Insider Negligence Allows Ransomware Attacks 10:40, December 16, 2016


On Friday, November 25, 2016, the San Francisco Municipal Transit Agency (SFMTA) was the victim of a ransomware attack. Ransomware is malicious software that infiltrates computer systems or networks and uses tools like encryption to hold data “hostage” until the victim pays a ransom, which is frequently payment in Bitcoin. According to the San Francisco Examiner, the hackers reportedly demanded 100 Bitcoin (worth about $73,000) to release control of the SFMTA’s computer network. On Friday and Saturday, computers in SFMTA’s Muni station agents’ booths displayed the message: “You Hacked, ALL Data Encrypted. Contact For Key ( ID:681 ,Enter.”

The Examiner contacted the email address displayed on hacked Muni screens and was told by the alleged hacker, self-identified as Andy Saolis (a name that has been linked to other ransomware attacks), that the attack was made possible because “someone at SFMTA downloaded a torrented computer file.”

Torrent files are used to share large files over peer-to-peer networks. Cyberattackers use the ad networks on torrent search websites to infect visitors’ devices with malware, a practice called “malvertising.”

An SFMTA news release stated that the attack primarily impacted approximately 900 office computers, that the SFMTA network “was not breached from the outside,” and that customer payment systems were not hacked.

The SFMTA turned off the ticket machines and fare gates in the Muni Metro subway stations on Friday and Saturday, leading to free rides for passengers.

The SFMTA said that it “never considered paying the ransom” and that it had “an information technology team in place that can restore our systems, and that is what they are doing.”

FTC Examines Ransomware

In a November 2016 blog post called “Ransomware—A closer look,” the Federal Trade Commission (FTC) called ransomware “one of the most serious online threats facing businesses.”

The FTC noted that businesses holding consumers’ sensitive information must be concerned about the threat of ransomware, which can disrupt operations or entirely shut down a business. In addition, said the FTC, “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.”

We wrote earlier this year about the FTC’s treatment of failure to protect data as an unfair practice under the FTC Act and about the US Department of Health and Human Services’ discussion of HIPAA disclosure requirements when ransomware results in a data breach.  

The FTC guidance states that in a workshop it conducted on ransomware, one panelist stated that 91% of all ransomware arrives through email phishing campaigns, which typically require the user to take some kind of action such as clicking on a link or downloading a malicious attachment. Other panelists discussed the increase in “malvertising” and how it can occur even on trusted websites through third-party ad networks that redirect the user to an infected server.

The FTC says that organizations can protect themselves against the threat of ransomware by:

  • Implementing training and education
  • Practicing good cyber hygiene
  • Backing up data early and often
  • Planning and preparing for an attack

Organizations that have good data security habits can lessen the risk that a cyberattacker will gain access to company data. Employers should recognize that insider negligence is the leading cause of data loss or theft. In addition, as the SFMTA case shows, a company that has backed up its data won’t have to pay a ransom to get itself back on track.  

Hacker Gets Hacked

In an interesting twist, the KrebsOnSecurity blog heard from a researcher who was able to compromise the email inbox of the SFMTA ransomware hacker by guessing the answer to his secret question and then resetting the attacker’s email password.

Brian Krebs said that the story proved, once again, that “truthfully answering secret questions is a surefire way to get your online account hacked.” When he’s required to supply such answers in order to use a service, Krebs said that:

I always choose a gibberish or completely unrelated answer that only I will know and that cannot be unearthed using social media or random guessing.

This is advice that LawRoom’s Checkpoint Data Security course also recommends.

LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Christine Day
Christine Day is a legal editor at EverFi. She writes about employment law issues and tracks case law and legislative and regulatory updates. Before joining EverFi she worked in legal publishing, researching and writing about tax law, business law, and employment law. She earned her JD from the University of San Diego Law School and her BA from the University of Southern California.
