Tag Archives: Robert Maddox

Preparing for and Responding to Ransomware Attacks: Thirteen Lessons from the NIST Framework and Recent Events

by Luke Dembosky, Avi Gesser, H. Jacqueline Brehmer, Robert Maddox, Dr. Friedrich Popp, and Mengyi Xu

Ransomware attacks continue to plague businesses across the globe. As companies enhance their defenses, attackers increase the sophistication of their software and its deployment. Ransomware attacks used to be limited to the locking of a company’s computer system by encryption software and a demand to pay in order to obtain the key, but not anymore.

In early June 2020, for example, the REvil ransomware group auctioned off three databases containing approximately 22,000 stolen files that were associated with a Canadian agricultural firm, for a starting price of $50,000, after the victim refused or failed to pay the ransom. This sale reflects a growing trend of ransomware attacks that includes theft of sensitive company data, along with the usual locking up of computer systems, as a means of amplifying the pressure on victim entities. As a result, companies that have operational backup systems, and therefore do not need to pay the ransom to get access to their data, may still consider paying in order to prevent the public release of their stolen confidential information.


FBI Warns of a Rise in Business Email Compromise Scams — Tips for Preventing and Responding to BECs in Remote Work Environments

by Avi Gesser, Zila Reyes Acosta-Grimes, Christopher S. Ford, Robert Maddox, and Brenna Rae Sooy

On June 9, Calvin A. Shivers, Assistant Director of the Criminal Investigative Division of the FBI, testified before the Senate Judiciary Committee regarding a variety of frauds during COVID-19, including Business Email Compromise (“BEC”) frauds and the FBI’s response.

BECs are among the most successful and persistent forms of cyber attacks. Indeed, the FBI has seen increases in cyber-enabled financial fraud like BECs every year since 2013. In 2019 alone, the FBI reported (PDF: 2.87 MB) 23,775 BECs and email account compromise complaints that led to adjusted losses of over $1.7 billion. For example, on May 13, the Norwegian Investment Fund for developing countries, Norfund, announced it was the victim of a BEC fraud, whereby cyber criminals diverted a $10 million loan intended for a microfinance institution in Cambodia. The fraud took place on March 16, but it was not discovered until April 30 when the hackers attempted a second fraud. Further, on April 6 and April 13, the FBI warned that, due to COVID-19-related disruptions, many businesses have become more vulnerable to BECs.


COVID-19: Three Data Protection Tips for the EU and the UK

by Jeremy Feigelson, Avi Gesser, Jane Shvets, Ariane Fleuriot, Fanny Gauthier, Robert Maddox, and Dr. Friedrich Popp

As businesses adapt to the COVID-19 pandemic, the challenges of managing a remote workforce and its desire for information about the virus’s impact have significant data protection implications. While European Data Protection Board (“EDPB”) guidance (PDF: 211 KB) confirms that the GDPR should not impede the fight against the pandemic, even in these exceptional times, companies must continue to safeguard individuals’ data protection rights.

We share here our top three tips for those who oversee data protection compliance, drawing on guidance from the EDPB (PDF: 211 KB), UK, French, German, and Irish supervisory authorities. Links to other authorities’ guidance are accessible here.

U.K. and U.S. Sign Landmark Cross-Border Data Sharing Agreement

by Jeremy Feigelson, Karolos Seeger, Jane Shvets, Robin Lööf, Robert Maddox, and Alma M. Mozetič

On October 3, 2019, the United Kingdom and the United States signed a landmark data sharing agreement to give law enforcement agencies in one country faster access to digital evidence held by service providers, such as web hosts and social media companies, located in the other (the “Agreement”).[1] The material scope of the Agreement is wide, including fraud, cyberattacks, corruption, and other serious offences. The Agreement aims to provide an alternative, faster mechanism to the current system based on government-to-government requests pursuant to Mutual Legal Assistance Treaties (“MLATs”). Under the Agreement, law enforcement authorities will be able to compel production directly from service providers. The hope is that this will reduce waiting times to weeks or sometimes days. The Agreement is expected to enter into force following review by the U.K. Parliament and the U.S. Congress, in early April 2020.

New Guidance on the GDPR’s Territorial Scope – Are You Covered?

by Jeremy Feigelson, Jane Shvets, and Robert Maddox

The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines (PDF: 255 KB) on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will GDPR reach them?

There are five key takeaways from the Guidelines.