Posts

Showing posts with the label mfa

A Hole in the Net: Massachusetts’s Six-Figure Penalty for Failure to Spot Phish

Massachusetts recently joined a growing number of states pursuing data privacy enforcement actions, announcing a $795,000 settlement with Peabody Properties, Inc., a Massachusetts-based firm. The property company oversees more than 200 residential properties, including housing for veterans and seniors. The Attorney General’s Office accused Peabody Properties of multiple data security failures that compromised the personal information of nearly 14,000 residents. The company allegedly mishandled sensitive data —such as Social Security numbers and bank account details—across five separate cybersecurity incidents that took place between November 2019 and September 2021 , and it failed to timely notify those impacted in two of the incidents. According to the Attorney General’s Office, the breaches were the result of phishing attacks that resulted in unauthorized access to Peabody’s systems. Under the terms of the proposed settlement, Peabody Properties will be required to pay the financial...

NYDFS Imposes $2M Penalty for Violations of its Cybersecurity Regulation

Consent order between New York state regulator and company highlights multi-factor authentication requirement and failure to timely report the Cyber Event. The New York State Department of Financial Services (NYDFS) announced on  August 14, 2025 , resolution of civil enforcement action requiring Healthplex, Inc., a licensed insurance agent and independent adjuster, to pay a $2 million civil penalty under a  consent order   for violations of the  NYDFS cybersecurity regulation  (23 NYCRR Part 500) . The NYDFS alleges in the consent order that a threat actor gained access to Healthplex’s information systems through a phishing attack on an employee’s email account, and that Healthplex’s cybersecurity program was not adequately calibrated to protect against, mitigate or respond to the incident. As a result, the threat actor gained access to the private health data and sensitive nonpublic information (NPI) of tens of thousands of consumers. The consent order states t...

The Growing Cyber Risks from AI — and How Organizations Can Fight Back

Artificial Intelligence (AI) is transforming businesses—automating tasks, powering analytics, and reshaping customer interactions. But like any powerful tool, AI is a double-edged sword . While some adopt AI for protection, attackers are using it to scale and intensify cybercrime. Here’s a high-level discussion at emerging AI-powered cyber risks in 2025—and steps organizations can take to defend. AI-Generated Phishing & Social Engineering Cybercriminals now use generative AI to craft near-perfect phishing messages—complete with accurate tone, logos, and language—making them hard to distinguish from real communications . Voice cloning tools enable “deepfake” calls from executives, while deepfake video can simulate someone giving fraudulent instructions. Thanks to AI,  according to Tech Advisors , phishing attacks are skyrocketing—phishing surged 202% in late 2024, and over 80% of phishing emails now incorporate AI, with nearly 80% of recipients opening them. These messages are b...

AI versus MFA

  Ask any chief information security officer (CISO), cyber underwriter or risk manager, or cybersecurity attorney about what controls are critical for protecting an organization’s information systems, you’ll likely find multifactor authentication (MFA) at or near the top of every list. Government agencies responsible for helping to protect the U.S. and its information systems and assets (e.g.,   CISA ,   FBI ,   Secret Service ) send the same message. But that message may be evolving a bit as criminal threat actors have started to exploit weaknesses in MFA.   According to a recent report in  Forbes , for example, threat actors are harnessing AI to break though multifactor authentication strategies designed to prevent new account fraud. “Know Your Customer” procedures are critical in certain industries for validating the identity of customers, such as financial services, telecommunications, etc. Employers increasingly face similar issues with recruiti...