Top news stories this week
- Ouch! Print management software PaperCut issues urgent patches for critical vulnerabilities.
- Listed. Personal data leaked after Yellow Pages Canada is hit by ransomware attack.
- Waste control. Data from decommissioned systems present an overlooked cyber risk.
- By the book. New EU cyber legislation could result in increased costs to UK businesses.
- On the hook. Finnish court finds former CEO guilty of negligence after data breach.
- Space race. Satellite technology shown to be increasingly vulnerable to cyber attack.
1. PaperCut announces critical application server vulnerabilities
Print management software provider PaperCut has issued urgent patches for two critical vulnerabilities impacting its Application Server. The vulnerabilities allow for unauthenticated remote code execution and unauthenticated information disclosure. Ransomware groups Cl0p and Lockbit 3.0 have already exploited these vulnerabilities to gain access to corporate data.
Malicious actors quickly move to exploit new vulnerabilities and conduct attacks. Check if your systems are vulnerable and patch known vulnerabilities immediately.
2. Black Basta publishes sensitive data from Yellow Pages Canada
Black Basta ransomware group has released personally identifiable information stolen from Yellow Pages Canada, including passport scans and social insurance numbers for employees and some customers, on their leak site. Yellow Pages has begun informing those who have been affected by the data breach.
Individuals impacted by a personal data breach can benefit from ongoing credit monitoring services to identify misuse of their data and reduce the risk of further harm.
3. Data from decommissioned systems present overlooked threat
Researchers have discovered that second-hand corporate networking equipment often still contains sensitive data. Having purchased a set of old routers they discovered complete configuration details plus data for allowing third-party network connections, which hackers could use to breach corporate environments.
Separately, the American Bar Association (ABA) confirmed that, during a cyber incident it suffered, a threat actor accessed login credentials for 1.4 million members from a legacy system decommissioned in 2018. According to the ABA, many members had reused these old credentials.
When decommissioning systems, it is essential to ensure secure data destruction and disposal, to avoid an unintentional data breach.
4. New EU cyber laws could result in increased costs to UK businesses
According to a UK parliamentary report, the European Union’s new Cyber Resilience Act (CRA), which introduces minimum security standards for internet-connected products, is likely to impact British businesses exporting to the European Union.
Other upcoming legislation to be aware of includes the Digital Operation Resilience Act (DORA), which will impose stringent new resilience requirements on EU financial services firms and their ICT service providers.
It is important to stay abreast of new legislation impacting cyber security, and ensure your organisation remains compliant across relevant jurisdictions.
5. CEO sentenced following data breach
A Finnish court issued a suspended jail sentence to the former CEO of Vastaamo, a chain of therapy clinics in Finland, for failing to protect patient data from a breach. The then-CEO did not inform authorities or other board members of two separate breaches at the clinic that saw patient notes leaked and clients extorted.
Executives may face personal liability for failing to safeguard sensitive data or implement the necessary cyber security measures.
6. Space technology becoming increasingly vulnerable to cyber attack
French defence contractor Thales conducted an authorised cyber attack on a European Space Agency satellite to raise awareness of satellite vulnerabilities. This follows recent comments made by the chief of the US Space Force that outlined an increasing number of threats affecting space technology, including China’s development of cyber capabilities that could seize control of satellites.
Incident response plans should provide for alternative communication channels in the event that normal communication channels are not available.