leading video surveillance manufacturer.

The MIT Technology Review offers an in-depth look at Hikvision, the world’s largest manufacturer of video surveillance equipment. Established in China over twenty years ago, the company’s affordable products and its connections to the Chinese state have made its cameras ubiquitous in nearly two hundred countries. However, Hikvision’s role in the surveillance and oppression of Muslim minorities in China has already drawn US sanctions, and the US Treasury is now considering adding Hikvision to the Specially Designated Nationals and Blocked Persons (SDN) List, which would prohibit anyone in the US from conducting business with the company. “It may basically turn Hikvision into a domestic company very quickly,” says Conor Healy, researcher at online surveillance trade publication IPVM. Hikvision’s international revenue would plummet, but it’s unclear whether organizations already using Hikvision cameras would be asked to remove them immediately, and it’s possible current users might still be able to receive software updates from the company or use its cloud storage. Regardless, domestic business could keep the company alive. In response to the potential listing, a Chinese foreign ministry spokesperson voiced the country’s support for Hikvision and accused the US of “abusing state power and domestic law to wantonly suppress Chinese companies.”

IU Health patients impacted in MCG Health data breach.

MCG Health, which provides healthcare organizations with clinical guidance through artificial intelligence and technology solutions, has begun notifying clients that it suffered a breach compromising the data of over one million patients across the US, and the Herald-Times reports that nonprofit healthcare system Indiana University (IU) Health is among those impacted. MCG’s notification letter explains that an “unauthorized party” accessed personal patient data including names, medical codes, street and email addresses, telephone numbers, dates of birth, and Social Security numbers, but it’s unclear when or how the breach occurred. “It is surprising how little information there is,” said Fred H. Cate, IU vice president for research and former director of IU’s Center for Applied Cybersecurity Research. He added that the breach likely took place in March, even though patients are only learning of it now. One victim is reportedly suing MCG for alleged negligence.

Roger Grimes, data-driven defense evangelist at KnowBe4, points again at the ways in which third parties affect an organization’s data protection. “This is another example of a trusted third party becoming the weak link,” he emailed, “which then ends up compromising a company’s data, even if the impacted company had all the necessary security controls. If a company has access to your data or networks, then they need to have the same or better security controls. It may not prevent a data breach, but it reduces the risk and likelihood of one happening.”

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, noted the ways in which threat actors work through network perimeters. “This illustrates the point that you can try to plug every single access point, but threat actors are always looking for the simple flaw that will gain them access to your sensitive enterprise data,” Shadabi wrote, and urged that organizations think in terms of protecting data, not networks. “Data is always the target and only more data-centric security measures, such as tokenization and format-preserving encryption, can thwart the bad actors’ attempts to steal sensitive information to use for their nefarious purposes and personal gain. With these data protection methods applied to data as soon as it enters the corporation, that sensitive information becomes unreadable and therefore unusable by threat actors, although business applications and workers can still process and work with the protected data. Data-centric security can be a care package of data breach mitigation for your organization.”
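To make the tokenization point above concrete, here is an added example (not code from the article, from MCG Health, or from comforte AG) of vault-style, format-preserving tokenization of a Social Security number at the point of ingestion. It uses a random-token vault rather than a format-preserving cipher such as FF1, keeps the NNN-NN-NNNN shape, and leaves the last four digits in the clear so that masking, validation, and joins downstream keep working; everything it reads or stores (the records, the key, the in-memory vault tables) is constructed for illustration.

```python
"""Added example, not from the article: vault-style, format-preserving
tokenization of SSNs at ingestion. Tokens keep the NNN-NN-NNNN shape and the
last four digits, so downstream code that validates, displays, or joins on the
field still works, while only the vault can map a token back. All records and
keys below are constructed for illustration."""
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Maps SSNs to random tokens and back. In production the two tables live
    in a separately secured store with tightly scoped access; here they are
    in-memory dicts so the example runs offline."""

    def __init__(self, lookup_key: bytes):
        # The HMAC key lets the vault find the existing token for a repeated
        # SSN without keeping the SSN itself in a directly searchable form.
        self._key = lookup_key
        self._token_by_fingerprint: dict[str, str] = {}
        self._ssn_by_token: dict[str, str] = {}

    def _fingerprint(self, ssn: str) -> str:
        return hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not an NNN-NN-NNNN value")
        fp = self._fingerprint(ssn)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]  # same input, same token
        last4 = ssn[-4:]
        while True:
            # The first five digits are random, not derived from the SSN.
            head = "".join(str(secrets.randbelow(10)) for _ in range(5))
            token = f"{head[:3]}-{head[3:]}-{last4}"
            if token != ssn and token not in self._ssn_by_token:
                break
        self._token_by_fingerprint[fp] = token
        self._ssn_by_token[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; a leaked database holds tokens."""
        return self._ssn_by_token[token]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Ingestion step: replace the SSN before the record reaches any
    application database. Other fields pass through unchanged."""
    out = dict(record)
    out["ssn"] = vault.tokenize(record["ssn"])
    return out


def display_masked(token: str) -> str:
    """Downstream consumer that never needs the real value."""
    return f"***-**-{token[-4:]}"


def same_patient(rec_a: dict, rec_b: dict) -> bool:
    """Dedupe or join on the tokenized field works because one vault maps a
    given SSN to the same token every time."""
    return rec_a["ssn"] == rec_b["ssn"]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    stored = tokenize_record({"name": "A. Patient", "ssn": "123-45-6789"}, vault)
    print(stored)                        # token in place of the SSN
    print(display_masked(stored["ssn"]))  # ***-**-6789
    print(vault.detokenize(stored["ssn"]))
```

The trade-off to note: keeping the last four digits in the clear is what makes the token useful to existing applications, but those digits are themselves sensitive, so a leaked table of tokens still discloses them. Whether that is acceptable is a data-classification decision, and the vault's own access controls and logging become the control that matters.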

EU Parliament seeks answers from NSO Group.

As we noted yesterday, the European Parliament PEGA Committee’s investigation of Israeli spyware maker NSO Group’s infamous Pegasus software is culminating in a hearing in which Members of the European Parliament (MEPs) have the opportunity to question NSO representatives. Euractiv reports that on Tuesday the committee interviewed Chaim Gelfand, NSO’s General Counsel and Chief Compliance Officer, and MEP and rapporteur Sophie in ‘t Veld described Gelfand’s responses (or lack thereof) as “an insult to our intelligence.” Gelfand stated that Pegasus is sold only to governments for criminal and terrorist investigations, and that those governments must pass a “due diligence review” based on the country’s respect for human rights and rule of law before receiving access to the spyware. However, as MEPs pointed out, the clearly problematic political situations in certain Pegasus client countries such as Hungary and Poland raise questions about that review process. Gelfand also insisted that NSO has no access to the data collected by its clients, yet somehow ensures that the data is not abused. “But if you have no access to this information, how do you know this is not being abused? Or if it is used correctly? Do you have any information on how this intelligence is being used?” Polish lawmaker Bartosz Arłukowicz asked. Gelfand said abuse was disclosed through whistleblowers, and, as Politico reports, NSO says it has terminated at least one contract with an EU member state found to be abusing the software. “We’re trying to do the right thing and that’s more than other companies working in the industry,” Gelfand stated.