Author: Rafael Moscatel, CIPM, CRM, IGP

Data Governance Privacy

Data Governance: How to Tackle 3 Key Issues The Importance of Accountability, Data Inventory and Automation – Full Interview with Rafael Moscatel

By Rafael Moscatel, CIPM, CRM, IGP on

I was recently interviewed for an article on Data Governance & Privacy for a number of periodicals including Info Risk Today on “Data Governance: How to Tackle 3 Key Issues: The Importance of Accountability, Data Inventory, and Automation. Below is the full text of my interview for additional context.

With privacy law getting stronger by the day, it has become all the more important for companies to know where the data lies. The problem is not new but I am not sure if companies have been able to find a solution to this. What are the two main challenges of data governance?

While global privacy regulations like the GDPR and CCPA have greatly impacted contemporary data governance discussions, enterprise projects, and software solutions, we often forget that privacy itself is far from a novel concept and, in fact, one with deep roots in centuries-old ethics and social mores. What’s different now, or even from twenty years back, and what does that mean for data governance today?

The truth is that many companies have had to comply with at least some privacy requirements for decades, but the ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and in some sense, reclaim ownership of that data. That’s a paradigm shift that introduces a number of logistical burdens that some organizations, even relatively new ones, are not prepared to deal with. Especially since IT infrastructures and dependencies change quite rapidly. So the question becomes how do we build data governance rules that can keep up with these nuanced laws and demands while still supporting the greater needs of the business? The severity of fines and reputation damage from non-compliance has forced us to sit around the table and try to find the right balance between risk and reward. I think ultimately privacy-by-design as a fundamental aspect of enterprise architecture will bring needed order to some organizations despite handicapping them in the near term.

The second challenge is also privacy related, but in terms of exposure, much more consequential. Data breaches and ransomware have inundated infosec teams and exploiting poor data governance models is routine for hackers. Most breaches obviously originate with end-users, but the protection, encryption, anonymization, etc. of private data sets requires thoughtful and strict data governance to sustain disruption. How do meet that high bar and also provide a seamless customer experience? That’s a work in progress.

How have you approached these challenges? Can you walk us through the process?

We try to spend as much of our time understanding the regulatory environment our client is subject to as much as their risk tolerance. You can always look for a baseline in terms of a particular set of laws, but often a best practice approach makes more sense in the long run. I think a solution needs to be proportional to an organization’s true risk, and while it must meet certain standards, your compliance professionals, data fulfillment service teams and IT support must be able to work with each other and speak the same language. It’s not as simple as throwing together a data map. This is, to your previous question, a challenge because the stakes are now much higher and teams must now not only support each other’s requirements but go farther in understanding and appreciating the very nature of those rules. It’s not just collecting the metadata, it’s understanding the relation of the attributes not simply from a database perspective but from an ethical one. This is a convergence of law and technology that requires true cross-functional teamwork, where each stakeholder must respect and value the contribution of his or her colleague. It’s just not enough to know your little corner of the universe anymore. At Compliance & Privacy Partners we aim to facilitate discussions that enable that synergy and eventually support change management goals.

What did you discover during this journey? Where are most organizations missing the mark?

As far as privacy goes, and despite its long history as a basic component of ethics and law, most groups still haven’t understood you can’t just throw bodies and technology at something like this. The specialty is too new and the laws are in many cases too vague to leave it up to a project manager, a lawyer, a vendor, and an enterprise architect. I’m seeing a lot of companies try to check off details of regulations without understanding exactly how they fit together. What ends up happening is a whole lot of talk, a whole lot of capital spend and very little result.  Companies have to take a step back. The smartest know they need to bring somebody in who can provide an overview and roadmap for their particular challenges and then take next steps. That planning is what’s really going to set up their in-house teams and leaders for long-term success. 

What would be your advice to your contemporaries?

From my perspective, it would be to actually value privacy, not just as a consumer yourself, but as a smart business decision. Customers want companies they can trust and who provide solutions that help them solve their problem, but also don’t exploit their data. Do unto others as they say. I think building a culture that can internalize that as a golden rule will be transformative and lead to better data governance across the board.

Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. His latest book, Tomorrow’s Jobs Today, is available soon from John Hunt Publishing. Contact him at www.capp-llc.com or follow him on Twitter @rafael_moscatel.

Posted in: , ,
No comments
Events Professional Development

AIIM Conference 2020 Keynote – Tomorrow’s Jobs Today – Rafael Moscatel

By Rafael Moscatel, CIPM, CRM, IGP on

Full transcript below

Welcome to the AIIM 2020 Keynote Session Tomorrow’s Jobs Today, thinking beyond information management.

I’m Rafael Moscatel, I’m an AIIM member, and I’ve had the distinct pleasure of attending several of its thought leadership events over the past few years and had the opportunity to meet and become friends with many of you.

There isn’t much that could keep me away from an event like this, and I’m disappointed that I can’t be with you in Dallas, but I just became a father again, and it’s my first few weeks on the job. So I’m kind of afraid to ask for any time off yet!

Luckily, it’s a detail-oriented role, which is perfect because my background is in Compliance and Privacy, and I’ve spent most of my career building data governance programs for recognized brands like Paramount Pictures and Farmers Insurance.

But whether it’s a classic motion picture company or a premiere insurance group, I’ve learned that my ultimate goal isn’t just managing risk but rather elevating Information Governance and being an integral part of the “mission” of whatever organization I’m a part of. For a film studio, that’s producing content, and entertaining your audience. For an insurance carrier, the goal is to protect people’s livelihoods and helping us get back on our feet after a disaster.

So, whatever our organization’s mission might be, it’s imperative to connect “the what we do” to “the why we do it.” And that’s one of the wisest lessons I’ve learned from colleagues here at AIIM, like Michael Jay Moon, Dux Raymond Sy and some of the other leaders you have on the stage today.

It’s a big reason I wrote the book Tomorrow’s Jobs Today….

I interviewed almost two dozen trailblazing information management leaders in fields like AI, Blockchain, Big Data and Privacy from world-renowned organizations like Price Waterhouse Coopers, the International Criminal Court, and Iron Mountain to understand what their mission was and how they applied their unique skillsets in pursuit of that greater good.

The lessons I picked up in speaking with these folks should resonate with an information management professional. Despite their industry and diverse roles, three things stood out. First, they knew how to recognize an opportunity.

Take Ashish Gadnis of BanQu. Ashish grew up dirt poor on the streets of India, and following a life-changing experience in Africa, he developed a fantastic app that leverages the same technology behind Cryptocurrency, blockchain, to help the most deprived people and farmers in the world. By using his app, even if you’re in the last mile of a supply chain, you can establish your economic identity, better assert your value in society, and escape poverty. He saw the unequal gaps between significant brands, middle-men, and farmers on a supply chain and decided to transform those gaps into opportunities.

The second lesson I learned is also a timeless one but also speaks directly to the challenges the information age and our digital deluge. It’s Less is More. We learned from pioneers like George Socha of BDO and the EDRM that particular strategy is relevant not merely in disciplines and concepts like eDiscovery, and privacy-by-design, but how you approach your career. To be strategically selective with our words, our actions and our expectations runs contrary to the human nature of a large segment of the workforce and consumers. It’s also what makes you stand out.

Finally, coming full circle, the most important lesson I learned from all of the individuals I interviewed, and that was that Relationships Matter. Enjoying and being enriched by professional relationships is above and beyond the greatest gift you can give your career. Relationship building is, has always been and will always be, the most critical skill and strategy we should practice and master.

Now, I know it’s going to be many years before my youngest enters the workforce, and jobs are going to look a lot different, but I know the valuable lessons and wisdom that have guided me in my career and exemplified by the biographies in my book will still be around.

Because although the set decorations can be changed, and the actors, and the price of insuring your most valuable assets, what stays the same is the power you have over your destiny. I know that statement’s true because I just spent a year documenting the success stories of those who swear by it.

As working professionals in the Information Age, we must strive to recognize and even anticipate emerging technological trends. But seizing upon those opportunities is possible when we choose to partner with change agents who share our vision and can work with us to transform our enterprises. We must reach beyond our teams or spheres of influence and work closely with the legal, regulatory, and ethical communities that study, measure, and moderate the impact of our technology and products on our respective fields. We need to plan and develop ourselves with a deep respect for the world that our products and services impact.

By absorbing the perspectives, challenges, and solutions of those deeply in love with and accomplished in these new careers, we can help ourselves, our friends, and our employees transform anxiety over a job search, job loss, or just the winds of change into hope, understanding, and opportunity.

As you look ahead to your career over the next year, think back to the dreams you had as a kid. And think about how every one of us is in the business of making new dreams and opportunities come true for the next generation. Because if we don’t, they’ll never leave the house.

Thanks to each of you at AIIM for inspiring me in my own career. You can find out more about your colleagues in this book by going to tomorrow’s jobs today dot om where we’ll be publishing excerpts and updates about the book, and now I’ll turn it back to you Peggy and four visionaries who exemplify some of the best qualities our AIIM community has to offer.

Posted in: ,
No comments
Interview Privacy

Interview with Information Management Today MVP Award Winner Compliance & Privacy Partners

By Rafael Moscatel, CIPM, CRM, IGP on

The competition for the Information Management 2019 IMT MVP Awards was tight – and congrats are in order to all of our winners! We got to know one of them, a bit better here! Read the winning articles here: http://bit.ly/IMTAwards2019

The 2019 Information Management Today MVP Awards Winners Spotlight from Shelley Trout on Vimeo.

Posted in:
No comments
Artificial Intelligence Blockchain Internet of Things Privacy

Tomorrow’s Jobs Today to be released by John Hunt Publishing in 2020

By Rafael Moscatel, CIPM, CRM, IGP on

Design your career for tomorrow with wisdom from leaders whose shoulders you stand on today. 

It gives me great pleasure to shout from the digital mountaintop that along with my co-author, Abby Moscatel, Esq., we’ve signed a book deal with John Hunt Publishing to release our book, Tomorrow’s Jobs Today: Wisdom and Career Advice from Thought Leaders in AI, Big Data, Blockchain, the Internet of Things, Privacy, and More. The manuscript originated from a series of in-depth interviews we’ve been conducting around the world. The insights that emerged from these conversations were so essential and relevant to workers in the Information Age that we knew we just had to share it with a bigger audience!

Discover leadership secrets and technology strategies being pioneered by today’s most innovative business executives and renowned brands across the globe in this entertaining collection of interviews and stories exploring new careers of the Information Age.*

What’s the book about?

This collection of in-depth profiles featuring Smart City CIOs, Data Protection Officers, Blockchain CEO’s, Informatics Doctors and other diverse, skilled professionals gives readers first-hand insight into what tomorrow’s jobs look like today. The hands-on experiences, subject matter expertise, and measured job advice shared within these pages demonstrate how identifying opportunities, setting the right cadence, and building strong relationships are the essential ingredients to unlocking your future’s potential.

Who is the book for?

This book is for the new graduate, the professional between jobs and the doting parents desperate to get their “brilliant” but lazy kid out of the basement. It’s also for senior corporate leaders seeking an intimate understanding of the changes abounding in their organizations. It’s for the manager who wants to inspire and encourage professional development. And it’s for every knowledge worker out there who wants to leverage technology and information governance to reduce risk, generate revenue, and improve customer experiences.

Sign up for updates on the book below!

 

What People Are Saying About Tomorrow’s Jobs Today

In today’s data-driven, fast-changing world, Tomorrow’s Jobs Today gives business leaders a solid overview of many complex technology trends. This book helps surface many of the issues a business leader needs to be aware of and provides food for thought on how they might be navigated as we head into a new decade. –Gregory L. Steinhauer, President, American Life

Information is the currency that fuels and funds the Digital Transformation journey. Tomorrow’s Jobs Today manages to capture a set of leadership perspectives that, while diverse, share an essential characteristic for the future of transformative work: leveraging information as one’s most valuable asset. –Peggy Winton, CEO, Association for Intelligent Information Management AIIM

If you want to stay successful, you have to embrace and adapt to changes. Tomorrow’s Jobs Today shows you how those challenges can be both enlightening and empowering. –Jim Dodson, SVP, Iron Mountain

In a world often seized by ever-accelerating change, Tomorrow’s Jobs Today has brilliantly identified, captured, and recounted liberating insights for success from a broad range of global information governance and technology professionals. There will always be challenges, but for those willing to look, the opportunity is abundant. The Information Age remains an ever-growing frontier awaiting each new wave of pioneers. –Seth Williams, President, MER Conference

This is an empowering and beautifully written book that will surely guide the reader to find a place in this quickly changing Information Age, where they can thrive and contribute to the greater good. –Dr. Angela Bair Schmider, M.S., Ph.D., Massachusetts General Hospital and Harvard Medical School

The authors bring together the voices of leading thinkers, exploring the critical themes that will dominate the years to come. Entertaining interviews reveal the best paths forward for professional development and the impending social, political, and ethical challenges of tomorrow. This is an important book. –Alex Panagides, CEO, mxHero

Tomorrow’s Jobs Today brings together an impressive group of professionals sharing their wisdom and career advice from the cutting edge of technological advancement today. These insights will inevitably bolster your career path, and the combined knowledge of so many brilliant folks in one volume is staggering. I recommend this book for anyone who is pushing or looking to push their organizations into the future. –Nick Inglis, Executive Director of Content & Programming, ARMA International

Stepping away from the mush of data that sometimes arrives through surveys, Tomorrow’s Jobs Today goes straight to the people creating the future world of work. Read this book; go interview a few visionaries yourself; help shape the world to come. –Andy Watson, Head of School, Albuquerque Academy

*The opinions expressed by the interviewees in this book are their own and do not necessarily reflect those of their employer.

About John Hunt Publishing – John Hunt’s Business Books “Fresh thinking for the business world,” imprint publishes practical guides and insightful non-fiction for beginners and professionals. Covering aspects from management skills, leadership, and organizational change to positive work environments, career coaching, and self-care for managers, our books are a valuable addition to those working in the world of business.

Posted in: , , ,
No comments
Events GDPR Privacy Professional Development

Compliance and Privacy Partners and Ethikos to Speak at the 2020 MER Conference in Chicago

By Rafael Moscatel, CIPM, CRM, IGP on
The 2020 MER Conference Agenda has been announced and conference registration is now available.

This year’s conference takes place May 4-6th in Chicago and features Information Governance sessions on Privacy, eDiscovery, Data Remediation, emerging technologies, and operational best practices from the industry’s leading experts, along with the experiences of knowledgeable practitioners.

Compliance and Privacy Partners is participating in two sessions this year:

Using Information Governance with a Privacy Compliance Plan as the Fulcrum for Data Privacy and Compliance – Monday, May 4, 20202:10 – 3:00pm

Tackling data privacy and maintaining consumer trust is harder than ever, especially with the sheer amount of information you need to manage and with constantly evolving privacy laws (CCPA, GDPR, etc) moving the goalposts. The usual checkbox compliance, ad-hoc governance, and reactive information security policies will fail, if they haven’t already, and create too much organizational risk. To achieve a state of consistent compliance and minimize corporate risk you must provide three things to your business: transparent governance, frictionless security, and continuous validation. To provide these things, you must build a strong information governance framework and privacy compliance plan to succeed.

Meeting Evolving Business Needs – A Conversation Between RIM Educators and Thought Leaders – Tuesday, May 5, 202011:45am – 12:35pm

This special, two-part panel discussion facilitated by the ICRM will compare current academic curricula with the existing ICRM exam to identify gaps and areas of improvements for both academia and the ICRM. University Professors will discuss their programs and IG industry leaders will add perspective from the business world. There will be ample time for members of the audience to share their thoughts as well. It is time to close any gaps between what is taught at the university level and what is needed in the world of business. More effective preparation of the next generation of IG professionals will benefit all organizations that depend on these practitioners to address the business opportunities and challenges of the future and it will provide more fulfilling careers for those emerging from school into the world of business.

Also, our partners at Ethikos will be coming all the way from Brussels to present on GDPR.

GDPR – Two Years On -Monday, May 4, 202012:50 – 1:40pm

The GDPR will celebrate its second anniversary on 25 May 2020 – a good time for US companies impacted by this regulation to understand what they should expect in the coming months.  In this presentation, Legal professionals working in Europe will discuss how the GDPR has been enforced so far in Europe, what the regulators’ future direction might be, and the key areas US organizations will need to focus on in the coming months. Is there a higher risk of enforcement on the horizon? What is the level of privacy awareness among Internet users, consumers and individuals in Europe? Should US organizations that collect and process personal data of EU data subjects be worried about these regulatory trends?

Posted in: ,
No comments
Compliance Privacy Regulations

“California Consumer Privacy Act – Now What Do We Do” – Free Webinar 1/22/19

By Rafael Moscatel, CIPM, CRM, IGP on

MUST-SEE WEBINAR: SAVE THE DATE – January 22

“California Consumer Privacy Act – Now What Do We Do?” 

Register here: https://zoom.us/webinar/register/WN_inuTshVvT9SAQ_XGa

Learn: Why data protection and privacy are important to my business What to do in case of a data breach Preparation for a cyber-attack Preparation for CCPA Preparation for PII/PHI breach response 

When: Wednesday, Jan. 22, 2020 Time: 10 a.m. PST/1 p.m. EST 

 

Posted in: ,
No comments
Compliance Regulations

FTC Finalizes Settlement with Company that Misled Consumers about how it Accesses and Uses their Email

By Rafael Moscatel, CIPM, CRM, IGP on

The Federal Trade Commission finalized a settlement with an email management company that allegedly deceived some consumers about how it accesses and uses their email.

The FTC alleged that Unrollme Inc., which helps users unsubscribe from unwanted emails or consolidate their email subscriptions, falsely told consumers that it would not “touch” their personal emails in order to persuade consumers to provide access to their email accounts.

In fact, Unrollme shared users’ email receipts from completed transactions with Unrollme’s parent company, Slice Technologies, Inc. E-receipts can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users’ e-receipts in the market research analytics products it sells.

As part of the settlement with the Commission, Unrollme is prohibited from misrepresenting the extent to which it collects, uses, stores, or shares information from consumers. It must also notify those consumers who signed up for Unrollme after viewing one of the allegedly deceptive statements about how it collects and shares information from e-receipts. The order also requires Unrollme to delete, from both its own systems and Slice’s systems, stored e-receipts previously collected from those consumers, unless it obtains their affirmative, express consent to maintain the e-receipts.

After receiving two comments, the Commission voted 4-0-1 to approve the settlement with Unrollme as well as responses to the commenters. Commissioner Rohit Chopra abstained from the vote.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Posted in: , ,
No comments
Compliance Information Governance Regulations

5 Ideas To Kickstart Your Governance, Risk and Compliance Program in the New Year!

By Rafael Moscatel, CIPM, CRM, IGP on

We’ve all been there. Sitting around the conference room with our compliance teams, droning on about scheduling conflicts, procedural details and strategy about strategy. Here are some actual substantive ideas, initiatives and approaches to privacy, data governance and cyber-security that can get the ball rolling next year.

1. Policies aren’t just documents you keep around in case you might have to show them to a judge one day. Start putting them to work and leveraging their authority to cut costs and reduce operational risks!

For example:

  • Privacy policies, now required to be updated annually by the State of California, can actually help drive data mapping exercises, leading to new insights into structured and unstructured data systems. Use those insights to help patch gaps in your IT infrastructure and even retire costly, redundant systems, classify shadow IT and discard unused shelfware.
  • Retention policies can be used as virtual blueprints to justify and destroy, costly, over-retained paper records and electronic data lingering around the office and waiting to be discovered… by your adversaries!
  • Cyber-security policies like those required by the New York DFS can be used to help IT decision makers prioritize strategic investments in your cyber-defense software.
2. Chief executives realize audits are necessary to continually optimize business processes, but even the sharpest leaders sometimes forget the most sobering, useful assessments are conducted by outside parties who don’t have an inherently biased interest in determining the findings.

Executives need to make sure they are told what they need to hear, not what they want to hear.

3. One of the reasons assurance departments like compliance, risk and internal audit struggle with their annual reviews is because of a lack of policy organization within their OWN departments.

Lack of procedural consistency, ownership of policy and overlap and confusion over a directives authority in can create even more conflict, risk and uncertainty for an organization. But relying on institutional knowledge and spreadsheets just doesn’t cut it anymore. That’s why every regulated company needs a strong technology backbone in the form of a GRC or governance risk and compliance software.

4. These days the risk is not just internal. With so much of our data in the cloud and managed by other parties, some of the greatest risks have moved outside of the firewall.

Organizations need strategies and tools to help them prioritize and manage those vendor risks effectively. Sophisticated and affordable tools that address consumer data privacy requests can also be used to map and streamline an organizations external data, whether it’s private in nature or otherwise.

5. Finally, risk is not a one size fits all problem. Investment needs to be proportional to the exposure. That’s why it’s important to spend enough time planning your long-term strategy rather diving headfirst into solutions that promise the moon and end up creating more infrastructure dependency than you bargained for.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers Insurance. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Posted in: , ,
No comments
Professional Development Records Management

Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders

By Rafael Moscatel, CIPM, CRM, IGP on

ICRM will not only conduct their spring Board and Business meetings at the MER Conference next May in Chicago, but will also facilitate a panel discussion  “Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders.” 

The panel of experts include: John Isaza, Esq, FAI, Rafael Moscatel, CRM, IGP, CIPM, and Wendy McLain, MLIS, CRM.  The panel of Academic Partners include: Patricia Franks, Ph.D, CRM, CA, IGP – San Jose State University; Gregory S. Hunter, Ph.D, CA, CRM, FSAA – Long Island University, Palmer School of Library and Information Science, and Tao Jin, Ph.D – Louisiana State University, School of Library and Information Science.

The desired outcome is to expand and nurture an ongoing and productive dialogue between our profession and academic institutions to ensure graduates are well prepared to fill current and future positions in key areas of Records and Information Management (RIM) and Information Governance (IG).  If interested in joining us at the MER Conference – go to their website and register for conference.  https://www.merconference.com/

Posted in: ,
No comments
Privacy Regulations

FTC Extends Deadline for Comments on COPPA Rule until December 11

By Rafael Moscatel, CIPM, CRM, IGP on

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Posted in: ,
No comments
Hacking Information Security Information Technology

Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses

By Rafael Moscatel, CIPM, CRM, IGP on
From the US Justice Department

Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat” Malware

Reward of up to $5 Million Offered for Information Leading to Arrest or Conviction

The United States of America, through its Departments of Justice and State, and the United Kingdom, through its National Crime Agency (NCA), today announced the unsealing of criminal charges in Pittsburgh, Pennsylvania, and Lincoln, Nebraska, against Maksim V. Yakubets, aka online moniker, “aqua,” 32, of Moscow, Russia, related to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present.  A second individual, Igor Turashev, 38, from Yoshkar-Ola, Russia, was also indicted in Pittsburgh for his role related to the “Bugat” malware conspiracy. The State Department, in partnership with the FBI, announced today a reward of up to $5 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Yakubets.  This represents the largest such reward offer for a cyber criminal to date.

Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Scott W. Brady for the Western District of Pennsylvania, U.S. Attorney Joseph P. Kelly for the District of Nebraska, FBI Deputy Director David Bowdich, Principal Deputy Assistant Secretary James A. Walsh of the State Department’s Bureau of International Narcotics and Law Enforcement Affairs (INL), and Director Rob Jones of the Cyber Crime Unit  at the United Kingdom’s National Crime Agency (NCA) made the announcement.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Assistant Attorney General Benczkowski.  “These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks.  The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.”

“For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world,” said U.S. Attorney Brady. “Deploying ‘Bugat’ malware, also known as ‘Cridex’ and ‘Dridex,’ these cybercriminals targeted individuals and companies in western Pennsylvania and across the globe in one of the most widespread malware campaigns we have ever encountered.  International cybercriminals who target Pennsylvania citizens and companies are no different than any other criminal: they will be investigated, prosecuted and held accountable for their actions.”

“The Zeus scheme was one of the most outrageous cybercrimes in history,” said U.S. Attorney Kelly.  “Our identification of Yakubets as the actor who used the moniker ‘aqua’ in that scheme, as alleged in the complaint unsealed today, is a prime example of how we will pursue cyber criminals to the ends of justice no matter how long it takes, by tracking their activity both online and off and working with our international partners to expose their crimes.”

“Today’s announcement involved a long running investigation of a sophisticated organized cybercrime syndicate,” said FBI Deputy Director Bowdich. “The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft. By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability. The actions highlighted today, which represent a continuing trend of cyber-criminal activity emanating from Russian actors, were particularly damaging as they targeted U.S. entities across all sectors and walks of life. The FBI, with the assistance of private industry and our international and U.S. government partners, is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”

“Combatting cybercrime remains a top national security priority for to the United States,” said INL Principal Deputy Assistant Secretary of State Walsh. “The announcements today represent a coordinated interagency effort to bring Maksim Yakubets to justice and to address cybercrime globally.”

“This is a landmark for the NCA, FBI and U.S. authorities and a day of reckoning for those who commit cybercrime,” said NCA Director Jones. “Following years of online pursuit, I am pleased to see the real world identity of Yakubets and his associate Turashev revealed.  Yakubets and his associates have allegedly been responsible for losses and attempted losses totalling hundreds of millions of dollars. This is not a victimless crime, those losses were once people’s life savings, now emptied from their bank accounts.  Today the process of bringing Yakubets and his criminal associates to justice begins.  This is not the end of our investigation, and we will continue to work closely with international partners to present a united front against criminality that threatens our prosperity and security.”

Yakubets and Turashev Indicted in Relation to “Bugat” Malware

A federal grand jury in Pittsburgh returned a 10-count indictment, which was unsealed today, against Yakubets and Turashev, charging them with conspiracy, computer hacking, wire fraud, and bank fraud, in connection with the distribution of “Bugat,” a multifunction malware package designed to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers.  Later versions of the malware were designed with the added function of assisting in the installation of ransomware.

According to the indictment, Bugat is a malware specifically crafted to defeat antivirus and other protective measures employed by victims.  As the individuals behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called “Cridex,” and later “Dridex,” according to the indictment.  Bugat malware was allegedly designed to automate the theft of confidential personal and financial information, such as online banking credentials, and facilitated the theft of confidential personal and financial information by a number of methods.  For example, the indictment alleges that the Bugat malware allowed computer intruders to hijack a computer session and present a fake online banking webpage to trick a user into entering personal and financial information.

The indictment further alleges that Yakubets and Turashev used captured banking credentials to cause banks to make unauthorized electronic funds transfers from the victims’ bank accounts, without the knowledge or consent of the account holders.  They then allegedly used persons, known as “money mules,” to receive stolen funds into their bank accounts, and then move the money to other accounts or withdraw the funds and transport the funds overseas as smuggled bulk cash.  According to the indictment, they also used a powerful online tool known as a botnet in furtherance of the scheme.

Yakubets was the leader of the group of conspirators involved with the Bugat malware and botnet, according to the indictment.  As the leader, he oversaw and managed the development, maintenance, distribution, and infection of Bugat as well as the financial theft and the use of money mules.  Turashev allegedly handled a variety of functions for the Bugat conspiracy, including system administration, management of the internal control panel, and oversight of botnet operations.

According to the indictment, Yakubets and Turashev victimized multiple entities, including two banks, a school district, and four companies including a petroleum business, building materials supply company, vacuum and thin film deposition technology company and metal manufacturer in the Western District of Pennsylvania and a firearm manufacturer.  The indictment alleges that these attacks resulted in the theft of millions of dollars, and occurred as recently as March 19, 2019.

Yakubets Charged in Relation to “Zeus” Malware

A criminal complaint was also unsealed in Lincoln today charging Yakubets with conspiracy to commit bank fraud in connection with the “Zeus” malware.  Beginning in May 2009, Yakubets and multiple co-conspirators are alleged to have a long-running conspiracy to employ widespread computer intrusions, malicious software, and fraud to steal millions of dollars from numerous bank accounts in the United States and elsewhere.  Yakubets and his co-conspirators allegedly infected thousands of business computers with malicious software that captured passwords, account numbers, and other information necessary to log into online banking accounts, and then used the captured information to steal money from victims’ bank accounts.  As with Bugat, the actors involved with the Zeus scheme were alleged to have employed the use of money mules and a botnet.

Yakubets and his co-conspirators are alleged to have victimized 21 specific municipalities, banks, companies, and non-profit organizations in California, Illinois, Iowa, Kentucky, Maine, Massachusetts, New Mexico, North Carolina, Ohio, Texas, and Washington, identified in the complaint, including multiple entities in Nebraska and a religious congregation.  According to the complaint, the deployment of the Zeus malware resulted overall in the attempted theft of an estimated $220 million USD, with actual losses of an estimated $70 million USD from victims’ bank accounts.  According to the complaint, Yakubets’ role in the Zeus scheme was to provide money mules and their associated banking credentials in order to facilitate the movement of money, which was withdrawn from victim accounts by fraudulent means.

An individual charged as John Doe #2, also known as “aqua,” was indicted in District of Nebraska in case number 4:11-CR-3074.  The indictment in that case charges that individual and others with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud related to the Zeus scheme.  As alleged, the complaint unsealed today associates use of the moniker “aqua” in the Zeus scheme to Yakubets.

In case number 4:11-CR-3074, two of the co-conspirators of “aqua,” Ukrainian nationals Yuriy Konovaleko and Yevhen Kulibaba, were extradited from the United Kingdom to the United States.  Konovalenko and Kulibaba both pleaded guilty in 2015 to conspiracy to participate in racketeering activity and have completed prison sentences that were imposed.  Konovalenko and Kulibaba were previously convicted in the United Kingdom, after an investigation conducted by the Metropolitan Police Service, for their role in laundering £3 million GBP on behalf of the group responsible for the Zeus malware.

State Department $5 million USD Reward

The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering a reward of up to $5 million for information on Yakubets.  Cyber threats are a top national security threat to the United States, and the Department of State’s TOC Rewards Program is one of the many tools used by U.S. authorities to bring significant cybercriminals to justice.  Congress established the TOC Rewards Program in 2013 to support law enforcement efforts to dismantle transnational criminal organizations and bring their leaders and members to justice.  The U.S. Department of State’s Bureau of International Narcotics and Law Enforcement Affairs manages the program in coordination with other U.S. federal agencies.

In addition to NCA, the law enforcement actions taken related to these two prosecutions were assisted by the efforts of law enforcement counterparts from The Netherlands, Germany, Belarus, Ukraine, and the Russian Federation.

The FBI’s Pittsburgh and Omaha Field Offices led the investigations of Yakubets and Turashev with assistance by the FBI’s Major Cyber Crimes Unit and Global Operations and Targeting Unit.  The prosecution in Pittsburgh is being handled by Assistant U.S. Attorney Shardul S. Desai of the Western District of Pennsylvania, and the prosecution in Lincoln is being handled by Senior Counsel William A. Hall, Jr., of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Steven A. Russell of the District of Nebraska.  The Criminal Division’s Office of International Affairs provided significant assistance throughout the criminal investigations.  The Department’s National Security Division also provided investigative assistance.

The details contained in the indictment, criminal complaint and related pleadings are merely accusations, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Continue reading “Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses”

Posted in: , , ,
No comments
Ethics Information Security Privacy

FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield

By Rafael Moscatel, CIPM, CRM, IGP on

The Federal Trade Commission issued an Opinion finding that the data analytics and consulting company Cambridge Analytica, LLC engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The Opinion also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework.

In an administrative complaint filed in July, FTC staff alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. Nix and Kogan agreed to settle the FTC’s allegations. Cambridge Analytica, which filed for bankruptcy in 2018, did not respond to the complaint filed by FTC staff, or a motion submitted for summary judgment of the allegations.

The FTC staff’s administrative complaint alleged that Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The complaint also alleged that Cambridge Analytica claimed it participated in the EU-U.S. Privacy Shield—which allows companies to transfer consumer data legally from European Union countries to the United States—after allowing its certification to lapse. In addition, the complaint alleged the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

In its Opinion, the Commission found that Cambridge Analytica violated the FTC Act through the deceptive conduct alleged in the complaint. The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations. In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.

The Commission voted 5-0 to issue the Opinion and Final Order.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Posted in: , , , ,
No comments