In the October 2022 edition of our business privacy newsletter, you’ll find our take on:
Under New Executive Order, Europeans Can Complain to the U.S. About Data Collection
In early October President Biden signed an executive order giving Europeans the ability to protest when they believe their personal information has been caught in America’s national security online surveillance dragnet. The announcement brings the US and EU closer to a deal to let companies transfer digital data across the Atlantic without running afoul of Europe’s GDPR. While the rule nominally only affects data collected and used by federal agencies, given the increased data sharing between private sector data brokers and the security state, questions about its scope will likely be a source of future litigation and debate.
The lack of a US/EU data-sharing agreement has been a thorn in the side of U.S. companies for many years, and while this executive order may give a sense of temporary relief to large companies worried about litigation, it is likely to serve as a placeholder until Congress either passes comprehensive data privacy legislation (e.g., the ADPPA) or imposes specific limits on data sharing between private entities and federal agencies, like what was previously proposed in “The 4th Amendment is Not For Sale Act”.
Airports, Hospitals, and Schools are Targeted by Ransomware Gangs Connected to Russia
In early 2022 there were frequent warnings of the potential for coordinated state-sponsored cyber attacks against US infrastructure and businesses in retaliation for Western opposition to the Russian invasion of Ukraine. By summer, little of this had materialized and there was speculation that it would never be forthcoming. However, in recent months there has been a growing pattern of Russian cyber-criminal gangs targeting schools, hospitals, airports, and other public-private institutions, causing real disruptions in civic and economic life.
It’s not clear if this is an extension of an existing pattern of ransomware groups targeting quasi-public institutions because their data sources are very lucrative targets or if it’s being actively coordinated and encouraged by the Russian state simply to wreak havoc in the US. In either case, it’s very concerning that ransomware groups that have been proven to use data broker sites like ZoomInfo and SignalHire for OSINT on their targets now seem to be equally motivated by remuneration AND sabotage.
Malicious Social Account Takeover Epidemic
A recent report released by the Identity Theft Resource Center noted that consumer social media account takeovers have grown by more than 1,000% in the last 12 months.
We draw attention to this trend because it has implications for potential risks to employees who maintain social media profiles and may expose businesses to the reputational or financial risks that come from identity spoofing. The ecosystem of consumer fraud is always shifting from one format to another, often replicating the same types of scams via new platforms. We saw this over the past decade in a shift from robocalls, to e-mail spam and phishing, to smishing. The unique risk that social media presents compared to other communications technologies is the risk of ‘going viral’, where a misrepresentation doesn’t just reach a handful of targeted individuals but millions within a short span of time. Since it’s still Cyber Security Awareness Month, now is a good opportunity to discuss best practices for securing social media accounts with employees who might need a reminder about how to better manage their personal security and privacy.
DeleteMe In The News
Check out our log of where DeleteMe has been featured in the news in October.
CyberRisk Leadership Exchange: Chicago
We’re heading to Chicago on November 3rd for this one-day event designed by a community of cybersecurity leaders. We’re excited to participate and learn from the others attending. Let us know if you are attending and would like to meet up by reaching out to our sales team.