Top Stories

Progress Software faces federal class action lawsuits as MOVEit breach exposure widens | Cybersecurity Dive
Progress Software is facing two separate potential class action lawsuits in connection with a SQL injection vulnerability in MOVEit file transfer software. The lawsuits allege the company’s negligence led to the breach, which puts the plaintiffs’ personal financial data at risk.

Companies and Governments Disclose Data Theft From Attack on File-Sharing Tool
The attack on the MOVEit tool underscores the risk to companies from third-party suppliers, even if they aren’t customers but work with others who are. Cyberattacks on other little-known, yet ubiquitous, software have had similar ripple effects in the U.S. and Europe. These include the hacks on software providers SolarWinds in 2020, and Kaseya in 2021. A vulnerability in Log4j, also discovered in 2021, has been used by hackers in a similar fashion. This incident is different in that the gang doesn’t appear to have deployed ransomware on systems, analysts said, choosing instead to steal data and attempt to extort its owners.

Calpers Latest Hit by Attack on File-Sharing Tool
California Public Employees’ Retirement System said the personal information of about 769,000 of its retired members was compromised after it became the latest large organization to be hit by cyber attacks involving widely used software.
Breaches

Healthcare Business Associate Faces Lawsuit Over March Cyberattack
The impacted files included names and Social Security numbers, as well as scheduling, billing, and clinical information regarding care at one of the previously mentioned healthcare facilities. The files also contained information that the company maintained for human resources purposes, such as names, Social Security numbers, health plan enrollment information, and direct deposit information.
Security

SEC Delays Final Rules on Breach Disclosure, Board Expertise
The U.S. Securities and Exchange Commission revealed the delay last week amid pushback to a proposal that publicly traded corporations disclose a "material cybersecurity incident" within four business days of discovery. Regulators had been expected to publish final rules as early as April 3, but now final action isn't expected until October.

Microsoft says early June service outages were cyberattacks | Reuters
Microsoft said on Friday that the outages that affected certain services of the company through some of the earlier days of this month were the result of cyberattacks, but said it saw no evidence of any customer data being accessed or compromised.
Privacy

Groups Urge HHS to Finalize Reproductive Health Data Changes
Major healthcare industry associations are urging federal regulators to finalize proposed changes to the HIPAA privacy rule that would bolster protections over reproductive healthcare data. In some cases, the groups are suggesting that regulators go even further in stretching privacy safeguards.

FTC Proposes Settlement With Genetic Testing Company Over Unsecured Health Data
The FTC charged that 1Health.io, also known as Vitagene, deceived customers about the deletion of their data, left health data unsecured, and changed its privacy policy retroactively without notifying consumers.