Cybersecurity News Roundup: Ransomware, Accellion hack, IoT security law

Ransomware Group Threatens to Release Sensitive Information on D.C. Police

The global ransomware headache is not letting up. And it turns out law enforcement is not immune to the menace. This time, Washington D.C.’s Metropolitan Police Department found itself in the crosshairs of an attack.

The department announced its network had been breached. Babuk, a Russian-speaking ransomware group, posted screenshots on the dark web that suggested they had gained access to confidential data on criminal gang activity and raw police intelligence. The hackers claimed to have stolen over 250GB of data.

The group was allegedly threatening to release data on police informants if it was not contacted quickly. They would make good their threat weeks later when they dumped hundreds of pages of internal police documents after talks broke down.

The FBI is reportedly investigating the full extent of the breach.

In mid-April, the NBA’s Houston Rockets announced their network systems had been breached by Babuk. The hackers accessed financial data, player contracts, and other sensitive information.

Accellion Hack Continues to Claim More Victims

The data breach disclosures in the aftermath of the Accellion hack continue unabated.

One of the latest is the University of California, Berkeley, whose employees received an email from an unknown source that stated their stolen data would be released. The email included a sample of UC Berkeley employees’ personal details. The university confirmed the data breach was a result of the intrusion suffered by Accellion discovered early this year.

Accellion, a firewall vendor, saw a cluster of vulnerabilities in its secure file transfer equipment software exploited by hackers. Dozens of organizations including Stanford University, Royal Dutch Shell, Qualys, grocery chain Kroger, the Reserve Bank of New Zealand, Bombardier, and the Australian Securities and Investments Commission have so far announced they were breached due to the flaws.

Several have confirmed receiving extortion threats as the ransomware group Clop threatens to publish the sensitive data if the targeted organization fails to pay up.

Accellion quietly released fixes in December and January to address the gaps. The company retired the software on April 30.

UK’s Proposed IoT Security Law Gathers Speed

With the number of Internet of Things (IoT) devices projected to exceed 40 billion by 2023, the scale of the IoT is expected to rapidly dwarf the size of traditional, non-IoT Internet connections. IoT objects range from vending machines and microwaves to connected cars and jet engines. As smart devices proliferate across homes, businesses, and vehicles, security concerns abound.

It is in this context that the UK government is developing new cybersecurity laws focused on the IoT. The planned legislation aims to address the shortfall in smart device security.

It will compel suppliers to disclose to buyers how long the product will receive security patches and updates. The law will also ban suppliers from shipping devices with universal preset default passwords.

The Department of Digital, Culture, Media and Sport (DCMS) wants the new law to cover smartphones as well. Research shows about a third of the population keeps their smartphones for four or more years, yet brands typically offer security updates for no more than two years.

Given how far-reaching the IoT will be in the future, it is only a matter of time before other countries follow suit.