Business Tech and Cyber Blog by CSM Systems
Our Latest Blog Post
In September 2022, Uber got breached. An 18-year-old attacker bought a contractor's password on the dark web for a few dollars. The contractor had MFA enabled. Uber's MFA required pushing "approve" on a mobile app. The attacker couldn't push the button. So he pushed...
Older Posts
The $2 Billion MFA Gap
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, got hit with ransomware that shut down a big chunk of the U.S. healthcare payment infrastructure for weeks. Pharmacies couldn't process prescriptions. Medical practices couldn't submit claims....
Having Backups Isn’t the Same as Being Able to Restore
In July 2020, Garmin got hit with WastedLocker ransomware. Their website, their fitness apps, their pilot flight planning tools, their customer service, all of it was offline for about a week. Reuters covered the outage. Users couldn't sync their watches. Pilots...
The 23andMe Breach Wasn’t a Breach
In October 2023, 23andMe disclosed in an SEC filing that attackers had been logging into customer accounts with passwords reused from other sites; the company later put the number of affected users at about 6.9 million, most of them exposed through the DNA Relatives feature rather than by direct access to their own accounts. The word "breach" got used a lot in the coverage. It's not really the right word. 23andMe themselves pushed back on it. They didn't get hacked....
The Helpdesk Is the Attacker’s Favorite Tool
In September 2023, MGM Resorts and Caesars Entertainment both got owned by the same threat group inside of ten days. Caesars paid a ransom that reporting later put at around $15 million. MGM refused to pay, took their systems offline, and disclosed to the SEC that the...
The Wire Fraud Came From a Vendor You Trust
Business email compromise at a law firm or CPA practice doesn't always start with your firm. About half the time, from what the FBI's IC3 reports show, the attacker compromises a vendor or a client first, and then uses that mailbox to defraud you. Which means your own...
When Microsoft Gets Breached, What It Means for You
In January 2024, Microsoft filed an 8-K with the SEC disclosing that a Russian state-sponsored group called Midnight Blizzard had breached their corporate network and read the email of members of their senior leadership team. The attackers were in the environment for...
SMS Text Codes Aren’t Really MFA
If your firm's idea of multi-factor authentication is "we get a text message with a code," you don't really have MFA. You have something that feels like MFA, and that feeling is worth less than you think. NIST deprecated SMS as a second factor back in 2016 in their...
The Outlook Rule That Steals Tax Season
The FBI's 2023 Internet Crime Report logged $2.9 billion in business email compromise losses. That's the line that gets quoted. What doesn't get quoted is the mechanism. Almost all of that loss runs through a tiny, boring piece of Microsoft Outlook called an inbox...
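The post above only names the mechanism, so here is the check a practitioner would run against it. This is an added example, not code from the CSM Systems post: an Exchange Online audit that lists every inbox rule with the behaviours BEC actors depend on (forwarding or redirecting mail, deleting or hiding it, or keying on finance and tax keywords), and, going slightly beyond the inbox-rule case, also flags mailbox-level SMTP forwarding set outside of rules. It assumes the ExchangeOnlineManagement module is installed and the account running it holds Exchange administrator rights; the keyword list is a constructed starting point, not a complete one.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an Exchange admin role. The keyword list below is a constructed
# starting point tuned for a tax/CPA practice; extend it for your own firm.
Connect-ExchangeOnline

$keywords = @('invoice', 'wire', 'payment', 'ach', 'routing', 'w-2', '1099', 'tax', 'remit', 'refund')
$hideFolders = 'RSS|Archive|Junk|Conversation History|Deleted'
$findings = @()

# Pull mailbox-level forwarding properties in the same pass as the rules.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    # Forwarding configured on the mailbox itself (no inbox rule involved).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Rule    = '(mailbox forwarding)'
            Enabled = $true
            Reasons = "forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }

    # -IncludeHidden surfaces rules created via MAPI that Outlook's UI does not show.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $reasons = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($rule.MarkAsRead)    { $reasons += 'marks mail as read' }
        if ($rule.MoveToFolder -and $rule.MoveToFolder -match $hideFolders) {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }

        # Keyword conditions: subject, body, or either.
        $terms = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        $hits = $terms | Where-Object {
            $t = $_
            $t -and ($keywords | Where-Object { $t -like "*$_*" })
        }
        if ($hits) { $reasons += "matches finance keywords: $($hits -join ', ')" }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Once a rule is confirmed malicious, disable it and then investigate the sign-in
# history of that mailbox; the rule is the symptom, the stolen session is the problem.
# Disable-InboxRule -Mailbox user@example.com -Identity '<rule name>' -Confirm:$false
```

Run it on a schedule and diff the output against the previous run; a brand-new rule that forwards externally or moves "invoice" mail into RSS Feeds in a mailbox that had none yesterday is worth a phone call before the next wire goes out.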
The Compliance Audit You Didn’t Know Was Coming
In 2023, the FTC's amended Safeguards Rule under the Gramm-Leach-Bliley Act came into force for tax preparers, accountants, and any business that handles consumer financial information, and a further amendment finalized that October added a breach notification requirement. The rule now requires specific technical controls: encryption,...