This county had to teach Millennials how to use fax machines & there is chaos at this grocery store

In this week's Cyber Weekly:

  1. This county is going backwards
  2. Social media platform attack is worse than initially thought
  3. The chaos at this store after "IT issue"
  4. Social media platform fined 800,000 euros
  5. In case you didn't know...

Thanks to all 9517 subscribers. It really takes a community to fight against cyberattacks. By sharing these newsletters, we can reach more people and help keep others from becoming a statistic. Simply share the post in the top right corner.

Also, follow me on LinkedIn for daily tech discussions >> Luigi Tiano.

1. Millennials needing to learn how to use a fax machine after this massive attack

On September 8, a ransomware attack hit the Long Island County. Over two months later, details are still being released and the full scope of the damage is still emerging, but it's clear that more personal information was exposed than had been previously announced. In addition to the personal information they thought was stolen, it was determined that driver's license numbers of over 470,000 people were also exposed.

But that isn't all.

Without immediately knowing the source of the attack, the county disabled 10,000 emails and scrubbed infected hardware when they were attacked. In fact, their antivirus alerted them to the attack. But without the proper cyber security tools in place, the county is still offline today.

Offline means:

  1. Police officers radioing in crime scene details instead of emailing reports to headquarters
  2. Office workers resorting to fax machines
  3. Teaching millennials how to use fax machines
  4. Paper checks personally signed to distribute to contractors - all manual
  5. Title searches back to being a manual process
  6. Decrease in 911 response times (nytimes)

Thoughts: What a disaster! This is exactly why antivirus cannot be your entire cyber security strategy. It’s not enough anymore. Antivirus is meant to let you know when something goes wrong. However, hackers have evolved. Knowing you were breached is not enough.

Here are some of the solutions that help prevent this from happening to you. You need to try to prevent the attack altogether, but, as we say, layering your security is the best way to defend yourself: firewalls, MFA, email and web filtering, Endpoint Detection and Response (EDR) and, for some daring and mature clients, XDR. These are only a few! Many clients are required to implement EDR at a minimum in order to qualify for cyber insurance. Antivirus just won’t cut it anymore!

Ideally, you would invest in extended detection and response (XDR) that prevents and identifies attacks. XDR is a more holistic approach that identifies, monitors, investigates and responds to potential threats. If you have questions about this solution, schedule a 15-minute call with me directly in my calendar.

2. Twitter Ransomware Attack was Worse Than Reported

Earlier this year, personal information of 5.4 million Twitter users was stolen from a vulnerability in their API. The stolen data included Twitter IDs, names, login names, phone numbers and email addresses of subscribers. Initially, it was believed that one hacker stole the data.

Last week, security researchers identified that many hackers used the same vulnerability to steal data. The data on the dark web also seems to be different than the 5.4 million users we already knew were exposed – up to 17 million users. And in addition to that, the data is being given away for free to hackers online. (bleepingcomputer)

Thoughts: This always happens. Data breaches are worse than we read in the news. This reveals two things.

First, if a service provider you use gets hacked, your data was compromised – you need to change your passwords and you need to be extra vigilant for fraud. They likely have your email.

Second, usually a cyber attack affects companies/institutions for months. You may also look into a dark web monitoring solution where your identity and credit requests are monitored. Avoiding a cyber attack is the goal. A great example is the next story.

3. Chaos at Sobey’s after Ransomware Attack

We reported on Sobey’s "IT issue" just two weeks ago. Employees are revealing the real aftermath of the cyber attack.

Here are some of the things happening:

  1. Running out of food because inventory is not properly maintained
  2. Pharmacies unable to fill new prescriptions
  3. Loyalty cards or gift cards are not working
  4. Payroll system is down
  5. No access to computer systems or handheld scanners
  6. Checkout machines unreliable

“It’s basically been a mess,” one employee said.

“The company has not officially told employees the cause of the outage. They have been instructed to simply tell customers it's an IT issue.” (cbc)

Thoughts: Sobey’s is trying to cover up the extent of the cyber attack. In fact, they still haven’t confirmed it was a ransomware attack (although many speculate that it is Black Basta ransomware.) Clearly, the stores are being affected by something out of their control. Two weeks have gone by. We shall see what happens over the holidays. It will be chaos.

4. Discord fined 800,000 euros

The CNIL (Commission nationale de l'informatique et des libertés) is the independent body responsible for issuing sanctions. Earlier this month, they made it public that they were issuing one to Discord – a platform to talk over voice, video and text. In other words, it’s a community-based platform that is similar to Microsoft Teams for the non-business world.

The imposed fine is determined by a few factors including breaches identified, number of people concerned and efforts made to reach compliance.

Here is a list of the sanctioned breaches in layman’s terms:

  1. No written data retention policy - In this specific case, there was a focus on users from France – a total of 2,474,000 users that have been in their systems for over 3 years.
  2. No defined data retention periods.
  3. No data protection by default – by default, leaving a voice room didn’t mean people couldn’t hear you anymore. It’s still possible for people to hear you, even when you leave the chat.
  4. Failure to ensure security of personal data - At the time of the investigation, a six-character password was acceptable.
  5. No protection impact assessment – The company thought they didn’t need one but the committee thought they did. (cnil)

Thoughts: This is not looking good for a company worth $7 billion. Imagine what the small companies are overlooking. I really want to stress the importance of protecting your personal information. It can lead to really awful things. Don’t just give away your information without asking if it is really necessary.

5. In case you didn't know...

I started Assurance IT with my childhood friend Ernesto Pellegrino in 2011. Our mission is to help 100,000 companies become cyber resilient through our services and free content. We focus on helping mid-sized organizations with data protection and data privacy. Our primary services include: endpoint management, cloud backup, DRaaS, Office 365 backup, and Quebec's Law 25 training.
