January 2022 Cybersecurity News Roundup: $60 million settlement, ‘zero trust’ strategy, fall of REvil, and more

Top Cyber Stories for January 2022

Morgan Stanley’s $60 Million Settlement for Data Breach

Financial services giant Morgan Stanley has agreed to pay $60 million to settle a data security class-action lawsuit. The lawsuit brought by about a dozen customers claimed the company had exposed their personal information when on two occasions, it failed to correctly retire older information technology.

The breach was the result of a failure to delete from legacy systems the personally identifiable information (PII) of nearly 15 million past and present customers in 2016 and 2019. The legacy systems were sold to third parties while containing unencrypted data. Morgan Stanley started to inform customers about the breach in July 2020.

The company was separately fined $60 million by the Office of the Comptroller of the Currency (OCC) for the incident in October 2020.

White House Memo Instructs Adoption of ‘Zero Trust’

The White House rolled out a new cybersecurity strategy that seeks to reduce the threat of cyberattacks on government infrastructure. The strategy articulates the administration’s vision to move government agencies to a ‘zero trust’ cybersecurity model. Zero trust implies devices and users will be granted network access permissions limited to the role or task at hand only.

The strategy’s primary document was published as a memorandum by the Office of Management and Budget (OMB) addressed to heads of all agencies and executive departments. Government agencies have 30 days to appoint an implementation lead and 60 days to file an implementation plan.

Cyberattack on Ukraine

Amidst rising military tensions between Russia on the one hand, and Ukraine and NATO on the other, the government of Ukraine was the subject of a major cyberattack. The attack struck about 70 websites including those belonging to the cabinet, the treasury, the state service, seven ministries and the National Emergency Service. Harmful malware was also placed in government agencies.

Most of the affected sites had access restored hours after the attack. Ukraine’s government accused Russia of being behind the onslaught. According to a Ukrainian official, the hackers used the administrator credentials held by the websites’ developer.

The Fall of REvil?

REvil, the criminal group linked to some of the most significant ransomware attacks in recent years, was the target of a multi-government security operation led by Russia’s domestic intelligence service, the FSB. The operation saw 14 individuals arrested and more than 1 million dollars in assets seized.

Incidents the group has been associated include 2021 attacks on Colonial Pipeline, JBS USA and Kaseya. The FSB said it dismantled REvil and charged the members in response to information provided by the US.

Cybersecurity Review for Chinese Companies Before Overseas IPOs

The Cyberspace Administration of China (CAC), the country’s cyberspace regulator, announced it will require platform companies that hold data of a million users or more undergo a cybersecurity check before they can list their shares abroad. Companies are expected to apply for the review before they submit their listing application to overseas regulators.

The objective of the test is to assess the risk of company data being accessed, controlled, manipulated or otherwise affected by foreign governments. Organizations deemed to endanger national security will be barred from listing abroad. The new rules will be effective from February 15.