cybersecurity

May 21, 2021

The Jones Day Law Firm Data Breach Serves as a Warning for Others

In December and January, the technology company Accellion experienced a hack to the Accellion FTA (File Transfer Appliance), a file-sharing program aimed at enterprise customers. Since then, multiple organizations have reported data breaches linked to the software, including the large law firm Jones Day. This created quite the storm for the firm and some high-profile customers like the City of Chicago. Here, we’ll go over the hack and discuss the lessons organizations should learn from the situation.

How it happened

According to a report by the cybersecurity company FireEye[1], the initial attacks occurred via a malicious SQL injection that allowed the criminals to install a web shell on Accellion servers. Then, the hackers could run malware programs at will via the web shell. If you remember, this is very similar to the methods employed by the group behind the infamous SolarWinds hack, covered by us here and here.

Who was behind it?

Cybersecurity experts attribute the attack to the CL0P ransomware gang[2] due to increased activity on the group’s dark web leak site, which shames organizations into paying the ransom. Analysts conclude that the victims implicated on the site line up with the known victims of this breach.

The threat actors used the Accellion FTA exploits to steal data from over 100 organizations, including the Australian Securities and Investments Commission, grocery store chain Kroger, the University of Colorado, and the Jones Day law firm. We’ll be specifically looking at the Jones Day state of affairs, as it has become a juicy story.

Jones Day

The Jones Day Law Firm is a major firm headquartered in Cleveland, Ohio, employing over 2,500 attorneys and serving thousands of clients globally. In February 2021, representatives confirmed the company was one of those affected by the Accellion FTA breach. Law firms have significantly more to worry about from data breaches than, say, Kroger. This is due to the sheer amount of confidential information that passes between attorneys, legal assistants, clients, and court officials. Jones Day says its internal systems weren’t compromised, but the distinction is a bit moot, given what ended up being leaked.

The City of Chicago

The most interesting insights revealed in the breach so far come from leaked correspondence between Jones Day and Chicago government officials. The City of Chicago was not a formal client of the firm, but Jones Day attorneys offered advice on many legal situations. The hackers stole over 85GB of emails, images, and documents sent between the two entities.

Neither Jones Day nor the City of Chicago paid the ransom, and these files were made available on the Dark Web. The Wikileaks-esque whistleblower website DDOSecret.com released a small portion of the haul publicly and has sent the complete data set to journalists. What has been reported on offers a fascinating look behind the political curtain of America’s third-largest city:

  • The Chicago Police Department created a secret drone surveillance program using money from seized assets sold after criminal investigations[3]. The budget for the drone initiative totaled nearly $8 million. The police used it to aid in missing persons cases and anti-terrorism strategies.
  • Mayor Lori Lightfoot attempted to distance herself from a campaign promise regarding police reformation[4].
  • Mayor Lightfoot and Illinois Governor J.B. Pritzker clashed on COVID lockdown restrictions on indoor dining.

Clandestine drone programs aside, there haven’t been many earth-shattering bombshells. Still, it’s embarrassing for both the City of Chicago and Jones Day. Mayor Lightfoot has called into question the authenticity of the emails[5], stopping short of outright denial.

It seems unlikely that a hacker group would go through the trouble of fabricating hundreds of thousands of documents to expose what amounts to normal everyday political shenanigans, but we’ll see how it shakes out.

The lesson

Jones Day and the 100+ other affected organizations could have spared themselves the public embarrassment and loss of trust had they used better data transfer solutions. The Accellion FTA was a legacy file-sharing platform that was largely unsupported. However, the inertia of technological adoption left massive companies open to a data breach. Given the resources these organizations have at their disposal, the risks of sticking with old tech are unacceptable.

It’s especially objectionable for a law firm like Jones Day. Their entire business is keeping confidential legal information away from the public’s eyes. While they may have the clout to recover from this issue, smaller firms would be devastated.

The takeaway for law firms and solo practices should be: take data security very seriously! Don’t rely on outdated platforms or downright insecure solutions like email attachments to share and store documents. Vet the provider you end up going with to ensure they will support the solution for the foreseeable future and continue to provide security patches along with new privacy features. Not doing so leaves you susceptible to catastrophic scenarios.

The right choice

Our file-sharing and cloud storage platform AXEL Go prevents data breaches. It’s the perfect solution for those working within targeted industries such as the legal sector. Our development team built AXEL Go from a framework of security and privacy. It combines secure blockchain technology, decentralized IPFS implementation, and military-grade file encryption to keep the most sensitive files safe.

To learn more, please visit AXELGo.app and sign up for a free 14-day trial of our Premium service. You get to try out all of the innovative features, such as Secure Fetch and storage encryption. Our team is always hard at work improving the platform and releasing updates. Once you see the AXEL difference, you’ll never go back to insecure data transfer systems again.


[1] Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody, “Cyber Criminal Exploit Accellion FTA for Data Theft and Extortion”, FireEye.com, Feb. 22, 2021, https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html

[2] Tara Seals, “Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11”, ThreatPost.com, Feb. 22, 2021, https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/

[3] Tom Schuba, Frank Main, “CPD launched secret drone program with off-the-books cash”, Chicago Sun Times, May 12, 2021, https://chicago.suntimes.com/city-hall/2021/5/11/22425299/cpd-chicago-police-drone-secret-emails-hack-lori-lightfoot-dodsecrets-city-hall

[4] Gregory Pratt, “Computer hackers stole thousands of Lightfoot administration emails. Here’s a look at some of what they leaked online.”, Chicago Tribune, May 14, 2021, https://www.chicagotribune.com/politics/ct-lightfoot-administration-hacked-emails-closer-look-20210514-havyv352lfegrklmfi76a25wfi-story.html

[5] Bernie Tafoya, “Lightfoot questions legitimacy of city emails made public after hack”, WBBM NewsRadio 780 AM, May 11, 2021, https://www.audacy.com/wbbm780/news/local/mayor-questions-legitimacy-of-emails-made-public-after-hack

Filed Under: Cybersecurity Tagged With: cybersecurity, data breach, hackers, jones day, law firm

May 10, 2021

Ransom-Wars: The Task Force Awakens

Ransomware is a significant societal problem. If you’re unaware of how it works, read our previous blog on the topic. 2020 was a banner year for ransomware gangs, as analysts estimate they brought in approximately $350 million, with the average payment exceeding $315,000[1]. It’s gotten so concerning that 60+ government agencies and industry leaders formed a task force to tackle the situation.

Key members include the United States Department of Justice, the FBI, the Department of Homeland Security, Europol, Microsoft, Amazon, Cisco, and more. They recently published an 81-page document that discusses the issue and creates a framework for dealing with ransomware[2]. Lucky for you, we read it, so you don’t have to. Here’s the easily digestible summary.

Definition of ransomware

The first quarter or so of the report focuses on defining ransomware and the tactics threat actors use. These are covered in our previous blog if you’re interested. To summarize quickly, ransomware is a type of malware malicious agents install on high-priority computer systems, typically governmental organizations or successful businesses.

Once they infect these networks, the malware moves throughout them and encrypts or exfiltrates the files it finds. A ransom is then demanded that the organizations must pay to decrypt their data or prevent the hackers from leaking it on the internet.

Some rather nasty gangs require double ransoms, one for decryption, the other for not leaking the information. It’s known as double-extortion and is becoming a popular tactic. Now, onto the proposed framework.

The framework for fighting ransomware

We should note that this document’s crux lies in the need for international cooperation for its implementation. Although the United States suffers the majority of ransomware attacks, it is a global problem. The perpetrators come from many different countries such as Russia, Iran, and North Korea, which have zero incentive to stop. This means the rest of the global community needs to agree to the framework for it to work.

Goal 1: Deter

The first goal of the framework is to prevent as many ransomware infections as possible. The document outlines various steps the world must take to do so:

Establish an international ransomware coalition. Governments and corporations around the world have to come together. The document suggests that leaders must communicate regularly about the threats to keep the global community informed about new groups and malware variants. It outlines that nations should create “investigation hub” networks for data sharing and analysis.

The U.S. Government should prioritize ransomware policy. The task force wants the United States, in particular, to get tough on ransomware. It proposes the intelligence community designate it as a formal national security threat and for the DoJ to prosecute ransomware cases more aggressively. Furthermore, it wants the U.S. to levy sanctions against countries that harbor ransomware gangs to increase pressure for cooperation.

Goal 2: Disrupt

The second objective is to disrupt the current business of ransomware gangs and make it a less profitable endeavor. The task force recommends:

Crack down on cryptocurrency markets. Ransomware groups force victims to pay nearly all ransom payments in cryptocurrency. They do this because cryptocurrencies are borderless and can be challenging to track. There are anonymous exchanges, privacy coins, and techniques to exchange the assets from cryptocurrency to cryptocurrency to obfuscate the origins. The report suggests governments provide more of a regulatory framework to this market. It wants exchanges to follow current anti-money laundering laws to which other financial institutions must adhere.

Create an insurance company consortium. Insurance companies do offer protective plans against ransomware. The task force would like to see collaboration and data sharing between these organizations. It claims this could reduce payments to sanctioned or terrorist bodies since they could use the mass amount of information to get a clearer picture of the groups demanding the ransoms.

Target infrastructure used by criminals. Ransomware campaigns require significant computer infrastructure. The report proposes international cooperation that targets these systems and brings them down.

Goal 3: Help

Unfortunately, many organizations aren’t well prepared for ransomware attacks. The fact is that most organizations over a certain size will be targeted sooner than later. The task force recognizes this and wants to provide these organizations with more information and better toolsets to deal with attacks. It advises:

Create and highlight complementary materials for the framework’s adoption. There is a significant amount of readily available material about ransomware prevention and mitigation. The task force wants to promote these existing materials and create new ones to fill in any information gaps. The new materials should be geared toward organizational leaders and include specific implementation procedures.

Require government agencies to follow guidelines and incentivize private businesses. The task force wants to include ransomware-specific guidelines in existing cyber-hygiene standards and require government agencies to follow them. Furthermore, it supports creating more grants while alleviating fines and taxes for private companies that follow the framework. This would make a strong incentive for everyone to be on board.

Goal 4: Respond

Organizations need a more effective response after a ransomware infection. This goal aims to aid businesses and agencies after an incident. The task force recommends:

Increased support for victims. Ransomware is destructive and could be incredibly dangerous if it affected critical infrastructure or health-based organizations such as hospitals. The task force wants to set up a relief fund that would help funnel resources quickly if such a situation ever occurs.

Encouragement to report ransomware. Ransomware attacks are embarrassing for companies, and many don’t even report them. This stops the flow of information and hinders future efforts to predict and prevent attacks. The task force feels proper encouragement and education materials are crucial to getting an accurate, holistic picture of the insidious malware.

Educate organizations about payment alternatives. The truth is, if organizations stopped paying the ransoms, the income would dry up for ransomware gangs, and it would no longer be a worthwhile endeavor. This is easier said than done, as some data is very sensitive and perhaps not backed up offline. Still, the task force urges companies to look at the alternatives to paying whenever possible.

Potential roadblocks

These all sound like good suggestions and would actually go a long way in fighting ransomware if implemented adequately. However, there are some weaknesses to consider:

Privacy concerns. If the world at large enacts this framework, governments and businesses will share a lot of data. As with most scenarios regarding Big Data collection, this has a good chance of going awry from a privacy standpoint. Is it worth it? A detailed cost-benefit analysis would have to be done, but AXEL believes the possibility of abuse is too great as-is. The fact is, even if governments gave privacy guarantees, they don’t mean much.

Inefficient bureaucracy. The task force recommends that multiple new governmental and private-public partnership organizations be created to combat ransomware. It’s admirable to put so much thought into methods to take on the problem, but additional levels of bureaucracy may prove (as they typically do) to be inefficient.

Data security

AXEL believes that basic education about cybersecurity best practices for all members of an organization is the best way to prevent ransomware infections currently. While all systems have technical weaknesses, the biggest weakness tends to be the human factor. Teaching employees to be vigilant about ransomware and understand the risks entirely is effective.

Another part of the equation is data security. Are you storing and sharing data securely? If not, or you aren’t sure, you should try AXEL Go. AXEL Go utilizes multiple layers of security to protect data from malicious agents. You can read more about our use of technology and download the app to try for yourself at AXELGo.app. Sign up today and receive a free 14-day trial of our Premium service.

[1] “Ransomware Skyrocketed in 2020, But There May Be Fewer Culprits Than You Think”, ChainAnalysis.com, Jan. 26, 2021, https://blog.chainalysis.com/reports/ransomware-ecosystem-crypto-crime-2021

[2] Ransomware Task Force, “Combatting Ransomware”, SecurityAndTechnology.org, April 2021, https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf

Filed Under: Cybersecurity Tagged With: cyber attack, cybercrime, cybersecurity, ransomware, task force

April 23, 2021

What Else We’ve Learned About the SolarWinds Data Breach

In January, we covered a massive supply-chain data breach known as the SolarWinds attack. To get a broad overview of the incident, how the malicious agents carried out the hack, and the known victims, please read our coverage. Over the past four months, there have been new developments in the story that warrant a follow-up. Here, we go over these updates and discuss the potential for lasting fallout.

A brief synopsis

In December 2020, cybersecurity firm FireEye reported a significant flaw in the SolarWinds Orion database management software suite. When the dust settled, experts found that over 18,000 organizations had inadvertently installed a backdoor for an Advanced Persistent Threat (APT) group, likely Russian in origin. These state-sponsored actors infiltrated major corporations and high-level United States governmental agencies alike. Officials believe it to be the most widespread digital espionage campaign ever carried out against the United States. So, what have we found out since then?

More sophisticated than initially thought

From the very beginning, cybersec professionals knew the culprits were sophisticated and that the program’s scope was enormous. As it turns out, however, initial estimates seem to have understated it. According to a recent analysis by RiskIQ, the infrastructure used by the threat actors was at least 56% larger than originally thought[1].

This implies the state hackers had access to significantly more computing power and probably targeted even more organizations than the known 18,000 victims. The same report also concluded that the use of United States-based infrastructure during the initial attack stage prevented the National Security Agency (NSA) from noticing the situation due to stricter laws against domestic surveillance.

Russians officially blamed

United States intelligence agencies have always blamed Russia for the attack, but it turned into more than an accusation when President Joe Biden and the United States formally sanctioned the adversarial country on March 15[2]. Provisions of the sanctions include:

  • Forbidding U.S. banks from buying bonds from or lending money to Russia’s national financial institutions after June 14.
  • Expelling 10 Russian diplomats accused of being intelligence agents from the United States.
  • Sanctioning six technology companies in Russia accused of supporting intelligence agencies.

The sanctions significantly ratchet up tensions between the two nations and mark a major departure from standard espionage protocol. Previously, the United States and other countries assumed cyber espionage campaigns were always underway from their enemies, and their enemies were under similar assumptions. This meant that there was an implicit understanding that everyone is spying on everyone else, and nobody felt real consequences for it. The sanctions set a new precedent that could result in escalation rather than diplomacy. Although, Russia pulled back troops from the Ukrainian border after the sanctions[3], so perhaps the message landed as intended. Only time will tell what ramifications this act has, but hopefully, it doesn’t increase the divide between the two largest nuclear powers.

Concurrent Chinese involvement

Although analysts blame Russia for the initial breach, it appears that Chinese state hackers also took advantage of the situation[4]. According to a report by Secureworks, some malicious agents used tactics similar to those employed by the Chinese APT, SPIRAL[5]. Furthermore, during the intrusion, the group accidentally revealed its IP address, which originated from China. So, while sanctions only targeted Russia, there is evidence that China played a role too.

Of course, as we talked about in the original SolarWinds blog, it’s exceedingly difficult to analyze blame with a hundred percent certainty. State-sponsored digital espionage groups are adept at covering their tracks and obfuscating origins. And, while the United States government seems positive the Russians were the main culprits, hard evidence of this assertion hasn’t been made public. Not to mention the United States government has been wrong about some pretty bold claims before. We may never know the full truth.

Congress grills Microsoft

Interestingly, the company in the hottest water over the whole snafu isn’t SolarWinds; it’s Microsoft. Probably due to its high-profile nature, the U.S. Congress set its sights on the tech behemoth[6]. This is because, after the breach’s first stage, the hackers exploited Microsoft products and stole sensitive emails and other data from thousands of organizations.

Microsoft itself had its source code exposed to the hackers. Since source code is the lifeblood of a tech company, it shows exactly how all-encompassing the breach was. It also proves a crucial point: no matter how secure a system is, nothing can be completely safe from ill-intentioned cyberspies with the backing of an entire country’s resources. So, although House members assuredly loved grandstanding about the holes in Microsoft’s security, the truth is more complex and nuanced.

White House ramps down recovery efforts

This brings us to the conclusion of the saga. On April 19, the White House announced that several national agencies such as the FBI, CISA, and NSA would soon begin ramping down their efforts regarding SolarWinds. Combined with the Russian sanctions, it signals that the U.S. Government considers the incident largely settled. China appears unlikely to receive any formal retaliation. Hopefully, the most significant data breach of our times serves as a lesson for the future of cybersecurity. Undoubtedly similar incidents will occur in the future, but perhaps mitigation policies will improve, and potential damages will be reduced.

Security is a personal responsibility

If there’s one takeaway everyone should have about SolarWinds, it’s that relying on Big Tech’s security policies is a mistake. People should do a bit of research to find redundant cybersecurity methods for their sensitive data.

You can protect your confidential files by ditching cloud drives like Dropbox, OneDrive, and Google Drive and switching to AXEL Go. AXEL Go utilizes our decentralized, distributed file-sharing network backed by blockchain and the InterPlanetary File System. This ensures your documents aren’t stored in one place with a single point of failure.

Additionally, every file you transfer via the AXEL Network gets “digitally shredded” and distributed to scattered server nodes. This means even if a malicious agent compromised a server, they wouldn’t have access to the complete file. Documents are only reassembled for the original user and any recipients. This system, combined with military-grade encryption, provides multiple layers of security for AXEL Go users.
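To make the single-node-compromise point concrete, here is an added illustration of the “shred and scatter” idea; it is not AXEL’s code, and the page does not describe AXEL’s actual scheme. It assumes n-of-n XOR secret splitting with a SHA-256 integrity tag, so any n-1 shards are uniformly random and reassembly with a missing or altered shard fails cleanly; the per-shard encryption a real system would add is omitted to stay within the standard library.

```python
"""Added illustration of the "shred and scatter" idea: a document is split
into n shards so that any n-1 shards are uniformly random and reveal
nothing, meaning a single compromised storage node cannot recover it.
This is an assumption-based teaching example, not AXEL's implementation;
it uses n-of-n XOR secret splitting plus a SHA-256 integrity tag so that
reassembly with a missing or altered shard fails cleanly instead of
returning garbage.  Per-shard encryption, which a real system would add,
is omitted to keep the example to the standard library."""
import hashlib
import hmac
import secrets
from typing import List, Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shards must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def shred(data: bytes, n: int) -> List[bytes]:
    """Split data into n shards, one per storage node.

    Shards 1..n-1 are fresh random bytes; shard n is the payload XORed with
    all of them.  XORing every shard together restores the payload, while
    any proper subset is indistinguishable from random noise.
    """
    if n < 2:
        raise ValueError("need at least two shards for splitting to help")
    # Prepend an integrity tag so reassembly can detect loss or tampering.
    payload = hashlib.sha256(data).digest() + data
    shards = [secrets.token_bytes(len(payload)) for _ in range(n - 1)]
    last = payload
    for s in shards:
        last = _xor(last, s)
    shards.append(last)
    return shards


def reassemble(shards: List[bytes]) -> Optional[bytes]:
    """Recombine shards; return None unless every shard is present and intact."""
    if not shards or any(len(s) != len(shards[0]) for s in shards):
        return None
    acc = bytes(len(shards[0]))  # all-zero accumulator
    for s in shards:
        acc = _xor(acc, s)
    tag, data = acc[:TAG_LEN], acc[TAG_LEN:]
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, hashlib.sha256(data).digest()):
        return None
    return data


def single_node_compromise_recovers(data: bytes, n: int) -> bool:
    """Simulate an attacker who obtains exactly one node's shard (any one)
    and tries to reassemble from it.  Returns True only if that ever
    succeeds, which it should not."""
    shards = shred(data, n)
    return any(reassemble([s]) is not None for s in shards)


if __name__ == "__main__":
    # Constructed sample document, not real data.
    doc = b"CONSTRUCTED SAMPLE: privileged attorney-client memorandum"
    nodes = shred(doc, 3)
    print("all 3 nodes    ->", reassemble(nodes))
    print("nodes 1-2 only ->", reassemble(nodes[:2]))
    print("one node only  ->", single_node_compromise_recovers(doc, 3))
```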

You can try AXEL Go Premium with all features unlocked free for 14 days. Sign up today and see how AXEL can improve your workflow and harden your organization’s cybersecurity.

[1] “SolarWinds: Advancing the Story”, RiskIq.com, April 22, 2021, https://community.riskiq.com/article/9a515637

[2] Morgan Chalfant, Maggie Miller, “Biden administration sanctions Russia for SolarWinds hack, election interference”, April 15, 2021, https://thehill.com/homenews/administration/548367-biden-administration-unveils-sweeping-sanctions-on-russia?rl=1

[3] “Russia to pull troops back from near Ukraine”, BBC, April 22, 2021, https://www.bbc.com/news/world-europe-56842763

[4] Dan Goodin, “Chinese hackers targeted SolarWinds customers in parallel with Russian op”, Ars Technica, March 8, 2021, https://arstechnica.com/gadgets/2021/03/chinese-hackers-targeted-solarwinds-customers-in-parallel-with-russian-op/

[5] Counter Threat Unit Research Team, “SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group”, Secureworks.com, March 8, 2021, https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group

[6] Frank Bajak, “SolarWinds hacking campaign puts Microsoft in the hot seat”, The Associated Press, April 17, 2021, https://apnews.com/article/business-technology-government-and-politics-f51e53523312b87121146de8fd7c0020

Filed Under: Cybersecurity Tagged With: biden, cybersecurity, data breach, hack, russia, solarWinds

April 2, 2021

Privacy Labels Reveal Interesting Insights About Popular Cloud Drives

In late 2020, Apple launched its Privacy Label initiative[1]. Now, all apps sold through the App Store need to include a privacy label with future updates. These labels inform consumers about how the application collects and uses consumer data. Since millions of people use file-sharing and cloud storage platforms to transfer and store their personal content, we believed it’d be interesting to compare the privacy labels of the Big Tech offerings to AXEL Go.

A primer on terminology

Before getting into the comparison, it’s important to define the terms you’ll see often. Apple separated the data the apps collect into three different categories.

Data Used to Track You. This is the most troublesome category. It means that the app tracks personal information explicitly to form a coherent picture of your identity. This could stretch across your entire internet usage or even into your real-life shopping habits. It’s a tactic Facebook notoriously employs[2], and it’s by far the most invasive type of data collection.

Companies engaged in these activities link data generated from the app with information from third parties for targeted advertising or analytics. These organizations potentially even share their data sets (including your exact location) with shady data brokers. If possible, we recommend ditching apps that track you like this.

Data Linked to You. This includes much of the same types of data as the previous category, except it is not tracked across your full web experience. It’s still linked to your identity, however, and is still sold to third parties regularly. Avoid it when you can.

Data Not Linked to You. This is data that the company has explicitly anonymized. It could mean removing direct identifiers like user ID/Name/Device ID and data manipulation to prevent re-linkage or de-anonymization. To claim this, you must not ‘fingerprint’ or use other data sets to establish a potential identity.

Now, onto the comparison.

Dropbox

[Image: Dropbox App Store privacy label (dropBox2-1.jpg)]

Source: https://apps.apple.com/us/app/dropbox-cloud-storage-backup/id327630330

Dropbox comes out the worst in this comparison. It’s the only one with entries in the ‘Data Used to Track You’ category, making it a significant threat to the privacy of over 600 million users worldwide. It also collects a vast amount of data, including:

  • Contact Info (Name, email address, phone number, physical address, etc.)
  • Identifiers (Screen name, handle, account ID, etc.)
  • Purchases (Purchase history)
  • Contacts (List of your phone’s contacts, address books, social graphs, etc.)
  • Search History (information regarding searches you made in-app)
  • Usage Data (App launch info, taps, scrolling data, clicks, views, biometric eye data, etc.)
  • User Content (in this case, content stored on DropBox servers)
  • Diagnostics (crash logs, performance metrics, etc.)

Obviously, some of this data is more sensitive than other types. For instance, diagnostic information is potentially less harmful than giving up the contents of your cloud storage to what amounts to corporate surveillance. Regardless, it’s all info that they can link to you for identification purposes.

Google Drive

Source: https://apps.apple.com/us/app/google-drive/id507874739

Google isn’t known for its commitment to privacy. Although its cloud service, Google Drive, fares a bit better than Dropbox, there’s still not much to like. It collects the same types of data and adds “Location” into the mix. Why would a cloud storage application need to know your location? Unknown, but it likely isn’t a valid reason. It’s unspecified whether they monitor your ‘Precise Location’ or ‘Coarse Location,’ but Google doesn’t deserve the benefit of the doubt. Assume they know exactly where you are at all times when you’re using any of their services, including Drive. They also collect the nebulously-termed “Other” data, which Apple doesn’t define. If you’re one of the over one billion users[3] of Drive, consider alternatives.

Microsoft OneDrive

[Image: Microsoft OneDrive App Store privacy label (onedrive.jpg)]

Source: https://apps.apple.com/us/app/microsoft-onedrive/id477537958

Of the Big Tech offerings, Microsoft’s OneDrive is the least offensive. It collects the least amount of data and doesn’t track you across websites. However, the personal information it does collect is still sensitive—especially Contact Info, Identifiers, and User Content. So, Microsoft not only collects your personally identifying information but, like its major competitors, it still mines user content. It’s an inexcusable invasion of privacy that anyone who cares about such matters can’t look past.

AXEL Go

[Image: AXEL Go App Store privacy label (axelGo.jpg)]

Source: https://apps.apple.com/us/app/axel-go/id1462043114

The Silicon Valley mainstays don’t value your privacy. At the end of the day, they make a lot of money from your data alone. However, that doesn’t mean there aren’t any good options. Privacy-based alternatives like AXEL Go exist.

Our team designed the entire platform to promote privacy, security, and data custody. And that starts with the fact that AXEL doesn’t collect any data linked to its users. In fact, AXEL is the only competitor in this comparison that doesn’t link data to your identity. Most of the information we manage is diagnostic and usage data, which helps our developers see how you’re using the app to inform future improvements. Any contact info we store is sufficiently anonymized so that nobody can link it back to you. We respect everyone’s right to privacy.

Try AXEL Go

If you’re used to sharing and storing data online with platforms such as Google Drive or Dropbox, AXEL Go is a breath of fresh air. Our simple, intuitive user interface is a breeze to navigate while still offering industry-leading security and privacy features.

The platform is backed by secure technology like the InterPlanetary File System, blockchain, and military-grade encryption. Together with the fact that only AXEL emphasizes that users take control of their personal information, you’ve got an application that stands above the competition. Try it out today and see the AXEL difference. Basic accounts are free, and you can upgrade to a Premium account with all features for only $9.99/month. Help usher in a better internet. Join the AXEL Revolution.



Filed Under: Front Page Blogs, Tech Tagged With: cybersecurity, dropbox, google, google drive, microsoft, onedrive, Privacy

March 22, 2021

The Ethical Responsibility for Data Security in Finance, Law, and Healthcare

It’s difficult to argue that the vast majority of businesses today don’t have an ethical responsibility to adequately protect and secure their customers’ data. However, it’s an even more crucial aspect for organizations with known fiduciary duties to their clients or consumers, such as those in the Finance, Legal, Healthcare, and Insurance sectors. Let’s dig into each of these industries in the United States, look at their unique ethical demands regarding data security, and find some common solutions.

Finance

The financial industry includes banks, investment firms, real estate companies, and insurance organizations. According to the International Monetary Fund, it is the sector targeted most by hackers[1]. It makes sense. Verizon’s 2020 Data Breach Investigations Report found that 86% of the breaches it analyzed were financially motivated[2]. Who has more money than the financial industry?

Hackers target these institutions in a variety of ways. One of their most common tactics is attempting to gain access to customer login info. Direct attacks against an organization’s reserves gain immediate attention and mitigation, but hackers can take over a user account and move around smaller sums for much longer periods.

Another method they use is stealing sensitive financial documents. It provides the malicious agents with a treasure trove of confidential data to use for identity theft.

So, what ethical obligation do they have to their clients for securing this data? Since they’re such large targets, financial institutions tend to employ data protection strategies that are more sophisticated than average. The Federal Trade Commission has proposed amendments (first published in 2019 and debated through 2020) to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. Under these proposals:

  • Financial institutions would need to safeguard customer data more robustly, including encrypting customer information both in transit over external networks and at rest.
  • Customers could opt out of data-sharing between financial institutions and non-affiliated third parties.
  • Covered institutions would have to require multi-factor authentication (MFA) for anyone accessing customer data.

The FTC has not finalized these amendments yet, but they would serve as a much-needed update to the current regulatory framework.

Law

Legal professionals now face an even greater risk to their clients’ personal information. Being the processors of strictly confidential information has always put large targets on them. But the COVID-19 pandemic forced many lawyers out of the office and courtroom and into their homes. Working from home is the new normal for legal pros, and that means more cybersecurity risk. Whereas they probably worked in a closed system at the office that IT staff monitored daily, it’s much harder to evaluate the weaknesses of everyone’s home network. Couple that with the fact that lawyers, on the whole, aren’t the most technically literate people in the world, and you’ve got a recipe for data breaches.

The American Bar Association gives broad ethical expectations for data security throughout its Model Rules of Professional Conduct[3]. A recent formal opinion published by the organization outlines them in greater detail[4], specifically for those engaged in a virtual practice. This opinion has the following provisions:

  • Lawyers must make “reasonable efforts to prevent inadvertent or unauthorized access [to client data].” Today, a reasonable effort goes well beyond attaching a confidential document to an email and sending it off with nothing but the hope that it doesn’t fall into the wrong hands.
  • Virtual practitioners should look into setting up Virtual Private Networks (VPNs), keeping the computer’s operating system updated so that security patches stay current, utilizing file encryption, using MFA, setting strong passwords, and changing them regularly (though current NIST guidance, SP 800-63B, favors long, unique passwords kept in a password manager and rotation only when compromise is suspected, since forced periodic changes tend to produce weaker, predictable passwords).
  • Legal professionals must vet software and hardware providers to ensure proper security.
  • Lawyers should keep smart speakers (Alexa, Google Home, etc.) and virtual assistants (Siri) out of earshot when conducting confidential business. These devices listen continuously for a wake word and may record and upload what they hear, so the opinion advises disabling their listening capability while client matters are discussed.

Hopefully, the ABA codifies the recommendations given in this opinion into its formal standards.

Healthcare

The medical industry also deals with extremely private, confidential information and is susceptible to drawing attention from hackers. 2020 was an especially bad year, as the rise of COVID-19 coincided with a 55% spike in data breaches compared to 2019[5]. It’s a chilling reminder of how opportunistic threat actors can be. Sensing healthcare providers were stretched to the max and short on resources, they attacked.

Common reasons to target the healthcare industry include stealing patient medical records for resale on the Dark Web, for identity theft, or for extortion schemes, as well as ransomware attacks that cripple critical systems until the organization pays a hefty fee.

The United States Department of Health and Human Services sets national regulations for healthcare data security through the HIPAA Security Rule, which applies to electronic protected health information (ePHI). Here are some of the guidelines:

  • Organizations must have physical and technical safeguards in place for systems hosting ePHI. Examples include facility access limits, workstation and device access controls, and strict limitations on attempts to transfer, remove, or delete patient records.
  • Technical systems must support automatic log-off, encryption, regular audit reporting, and detailed activity logs of who accessed ePHI and when.

Note that the Security Rule labels some of these specifications, including encryption and automatic log-off, as “addressable” rather than “required”: a covered entity must either implement them or document why an equivalent alternative is reasonable and appropriate for its environment. Audit controls, by contrast, are a required standard.

With COVID cases declining and vaccinations increasing, the healthcare sector could soon return to normal and start allocating more cybersecurity resources. At least for the first time in over a year, there’s cause for optimism.

Conclusion

With cyberattacks on the rise, there’s still much room for improvement in these industries. Organizations should go above and beyond legal requirements if adequate cybersecurity is a priority. Combining the right technical solutions with a plan of ongoing education is crucial. Usually, the weakest links in a network are the employees themselves. Train them regularly on the basics of phishing techniques and how to spot them. You’ll have a more resilient workforce who won’t fall for common scams that can put your organization at serious risk.

AXEL Go

Part of the equation is still using suitable technical systems. If your company transfers or stores confidential data, you need to ensure it’s locked down. AXEL Go is a decentralized, private and secure file-sharing and storage platform. It offers industry-leading security features that set it apart from the typical Big Tech applications. It uses blockchain technology, advanced file sharding, the InterPlanetary File System, and military-grade encryption to keep important documents away from hackers. Try AXEL Go and gain access to all of its premium features for only $9.99/mo. It’s the safest way to share and store online.

 

[1] Jennifer Elliott and Nigel Jenkinson, “Cyber Risk is the New Threat to Financial Stability”, IMF.org, Dec. 7, 2020, https://blogs.imf.org/2020/12/07/cyber-risk-is-the-new-threat-to-financial-stability/

[2] “2020 Data Breach Investigations Report”, Verizon, May 19, 2020, https://enterprise.verizon.com/resources/reports/dbir/?CMP=OOH_SMB_OTH_22222_MC_20200501_NA_NM20200079_00001

[3] American Bar Association, “Model Rules of Professional Conduct”, Americanbar.org, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents/

[4] American Bar Association Standing Committee on Ethics and Professional Responsibility, Formal Opinion 498, “Virtual Practice”, Americanbar.org, March 10, 2021, https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba-formal-opinion-498.pdf

[5] “Healthcare Breach Report 2021: Hacking and IT Incidents on the Rise”, Bitglass, Feb. 17, 2021, https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q1HealthcareBreachReport2021.pdf?aliId=eyJpIjoiOE54NGRRTkhCZDY3aUxGMiIsInQiOiJ0RTZ1QVZXbnFPUGRhZXhVbmhyMmVnPT0ifQ%253D%253D


Filed Under: Cybersecurity Tagged With: cybersecurity, data protection, data security, finance, healthcare, law

February 19, 2021

Why the Data Localization Movement is Misguided

Data localization, or data residency, is the concept of storing certain data collected on a nation’s citizens within the country of origin at all times. It gained steam after whistleblower Edward Snowden revealed the scope of government mass surveillance in 2013[1]. Governments worldwide enacted data localization legislation to protect state secrets and their citizens’ personal information from the watchful eyes of perceived competitors.

Governments expected and hoped these regulations would bring a host of benefits, including domestic IT job growth, more-hardened national cybersecurity, and increased data privacy. The truth is a bit murky, however, as the desired advantages haven’t materialized.

Countries and regions with data localization laws

First, let’s look into some examples of countries with data residency laws on the books. It is not a comprehensive list but illustrates how many nations are concerned about their data security.

The European Union

The EU’s sweeping data privacy law, the GDPR, is not a strict localization law, but it controls where personal data may go. It applies to all personal data, including:

  • Profile data
  • Employment data
  • Financial data
  • Medical and health information
  • Payment data

Personal data may leave the European Union only for countries the European Commission has found to offer an adequate level of protection, or under appropriate safeguards such as standard contractual clauses that bind the recipient to comparable rules. That transfer regime is why the GDPR is usually grouped with data residency laws.

China

Unsurprisingly, China wants to keep a tight grip on its data. Under its 2017 Cybersecurity Law, operators of critical information infrastructure must store personal information and “important data” collected in China inside the country. They can transfer such data across borders, but it must first pass a government security assessment. What the CCP considers important is fairly broad. It includes:

  • Anything related to national security
  • Information that could identify Chinese citizens

As the country embraces Big Data collection on its citizens[2], you can expect the CCP to strengthen these laws.

Russia

The Russian Federation requires any personal identifying information about its citizens to be stored locally. This could mean:

  • Profile data
  • Financial information
  • Medical and health records

Interestingly, as long as companies initially stored the data in a Russian database, they can send it out of the country for further processing.

Their regulations don’t only apply to domestic organizations. Anyone doing business in the country is subject to the law, so multinational corporations there must keep their primary database of Russian citizens’ personal data on servers located in Russia.

These three regions alone account for over a quarter of the world’s population, and there are many more countries with data localization laws.  So, it’s pretty widespread. But what’s the United States’ opinion on the matter?

The United States viewpoint

The United States’ general belief is that data residency laws unduly stifle commerce and don’t offer the expected benefits. Analysts estimate half of the services trade depends on cross-border data flows[3]. With the United States being a service-dominant economy, it makes sense the government would oppose such regulation.

And oppose it, they have! In fact, it has been a point of contention in nearly all of its recent trade negotiations, though the EU and Korea have pushed back on outright bans. The USMCA, the North American trade agreement replacing NAFTA, prohibits the parties from requiring data localization as a condition of doing business[4]. There are similar provisions in the U.S.-Japan Digital Trade Agreement[5] and the U.S.-Kenya Trade Agreement of 2020[6].

So, what are the downsides of data localization that countries like the United States want to avoid?

Technical issues

There is a multitude of technical headaches accompanying data localization. For instance, what if engineers in other countries need regular access to the data for debugging or maintenance? Or what if a company replicates to foreign backup databases for redundancy?

It’s challenging to build separate data centers in all applicable territories, even for large companies with sizable revenues. That makes it downright impossible for even the pluckiest startup to consider. But that should open up markets for smaller, domestic companies, right?

Lack of domestic stimulus

Unfortunately, significant job growth does not occur due to data localization. There are short-term construction jobs available if the data center requires a new building. After that, however, jobs are scarce. This is because the modern data center is mostly automated. The CBRE’s Data Center Solutions Group estimates that the average data center results in between 5-30 permanent, full-time positions[7]. Given the investment required for implementing data residency, it hardly seems worth it based on employment opportunities.

Privacy and security

Well, it has to be more secure and offer more data protection, though! That’s the biggest piece of the benefit pie. Not so fast.

In reality, the exact opposite appears to be true. Regarding privacy, you’d hope that housing data in the country of origin would benefit the citizens. But think back to some of the countries passing data localization laws. Is a full data set of personal information housed in a single jurisdiction good for the people in China? Or Russia? Very debatable. These nations are already surveillance states. Any data housed within their borders is at the control of their totalitarian governments.

Cybersecurity is another issue where expectations don’t match up with the real-world. Consider that these implementations aren’t in a vacuum and that they’ll inevitably cost a significant amount of money. That’s money the company will need to divert from other areas of the business. Cybersecurity could be one of those areas.

Additionally, data residency concentrates a jurisdiction’s data in a small number of domestic facilities. That concentration creates a single high-value target with a large blast radius, and could ultimately mean more damaging data breaches, not fewer.

So, paradoxically, data localization could make it easier for state-sponsored threat actors to carry out successful attacks. Combined with the economic inefficiencies, privacy concerns, and technical problems, it becomes plain to see that decentralization is a better path forward. Companies can employ other, less expensive methods such as end-to-end encryption to protect sensitive information: if the data owner alone holds the keys, the ciphertext is protected wherever it happens to be stored.

The AXEL Network

The AXEL Network is a decentralized, distributed system of servers backed by blockchain technology and the InterPlanetary File System. It gives users a secure, private way to share and store files on the internet. With server nodes located throughout the world, the AXEL Network offers both resiliency and performance. AXEL Go is the next-generation file-sharing platform built on the AXEL Network. It combines all of the advantages listed above with optional AES 256-bit encryption to provide exceptional privacy and security. Download it today for Windows, Mac, Android, or iOS and receive a free 14-day trial of our unrestricted Premium service. Enjoy the power of a decentralized, distributed network.


[1] Jonah Force Hill, “The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders”, ResearchGate, Jan. 2014, https://www.researchgate.net/publication/272306764_The_Growth_of_Data_Localization_Post-Snowden_Analysis_and_Recommendations_for_US_Policymakers_and_Business_Leaders#:~:text=Abstract,geographies%2C%20jurisdictions%2C%20and%20companies.

[2] Grady McGregor, “The world’s largest surveillance system is growing- and so is the backlash”, Fortune, Nov. 3, 2020, https://fortune.com/2020/11/03/china-surveillance-system-backlash-worlds-largest/

[3] United States International Trade Commission, “Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions”, usitc.gov, Aug. 2017, https://www.usitc.gov/publications/332/pub4716_0.pdf

[4] Agam Shah, Jared Council, “USMCA Formalizes Free Flow of Data, Other Tech Issues”, The Wall Street Journal, Jan. 29, 2020, https://www.wsj.com/articles/cios-businesses-to-benefit-from-new-trade-deal-11580340128

[5] “FACT SHEET ON U.S.-Japan Digital Trade Agreement”, Office of the United States Trade Representative, Oct. 2019, https://ustr.gov/about-us/policy-offices/press-office/fact-sheets/2019/october/fact-sheet-us-japan-digital-trade-agreement

[6] ITI, “ITI: U.S.-Kenya Trade Agreement Can Set New Global Benchmark for Digital Trade”, itic.org, Apr. 28, 2020, https://www.itic.org/news-events/news-releases/iti-u-s-kenya-trade-agreement-can-set-new-global-benchmark-for-digital-trade

[7] John Lenio, “The Mystery Impact of Data Centers on Local Economies Revealed”, areadevelopment.com, 2015, https://www.areadevelopment.com/data-centers/Data-Centers-Q1-2015/impact-of-data-center-development-locally-2262766.shtml


Filed Under: Business, Cybersecurity Tagged With: cybersecurity, data localization, national security, Privacy, snowden

© Copyright 2024 Axel ®. All Rights Reserved.