• Last Month in Security Episode 007: Former DHS Undersecretary Mark Weatherford

  • Dec 6 2024
  • Length: 1 hr and 8 mins
  • Podcast


  • Summary

  • In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Mark Weatherford, VP of Policy and Standards at Gretel, Founding Partner of Aspen Chartered Consulting, who was formerly Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

    We jump into the discussion with some recent news that fallout from the 2023 MOVEit exploit campaign included the leak of thousands of companies’ exfiltrated records – including Amazon (2.8 million records), MetLife (585,000 records), and HSBC (280,000 records).
    It was previously reported that ransomware operator Cl0p had compromised an undetermined number of victims with the exploit, although it is unclear how well they were able to monetize the attacks.
    This comes on top of insurer Coalition releasing their 2024 Cyber Claims Report: Mid-Year Update which found that while the frequency of ransomware attacks slightly decreased in early 2024, their severity intensified as claims rose significantly. The report noted a 140% increase among businesses with over $100 million in revenue, with ransomware attacks now driving 18% of all cybersecurity claims.

    Mark provides some keen insights into what this means as far as the relative maturity curve of the ransomware economy, how much more growth we can expect given the success of the RaaS model in enabling less skillful attackers, and whether the US government’s response being largely limited to the issuing of guidelines and frameworks is adequate.

    We then take a look at mass data exfiltration events that are now a part of nearly every ransomware attack, such as the National Public Data attack that exposed 2.7 billion records and the Change Healthcare (UHG) attack that exposed the private data of 100 million people, and how the potential legal and regulatory impact following an attack is, in essence, re-victimizing victim organizations.

    For example, Lehigh Valley Health Network recently agreed to a $65 million settlement following a class-action lawsuit over a 2023 data breach, Enzo Biochem was ordered to pay $4.5 million to New York, New Jersey, and Connecticut following a 2023 ransomware attack, and the City of Columbus is facing a class-action suit following a ransomware attack that compromised 6.5 TB of data, including personal information of city employees.

    We know that ransomware operators are clearly after sensitive data, and we know determined attackers will get in sooner or later. So, is every organization that handles private or regulated data basically on notice that when they are targeted by attackers, they will also be targeted by regulators, and then by shareholders and/or customers?
    Is this a constructive approach to the ransomware problem? Can we do better?

    About Our Guest:
    Mark Weatherford occupies so many important positions, it's hard to know where to start. He is VP of Policy and Standards at Gretel and Founding Partner of Aspen Chartered Consulting, as well as sitting on the Board of Directors and Advisory Boards for dozens of leading and emerging cybersecurity and technology companies.

    Mark also has an extensive background in executive-level cybersecurity roles, showcasing a distinguished career in both public and private sectors. He has served as Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation (NERC), and Chief Information Security Officer for the state of Colorado.

    In 2008, he was appointed by Governor Arnold Schwarzenegger as California’s inaugural Chief Information Security Officer. Later, in 2011, the Obama Administration selected him to serve as the Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Securit
