ISA CyberNew 12-05-2022

Latest Cybersecurity News 2022-12-05 Edition


Weekly CyberTip: Stay Safe on Google Play

In two separate incidents last week alone, researchers discovered apps on Google Play that contain multiple serious vulnerabilities or are in fact malware masquerading as helpful utilities. You can take steps to help protect yourself from insecure or dangerous applications on Google Play (or the Apple App Store for that matter): Check the reputation and website of the software developer, look for negative reviews (or obviously fake positive ones), review the app’s privacy policy and update history. Any red flags should prompt you to look elsewhere for an application. Other tips to help keep you safe and secure: always keep your apps up to date, and ensure that you remove any unused apps – and delete their associated accounts – once you no longer need them. Reducing your digital footprint will help limit your exposure if those developers or applications are ever breached.

LastPass announces security incident

On November 30, password storage service LastPass disclosed that they had suffered a security incident involving their customer data. According to a posting on their website, which was also communicated directly to customers via email, LastPass “recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.”

Referring to another cyber incident earlier this year (in which an unidentified threat actor gained access to their development environment for up to four days, leading to the theft of source code and technical information), LastPass “determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” according to LastPass CEO Karim Toubba. Toubba sought to reassure customers by advising that customer “passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

The scope of the data breach has not been revealed. However, LastPass advises that they “are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”

City of Edmonton issues statement on privacy breach

In a media statement made November 30, Daryl Croft, Branch Manager of Open City and Technology for the City of Edmonton, announced that the personal information of over 5000 City employees had been compromised in a May 2021 data breach.

After a lengthy investigation by the City’s Corporate Access and Privacy Office and third-party resources, the City determined that more than 157,000 data records had been transferred from City-owned computers to the personal cloud-based account of an unidentified staff member (who is “no longer employed with the City”).

The official announcement on the City’s website explained that, while the full extent of the breach has still not been confirmed, personal records dating from 2018 to 2020 had been extracted, including such details as discipline reports, fraud and misconduct investigation reports, human rights complaints, settlements, staff lists, and more. Personal staff information involved included name, address, employment histories and details.

“Since the privacy breach was first reported in May of 2021, there has been no evidence of misuse or further disclosure of any of the information involved. There is also no evidence to suggest that specific employees’ information was targeted; rather the information appears to have been uploaded based on opportunity,” according to the disclosure statement.

The City has reported the breach to the Office of the Information Privacy Commissioner of Alberta, and “immediately strengthened its processes and safeguards to make a similar breach less likely in the future,” according to the release.


Report: Cost of cyber crime to approach $24 trillion by 2027

According to new estimates from research firm Statista announced December 2, the global cost of cyber crime is expected to grow steadily over the next five years, rising from $8.44 trillion (all figures USD) in 2022 to $23.84 trillion by 2027, at a steady rate of just over $300M per year.

The report attributes the rising costs to the expanding attack surface – as more people and services go online – in addition to the growing sophistication of cyber criminals.

“The COVID-19 crisis led to many organizations facing more cyberattacks due to the security vulnerability of remote work as well as the shift to virtualized IT environments, such as the infrastructure, data, and network of cloud computing,” according to Statista’s Outlook analysts.

Statista also released a new report tracking the number of data records disclosed worldwide between 2020 and 2022. After a peak in the first year of the COVID-19 pandemic (cresting in the fourth quarter of 2020, with nearly 125 million data records exposed), the number of records per quarter had settled to a period low of 3.33 million reported in Q1 2022. However, the report indicates that Q3/2022 numbers have increased sharply to 14.78 million records breached.
