#CyberFLASH: Cybersecurity Cooperation And Canadian Law Firms

Canadian law firms have been closely watching the cybersecurity collaboration developments between the financial industry and law firms happening south of the border. The push for law firms to provide greater levels of cybersecurity assurances to financial institutions has been driven to a large degree by the US Treasury Department, which has identified law firms for specific scrutiny. These developments have led Canadian financial institutions and the Office of the Superintendent of Financial Institutions (OSFI) to closely follow what is happening in the US and begin making similar moves regarding cybersecurity in Canada.

Collaboration amongst Bay Street law firms in Canada already occurs today, in large part through regular informal meetings that CIOs and security leads hold in order to discuss various topics, including cybersecurity. Currently, however, there is no formal cybersecurity information sharing or collaboration, although discussions about setting up this type of organization have been ongoing.

Cooperation and information sharing on cybersecurity also was enhanced when, in June 2013, the US-based International Legal Technology Association held its first ever LegalSEC summit in the Chicago area, in recognition of the growing need for law firm IT departments to respond to and collaborate on cybersecurity. The summit was an entire day and McCarthy Tetrault was one of the only Canadian firms represented.

In 2014 the summit expanded to two days and a number of CIOs and security leads from major Canadian firms attended to learn what security challenges their US colleagues were facing and how they were addressing them. The Canadian firms also used time at the summit to have their own informal meetings on cybersecurity. LegalSEC will again take place this year on June 8th and 9th in Baltimore, MD and the initiative amongst Canadian law firms is expected to develop further.

Canadian law firms are exploring ways in which they can provide their financial institution clients and other clients enhanced cybersecurity assurance by adopting common industry standard information security best practices, including IT and cyber risks in firm risk management, and by developing more formal information security governance with regular briefings to firms’ management teams and boards of partners.

#CyberFLASH: FBI watched as hacker dumped Bell Canada passwords online

When Bell Canada’s website was hacked last year — and the accounts and passwords of more than 12,000 Canadians posted online — the Federal Bureau of Investigation was not only watching, but letting the hackers stage the attack from what was secretly an FBI server.

The bureau had spent more than a year keeping tabs on the 15-year-old Canadian teenager, who discovered the vulnerability then passed it to an American counterpart. It was the American who carried out the cyberattack on behalf of a collective calling itself NullCrew.

The details emerged in an Ottawa courtroom last month after the Canadian teen pleaded guilty to a single count of unlawfully using a computer.

The 15-year-old teen, who used the online nickname “Null”, discovered a weakness in a Bell Canada login page. It allowed someone to gain access to the usernames and passwords of small and medium-sized business customers that were contained within a database maintained by a third-party supplier to Bell.

The teen didn’t post the data, but instead shared how to access it using what is known as a SQL injection attack with another NullCrew member named “Orbit.”

#CyberFLASH: Dalhousie University says Instagram sex scandal ‘not acceptable’

Dalhousie University says it took “immediate and appropriate action” in light of a social media sex scandal that happened in the fall at the university that is independent of the dentistry school’s Facebook scandal.

The Chronicle Herald first reported the story on Friday evening.

The scandal revolved around an Instagram account called The Dal Jungle where the photos posted included a female student giving oral sex to a male student while another male student took a smiling selfie with the couple visible in the frame, the Chronicle Herald reported.

The photos on the account were mostly pictures of guys doing “naked, drunk, stupid shit,” said Hanna, a female student who saw pictures from the account. Her name was changed in the Herald story to protect her privacy.

Hanna told the Chronicle Herald another photo was of a couple having sex, but she was unsure whether the photo had been taken or posted with consent.

#CyberFLASH: Lawyer wants case involving nude photos of judge thrown out

WINNIPEG—A lawyer for the senior Manitoba judge facing removal over nude photographs her husband posted of her on the Internet compared her Monday to celebrity hacking victims who have faced the same fate.

Sheila Block, who represents Associate Chief Justice Lori Douglas, argued the case should be thrown out because it punishes the victim.

Block said it doesn’t make sense to subject Douglas to another lengthy disciplinary tribunal, which equates to “state-sponsored victim-blaming.”

She told a panel of judges that they shouldn’t put Douglas through more trauma because she has been a victim twice over: the victim of her husband, who died of cancer last spring, and of a man bent on extortion and revenge.

“You are not responsible for pushing this boulder down the hill but you are in the position to do the right thing,” she told the judges. “Our system of justice does not punish the victim. It does not rob the victim of their dignity and privacy. It does not treat the victim as damaged goods.”

#CyberFLASH: Privacy breach: Six GTA hospitals gave patient info to photographers

Six GTA hospitals compromised their patients’ personal health data by routinely handing it over to baby photographers who paid for access to maternity wards — breaches revealed by extra scrutiny following a major breach at Rouge Valley Health System.

As far back as 2009, Mount Sinai, North York General, St. Joseph’s Health Centre, Humber River, Toronto East General and Rouge Valley Health System hospitals inappropriately gave up the information of tens of thousands of new mothers.

In some cases, the records included the patients’ name, age, length of hospital stay, attending physician, type of diet, reason for admission to hospital, type of delivery and baby’s birth date.

“It wasn’t the proper process. We should have simply been providing the name and room number,” said Elizabeth McCarthy, a spokesperson for North York General.

McCarthy estimated more than 5,000 patients at North York General alone may have been affected between March 2013 and February 2014.

#CyberFLASH: Paddy Power say 650,000 customers affected by 2010 cyber attack

Paddy Power is contacting almost 650,000 punters today after their personal information was leaked in a 2010 cyber attack.

The Irish bookmaker say they are ‘pro-actively’ getting in touch with customers whose names, addresses, and phone numbers may have fallen into the wrong hands.

Close to 120,855 Irish customers, 461,154 UK users and 67,052 international punters have been affected.

It’s understood that the attack originated in Ontario, Canada where the bookmaker is liaising with police.

The gambling giants have also commenced legal proceedings in Toronto to secure possession of computer equipment owned by the person who was holding the Paddy Power data.

#CyberFLASH: Mounties charge Quebec teen for hacking Bell customer data, posting it online

The Mounties have charged a young offender in Quebec after the user names, passwords and credit-card information from some of Bell Canada’s small-business customers were posted online.

The RCMP say they started investigating after one of Bell’s third-party IT suppliers was cyberhacked.

As a result of the hacking, investigators say, 22,421 user names and passwords and five valid credit-card numbers were displayed for anyone to see on the Internet.

A young offender, who cannot be identified because of his age, was arrested at a Bagotville, Que., residence early Friday and charged with one count of unauthorized use of a computer and two counts of mischief in relation to data.

Police said the accused is believed to be a member of a hacktivist group NullCrew, alleged to be responsible for hacking into computers of businesses, schools and government agencies.

#CyberFLASH: Canadian cyberspy agency CSEC fretted about staff after Snowden leaks

Canada’s secret eavesdropping agency feared for the personal safety of staff following the leak of sensitive intelligence by a former U.S. spy contractor, newly declassified memos show.

The Ottawa-based Communications Security Establishment Canada combed through personnel files to assess risks to employees whose name, agency affiliation or specific duties may have been disclosed by Edward Snowden, says an internal note from the head of the spy service.

In the September 2013 memo, CSEC chief John Forster urged staff with concerns to speak with a manager or personnel security officials.

“There should not be any conversation that is too difficult to have, or any question that is too difficult to ask,” says the memo, originally classified top secret for Canadian eyes only.

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.