Welcome to another weekly cybersecurity news wrap-up.
IoT security for the US government took a big step with the US Senate unanimously passing the Internet of Things Cybersecurity Improvement Act of 2020. The legislation, which already passed the hurdle in the House of Representatives on September 14, is now waiting to be signed into law by President Trump. IoT device security has increasingly been a concern of the government with US agencies needing increased fleets of IoT devices for everything from tracking assets and monitoring ships to controlling access to buildings.
Also this week, we learned that global eyewear brand Luxottica is still being victimized by its attackers, months after an attack and an ensuring data breach was announced. The vendor reportedly first fell victim to a ransomware attack in August, leading to the shutdown of operations in Italy and China, as well as website disruptions for some popular Luxottica brands, such as EyeMed and Ray-Ban. Then, the data breach hit. Now it turns out the hackers have continued to leak information from the company as recently as November 7.
A cold storage firm that may distribute COVID-19 vaccines filed an SEC document on Monday saying that it's dealing with a cybersecurity incident affecting its network. Americold Realty Trust SEC 8K filing states "As a precautionary measure, the company took immediate steps to help contain the incident and implemented business continuity plans, where appropriate, to continue ongoing operations." Americold says it has notified law enforcement officials, cybersecurity experts and legal counsel.
“Resident Evil” game creator Capcom released more details about a significant breach at the beginning of this month. A November 16th company press release stated it was the victim of a "customised ransomware attack" and confirmed that personal information had been compromised. To date Capcom has acknowledged the comprised information includes sales reports, financial information, and nine items of personal information from current and former employees. Also concerning is that up to 350k items of personal information from customers, business partners, applicants and employees may have been compromised.
American Bank Systems (ABS), which provides services to US financial institutions and banks, has also recently been hit by ransomware. Avaddon, the ransomware group behind the attack, had earlier alleged they had acquired over 50 GB of the company’s proprietary data but had leaked a partial 4 GB dump earlier this month. Based on the timestamps on the screenshots below of the leaked files, it appears the incident occurred sometime last month. At this time it’s not clear how many customers have been impacted.
That’s the re-cap for the week’s biggest security stories. Thanks again for stopping by our blog. Have a great weekend.
Top Security News
BankInfoSecurity (November 19, 2020) Senate Passes IoT Cybersecurity Improvement Act
"The US Senate took a step forward this week on IoT security. The chamber unanimously passed without amendments the Internet of Things Cybersecurity Improvement Act of 2020, the latest iteration of legislation that has been in the works for three years. It was approved by the House of Representatives on Sept. 14.
The bill will now go to President Donald Trump to be signed into law - the first to address IoT.
Two states already have IoT legislation. California's law - SB-327 - which went into effect in January, forbids the sale of devices that do not have reasonable baseline security measures. Oregon's IoT law, which also became effective in January, is similar to California's."
Health IT Security (November 19, 2020) Luxottica Data Leaked by Hackers After Ransomware Attack, Breach
"Luxottica of America recently reported a patient data breach, which impacted 829,454 patients. However, while its public notice stressed officials were 'unaware of any misuse of personal information,' Nefilim ransomware threat actors have leaked data allegedly stolen from the vendor on the dark web in a number of installments.
Based in Italy, Luxottica is a global eyewear conglomerate that designs, manufactures, distributes, and retails eyewear brands, like LensCrafters, Sunglass Hut, and Pearle Vision, along with the EyeMed vision care plan. The vendor reportedly fell victim to a ransomware attack in August, leading to the shutdown of operations in Italy and China and website disruptions for some popular Luxottica brands, such as EyeMed and Ray-Ban."
Healthcare Info Security (November 17, 2020) Cold Storage Firm Reports Cybersecurity Incident
"A cold storage firm that was reportedly in talks to help in the effort to distribute COVID-19 vaccines filed a Securities and Exchange Commission document on Monday saying that it's dealing with a cybersecurity incident that affected its network.
Atlanta-based Americold Realty Trust says in its SEC 8K filing: 'As a precautionary measure, the company took immediate steps to help contain the incident and implemented business continuity plans, where appropriate, to continue ongoing operations.'
Americold says it has notified law enforcement officials, cybersecurity experts and legal counsel."
Ars Technica (November 16, 2020) Capcom: Up to 350,000 people could be affected by ransomware leak
"Earlier this month, Capcom revealed that there had been 'unauthorized access carried out by a third party' on its internal computer systems, but the company added that "at present there is no indication that any customer information was breached." This morning, though, Capcom revealed more details of the "customized ransomware attack" affecting its internal systems, potentially including the leak of personal information for up to 350,000 people."
Security Report (November 14, 2020) American Bank Systems hit by ransomware attack, full 53 GB data dump leaked
"American Bank Systems (ABS), a company that provides services to U.S. financial institutions and banks helping them 'operate efficiently and confidently in a rapidly evolving – highly regulated – environment' has been hit by a ransomware attack this month.
Avaddon, the ransomware group behind the attack had earlier alleged they had acquired over 50 GB of the company’s proprietary data but had leaked a partial 4 GB dump earlier this month, part of which has been analyzed by Security Report News."
Other Industry News
Like what you’re reading? Head to the Subscriber form in the sidebar to get insightful GlobalSign content delivered directly to your inbox.