Change Healthcare breach affected 100 million Americans, marking a new record

The company notified the Health and Human Services Department about the figure this week, the first it has specified.

The post Change Healthcare breach affected 100 million Americans, marking a new record appeared first on CyberScoop.


Marriott agrees to pay $52 million settlement, improve data security practices 

The actions will settle investigations into security failures that led to overlapping data breaches affecting hundreds of millions of customers.


T-Mobile reaches $31.5 million settlement with FCC over past data breaches 

The telecom will pay half in the form of a fine, while the other half will serve as a down payment for improvements to data security and cybersecurity.


Biden’s cybersecurity legacy: ‘a big shift’ to private sector responsibility

Over the course of his term, Joe Biden has presided over an ambitious agenda on regulation and more, to both praise and criticism.


French privacy regulator slaps Facebook, Google with fines totaling nearly $240M

France’s privacy watchdog fined Google nearly $170 million and Facebook almost $70 million on Thursday for making it harder for users to refuse cookies — which store user information — than to accept them. The National Commission on Informatics and Liberty, or CNIL, also ordered Google and Facebook to fix that issue within three months or face daily fines of more than $100,000 from the restricted committee, the CNIL body that handles sanctions. “The restricted committee considered that this process affects the freedom of consent: since, on the Internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent,” the CNIL wrote. That puts the two companies in violation of the French Data Protection Act, the commission said. On Facebook, YouTube and Google sites, one click can […]


Banks must report major cyber incidents within 36 hours under finalized regulation

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday. Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system. The rule, dubbed the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was cemented by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. There is currently no specific window within which banks must report such incidents to the agencies in question. The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on […]


SolarWinds hack spotlights a thorny legal problem: Who to blame for espionage?

Every massive breach comes with a trail of lawsuits and regulatory ramifications that can last for years. Home Depot, for instance, only last month settled with a group of state attorneys general over its 2014 breach. The SolarWinds security incident that U.S. officials have pinned on state-sponsored Russian hackers is unlike anything that came before, legal experts say, meaning the legal liability could take even longer to resolve in court. As Congress, federal government departments and corporations reckon with the vast sweep of the SolarWinds breach, there are still many more questions than answers. Few pieces of it are less certain than how it might play out in court, where companies and individuals alike stand to gain or lose. Many millions of dollars, corporate blame and years of finger-pointing are on the line. That’s because the targets — government agencies, and some major companies — aren’t the usual kind of […]


Grid regulator warns utilities of risk of SolarWinds backdoor, asks how exposed they are

The North American electric grid regulator has asked utilities to report how exposed they are to SolarWinds software that is at the center of a suspected Russian hacking operation, and the regulator advised utilities that the vulnerability “poses a potential threat” to parts of the power sector. The North American Electric Reliability Corp. (NERC), a not-for-profit regulatory authority backed by the U.S. and Canadian governments, said in a Dec. 22 advisory to electric utilities that there was no evidence indicating that the malicious tampering of SolarWinds software had impacted power systems. But the fact that software made by Texas-based firm SolarWinds is used in the electric sector has made vigilance important, according to NERC. “At this time, NERC is not aware of any known impacts to bulk power system (BPS) reliability or system outages related to the SolarWinds compromise,” reads the advisory, which CyberScoop obtained. “However, the presence of SolarWinds […]


Twitter fined nearly $550,000 in Europe for response to bug that exposed private tweets

Regulators in Ireland have fined Twitter for failing to report a data breach promptly and not adequately documenting the incident, marking the first time the regulator has penalized a “big tech” company for violations of Europe’s data protection law. The fine of 450,000 euros, or about $550,000, stems from a bug that allowed thousands of people’s private tweets to be made public between late 2014 and early 2019, when Twitter reported the problem to European authorities. The social media company said it could only identify specific users affected by the breach from September 2017 onward — about 89,000 total over that stretch. The bug only affected users of Twitter’s Android app. Ireland’s Data Protection Commission issued the decision Tuesday on behalf of the European Union, under the EU’s General Data Protection Regulation (GDPR). Twitter’s European headquarters are in Ireland, as are those of Google, Facebook and several other multibillion-dollar U.S. […]


Insurer’s huge data exposure draws charges from New York state

New York regulators have charged an insurer with violating state cybersecurity law for allegedly exposing hundreds of millions of documents that included Americans’ personal data, including Social Security numbers and financial information. The New York State Department of Financial Services announced legal action Wednesday against the First American Title Insurance Company, the second-largest real estate title insurer in the U.S. The company is accused of exposing customers’ Social Security numbers, bank account information, driver’s license numbers and mortgage and tax records through a software vulnerability that went undetected between May 2014 and December 2018. Upon discovering the flaw during a routine security test, the insurance company failed to fix it, DFS alleged. “After the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and […]
