From the cyber breach front, Federal News Network informs us
Victims of one of the largest data breaches to ever hit the federal government are one step closer to a payout, more than seven years later.
A federal judge on Friday finalized the Office of Personnel Management’s settlement agreement with current and former federal employees, as well as federal job applicants, impacted by a major data breach in 2015.
District Judge Amy Berman Jackson, in a fairness hearing at the U.S. District Court for the District of Columbia, said the $63 million settlement for breach victims was “fair, reasonable and adequate.” * * *
Court documents show nearly 20,000 individuals have already signed onto the class-action lawsuit, but individuals breach have until Dec. 23 to submit a claim to join the class-action lawsuit.
The law firm Girard Sharp, which represents plaintiffs in the lawsuit, said in June that the settlement will provide a minimum payment of $700 for individuals who suffered a financial loss as a result of the hack, “even for those with minor expenses.”
Reuters adds
[District Judge Amy Berman Jackson] on Friday said she will slash thousands of dollars in proposed “incentive” awards for plaintiffs who settled data-breach claims against the U.S. Office of Personnel Management, as the court prepares to issue a final order approving the $63 million deal.
U.S. District Judge Amy Berman Jackson in Washington, D.C., at a hearing said she will approve a “nominal” amount of $1,000 for 36 named plaintiffs who led the privacy case against the Office of Personnel Management (OPM), the primary human resources agency in the federal government.
From the cyberpolicy front —
This coming week is
Cybersecurity Career Awareness Week, a week-long campaign in the middle of Cybersecurity Awareness Month focused on raising awareness around cybersecurity job opportunities and how building a cyber workforce enhances our nation’s security. Hosted by National Institute of Standards and Technology (NIST), this week runs from October 17-22 this year.
CyberScoop informs us
The White House National Security Council will announce plans Tuesday for a consumer products cybersecurity labeling program intended to improve digital safeguards on internet-connected devices, a senior White House official told CyberScoop.
About 50 representatives from consumer product associations, manufacturing companies and technology think tanks will convene at the White House on Oct. 19 for a workshop on the voluntary effort ahead of an expected spring 2023 launch.
The White House briefly described the effort in a document it released Tuesday outlining various cybersecurity initiatives. The administration plans to start with recommending three or four cybersecurity standards that manufacturers can use as the basis for labels that communicate the risks associated with using so-called internet of things devices.
The FEHBlog ran across CISA’s 2023 to 2025 Strategic Plan that was released in September. Here is a Homeland Security Today article on the new plan.
Health IT Analytics reports
The White House [earlier this month] unveiled its Blueprint for an AI Bill of Rights earlier this week, which identifies five guidelines for the design, use, and deployment of automated and artificial intelligence (AI)-based tools to protect Americans from harm as the use of these technologies continues to grow in multiple industries.
The blueprint outlines five core principles: safe and effective systems, algorithmic discrimination protections, data privacy, notice and explanation, and human alternatives, consideration, and fallback. These are intended to serve as practical guidance for the US government, tech companies, researchers, and other stakeholders, but the blueprint is nonbinding and does not constitute regulatory policy.
The guidelines apply to AI and automated tools across industries, including healthcare, and are part of a larger conversation around the ethical use of AI.
From the cyber vulnerabilities front
Cybersecurity Dive tells us
The Cybersecurity and Infrastructure Security Agency on Tuesday added multiple Fortinet products to its Known Exploited Vulnerabilities Catalog, one day after the company warned an authentication bypass vulnerability was being actively exploited.
The vulnerabilities, listed as CVE-2022-40684, allow for authentication bypass, which enables an attacker to perform operations on the administrative interface. The vulnerability, which has a CVSS score of 9.6, involved FortiOS, FortiProxy and FortiSwitchManager.
The company initially disclosed the vulnerability on Oct. 3 and urged customers to immediately perform a software upgrade. Late last week, Fortinet sent an internal email to select customers providing a confidential warning along with mitigation advice.
Security Week reported last Tuesday
Microsoft on Tuesday released software fixes to address more than 90 security defects affecting products in the Windows ecosystem and warned that one of the vulnerabilities was already being exploited as zero-day in the wild.
The exploited vulnerability – documented as CVE-2022-41033 – affects the Windows COM+ event system service and has been exploited in elevation of privilege attacks, suggesting it was used as part of an exploit chain detected in the wild.
The latest zero-day was reported anonymously to Microsoft.
The new warning comes less than a month after Microsoft’s security response team scrambled to issue mitigations for a pair of Exchange Server flaws targeted by a nation state-level threat actor.
Those two Exchange Server vulnerabilities – CVE-2022-41040 and CVE-2022-21082 — remain unpatched.
From the ransomware front, Health IT Security relates “As suspected and validated by local news reports, the CommonSpirit “IT issue” was in fact a ransomware attack. CommonSpirit confirmed the nature of the attack in a recent update posted on its website. Hospitals across the country are still feeling the impacts of the attack that began as early as October 3.”
Cybersecurity Dive adds
CommonSpirit has [informed law enforcement and] launched a forensics investigation to determine the data impacts and said it tapped leading cybersecurity specialists to help.
“The fact that this has turned out to be a ransomware incident is not at all surprising,” Brett Callow, a threat analyst at security firm Emsisoft, said. “What remains to be seen is how quickly CommunitySpirit can recover its systems and resume normal operations and whether or not any data was stolen during the attack. If data was stolen, the attackers will likely use the threat of releasing it online as additional leverage to try to extort payment.”
Here’s the latest Bleeping Computer “The Week in Ransomware.“
From the cyber defenses front
- Cybersecurity Dive considers phishing resistant mult-factor authentication and offers “four tips to protect IT employees from phishing attacks.”
- CISA suggests actions to help prevent against advanced persistent threat cyber activity.