ISMG Editors' Panel transcript

[00:00:00] Anna Delaney: Hello, and thanks for joining us for the ISMG Editors' Panel. I'm Anna Delaney, and here on a weekly basis, we discuss and debate the top information and cybersecurity news stories and trends that you need to know about. We are a merry gang today with Mathew Schwartz, executive editor of DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Michael Novinson, managing editor for ISMG business. Glad you could all join me.

[00:00:28] Mathew Schwartz: Thanks for having us.

[00:00:31] Anna Delaney: So, Michael, we've got to start with you. You're deep diving in with the fish.

[00:00:35] Michael Novinson: I am indeed! I am at the Mystic Aquarium in Mystic, Connecticut, one of the premier aquariums in North America. What brought us there was they had mermaids at Mystic Aquarium. I am personally a fan of mermaids, but my two-year-old daughter is an even bigger fan. So we went there. And if you wonder how mermaids actually swim, what they do is actually have a person with them with a scuba tank. And then they take the little mouthpiece and breathe into it. And then she would, like, make hearts and blow kisses to all the children watching her. So my daughter kept talking about how the mermaid was wearing a black pacifier all day.

[00:01:11] Anna Delaney: Doesn't miss a trick! That is magical, though. Marianne, you're out in the cold as well.

[00:01:19] Marianne McGee: Yeah, this is actually a lake not far from where we live. Took the dog for a walk. I didn't see any mermaids though.

[00:01:26] Anna Delaney: Weren't tempted to dive in like Michael? Mathew, I'm guessing this is, as you always never fail to impress us, something artistic, maybe water on a screen, or have I totally got that wrong?

[00:01:42] Mathew Schwartz: No, no, you're absolutely right. As with Marianne, there's no mermaids here that I was able to see. But this is a local carwash. So you know you're stuck in the car. There's not much to do. I just got my camera out. I thought, yeah, let's play with pretty water patterns.

[00:01:59] Anna Delaney: I love that, I love going through a carwash.

[00:02:04] Mathew Schwartz: A moment of zen, a moment of calm in one's day.

[00:02:07] Anna Delaney: Well, you brought the artistic element out. That's great. Well, last year, I had the pleasure of visiting the University Club in Manhattan. And I got a glimpse of this sensational library, nearly as grand as the libraries in the U.K. in London. Well, Michael, let's start with you this week. For some time now, financial pundits and commentators have been predicting turbulent economic times. And we certainly had a taste of that at the end of last week going into the weekend, with the collapse of Silicon Valley Bank. And of course, reading the headlines today as well, we see the impact on the global markets. So whilst this might not be a repeat of 2008, it certainly has echoes of the panic of that time. So for now, take us back to last week. Recap events. What do we need to know? And, you know, how does this impact the cybersecurity industry?

[00:03:01] Michael Novinson: Absolutely. And thank you for having me. So as you alluded to, this is the second biggest bank failure of all time in the United States, behind only Washington Mutual, which was indeed back in 2008. So Silicon Valley Bank, for our global audience, it's the 16th largest bank in America, a little over $200 billion in assets. And so what had happened was that with the economic boom in 2020-2021, they got a ton of money flowing in. They're really focused on serving the startup community, particularly technology startups, as well as the venture capitalists that back them. So when there was a lot of funding flowing into these companies during the 2020-2021 days, the amount of deposits that SVB had skyrocketed. What they ended up doing, because it's a low interest rate environment, is they put the money into long-term bonds. A lot of the money got locked in. And then in 2022, the economy didn't want to add, and they kind of got a double whammy. So the first was with the rising interest rates: the concentration of their investment in the long-term bonds left them in a curious situation. And then with all of these startups not being in a position to raise money, because the economy wasn't as good and they would have needed to take a hit to their valuation, all of these startups started taking more money out of the bank. So this left SVB in a bit of a precarious situation around deposits. So last Wednesday, a week ago, they went in and they attempted to raise a little over $2 billion by issuing stock. They put out a release on this. People panicked. SVB maybe didn't do a good job of communicating the reason that they needed the additional money. So what you saw last Thursday was just a massive run on the bank. VCs were directing their portfolio companies to pull all their money out. The stock plummeted. A week ago Friday, they shut it down, essentially. They didn't have enough money to continue operating. So you had this really nerve-wracking situation for startups in cybersecurity and elsewhere for about 90 hours or so. So, the way it works in the U.S. is, unless you're one of the big four banks, Chase or Citibank or Bank of America or Wells Fargo, if you're anybody else, the good thing is you didn't have as much regulation. But the bad thing was that your customers' deposits were only insured up to $250,000. Anything beyond that was uninsured. The reason this is relevant here was, in order for startups to work with SVB, the terms of their contract, SVB required them to consolidate all of their banking there. So these startups had all of their money with SVB. But we're in a situation where it wasn't clear if or when they would be able to get anything beyond that first turn $50,000 back. So people were panicking, there was really a question, and two, because the 15th of the month is often the day that employees in America get paid. So there was a question, will companies be able to make their payroll, will they have to sell off assets, or lay people off, or find an alternate source of funding. So it was a really nerve-wracking period until about Sunday evening, when the U.S. government came forward. It did two very important things. The first is that they agreed to make depositors whole, not only at Silicon Valley Bank, but also at Signature Bank, which is a bank out of New York that failed on Sunday. They do a lot around cryptocurrencies, but they do actually have some cybersecurity services customers as well. So they told depositors that come Monday morning, you can take all of your money out, you have access to all of your money. So that was a sigh of relief. And then the second thing which they did is they provided a federal backstop, meaning that for any other, particularly a regional, bank who was worried about having a run at this, the government said that you can have access to our liquidity. So anybody who comes to you and says, I want to take my money out, the bank would always be able to meet that need, which was essentially a way of preemptively trying to stop a bank run, folks taking their money from these regional banks, where the deposits might be uninsured, to the larger national ones, where the deposits will be fully insured. So in the United States, it really did have the intended effect. First Republic, their stock sank, because they did take advantage of the liquidity from the Federal Reserve, but then their stock recovered on Tuesday. Globally, it's a bit of a different story, as you were alluding to, Anna. We do see Credit Suisse today, that are based out of Switzerland. So they're in a different regulatory structure. They've had backing from the Saudis. And I know that the Saudis have indicated they're not looking to continue to back them. So that's a bit of an uncertain situation, which is affecting the global markets on Wednesday. I think the thing to watch, in terms of cybersecurity startups: the short-term crisis is over, everybody has access to their money, that's not an issue. The longer-term question really remains around access to capital. And in particular, for early stage startups who are losing a lot of money, perhaps don't even have a product in market yet. What was unique about Silicon Valley Bank is that they were very willing to extend credit lines, essentially pools of money that companies could tap into, to companies who really didn't necessarily have a proven business model or revenue stream yet. And so the question now becomes for these essentially early stage startups who use these kind of rainy day funds as a contingency fund and use the money from the venture capitalists to fund day-to-day operations, but then in case of emergency, break glass, they would then take the money from the private line that they got from SVB. So depending on who ultimately buys SVB, it's been run by the federal government right now. But federal government is going to be in the banking business. So at some point, it's going to get sold, in all or in part. So then the question really becomes, what's their attitude towards extending credit lines to seed and Series A startups? And if whoever the eventual owner is, is less willing to do that, how do these companies make sure that they have enough capital in case of emergency? Do the VCs just make larger rounds, or do alternate institutions step forward? So that's really, from the standpoint of the cyber industry, the thing I'm watching for going forward.

[00:09:03] Anna Delaney: That was an excellent summary of events, Michael, and what's the chatter in the cybersecurity community? Do you think they think this will stifle innovation in the space?

[00:09:12] Michael Novinson: I think there certainly is a fear that SVB was just very unique, I mean, just in terms of the ease of working with them, and then the willingness to make deals that conventional banks won't, because conventional banks, they just have different views on risk. When the economy is moving, they have a greater risk appetite; when the economy's contracting, then they are under orders to take a more conservative approach, which means essentially just ditching the startups. So the difference with SVB is that there are always startups that are so central to their business that they're willing to work with them on both sunny days and rainy days and try to make deals with them. So yeah, I think there is concern. I know that the new CEO who was put in by the FDIC is signaling to them, the VCs, like it's up to you, like, what you do the next week is going to determine whether we survive or not. Do you tell your portfolio companies to put money back with us if they withdrew it, or do you just cut and run? Because if deposits are a fraction of what they used to be, then it's not an appealing asset to buy. So, yeah, I think certainly people are relieved that they have access to their money. But I think there are questions in terms of what does this mean for companies that are just kind of getting off the ground in the early part of that incubation phase.

[00:10:29] Anna Delaney: Sure. Well, we know events like these change by the minute, but for now, that's excellent reporting on the topic. Thank you, Michael. So Matt, you are looking at an SEC ransomware lawsuit this week. So Blackbaud, a company that provides software and cloud hosting solutions for K-12 schools, has agreed to pay a $3 million fine to settle charges in relation to a 2020 ransomware attack. So as the reps of ransomware reporting, what do we need to know about this?

[00:11:01] Mathew Schwartz: Well, this is a fascinating case. As you say, it came to light in 2020, in July 2020, when Blackbaud, which as you say works with K-12 schools, it also handles a lot of firms that get donations from different organizations. It's got a really deep customer base, and stores a lot of really sensitive information on people who make donations, for example. So it is widely used, lots of sensitive data, what could go wrong? Well, enter some ransomware-wielding attackers, which hit the organization, as we said, in the middle of 2022, or at least that's when the breach came to light; it seems to have happened maybe starting in May. Blackbaud had a little problem when it came to publicizing the details of the breach. Specifically, the U.S. Securities and Exchange Commission, the SEC, accused the company of making misleading disclosures about the ransomware attack that impacted, it says, more than 13,000 customers. I'll just pause here to note and say, each of those customers is an organization that was hiring Blackbaud; each of those customers was storing data on hundreds, thousands or more individuals. So this was a breach that had a massive impact when it comes to the amount of personal information that got exposed. So the SEC has accused Blackbaud of not being straight with investors, which, as we know, the SEC doesn't like. It tends to go after organizations; witness this $3 million agreement. As is typical with such agreements, the organization that it's focused on - Blackbaud - hasn't confirmed or denied any of the allegations. But the SEC says that more than 1 million files being stored by Blackbaud works post, and when the company issued its data breach notification, at first, it said that no donors' bank account details or social security numbers appear to have been stolen. Unfortunately for the company, a different part of the organization, the one that didn't prepare the filing for the SEC, had found that in fact, donors' bank account information was exposed; social security numbers were also exposed. This put the company afoul of the SEC's rules, which require that organizations don't omit material facts. The regulator also says the company failed to maintain disclosure controls and procedures, as evidenced by the fact that one part of the organization didn't seem to know what the other part of the organization knew. So what happens? At least 250 U.S.-based organizations appear to have been affected. As my colleague Marianne has reported, this led to a number of health data breaches, affecting at least 6 million individuals in the United States. We know there were also victims in Canada, Europe, New Zealand and probably beyond. Irate customers have filed a now-consolidated class-action lawsuit alleging, in part, the company's "security program was woefully inadequate" - their words. The company has also been reprimanded by the privacy watchdog here in Britain, the Information Commissioner's Office, back in September 2021. It wasn't fines, but the ICO made some recommendations, which is British-speak for "do this" or "if we have to come look at you again and we find badness, we're going to fine you really, really badly." So the writing's on the wall for it to get its act together. One of the things I want to note, just because it's so bizarre, is when Blackbaud came clean about this ransomware incident, one of the things it said was, you know how when a company says, protecting our customers' data is our top priority, and that's only ever a phrase uttered by organizations that have suffered a data breach. Well, it got even stranger. The company said that because protecting our customers' data is our top priority, we paid the cybercriminals' demand with confirmation that the copy of the data that they had stolen and removed from our systems had been destroyed. So as someone who covers data breaches, the first thing you learn: never trust criminals. The second thing you learn is nobody can ever be trusted. And in fact, security experts say there's no proof that a group has ever honored a promise to delete stolen data. So bizarre breach, affects a lot of people, you have this triumphal-sounding language in the data breach notification saying, "Aren't we great? We really care about you. So we've given even more money to the criminal ecosystem, because they've promised us certain things." And this was in fact one of the things cited in the lawsuit against them about just how much they'd screwed up, allowing this breach to have happened, and their response to it. Again, allegations; I don't know if it'll end up in court, or if they're settled, or if it'll have an impact on this class-action lawsuit that's been filed, but it's a big bad breach, for sure.

[00:16:26] Anna Delaney: Massive stories! They have a lot of it down to a lack of internal processes and procedures. Marianne, do you want to add anything to this? You've obviously reported extensively on it.

[00:16:36] Marianne McGee: Well, yeah, as Matt said, there were dozens of healthcare organizations that were impacted by the Blackbaud incident, at least a few dozen come to mind that reported breaches to the Department of Health and Human Services as involving Blackbaud. But even those reports are sort of hard to gather, because as far as I know, Blackbaud never really issued one report that listed all the organizations. Rather, you know, it was a situation of, oh, there's a big breach that's posted on the Department of Health and Human Services breach reporting website, and then you go, you know, digging around to see if you can find the breach notice, and that's when Blackbaud gets mentioned. So I think people would be surprised how many healthcare organizations are actually impacted. These are healthcare organizations that have fundraising, you know, activities within their organization, your donations, that were maybe named, you know, invade in people's names, and you know, that sort of thing.

[00:17:41] Mathew Schwartz: Sensitive communications. If you are a healthcare organization soliciting these donations from people, this is not the sort of information you want to see go missing.

[00:17:50] Marianne McGee: No, absolutely.

[00:17:52] Anna Delaney: Great teamwork there. Marianne, you have a story now which sort of echoes themes from that story, that harks back to an incident from 2020. There's some underhand behavior and a rather hefty fine. So the Feds just issued a fine to a Florida-based web hosting firm, stemming from a 2020 hacking incident that revealed the PII of hundreds of thousands of minors. Talk us through the case.

[00:18:17] Marianne McGee: Well, the Department of Justice this week announced this nearly $300,000 False Claims Act settlement with a small Florida-based web design and hosting company called Jelly Bean Communications Design and its owner, and the company only had like one employee. So the owner and the employee, you know, it's all kind of one and the same. But the settlement involves a data breach, as you said, that affected about a half a million individuals who entered their information on a website, healthykids.org, which was for kids' dental and health insurance, run by a Florida state Medicaid program, for which Jelly Bean was contracted in 2013 to create, host and maintain, and that contract, of course, required the website to be secure. But from 2013 to 2020, the Justice Department says Jelly Bean did not patch software vulnerabilities or apply other security practices for securing the healthykids.org website. And then in December of 2020, it was discovered that during those seven years, hackers were able to access and alter personal information that was entered into the website by parents and individuals applying for dental and health insurance for their children. The Justice Department says that of the 500,000 applicants who had their information compromised, that included names, addresses, date of birth, social security numbers and also sensitive family financial information such as alimony and child support payments. Now, the False Claims settlement with Jelly Bean is part of the Justice Department's Civil Cyber-Fraud Initiative, which was launched in October of 2021. That program is essentially a government crackdown on federal contractors and grant recipients ... God! The dog's barking.

[00:20:33] Anna Delaney: No worries, go on.

[00:20:35] Marianne McGee: That program is essentially a government crackdown on federal contractors and grant recipients that misrepresent their cybersecurity practices and protocols or knowingly deliver lax cybersecurity products or services that put U.S. information or systems at risk. Other violations under the program include failure to monitor and report cybersecurity incidents or breaches. Now, the legal experts that I spoke to about this case tell me that the Jelly Bean settlement is just another wake-up call, really, for vendors of all sizes and types that handle sensitive information, especially in the healthcare sector. For example, if these vendors are under federal contracts, or bill government programs, such as Medicare and Medicaid, supposedly for HIPAA compliance services, but then fail to deliver on their security promises, those companies or individuals could be exposed to federal criminal liability under the False Claims Act if there is a breach or hacking incident, such as in the Jelly Bean case. And, you know, we've seen a lot of big breaches in the healthcare sector in recent years involving vendors. So this action by the Department of Justice is yet another reminder to vendors that they not only face potential liability under HIPAA and the Federal Trade Commission's, you know, Unfair Business Practices Act, as well as state privacy laws, but also now potentially under the federal False Claims Act if they provide shoddy cybersecurity resulting in serious data compromises, and, you know, as Matt was just speaking about, maybe even the SEC, if it's a public company. So, you know, that's all the other worries on top of the inevitable civil class-action lawsuits that also get filed against these companies when individuals' sensitive information is breached.

[00:22:30] Anna Delaney: So it's just proof that the U.S. government really is targeting federal contractors with poor security?

[00:22:38] Marianne McGee: Yeah, there's again this initiative by the government, where the Justice Department was launched in October of 2021. And, you know, this is one of a few cases that I'm aware of that involved healthcare.
But I think, you 379 00:22:52.600 --> 00:22:55.030 know, there's like so many of these fraud cases, you know, the 380 00:22:55.030 --> 00:22:56.890 government kind of picks and chooses which ones to make 381 00:22:56.890 --> 00:23:00.310 examples of, but I think this one was particularly egregious 382 00:23:00.310 --> 00:23:03.640 because it involves kids' information and their parents' 383 00:23:03.640 --> 00:23:05.860 sensitive information pertaining to the kids. 384 00:23:05.000 --> 00:23:09.740 Anna Delaney: As you say, a wake up call to all organizations. 385 00:23:10.370 --> 00:23:14.360 Thank you, Marianne. Well, finally, as we had the Oscars 386 00:23:14.390 --> 00:23:18.260 here last week, or their last week, and various other 387 00:23:18.260 --> 00:23:21.530 entertainment award ceremonies in the weeks prior, which 388 00:23:21.530 --> 00:23:25.400 stories have you worked on recently, that have the makings 389 00:23:25.400 --> 00:23:30.050 of an Oscar winning screenplay? There's always drama every week 390 00:23:30.740 --> 00:23:32.390 on the Editors' Panel. So Michael, go ahead. 391 00:23:32.000 --> 00:23:35.150 Michael Novinson: I will be boring and take the Silicon 392 00:23:35.150 --> 00:23:38.690 Valley Bank collapse, a couple of things, which I think are fun 393 00:23:38.690 --> 00:23:43.100 to focus on, would be the mass exodus of money on Thursday, you 394 00:23:43.100 --> 00:23:46.700 had stories of venture capitalists and owners of 395 00:23:46.700 --> 00:23:49.310 portfolio companies who are in the back and bathrooms are on 396 00:23:49.310 --> 00:23:52.550 top of ski lifts, just trying to test what they use the mobile 397 00:23:52.550 --> 00:23:55.340 banking app to pull their money out. And then the final point I 398 00:23:55.340 --> 00:24:00.380 would add is there is some pushback on Twitter, venture 399 00:24:00.380 --> 00:24:03.860 capitalists to head yeah, Orzhov is companies to pull their money 400 00:24:03.860 --> 00:24:06.830 ASAP. 
And Thursday morning, and then that very afternoon 401 00:24:06.860 --> 00:24:09.620 thought, Oh, well, I think they'll recover and the CEOs and 402 00:24:09.680 --> 00:24:11.750 their former CEOs, and that's correct. So I'm going to go buy 403 00:24:11.750 --> 00:24:14.900 their stock, and see if I can get some money on the bounce 404 00:24:14.900 --> 00:24:19.190 back. So definitely some very colorful stories from the 405 00:24:19.190 --> 00:24:20.930 Thursday to Sunday period of last week. 406 00:24:20.000 --> 00:24:23.193 Anna Delaney: Yeah, you don't really want to make light of the 407 00:24:20.000 --> 00:24:34.580 Mathew Schwartz: It might be really too similar. But the FTX 408 00:24:23.259 --> 00:24:27.184 situation. But, you know, in a few years' time, perhaps and 409 00:24:27.250 --> 00:24:30.710 Moneyball esque film I can see on the horizon, Matt? 410 00:24:34.580 --> 00:24:38.750 meltdown offers a wealth of dramatic opportunities. And just 411 00:24:38.750 --> 00:24:42.020 some, I don't want to demean, but some bizarre seeming 412 00:24:42.020 --> 00:24:46.160 characters involved at the nexus of all of this money going 413 00:24:46.160 --> 00:24:51.170 missing, wonderful flourishes as well, that we sometimes get from 414 00:24:51.200 --> 00:24:55.220 affidavits and indictments, things like WhatsApp groups, I 415 00:24:55.220 --> 00:24:57.590 don't remember the exact name but you know, don't call it the 416 00:24:57.590 --> 00:25:00.830 fraud group in terms of how they're attempting to deal all 417 00:25:00.830 --> 00:25:05.330 of this sort of fallout that's happening. Again, that's not the 418 00:25:05.330 --> 00:25:08.900 actual name, not a lawyer. But I think there's just so much 419 00:25:08.900 --> 00:25:12.770 interesting human drama there. And also bizarreness. 
It seems 420 00:25:12.830 --> 00:25:17.270 looking from the outside, not just, you know, the on tap 421 00:25:17.420 --> 00:25:21.590 master chefs and you get your nails done anytime you want, 422 00:25:21.590 --> 00:25:24.590 because otherwise, how can you maintain, you know, peak 423 00:25:24.590 --> 00:25:29.030 efficiency down in the Bahamas was it, right? Bahamian entity? 424 00:25:29.300 --> 00:25:31.760 So lots to work with there from a dramatic standpoint. 425 00:25:32.000 --> 00:25:33.950 Anna Delaney: Oh, absolutely. I'm sure the screenplay is well 426 00:25:33.950 --> 00:25:35.630 underway, Marianne? 427 00:25:36.680 --> 00:25:40.550 Marianne McGee: My idea is basically a compilation of the 428 00:25:40.550 --> 00:25:43.880 various ransomware attacks that we've seen on hospitals. You 429 00:25:43.880 --> 00:25:46.850 know, there might be fodder there for a thriller. You know, 430 00:25:46.850 --> 00:25:49.730 patients' lives at stake. Maybe there's something bigger 431 00:25:49.730 --> 00:25:54.290 happening in the community. Always a lot of drama with those 432 00:25:54.290 --> 00:25:55.340 sorts of incidents. 433 00:25:56.020 --> 00:25:58.690 Anna Delaney: Drama, indeed is the word. Well, thank you so 434 00:25:58.690 --> 00:26:01.720 much, Marianne, Matt, Michael. As always, it's been fun, a 435 00:26:01.720 --> 00:26:04.270 pleasure, and extremely educational. So thank you. 436 00:26:05.200 --> 00:26:05.770 Michael Novinson: Thank you, Anna. 437 00:26:06.040 --> 00:26:06.730 Mathew Schwartz: Thanks, Anna. 438 00:26:07.690 --> 00:26:09.400 Anna Delaney: And thank you so much. Until next time.