News Alerts and Break Report for Week of November 7, 2022

Legislators Express Concern About ANPR to FTC

Last week, U.S. Senators Kevin Cramer (R-ND), Cynthia Lummis (R-WY), and Marco Rubio (R-FL) sent a letter to Federal Trade Commission (FTC) Chair Lina Khan, urging her to reevaluate the FTC’s Proposed Rulemaking on Commercial Surveillance and Data Security. The senators wrote: “Without federal preemption, any new privacy rules issued by the FTC would only add to the existing ‘patchwork’ of state privacy laws and create an additional layer of requirements for businesses.” Their proposed solution? Wait for a federal privacy law.

Joint Advisory Warns Healthcare Sector of Extortion Scheme

The Cybersecurity & Infrastructure Security Agency, the FBI and the U.S. Department of Health & Human Services released a Joint Advisory last week warning the healthcare sector about ransomware and extortion schemes being perpetrated by a group known as the Daixin Team. The group has targeted the healthcare sector since at least June 2022. Their tactics include eliciting ransom payments by encrypting their targets’ servers, holding data hostage, and threatening to release personal information to the public. According to the report, Daixin typically gains credentials via phishing schemes, or by exploiting vulnerabilities in unpatched VPN servers. “After obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). Daixin actors have sought to gain privileged account access through credential dumping and pass the hash. The actors have [also] leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware on those servers. Read the full alert here.

Texas Sues Google Over Biometric Data Collection

Last week Texas Attorney General Ken Paxton filed a lawsuit against Google, alleging that the tech firm has violated Texas’s biometric privacy law. The suit notes, “For more than a decade, Texas has prohibited companies from capturing Texans’ biometric data—including the unique characteristics of an individual’s face and voice—without their informed, advance consent. In blatant defiance of that law, Google has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google’s commercial ends.” These commercial ends, the suit claims, involve Google’s facial recognition tools and the faces it collected to improve that tool.

Breach Report:

• Dropbox

• Medibank Private Ltd

• Morrison Products Inc.

• St. Luke’s Health 

• Vodafone

* * * * * * *

To read our article on ADCG’s explainer on the European Union’s recently published details of the Digital Services Act (DSA), click here.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

ADCG’s podcast returns this week. In our newest episode (to be released Thursday), two incredible guests, Gary Corn and Jamil Jaffer, join our host, Jody Westby, to discuss Cyber Command, its role and jurisdiction, and what it can do in cyber conflict situations and how it may help the private sector when under nation state attacks.

Gary Corn is director of the Technology, Law & Security Program at American University’s Washington College of Law and former career military with his last position as the Staff Judge Advocate (General Counsel) to U.S. Cyber Command. 

Jamil N. Jaffer is the Founder and Executive Director of the National Security Institute, and an Assistant Professor of Law and Director of the National Security Law & Policy Program and the nation’s first Cyber, Intelligence, and National Security LLM at the Antonin Scalia Law School at George Mason University.

Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Our most recently released episodes:

Our most recently released episodes:

79 | Understanding 5G Cybersecurity Issues (with guest Carlos Solari)

78 | The Nexus Between Privacy, Cybersecurity & National Security (with guest, Corey Simpson)

77 | Privacy & Cybersecurity Whistleblowers: A New Trend? (with guest, Andrew Grosso)

Don’t forget to subscribe!