DOE Hit by Cyber Attacks; DHS Reports Efforts to Hack Critical Infrastructure; US and EU Data Deal Reached; DHS Awards $11M Info Sharing Grant; Cal State Hack Exposes 80k Students; 9th Cir. Rules for Sony on Data Retention; Fiat Chrysler Recalls 8000 More
Department of Energy Hit by Cyber Attacks
A review of federal records revealed that cyber attackers targeted U.S. Department of Energy (DOE) computer systems more than 1,100 times between 2010 and 2014, with 159 of those attacks successfully compromising the security of those systems. Incident reports submitted by federal officials and contractors to DOE’s Joint Cybersecurity Coordination Center show that systems containing sensitive data about the nation’s power grid (which DOE does not directly control), nuclear weapons and energy labs were targeted. However, DOE officials have not announced whether any sensitive data was accessed or stolen or any theories as to the parties involved. Over the same time period, the National Nuclear Security Administration, a semi-autonomous agency within DOE responsible for managing and securing the nation’s nuclear weapons stockpile, experienced 19 successful attacks.
DHS Report Reveals “Concerted Effort” to Hack Critical Infrastructure Systems
The U.S. Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a report advising that skilled hackers made a “concerted effort” to access critical systems in the chemical, manufacturing and energy sectors over this past summer. In particular, the report focuses on the exploitation of a previously unknown flaw in Adobe Flash Player that was used to hijack victims’ computers after they visited compromised websites. The hackers behind this threat are also believed to have been behind a series of attacks in 2014, and ICS-CERT warns that advanced, persistent spear-phishing campaigns against these sectors are continuing.
U.S. and EU Reach Data-Protection Deal
U.S. and European Union officials finalized a data-protection deal that will protect personal data exchanged between police and judicial authorities in the course of criminal or terrorist investigations, as well as between companies and law enforcement. The text of the agreement has reportedly been finalized, but the European Commission will not sign and formally conclude the matter until the “right to judicial redress” for EU citizens is enshrined in U.S. law. A bill addressing this issue was introduced by U.S. Congressman Jim Sensenbrenner in March and would reportedly address EU concerns if passed. For more information, see our alert.
DHS Awards UTSA $11 Million Grant to Set Information Sharing Standards
The U.S. Department of Homeland Security (DHS) selected a team led by The University of Texas at San Antonio (UTSA) as its Information Sharing and Analysis Organizations (ISAO) Standards Organization. The team will be responsible for setting standards for sharing cyberthreat information between the private sector and the government. The grant comes out of an executive order signed by President Obama in February that laid out a framework for expanded information sharing both within the private sector and between it and the government, to aid in quicker detection and prevention of cyberthreats and attacks. The executive order directed DHS to fund the creation of a nonprofit organization to develop a common set of voluntary standards for ISAOs, enabling them to quickly demonstrate their policies and security protocols to partners. Several industries, including banking and retail, have already set up information sharing programs; ISAOs are intended to encourage the development of broader information sharing, such as across a region or in response to specific threats. In setting baseline standards, the goal is to reduce transaction costs and encourage greater company participation.
Cal State Vendor Breach Exposes Nearly 80,000 Students
We End Violence, a vendor hired by the Cal State system to provide an online sexual violence prevention class, was hacked, exposing the data of nearly 80,000 students across eight Cal State campuses. The exposed data included personally identifying information, as well as additional information such as sign-in names and passwords used for the class, campus-issued e-mail addresses, gender, race, relationship status and sexual identity. Two other vendors also providing the classes, which are required of all students under state law, were not compromised. Cal State officials offered few details on how the hack occurred other than that it was related to a vulnerability in the underlying code. Cal State has hired a forensics firm to investigate.
9th Circuit Rules for Sony on Video Data Retention
The Ninth Circuit ruled that a plaintiff could not sue two units of Sony Corporation for violations of the Video Privacy Protection Act’s (VPPA) data retention provision. The case focused on whether the VPPA’s enforcement provision allows an aggrieved person to bring suit only for violations of the law’s prohibition on disclosure of personally identifiable information without written consent, or for violations of the VPPA’s provisions more broadly. In its first time considering the VPPA, the court held that the law does not provide a private right of action to enforce its data retention requirements, citing previous decisions by the Sixth and Seventh Circuits.
Fiat Chrysler Recalling Nearly 8000 More SUVs Over Hacking Fears
Fiat Chrysler Automobiles NV issued its second recall in six weeks related to flaws that leave vehicles vulnerable to hacking. The flaw affects 7,810 Jeep Renegade SUVs and follows Fiat Chrysler’s previous recall of 1.4 million cars and trucks equipped with a UConnect radio system. The company will address the flaws with a software update and reports that it is not aware of any complaints, warranty claims or crashes related to this flaw.