Cybersecurity Roundup for 10/7/2022: the Uber Conviction, LAUSD Ransomware Attack, and New CISA Rules
This week brought us the Uber conviction, new CISA rules on asset discovery scanning, and more details on the ransomware attack on the Los Angeles Unified School District.
Uber’s former chief security officer convicted over cover-up of 2016 data breach where hackers stole millions of customer records
Nearly every media outlet reported on the Uber case, and the latest analysis comes from Fortune. As the outlet originally reported on 10/6/2022:
The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.
A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal felony had been committed, federal prosecutors said. Sullivan could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
It was believed to be the first criminal prosecution of a company executive over a data breach.
However, many security executives have already taken issue with the ruling, voicing their concerns about whether or not the conviction makes sense.
As Traceable’s Chief Security Officer, Richard Bird, states:
“The uncomfortable truth about Joe Sullivan's verdict is that it shows how woefully inadequate our laws and regulations are in the digital world. The government was able to pursue a case against a C-level executive while granting other C-executives in the company immunity for their testimony.
There is no way that a host of Uber executives should be protected from their collective decisions if we are truly serious about holding executives civilly and criminally liable for the actions that result.
I think what CISOs will be concerned about most is that the inadequacies of the law as it relates to executive liability could result in CISOs simply being the easiest target for the government to pursue. Having to look over our shoulders for fear of being sold out by our own executive team for leading or following a collective decision is not the way to create a high performance culture.”
More Details on the Los Angeles (LAUSD) Ransomware Attack
As originally reported by TechCrunch:
The ransomware attack on the Los Angeles Unified School District (LAUSD) is now considered one of the largest data breaches of an educational institution in several years. This week it was reported that hackers stole approximately 500GB worth of sensitive data in the attack.
Vice Society, a Russian-speaking group that last month claimed responsibility for the ransomware attack that disrupted the LAUSD’s access to email, computer systems and applications, published over the weekend the data stolen from the school district. The group had previously set an October 4 deadline to pay an unspecified ransom demand.
The stolen data was posted to Vice Society’s dark web leak site and appears to contain personal identifying information, including passport details, Social Security numbers and tax forms. While TechCrunch has not yet reviewed the full trove, the published data also contains confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students.
LAUSD superintendent Alberto M. Carvalho confirmed the release of stolen data in a statement posted to Twitter on Sunday, along with announcing a new hotline starting Monday morning — (855) 926-1129 — for concerned parents and students to ask questions about the cyberattack.
CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection
This week, CISA announced a directive to improve asset visibility and vulnerability detection on federal networks. It directs federal civilian agencies to better account for what resides on their networks.
As CISA states:
Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices. The Biden-Harris Administration and Congress have supported significant progress by providing key authorities and resources. This Directive takes the next step by establishing baseline requirements for all Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly. “Knowing what’s on your network is the first step for any organization to reduce risk. While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”
CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies. Implementation of this Directive will significantly increase visibility into assets and vulnerabilities across the federal government, in turn improving capabilities by both CISA and each agency to detect, prevent, and respond to cybersecurity incidents and better understand trends in cybersecurity risk.
---
About Traceable
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle.