Hillicon Valley — Feds issue Thanksgiving cybersecurity warning

Today is Monday. Welcome to Hillicon Valley, detailing all you need to know about tech and cyber news from Capitol Hill to Silicon Valley. Subscribe here: thehill.com/newsletter-signup.

Follow The Hill’s cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@millsrodrigo) and Rebecca Klar (@rebeccaklar_), for more coverage.

Hope everyone is getting ready for a wonderful holiday weekend! To kick off the festive week, the FBI and CISA sent out a warning reminding organizations to be mindful of increased risks of cyberattacks over holidays. 


In tech news, a trio of Democratic lawmakers are keeping the pressure on Facebook over its rules around teenage and child users.

Let’s jump into the news.

Give thanks for IT staff 

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Monday warned organizations to be on guard against cyber threats, particularly ransomware attacks, over the Thanksgiving holiday. 

In a joint alert, the agencies noted that while there were currently no “credible threats” identified, hackers had previously launched attacks during holiday weekends when workers are often at home and less likely to be paying close attention to network security. 

“Recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends,” the alert said.

Previous track record: The ransomware attack that crippled Colonial Pipeline this year was discovered just ahead of Mother’s Day weekend, while meat producer JBS USA was hit by a separate attack over Memorial Day weekend. IT company Kaseya was hit by a ransomware attack, potentially compromising up to 1,500 other businesses, during the Fourth of July holiday weekend.  


The FBI and CISA previously put out an alert ahead of Labor Day weekend this year urging organizations to be on the lookout for cyber threats, with the holiday ultimately seeing no major cyberattacks on U.S. businesses.

Read more here. 

BIOMANUFACTURING UNDER ATTACK

Large biomanufacturing companies, including those that produce medications and vaccines tied to the COVID-19 pandemic, are being targeted by hackers potentially tied to Russia, researchers disclosed Monday.

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) revealed the ongoing effort, which involves a type of malware labeled “Tardigrade” that was first detected following a ransomware attack on an unnamed major biomanufacturing facility this spring.

The same malware was found at a second biomanufacturing facility last month, leading to the release of the information Monday in an effort to raise awareness among other companies in the sector to step up their cybersecurity efforts. 

Researchers at BioBright, a member of BIO-ISAC, described the hacking effort to The Hill as “A-level,” and cited potential involvement by a foreign government. 

While the researchers declined to formally attribute the attacks, they noted that the efforts were similar to previous attacks by a hacking group linked to Russia. 

Read more here.

PILING ON THE PRESSURE

A trio of Democrats in Congress are pushing Facebook to address accusations that the company misled lawmakers and the public about its new policy banning advertisers from targeting young users on the platform.

Sen. Ed Markey (D-Mass.) and Reps. Kathy Castor (D-Fla.) and Lori Trahan (D-Mass.) sent the social media giant a letter Monday asking the company to address an “apparent inconsistency” about its ad targeting policy for teens after a recent report indicated the company was still collecting data from teenage users, which comes after the company announced publicly it would limit advertisers' ability to target teens.

“Facebook’s announcement that it would limit ad targeting to users under the age of 18 implicitly acknowledged the harms that targeted advertisements pose to young people, and Facebook explicitly stated it was committed to taking a ‘more precautionary approach’ in its advertising practices when it announced its policy change. Unfortunately, new research suggests that harmful advertising practices on Facebook continue,” the lawmakers wrote. 

Read more here


GODADDY BREACHED

Internet domain host GoDaddy on Monday disclosed a recent data breach that the company said impacted the customer data of around 1.2 million individuals.  

In a document filed to the Securities and Exchange Commission (SEC) on Monday, GoDaddy noted that the company had discovered its Managed WordPress hosting environment had been compromised by an “unauthorized third party,” resulting in emails and 1.2 million Managed WordPress users being exposed. 

GoDaddy warned that the data breach, which had been ongoing since September, increased the chances of email phishing attacks against impacted customers.

GoDaddy Chief Information Security Officer Demetrius Comes wrote in the disclosure that GoDaddy had contacted authorities, brought in an unnamed IT security firm to investigate the incident, and had blocked the perpetrator from the system. 

Read more here.


PRIVACY UPDATE

WhatsApp is providing more details to users in Europe about the data it collects after Irish regulators fined the Facebook-owned messaging platform $267 million over allegations of violating privacy regulations. 

A spokesperson for Meta, the new name of WhatsApp's parent company, said the Monday update will not be made for users outside of the European region because the update doesn’t change “the way we operate our service, including how we process, use or share your data with anyone, including Meta.”

The update comes more than two months after Ireland’s privacy watchdog fined WhatsApp $267 million over what it determined were violations of the European Union’s data privacy rules. It was the largest fine issued since the rules took effect in 2018. 

Read more here


DoorDash ordered to pay up


Restaurant-delivery service DoorDash will pay $5.3 million to San Francisco-based couriers in a settlement in a dispute over health care benefits, the San Francisco Chronicle reported.

According to the settlement announced on Monday, DoorDash drivers will receive most of the money from the settlement, with most getting amounts up to $500 to $1,000 even though awards can go up as high as $17,000. 

San Francisco’s city government will receive $187,953 to cover its expenses, a fraction of the 25 percent contingency fees and expenses private attorneys would charge.

The settlement agreement applies to former employees who worked for DoorDash in the San Francisco area between 2016 and 2020, according to the Chronicle. 

“We believe [DoorDash couriers] were misclassified and should have been employees for years,” Attorney David Chiu told the Chronicle. “That is not part of the settlement but it is the perspective of the city.”

Read more.

BITS AND PIECES

An op-ed to chew on: Why science and religion come together when discussing extraterrestrial life

Lighter click: He got muscles for no reason, Eric Bledsoe

Notable links from around the web:

Facebook’s race-blind practices around hate speech came at the expense of Black users, new documents show (Washington Post / Elizabeth Dwoskin, Nitasha Tiku and Craig Timberg)

North Korean hackers caught snooping on China’s cyber squad (The Daily Beast / Shannon Vavra)

Online shopping scams are rampant. Are Washington’s fixes enough? (Protocol / Issie Lapowsky)

Scholarship application vendor exposed millions of files, researchers find (EdScoop / Benjamin Freed)

One last thing: Section 230 confusion? 


The Justice Department stepped into former President Trump’s lawsuit against Facebook Monday to defend Section 230, an internet communications law criticized by both Trump and his successor.

The department intervened in a lawsuit that Trump brought against the social media giant for suspending his account in the wake of the Jan. 6 insurrection at the Capitol.

Monday’s filing notes that the government is stepping in “for the limited purpose of defending the constitutionality of Section 230c.”

The 1996 law, which protects online platforms from liability for content posted by third parties and allows them to conduct good faith content moderation, was a favored target of Trump during his term.

He argued that the law gives cover for platforms to discriminate against conservatives, an allegation that has yet to be substantiated.

The former president signed an executive order aimed at dismantling the law but the order was revoked early into President Biden’s term before any concrete action was taken.

Read more.

That’s it for today, thanks for reading. Check out The Hill’s technology and cybersecurity pages for the latest news and coverage. We’ll see you Tuesday.