While the SolarWinds hack has been public for some time, its repercussions continue to reverberate. The hackers, allegedly working on Russia’s behalf, broke into the IT-management firm’s system and added malicious code into a system called “Orion,” which thousands of companies and U.S. government agencies use to manage IT.
It’s estimated that some 33,000 SolarWinds customers could be impacted after the hackers installed malware into various systems to “spy on companies and information,” Business Insider reported.
Security experts are calling the hack the worst breach in U.S. history, noting it will take millions of dollars and a long time — years — for impacted agencies and organizations to fortify their systems again.
The additional nightmare here is that the long recovery ahead is obvious to companies that use SolarWinds directly. It gets much harder to detect exposure when someone in your supply chain uses SolarWinds.
In general, vendors don’t include a list of their sub-processors when contracting with clients. While asking for such a list before signing is becoming more commonplace, it isn’t generally part of the transaction. Are your sub-processors using SolarWinds? You should find out.
The hack is a super unfortunate reminder for all organizations to be cautious when choosing vendors and vigilant about whom they choose to work with.
Enjoy reading, and see you next week!
- It wasn’t just Russia: China also hacked SolarWinds
Two months ago, a Russian hack into network-management company SolarWinds made headlines all over the world. Once the hackers infiltrated SolarWinds’ system, they launched a supply-chain attack that could ultimately affect “close to 18,000 of the company’s customers,” The Wall Street Journal reported. But it appears that China also hacked into SolarWinds through a different vulnerability than the Russians found, targeting the U.S. Department of Agriculture’s National Finance Center, Wired reports.
- Virginia likely to pass privacy law soon
Virginia looks ready to pass consumer privacy legislation, “which would make the commonwealth the latest domino to fall in a state-by-state push for data protections,” The Wall Street Journal reports. The state’s Senate and House of Delegates passed versions of the bill recently and will now work to bridge any gaps between the two texts. The bill would allow Virginia residents to correct and delete data, as well as grant them the right to opt out of the sale of their personal data by the companies that collect it.
- Canadian privacy commissioners say Clearview AI collected data illegally
Clearview AI has been in trouble for some time over its facial recognition technology, facing lawsuits and investigations around the world. This week, Canada’s privacy commissioners said the technology is “illegal” in Canada and called on the company to delete any photos of Canadians’ faces from its database, The Verge reports. The commissioners released a report this week stating their investigation found Clearview “collected highly sensitive biometric data without consent” and used the data inappropriately.
- Human rights body launches petition against Singapore’s student laptop monitoring
Singapore’s government plans to ensure every secondary student has a computer for at-home learning during the COVID-19 pandemic, Reuters reports. But the computers will contain software that allows teachers to view and control their students’ screens remotely. The monitoring software's vendor says its product would not track location data or passwords, but Human Rights Watch has launched an online petition against the plan, citing student privacy concerns.
- Stakeholders call for updated definition of “personal information” in Privacy Act
As Australia’s attorney general reviews the country’s Privacy Act of 1988, stakeholders weigh in on what should change. Many public comments call for a law similar to the EU’s General Data Protection Regulation, which should include a revised definition of “personal information” under the law. Microsoft, among others, said the definition should include data that “relates to an identified or identifiable individual,” ZDNet reports.
- EU antitrust commissioner to Apple: Treat all apps the same
The EU’s antitrust enforcer, Margrethe Vestager, has warned Apple it must treat all apps on its platform equally after it recently announced it would ask iPhone users for consent before apps can track their data to serve them personalized ads. The move will “limit apps’ ability to gather data from people’s phones that can be used for targeted advertising,” Reuters reports. Facebook has called the move anti-competitive.