LastPass breach exposes how US breach notification laws can leave consumers in the lurch

The U.S. famously does not have a federal privacy law and instead relies on 50 different state laws governing breach notification.

The post LastPass breach exposes how US breach notification laws can leave consumers in the lurch appeared first on CyberScoop.

SEC’s Gensler signals enhancement of cybersecurity, breach disclosure rules for financial sector

U.S. Securities and Exchange Commission Chairman Gary Gensler is exploring an expansion of the SEC’s core cybersecurity rules to cover a broader swath of entities and require public companies to improve disclosure of breaches and risks. Gensler said in a speech on Monday that he instructed staff to look into an update of the commission’s “Regulation Systems Compliance and Integrity,” or Reg SCI, which the SEC adopted in 2014. Staff will examine whether the regulation — under which trading organizations and others must take security steps like backing up data — should extend to include the largest market-makers and broker-dealers. Gensler also said he asked staff to consider recommendations on bolstering the financial sector’s cybersecurity hygiene and incident reporting, how customers and clients receive notifications of financial sector breaches and how public companies disclose cybersecurity practices and risks. And he wants staff to examine how to better address cyber risk […]

The post SEC’s Gensler signals enhancement of cybersecurity, breach disclosure rules for financial sector appeared first on CyberScoop.

Breach notification window, accountability are focus of coming fight on cyber legislation in Congress

Battle lines are drawn in Congress over legislation that would require companies to report some cyber incidents to the federal government, with industry groups lining up to support a House of Representatives bill poised to create fewer challenges for business leaders than a similar proposal in the Senate. The debate involves questions about how quickly companies would have to report attacks, what kinds of specific intrusions would trigger notification and whether failure to comply with the rules would lead to financial penalties. The idea of breach notification legislation gained momentum following last year’s discovery of the SolarWinds hack that compromised nine federal agencies and some 100 companies, as well as the Colonial Pipeline ransomware attack in May. At issue are such questions as whether companies have 24 or 72 hours to report an incident, along with who would be on the hook outside of critical infrastructure owners and operators, if […]

The post Breach notification window, accountability are focus of coming fight on cyber legislation in Congress appeared first on CyberScoop.

T-Mobile breach climbs to over 50 million people

T-Mobile on Friday announced roughly 6 million additional accounts had data swiped in a recent hack, bringing the total number of victims of the breach to over approximately 55 million individuals. The revelations come as lawmakers have ramped up scrutiny of the company. An additional 5.3 million subscriber accounts had addresses, names, dates of birth, and phone numbers accessed, T-Mobile said. The company also found that the data of 667,000 more accounts of former T-Mobile customers, including their names, phone numbers, addresses and dates of birth, had been accessed. Unlike the first set of customers identified by T-Mobile on Wednesday, none of these additional accounts had their Social Security Numbers or ID information compromised, the company said. The new findings also reveal that phone data, IMEIs and IMSIs were also accessed. IMEIs, which are often used for advertising purposes, are a unique fingerprint for a device that cannot be […]

The post T-Mobile breach climbs to over 50 million people appeared first on CyberScoop.

Japan’s Tokio Marine is the latest insurer to be victimized by ransomware

Ransomware struck Japan’s largest property and casualty insurer, Tokio Marine Holdings, at its Singapore branch, the company disclosed on Monday. Tokio Marine, which has a U.S. division and offers a cyber insurance product, said it did not have any immediate indication that any customer information was breached. Such data could be a smorgasbord for hackers who would use the data to extort victims based on their coverage amounts. It’s at least the third major insurer to disclose a ransomware attack in recent months, following CNA and AXA. And it’s the second insurer just this week, with Ryan Specialty Group — fresh off launching an initial public offering — to disclose a cyber incident. Cyber insurers have, of late, taken to asking more detailed questions about policyholders’ cybersecurity safeguards as a condition for providing coverage. But the spate of recent successful attacks suggests that insurers, too, might need to step up […]

The post Japan’s Tokio Marine is the latest insurer to be victimized by ransomware appeared first on CyberScoop.

Senate bill proposes requiring cyber incident notification to feds within 24 hours

Senate Intelligence Chairman Mark Warner is sharing draft bipartisan legislation that would require critical infrastructure owners, cybersecurity incident response firms and federal contractors to report cyber intrusions to the Homeland Security Department within 24 hours. It’s one of the earliest bills to respond to a spate of attacks that began with the SolarWinds breach and continued on through the Microsoft Exchange hack and ransomware incidents at Colonial Pipeline and meat supplier JBS. It won’t be the last, either in the House or Senate. Warner has been pushing the idea for months. At a February hearing of Warner’s committee, the Virginia Democrat, other senators and witnesses from SolarWinds, Microsoft and FireEye discussed the thought Warner had been floating. The fear was that if FireEye hadn’t voluntarily disclosed that it was a victim of the SolarWinds supply chain hack that compromised nine federal agencies and many technology companies, the damage would’ve been more severe. […]

The post Senate bill proposes requiring cyber incident notification to feds within 24 hours appeared first on CyberScoop.

McDonald’s discloses hack of customer data in South Korea and Taiwan

Hackers recently breached the IT systems of McDonald’s and accessed email addresses, phone numbers and delivery addresses for certain customers in South Korea and Taiwan, the fast food giant said Friday. “In the coming days, a few additional markets will take steps to address files that contained employee personal data,” McDonald’s said in an emailed statement. The burger chain said it quickly identified and contained the breach, which involved a “small number of files.” No customer payment information was affected, according to McDonald’s. The breach also involved business contact information of U.S. employees and franchisees, the Wall Street Journal reported. In some cases, the intruders also accessed data about restaurant seating capacity and the square footage of play areas, the Journal reported. It was unclear who was responsible for the hack. A McDonald’s spokesperson did not respond to an emailed question on who the culprit might be. McDonald’s, which reported […]

The post McDonald’s discloses hack of customer data in South Korea and Taiwan appeared first on CyberScoop.
