Decrypted: The major ransomware attack you probably didn’t hear about

Watching the news this past week was like drinking from a firehose. Speaking of which, you probably missed a busy week in cybersecurity, so here are the big stories from the past week.


THE BIG PICTURE

Blackbaud hack gets worse, as bank account data stolen

Blackbaud, a cloud technology company used by colleges, universities, nonprofits (and far-right organizations), was hit by a data-stealing ransomware attack earlier this year. The attack was one of the biggest of the year in terms of the number of organizations affected, hitting dozens of universities, hospitals and other high-profile organizations like NPR. Blackbaud said in July that it paid the ransom — but also claimed and received “confirmation” that the stolen personal data “had been destroyed,” fooling absolutely nobody.

This week Blackbaud confirmed in a regulatory filing that the stolen data also included bank account data and Social Security numbers — far more personally identifiable information than the company first thought. “In most cases, fields intended for sensitive information were encrypted and not accessible,” the company claimed.

Despite Blackbaud’s claim that the data was deleted, these are malicious hackers driven by financial reward. Hope for the best, but assume the worst — Blackbaud’s data is still out there.

Facebook shuts down malware that hijacked accounts to run ads

Hackers spent about $4 million to run scammy ads on Facebook by hijacking the accounts of unsuspecting users, reports Wired. The hackers used malware, dubbed SilentFade, to compromise Facebook accounts with stolen passwords, then used whatever credit card details were saved on those accounts to buy ads for diet pills and fake designer handbags.

The malware was sneaky, too: It hid Facebook notifications from the user about the ad campaigns that the hackers were running.

Facebook disclosed the malware this week, almost a year after it brought a civil suit against the hackers, who are accused of running the operation.

IRS under investigation for using location data without a warrant

Who needs a warrant for location data? The IRS. Who hasn’t been getting a warrant for location data? Also the IRS. But that might be a decision that could land the federal tax collector in hot water. As first reported by the Wall Street Journal, the IRS was buying smartphone location data on Americans from a private contractor without first obtaining a warrant.

That’s potentially a major problem, and one that the agency’s watchdog is investigating, per a new report by Motherboard. “We are going to conduct a review of this matter,” said IRS Inspector General J. Russell George, in a letter to senators.

The IRS isn’t the only government department buying location data off the private market. Motherboard reports that Customs and Border Protection also bought location data from a data firm, Venntel, allowing the U.S. border authority to track devices — even outside of U.S. borders.


MOVERS AND SHAKERS

Meet Twitter’s new security chief, Rinki Sethi. As the social media giant’s new chief information security officer, Sethi will oversee the company’s infosec posture.

Sethi hails from Rubrik where she served as CISO and previously worked in cybersecurity roles at IBM, Palo Alto Networks and Intuit. She also serves as an advisor to several startups, including LevelOps and Authomize, and cybersecurity organizations, including Women in Cybersecurity.

Hiring a new security chief can’t come at a more important time for the company, left reeling from a breach in August that saw hackers commandeer the company’s internal “admin” tool to hijack high-profile accounts and spread a cryptocurrency scam. Twitter responded by doubling down on its internal security measures by requiring hardware security keys, which can help prevent phishing attacks.


$ECURITY $TARTUPS

Eclypsium, a Portland-based hardware security startup founded in 2017, has raised $13 million. The company detects security issues at the firmware level.

Meanwhile, Israeli cybersecurity firm Illusive Networks has raised $24 million in its latest funding round, with participation from Spring Lake Equity Partners, Marker, Cisco, Microsoft and others. Illusive, which blankets a customer’s network with fake booby-trapped data to detect data breaches, said its revenue has doubled in the past year.

And CrowdStrike has completed its acquisition of Preempt Security in a deal worth $93 million in cash and stock. Preempt, founded in 2014, detects and — as the name suggests — preempts threats and security issues before they happen.


Send tips securely over Signal and WhatsApp to +1 646-755-8849.