Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion

An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.

The multimedia investigation by the Organized Crime and Corruption Reporting Project (OCCRP) and several international journalism partners detailed the activities of the so-called Riviera Maya crime gang, allegedly a mafia-like group of Romanians who until very recently ran their own ATM company in Mexico called “Intacash” and installed sophisticated electronic card skimming devices inside at least 100 cash machines throughout Mexico.

According to the OCCRP, Riviera Maya’s skimming devices allowed thieves to clone the cards, which were used to withdraw funds from ATMs in other countries — often halfway around the world in places like India, Indonesia, and Taiwan.

Investigators say each skimmer captured on average 1,000 cards per month, siphoning about $200 from individual victim accounts. This allowed the crime gang to steal approximately $20 million monthly.

“The gang had little tricks,” OCCRP reporters recounted in their video documentary (above). “They would use the cards in different cities all over the globe and wait three months so banks would struggle to trace where the card had originally been cloned.”

In September 2015, I traveled to Mexico’s Yucatan Peninsula to find and document almost two dozen ATMs in the region that were compromised with Bluetooth-based skimming devices. Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based, allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device, I was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad made to be slipped under the legit PIN pad on the machine, is the orange bit, top right. The Bluetooth and data storage chips are in the middle.

Several days of wandering around Mexico’s top tourist areas uncovered these sophisticated skimmers inside ATMs in Cancun, Cozumel, Playa del Carmen and Tulum, including a compromised ATM in the lobby of my hotel in Cancun. OCCRP investigators said the gang also had installed the same skimmers in ATMs at tourist hotspots on the western coast of Mexico, in Puerto Vallarta, Sayulita and Tijuana.

Part III of my 2015 investigation concluded that Intacash was likely behind the scheme. An ATM industry source told KrebsOnSecurity at the time that his technicians had been approached by ATM installers affiliated with Intacash, offering those technicians many times their monthly salaries if they would provide periodic access to the machines they maintained.

The alleged leader of the Riviera Maya organization and principal owner of Intacash, 43-year-old Florian “The Shark” Tudor, is a Romanian with permanent residence in Mexico. Tudor claims he’s an innocent, legitimate businessman who’s been harassed and robbed by Mexican authorities.

Last year, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard, Constantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??

Throughout my investigation, I couldn’t be sure whether Intacash’s shiny new ATMs — which positively blanketed tourist areas in and around Cancun — also were used to siphon customer card data. I did write about my suspicions that Intacash’s ATMs were up to no good when I found they frequently canceled transactions just after a PIN was entered, and typically failed to provide paper receipts for withdrawals made in U.S. dollars.

But citing some of the thousands of official documents obtained in their investigation, the OCCRP says investigators now believe Intacash installed the same or similar skimming devices in its own ATMs prior to deploying them — despite advertising them as equipped with the latest security features and fraudulent device inhibitors.

Tudor’s organization “had the access that gave The Shark’s crew huge opportunities for fraud,” the OCCRP reports. “And on the Internet, the number of complaints grew. Foreign tourists in Mexico fleeced” by Intacash’s ATMs.

Many of the compromised ATMs I located in my travels throughout Mexico were at hotels, and while Intacash’s ATMs could be found on many street locations in the region, it was rare to find them installed at hotels.

The confidential source with whom I drove from place to place at the time said Intacash avoided installing their machines at hotels — despite such locations being generally far more profitable — for one simple reason: If one’s card is cloned from a hotel ATM, the customer can easily complain to the hotel staff. With a street ATM, not so much.

The investigation by the OCCRP and its partners paints a vivid picture of a highly insular, often violent transnational organized crime ring that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.

It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.

Tudor and many of his associates maintain their innocence and are still living as free men in Mexico, although Tudor is facing charges in Romania for his alleged involvement with organized crime, attempted murder and blackmail. Intacash is no longer operating in Mexico. In 2019, Intacash’s sponsoring bank in Mexico suspended the company’s contract to process ATM transactions.

For much more on this investigation, check out OCCRP’s multi-part series, How a Crew of Romanian Criminals Conquered the World of ATM Skimming.

Atlassian launches new DevOps features

Atlassian today launched a slew of DevOps-centric updates to a variety of its services, ranging from Bitbucket Cloud and Pipelines to Jira and others. While it’s quite a grab-bag of announcements, the overall idea behind them is to make it easier for teams to collaborate across functions as companies adopt DevOps as their development practice of choice.

“I’ve seen a lot of these tech companies go through their agile and DevOps transformations over the years,” Tiffany To, the head of agile and DevOps solutions at Atlassian told me. “Everyone wants the benefits of DevOps, but — we know it — it gets complicated when we mix these teams together, we add all these tools. As we’ve talked with a lot of our users, for them to succeed in DevOps, they actually need a lot more than just the toolset. They have to enable the teams. And so that’s what a lot of these features are focused on.”

As To stressed, the company also worked with several ecosystem partners, for example, to extend the automation features in Jira Software Cloud, which can now also be triggered by commits and pull requests in GitHub, GitLab and other code repositories that are integrated into Jira Software Cloud. “Now you get these really nice integrations for DevOps where we are enabling these developers to not spend time updating the issues,” To noted.

Indeed, a lot of the announcements focus on integrations with third-party tools. This, To said, is meant to allow Atlassian to meet developers where they are. If your code editor of choice is VS Code, for example, you can now try Atlassian’s new VS Code extension, which brings your task list from Jira Software Cloud to the editor, as well as a code review experience and CI/CD tracking from Bitbucket Pipelines.

Also new is the “Your Work” dashboard in Bitbucket Cloud, which can now show you all of your assigned Jira issues, as well as Code Insights in Bitbucket Cloud. Code Insights features integrations with Mabl for test automation, Sentry for monitoring and Snyk for finding security vulnerabilities. These integrations were built on top of an open API, so teams can build their own integrations, too.

“There’s a really important trend to shift left. How do we remove the bugs and the security issues earlier in that dev cycle, because it costs more to fix it later,” said To. “You need to move that whole detection process much earlier in the software lifecycle.”

Jira Service Desk Cloud is getting a new Risk Management Engine that can score the risk of changes and auto-approve low-risk ones, as well as a new change management view to streamline the approval process.

Finally, there is new Opsgenie and Bitbucket Cloud integration that centralizes alerts and promises to filter out the noise, as well as a nice incident investigation dashboard to help teams take a look at the last deployment that happened before the incident occurred.

“The reason why you need all these little features is that as you stitch together a very large number of tools […], there is just lots of these friction points,” said To. “And so there is this balance of, if you bought a single toolchain, all from one vendor, you would have fewer of these friction points, but then you don’t get to choose best of breed. Our mission is to enable you to pick the best tools because it’s not one-size-fits-all.”

Pitch deck teardown: The making of Atlassian’s 2015 roadshow presentation

In 2015, Atlassian was preparing to go public, but it was not your typical company in so many ways. For starters, it was founded in Australia, it had two co-founder co-CEOs, and it offered collaboration tools centered on software development.

That meant that the company leaders really needed to work hard to help investors understand the true value proposition that it had to offer, and it made the roadshow deck production process even more critical than perhaps it normally would have been.

A major factor in its favor was that Atlassian didn’t just suddenly decide to go public. Founded in 2002, it waited until 2010 to accept outside investment. After 10 straight years of free cash flow, when it took its second tranche of investment in 2014, it selected T. Rowe Price, perhaps to prepare for working with institutional investors before it went public the next year.

We sat down with company president Jay Simons to discuss what it was like, and how his team produced the document that would help define them for investors and analysts.

Always thinking long term

Remote work helps Zoom grow 169% in one year, posting $328.2M in Q1 revenue

Today after the bell, video-chat service Zoom reported its Q1 earnings. The company disclosed that it generated $328.2 million in revenue, up 169% compared to the year-ago period. The company also reported $0.20 per-share in adjusted profit during the three-month period.

Analysts, as averaged by Yahoo Finance, expected Zoom to report $202.48 million in revenue, and a per-share profit of $0.09. After its earnings smash, shares of Zoom were up slightly ahead of its earnings call (update: Zoom shares are now up 2.3%); investors had priced in this outsized performance, it seems.

Zoom grew 78% in its preceding quarter on an annualized basis. The company’s growth acceleration is notable.

Investors were expecting big gains. Before its earnings, shares in the popular business-to-business service were up by more than 3x during the year; Zoom has found itself in an updraft due in part to COVID-19 driving workers and others to stay home and work remotely. Zoom’s software has also seen heavy uptake amongst consumers hungry for a video chatting solution that is simple and that works.

Whether the company could sustain its valuation gains going into this earnings report was an open question that has now been answered.

Gains

Zoom’s growth in its Q1 fiscal 2021 generated some notable profit results for the firm. The firm’s net income, an unadjusted profit metric, rose from $0.2 million in the year-ago quarter to $27.0 million in its most recent three months.

And Zoom’s cash generation was astounding. Here’s how the company described its results:

Net cash provided by operating activities was $259.0 million for the quarter, compared to $22.2 million in the first quarter of fiscal year 2020. Free cash flow was $251.7 million, compared to $15.3 million in the first quarter of fiscal year 2020.

It’s difficult to recall another company that has managed such growth in cash generation in such a short period of time, driven mostly by operations and not other financial acts. Zoom’s customer numbers were similarly sharp, with the firm reporting that it had 265,400 customers with more than 10 seats (employees) at the end of the quarter, which was up 354% from the year-ago period.

Not all news for Zoom was good, though. Indeed, the company’s gross margin fell sharply in the quarter, compared to its year-ago result. In its Q1 fiscal 2020, Zoom reported a gross margin of around 80%. In its most recent quarter that number slipped to around 68%. In short, the company managed to convert many free users to paying customers, but still had to carry the costs of free usage of its product, something that has exploded in recent months.

Looking ahead, Zoom expects the current quarter to be another blockbuster period. The company noted in its release that it expects “between $495.0 million and $500.0 million” in revenue for Q2 of its fiscal 2021 (the current period). Looking ahead for the full fiscal year, Zoom anticipates revenues “between $1.775 billion and $1.800 billion,” numbers that take into account “the demand for remote work solutions for businesses” and “increased churn in the second half of the fiscal year” when some customers might no longer need Zoom if they can return to their offices.

Its shares might have priced in these results, but the numbers themselves are simply massive. Just three months ago Zoom turned in revenues of just $188.3 million. That’s less than it generated in free cash flow during its next three months.

Watchful is a mobile product intelligence startup that surfaces unreleased features

Meet Watchful, a Tel Aviv-based startup coming out of stealth that wants to help you learn more about what your competitors are doing when it comes to mobile app development. The company tries to identify features that are being tested before getting rolled out to everyone, giving you an advantage if you’re competing with those apps.

Mobile app development has become a complex task, especially for the biggest consumer apps, from social to e-commerce. Usually, mobile development teams work on a new feature and try it out on a small subset of users. That process is called A/B testing as you separate your customers in two buckets — bucket A or bucket B.

For instance, Twitter is trying out its own version of Stories called Fleets. The company first rolled it out in Brazil to track the reaction and get some data from its user base. If you live anywhere else in the world, you’re not going to see that feature.

There are other ways to select a group of users to try out a new feature — you could even take part in a test because you’ve been randomly picked.

“When you open the app, you’ll probably see a different version from the app I see. You’re in a different region, you have a different device,” co-founder and CEO Itay Kahana told me. He previously founded popular to-do app Any.do.

For product designers, it has become a nightmare as you can’t simply open an app and look at what your competitors are doing. At any point in time, there are many different versions of the same app as there are multiple A/B tests going on at the same time.

Watchful lets you learn from competition by analyzing all those different versions and annotating changes in user flows, flagging unreleased features and uncovering design changes.

It is different from other mobile intelligence startups, such as App Annie or Sensor Tower. Those services mostly let you track downloads and rankings on the App Store and Play Store to uncover products that are doing well.

“We’re focused on everything that is open and visible to the users,” Kahana said.

Like other intelligence startups, Watchful needs data. App Annie acquired a VPN app called Distimo and a data usage monitoring app called Mobidia. When you activate those apps, App Annie captures data about your phone usage, such as the number of times you open an app and how much time you spend in those apps.

According to a BuzzFeed News report, Sensor Tower has operated at least 20 apps on iOS and Android to capture data, such as Free and Unlimited VPN, Luna VPN, Mobile Data and Adblock Focus. Some of those apps have been removed from the stores following BuzzFeed’s story.

I asked a lot of questions about Watchful’s source of data. “It’s all real users that give us access to this information. It’s all running on real devices, real users. We extract videos and screenshots from them,” Kahana said.

“It’s more like a panel of users that we have access to their devices. It’s not an SDK that is hidden in some app and collects information and do shady stuff,” he added.

You’ll have to trust him as the company didn’t want to elaborate further. Kahana also said that data is anonymized in order to remove all user information.

Images are then analyzed by a computer vision algorithm focused on differential analysis. The startup has a team in the Philippines that goes through all that data and annotates it. It is then sent to human analysts so that they can track apps and write reports.

Watchful shared one of those reports with TechCrunch earlier this year. Thanks to this process, the startup discovered that TikTok parent company ByteDance has been working on a deepfake maker. The feature was spotted in both TikTok and its Chinese sister app Douyin.

But Watchful’s customers aren’t news organizations. The company sells access to its service to big companies working in the mobile space. Kahana didn’t want to name them, but he said it is already working with “the biggest social network players and the biggest e-commerce players, mainly in the U.S.”

The startup sells annual contracts based on the number of apps that you want to track. It has raised a $3 million seed round led by Vertex Ventures.

REvil Ransomware Gang Starts Auctioning Victim Data

The criminal group behind the REvil ransomware enterprise has begun auctioning off sensitive data stolen from companies hit by its malicious software. The move marks an escalation in tactics aimed at coercing victims to pay up — and publicly shaming those who don’t. But it may also signal that ransomware purveyors are searching for new ways to profit from their crimes as victim businesses struggle just to keep the lights on during the unprecedented economic slowdown caused by the COVID-19 pandemic.

Over the past 24 hours, the crooks responsible for spreading the ransom malware “REvil” (a.k.a. “Sodin” and “Sodinokibi”) used their Dark Web “Happy Blog” to announce the group’s first ever stolen data auction, allegedly selling files taken from a Canadian agricultural production company that REvil says has so far declined its extortion demands.

A partial screenshot from the REvil ransomware group’s Dark Web blog.

The victim firm’s auction page says a successful bidder will get three databases and more than 22,000 files stolen from the agricultural company. It sets the minimum deposit at $5,000 in virtual currency, with the starting price of $50,000.

Prior to this auction, REvil — like many other ransomware gangs — has sought to pressure victim companies into paying up mainly by publishing a handful of sensitive files stolen from their extortion targets, and threatening to release more data unless and until the ransom demand is met.

Experts say the auction is a sign that ransomware groups may be feeling the financial pinch from the current economic crisis, and are looking for new ways to extract value from victims who are now less likely or able to pay a ransom demand.

Lawrence Abrams, editor of the computer help and news Web site BleepingComputer, said while some ransomware groups have a history of selling victim data on cybercrime forums, this latest move by REvil may be just another tactic used by criminals to force victims to negotiate a ransom payment.

“The problem is a lot of victim companies just don’t have the money [to pay ransom demands] right now,” Abrams said. “Others have gotten the message about the need for good backups, and probably don’t need to pay. But maybe if the victim is seeing their data being actively bid on, they may be more inclined to pay the ransom.”

There is some evidence to suggest that the recent economic downturn wrought by COVID-19 has had a measurable impact on ransomware payouts. A report published in mid-April by cryptocurrency research firm Chainalysis found that ransomware payments “have decreased significantly since the COVID-19 crisis intensified in the U.S. and Europe in early March.”

Abrams said other ransomware groups have settled on different methods to increase victim payouts, noting that one prominent gang is now doubly extorting targets — demanding one payment amount in return for a digital key that can unlock files scrambled by the malware, and another payment in exchange for a promise to permanently delete data stolen from the victim.

The implied threat is that victims who pay to recover their files but don’t bite on the deletion payment can expect to see their private data traded, published or sold on the Dark Web.

“Some of these [extortion groups] have said if they don’t get paid they’re going to sell the victim’s data on the Dark Web, in order to recoup their costs,” Abrams said. “Others are now charging a fee not only for the ransomware decryptor, but also a fee to delete the victim’s data. So it’s a double vig.”

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files. In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual.

Here are a few tips that can help reduce the likelihood that you or your organization will fall victim to a ransomware attack:

-Patch, early and often: Many ransomware attacks leverage known security flaws in servers and desktops.

-Disable RDP: Short for Remote Desktop Protocol, this feature of Windows allows a system to be remotely administered over the Internet. A ridiculous number of businesses — particularly healthcare providers — get hit with ransomware because they leave RDP open to the Internet and secured with easy-to-guess passwords. And there are a number of criminal services that sell access to brute-forced RDP installations.

-Filter all email: Invest in security systems that can block executable files at the email gateway.

-Isolate mission-critical systems and data: This can be harder than it sounds. It may be worth hiring a competent security firm to make sure this is done right.

-Backup key files and databases: Bear in mind that ransomware can encrypt any network or cloud-based files or folders that are mapped and have been assigned a drive letter. Backing up to a secondary system that is not assigned a drive letter or is disconnected when it’s not backing up data is key. The old “3-2-1” backup rule comes into play here: Wherever possible, keep three backups of your data, on two different storage types, with at least one backup offsite.

-Disable macros in Microsoft Office: Block external content in Office files. Educate users that ransomware very often succeeds only when a user opens an Office file attachment sent via email and manually enables macros.

-Enable controlled folder access: Create rules to disallow the running of executable files in Windows from local user profile folders (App Data, Local App Data, ProgramData, Temp, etc.).
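As an added illustration of the RDP, macro and controlled folder access tips above (this is not code from the KrebsOnSecurity post), here is a read-only PowerShell audit that reports how a Windows host is currently configured for those three items. It assumes a current Office generation (the `16.0` policy key), Microsoft Defender as the endpoint protection, and an elevated session; it changes nothing.

```powershell
# Added example, not from the original post: audit a Windows host against three
# of the ransomware tips above (RDP exposure, Office macro policy, Defender
# controlled folder access). Read-only; run from an elevated PowerShell prompt.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (i.e. no policy set).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. Remote Desktop. fDenyTSConnections = 1 means RDP connections are refused.
$rdpDenied = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$findings += [pscustomobject]@{
    Check  = 'RDP disabled (fDenyTSConnections=1)'
    Value  = $rdpDenied
    Status = if ($rdpDenied -eq 1) { 'OK' } else { 'REVIEW' }
}
# Independently of the registry flag, is anything listening on the RDP port?
$rdpListener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check  = 'No listener on TCP 3389'
    Value  = if ($rdpListener) { 'listening' } else { 'closed' }
    Status = if ($rdpListener) { 'REVIEW' } else { 'OK' }
}

# 2. Office macros, per application, from the Group Policy key for Office 16.0.
#    VBAWarnings = 4 is "disable all macros without notification";
#    blockcontentexecutionfrominternet = 1 blocks macros in files that carry
#    the mark-of-the-web (downloaded or received as e-mail attachments).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $base = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vba  = Get-RegValue $base 'VBAWarnings'
    $motw = Get-RegValue $base 'blockcontentexecutionfrominternet'
    $findings += [pscustomobject]@{
        Check  = "$app macros disabled (VBAWarnings=4)"
        Value  = $vba
        Status = if ($vba -eq 4) { 'OK' } else { 'REVIEW' }
    }
    $findings += [pscustomobject]@{
        Check  = "$app blocks macros from the internet"
        Value  = $motw
        Status = if ($motw -eq 1) { 'OK' } else { 'REVIEW' }
    }
}

# 3. Defender controlled folder access: 0 = disabled, 1 = enabled, 2 = audit mode.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
$cfa = if ($mp) { $mp.EnableControlledFolderAccess } else { $null }
$findings += [pscustomobject]@{
    Check  = 'Controlled folder access enabled'
    Value  = $cfa
    Status = if ($cfa -eq 1) { 'OK' } elseif ($cfa -eq 2) { 'AUDIT-ONLY' } else { 'REVIEW' }
}

$findings | Format-Table -AutoSize
```

A `REVIEW` row means the setting is absent or permissive, not necessarily that the host is exposed; a domain-joined machine may receive these policies under a different scope than the per-user `HKCU` key checked here. Note also that the last tip in the list, blocking executables from user profile folders, is enforced with AppLocker or Software Restriction Policies rather than with Defender's controlled folder access, so that rule set needs its own check.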

Sites like nomoreransom.org distribute free decryptor tools that can help some ransomware victims recover files without paying a ransom demand.

The Stopwatch Is Ticking | How Ransomware Can Set a Breach Notification In Motion

As we have seen recently with Maze, Sodinokibi and other ransomware actors, the latest criminal trend in cybercrime is to extort enterprise victims not only by denying them access to their own corporate data but also by threatening to dump that data in the public domain. While that presents the danger of leaking IP that could be useful to competitors, it also puts the enterprise at risk of running afoul of legislation designed to protect consumer data as well as from litigation by affected customers.

The situation presents a number of difficulties for organizations regarding data breach notification laws. Do companies have to report a data breach? Who do you have to report a data breach to? When do you have to report a data breach and under what circumstances? In this post, we’ll cover these questions and discuss the challenges of handling a data breach incident.

What are Data Breach Notification Laws?

Widely referred to as security breach notification laws or data breach notification laws, these are legal requirements based on either state or national legislation that require an organization to inform customers or other affected parties about a breach of data and to take action specified in the legislation to remedy the situation.

In 2018, the EU introduced GDPR, which affected all firms trading with the European community and processing information of EU residents. In the U.S., the similar California Consumer Privacy Act (CCPA) became effective on 1st January 2020, but such laws have been around for nearly two decades, in some form or another. However, the rapidly rising number of breaches along with the increasing amount of personally identifiable information (PII) stored by organizations has led to more widespread enactment and rapid evolution of these laws. Despite this, the actual requirements placed on organizations differ from one jurisdiction to another.

This great disparity is also one of the reasons the DOJ is calling on Congress to enact uniform, nationwide legislation concerning data breach disclosure.

Is a Ransomware Attack a Data Breach Incident?

We’re midway through 2020 and the ransomware epidemic is far from subsiding. After causing estimated damages of over $7.5 billion in 2019, ransomware operators have continued to target organizations even during the COVID-19 pandemic and have even stepped up their game to ensure a ransom payout. Attackers are also targeting everyone from small business enterprises to the largest MSPs. The latest Data Breach Investigations Report shows that ransomware is “the third most common Malware breach variety” and the “second most common Malware incident variety”.

Their latest tactic? In addition to encrypting the data that resides inside the organization, ransomware strains like Sodinokibi and Maze exfiltrate files to remote resources under the attacker’s control. At this point, they can not only demand money to decrypt the data on compromised endpoints but also extort the victim in return for not leaking the exfiltrated data to the public.


Do Companies Have to Report a Data Breach?

To notify or not to notify? It’s no longer a question. Until now, ransomware victims were faced with the challenges of gaining access to their data and the dilemma of whether to pay the criminals. Now, they have another concern: companies are obliged by law to report the data breach.

In some incidents, ransomware victims have been able to recover encrypted data without having to succumb to the demands of the malware authors. In those cases, it is quite plausible to assume that the data was not exposed to outsiders, and therefore no breach notification was necessary. But recent campaigns are not so lenient. Even if the data residing on the victims’ network is safely restored (decrypted, or restored from backup) and the extortionist never publishes the stolen data, the victims are no longer exempt from notifying the authorities, their clients or both that data has been stolen.

When Do You Have to Report A Data Breach?

Both private and governmental organizations are required by legislation to inform individuals of a data breach involving PII (personally identifiable information). The ‘trigger’ for notification changes from one state to another depending on the type of stolen PII, but it generally involves a breach of names together with one other unique identifier such as SSNs (Social Security Numbers), driver’s license or state ID numbers, account numbers, credit card numbers and sometimes medical information.

In California, for example, organizations are required to inform affected parties with a “Notice of Data Breach” that should provide answers to questions such as what happened, what information was involved, what the organization is doing about it, and what, if any, action the individual can or should take.

In addition to informing individuals, some state legislation (e.g., Florida) requires that the state’s Department of Legal Affairs is informed of any breach affecting 500 or more individuals.

Crucially, organizations need to be aware that there are laws related to the timing of notice (i.e., the time between the detection of the breach and the notification of potential victims) as well as the number of affected individuals, and that these can vary from state to state. Since GDPR came into effect, many companies have struggled with the 72-hour notice provision while still trying to understand the nature of the incident.

In the U.S., the exact requirements of the law can differ widely depending on the state. For example, Texas requires businesses to notify affected individuals within 60 days of determining that a breach occurred, while Illinois and Oregon require businesses to notify the state attorney. A guide to the different requirements in all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands can be found here.

Companies Need to Keep Up with Changing Data Breach Laws

It’s also important that your organization keeps up with the latest changes, as data breach notification laws are constantly changing to adapt to the new breach-rich environment. New data breach laws came into effect in Texas, Illinois, and Oregon on January 1st, 2020. Meanwhile the District of Columbia (D.C.) updated its data breach notification law on March 26, 2020, and the State of Vermont followed by updating its own data breach law.

D.C. requires organizations to report the breach if it affects 50 D.C. residents or more, Oregon and Texas require businesses to report a breach if 250 customers or more are affected, while the threshold for reporting in Illinois is any breach which has an impact on 500 people or more. Since there is no universal law here, every organization needs to identify the law relevant to the location of its operations and plan accordingly.

Who Do You Have to Report a Data Breach To?

What all that means is that if your organization has customers in multiple states, there may be multiple regulations that you have to comply with, and multiple authorities to report to. If your organization is trading in non-US jurisdictions, there may well be local legislation there that you have to comply with as well, in order to avoid fines or other legal sanctions.

For example, companies that process the information of EU citizens could also fall under the GDPR regulation. On May 25, 2018, new data breach notification laws came into force across Europe. Between May 2018 and March 2019, over 59,000 personal data breaches had been notified to regulators, with the Netherlands, Germany and the UK leading the list. Some of the fines were substantial; for example, British Airways were fined £183.39m (approx. $223 million) for a data breach affecting 500,000 customers, and Marriott International were fined more than £99m (approx. $122 million) for exposing 339 million guest records, out of which 31 million were residents of the EU.

Other breach notification laws exist in Israel, China, Hong Kong and Singapore, and some of these could be relevant for US companies.

Under What Circumstances Do You Have to Report a Data Breach?

But the real problem may not be when to report or even to whom. When your entire database (and sometimes your servers and endpoints) has been encrypted in an attack, preventing you from accessing it, you may have no idea what data may have been exposed. You might also have no idea whether the data was merely encrypted or also exfiltrated.

This is a serious cause of concern for companies that handle masses of private data. Should you assume the data has been compromised and notify all the potential victims? Should you wait for the criminals to dump your data, sift through it and only notify the people who are listed there? Should you assume that no PII has been stolen and that the data will be safely released, and report to no one?

That is a risky course of action, since that sensitive data could be out there, making the enterprise liable to fines and lawsuits. To date, hundreds of companies have been fined under the EU GDPR, and this number will only increase. And the worst part is that when ransomware hits, you don’t have the time to sit and evaluate the situation: the clock is ticking, and if you fail to meet the notification deadline, you risk being fined in one jurisdiction or more.

Recommendations for Dealing With Data Breaches

As the above discussion makes clear, the legal duties imposed on enterprises are complex and various. Before a data breach happens, have your legal team assess which jurisdictions you would be required to report to, under what circumstances and within what timeframe. Make sure that this assessment is conducted periodically to check for changes both in your business operations and in legislation. Ensure that you have a business disaster recovery plan; many businesses, from small to large, have been forced to go out of business due to their inability to recover from cyber attacks. In some cases, these forced closures were a consequence of breach costs and unrecoverable data loss.

The ultimate preparation, of course, is to ensure that your organization is protected from ransomware, malware, and intrusions by a proven security platform. Many of the victims of recent attacks, from ransomware to APT groups, believed they were protected, only to find out that legacy AV suites are no real hindrance to modern cybercriminals.

Conclusion

As if ransomware wasn’t bad enough by itself, when the damage it incurred for organizations was limited to downtime and other ‘local’ costs, contemporary ransomware forces companies to deal with the breach and its impacts, including the uneasy necessity of dealing with authorities and angry customers who insist on being informed about what has happened to their data. As always, an ounce of prevention and a robust endpoint security solution are worth a ton of explaining and reacting.

If you would like to see how SentinelOne can help protect your business from ransomware and other threats, contact us today or request a free demo.

India’s richest man built a telecom operator everyone wants a piece of

As investors’ appetites sour in the midst of a pandemic, a three-and-a-half-year-old Indian firm has secured $10.3 billion in a month from Facebook and four U.S.-headquartered private equity firms.

The major deals for Reliance Jio Platforms have sparked a sudden interest among analysts, executives and readers at a time when many are skeptical of similar big check sizes that some investors wrote to several young startups, many of which are today struggling to make sense of their finances.

Prominent investors across the globe, including in India, have in recent weeks cautioned startups that they should be prepared for the “worst time” as new checks become elusive.

Elsewhere in India, the world’s second-largest internet market and where all startups together raised a record $14.5 billion last year, firms are witnessing down rounds (where their valuations are slashed). Miten Sampat, an angel investor, said last week that startups should expect a 40%-50% haircut in their valuations if they do get an investment offer.

Facebook’s $5.7 billion investment valued the company at $57 billion. But U.S. private equity firms Silver Lake, Vista, General Atlantic, and KKR — all the other deals announced in the past five weeks — are paying a 12.5% premium for their stake in Jio Platforms, valuing it at $65 billion.

How did an Indian firm become so valuable? What exactly does it do? Is it just as unprofitable as Uber? What does its future look like? Why is it raising so much money? And why is it making so many announcements instead of one?

It’s a long story.

Run up to the launch of Jio

Billionaire Mukesh Ambani gave a rundown of his gigantic Indian empire at a gathering in December 2015 packed with 35,000 people including hundreds of Bollywood celebrities and industry titans.

“Reliance Industries has the second-largest polyester business in the world. We produce one and a half million tons of polyester for fabrics a year, which is enough to give every Indian 5 meters of fabric every year, year-on-year,” said Ambani, who is Asia’s richest man.

Salesforce names Vlocity founder David Schmaier CEO of new Salesforce Industries division

When Salesforce announced it was acquiring Vlocity for $1.33 billion in February, it was a deal that made sense for both companies. Today, the company announced that the deal has closed and Vlocity CEO David Schmaier has been named CEO of a new division called Salesforce Industries.

Vlocity has built several industry-specific CRM tools such as media and entertainment, healthcare and government on top of the Salesforce platform. While Salesforce has developed some of its own industry solutions, having a division devoted to verticalized tools creates additional market opportunities for the company.

Schmaier sees the new division as a commitment from the company on the value of an industry-focused approach.

“As Vlocity becomes part of what we’re calling Salesforce Industries, this will be a larger group within Salesforce to really focus on bringing these industry-specific solutions to the customer, helping them go digital and working in a whole new way,” Schmaier told TechCrunch.

Salesforce president and COO Bret Taylor will be Schmaier’s boss. Writing in a blog post announcing the new division, Taylor said that like so many aspects of technology solutions these days, the industry focus is about helping companies with digital transformation. As the world changes before our eyes during the pandemic, companies are being forced to move operations online, and Salesforce wants to provide more specific solutions for customers who need it.

“Companies in every industry have a digital transformation imperative like never before — and many are accelerating their plans for a digital-first, work-from-anywhere environment. With Salesforce Customer 360 and Vlocity, our customers have the most advanced industries platform as well as tools and expert guidance completely tailored to their specific needs,” Taylor wrote.

Schmaier says the fact that his company’s tooling was already built on top of Salesforce allows them to really hit the ground running without the integration challenges that combining organizations typically face after an acquisition like this one.

“I’ve been involved in various mergers and acquisitions over my 30-year career, and this is the most unique one I’ve ever seen because the products are already 100% integrated because we built our six vertical applications on top of the Salesforce platform. So they’re already 100% Salesforce, which is really kind of amazing. So that’s going to make this that much simpler,” he said.

It’s likely that Salesforce will continue to build on the new division and add additional applications over time given the platform is already in place. “We basically have a platform now inside Salesforce to build verticals. So the cost to build new verticals is a fraction of what it was for us to build the first one because of this industry cloud platform. So we are going to look at opportunities to build new ones but we’re not ready to announce that today. For starters, we are forming this one organization,” Schmaier said.

The company reported a record quarter last Thursday, but light guidance for next quarter spooked investors and the stock was down on Friday (it is up 0.77% today as of publication). The company does not rest on its laurels, though, and having a division in place like Salesforce Industries provides a more focused way of dealing with verticals and another possible source of revenue.

Is Zoom the next Android or the next BlackBerry?

In business, there’s nothing so valuable as having the right product at the right time. Just ask Zoom, the hot cloud-based video conferencing platform experiencing explosive growth thanks to its sudden relevance in the age of sheltering in place.

Having worked at BlackBerry in its heyday in the early 2000s, I see a lot of parallels to what Zoom is going through right now. As Zooming into a video meeting or a classroom is today, so too was pulling out your BlackBerry to fire off an email or check your stocks circa 2002. Like Zoom, the company then known as Research in Motion had the right product for enterprise users that increasingly wanted to do business on the go.

Of course, BlackBerry’s story didn’t have a happy ending.

From 1999 to 2007, BlackBerry seemed totally unstoppable. But then Steve Jobs announced the iPhone, Google launched Android and all of the chinks in the BlackBerry armor started coming undone, one by one. How can Zoom avoid the same fate?

As someone who was at both BlackBerry and Android during their heydays, my biggest takeaway is that product experience trumps everything else. It’s more important than security (an issue Zoom is getting blasted about right now), what CIOs want, your user install base and the larger brand identity.

When the iPhone was released, many people within BlackBerry rightly pointed out that we had a technical leg up on Apple in many areas important to business and enterprise users (not to mention the physical keyboard for quickly cranking out emails)… but how much did that advantage matter in the end? If there is serious market pull, the rest eventually gets figured out… a lesson I learned from my time at BlackBerry that I was lucky enough to be able to immediately apply when I joined Google to work on Android.