Cyber Week in Review: December 23, 2022

There will be no Cyber Week in Review next Friday, December 29. The Week in Review will return on Friday, January 6. Happy Holidays! 

Chris Inglis set to step down as National Cyber Director 

National Cyber Director Chris Inglis is likely to step down as National Cyber Director sometime in January or February 2023, according to press reports, although a firm timeline has not yet been set. Kemba Eneas Walden, the Principal Deputy National Cyber Director, is expected to serve as acting National Cyber Director once Inglis retires. Inglis joined the Office of the National Cyber Director (ONCD) in June 2021 after it was established in the National Defense Authorization Act in 2020. The ONCD has grown significantly during Inglis’ tenure, reaching seventy employees earlier this year. The Office is also slated to release its national cyber strategy in early 2023. 

Epic Games fined $520 million for privacy breaches 

The Federal Trade Commission announced it is fining video game company Epic Games over $520 million dollars for deceptive advertising practices and breaching children’s privacy rights. The fine is split into two parts, with $275 million directed to the FTC for violating children’s privacy rights, and $245 million in refunds Epic Games must issue to customers who were deceived into making extra purchases by what are known as “dark patterns,” deceptive configurations of user interfaces designed to get consumers to unintentionally spend money. The $275 million fine stems from Epic’s violations of the Children’s Online Privacy Protections Act: failing to acquire parental consent when it collected data from children, and creating unfair barriers when parents sought to have their child’s data deleted. 

Cyber Command conducted offensive operations before U.S. midterm elections 

General Paul Nakasone, the chief of Army Cyber Command and director of the National Security Agency, said that his command conducted both offensive and defensive operations in the lead up to the 2022 U.S. midterm elections. Cyber Command conducted cyber operations to secure U.S. elections in 2018 against the Russian troll farm Internet Research Agency, and in 2020 against Iranians posing as members of the far-right group Proud Boys in an attempt to intimidate American voters. Nakasone declined to elaborate on who the 2022 operations were directed against, or what kind of action Cyber Command took. Nakasone also said that Cyber Command saw fewer threats against this midterm election than it had previously, which could be a consequence of several factors, including increased domestic turmoil in Russia, Iran, and China. 

Senate passes bill banning TikTok from federal government devices 

The U.S. Senate unanimously passed a bill last week banning TikTok from being used or downloaded onto devices issued by the federal government. Several states have passed similar bans, including Texas, Iowa, North Dakota, and Maryland. TikTok, and its Chinese parent company ByteDance, has been a major focus of U.S. regulators for the past two years after former President Donald Trump signed an executive order banning the app from the United States. A federal judge blocked the ban, and,  TikTok has been embroiled in negotiations with the U.S. government over data storage and content moderation concerns ever since. Four ByteDance employees were recently fired for accessing TikTok user data, including location history, without consent, with the goal of tracking the location of journalists reporting on TikTok and identifying potential sources those journalists may have communicated with. 

Chinese electric car company NIO hit by data breach and extortion attempt

Chinese electric vehicle company NIO appears to have been targeted by a data breach and extortion campaign. NIO issued a statement  saying that hackers were claiming to have gained access to user and sales data, and were threatening to leak the information unless the company paid $2.25 million in Bitcoin. After conducting an internal investigation, the company found that part of NIO’s user and vehicle sales information prior to August 2021 had indeed been compromised. In a follow-up statement, NIO’s founder and CEO William Li Bin apologized to customers, pledging to rectify the situation by assuming responsibility for losses, working with law enforcement, and remaining defiant about resisting hacker demands. Despite ransomware attacks grabbing a lion’s share of the headline, data extortion remains a serious threat. Attacks against Australian companies Medibank in November and Optus in September, for example, led hackers to leak the personal data of nearly half of Australia’s population.