Security News Survey – July 12, 2019

This week, we look at an update on Tesla’s insider threat issues, the latest GDPR fines, and a phishing attack at a popular healthcare contractor.

Welcome back, readers! We took a break last week in favor of some patriotic celebration with our Canadian and American friends and families. A happy belated Canada Day and Fourth of July to all!

Now that we’re back in the swing of things, it’s time to dive into the exciting world of cybersecurity news. July seems to be off to a busy start with several security incidents. Let’s take a look.

Former Tesla engineer admits to uploading company source code

Palo Alto-based automotive and energy company Tesla is still grappling with its most recent insider threat saga. According to a new court filing, a former Tesla engineer admitted to uploading 300,000 files and directories containing source code relating to Tesla’s Autopilot program to his personal iCloud account before leaving the company. Tesla sued the engineer earlier this year for stealing trade secrets for the benefit of a Chinese startup—a claim the engineer had previously denied. While the engineer now admits to uploading company files to his personal account, he insists no “misconduct” took place, arguing that he attempted to delete all sensitive files and that any source-code information remaining on his personal account was purely accidental.

Tesla seems to have its hands full proving that this incident is not just a matter of “routine employee offboarding issues,” as the engineer’s lawyers claim. 

Of course, insider threats continue to rear their ugly heads. If you haven’t already, be sure to read our recent blog on the need for insider threat programs.

New GDPR fines set record for data protection regulator

Major data breaches are coming home to roost for Marriott and British Airways. Investigations by the U.K. Information Commissioner’s Office (ICO) into recent security breaches have resulted in fines of $123 million and $229 million for Marriott and British Airways, respectively.

Marriott’s Starwood properties suffered a cyber attack on their central reservation database, which resulted in the exposure of 383 million guests—about 30 million of whom are E.U. residents. To make matters worse, the breach started in 2014 and wasn’t discovered until late 2018.

British Airways fell victim to hackers last summer when roughly half a million customers visiting the airline’s website were diverted to a fraudulent site. Hackers were able to swipe a wealth of personal and financial information, including names, addresses, login details, payment details, and more. 

The latter fine has set a new record for the U.K. data protection authority, signaling that GDPR is growing serious teeth. In justification of the fine, Information Commissioner Elizabeth Denham declared, “People’s personal data is just that—personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience.” 

Healthcare contractor suffers data breach

Health data management contractor Nemadji Research Corp. has disclosed unauthorized access to the medical data of 14,591 patients. According to Nemadji, an employee fell victim to a phishing attack in late March 2019 that allowed third-party access to company data. While the data was encrypted, the email account included encryption keys. Compromised information includes contact information, dates of birth, medical record numbers, and some Social Security numbers. Nemadji claims no information has been misused, but the company is offering credit monitoring and identity protection for those impacted.

Los Angeles County and Minnesota-based Essentia Health, both of which contract with Nemadji, have confirmed publicly that some of their patients have been affected by Nemadji’s data breach.