Hillicon Valley — Feds issue Thanksgiving cybersecurity warning
Today is Monday. Welcome to Hillicon Valley, detailing all you need to know about tech and cyber news from Capitol Hill to Silicon Valley. Subscribe here: thehill.com/newsletter-signup.
Follow The Hill’s cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@millsrodrigo) and Rebecca Klar (@rebeccaklar_), for more coverage.
Hope everyone is getting ready for a wonderful holiday weekend! To kick off the festive week, the FBI and CISA sent out a warning reminding organizations to be mindful of increased risks of cyberattacks over holidays.
In tech news, a trio of Democratic lawmakers are keeping the pressure on Facebook over its rules around teenage and child users.
Let’s jump into the news.
Give thanks for IT staff
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Monday warned organizations to be on guard against cyber threats, particularly ransomware attacks, over the Thanksgiving holiday.
In a joint alert, the agencies noted that while there were currently no “credible threats” identified, hackers had previously launched attacks during holiday weekends when workers are often at home and less likely to be paying close attention to network security.
“Recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends,” the alert said.
Previous track record: The ransomware attack that crippled Colonial Pipeline this year was discovered just ahead of Mother’s Day weekend, while meat producer JBS USA was hit by a separate attack over Memorial Day weekend. IT company Kaseya was hit by a ransomware attack, potentially compromising up to 1,500 other businesses, during the Fourth of July holiday weekend.
The FBI and CISA previously put out an alert ahead of Labor Day weekend this year urging organizations to be on the lookout for cyber threats, with the holiday ultimately seeing no major cyberattacks on U.S. businesses.
BIOMANUFACTURING UNDER ATTACK
Large biomanufacturing companies, including those that produce medications and vaccines tied to the COVID-19 pandemic, are being targeted by hackers potentially tied to Russia, researchers disclosed Monday.
The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) revealed the ongoing effort, which involves a type of malware labeled “Tardigrade” that was first detected following a ransomware attack on an unnamed major biomanufacturing facility this spring.
The same malware was found at a second biomanufacturing facility last month, leading to the release of the information Monday in an effort to raise awareness among other companies in the sector to step up their cybersecurity efforts.
Researchers at BioBright, a member of BIO-ISAC, described the hacking effort to The Hill as “A-level,” and cited potential involvement by a foreign government.
While the researchers declined to formally attribute the attacks, they noted that the efforts were similar to previous attacks by a hacking group linked to Russia.
PILING ON THE PRESSURE
A trio of Democrats in Congress are pushing Facebook to address accusations that the company misled lawmakers and the public about its new policy banning advertisers from targeting young users on the platform.
Sen. Ed Markey (D-Mass.) and Reps. Kathy Castor (D-Fla.) and Lori Trahan (D-Mass.) sent the social media giant a letter Monday asking the company to address an “apparent inconsistency” about its ad targeting policy for teens. A recent report indicated the company was still collecting data from teenage users, after the company had announced publicly that it would limit advertisers’ ability to target teens.
“Facebook’s announcement that it would limit ad targeting to users under the age of 18 implicitly acknowledged the harms that targeted advertisements pose to young people, and Facebook explicitly stated it was committed to taking a ‘more precautionary approach’ in its advertising practices when it announced its policy change. Unfortunately, new research suggests that harmful advertising practices on Facebook continue,” the lawmakers wrote.
Internet domain host GoDaddy on Monday disclosed a recent data breach that the company said impacted the customer data of around 1.2 million individuals.
In a document filed to the Securities and Exchange Commission (SEC) on Monday, GoDaddy noted that the company had discovered its Managed WordPress hosting environment had been compromised by an “unauthorized third party,” resulting in emails and 1.2 million Managed WordPress users being exposed.
GoDaddy warned that the data breach, which had been ongoing since September, increased the chances of email phishing attacks against impacted customers.
GoDaddy Chief Information Security Officer Demetrius Comes wrote in the disclosure that GoDaddy had contacted authorities, brought in an unnamed IT security firm to investigate the incident, and had blocked the perpetrator from the system.
WhatsApp is providing more details to users in Europe about the data it collects after Irish regulators fined the Facebook-owned messaging platform $267 million over allegations of violating privacy regulations.
A spokesperson for Meta, the new name of WhatsApp’s parent company, said the Monday update will not be made for users outside of the European region because the update doesn’t change “the way we operate our service, including how we process, use or share your data with anyone, including Meta.”
The update comes more than two months after Ireland’s privacy watchdog fined WhatsApp $267 million over what it determined were violations of the European Union’s data privacy rules. It was the largest fine issued since the rules took effect in 2018.
DoorDash ordered to pay up
Restaurant-delivery service DoorDash will pay $5.3 million to San Francisco-based couriers in a settlement in a dispute over health care benefits, the San Francisco Chronicle reported.
According to the settlement announced on Monday, DoorDash drivers will receive most of the money, with most getting amounts of up to $500 to $1,000, though awards can go as high as $17,000.
San Francisco’s city government will receive $187,953 to cover its expenses, a fraction of the 25 percent contingency fees and expenses private attorneys would charge.
The settlement agreement applies to former employees who worked for DoorDash in the San Francisco area between 2016 and 2020, according to the Chronicle.
“We believe [DoorDash couriers] were misclassified and should have been employees for years,” Attorney David Chiu told the Chronicle. “That is not part of the settlement but it is the perspective of the city.”
BITS AND PIECES
An op-ed to chew on: Why science and religion come together when discussing extraterrestrial life
Lighter click: He got muscles for no reason, Eric Bledsoe
Notable links from around the web:
Facebook’s race-blind practices around hate speech came at the expense of Black users, new documents show (Washington Post / Elizabeth Dwoskin, Nitasha Tiku and Craig Timberg)
North Korean hackers caught snooping on China’s cyber squad (The Daily Beast / Shannon Vavra)
Online shopping scams are rampant. Are Washington’s fixes enough? (Protocol / Issie Lapowsky)
Scholarship application vendor exposed millions of files, researchers find (EdScoop / Benjamin Freed)
One last thing: Section 230 confusion?
The Justice Department stepped into former President Trump’s lawsuit against Facebook Monday to defend Section 230, an internet communications law criticized by both Trump and his successor.
The department intervened in a lawsuit that Trump brought against the social media giant for suspending his account in the wake of the Jan. 6 insurrection at the Capitol.
Monday’s filing notes that the government is stepping in “for the limited purpose of defending the constitutionality of Section 230c.”
The 1996 law, which protects online platforms from liability for content posted by third parties and allows them to conduct good faith content moderation, was a favored target of Trump during his term.
He argued that the law gives cover for platforms to discriminate against conservatives, an allegation that has yet to be substantiated.
The former president signed an executive order aimed at dismantling the law but the order was revoked early into President Biden’s term before any concrete action was taken.
That’s it for today, thanks for reading. Check out The Hill’s technology and cybersecurity pages for the latest news and coverage. We’ll see you Tuesday.