In this week’s Cyber Blurbs Roundup, we take a look at Congress’ latest attempt at reeling in some of big tech’s oft-untethered power, a massive ransomware payout, and the final days for one of the more recognized internet browsers of all time.
Congress Proposing Data Privacy Bill
Congress is going after big tech again, this time with — wait for it — your best interests in mind. Wild stuff, I know. Sen. Amy Klobuchar (D-Minn.) and a bipartisan (!) trio of her colleagues have reintroduced a bill aiming to protect user privacy. Dubbed the Social Media Privacy Protection and Consumer Rights Act, the bill would require tech companies to provide its users with an option to opt out of data collection.
This isn’t the first time we’ve seen a bill of this nature. Klobuchar has previously attempted to propose this bill twice, first in 2018 and then 2019. The bill struggled to get any traction in either of the first two attempts, though circumstances are a little different this time around.
For starters, a few of the concepts proposed in the bill aren’t necessarily new anymore, largely thanks to Apple’s pro-privacy decisions over the last year. Bringing us one of those “wait, we can do that?” moments, Apple flipped the script against application developers when it enabled its users to deny activity tracking across other applications. This latest bill also proposes an opt-out ability to data collection (and Android users can join in on the fun too).
“For too long, companies have profited off of Americans’ online data while consumers have been left in the dark,” Klobuchar said in a statement to ArsTechnica. “This legislation will protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information.”
An opt-out ability would likely need to be spelled out in an app’s terms of service. Don’t worry — the bill is proposing a fix to that historically ignored issue too, stating that TOCs must become “easily accessible, of reasonable length… and uses language that is clear, concise, and well organized and follows other best practices appropriate to the subject and intended audience.”
For more on the proposed legislation, take a look at the original report from The Verge.
Internet Explorer is Going Away
It’s official: Internet Explorer is going away. Microsoft announced earlier this month that IE will officially be decommissioned on June 15, 2022 — approximately 15 years too late.
Microsoft is making a full-fledged push toward Edge, a cross-platform web browser that runs circles around its seemingly ancient predecessor. The company lists improved capability, streamlined productivity, and enhanced browser security as the primary reasons for its transition — the first of which served as a primary reason why IE lasted as long as it did. Plenty of web developers were/are reluctant to update their pages to play nice with modern browsers, but Microsoft says Edge will be capable of handling all types of pages.
“Not only is Microsoft Edge a faster, more secure and more modern browsing experience than Internet Explorer, but it is also able to address a key concern: compatibility for older, legacy websites and applications. Microsoft Edge has Internet Explorer mode (“IE mode”) built in, so you can access those legacy Internet Explorer-based websites and applications straight from Microsoft Edge,” the company wrote in a blog post.
Organizations looking to make the transition from IE to Edge can take a look at the tailend of Microsoft’s blog post here, where the company describes in detail how to prepare for the summer 2022 change.
Report: US Insurance Giant Pays $40M in Ransomware
Ransom demands are on the rise in the cyber industry, with the latest instance coming out of CNA Financial, one of the largest insurance firms in the United States and the seventh-largest in the world.
News of the attack isn’t anything new, first surfacing about a week after it took place back in March. But the dollar amount CNA had to pay? That’s new — and it’s a lot. According to Bloomberg, CNA reportedly paid $40 million to regain access to its network, negotiating down from $60 million a week after talks first started.
According to BleepingComputer, the attack targeted more than 15,000 devices on the company’s network, even some of which were logged into CNA’s VPN.
“The attack caused a network disruption and impacted certain CNA systems, including corporate email,” according to a CNA statement from March.
If you had to double-take at that $40 million amount, it’s because you should have. It serves as one of the highest known payouts in ransomware history.
Average ransomware payments increased 171% in 2020, jumping up to $312,493 during the pandemic year after sitting at $115,123 in 2019, according to a report from Palo Alto Networks. Last year saw one company pay $30 million in response to a ransomware attack, double the highest payout ($15 million) seen between 2015-19.