
Category Archives: Cyber Risk Management

What the Accommod8u Data Leak Shows About Student Housing

Here’s the background you need in order to understand the data hack, what it says about student housing, and what’s being done about it, as published by CBC News.

Leaked information from the popular student rental company Accommod8u appears to paint a picture of apartments plagued with vermin, mould and broken heating systems.

But some say the problem with student housing in Waterloo goes beyond just one company.

What was the leak?

Earlier this month, an anonymous Reddit user wrote a post titled: “Massive Data Leak of Accommod8u Maintenance Requests Over the Last Two Years.”

In a public Google document, the author said they managed to log into Accommod8u’s online tenant portal and access two years worth of maintenance requests.

“A close look at the 6000+ entries reveals an egregious disregard for the rights and wellbeing of the residents,” the user wrote in the post.

The report describes requests from tenants for help dealing with mold, vermin, carbon monoxide and fire alarm issues and faulty heating systems. It also criticizes Accommod8u’s response time, alleging that users often put in multiple requests for help that were ignored.

Who is involved?

The company

On its website, Accommod8u describes itself as a high-end apartment brand with eight high-rise buildings under its ownership. The web copy says each rental suite is clean, secure and “maintained to the highest standard.”

The company has been criticized before, after tenants had their move-in dates at an Accommod8u property delayed for weeks because construction wasn’t finished. Once the building was occupied, tenants said they still encountered problems with air conditioning, garbage chutes and laundry machines.

CBC has reached out to Accommod8u for comment and has not yet heard back.

The company has been criticized before, after tenants had their move-in dates at an Accommod8u property delayed for weeks because construction wasn’t finished. (Submitted by Brooke Willis)

The hacker

In a Google document titled “Contact Information,” the person or people behind the hack said they will not reveal their identity, or whether one or multiple people were involved. CBC has not spoken to those responsible for the data breach.

The police

The Waterloo Regional Police Service has confirmed that they are investigating the hack, but have not said whether any charges are pending.

What the leak shows

Students at the University of Waterloo say the hack shows what many of them knew already: that students are easily taken advantage of, and often don’t know what recourse they have when that happens.

Colin Chu was one of about 20 students who joined a meeting of the Waterloo Undergraduate Students’ Association Sunday, where the Accommod8u hack was on the agenda.

He said poor maintenance — along with disputed leases and other problems — is an ongoing problem at many of the rental companies that target students in Waterloo.

“Especially a lot of international students that are coming into the region for the first time and don’t have a really good handle on renting procedures or ways that they can be scammed or misled,” said Chu.

Chu said many students don’t know what their rights are, or that agencies like the Landlord and Tenant Board exist, and hopes they’ll become more active in learning about possible scams and ways to get help.

What officials are saying

Tenille Bonoguore, who represents much of the university area as a city councillor for uptown Waterloo, called the contents of the Accommod8u report “disturbing.”

“The kinds of issues that were being dealt with and the long time it was taking to deal with these issues give me concerns both for residents’ health and for their mental health,” said Bonoguore.

Bonoguore and her fellow councillors discussed the leak at a committee meeting this week, and questioned city staff about what the municipality’s responsibility is.

Shayne Turner, the city’s director of municipal enforcement services, said the city doesn’t have the power to investigate buildings without first being invited by a tenant.

But if tenants are having problems with their unit and aren’t getting anywhere with their landlord, they can contact the property standards office, which will check to see if there’s really a problem.

An inspector can issue a work order requiring property owners to fix problems, or hire someone to make repairs and add the bill to the property owner’s taxes.

What’s next

The undergraduate students association says it will set up a committee to research student housing in Waterloo, and to look into the possibility of a class-action lawsuit against housing companies on behalf of students.

Turner said his team will be in touch with the universities to ensure students understand how his office works, and what they can offer to tenants.

And Bonoguore said she plans to speak to students about their housing rights on an upcoming scheduled day when she was already planning to go door-to-door talking about street parties.

“I’m hopeful that residents and tenants become so aware of their rights and what’s expected and how to get help that they end up being able to very successfully advocate for their own health and safety,” said Bonoguore.

“I think anyone who has lived in rental accommodation knows that your state of living is as good as your landlord is,” said uptown Waterloo councillor Tenille Bonoguore.

Author: Paula Duhatschek · CBC News


Implementing Multi-Factor Authentication is Critical

The CFC Incident Response Team notes that the vast majority of claims for business email compromise (BEC) and the associated crimes that result from such a compromise (wire transfer fraud, data theft and further phishing attacks) could potentially be prevented by implementing multi-factor authentication (MFA) on email accounts and other accounts.

Due to the proliferation of modern attack methods used by cybercriminals, not using multi-factor authentication is akin to closing the door of your home but not locking it. To improve your security posture, and to bring it up to date to face current threats, the use of MFA is highly recommended.

So what is MFA? It is an authentication process that requires more than just a password to protect an email account or digital identity. It confirms that a person is who they say they are by requiring at least two independent pieces of evidence that corroborate their identity. This evidence comes in three forms: something you know (e.g. your password), something you have (e.g. a one-time passcode generated by an app or hardware token), or something you are (e.g. a fingerprint, retinal pattern, voice signature or facial recognition).

In the event of a password compromise, perhaps as a result of a phishing attack, it is very unlikely that the threat actor will also hold the second authentication factor, so the chances are that your email account or digital identity will not be compromised. MFA therefore strengthens your overall cyber security posture and reduces your exposure to reputational harm and negative business impact.
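The paragraph above is the whole argument for MFA: a stolen password is useless without the second factor. The block below is an added example, not code from the CFC article, showing what that looks like in a login check: a password (something you know) verified against a salted hash, plus a time-based one-time passcode (something you have) computed the way authenticator apps do it (HOTP per RFC 4226, TOTP per RFC 6238), both implemented with the Python standard library. The user account, password, salt and the `verify_login` helper are constructed for the demonstration; the shared secret is the RFC 6238 reference secret, so the generated codes match the RFC test vectors.

```python
"""Added example (not from the CFC article): password-plus-TOTP login check.

Demonstrates that a correct password alone does not pass the check; the
second factor (a TOTP code) is required as well. Account data is constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps by default)."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now // step), digits)


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store this, never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


# Constructed user store: one account with a salted password hash and a TOTP secret.
# The secret is the RFC 6238 reference secret so the codes match the RFC test vectors.
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def verify_login(username: str, password: str, code: Optional[str],
                 now: Optional[float] = None, drift: int = 1) -> bool:
    """Factor 1: password (something you know). Factor 2: TOTP code (something you have).

    Both must succeed. A missing or wrong code fails even when the password is right,
    which is exactly the property that defeats a phished password on its own.
    """
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    if not pw_ok or not code:
        return False
    if now is None:
        now = time.time()
    counter = int(now // 30)
    # Accept the current step and `drift` steps either side to tolerate small clock skew.
    for delta in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], counter + delta), code):
            return True
    return False


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    t = 59  # RFC 6238 test time: counter 1, code 287082
    print("code:", totp(secret, t))
    print("password + code:", verify_login("alice", "correct horse battery staple", totp(secret, t), now=t))
    print("password only:  ", verify_login("alice", "correct horse battery staple", None, now=t))
```

A production deployment would additionally reject a code that has already been accepted within its time step (replay), rate-limit failed attempts, and keep the TOTP secret in a separate store from the password hash so that one database leak does not hand over both factors.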

There are many free MFA apps and more comprehensive corporate solutions. Below are some additional resources:

We urge all brokers and their clients to take this critical security step as soon as possible.

Source: www.cfc.com


Look for These Points of Differentiation in Cyber Coverage

There is a slew of ways in which insurers are differentiating the policy wording in their cyber products. Some of these points of differentiation are described below.

  • Additional breach response limits. Look for whether, and how much, additional limits are available specifically for handling breach response costs.
  • Increasing, or eliminating entirely, sublimits for certain exposures. Fraudulent instruction is one particular exposure for which some insurers may be willing to either increase any available sublimits or remove the restriction of a sublimit entirely.
  • “Betterment” coverage. In the aftermath of a data breach, security failure, or other cyber claim, many cyber and privacy insurers are only willing to cover expenses incurred by the insured to get its networks back up to their prior level of adequacy. However, some insurers are willing to offer a degree of “betterment” coverage that allows insureds to work with a third-party vendor to not only restore their systems to their prior adequacy but also set them up with greater security, functionality, capacity, and so on.
  • Quality of service providers offered. The quality of third-party service providers (e.g., cyber-forensics specialists) can vary from insurer to insurer, and insureds and their representatives should do their due diligence to review their qualifications.
  • Number of service providers offered. Similarly, insureds should be aware of how many options may be at their disposal when selecting an insurer-approved service provider.
  • Use of “system failure” coverage trigger. A “system failure” coverage trigger can allow for more coverage for “accidental” exposures (e.g., nonmalicious failures or accidental data deletion), as opposed to a coverage trigger that requires “breach” or “compromise” of data or systems.
  • Trigger for regulatory fines and penalties coverage. Relatedly, many coverage triggers pertaining to regulatory fines and penalties insuring agreements may require a “breach.” However, some insurers may not include the breach requirement, potentially opening up coverage for scenarios in which regulators may “come knocking” even without a known data breach.

Keeping these points in mind can help insureds assemble better cyber and privacy insurance protection to complement their management and/or professional liability insurance portfolio.

Source: www.irmi.com


Trolling & catfishing: The social media fairy tale with no happy ending

The ease with which channels like Instagram, Facebook and Twitter bring people together is extraordinary, and should be celebrated. However, we cannot ignore the darkness that lurks beneath the online world, particularly with regards to social networks. Social media isn’t always a fairy tale, and the veil of anonymity that such channels provide can easily be used for evil, rather than good.

Lady Gaga was recently quoted as saying that social media is “the toilet of the internet.” Of course, this scathing review disregards the many benefits of social networks, but it does adequately sum up how many users feel about what can, and does, happen within the confines of these sites.

The potential for misuse of online platforms like social networks is huge. It is therefore essential that organizations operating within this space have broad regulatory cover in an evolving legal landscape. Affirmative cover for user generated content is also key, as are policies covering emotional distress or bodily injury.

The digital world is evolving all the time, and with new changes come new pitfalls. Phenomena such as trolling and catfishing are just two examples of the ways in which social media anonymity is being exploited, causing serious harm to those who fall victim, and significant damage to the online platforms used to facilitate abuse.

Companies of course have a moral duty to stamp out such behavior, but their responsibilities extend further than that. Inaction over online harassment may equate to negligence in the eyes of the law, and this is something that tech companies need to be aware of.

Policies regarding digital responsibilities are now integral components in business insurance coverage, particularly in the tech industry. With issues such as trolling and catfishing becoming increasingly prevalent, comprehensive protection must be tailored to the exposures of social media organizations.

What is trolling?

A troll is a person who makes use of the anonymity that the internet provides, in order to share inflammatory, abusive remarks about specific people or groups. It’s a type of online bullying that has become increasingly prevalent with the advent of social networks.

Several high-profile cases have brought the devastating consequences of online bullying to the attention of the global press. In 2014, model and reality television star Charlotte Dawson took her own life, after a lengthy and well publicized battle with online trolls. One night of particularly bad abuse led to her being hospitalized, before her suicide. She said, “It just triggered that feeling of helplessness when the trolls got to me. They got the better of me and they won.”

In 2017, 14-year-old schoolgirl Molly Russell also took her own life. In the following days and weeks, her family discovered distressing material about depression and suicide on her Instagram account. Parliamentary Under Secretary of State for Mental Health, Inequalities and Suicide Prevention Jackie Doyle-Price later said that harmful suicide and self-harm content online “has the effect of grooming people to take their own lives.”

What is catfishing?

A type of deception made possible by anonymity on the internet, catfishing is a targeted campaign of duplicity. In order to ‘catfish’ another person, a perpetrator creates a fake social networking presence, and designs an entire faux identity to be used online. Often, it is used to target vulnerable people for financial gain. It can also be used as a form of online trolling.

A New York man who fell victim to catfishing harassment at the hands of his ex-boyfriend is now suing tech company Grindr for its part in the abuse. Matthew Herrick endured months of harassment, with fake profiles appearing on the network impersonating him, and strange men being sent to his home and workplace.

Herrick filed 50 complaints with Grindr, 14 police reports, and even obtained a temporary restraining order, but it did not end the harassment. Herrick is now arguing that Grindr has violated product liability law. His lawsuit states, “This is a case about a company abdicating responsibility for a dangerous product it released into the stream of commerce. Grindr’s inaction enables the weaponization of its products and services.”

GDPR and the change in digital responsibilities

GDPR is a prime example of the way in which online platforms are coming under closer scrutiny than ever before. This legislation, which sets out a concrete list of data protection and privacy regulations, has been seen as a conscious attack on large tech companies.

In light of changes brought about by GDPR, social platforms must focus on users’ privacy protection, and it’s possible that more laws may be enforced to protect users. All it takes is one claim against a platform for reputations to be irrevocably damaged.

Large data collectors, such as social media sites, are likely to be most affected by the regulations of GDPR. These sites may now face increased regulation, with governments upping their input into what these sites must do. Take user-generated content, for example. Now, it’s down to individual websites to monitor user-generated content on their platforms and remove it if necessary. It’s therefore essential that sites like these have the proper coverage to handle claims of negligence.

How are social networks combating online harassment?

Social networks like Facebook, Twitter, Instagram and online dating sites like Grindr have worked to reduce the impact of catfishing and trolling on their platforms. However, there has been admission that not enough work has been done to protect users. The problem is, of course, a difficult one to overcome.

Twitter chief executive Jack Dorsey admitted the social media giant had not done enough to banish trolls from the site. Dorsey said, “We’ve made progress, but it has been scattered and not felt enough. Changing the experience hasn’t been meaningful enough. And we’ve put most of the burden on the victims of abuse (that’s a huge fail).”

Users publishing abusive content can be easily banned and blocked, but this doesn’t stop perpetrators from simply creating another fake profile to continue their actions. On dating sites, profiles will often need to be linked to an active social media account, however this too can be easily circumvented by those intent on using the platforms in a negative way.

Some platforms are making changes to tackle abuse and remove harmful content. Instagram, for example, banned images of self-harm after the site received widespread condemnation following the death of Molly Russell. These are welcome changes, however such reforms by social networks tend only to come about as a result of public lobbying in the event of a high-profile case. Much more needs to be done.

The categories of negligence are never closed. Tech companies need to be one step ahead in terms of protecting users against trolling, catfishing and other types of online harassment, whilst also ensuring that they themselves have adequate cover should an incident arise.

Source: www.cfcunderwriting.com


DDoS Attack Leads to Significant Online Sales Shortfall

The dawn of the internet has opened up a world of opportunity for businesses, allowing them to reach new markets and increase their revenues. Along with this, however, have come new risks. With many businesses now increasingly reliant on online sales, they are potentially vulnerable to financial losses should their websites become inaccessible to their customers.

One of the threats posed to businesses with an online presence is the distributed denial of service (DDoS) attack. DDoS attacks are used by cyber criminals to take down websites, and many make use of what is known as a botnet to do so. A botnet is essentially a network of “zombie” computers infected with malware that allows malicious actors to control them without their owners’ knowledge. When a DDoS attack is carried out in this way, the computers that make up the botnet are directed to access a particular website repeatedly and in rapid succession, flooding the website with more requests than it can handle and making it appear offline to normal internet users.

In the past, botnets were relatively difficult to assemble, but nowadays anyone can hire a botnet from the dark web and command all the computers within it to aim their access requests at a website of their choice. As a result, numerous organizations have fallen victim to DDoS attacks in recent years. For example, in late 2015 the BBC’s website was taken down for a whole morning following a DDoS attack initiated by a group of hackers, while in 2016, HSBC was hit by a DDoS attack that resulted in millions of customers being unable to access HSBC’s online banking services. Most recently, in mid-April 2019, the hacktivist group Anonymous claimed to have been behind DDoS attacks which brought down the websites of the National Crime Agency and the UK Supreme Court following the arrest of Julian Assange.

However, large, multinational corporations are not the only organizations that are targeted in this way. One of our policyholders affected by a DDoS attack was a small retailer of domestic goods. Although the majority of their sales are carried out in store, a sizable portion come from sales through their website.

Hacker fulfills promise of attack after missed email threat

The incident began when an unidentified hacker sent an email to one of the firm’s business email addresses, stating that the company’s website would be taken down within 24 hours unless a payment of $4,000 in Bitcoin was made. However, this email was caught in the company’s spam filters, meaning that it was not initially read by anyone at the company and so no reply was sent to the hacker.

Having not received any response to the threat after 24 hours, the hacker stayed true to his word and looked to initiate the next phase of the attack. Utilizing the massive number of computers under his control via a botnet, the cyber criminal directed the computers to send a vast amount of access requests to the company’s website. Without any DDoS protection in place, and as this was only a small business, this flood of internet traffic was well in excess of what their website could handle. The website was soon overwhelmed and became inaccessible to genuine internet users looking to browse products.

Repeated remedy attempts thwarted

It was the next morning when the policyholder became aware that the website was not appearing to external users. After some initial investigations, it was determined by the company’s IT department that the website was facing a sustained DDoS attack. In an attempt to overcome the issue, the IT team decided to block any internet traffic that came from outside the country in which they were based. This provided a very brief period of respite for the insured, with the website appearing back online, but the hacker responsible refused to give up that easily.

To overcome this new obstacle, the hacker made use of proxy servers. A proxy server acts as an intermediary between an end user and the internet, and essentially allows the end user to go online with a substitute IP address. In this case, the hacker simply switched the blocked IP addresses over to proxy servers that made it appear as if they were coming from the same country as the insured. This meant that the website was inundated with internet traffic once again, resulting in it appearing offline for a second time.

Having discovered that the website was down again, the insured’s IT department tried another tactic to help remedy the situation. This time they changed the website’s IP address, meaning that all of the DDoS related internet traffic was now being redirected to the old IP address. With the DDoS attack now focused on the old IP address, legitimate internet users could now access the insured’s website. However, this proved to be yet another short-lived victory. The attacker was determined to bring the website down and force the insured into making a ransom payment, so after realizing that the insured had changed the website’s IP address, the hacker simply switched the point of attack to the new IP address, swamping the website with internet traffic once more and bringing the site to its knees.

Policyholder enlists the help of CFC’s cyber incident response team

After several further attempts to counter the attack meeting with little success, it was at this point that the insured got in contact with our incident response team. Our team swiftly directed the insured towards one of our incident response partners that specializes in providing DDoS mitigation services. This service works by providing organizations affected by a DDoS attack with access to a network of data centers with a much higher capacity to absorb the vast amounts of internet traffic being generated by the attack. In addition, the service is also able to establish the difference between legitimate and illegitimate web traffic, thereby blocking malicious requests and allowing genuine internet users to access the affected site. After submitting some key details, the company was able to gain access to this service and within a few minutes their website was up and running again without suffering any further disturbance.
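The case study turns on two observations: the IT team could see the flood but kept chasing individual sources (foreign addresses, then the old IP) while the attacker moved, and the mitigation service succeeded because it could separate legitimate from illegitimate traffic at volume. The block below is an added example, not code from CFC or the policyholder, showing the first step a defender can take with nothing more than the web server’s access log: bucket requests into short windows, flag windows whose request rate is far above a baseline, and within each such window separate the few “loud” sources from the many quiet ones. The log lines, IP ranges (documentation prefixes), baseline rate and thresholds are all constructed for the demonstration. The sample deliberately mixes three loud bots with fifty quiet ones so that the report shows why per-source blocking alone leaves most of the flood in place.

```python
"""Added example (not from the CFC article): request-flood detection over an access log.

Parses Common Log Format lines, counts requests per time window and per source,
and reports windows whose rate exceeds a baseline multiple. Within a flagged
window it separates "loud" sources (above a per-IP threshold) from the rest.
All log data below is constructed; thresholds are assumptions for the demo.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def flood_report(lines: List[str], window_s: int = 10, per_ip_threshold: int = 50,
                 baseline_rps: float = 2.0, surge_factor: float = 10.0) -> List[dict]:
    """Return one record per window whose request rate is >= baseline_rps * surge_factor.

    Each record lists the loud sources (>= per_ip_threshold requests in the window),
    how much of the window's traffic they account for, and how many distinct sources
    took part. A low loud_share with many distinct sources is the signature of a
    distributed flood that per-IP blocking cannot remove.
    """
    per_window: Counter = Counter()
    per_window_ip: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = int(rec["ts"].timestamp()) // window_s
        per_window[w] += 1
        per_window_ip[w][rec["ip"]] += 1

    surges = []
    for w, n in sorted(per_window.items()):
        rps = n / window_s
        if rps >= baseline_rps * surge_factor:
            loud = {ip: c for ip, c in per_window_ip[w].items() if c >= per_ip_threshold}
            surges.append({
                "window_start": datetime.fromtimestamp(w * window_s, tz=timezone.utc),
                "requests": n,
                "rps": rps,
                "loud_sources": loud,
                "loud_share": sum(loud.values()) / n,
                "distinct_sources": len(per_window_ip[w]),
            })
    return surges


def make_sample_log() -> List[str]:
    """Constructed access log: 60 s of normal browsing plus a 10 s flood starting at t=30."""
    base = datetime(2019, 10, 10, 7, 0, 0, tzinfo=timezone.utc)

    def fmt(ip: str, t: datetime, path: str) -> str:
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    # Normal traffic: one request every 3 s from five rotating legitimate clients.
    for i in range(0, 60, 3):
        lines.append(fmt(f"203.0.113.{(i // 3) % 5 + 1}", base + timedelta(seconds=i), "/products"))
    # Flood: three loud bots (100 requests each) inside seconds 30..39 ...
    for bot in range(3):
        for k in range(100):
            lines.append(fmt(f"198.51.100.{bot + 1}", base + timedelta(seconds=30 + k % 10), "/"))
    # ... plus fifty quiet bots (4 requests each) in the same window, each under the per-IP threshold.
    for bot in range(50):
        for k in range(4):
            lines.append(fmt(f"192.0.2.{bot + 1}", base + timedelta(seconds=30 + (bot + k) % 10), "/"))
    return lines


if __name__ == "__main__":
    for s in flood_report(make_sample_log()):
        print(f"{s['window_start']:%H:%M:%S}: {s['requests']} requests ({s['rps']:.1f} rps), "
              f"{len(s['loud_sources'])} loud sources carry {s['loud_share']:.0%} of traffic, "
              f"{s['distinct_sources']} distinct sources")
```

On the constructed sample the one flagged window holds 504 requests: the three loud sources account for roughly 60% of them, so blocking those three still leaves about 200 requests from 54 other addresses, an order of magnitude above the 2 rps baseline. That is the same lesson the policyholder learned by blocking foreign addresses and then changing the site’s IP: source-based filtering buys minutes, and absorbing or scrubbing the traffic upstream is what restores service.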

Nevertheless, the company website had been down from 7 o’clock in the morning until just after 4 o’clock in the afternoon, with only a few brief moments of normality in between the hacker’s various attacks. During this time, customers had been unable to access their website and purchase any items online. Despite seeing a resumption of sales in the days after the attack, the insured still suffered a noticeable reduction in overall sales for the month. Having budgeted for $1,126,838 in online sales for the month in question, the insured only achieved sales of $951,632, a shortfall of $175,206. After adjusting the loss to reflect that the business had been slightly behind budget in the weeks preceding the DDoS attack, and following the application of a rate of gross profit of 41%, this resulted in a business interruption loss of $51,506, which was picked up by the insured’s cyber policy with CFC.

How to minimize the impact of a DDoS attack

This claim highlights a few key points. Firstly, it illustrates the importance of businesses investing in some form of DDoS protection, as these attacks are increasing in terms of size and power. Indeed, some hackers are exploiting the rise of connected devices (sometimes referred to as the Internet of Things or IoT), such as cameras, smart TVs, printers and even children’s toys and baby monitors, to increase the computing power at their disposal when carrying out DDoS attacks. Depending on the size of the business in question, DDoS protection can be a relatively inexpensive purchase and is often available to businesses via their web-hosting providers. Having this protection in place can help reduce the likelihood of an organization’s website being taken down by malicious actors.

Secondly, it underscores the importance of policyholders notifying incidents to their insurer as soon as they can. In this case, the company’s internal IT department initially attempted to deal with the DDoS attack on their own, but unfortunately their attempts were unsuccessful. After the matter was referred to our incident response team, we managed to get the policyholder in touch with a specialist provider and get the website back online very quickly. Had they notified the incident earlier, it would likely have resulted in the incident being resolved without any meaningful interruption or reputational damage to their organization.

Finally, it highlights just how dependent modern businesses are on their digital assets and how important cyber insurance coverage is. The policyholder’s website was only out of action for a single working day yet it still resulted in a sizable business interruption loss. However, traditional insurance policies, such as standard property and business interruption cover, were designed to deal with threats to a company’s physical assets, rather than their digital assets like websites, software programs, data and electronic funds. Cyber insurance fills this gap, providing cover for digital assets against 21st century threats.

Source: www.cfcunderwriting.com

