Oregon highlights a key struggle with cyber security

Oregon highlights a key struggle with cyber security

What’s going on in Oregon is more than likely typical of most governments and companies – a patchwork of systems that not only have difficulty talking to one another but also gaps that leave the government, company or other institution vulnerable to an cyber threat. Simply throwing money at the cyber security problem leads to silo solutions not a shrewd, cohesive cyber security system that is both proactive and reactive that protects the institution in full. Granted, cyber attacks are a moving target, but that also means their evolving nature combined with the growing adoption of our Digital Lifestyle and expanding access points under our Digital Infrastructure investing theme mean cyber security will likely remain a key growth driver for our Safety & Security investing theme. No wonder Broadcom is looking to scoop up Symantec.

Auditors say Oregon’s central administrative agency lacks basic controls to protect its information and systems from a cyber attack.

That means the Department of Administrative Services’ information and systems are at risk for “unauthorized use, disclosure, or modification,” according to a report released Wednesday, July 3, by Secretary of State Bev Clarno.

Auditors said a fragmented organizational structure and approach to managing security concerns may be parts of the problem. The agency’s roughly 30 subdivisions “receive varying levels of support” from the agency’s IT department, which supports only 16 of the 85 applications that workers use. The rest are supported by non-IT employees scattered throughout those divisions, and don’t receive oversight or involvement from the agency’s IT department, auditors said.

That has created inconsistency, and means the agency’s subdivisions may not be aligning with best practices when it comes to security.

Auditors said cyber-threats are a growing worry. “Cyberattacks, whether big or small, are a growing concern for both the private and public sector,” auditors wrote. “Recent breaches at Oregon state agencies have only escalated this concern.”

Source: Audit: Oregon still struggles with cyber security needs | Salem Reporter | News about Salem – In-depth, Accurate, Trusted

Marriott’s Starwood Data Breach Affects Up to 500 Million People

Marriott’s Starwood Data Breach Affects Up to 500 Million People

We’ve got another cyber attack being reported, this time for Marriott International and its Starwood business to the tune of up to 500 million guests. This puts it around the third worst attack in recent history. What will make this latest compromise even more noteworthy is it’s being one of the larger attacks since the European Union’s General Data Protection Regulation privacy law took effect in May. That’s a new development that Marriott and others will need to contend with, which could result not only in fines but also drive a pronounced pick up in cybersecurity spending. In thematic speak, that’s a potential tailwind for our Safety & Security investing theme.

Marriott International Inc. on Friday disclosed one of the biggest data breaches in history, a hack in the reservation database for its Starwood properties that may have exposed the personal information of up to 500 million guests.

News of the attack—rivaled only by the theft of information in 2013 and 2014 from internet company Yahoo—roiled customers of the world’s largest hotel company and lowered its stock price.

In addition to the size of the Marriott exposure, security analysts say the range of customer data potentially compromised—such as passport numbers, travel details and payment-card data—make the breach even more sensitive. Numerous regulators in the U.S. and abroad said they are monitoring the situation.

Marriott will face scrutiny from regulators, particularly in Europe where the European Union’s General Data Protection Regulation privacy law took effect in May, said Travis LeBlanc, a partner with Boies Schiller Flexner LLP. Although the Starwood breach predates GDPR, Mr. LeBlanc said because the unauthorized activity continued after the law went into effect, the incident would likely be subject to it.

Britain’s Information Commissioner’s Office, which can fine companies for failing to protect customers’ personal data, also is investigating. This year, the office fined major companies including Facebook Inc. and Uber Technologies Inc. for mishandling data.

The Marriott hack joins a list of breaches to hit the hospitality industry in recent years. Security analysts say the industry is a ripe target for criminal actors because of the wealth of financial and other information flowing through payment and reservation systems. It also is a highly fragmented business, in which large companies such as Marriott and Hilton Worldwide Holdings Inc. largely license their brands to property owners who manage the hotels.

Source: Marriott Says Starwood Data Breach Affects Up to 500 Million People – WSJ

JP Morgan’s Jamie Dimon says cyber is the biggest vulnerability the financial system

JP Morgan’s Jamie Dimon says cyber is the biggest vulnerability the financial system

When Jamie Dimon, CEO of JPMorgan Chase one of the largest banking entities, speaks investors and the markets tend to listen and digest what he is saying. This week, Dimon reminded that cybersecurity, one of the tentpoles of our Safety & Security investing theme, is an area that individuals, institutions and the government need to “focus on.” Intermixed with his comments was that JPMorgan has spent “a lot of money” and is “secure” but as we know this is an evolving landscape that likely means cyber spending should be considering an ongoing aspect of capital spending plans rather than a “fix it and forget it” type of spend. We’re already witnessing the shift in spending categories at the Pentagon, and odds are it will only be a matter of time before we see the same at more of Corporate America as well. All it will take is another high profile cyber attack or two, but that will be reactive (defense) rather than proactive (security).

 

Banks may be in sound condition post-Lehman Brothers, but the financial system could crack again if hit with a devastating cyber attack, J.P. Morgan Chief Executive Jamie Dimon warned on Thursday.

“I think the biggest vulnerability is cyber, just for about everybody” he told CNBC’s Indian affiliate CNBC TV-18 on Thursday. “I think we have to focus on it, the United States government has to focus on it.”

“We have to make sure because cyber — terrorist and cyber countries — they could cause real damage. We’re already spending a lot of money and J.P. Morgan is secure but we should really worry about that,” Dimon told CNBC-TV18’s Shereen Bhan in New Delhi.

Source: JP Morgan’s Jamie Dimon says cyber is biggest risk to the financial system

The next financial crisis will likely be  induced by a cyber attack

The next financial crisis will likely be  induced by a cyber attack

According to JP Morgan, one of its models that “calculates outcomes based on the length of the economic expansion, the potential duration of the next recession, the degree of leverage, asset-price valuations and the level of deregulation and financial innovation before the crisis” sees the next financial crisis occurring in 2020.  We recognize this current economic expansion is long in the tooth, but to us what is more worrisome is how the next financial crisis might start. Several new reports point to cyber threats as the likely culprit. Perhaps companies will take heed of these findings and perspectives, which would serve as the latest catalyst for our Safety & Security investing theme.

On Wednesday, the Depository Trust & Clearing Corp., which provides clearing and settlement for the financial markets in the U.S., released a report, entitled “The Next Crisis will be Different: Opportunities to Continue Enhancing Financial Stability 10 Years After Lehman’s Insolvency.” It discusses several macroeconomic and market-related risks to the financial system but specifically said that cybersecurity threats “have grown to a point where they may have become the most important near-term threat to financial stability.”

Cyberthreats have consistently been ranked as the number one concern by respondents to Depository Trust’s Systemic Risk Barometer since the survey began in 2013: “The motivation of cyber-attackers is shifting from purely achieving financial gains to disrupting critical infrastructures, such as through nation-state attacks, which threatens the basis for confidence in the financial system and even national or international stability.”

They aren’t the only ones worried. After the financial crisis, the Dodd-Frank Act established the Financial Stability Oversight Council to identify and monitor excessive risks to the U.S. financial system. The chairman is the secretary of the Treasury.

The Office of Financial Research provide financial data and research to the council and each year publishes a Financial Stability Report on risks to the financial system.

The most recent report, published in December, came to the same conclusion as the Depository Trust: “A large-scale cyberattack or other cybersecurity incident could disrupt the operations of one or more financial companies and markets and spread through financial networks and operational connections to the entire system, threatening financial stability and the broader economy.”

 

Source: A cyberattack could trigger the next financial crisis

More than just cyber problems at British Airways

More than just cyber problems at British Airways

It’s been a rough week for Tematica Research’s Chief Macro Strategist, Lenore Hawkins. Not only has British Airways once again lost her bags TWICE and offered little to no customer service help, which if you’ve traveled internationally you know is quite the bear, but she was also informed that her payment information was among the 380,000 card payments that were compromised in what was the latest cyber attack on British Airways. Yes, the company has a history of being hacked and losing bags, not a recipe for success in a business that is increasingly focused on the consumer experience. One can only hope these repeated offenses on both fronts leads to the parent company International Airlines Group to open its wallets and spend on both fronts lest it risks alienating consumers – not a recipe for success in a business that relies on putting customer bottoms in seats.

 

British Airways was forced to apologize on Friday after the credit card details of hundreds of thousands of its customers were stolen over a two-week period in the worst ever attack on its website and app.

The airline discovered on Wednesday that bookings made between Aug. 21 and Sept. 5 had been infiltrated in a “very sophisticated, malicious criminal” attack, BA Chairman and Chief Executive Alex Cruz said. It immediately contacted customers when the extent of the breach became clear.

Around 380,000 card payments were compromised, the airline said, with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.

The attack came 15 months after the carrier suffered a massive computer system failure at London’s Heathrow airport, which stranded 75,000 customers over a holiday weekend.

Data security expert Trevor Reschke said that like any website which sees large volumes of card transactions, British Airways was a ripe target for hackers.

“It is now a race between British Airways and the criminal underground,” said Reschke, head of threat intelligence at Trusted Knight.

After the computer system failure in May 2017, BA said it would take steps to ensure such an incident never happened again, but in July it was forced to cancel and delay flights out of the same airport due to problems with a supplier’s IT systems.

 

Source: British Airways apologizes after 380,000 customers hit in cyber attack | Reuters

Adidas is added to the growing list of retail cyber hacks

Adidas is added to the growing list of retail cyber hacks

Amid all the talk of trade wars and tariffs, the new war that is cyber attacks continues to advance, threatening companies and consumers alike. We have long said that cyber security, an aspect of our Safety & Security investing theme and index, is much like insurance – you may not think you need it, but you’ll be glad you have it when you do.

With each additional high profile attack, and we’ve had a few in the last few months, there is an increasing likelihood of IT budget shifts toward cyber spending for both defensive measures (reactive) as well as security (proactive). As we move deeper into the Digital LIfestyle, we see no slowdown in this cyber spending.

 

Another day, another (possible) data breach: Adidas revealed that it has come under attack from cybercriminals looking to steal personal information.

The breach could potentially affect millions of customers, who were notified on Thursday (June 28) about the incident on the Adidas U.S. website.

The company said it discovered the problem on Tuesday (June 26), when “an unauthorized party” claimed to have acquired some of its consumer data. The company is conducting a forensic review, as well as alerting customers who could be affected.

The investigation so far has found that the leaked data includes contact information, usernames and encrypted passwords. The retailer does not believe any credit card or health and fitness information was affected.

Adidas isn’t the first retailer affected by a breach. Earlier this year, Under Armour revealed that it suffered one of the biggest hacks in history after data from 150 million users of its MyFitnessPal diet and fitness app was compromised in February.

“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018,” the company wrote in a statement. “The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.

And in April, retailer Hudson’s Bay disclosed that customers at Saks and Lord & Taylor stores in North America have had their payment cards compromised. The breach, which is believed to involve 5 million cards, would be one of the largest involving payment cards over the past year.

Source: Adidas Warns Customers Of Data Breach | PYMNTS.com

Equifax reports data breach possibly affecting 143 million U.S. consumers 

Equifax reports data breach possibly affecting 143 million U.S. consumers 

Another day, another company compromised through a cyber attack. With this latest high profile attack on Equifax (EFX), personal information, such as Social Security numbers, birth dates, addresses and driver’s license numbers as well as credit card numbers for tens of thousands of people. Given the sensitivity of the information, we strongly suspect IT budgets at Equifax, Experian (EXPGY) and TransUnion (TRU) will see a shift to favor cyber security, a key aspect of our Safety & Security investing theme.

Credit-reporting company Equifax Inc. said Thursday that hackers gained access to some of its systems, compromising the personal information of about 143 million U.S. consumers.

Atlanta-based Equifax—one of three major credit-reporting firms—said an internal investigation revealed hackers exploited a vulnerability in a U.S. website application to gain unauthorized access to files from mid-May through July. The company, which also offers credit-monitoring and identity-theft protection products to guard consumers’ personal information, said it discovered the breach on July 29.

Equifax said hackers gained access to systems containing customers’ Social Security numbers, birth dates, addresses and driver’s license numbers. The company said credit-card numbers for approximately 209,000 U.S. consumers were accessed, as well as dispute documents with sensitive information for another 182,000 people.

Source: Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers – WSJ

With 2017 Poised to be the Year of Ransomware, More Cyber Spending is on the Way

With 2017 Poised to be the Year of Ransomware, More Cyber Spending is on the Way

With headlines swirling following the WannaCry attack that hit more than 230,000 computers across more than 150 countries in just 48 hours, on this episode of Cocktail investing we spoke with Yong-Gon Chon, CEO of cyber security company Focal Point to get his insights on that attack, and why ransomware will be the cyber threat in 2017. Before we get into that Safety & Security conversation, Tematica’s investing mixologists, Chris Versace and Lenore Hawkins broke down last week’s economic and market data as well as the latest relevant political events. With all the controversy in D.C., there was a lot to discuss concerning the likelihood that the Trump Bump, which was based on assumptions around tax reform, regulatory roll-back, and infrastructure spending is evolving into the Trump Slump as investors realize the anticipated timeline for such was decidedly too aggressive. With mid-term elections looming, we expect the Trump opposition will be emboldened by the controversy surrounding the administration and will put in best efforts to appeal to their constituents. For the market, it’s another reason to see the Trump agenda likely slipping into late 2017-early 2018, and that realization is likely to weigh on robust GDP and earnings expectations for the balance of 2017.

The markets on May 17th suffered their biggest losses in 2017, with the Nasdaq taking the biggest one-day hit since Brexit, as the turmoil in Washington dampens investors’ appetite for risk while raising questions over GDP and earnings growth. While some Fed banks are calling for 2Q 2017 GDP as high as 4.1 percent (quite a jump from 1Q 2017’s 0.7 percent!), the data we’re seeing suggests something far slower. We continue to think there is more downside risk to be had in GDP expectations for the balance of 2017, and the latest Trump snafu is only likely to push out team Trump’s reforms and other stimulative efforts into 2018. If 2Q growth is driven in large part by inventory build, which is what the data is telling us, expect the second half to be significantly weaker than the mainstream financial media would lead you to believe.

While the global financial impact of the WannaCry ransomware attack may have been lower than some other high profile attacks such as ILOVEYOU and MyDoom, the speed at which it moved was profound. We spoke with Yong-Gon Chon, CEO of Focal Point Data Risk about the incident to get some of the perspective and insight the company shares with its c-suite and Board level customers. While many are focusing on WannaCry, Yong-Gon shares that as evidenced by recent content hijackings of Disney (DIS) and Netflix (NFLX), ransomware is poised to be the cyber threat of 2017. Those most likely to be targeted are those organizations that prioritize uptime and whose businesses tend to operate around the clock, making backups and software updates extremely challenging.

While in the past IP addresses may have been scanned once every four to five hours, in today’s increasingly Connected Society, IP addresses are scanned one to ten times every second. As consumers and businesses in the developed and emerging economies increasingly adopt the cloud and other aspects of Connected Society investing theme, we are seeing an explosion in the amount of data as more and more of our lives are evolving into data-generating activities. From wearables to appliances to autos, our homes, offices, clothing and accessories are becoming sources of data that goes into the cloud. With the Rise of the New Middle Class in emerging markets, we are seeing the number of households participating in this datafication grow dramatically, exposing new vulnerabilities along the way. That increasingly global pain point is fodder particularly for cyber security companies, such as Fortinet (FTNT), Splunk (SPLK) and Cisco Systems (CSCO) that are a part of our Safety & Security investing theme.

During our conversation with Yong Gon we learned that companies need to understand that breaches must be viewed as inevitable in today’s Connected Society, network boundaries are essentially a thing of the past. Security can no longer about preventing nefarious actors from gaining entrance, but rather is now about managing what happens once a company’s network has been invaded. From a sector perspective, with all the regulation and reporting requirements in financial services, many of these firms are leading the way in how to best deal with such breached.Uber

For investors who want to understand the potential impact of cybercrime, Yong-Gon Chon suggests looking at how much data a company is generating and how the company is managing the growth of that data, with companies such as Facebook (NASDAQ:FB), Alphabet (NASDAQ:GOOGL) and Uber examples of heavy generators. Investors need to look at a company’s cyber risk as a function of the magnitude of its data generation and the company’s level of maturity in addressing that risk. By comparison, companies not affected by attacks such as WannaCry need to be asking themselves why didn’t they get hit? Was it luck or did we do something right? If so, what did we do right and what is the scope of protection we have given what we’ve learned about the latest attack strategies?

We also learned about the new efforts underway globally to develop attribution of cyber threats so as to differentiate between those threats from professional cyber criminals versus the capricious tech savant engaging in ill-advised boundary exploration. Along with this shift is also a change in the boardroom, where cybersecurity is viewed in the context of its potential impact on the business, rather than as a function of a company’s IT department.

One thing we can be assured of is that hackers are watching each other and the good ones are learning what makes attacks fail and where organizations are weakest. As the Connected Society permeates more and more of our lives, these risks become more pernicious and their prevention more relevant to our everyday lives. The bottom line is we are likely to see greater cyber security spending in preventative measures as well cyber consulting as those responsibilities become a growing focus of both the c-suite and board room.

Companies mentioned on the Podcast

  • Amazon.com (AMZN)
  • Apple (AAPL)
  • CVS Health (CVS)
  • Disney (DIS)
  • Facebook (FB)
  • Focal Point
  • JC Penny Co (JCP)
  • Kohl’s (KSS)
  • Macy’s (M)
  • Microsoft (MSFT)
  • Netflix (NFLX)
  • Nordstrom (JWN)
  • TJX Companies (TJX)
  • Twitter (TWTR)
  • Uber
  • United Parcel Service (UPS)
  • Walgreens Boots Alliance (WBA)

Resources for this podcast:

Recently confirmed Myspace hack could be the largest yet, dwarfing @LinkedIn and @Tumblr breaches $HACK @SophosLabs @Time

Recently confirmed Myspace hack could be the largest yet, dwarfing @LinkedIn and @Tumblr breaches $HACK @SophosLabs @Time

While the myspace data breach may data back a few years, it’s size (roughly 427 million passwords!) serves as a reminder that not every breach/attack is immediately detected let alone thwarted. This serves as a harsh reminder on the ever evolving need for cyber security that fuels our Safety & Security investing theme.

Time, Inc. didn’t confirm how many user accounts were included in this data set, but a report from LeakedSource.com says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale.Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack.

Source: Recently confirmed Myspace hack could be the largest yet | TechCrunch