
Phil Beyer
From the CISO series, it's Cybersecurity Headlines.
Rich
IRS Identity Protection PIN now available for Filing Season, UK Mulling Public Sector Ransomware Payment Ban, and New Ransomware Group Leverages AI: these are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're eager for some insight, opinion and expertise from our returning guest. Making his third appearance, Phil Beyer, head of security over at Flex. Phil, you joined us back in May. It's been a little while. So I got to ask you, how was your week in cybersecurity? Loving this new year?
Phil Beyer
Getting excited for all the crazy stuff we're going to see. I've already seen a few things that are keeping us on our toes.
Rich
Well, one thing to keep on your toes is the three stars that we just awarded you in the video chat. Our producer Steve putting up the three star salute for our three time guest. Phil, thrilled to have you here. Also thrilled to have another sponsor back, DropZone AI. Tired of alert overload? DropZone AI. Join us on YouTube live. To do so, go to cisoseries.com, hit the events dropdown and look for the Cybersecurity Headlines Week in Review image. Just click on it to join us, and be sure to contribute your comments in our chat. Oh my gosh, we're already getting some craziness going on here. Of course we got the big boss man David Spark in there, but we got Michael Vindig, we got CCL, we got Tom Ken in there, who appreciates my cat shirt that I am wearing. If you're not watching the video feed, also, you are missing out. CISO Series on YouTube for all of that good stuff. Get in there and join the chat. Let us know what you think of these stories. As we are going along with these, we're going to be sharing all of our opinions. And just a quick reminder that the opinions that Phil is about to share are not necessarily those of his employer, but we appreciate them nonetheless. Now the Supreme Court just upheld the TikTok ban today, which is still set to go into effect now on January 19th. But we've got plenty of other news to dig into, to discuss, to dissect and get the details of. We got about 20 minutes though, so let's get going. First up here, the IRS Identity Protection PIN is now available for filing season. The IRS has relaunched its Identity Protection Personal Identification Number, IP PIN, program. It's a mouthful. The IP PIN is a six digit number assigned to an individual taxpayer and must be used when filing a tax return. The number is only valid for the current year; a new one will be assigned each tax year. The goal is to prevent scammers from filing a tax return using a stolen Social Security number and personal information.
As Bleeping Computer points out, this program is even more critical this year with over 100 million people's Social Security numbers exposed in the massive National Public Data data breach. Of course, given the number of data breaches with Social Security numbers out there, potato, potahto here. But Phil, given the enormous amount of personal data that's just been floating around for years, this appears to be a good idea. However, given how many people every year are duped by scammers through phishing and smishing, do you worry that opportunistic criminals will immediately step in? As for an example, I don't know, an "authorized assistant" when you're, when you're filing with your IP PIN here. Like, is this just a new target, or does this help make things better?
Phil Beyer
I'm sure that it's making things better. I, I know we've seen some efforts to take it, to take advantage of this in the past. It's just relatively new, right? So we'll see if this year is bringing more exciting and, and creative attacks. Ultimately, the IRS is in a tough spot, having to serve a lot of different, you know, a massive constituency, all sorts of different people who still don't want to pay their taxes and have to pay them again, yada yada. So it's not like we love this process, but they're trying to do their best to give us a little bit of options that work for everybody. So you know, as always, they're trying to do their best. And I think that it's still better than the alternative, which is not having this at all, like we've had in previous years. So I'm not sure that it's any worse as much as just we should again continue to try to help IT support all this, communicate out how important these kinds of PIN things are to maintain security for our own submissions, and try to get the word out for folks.
Rich
Michael Vindig in the chat here says, am I the crazy person in the corner thinking we need a strong, cryptographically secure national ID to remove/reduce all these identity-based attack vectors? And that kind of got me thinking. Like, I'm thinking along the same lines here, Michael, because this almost seems like grafting on, like, two-factor Social Security numbers, basically, right? That, you know, it's like a one-time, expiring, single-purpose...
Phil Beyer
You're right. ID number. And we in this community know for sure that those kinds of protections are massively flawed in terms of how you can take advantage of them. And yet it's not like everybody's using multi-factor for everything already anyway. So this is better than nothing across the board. I mean, Michael's point is a good one though. If they were different, like, IRS should at least be considering here different stages, right, for, for everybody making this PIN available, and maybe for those of us who are, who are slightly on the more sophisticated part of the spectrum, maybe something a little bit more, a little bit stronger.
Rich
All right, next up here, UK mulling public sector ransomware payment ban. This is part of a Home Office consultation, essentially a survey launched January 14 and running until April 8. The proposed ban is intended to protect hospitals, schools, railways and other essential public services from the growing ransomware threat by making these critical services unattractive targets for ransomware. The proposal would also offer guidance to ransomware victims on how to respond and would also help block payments to known criminal groups and sanctioned entities. So Phil, this seems like one of those well intentioned ideas whose leverage is based on dissuading ransomware actors from attacking hospitals before they decide to do it. Kind of take away, you know, the, the pot of gold at the end of the rainbow. The general public tends not to think like that and will likely be thinking only about whether they can get immediate help when they need to get to their hospital. Like that's, that's what they're there for. That's what their focus is on there. I'm curious, what are your thoughts about these kind of proposed bans and the...
Phil Beyer
Third group, right, the people who are actually responsible for these institutions, the healthcare professionals, the teachers and education folks and what have you. Those folks also want to just want to just do their job, or they just want to just deliver the service that they're, that they're trying to do. The... It strikes me as, I don't know how you, like, block payments to unsanctioned crypto wallets though. Like, I mean, I get it, sure. Let's not, let's block the payment to the, the organized crime bank account that we knew about but we weren't able to. I mean, I'm not really sure how that works there. Right. Because we're not paying crypto ransoms to, you know, governments that are sanctioned, even though I realize that paths are used that way. But the point is that cryptocurrency is the, is the vast majority of ransomware style payments, and we can't really block those now when we know things are happening now. So I'm not understanding exactly how they're going to expect to connect that now. Typically, these kinds of things, which we've seen also either floated as possibilities or actually trying to institute in other areas of the world, it really just comes back to bite the people that are trying to do the right thing, which is what you alluded to already. Like folks who on the government side want to try to do the right thing by putting a block in place. Folks in delivering the services want to try to do the right thing by, look, we can't figure anything else out, so let's pay the ransom and get services restored. So those are the folks that are going to suffer. Right. The people that are making the decision to make the payment. I am 100% in favor of trying to eliminate the incentive for ransomware, but we haven't been able to do it in a variety of other fashions. Not the electronic variety, but, you know, ransom for other activities across the world has been going on for centuries, millennia, I don't know, for a long time. Right. And we still can't stop that.
So I'm not sure that this is going to really be an effective use of people's time.
Rich
Yeah. And as CCL points out, good luck stopping nation states with a payment ban.
Phil Beyer
Exactly.
Rich
Yeah, that's, that's... So we will, we will see if that makes any headway in the UK. So keep an eye on Cybersecurity Headlines for updates on that. Next up here, hey, speaking of ransomware, I think we've talked about that once or twice on this show. New Ransomware Group Leverages AI. Emerging ransomware group FunkSec has claimed responsibility for over 80 attacks in December 2024. Yes, that's what they've claimed: 80 in a month, using a Rust-based ransomware likely created with AI by inexperienced threat actors. As a ransomware-as-a-service model, the group engages in double extortion and sells stolen data at discounted prices. A well worn model for threat actor revenue. It's also launched a data leak site featuring custom tools, including a DDoS utility and an AI chatbot. So, Phil, this group is just one of many that exists or will exist soon, leveraging the ease and power of AI to create tools of their trade. I'm curious, what should CISOs be doing to prepare for this seemingly unprecedented advance in technology available to threat actors now?
Phil Beyer
I don't... It's more probably a democratization of this. You know, the folks who've been wanting to do this for a while now have more tools available to write cool software. I mean, if you all haven't... sidebar, but very related. If you haven't started to play with AI to write software on your own, you really should. It's a really nifty way of trying to visualize something or create a proof of concept for yourself before taking it to a team or going into the design phase for professionals, as opposed to people like me who try to play one on TV. In this case though, I think this is just the bad actors doing the exact same thing. So they've just lowered the bar to actually creating the ransomware, the activities. And while they do have a cool name, and probably maybe even cooler than the Typhoons or, or Pandas of the world, I do think that we're just going to see more and more and more of this. And that's not rocket science. We've been seeing this kind of progression already, and this now is just an indicator of their product or their service or whatever they're preparing is going to get better and better, and they're enabled or made faster with AI just like the rest of us.
Rich
Phil, is this like the, you know, the idea with AI tools for threat actors and for on the defense is, you know, this can be a force multiplier. This can increase efficiency of, this can allow us to upskill a lot of people. Right, like in terms of on both sides. Right. Like I'm, you know, I'm an okay coder, but with Copilot or a similar tool like that, I'm able to create more productive code, more meaningful code and stuff like that. I'm curious though, specifically on threat actors getting this capability. Is that why we're seeing the conversation around resilience becoming, like, such a drumbeat in cybersecurity? In terms of, like, if we can focus on that, it almost... it matters less that those capabilities are scaling on the attacker side. If we can be, if we can really just focus on resilience.
Phil Beyer
I'm just, I'm curious, I would say like this. We've always known that at some point the time between vulnerability, exploit and actual exploitation, right, so the time between zero day or announcement or discovery and exploitation in the wild and activity, and then again the kind of like lower bar, a script kiddie version of exploit, at that time is always decreasing. It always has been since the original kind of exploits were ever discovered in the wild. And, and that cycle or that life cycle of the development of discovery and development to exploit is going to continue to decrease. So whether we call it resilience or defense in depth, as, as the, the series implies, or, and then or zero trust or whatever strategy we're using, the strategy has to assume that there will always be attackers who are trying to innovate faster than our defenses. And it doesn't matter how we pursue that objective, but the objective remains the same, which is we have to be able to defend against something that we don't know is out there. As soon as we have a sense that this vector is available or this attack surface is made available to the outside or what have you, we have to be able to react and respond faster and faster. And that's just a reality of this profession.
Rich
All right, well, before we move on to our next story, we have to spend a few moments and thank our sponsor for today, DropZone AI. What if your SOC could handle 10 times the alerts without burning out your team? DropZone AI automates tier one investigations and frees your analysts to tackle bigger challenges. It's how smart teams are staying ahead. See how it works. Schedule a demo today at dropzone.ai. That's D-R-O-P-Z-O-N-E dot A-I. Allstate Accused of Selling Consumer Driving Data. Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and subsidiary Arity, accusing them of illegally collecting, using and selling cell phone location and movement data from over 45 million Americans without their knowledge. Harvested through embedded software and mobile apps, the data was used to create a massive driving behavior database that insurers access to adjust premiums and price quotes. The collection of the data violates Texas's new Data Privacy and Security Act. And this legal action marks the first state level enforcement of a comprehensive data privacy law, with automakers and popular mobile apps also implicated in the alleged scheme. So Phil, other states have already enacted privacy laws in areas such as healthcare, or talking about biometrics like Illinois. But as we start to see litigation happening, how do you see this aligning with the fact that no state is an island and people and data travel pretty freely, particularly within the US but pretty much everywhere? Is the Balkanization of data security even feasible? And might it simply motivate companies like Allstate to, hey, we need to hike these rates to cover the inevitable litigation?
Phil Beyer
Yeah, it's an interesting angle. I don't know that that's really what I'm concerned about. I'm certainly poo-pooing Allstate here, because this is why we have privacy policies, right? It's not because they can't collect this data to then provide better insurance premiums to people. That's a wonderful idea. And certainly other auto insurance companies have either been doing that or intend to do that more in the future. The problem is when we don't know about it. Right. Is when there's a disconnect between the consumer and the practice of the company. And exposing those activities and ensuring that there's clarity between the consumer and the company is the important part. I think what's, you know, whether this is kind of a problem of disparate security and privacy laws between states and things, I'm certainly a proponent of more unified coverage in that regard. Or clarity again, for the rest of us, enacting or in charge of, responsibly being responsible for complying with regulations is a freaking nightmare. All of the patchwork of things we have today. But ultimately the goal we're trying to achieve is the same, which is protection for the data and privacy for our constituents or consumers. So I'm more excited here that someone's going after a company that really is doing it the wrong way, even if it did have the right intentions. So I think this is a good thing. But I'm not exactly sure what it marks on our progress towards, like, are we making... Does this mean we're making more progress? I don't know. Does this mean that we have sufficient security and privacy laws in place around the country? No, that definitely doesn't seem to be the case. So I'm still kind of unsure what milestone this marks.
Rich
You know, the FCC just made in the last couple of years, made a big deal with all of their, like, broadband, like, nutrition label kind of things. This is, this is where I feel like we're lacking that when it comes to privacy policies, where it's like, you're absolutely right. Like, I wouldn't be surprised, right, if I... if this happens. Like they sell you a product that you can plug into your car. At least they used to. I'm sure there's a phone, they use the phone apps for this now. But you plug into your car and get a real time quote, so that if you had a risky driving, you know, behavior, but you were driving safe, now maybe you could get, like, more of a real time quote or something like that. Like that was a very explicit thing. We are going to track your driving and, you know, concept. Exactly. Yeah. No one had a problem with that. You could choose to not do that and just go off the historical data. But yeah, the, you know, show it to me up front. Don't let me get to the outrage stage. Because this had to have not passed the smell test on this for sure. All right, next up here, speaking of staying on the road here, Illinois to get mobile driver's license in Apple Wallet by the end of 2020. Illinois plans to launch digital IDs in Apple Wallet by year's end, allowing residents to add driver's licenses and state IDs to iPhones and Apple Watches. And then Google Wallet support is to follow, as is the way. Illinois joins 10 other states and territories offering IDs in Apple Wallet. New Jersey is also pushing for mobile driver's licenses, citing convenience with real time address updates. Misconceptions persist, but officials stress that these don't enable government tracking. So Phil, I have a simple question. How comfortable are... Do you think the average citizen will be just handing over their phone, you know, to, to a police officer for a routine traffic stop?
Phil Beyer
I hadn't thought about that angle. Was that even in our show notes? I don't remember. But, but the, I'm an early adopter. I'm bullish on these kinds of things. I wouldn't mind handing things over. I do think it's a good question to ask though, like, is this something that people worry about? I'm sure that there, that there will be lawyers on the, on the case, so to speak, in ensuring that no, you can't, you know, just put this nifty new Breathalyzer thing just right out in front of your, of, of somebody without, without some sort of reasonable assurance. Because I mean tech, technology is always increasing, so we're always improving. Why wouldn't you be able to put some detector in the, the front coat button of an officer, and it's able to detect whether Phil is driving impaired or something. In this case though, I think the benefits of digital IDs vastly outweigh the concerns. I've always been generally in that camp here. I don't know that I agree with the national ID concept that Michael and others, that Michael was talking about earlier and then others have proposed for quite some time. We'll see. But, but we have state, that state IDs now and it works just fine. We just need to get them digitized and make them more available. I don't know that that's necessarily really a privacy or tracking concern as much as the concern instead that you put out there, Rich, that people might really want to not be handing over a phone on a regular basis. Because you would have to, I guess theoretically you may or may not have to unlock it to show the ID. And if you have unlocked it and handed it over... Wait a minute, hold on. What's going on here?
Rich
Yeah, there's a, there's a whole lot of civil rights implications for that.
Phil Beyer
It's a good, it's a good use case or a good scenario to be thinking through. So that's interesting. Yeah.
Rich
Well, and Michael Vindig in the chat points out, you know, they have these in California, but you know, getting on a flight, you still have to carry a physical ID. He was trying to go to CES. No luck. Michael, I hope you had a good CES. By the way, it looked like, looked like a fun show. All right, moving on to our last story of the day. Law firm disclosed a data breach from 2023. The firm, Wolf Haldenstein, Alder, Adler, excuse me, Freeman and Herz, disclosed it suffered a data breach on December 13, 2023, impacting the personal information of roughly 3.4 million people. This included names, Social Security numbers, medical diagnoses and claim information. Even though the incident was detected over a year ago, the firm said digital forensic complications delayed its investigation. While it has published a general breach notice on its website and informed Maine's Attorney General of the incident, it hasn't been able to send notices to many impacted individuals due to a lack of contact information. So this is, this is where I feel like I have to look over the bridge of my metaphorical glasses in somewhat of a schoolmarmy style. Does that pass the smell test here? The forensic complications leading to a year long delay in disclosure here? Like I'm sure there are, there are reasons that this could be very complicated. But isn't that, shouldn't that be part of, like, your incident response strategy, like knowing that you're going to have to contact people in the event of a breach? Right, Phil?
Phil Beyer
Right. I don't know. This, this feels a little bit like classic lawyer. You know, I, hopefully some of my, some of my lawyer friends are listening, because they will appreciate that when I ask them questions, I never get an answer. I try to be responsive. I'm also a security person, so I don't always give thorough responses all the time. I'm swamped, just like many of you I'm sure are with your day to day. But I try. I'm not sure my lawyer colleagues in the past or the present even really try. So, so this almost, I mean I'm just chuckling because this, this almost feels like just what lawyers do, right? Lawyers just kind of put off and put off as long as possible the thing. And, and, and this next part here isn't funny. Shame on them. Because that's not, that's not how we do things. Right. We, we've... I totally get that you want to be accurate and forthright and clear and, and deliver updates that are, that don't unnecessarily alert or endanger or whatever. Like, I understand, but a year, I mean, come on. That is, even for me, who I'm almost always, my first reaction is empathy for the responders. Always. I've done that on this show before. I've done it in private and in public communities to say that, hey, our first reaction should be, how can we help? Our first reaction should be, fellow security professional, fellow person who is, who is undergoing trial and tribulation and stress right now, is there anything I can do to help, be healthy for you as a person? As a person, all those things. That's the most important part of this. But a year later is way too much. I'm not really sure that there's anything I can think of. I'm not that creative of a person. So perhaps there are legitimate scenarios and reasons why you would wait a year or more really to disclose what's going on, but I would think that that's, that that's really negligence on, on, on this person, on this firm's part.
Rich
The scariest part about this, though, was they did the typical move of, we're going to offer credit monitoring services, but instead, because they don't know yet who to alert, they said it like in the press release, they said that they, like, anyone that believes that they were impacted can approach. And I was like, and like, that's the most intimidating. You have to approach a law firm with evidence that you think that you deserve this service from.
Phil Beyer
And it's distinctly possible the reason why they waited a year is because they knew they were going to have to say that. And they're like, man, that sounds really bad. Can we get any better data here? And as, as anybody who's done forensics or response knows if, if the right circumstances or the right environment wasn't, wasn't positioned, then no, you really can't like, say for sure what happened. So they may find themselves in a position where, hey, we kind of have to say, everybody can be, can get protected. And then we just don't want to have to say that. Well, I mean, sorry folks, but that's, that's how, that's how this, that's how this game works. I don't like it either, but it's, it's what you got to do.
Rich
Well, as Tomcat says in the chat here, cyber lawyers are great at giving non-answers. And I just got to give a big shout out to the chat, because there was a fantastic conversation. Unfortunately we had to move on from the story, but involving the ransomware. I know this is something CCL in our chat is passionate about. This topic has come up about not paying the ransomware actors, stop giving them the incentive, or trying to cut off that incentive to be able to go after organizations. And a really interesting conversation in our chat, chat kind of from everybody over there about, you know, some of the, some of the difficulties in that, some of the nuances in there. Just a really intelligent, fun conversation. That's what you can get if you join us live each and every Friday at 3:30pm Eastern. So good stuff. Thank you, chat, for that. Much appreciated for that. Before we get out of here for you though, Phil, was there any story this week in the rundown or just the news of the week that was a thumbs up or an eye roller for you?
Phil Beyer
I'm going to go thumbs down to the UK ban again, mostly because of the chat here. I think, being, also I agree with you, Rich, very creative and very informed here about some options, right, in terms of insurance, cyber insurance coverage and not paying a claim and all these kinds of things. But ultimately we do need to figure out a way to de-incentivize ransomware. I'm 100% in favor of that, and I just don't think the UK ban is the way to do it. I don't think that that's going to really address the need or the idea. So whether that's eye roller or thumbs down or, or, or, or deprioritize or whatever. Like no, that's, that's, that's not the way to do it.
Rich
Well, thank you so much Phil Beyer, head of security over at Flex. I love it every time you're on. Always a great time. We will, we will have to have you on again before too long because this was just too much fun. Where can people find you online if they are so inclined to follow you on the cyberspace?
Phil Beyer
LinkedIn is great. I promise I'm not ghosting people who reach out to me. I really do intend to reach out to you. I have the best of intentions and life happens. But yes, but still LinkedIn continues to be the place to try to reach out. Try.
Rich
Thanks also to our sponsor for today, DropZone AI. Tired of alert overload? DropZone AI. Also thanks to our audience today. We can't always get to every single comment up on the screen. That whole conversation, it was flowing too fast to highlight each one, and we had moved on. But I love seeing it. It helps inform us what you're interested in. Like, that's what we want to bring to you, is the stories that you're interested in, so we know those things resonate with you. That means a lot to us. Thank you, each and every one of you, for participating. A reminder, you can join us next Friday, January 24th, for Super Cyber Friday. It's back in 2025. Our topic is going to be Hacking Platformization: an hour of critical thinking on how stitching together data, tools and processes is necessary for the success of your cyber security program. Then come back for another episode of the Week in Review that starts at 3:30pm Eastern. You can register for both and get in on all the fun chat for both of those shows. Just go to the events page at cisoseries.com. And if you still haven't checked it out, the regular show, you should definitely check out Cybersecurity Headlines every single day. Give us about six minutes, we'll get you all caught up, regardless of how fast you listen. If you're a 0.5x listener, if you're a 3x listener, anywhere in between, you can get your daily news fix. Until the next time we meet. For myself, for Phil, for our producer Steve Prentice, who always does an amazing job, for all of us here on the CISO Series team, here's wishing you and yours to have a super sparkly day.
Phil Beyer
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review Summary
Hosted by CISO Series
Release Date: January 17, 2025
Episode: Week in Review: IRS PIN available, AI ransomware group, UK ransomware ban
In this episode of Cyber Security Headlines, the host Rich and returning guest Phil Beyer, Head of Security at Flex, delve into the most pressing cybersecurity stories of the week. Covering topics from IRS security measures to the latest developments in ransomware tactics, the discussion provides in-depth analysis, expert opinions, and actionable insights for information security professionals.
Summary:
The IRS has relaunched its Identity Protection Personal Identification Number (IP PIN) program for the current filing season. This six-digit number is assigned annually to individual taxpayers to prevent fraudulent tax filings using stolen Social Security numbers (SSNs).
Discussion Highlights:
Purpose & Importance:
Rich explains that the IP PIN is designed to combat the increased threat of scammers filing tax returns with stolen SSNs, especially in light of a massive data breach exposing over 100 million SSNs.
Rich: "With over 100 million people's Social Security numbers exposed... this program is even more critical this year."
Effectiveness & Concerns:
Phil acknowledges the program’s potential benefits but expresses uncertainty about its effectiveness in deterring opportunistic criminals. He emphasizes that while the IP PIN adds a layer of security, it may not be foolproof against determined attackers.
Phil (03:27): "I'm not sure that it's any worse as much as just we should again continue to try to help IT support all this..."
Community Feedback:
Michael Vindig from the chat raises a concern about the need for a stronger, more secure national ID system to reduce identity-based attacks, aligning with Phil's thoughts on the limitations of current protections.
Summary:
The UK Home Office has launched a consultation proposing a ban on ransomware payments by public sector entities, including hospitals, schools, and railways. The goal is to make these critical services less attractive targets by eliminating the potential financial gains from ransomware attacks.
Discussion Highlights:
Intent & Implementation:
Rich outlines that the proposed ban aims to protect essential services by discouraging ransomware attacks through policy and guidance on alternative response strategies.
Rich: "The proposal would also offer guidance to ransomware victims on how to respond and would also help block payments to known criminal groups..."
Expert Opinion:
Phil is skeptical about the ban's effectiveness, questioning the practicality of blocking crypto payments and highlighting the challenges in enforcing such measures. He points out that criminals might still find ways to transact outside sanctioned channels.
Phil (06:35): "Cryptocurrency is the vast majority of ransomware style payments and we can't really block those now when we know things are happening now."
Broader Implications:
The discussion touches on the historical challenges of deterring ransom-based crimes and the potential for the UK ban to inadvertently harm the very public services it aims to protect.
Rich: "Good luck stopping nation states with a payment ban."
Summary:
A new ransomware group named FunkSec has claimed responsibility for over 80 attacks in December 2024, using AI to build out its ransomware operations. The group operates on a ransomware-as-a-service (RaaS) model, engaging in double extortion and selling stolen data.
Discussion Highlights:
AI Integration in Ransomware:
Rich highlights FunkSec's use of AI to develop its ransomware tooling, including a DDoS utility and an AI chatbot for data leaks.
Rich: "Using a Rust-based ransomware likely created with AI by inexperienced threat actors."
Defensive Strategies:
Phil emphasizes the need for CISOs to adopt proactive measures, including leveraging AI for defense to match the attackers' technological advancements. He advocates for resilience and defense-in-depth strategies to counter evolving threats.
Phil (09:47): "We have to be able to defend against something that we don't know is out there."
Future Outlook:
The conversation anticipates an increase in AI-enabled ransomware groups, underscoring the importance of continuous adaptation in cybersecurity defenses.
Phil: "We've been seeing this kind of progression already and this now is just an indicator of their product or their service..."
Summary:
Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its subsidiary Arity, alleging the illegal collection, use, and sale of cell phone location data from over 45 million Americans. The data was used to create a driving behavior database to adjust insurance premiums without consumers' consent.
Discussion Highlights:
Legal Implications:
Rich outlines that this lawsuit is the first state-level enforcement of Texas's comprehensive Data Privacy and Security Act, with potential broader implications for other industries and states.
Rich: "This legal action marks the first state level enforcement of a comprehensive data privacy law..."
Privacy Concerns:
Phil criticizes Allstate for violating privacy policies by collecting data without transparency, emphasizing the need for unified data protection laws to prevent such abuses.
Phil (15:12): "The problem is when we don't know about it... ensuring that there's clarity between the consumer and the company is the important part."
Industry Impact:
The discussion explores how disparate state laws create challenges for companies operating nationally and the likelihood of increased litigation driving up costs for businesses.
Rich: "Might it simply motivate companies like Allstate to hike these rates to cover the inevitable litigation?"
Summary:
Illinois plans to launch digital IDs compatible with Apple Wallet by the end of 2025, allowing residents to add their driver's licenses and state IDs to their iPhones and Apple Watches. Google Wallet support will follow, joining other states offering similar digital ID solutions.
Discussion Highlights:
Adoption & Convenience:
Rich discusses the growing trend of digital IDs, highlighting the convenience of real-time address updates and seamless integration with mobile devices.
Rich: "Allowing residents to add driver's licenses and state IDs to iPhones and Apple watches."
Privacy & Security Concerns:
Phil debates the potential privacy implications, questioning whether individuals will feel comfortable handing over their phones for routine verifications. He stresses the importance of robust security measures to prevent misuse.
Phil (18:52): "Is something that people worry about?... the benefits of digital IDs vastly outweigh the concerns."
Civil Rights Implications:
The conversation touches on the balance between technological advancements and civil liberties, emphasizing the need for safeguards to protect individuals from potential privacy infringements.
Rich: "There's a whole lot of civil rights implications for that."
Summary:
Law firm Wolf Haldenstein Adler Freeman & Herz disclosed a data breach that occurred on December 13, 2023, affecting approximately 3.4 million individuals. The breach exposed sensitive information, including SSNs and medical diagnoses. The firm delayed notifying affected parties, citing digital forensic complications.
Discussion Highlights:
Incident Response Failures:
Rich criticizes the law firm's delayed disclosure, highlighting the importance of having a robust incident response strategy that includes timely communication with affected individuals.
Rich: "Forensic complications leading to a year long delay in disclosure here... shouldn't that be part of your incident response strategy?"
Legal and Ethical Considerations:
Phil reflects on the ethical obligations of firms to protect client data and the potential negligence displayed by the delayed response. He underscores the need for transparency and swift action in breach situations.
Phil (22:20): "A year later is way too much. I'm not really sure that there's anything I can think of."
Impact on Trust:
The discussion emphasizes how such breaches and poor handling can erode client trust and the broader implications for the legal industry's reputation regarding data security.
Phil: "We have to be able to react and respond faster and faster. And that's just a reality of this profession."
Ransomware Incentives:
Both Rich and Phil express skepticism about the UK's proposed ransomware payment ban, suggesting it may not effectively deter attackers and could inadvertently harm public services.
AI as a Double-Edged Sword:
The integration of AI in both offensive (ransomware) and defensive (cybersecurity) strategies is seen as inevitable. Phil advocates for leveraging AI to enhance resilience and defense mechanisms.
Data Privacy Enforcement:
The lawsuit against Allstate highlights the growing enforcement of data privacy laws at the state level, signaling a shift towards greater accountability for companies handling consumer data.
Digital Transformation vs. Privacy:
The rollout of digital IDs raises important questions about privacy and security, balancing technological convenience with the need to protect individual rights.
This week's episode of Cyber Security Headlines provides a comprehensive overview of significant developments in the cybersecurity landscape. From governmental efforts to enhance taxpayer security and combat ransomware to corporate missteps in data privacy, the discussions underscore the evolving challenges and the imperative for robust, proactive security measures. Phil Beyer's expert insights offer valuable perspectives on navigating these complex issues, making the episode a must-listen for information security professionals seeking to stay informed and ahead of emerging threats.
Notable Quotes:
Phil Beyer (03:27): "I'm not sure that it's any worse as much as just we should again continue to try to help IT support all this..."
Phil Beyer (06:35): "Cryptocurrency is the vast majority of ransomware style payments and we can't really block those now when we know things are happening now."
Phil Beyer (09:47): "We have to be able to defend against something that we don't know is out there."
Phil Beyer (15:12): "Ensuring that there's clarity between the consumer and the company is the important part."
Phil Beyer (18:52): "Is something that people worry about?... the benefits of digital IDs vastly outweigh the concerns."
Phil Beyer (22:20): "A year later is way too much. I'm not really sure that there's anything I can think of."
For more detailed insights and daily updates, visit CISOseries.com and tune into Cyber Security Headlines every weekday.