Table of Contents
Microsoft Forces Changes to Web Links in Outlook and Teams
Federal Trade Commission Accuses Meta of Data Privacy Settlement Breach
Numerous Public Salesforce Sites Exposing Private Information
DHS Pursues Legislation to Codify the Cyber Safety Review Board
Home-Care Provider That Violated Breach Notification Rules Owes Millions in Settlement
Videos, Photos, and Employee Interviews Reveal Security Vulnerabilities at TikTok Data Centers in Virginia
Lead Singer of Smashing Pumpkins Paid Ransom to Hacker to Prevent Leak of New Album
Hacked Facebook Pages are Impersonating Major Tech Companies, Purchasing Ads and Distributing Suspicious Download Links
FCC Proposes to Integrate Satellite and Cellular Communications
U.S. Emerging Technology Standards
Merck’s Victory Serves As A Major Win For Cyber Security Insurance Policy Holders
1. Microsoft Forces Changes to How Web Links Work in Outlook and Teams
What Happened:
Microsoft has announced a change that will force Outlook and Teams users into its Edge browser for all web links. When a link is clicked, the user’s default browser choice will be ignored and the link will open in Edge.
What To Know:
The change will take effect on June 15th and will affect both Windows and Mac users.
Microsoft is hoping that this will make Edge the go-to browser.
This will likely cause issues for IT teams and employees who may be confused about why Edge is opening links.
Some websites may not be optimized for Edge and, therefore, not load properly.
What to Do:
Make sure your IT & Security teams are aware of this change and plan for any user support issues that might come up.
Business Impact:
This change is part of Microsoft’s larger plan to increase the use of Edge across its services. It is being marketed as part of a broader effort to improve user security, with Microsoft positioning Edge as a browser designed to be more secure than its competitors.
For more information, check out this article.
2. Federal Trade Commission Accuses Meta of Data Privacy Settlement Breach
What’s Happening:
The Federal Trade Commission is accusing Meta of failing to comply with its $5 billion data privacy settlement from 2020. The main concern is that Facebook is giving app developers access to private user information, especially that of users under 18.
What to Know:
Meta is being accused of:
Misleading parents about their ability to control who their children communicate with on the Facebook Messenger app
Misrepresenting the access it provided to app developers in violation of two previous FTC orders
The FTC is looking to stop the launch of any new Meta projects without confirmation that the privacy program is in compliance
The FTC is proposing a ban on Meta profiting from the data it collects from users under 18 and wants to add additional protective measures to facial recognition technology.
What Happens Next:
Meta has 30 days to respond to the allegations.
If the FTC’s proposal is adopted, Meta would only be able to collect data from users under 18 for security purposes and would be prohibited from profiting from that information even after those users turn 18.
Business Impact:
Since the FTC is looking to halt the launch of any new products or services by Meta, this could disrupt Meta’s business operations and could thus have implications for businesses associated with Meta and its platforms.
This serves as a reminder for businesses to prioritize user privacy and implement robust privacy programs, knowing that failure to do so can result in significant penalties. Businesses operating in the digital space should monitor developments and ensure compliance with evolving privacy regulations.
For more information, check out this article.
3. Numerous Public Salesforce Sites Exposing Private Information
What’s Happening:
A large number of organizations have unknowingly been leaking private and sensitive information from their Salesforce Community websites. The cause is a misconfiguration within Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.
What to Know:
The mistake occurs when Salesforce administrators grant guest user access to internal resources.
Sites granted guest access to sensitive data like names, Social Security numbers, addresses, phone numbers, and bank account numbers.
The misconfigurations were often the result of rapid site deployment during the pandemic, which bypassed normal security review processes.
What To Do:
If your business uses a Salesforce Community website, make it a priority to check whether any of its pages are misconfigured so that you are not leaking private information.
If your business uses a website that was built rapidly in response to the pandemic, take the time now to double-check its security settings and conduct a formal security review.
For more information, check out this article.
4. DHS Pursues Legislation to Codify the Cyber Safety Review Board
What’s Happening:
The Department of Homeland Security is collaborating with Congress and the White House to develop legislation that would establish the Cyber Safety Review Board as a formal entity with authorized funding and subpoena power.
The CSRB would be responsible for investigating significant cybersecurity incidents and making recommendations.
What to Know:
If the legislative proposal is approved, it would provide the foundation for more resources and subpoena power.
If passed, the CSRB would become a formal entity for examining significant cybersecurity incidents, and the board would gain subpoena power. A legal framework and additional resources would strengthen the CSRB’s ability to improve cybersecurity at scale.
Impact on Businesses If Legislation is Passed:
Business owners may face increased accountability for their cybersecurity practices and incident responses as the CSRB evaluates major cybersecurity incidents and makes recommendations to remediate them.
It may introduce new compliance requirements for businesses.
Since the CSRB’s work involves gathering information about cybersecurity incidents, there may be increased information sharing between businesses and the board. Sensitive information related to cybersecurity incidents may be requested to facilitate investigations.
What to do:
Executives should stay current on the changing status of the CSRB. If legislation is passed, companies may need to follow the board’s findings and recommendations to align their security measures with evolving standards.
For more information, check out this article.
5. Home-Care Provider That Violated Breach Notification Rules Owes Millions in Settlement
What’s Happening:
Home-care service provider SuperCare reached a multi-million dollar settlement with over 318,000 patients impacted by a 2021 systems hack.
What to Know:
Hackers accessed personal data for a large group of patients and even accessed Social Security and driver’s license numbers for others.
The breach notice wasn’t issued until eight months following the incident.
SuperCare was alleged to have had an inadequate security program that was responsible for the attack and that violated Federal Trade Commission regulations and the Health Insurance Portability and Accountability Act in the process.
How to Prevent an Attack Like This:
To prevent a similar attack, businesses can conduct penetration testing and risk assessments to adjust and strengthen their existing cyber security protocols.
Replace weak, single-factor authentication with a multi-factor authentication tool
Implement a cloud-based identity and access management system
Update end-user cybersecurity awareness training
Business Impact:
Executives responsible for confidential client information should make enhancements to cybersecurity so they don’t find themselves with an inadequate security program like SuperCare.
For more information, check out this article.
6. Videos, Photos, and Employee Interviews Reveal Security Vulnerabilities at TikTok Data Centers in Virginia
What’s Happening:
In its rush to expand data storage capacity, TikTok has cut corners along the way.
Evidence suggests that TikTok data operations are still intertwined with ByteDance’s business in China.
What to Know:
Security vulnerabilities include unmarked flash drives plugged into servers, unescorted visitors, and boxes of hard drives left unattended in hallways.
TikTok has proposed a project in which it would remove private U.S. data from the Virginia servers and isolate it in Texas-based data centers. Additionally, TikTok plans to delete private posts, DMs, and other U.S. user data from the Virginia servers before the end of 2023.
What to do:
Don’t allow security to take a backseat within your organization.
If your business utilizes a data center, conduct research about the efficacy of the center and ask direct questions to determine the security vulnerabilities that may be present.
Business Takeaway:
Executives should ensure that security protocols are up to date and that employees are receiving the training necessary to prevent the kinds of data breaches and vulnerabilities seen at TikTok.
For more information, check out this article.
7. Lead Singer of Smashing Pumpkins Paid Ransom to Hacker to Prevent Leak of New Album
What’s Happening:
Billy Corgan, the lead singer of the band Smashing Pumpkins, paid ransom to a hacker to prevent nine new songs from being leaked.
What to Know:
The FBI got involved in helping trace the hacker.
The money came from Corgan’s personal finances.
Corgan claims that the hacker has other leaks in their possession from other notable musicians.
What to Do:
Re-evaluate safety protocols for online databases and implement heightened security to protect data and online files.
Do not transfer files through mediums that can be easily breached: choose platforms or tools that offer end-to-end encryption, access controls, and user authentication to secure file transmission.
Use encryption to protect files during transmission so that the data is unreadable to unauthorized individuals.
Use a secure file transfer protocol that encrypts data in transit and provides stronger authentication mechanisms.
Enforce strong password policies for file transfers.
Implement data loss prevention solutions to detect and prevent unauthorized transfer of sensitive data.
Business Impact:
Businesses for whom transferring data and files with third parties is inherent to operation should re-evaluate modes of transmission and storage and stay up to date on the newest cybersecurity measures.
For more information, check out this article.
8. Hacked Facebook Pages are Impersonating Major Tech Companies, Purchasing Ads and Distributing Suspicious Download Links
What’s Happening:
Hacked and verified Facebook pages are posing as Meta, among other major tech companies, and using the Meta platform to purchase ads and spread harmful download links.
These hacked pages exploit the trust associated with verified accounts to deceive advertisers.
What to Know:
The threats are mostly malware-related.
What to do:
Executives should remind employees not to use personal social media accounts on company hardware in an effort to reduce opportunities for this type of attack.
For businesses utilizing Facebook ads, be wary of verified accounts impersonating Meta that ask you to download new tools relating to their ad services.
Check the history of name changes for verified accounts before clicking links from what appears to be a verified account.
Business Impact:
Businesses that use Facebook and Meta as an advertising platform should realize people are becoming increasingly wary of the authenticity and legitimacy of verified accounts and ads on the platform.
Businesses that fall victim to these fraudulent ads may incur financial losses that waste advertising budgets.
Fraudulent ads may not reach the intended target audience and will undermine the effectiveness of advertising campaigns.
Businesses may need to reevaluate security measures regarding advertising and explore other avenues for future advertisements other than social media.
For more information, check out this article.
9. FCC Proposes to Integrate Satellite and Cellular Communications
What’s Happening:
The FCC has proposed to integrate satellite and cellular communications in a way that would allow smartphones to communicate through either a cell tower or a satellite.
Recent technological innovations have finally made it cost-effective to merge these technologies.
About a dozen companies have announced interest in getting involved.
What to Know:
Up to this point, cell towers and satellites have operated in separate regulatory environments.
People would be able to pay extra to access “satcom” for use when no cell service is available.
This merging could eventually lead to global access to seamless communication.
Satcom has a history of being internationally coordinated, so new regulations and international discussions would be needed to govern this new technology.
What to do:
Businesses should stay updated on developments and monitor industry news.
Evaluate specific business needs and determine how satellite and cellular integration can address challenges or open up new opportunities.
Consider initiating pilot projects or proof-of-concept trials to test this integration in a controlled environment.
Business Impact:
This has the potential to change how people engage in every online activity.
Partnerships between satellite operators, smartphone manufacturers, cellular carriers, and new entrepreneurs emerging in this space will become much more common, so businesses in this environment should begin to consider how the introduction of this technology could affect their operations.
By providing enhanced connectivity options, this integration could greatly benefit businesses operating in remote or underserved areas and allow them to extend their reach globally.
Businesses can leverage merged networks to enhance connectivity, improve data collection, and enable real-time monitoring and control.
In the event of natural disasters or network outages, satellite connectivity can serve as an alternative path, ensuring uninterrupted business communications.
For more information, check out this article.
10. U.S. Emerging Technology Standards
What’s Happening:
The U.S. government released a standards strategy for critical and emerging technology (CET) that is intended to strengthen national economic and national security.
What to Know:
The U.S. wants to ensure that CET are developed and deployed in ways that benefit the U.S. while influencing international standards.
Competitors are seeking to influence international standards development to advance military-industrial policies and autocratic objectives, tilting what should be a neutral playing field to their own advantage.
What to Do:
Stay up to date with standards relating to quantum information technologies in order to protect your business from potential cybersecurity threats relating to quantum technologies.
Stay up to date with national cybersecurity and privacy standards as well.
Business Impact:
Part of the strategy is to educate and empower the domestic workforce: taking part in engagement opportunities can help you stay up to date on CET standards that help keep data protected.
Businesses that operate globally could encounter challenges due to differing standards across countries.
To access the full strategy, see here.
11. Merck’s Victory Serves As A Major Win For Cyber Security Insurance Policy Holders
What’s Happening:
A New Jersey appellate court has upheld a ruling in favor of Merck, a pharmaceutical company, in a legal battle with its insurance carrier, Ace American Insurance. The court found that Ace American Insurance must help cover the losses Merck suffered during the 2017 global NotPetya cyberattack. The court determined that the cyberattack was not “hostile or warlike” as required by the exclusion clauses of Merck’s insurance policy, and therefore coverage could not be excluded.
What to know:
Merck suffered significant losses during the NotPetya cyberattack, including production disruptions, manufacturing outages, third-party cyber firm fees, and the cost of replacing impacted systems. More than 40,000 machines in the network were infected, and losses to production disruptions totaled an estimated $1.4 billion.
The insurance policy held by Merck had an exclusion clause for “Acts of War,” but the company argued that the exclusion did not apply because the cyberattack was not caused by a nation-state attack.
What to do:
Policyholders can take note of this case as a win for seeking insurance coverage for cyberattack-related losses.
Business owners should review existing insurance policies and fully understand the scope and interpretation of exclusion clauses.
Business Impact:
The court’s decision sets a precedent and provides clarity for policyholders seeking coverage for losses resulting from cyberattacks.
It reinforces the need for insurance companies to interpret exclusion clauses carefully and resolve ambiguities.
It serves as a reminder for businesses to review their insurance policies and discuss cyber coverage.
For more information, check out this article.