Vizio to Pay Millions After Secretly Spying on Customers*:
- Vizio has agreed to pay $2.2 million to settle a lawsuit with the Federal Trade Commission after the television manufacturer was caught gathering customer data without permission for years.
- Vizio began making TVs in 2014 that automatically tracked what people were watching.
- Older devices were retrofitted remotely through software updates, and all of the data was gathered without telling consumers and without their consent.
- Vizio eventually accumulated “as many as 100 billion data points a day from millions of TVs,” which it then sold to advertisers.
- Aside from the monetary penalty, Vizio must stop the tracking, delete most of the data collected before March 2016, and require consumers to give consent before collecting information.
- The company released a statement following the settlement announcement, saying it “never paired viewing data with personally identifiable information such as name or contact information.”
*Source: Huffington Post, February 07, 2017
InfoSec Teams Share Keys to CISO Success*:
- CISOs (Chief Information Security Officers) promise to protect critical business data, but many lack the influence they need to be effective.
- High-performing infosec teams combine technical expertise and organizational engagement to do their jobs well.
- A new report from IANS highlights five high-level lessons CISOs should adopt as they aim to build greater influence within their organizations.
- CISOs must connect the dots across businesses, goals, strategies, and results, and build authority to get groups to work together.
- The second key is to embrace the role of change agent – CISOs and their teams are responsible for changing many things and need to be prepared for pushback.
- The third lesson is to be responsive and demonstrate the importance of security.
- High-performing CISOs also develop a cohesive team of employees who convey the same messages to everyone in the business, which requires proficiency in interpersonal skills.
- Fifth, CISOs must be patient – getting organizations to value their security teams takes time.
*Source: Dark Reading, February 09, 2017
UK Retailer Accused of Sweeping Major Breach Under the Carpet*:
- The UK's largest sporting retailer, Sports Direct, reportedly suffered a data breach last year but has been accused of failing to tell its workforce that their personal details may have been accessed by a hacker.
- The attack allegedly hit the firm in September after a hacker was able to exploit software bugs in an unpatched content management system platform.
- Despite Sports Direct’s breach monitoring systems detecting an attack at the time, one source said it was not until December that the firm realized the extent of the hacking.
- It is not known whether the staff has been alerted that their personal information may have been put at risk.
- The Information Commissioner’s Office, the UK’s data breach watchdog, will be making inquiries regarding the incident from 2016 involving Sports Direct.
- A spokesperson for Sports Direct said, “We cannot comment on operational matters in relation to cybersecurity…where appropriate we keep the relevant authorities informed.”
- The company has over 450 stores in the UK, with roughly 18,000 staff.
*Source: International Business Times, February 8, 2017
Cloud Storage the New Favorite Target of Phishing Attacks*:
- Phishing continued to be the top attack vector in 2016, as it has been for some time.
- The big difference was that instead of targeting financial services companies, phishers increasingly targeted cloud storage service providers like Google and Dropbox.
- Compared to 2013, when barely 10% of phishing attacks targeted cloud storage services, about 22.5% of phishing attacks last year involved such companies.
- The number of phishing sites in 2016 was 23% higher than the year before, while the volume of phishing emails grew by an average of 33% across financial services, cloud storage/file hosting, webmail/online, payment services, and ecommerce sites.
- In 2016, phishing also continued to be by far the most prevalent method for delivering ransomware.
- Driving the surge in phishing-related threats in 2016 was the broad acceptance of email addresses as the username by a growing number of websites.
- The easy availability of phish kits, or ready-to-use templates for creating working phishing sites, contributed to the problem.
- Unlike in the past where phishers were focused on immediate gains by going after financial accounts, they are now trying to maximize the information they can compromise with the least effort.
- The goal is to sell the information for a higher price on the underground market or use the information to attack secondary targets.
*Source: Dark Reading, February 07, 2017
New IoT Cybersecurity Alliance formed*:
- A group of businesses from across the IoT value chain have formed the IoT Cybersecurity Alliance, aiming to use their combined expertise to allay business concerns about the Internet of Things and solve its security challenges.
- The founding members of the group include AT&T, IBM, Nokia, Palo Alto Networks, Symantec, and Trustonic.
- Security is a major concern for businesses as they research and implement IoT infrastructure, and for good reason: AT&T noted that in the past three years it has seen a 3,198% increase in attackers scanning for vulnerabilities in IoT devices.
- In a survey the company conducted last year, 58% of business leaders said they were not confident in the security of their IoT devices.
- The new group outlined a number of specific goals, starting with conducting collaborative research on IoT security challenges across verticals such as health care, automotive, and industrial.
- The group also aims to influence the development of security standards and policies surrounding IoT.
- The tech revolution is spreading to every corner of the earth with the Internet of Things, and it's enabling data analytics and automation in ways never before imagined in business.
*Source: ZDNet, February 08, 2017