Month: April 2021

A grand jury has indicted a California resident accused of stealing Shopify customer data on over a hundred merchants, TechCrunch has learned.

The indictment charges Tassilo Heinrich with aggravated identity theft and conspiracy to commit wire fraud by allegedly working with two Shopify customer support agents to steal merchant and customer data from Shopify customers to gain a competitive edge and “take business away from those merchants,” the indictment reads. The indictment also accuses Heinrich, believed to be around 18 years old at the time of the alleged scheme, of selling the data to other co-conspirators to commit fraud.

A person with direct knowledge of the security breach confirmed Shopify was the unnamed victim company referenced in the indictment.

Last September, Shopify, an online e-commerce platform for small businesses, revealed a data breach in which two “rogue members” of its third-party customer support team of “less than 200 merchants.” Shopify said it fired the two contractors for engaging “in a scheme to obtain customer transactional records of certain merchants.”

Shopify said the contractors stole customer data, including names, postal addresses and order details, like which products and services were purchased. One merchant who received the data breach notice from Shopify said the last four digits of affected customers’ payment cards were also taken, which the indictment confirms.

Another one of the victims was Kylie Jenner’s cosmetics and make-up company, Kylie Cosmetics, the BBC reported.

The indictment accuses Heinrich of paying an employee of a third-party customer support company in the Philippines to access parts of Shopify’s internal network by either taking screenshots or uploading the data to Google Drive in exchange for kickbacks. Heinrich paid the employee in thousands of dollars worth of cryptocurrency, and also fake positive reviews claiming to be from merchants to whom the employee had provided customer service but had not left feedback. The indictment alleges that Heinrich received a year’s worth of some merchants’ data.

Heinrich allegedly spent at least a year siphoning off incrementing amounts of data from Shopify’s internal network, at one point asking if he could “remotely access” the customer support employee’s computer while they were asleep.

In a brief statement, Shopify spokesperson Rebecca Feigelsohn said: “Shopify has cooperated with the FBI to investigate an incident involving the data of a small number of our merchants in September 2020. As previously stated, the perpetrators involved no longer work with Shopify. Because there is an active criminal investigation, we are unable to provide further comment at this time.”

Heinrich was arrested by the FBI at Los Angeles International Airport in February and is currently detained in federal custody pending trial, set to begin on September 7. Heinrich has pleaded not guilty.

Updated with comment from Shopify.

Source: Tech Crunch

As consumers build their wealth, assets are typically tangible: cash, investments, property, cars, jewelry, art. But increasingly we’re adding a new type of asset to the mix: digital assets, whether in the form of cryptocurrency or a new asset class, NFTs.

We’re going through the biggest wealth transfer in history right now, with an estimated $16 trillion expected to change hands in the coming decades. While it’s easy to hand over the reins of a physical asset in the event of an emergency or death, it’s not as simple with digital assets.

A new Angus Reid study commissioned by Canadian online will platform Willful finds that only one in four consumers have someone in their life who knows all of their passwords and account details, which begs the question: Will consumers be prepared to pass on digital assets, or will billions in virtual goods be stuck in the digital ether?

Digital assets have been dominating the news cycle in 2021. While cryptocurrency isn’t new, it’s attracted a lot of attention in the past year because of its skyrocketing value, promotion from prominent figures like billionaire Elon Musk, and bitcoin offerings from traditional financial firms like Morgan Stanley. If you hold any type of cryptocurrency, the only way to access it is via a private key — typically a 64-digit passcode. No private key, no access to the virtual currency.

There have been many stories reported about people who purchased bitcoin and would be millionaires today if they hadn’t thrown out their hard drive or lost track of their key. One high-profile case is that of Gerald Cotten, the founder of cryptocurrency exchange Quadriga. When Cotten died in 2018, he took with him the private keys to over $250 million in client assets.

Consumers have also been inundated with stories about NFTs, or non-fungible tokens, which are digital assets hosted on the same blockchain that makes cryptocurrency possible. To most, it seems absurd that artist Beeple could sell a $69 million piece of art through a Christie’s auction, or that a virtual home in Toronto could sell for over $600,000, or that people would spend over $200 million trading virtual NBA highlights like we used to trade baseball cards. But this new asset class is proving that digital assets can be as valuable if not more valuable than physical assets — and similar to cryptocurrency, they likely require a private key to access them.

When someone dies, they either have a will that dictates how their assets will be distributed, or, if they die without a will, a government formula outlines how their assets will be divided. While a will outlines who should receive what, it typically doesn’t have an up-to-date asset list, nor does it contain passwords or access keys. There’s an estimated tens of billions in unclaimed assets sitting in banks today as a result of a family or executor not knowing about those accounts following an individual’s death.

But an executor can do due diligence by calling financial institutions to double-check whether the person held accounts and get access to those funds, which typically requires providing copies of the will and/or death certificate. With digital assets, it’s not as simple as calling the bank and finding out a relative had a valuable NFT. There’s no directory or central body that governs NFTs or cryptocurrency — it’s purposely decentralized, which is great for privacy but less than ideal for family members who want to figure out if someone held valuable digital assets.

And it’s not just about knowing digital assets exist — it’s about knowing how to access them. A recent study from the Angus Reid Forum, commissioned by Willful, showed that consumers under 35 are way less likely to have shared account access with loved ones (19% of those under 35 have shared account info, compared with 32% of those over 55). This makes sense, since the younger you are, the less likely you are to think about passing on assets after you die. But this tech-savvy younger demographic may leave their families in the lurch if something happens.

So what can consumers do to ensure their digital assets are protected? First, consider using a password manager like 1Password — which can store all of your account information, logins, private keys to digital assets and any other key information — and share the master access password with your executor or store it with your will.

While this can ensure easy access to your accounts in an emergency, Lee Poskanzer, the founder of Directive Communication Systems, says it can also put your family or executors at risk, highlighting that in many cases, website and app owners explicitly prohibit password sharing in their terms of service, and privacy laws in some jurisdictions prohibit account holder impersonation (in the U.S., that’s covered by the Stored Communications and Electronic Communications Privacy Act). Not to mention, accounts increasingly require two-factor authentication, which may not be easy to confirm if executors don’t have access to the person’s smartphone.

Directive Communication Systems’ platform helps manage the transfer of digital assets upon death, and Poskanzer says they don’t collect passwords for this reason. Instead, they work with the estate to provide content providers (Google, social media platforms, etc.) with required documentation, which can include a death certificate, obituary, ID or other documents. Upon meeting those requirements, which vary by company, content providers provide a data dump of an account’s contents, making them available via the cloud.

Second, consider using a digital wallet or exchange to store your digital assets — if your family has access to that, it may also include access to your private keys, depending on the wallet’s features, or the exchange itself may have a death-management process.

For example, Coinbase clearly outlines what an executor or family member can do to retrieve digital assets in case of the death of the account holder. As a backup, you can store your private key on a physical piece of paper and ensure it’s stored in a safe deposit box, fireproof safe or other safe place your executor can access in the event of your passing.

Third, create an up-to-date list of your assets that your executor and/or key family members have access to — this should include physical and digital assets, and should be reviewed and updated either annually or when you acquire a new asset or change financial institutions. Finally, create a will that clearly outlines how you want your assets to be distributed and provide specific instructions on how you want digital assets to be distributed.

Not only is this best practice to protect your assets of any kind and to appoint key roles like guardians for minor children, it will also likely be required in order to release any account contents (for example, Coinbase requires a copy of the will as part of its process to release funds to an estate).

As we go through this major wealth transfer between generations, it’s likely that banks, fintechs, crypto exchanges, social media platforms and other content providers will create clear death-management processes that make it easier to alert people about digital assets before you die and provide easy access instructions. But until that happens, following these steps means you can ensure your assets go to the people or organizations you want them to — and that they won’t be stuck in digital purgatory.

Source: Tech Crunch

The highest court in the land has a lot to say about tech this week. The Supreme Court weighed in on Google’s long legal battle with Oracle on Monday, overturning a prior victory for the latter company that could have resulted in an $8 billion award.

In a 6-2 decision, the court ruled that Google didn’t break copyright laws when it incorporated pieces of Oracle’s Java software language into its own mobile operating system. Google copied Oracle’s code for Java APIs for Android, and the case kicked off a yearslong debate over the reuse of established APIs and copyright.

In 2018, a federal appeals court ruled that Google did in fact violate copyright law by using the APIs and that its implementation didn’t fall under fair use.

“In reviewing that decision, we assume, for argument’s sake, that the material was copyrightable. But we hold that the copying here at issue nonetheless constituted a fair use. Hence, Google’s copying did not violate the copyright law,” Justice Stephen Breyer wrote in the decision, which reverses Oracle’s previous win. Justices Samuel Alito and Clarence Thomas dissented.

“Google’s copying of the Java SE API, which included only those lines of code that were needed to allow programmers to put their accrued talents to work in a new and transformative program, was a fair use of that material as a matter of law,” Breyer wrote.

Google SVP of Global Affairs Kent Walker called the ruling, embedded below, a “big win for innovation, interoperability & computing.”

Click to access 18-956_d18f.pdf

Source: Tech Crunch

Welcome back to The TechCrunch Exchange, a weekly startups-and-markets newsletter. It’s broadly based on the daily column that appears on Extra Crunch, but free, and made for your weekend reading. Want it in your inbox every Saturday? Sign up here. 

Happy Saturday, everyone. I do hope that you are in good spirits and in good health. I am learning to nap, something that has become a requirement in my life after I realized that the news cycle is never going to slow down. And because my partner and I adopted a third dog who likes to get up early, please join me in making napping cool for adults, so that we can all rest up for Vaccine Summer. It’s nearly here.

On work topics, I have a few things for you today, all concerning data points that matter: Q1 2021 M&A data, March VC results from Africa, and some surprising (to me, at least) podcast numbers.

On the first, Dan Primack shared a few early first-quarter data points via Refinitiv that I wanted to pass along. Per the financial data firm, global M&A activity hit $1.3 trillion in Q1 2021, up 93% from Q1 2020. U.S. M&A activity reached an all-time high in the first quarter, as well. Why do we care? Because the data helps underscore just how hot the last three months have been.

I’m expecting venture capital data itself for the quarter to be similarly impressive. But as everyone is noting this week, there are some cracks appearing in the IPO market, as the second quarter begins that could make Q2 2021 a very different beast. Not that the venture capital world will slow, especially given that Tiger just reloaded to the tune of $6.7 billion.

On the venture capital topic, African-focused data firm Briter Bridges reports that “March alone saw over $280 million being deployed into tech companies operating across Africa,” driven in part by “Flutterwave’s whopping $170 million round at a $1 billion valuation.”

The data point matters as it marks the most active March that the African continent has seen in venture capital terms since at least 2017 — and I would guess ever. African startups tend to raise more capital in the second half of the year, so the March result is not an all-time record for a single month. But it’s bullish all the same, and helps feed our general sentiment that the first quarter’s venture capital results could be big.

And finally, Index Ventures’ Rex Woodbury tweeted some Edison data, namely that “80 million Americans (28% of the U.S. 12+ population) are weekly podcast listeners, +17% year-over-year.” The venture capitalist went on to add that “62% of the U.S. 12+ population (around 176 million people) are weekly online audio listeners.”

As we discussed on Equity this week, the non-music, streaming audio market is being bet on by a host of players in light of Clubhouse’s success as a breakout consumer social company in recent months. Undergirding the bets by Discord and Spotify and others are those data points. People love to listen to other humans talk. Far more than I would have imagined, as a music-first person.

How nice it is to be back in a time when consumer investing is neat. B2B is great but not everything can be enterprise SaaS. (Notably, however, it does appear that Clubhouse is struggling to hold onto its own hype.)

Look I can’t keep up with all the damn venture capital rounds

TechCrunch Early Stage was this week, which went rather well. But having an event to help put on did mean that I covered fewer rounds this week than I would have liked. So, here are two that I would have typed up if I had had the spare hours:

• Striim’s $50 million Series C. Goldman led the transaction. Striim, pronounced stream I believe, is a software startup that helps other companies move data around their cloud and on-prem setups in real time. Given how active the data market is today, I presume that the TAM for Striim is deep? Quickly flowing? You can supply a better stream-centered word at your leisure.
• Kudo’s $21 million Series A. I covered Kudo last July when it raised $6 million. The company provides video-chat and conferencing services with support for  real-time translation. It had a good COVID-era, as you can imagine. Felicis led the A after taking part in the seed round. I’ll see if I can extract some fresh growth metrics from the company next week. One to watch.

And two more rounds that you also might have missed that you should not. Holler raised $36 million in a Series B. Per our own Anthony Ha, “[y]ou may not know what conversational media is, but there’s a decent chance you’ve used Holler’s technology. For example, if you’ve added a sticker or a GIF to your Venmo payments, Holler actually manages the app’s search and suggestion experience around that media.”

I feel old.

And in case you are not paying enough attention to Latin American tech, this $150 million Uruguayan round should help set you straight.

Various and sundry

Finally this week, some good news. If you’ve read The Exchange for any length of time, you’ve been forced to read me prattling on about the Bessemer cloud index, a basket of public software companies that I treat with oracular respect. Now there’s a new index on the market.

Meet the Lux Health + Tech Index. Per Lux Capital, it’s an “index of 57 publicly traded companies that together best represent the rapidly emerging Health + Tech investment theme.” Sure, this is branded to the extent that, akin to the Bessemer collection, it is tied to a particular focus of the backing venture capital firm. But what the new Lux index will do, as with the Bessemer collection, is track how a particular venture firm is itself tracking the public comps for their portfolio.

That’s a useful thing to have. More of this, please.

Alex

Source: Tech Crunch

Amazon kicked off the holiday weekend by backtracking slightly on a social media offensive that unfolded in the waning days of a historic unionization vote. The earlier  comments reportedly arrived as Jeff Bezos was pushing for a more aggressive strategy.

Along with taking on Senators Bernie Sanders and Elizabeth Warren, the Amazon News Twitter account went toe to toe with Congressman, Mark Pocan. The Wisconsin Democrat cited oft-reported stories of Amazon workers urinating in bottles in reaction to comments from Consumer CEO, Dave Clark.

“You don’t really believe the peeing in bottles thing, do you?” the account asked. “If that were true, nobody would work for us. The truth is that we have over a million incredible employees around the world who are proud of what they do, and have great wages and health care from day one.”

The Congressman’s initial response was pithy and to the point: “[Y]es, I do believe your workers. You don’t?”

Subsequent reports have served to cement those stories. One called the urination issue “widespread” among Amazon drivers, adding that defecation had also, reportedly, become a problem. Last night, the company offered a mea culpa of sorts, saying it “owe[s] an apology to Representative Pocan.”

Things break down a bit from there. Amazon’s apology acknowledges that workers peeing in bottles is a thing, but appears to imply that it’s limited to drivers and not the fulfillment center staff at the center of this large scale unionization effort. From there, the company adds that drivers peeing in bottles is an “industry-wide issue and is not specific to Amazon.”

The company helpfully includes a list of links and tweets that are, at very least, an indictment of the gig economy and the treatment of blue collar workers, generally. Essentially, Amazon is admitting to being a part of the problem, while working to spread the blame across an admittedly faulty system.

Reports of workers urinating in bottles also go beyond drivers, including stories of warehouse employees resorting to the act in order to meet stringent quotas.

“A typical Amazon fulfillment center has dozens of restrooms, and employees are able to step away from their work station at any time,” company writes in the post attributed to anonymous Amazon Staff. “If any employee in a fulfillment center has a different experience, we encourage them to speak to their manager and we’ll work to fix it.”

Union vote counting for the company’s Bessemer, Alabama warehouse began last week. Results could have a wide-ranging impact on both Amazon and the industry at large.

Source: Tech Crunch

As governments scrambled to lock down their populations after the COVID-19 pandemic was declared last March, some countries had plans underway to reopen. By June, Jamaica became one of the first countries to open its borders.

Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, bringing thousands of jobs to its three million residents. But as COVID-19 stretched into the summer, Jamaica’s economy was in free fall, and tourism was its only way back — even if that meant at the expense of public health.

The Jamaican government contracted with Amber Group, a technology company headquartered in Kingston, to build a border entry system allowing residents and travelers back onto the island. The system was named JamCOVID and was rolled out as an app and a website to allow visitors to get screened before they arrive. To cross the border, travelers had to upload a negative COVID-19 test result to JamCOVID before boarding their flight from high-risk countries, including the United States.

Amber Group’s CEO Dushyant Savadia boasted that his company developed JamCOVID in “three days” and that it effectively donated the system to the Jamaican government, which in turn pays Amber Group for additional features and customizations. The rollout appeared to be a success, and Amber Group later secured contracts to roll out its border entry system to at least four other Caribbean islands.

But last month TechCrunch revealed that JamCOVID exposed immigration documents, passport numbers, and COVID-19 lab test results on close to half a million travelers — including many Americans — who visited the island over the past year. Amber Group had set the access to the JamCOVID cloud server to public, allowing anyone to access its data from their web browser.

Whether the data exposure was caused by human error or negligence, it was an embarrassing mistake for a technology company — and, by extension, the Jamaican government — to make.

And that might have been the end of it. Instead, the government’s response became the story.

A trio of security lapses

By the end of the first wave of coronavirus, contact tracing apps were still in their infancy and few governments had plans in place to screen travelers as they arrived at their borders. It was a scramble for governments to build or acquire technology to understand the spread of the virus.

Jamaica was one of a handful of countries using location data to monitor travelers, prompting rights groups to raise concerns about privacy and data protection.

As part of an investigation into a broad range of these COVID-19 apps and services, TechCrunch found that JamCOVID was storing data on an exposed, passwordless server.

This wasn’t the first time TechCrunch found security flaws or exposed data through our reporting. It also was not the first pandemic-related security scare. Israeli spyware maker NSO Group left real location data on an unprotected server that it used for demonstrating its new contact tracing system. Norway was one of the first countries with a contact tracing app, but pulled it after the country’s privacy authority found the continuous tracking of citizens’ location was a privacy risk.

Just as we have with any other story, we contacted who we thought was the server’s owner. We alerted Jamaica’s Ministry of Health to the data exposure on the weekend of February 13. But after we provided specific details of the exposure to ministry spokesperson Stephen Davidson, we did not hear back. Two days later, the data was still exposed.

After we spoke to two American travelers whose data was spilling from the server, we narrowed down the owner of the server to Amber Group. We contacted its chief executive Savadia on February 16, who acknowledged the email but did not comment, and the server was secured about an hour later.

We ran our story that afternoon. After we published, the Jamaican government issued a statement claiming the lapse was “discovered on February 16” and was “immediately rectified,” neither of which were true.

Instead, the government responded by launching a criminal investigation into whether there was any “unauthorized” access to the unprotected data that led to our first story, which we perceived to be a thinly veiled threat directed at this publication. The government said it had contacted its overseas law enforcement partners.

When reached, a spokesperson for the FBI declined to say whether the Jamaican government had contacted the agency.

Things didn’t get much better for JamCOVID. In the days that followed the first story, the government engaged a cloud and cybersecurity consultant, Escala 24×7, to assess JamCOVID’s security. The results were not disclosed, but the company said it was confident there was “no current vulnerability” in JamCOVID. Amber Group also said that the lapse was a “completely isolated occurrence.”

A week went by and TechCrunch alerted Amber Group to two more security lapses. After the attention from the first report, a security researcher who saw the news of the first lapse found exposed private keys and passwords for JamCOVID’s servers and databases hidden on its website, and a third lapse that spilled quarantine orders for more than half a million travelers.

Amber Group and the government claimed it faced “cyberattacks, hacking and mischievous players.” In reality, the app was just not that secure.

Politically inconvenient

The security lapses come at a politically inconvenient time for the Jamaican government, as it attempts to launch a national identification system, or NIDS, for the second time. NIDS will store biographic data on Jamaican nationals, including their biometrics, such as their fingerprints.

The repeat effort comes two years after the government’s first law was struck down by Jamaica’s High Court as unconstitutional.

Critics have cited the JamCOVID security lapses as a reason to drop the proposed national database. A coalition of privacy and rights groups cited the recent issues with JamCOVID for why a national database is “potentially dangerous for Jamaicans’ privacy and security.” A spokesperson for Jamaica’s opposition party told local media that there “wasn’t much confidence in NIDS in the first place.”

It’s been more than a month since we published the first story and there are many unanswered questions, including how Amber Group secured the contract to build and run JamCOVID, how the cloud server became exposed, and if security testing was conducted before its launch.

TechCrunch emailed both the Jamaican prime minister’s office and Jamaica’s national security minister Matthew Samuda to ask how much, if anything, the government donated or paid to Amber Group to run JamCOVID and what security requirements, if any, were agreed upon for JamCOVID. We did not get a response.

Amber Group also has not said how much it has earned from its government contracts. Amber Group’s Savadia declined to disclose the value of the contracts to one local newspaper. Savadia did not respond to our emails with questions about its contracts.

Following the second security lapse, Jamaica’s opposition party demanded that the prime minister release the contracts that govern the agreement between the government and Amber Group. Prime Minister Andrew Holness said at a press conference that the public “should know” about government contracts but warned “legal hurdles” may prevent disclosure, such as for national security reasons or when “sensitive trade and commercial information” might be disclosed.

That came days after local newspaper The Jamaica Gleaner had a request to obtain contracts revealing the salaries state officials denied by the government under a legal clause that prevents the disclosure of an individual’s private affairs. Critics argue that taxpayers have a right to know how much government officials are paid from public funds.

Jamaica’s opposition party also asked what was done to notify victims.

Government minister Samuda initially downplayed the security lapse, claiming just 700 people were affected. We scoured social media for proof but found nothing. To date, we’ve found no evidence that the Jamaican government ever informed travelers of the security incident — either the hundreds of thousands of affected travelers whose information was exposed, or the 700 people that the government claimed it notified but has not publicly released.

TechCrunch emailed the minister to request a copy of the notice that the government allegedly sent to victims, but we did not receive a response. We also asked Amber Group and Jamaica’s prime minister’s office for comment. We did not hear back.

Many of the victims of the security lapse are from the United States. Neither of the two Americans we spoke to in our first report were notified of the breach.

Spokespeople for the attorneys general of New York and Florida, whose residents’ information was exposed, told TechCrunch that they had not heard from either the Jamaican government or the contractor, despite state laws requiring data breaches to be disclosed.

The reopening of Jamaica’s borders came at a cost. The island saw over a hundred new cases of COVID-19 in the month that followed, the majority arriving from the United States. From June to August, the number of new coronavirus cases went from tens to dozens to hundreds each day.

To date, Jamaica has reported over 39,500 cases and 600 deaths caused by the pandemic.

Prime Minister Holness reflected on the decision to reopen its borders last month in parliament to announce the country’s annual budget. He said the country’s economic decline last was “driven by a massive 70% contraction in our tourist industry.” More than 525,000 travelers — both residents and tourists — have arrived in Jamaica since the borders opened, Holness said, a figure slightly more than the number of travelers’ records found on the exposed JamCOVID server in February.

Holness defended reopening the country’s borders.

“Had we not done this the fall out in tourism revenues would have been 100% instead of 75%, there would be no recovery in employment, our balance of payment deficit would have worsened, overall government revenues would have been threatened, and there would be no argument to be made about spending more,” he said.

Both the Jamaican government and Amber Group benefited from opening the country’s borders. The government wanted to revive its falling economy, and Amber Group enriched its business with fresh government contracts. But neither paid enough attention to cybersecurity, and victims of their negligence deserve to know why.

Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more. 

Source: Tech Crunch

The cyber world has entered a new era in which attacks are becoming more frequent and happening on a larger scale than ever before. Massive hacks affecting thousands of high-level American companies and agencies have dominated the news recently. Chief among these are the December SolarWinds/FireEye breach and the more recent Microsoft Exchange server breach. Everyone wants to know: If you’ve been hit with the Exchange breach, what should you do?

To answer this question, and compare security philosophies, we outlined what we’d do — side by side. One of us is a career attacker (David Wolpoff), and the other a CISO with experience securing companies in the healthcare and security spaces (Aaron Fosdick).

CISO Aaron Fosdick

1. Back up your system.

A hacker’s likely going to throw some ransomware attacks at you after breaking into your mail server. So rely on your backups, configurations, etc. Back up everything you can. But back up to an instance before the breach. Design your backups with the assumption that an attacker will try to delete them. Don’t use your normal admin credentials to encrypt your backups, and make sure your admin accounts can’t delete or modify backups once they’ve been created. Your backup target should not be part of your domain.

2. Assume compromise and stop connectivity if necessary.

Identify if and where you have been compromised. Inspect your systems forensically to see if any systems are using your surface as a launch point and attempting to move laterally from there. If your Exchange server is indeed compromised, you want it off your network as soon as possible. Disable external connectivity to the internet to ensure they cannot exfiltrate any data or communicate with other systems in the network, which is how attackers move laterally.

3. Consider deploying default/deny.

Source: Tech Crunch