Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third-party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach. CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on their leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, which is around the time PLAY ransomware targeted the Argentina Court of Cordoba (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, it appears to have had a significant impact on residential facilities throughout the city, as stated by officials. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including but not limited to personal identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in-the-wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting their FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow, which could allow unauthenticated attackers to perform arbitrary remote code execution (RCE) if successfully exploited. Specifically, the vulnerability exists within the FortiOS sslvpnd product, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators leveraging FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise can be found in the Fortinet advisory linked below.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

FTC Commercial Surveillance and Data Security Forum Highlights Industry and Consumer Perspectives

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

Remarks from Chair Khan and Commissioners Slaughter and Bedoya focused on the need for public participation in the rulemaking process and the FTC’s role in privacy regulation in the absence of comprehensive federal legislation. Commissioner Slaughter noted that, until such federal legislation is passed, the FTC will continue to use its Section 5 authority to regulate unfair and deceptive practices related to privacy and data security.

The industry panel was moderated by FTC Senior Advisor Olivier Sylvain and focused in part on how the FTC should structure a potential rule. Multiple industry panelists emphasized the need for rules that limit out-of-context data use or tracking, while still allowing in-context use to as consumers expect. Industry panelists also highlighted the need for heightened rules for “dominant” industry players and financial penalties for bad behaviors.

The consumer advocate panel focused on issues surrounding meaningful consumer consent and the negative effects of commercial surveillance on consumers, such as one-click background checks and demographic-tailored advertising that disproportionately affects minority groups in negative ways. Similar to the industry panel, consumer advocate panelists also highlighted out-of-context data use and dominant industry actors as some of the major issues the FTC should address in its rulemaking.  The FTC will receive public comments on the ANPR until October 21, 2022.

For more antitrust and FTC legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Wegmans Settles With NYAG for $400,000 Over Data Incident

The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.

Of concern for the AG, among other things, were that the passwords were salted and hashed using SHA-1 hashing, rather than PBKDF2. Similarly, the AG found concerning the fact that the company did not have an asset inventory of what it maintained in the cloud. As a result, no security assessments were conducted of its cloud-based databases. The NYAG also took issue with the company’s lack of long-term logging: logs for its Azure assets were kept for only 30 days. Finally, the company kept checksums derived from customer driver’s license information, something for which the NYAG did not feel the company had a “reasonable business purpose” to collect or maintain.

The NYAG argued that these practices were both deceptive and unlawful in light of the promises Wegman’s made in its privacy policy. It also felt that the practices were a violation of the state’s data security law. As part of the settlement, Wegmans agreed to pay $400,000. It also agreed to implement a written information security program that addresses, among other things:

  1. asset management that covers cloud assets and identifies several items about the asset, including its owner, version, location, and criticality;
  1. access controls for all cloud assets;
  1. penetration testing that takes into account cloud assets, and includes at least one annual test of the cloud environment;
  1. central logging and monitoring for cloud assets, including keeping cloud logs readily accessible for 90 days (and further stored for a year from logged activity);
  1. customer password management that includes hashing algorithms and a salting policy that is at least commensurate with NIST standards and “reasonably anticipated security risks;” and
  1. policies and procedures around data collection and deletion.

Wegmans agreed to have the program assessed within a year of the settlement, with a written report by the third-party assessor provided to the NYAG. It will also conduct at-least-annual reviews of the program. As part of that review it will determine if any changes are needed to better protect and secure personal data.

Putting It Into Practice: This case is a reminder for companies to think not only about assets on its network, but its cloud assets, when designing a security program. Part of these efforts include clearly identifying locations that house personal information (as defined under security and breach laws) and evaluating the security practices and controls in place to protect that information. The security program elements the NYAG has asked for in this settlement signal its expectations of what constitutes a reasonable information security program.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Throwing Out the Privacy Policy is a Bad Idea

The public internet has been around for about thirty years and consumers’ browser-based graphic-heavy experience has existed for about twenty-five years. In the early days, commercial websites operated without privacy policies.

Eventually, people started to realize that they were leaving trails of information online, and in the early ‘aughts the methods for business capturing and profiting from these trails became clear, although the actual uses of the data on individual sites was not clear. People asked for greater transparency from the sites they visited online, and in response received the privacy policy.

A deeply-flawed instrument, the website privacy policy purports to explain how information is gathered and used by a website owner, but most such policies are strangely both imprecise and too long, losing the average reader in a fog of legalese language and marginally relevant facts. Some privacy policies are intentionally obtuse because it doesn’t profit the website operator to make its methods obvious. Many are overly general, in part because the website company doesn’t want to change its policy every time it shifts business practices or vendor alliances. Many are just messy and poorly written.

Part of the reason that privacy policies are confusing is that data privacy is not a precise concept. The definition of data is context dependent. Data can mean the information about a transaction, information gathered from your browser visit (include where you were before and after the visit), information about you or your equipment, or even information derived by analysis of the other information. And we know that de-identified data can be re-identified in many cases, and that even a collection a generic data can lead to one of many ways to identify a person.

The definition of data is context dependent.

The definition of privacy is also untidy. An ecommerce company must capture certain information to fulfill an online order. In this era of connected objects, the company may continue to take information from the item while the consumer is using it. This is true for equipment from televisions to dishwashers to sex toys. The company likely uses this information internally to develop its products. It may use the data to market more goods or services to the consumer. It may transfer the information to other companies so they can market their products more effectively. The company may provide the information to the government. This week’s New Yorker devotes several pages to how the word “privacy” conflates major concepts in US law, including secrecy and autonomy,1 and is thus confusing to courts and public alike.

All of this is difficult to reflect in a privacy policy, even if the company has incentive to provide useful information to its customers.

Last month the Washington Post ran an article by Geoffrey Fowler that was subtitled “Let’s abolish reading privacy policies.” The article notes a 2019 Pew survey claiming that only 9 percent of Americans say they always read privacy policies. I would suggest that more than half of those Americans are lying. Almost no one always reads privacy policies upon first entering a website or downloading an app. That’s not even really what privacy policies are for.

Fowler shows why people do not read these policies. He writes, “As an experiment, I tallied up all of the privacy policies just for the apps on my phone. It totaled nearly 1 million words. “War and Peace” is about half as long. And that’s just my phone. Back in 2008, Lorrie Cranor, a professor of engineering and public policy at Carnegie Mellon University, and a colleague estimated that reading and consenting to all the privacy policies on websites Americans visit would take 244 hours per year.”

The length, complexity and opacity of online privacy policies are concerning. The best alleviation for this concern would not be to eliminate privacy policies, but to make them less instrumental in the most important decisions about descriptive data.

Limit companies’ use of data and we won’t need to fight through their privacy options.

Website owners should not be expected to write out privacy policies that are both sufficiently detailed and succinctly readable so that consumers can make meaningful choices about use of the data that describes them. This type of system forces a person to be responsible for her own data protection and takes the onus off of the company to limit its use of the data. It is like our current system of waste recycling – both ineffective and supported by polluters, because rather than forcing manufacturers to use more environmentally friendly packaging, it pushes consumers to deal with the problem at home, shifting the burden from industry to us.  Similarly, if the legislatures provided a set of simple rules for website operators – here is what you are allowed to do with personal data, and here is what you are not allowed to do with it – then no one would read privacy policies to make sure data about our transactions was spared the worst treatment. The worst treatment would be illegal.

State laws are moving in this direction, providing simpler rules restricting certain uses and transfers of personal data and sensitive data. We are early in the process, but if the trend continues regarding omnibus state privacy laws in the same manner that all states eventually passed data breach disclosure laws, then we can be optimistic and expect full coverage of online privacy rules for all Americans within a decade or so. But we shouldn’t need to wait for all states to comply.

Unlike the data breach disclosure laws which encourage companies to comply only with the laws relevant to their particular loss of data, omnibus privacy laws affect the way companies conduct the normal course of everyday business, so it will only take requirements in a few states before big companies start building their privacy rights recognition functions around the lowest common denominator. It will simply make economic sense for businesses to give every US customer the same rights as most protective state provides its residents. Why build 50 sets of rules when you don’t need to do so? The cost savings of maintaining only one privacy rights-recognition system will offset the cost of providing privacy rights to people in states who haven’t passed omnibus laws yet.

This won’t make privacy policies any easier to read, but it will become less important to read them. Then privacy policies can return to their core function, providing a record of how a company treats data. In other words, a reference document, rather than a set of choices inset into a pillow of legal terms.

We shouldn’t eliminate the privacy policy. We should reduce the importance of such polices, and limit their functions, reducing customer frustration with the privacy policy’s role in our current process. Limit companies’ use of data and we won’t need to fight through their privacy options.


ENDNOTES

1 Privacy law also conflates these meanings with obscurity in a crowd or in public.


Article By Theodore F. Claypoole of Womble Bond Dickinson (US) LLP

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Privacy Tip #335 – Health Care Sector Continues to Be Hit with Ransomware

According to the 2022 State of Ransomware Report issued recently by Sophos, it surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Those professionals in the health care sector shared that 66 percent of them had experienced a ransomware attack in 2021, which was an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.

If you look at the Office for Civil Rights data breach portal, you will see that a vast majority of breaches reported by health care providers and business associates are related to “Hacking/IT incident.” This confirms that the health care sector continues to be attacked by threat actors seeking to steal protected health information of patients.

If you are a patient who receives a breach notification letter from a health care provider or business associate, the letter will provide guidance on how to protect yourself following a data breach and may offer some protection guidance, including credit monitoring or fraud resolution. Such a letter has been sent to patients to comply with the breach notification requirements of HIPAA and state law. Part of those requirements includes that the patients be provided mitigation steps following the breach to protect themselves from fraud. Avail yourself of these protections in the event your information is compromised. Take the time to sign up for the mitigation offered. It is clear that these attacks will not subside any time soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to provide, for example, protection from federal charges for the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for the conduct if determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the facts of Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s prohibition on “unauthorized access” and held that a police officer who looked up license plate information on a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any another impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish between actual good-faith security research and pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges, prosecutors must inform the Office of the Deputy Attorney General (DAG) and may need to obtain approval from the DAG before initiating charges.

©2022 Greenberg Traurig, LLP. All rights reserved.

WW International to Pay $1.5 Million Civil Penalty for Alleged COPPA Violations

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent” on the registration page featuring these choices. In fact, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

  • Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
  • Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
  • Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
  • Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
  • Delete all children’s personal information collected within one year of the user’s last activity on the app; and
  • Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

© 2022 Keller and Heckman LLP

Chinese APT41 Attacking State Networks

Although we are receiving frequent alerts from CISA and the FBI about the potential for increased cyber threats coming out of Russia, China continues its cyber threat activity through APT41, which has been linked to China’s Ministry of State Security. According to Mandiant, APT41 has launched a “deliberate campaign targeting U.S. state governments” and has successfully attacked at least six state government networks by exploiting various vulnerabilities, including Log4j.

According to Mandiant, although the Chinese-based hackers are kicked out of state government networks, they repeat the attack weeks later and keep trying to get in to the same networks via different vulnerabilities (a “re-compromise”). One such successful vulnerability that was utilized is the USAHerds zero-day vulnerability, which is a software that state agriculture agencies use to monitor livestock. When the intruders are successful in using the USAHerds vulnerability to get in to the network, they can then leverage the intrusion to migrate to other parts of the network to access and steal information, including personal information.

Mandiant’s outlook on these attacks is sobering:

“APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S state governments through both cultivated and co-opted attack vectors. Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020.

Both Russia and China continue to conduct cyber-attacks against both private and public networks in the U.S. and there is no indication that the attacks will subside anytime soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

FBI and DHS Warn of Russian Cyberattacks Against Critical Infrastructure

U.S. officials this week warned government agencies, cybersecurity personnel, and operators of critical infrastructure that Russia might launch cyber-attacks against Ukrainian and U.S. networks at the same time it launches its military offensive against Ukraine.

The FBI and the Department of Homeland Security (DHS) warned law enforcement, military personnel, and operators of critical infrastructure to be vigilant in searching for Russian activity on their networks and to report any suspicious activity, as they are seeing an increase in Russian scanning of U.S. networks. U.S. officials are also seeing increased disinformation and misinformation generated by Russia about Ukraine.

The FBI and DHS urged timely patching of systems and reporting of any Russian activity on networks, so U.S. officials can assess the threat, assist with a response, and prevent further activity.

For more information on cyber incident reporting, click here.

Even though a war may be starting halfway across the world, Russia’s cyber capabilities are global. Russia has the capability to bring us all into its war by attacking U.S. government agencies and companies. We are all an important part of preventing attacks and assisting others from becoming a victim of Russia’s attacks. Closely watch your network for any suspicious activity and report it, no matter how small you think it is.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Texas AG Sues Meta Over Collection and Use of Biometric Data

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

The suit focuses on Meta’s “tag suggestions” feature, which the company has since retired. The feature scanned faces in users’ photos and videos to suggest “tagging” (i.e., identify by name) users who appeared in the photos and videos. In the complaint, Attorney General Ken Paxton alleged that Meta,  collected and analyzed individuals’ facial geometry data (which constitutes biometric data under CUBI) without their consent, shared the data with third parties, and failed to destroy the data in a timely matter, all in violation of CUBI and the DTPA. CUBI regulates the collection and use of biometric data for commercial purposes, and the DTPA prohibits false, misleading, or deceptive acts or practices in the conduct of any trade or commerce.

Among other forms of relief, the complaint seeks an injunction enjoining Meta from violating these laws, a $25,000 civil penalty for each violation of CUBI, and a $10,000 civil penalty for each violation of the DTPA. The suit follows Facebook’s $650 million class-action settlement over alleged violations of Illinois’ Biometric Privacy Act and the company’s discontinuance of the tag suggestions feature last year.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.