At a glance.

  • US DOJ investigating Federal court records data breach.
  • CNIL ends investigation into Facebook’s cookie settings.
  • Daughter of Rwandan activist testifies in spyware hearing.
  • New report on consumer identity theft.

US DOJ investigating Federal court records data breach.

Matt Olsen, head of the Justice Department’s National Security Division, yesterday informed the US House of Representatives Judiciary Committee that the Department of Justice is investigating a data breach involving the federal court records management system. Reuters reports that although it’s unclear who the perpetrators might be, Olsen alluded to the possibility of foreign cyberaggression from China, Russia, Iran and North Korea, and called the incident a “significant concern.” 

The panel’s Democratic chairman, Representative Jerrold Nadler alleged that “three hostile foreign actors” had attacked the courts’ document filing system and that the committee had only learned about the scope of the beach in March. Olson responded, “While I can’t speak directly to the nature of the ongoing investigation of the type of threats that you’ve mentioned regarding the effort to compromise public judicial dockets, this is of course a significant concern for us given the nature of the information that’s often held by the courts.” Early last year the Administrative Office of the U.S. Courts announced plans to improve its security procedures after an apparent data exposure, and the federal judiciary has been working to revamp its outdated electronic case management and filing system and the connected online portal PACER.

Tim Marley, VP Audit, Risk & Compliance, Field CISO at Cerberus Sentinel, provided the following comments on the distinctive challenges a breach of this kind presents:

“We’ve learned to measure risk by examining threats, vulnerabilities and the potential impact to our assets, including systems and data. When you look at the “startling breadth and scope” of the breach and the references to adversaries including Russia and China, it does make you question whether anyone evaluated the risk associated with this system ahead of time. If the risks were adequately identified and scored, then what sort of decision was made in response?

“The impacts in this case are particularly challenging to measure. It isn’t a simple matter of lost credit card data, health information or other personal data. The comments by Rep. Sheila Jackson Lee would indicate substantial operational impacts that may very well have led to the dismissal of court cases without trial. Again, with impacts this significant, it’s difficult to understand why stronger preventative measures weren’t already in place.”

“According to the statement by the US Courts system in 2021, the breach was tied directly to the SolarWinds compromise. We’re seeing situations like these far too often. We depend on the services and products of third parties to manage our information systems in today’s environment. It is still our responsibility to ensure that these products and services are secure. Further, we need to have a response plan for when those products and services fail to meet our expectations.

“A mature Third-Party Risk Management (TPRM) program requires that we assess those vendors that could directly impact the confidentiality, integrity or availability of our systems and data. These assessments should be conducted prior to engaging with a new vendor and no less than annually for existing vendors. Over the last few years, we’ve observed significant growth and demand in the third-party audit and/or certification market. Service providers are voluntarily pursuing third-party attestation to appease their client base and maintain a mature security program.”

CNIL ends investigation into Facebook’s cookie settings. 

French privacy regulator CNIL hit Facebook with a €60 million fine last December for failing to allow users to easily opt out of cookies, and gave the tech giant three months to remedy the issue or face further penalties. Security Week reports that CNIL yesterday closed its investigation into the matter, concluding Facebook had sufficiently revamped its user data collection processes to comply with the law by installing an “only allow essential cookies” button. Parent company Meta said Facebook’s cookie consent controls now “provide people with meaningful options over their data, and the ability to revisit and manage their decisions at any time.” Google was hit with a €150 million fine for similar reasons at the same time, and although Google confirmed in April they had “completely overhauled” their cookie controls, CNIL says that investigation is still ongoing.

Daughter of Rwandan activist testifies in spyware hearing. 

Researchers discovered earlier this year that the phone of Carine Kanimba, the youngest daughter of Rwandan political activist Paul Rusesabagina, had been infected with infamous surveillance software Pegasus, and that the spyware had been triggered during meetings negotiating the release of her father. Months before the discovery, Rusesabagina had been convinced to return to Rwanda, where he was imprisoned and is now serving a twenty-five-year prison sentence for charges he says are politically motivated. 

Now, Security Week reports, Kanimba and technology experts are urging US Congress to prohibit the use of commercial spyware like Pegasus and discourage investment in the firms that sell it. Organizations like the Oregon state employee pension fund and the Alaska Permanent Fund Corporation were found to be investing in a private equity firm that held majority ownership of NSO Group, maker of Pegasus. During her testimony before the US House Intelligence Committee on Wednesday Kanimba stated, “Unless there are consequences for countries and their enablers which abuse this technology, none of us are safe.” While the Biden administration last year imposed export limits on NSO Group and three other spyware makers, the Federal Bureau of Investigation has admitted it purchased a license for Pegasus to conduct “product testing and evaluation only,” and the committee has stated that such activities only legitimize the use of commercial spyware. According to the public version of its latest bill authorizing intelligence activities, the committee is asking US intelligence agencies to “decisively act against counterintelligence threats posed by foreign commercial spyware” by giving the director of national intelligence the authority to prohibit individual US agencies from acquiring or using such surveillance software. 

New report on consumer identity theft.

Identity and access management software company ForgeRock has released its Consumer Identity Breach Report, and the results show that two billion records containing usernames and passwords were compromised in 2021, a 35% increase over 2020. Accounting for 50% of all breaches, unauthorized access was the top breach vector, demonstrating that login credentials continue to be a hot commodity among cyber thieves. And the average cost of a single breach in the US retail sector climbed to $3.27 million, a nearly 66% increase.

Gunnar Peterson, CISO of Forter, observes that organizations relying on automated access controls while overlooking what’s going on in their networks set themselves up for data loss:

“Breaches have resulted in terabytes of stolen proprietary data and untold financial cost. The simplest of defenses in our toolbelt, credential and identity management, can be the difference between a secure system or an unimaginable incident.

“Most of the breaches are a result of businesses relying on automated access control and realizing too late when a user has been hijacked. Once an account is compromised, identity-based fraud can be extremely difficult to detect. 

“To succeed against dynamic cybercriminals and account takeover (ATO) attacks, organizations must build robust identity management systems and invest resources into building a learning system that evolves to identify anomalous user activity. These techniques can ebb and flow with the sophisticated threat landscape we’re witnessing today.”