The Week In Breach October 1 2018

Cyber Awareness Month

This week Medical Data is on our minds, due to a new study on the healthcare industry and cyber security. Facebook and the United Nations were also breached this week, and both were very large datasets, impacting tens of millions of people.

Dark Web ID Weekly Trends:

  • Total Compromises: 861
  • Top Source Hits: ID Theft Forum
  • Top PIIs compromised: Domains
    • Clear Text Passwords: 501
  • Top Company Size: 11-50
  • Top Industry: High-Tech & IT

United States – Facebook

https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

Exploit: Web vulnerability.
Facebook: Facebook is a social media platform that is one of the Internet’s most popular websites.
Risk to Small Business: 2.333 = Severe: The loss of trust any organization would feel after a breach of this magnitude would greatly harm the organization’s ability to retain or obtain customers.
Individual Risk: 2.571 = Moderate: The data accessed puts those affected by this breach at an increased risk for identity theft, spam and targeted phishing campaigns.
Customers Impacted: 50 million.

How it Could Affect Your Business: Facebook being such a large and widely used social media platform means that it holds data on a large share of the Internet-using population. If employees post information to this site, they could now be exposed to targeted phishing campaigns and spam.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Aspire Health

https://www.usatoday.com/story/money/nation-now/2018/09/26/aspire-health-hacked-phishing-scheme-patient-health-data/1430262002/

Exploit: Compromised email account hacked through a phishing scheme.
Aspire Health: According to Aspire Health’s website, “Aspire Health specializes in providing an extra layer of support and relief from stress, pain and symptoms to patients facing a serious illness.”
Risk to Small Business: 2.333 = Severe: The risk to small business is severe due to medical data as well as confidential information being accessed.
Individual Risk: 2.571 = Moderate: The data accessed puts those affected by this breach at an increased risk for identity theft.
Customers Impacted: This information has not been released as the investigation is ongoing.

How it Could Affect Your Business: Breaches that involve medical data can have serious long-lasting effects on the reputation of a business, due to the sensitive nature of the data.

ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: http://downloads.primetelecommunications.com/Dark-WeB


United Nations

https://cyware.com/news/united-nation-wordpress-site-publicly-exposes-thousands-of-resumes-2f2a8cf1

Exploit: WordPress Vulnerability.
United Nations: An intergovernmental organization tasked to promote international cooperation and to create and maintain international order.
Risk to Small Business: 2.333 = Severe: While the United Nations is unlikely to see any repercussions for this breach, a small business would face serious PR consequences if it experienced a breach such as this.
Individual Risk: 2.714 = Moderate: Resumes contain a significant amount of personal information and job history, which can be used for spear phishing attacks and identity theft.
Customers Impacted: Resumes that have been submitted to the UN since 2016.

How it Could Affect Your Customer’s Business: The exposure of resumes for 2 years would deal a serious blow to an organization of any size: the length of time the data was exposed and the type of data included in resumes make this breach score severe on our risk scale.



In Other News:

No Fly Zone
The Dark Web is known to have all things illegal for sale, from medical information to illicit drugs. A new trend has been discovered by researchers where frequent flyer miles are being sold for significantly less than what legitimate buyers would pay. The average rate that a batch of frequent flyer miles sells for is $31, although the price depends on the airline and number of miles.
https://www.hackread.com/stolen-frequent-flyer-miles-of-top-airlines-sold-on-dark-web/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


A note for you:

The Cost of Healthcare on The Dark Web.
We all know that compromised health records and other medical information is highly valuable and sought after on the Dark Web. A new study by JAMA helps us conceptualize the volume of medical information for sale, and how much your health records go for on the Dark Web.

The annual data breach tally has increased every year since 2010 (except for 2015). The median number of records accessed per breach: 2,300. The mean number of records accessed per breach: 84,456. With patient records selling on the Dark Web for $300 – $500, hackers could make close to $700,000 ($690,000) by breaching an organization that stores medical information.

Who in the healthcare sector was hit the hardest?

  • Healthcare providers: 1,503 data breaches or 37.1 million records
  • Health plans: 278 data breaches or 110.4 million records

Be careful where you allow your medical records to be stored!
https://www.hcanews.com/news/yes-healthcares-data-breach-problem-really-is-that-bad


The Week in Breach – Post Labor Day 2018 Edition

Breaches are flying high this week thanks to Air Canada! China’s hospitality industry was targeted, and the data showed up on the Dark Web. And, in an effort to cut out Google’s cut, the creators of the game Fortnite have created massive security challenges for unwitting gamers.

Highlights from The Week in Breach:

  • Fortnite on Android.
  • Hackers Take Flight!
  • Russian Breach.

In Other News:

Trust
Several companies that specialize in developing software designed to spy on one’s spouse or other unsuspecting “targets” have been compromised over the past few years. This category of software, which is essentially spyware installed on the target’s phone, collects a good bit of highly personal and sensitive data. This time, the company who makes the app, TheTruthSpy, was breached, allowing the target’s texts, location information, social media chats and other sensitive data to be extracted and posted on TOR/Dark Web forums for all to see.
https://motherboard.vice.com/en_us/article/mb4y5x/thetruthspy-spyware-domestic-abusers-hacked-data-breach

Fortnope
It seems like every kid on the planet is playing the popular video game, Fortnite, these days. Epic, who is the maker of the hit title, is planning on launching the Android version of the game soon, but not on the Google Play Store… this is an unprecedented move by a well-respected and popular game title, and likely has to do with Epic not wanting to give Google a cut of their money printing machine. This controversial move by the game developer has been made even more so due to Google researchers finding that the app is vulnerable to ‘man in the disk’ attacks. Man in the disk is an attack vector that takes advantage of Android’s less-secure external storage space. The vulnerability has since been patched, but make sure to have your kids update their app.  Scratch that… tell your kids to put the game down and go outside and play! Seriously people!
https://www.bleepingcomputer.com/news/security/fortnite-android-app-vulnerable-to-man-in-the-disk-attacks/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
IT Provider Network – The Podcast for Growing IT Service
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Small Business, Big Marketing – Australia’s #1 Marketing Show!


Canada – Air Canada
Exploit: Unclear.
Risk to Small Business: High: The number of customers affected is a low percentage of the airline’s customer base, but to most other businesses, a breach of this scale would be much worse. Either way, the breach is extremely damaging to the company due to loss of customer trust.
Individual Risk: Extreme: The nature of the data leaked is highly sensitive and useful for identity theft.
Air Canada: Canada’s largest full-service airline.
Date Occurred/Discovered: August 22, 2018 – August 24, 2018
Date Disclosed: August 29, 2018
Data Compromised:

  • Names
  • Email addresses
  • Phone numbers
  • Passport numbers
  • Passport expiry date
  • Passport country of issuance
  • NEXUS numbers
  • Gender
  • Dates of birth
  • Nationality
  • Country of Residence

Customers Impacted: 20,000
https://techcrunch.com/2018/08/29/air-canada-confirms-mobile-app-data-breach/

China – Huazhu Hotels Group
Exploit: Unclear.
Risk to Small Business: High: The loss of customer trust alone would greatly cost the company, in addition to the other costs associated with a breach.
Individual Risk: Extreme: The information is already for sale on the Dark Web.
Huazhu Hotels Group: One of China’s largest hotel chains.
Date Occurred/Discovered: Earlier this month
Date Disclosed: August 28, 2018
Data Compromised:

  • ID card number
  • Mobile phone number
  • Email address
  • Login password
  • Customer name
  • Home address
  • Date of birth
  • Check in time
  • Departure time
  • Hotel ID number
  • Room number

Customers Impacted: 130 million
https://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/

Russia – ABBYY
Exploit: Exposed database.
Risk to Small Business: Extreme: Sensitive internal documents were exposed that could have major effects on their business.
Individual Risk: Low: Only corporate documents were exposed.
ABBYY: Moscow-based optical character recognition software provider.
Date Occurred/Discovered: August 19, 2018
Date Disclosed: August 27, 2018
Data Compromised:

  • Contracts
  • Non-disclosure agreements
  • Memos
  • Other confidential documents

Customers Impacted: 200,000 sensitive documents.
https://cyware.com/news/abbyy-inadvertently-exposes-over-200000-sensitive-documents-via-unsecured-mongodb-database-be026aa2



Scam, Scam, Go Away.
Australia is well-known to be a dangerous place, with many poisonous plants and animals that inhabit its borders. Another danger in the outback is cybercriminals! According to the Australian Competition and Consumer Commission, Australian small businesses have been scammed out of $2.3 million so far in 2018.

The scam that most frequently targeted businesses is the false-billing scam, while employment and investment scams funneled the most amount of money away from Australian businesses.

Stay safe out there and make sure to have a healthy dose of suspicion when dealing with unexpected emails, especially those that deal with money!
https://www.arnnet.com.au/article/645826/aussie-small-businesses-scammed-2-3m-far-2018/?utm_campaign=daily-pm-edition-2018-08-28&utm_source=daily-pm-edition&utm_medium=newsletter&eid=-4152


Here is the last week in Data Breaches

Kevin Lancaster from ID Agent publishes a weekly summary of the data breaches that occur. No matter how well we protect our own networks, perimeter and endpoints alike, our valuable information can still be compromised on a third-party site. Here is his summary of breaches from the past week:


It’s the little things that give you away.

This past week brought us a diverse set of incidents. Unfortunately, several of the high-profile compromises could have been easily prevented. From database misconfigurations to Phishing exploits, this week was the busiest week in disclosure since the week of March 19th.

Here are a few items to note from this week’s report:

  1. Compromised credentials are still #1: Several incidents leverage compromised credentials from 3rd party data breaches to initiate their attack.
  2. Amazon buckets are still leaking: Two of the incidents reviewed this week leverage flaws in Amazon S3 configurations. It’s surprising to see these very easy-to-fix issues still impacting organizations that hold very sensitive data.
  3. Global reach of data breaches noted: Data breaches are getting more coverage globally. This week demonstrates that massive exploits are not just targeted towards the US.
  4. Financially motivated breaches on the rise: Insider Threat and “Accidental Loss” of high-value data are on the rise.
  5. The healthcare sector targeted: Healthcare organizations are clearly in the crosshairs.

Kevin
Chief Executive Officer


1. TaskRabbit

Business Vulnerability: High: Network Exploit, Compromised Credential Exploit, Customer PII Loss, Website Defacement, Phishing email generation using company CRM/customer database.
Individual Risk: High: Compromised PII, Password Re-use/3rd Party Compromise, Phishing Exploit

Date Occurred: April 15th, 2018
Date Disclosed: April 17th, 2018
Data Compromised: Personally Identifiable information of users including clear-text passwords.

How Compromised: The incident first appeared to be a technical glitch that redirected users to a WordPress site when they tried to visit TaskRabbit.

Customers Impacted: TaskRabbit Users: Customers posting jobs and “Taskers”

Attribution/Vulnerability: Network & Website Exploit via Compromised Credentials.

https://techcrunch.com/2018/04/18/taskrabbit-ceo-posts-statement-as-its-app-returns-following-a-cybersecurity-breach/

What you need to know:
Given its complexity, I’m surprised that the SecOps space has given this incident very little attention. This is a great case study in compromise and lateral exploit.

It appears that a compromised credential allowed the attacker to gain network access AND access to TaskRabbit’s website and customer database. TaskRabbit acknowledges that it needs to do a better job with its “network intrusion detection” and that it stored more PII on its customers than needed.

Here’s what seems to have happened:

  1. Attacker uses a compromised email and password to gain access to the network
  2. Attacker defaces, then re-directs the website to a bogus WordPress landing page
  3. Attacker uses the company’s CRM/CMS to send Phishing emails from the domain to customers.

If anything, this highlights how a single credential can be used to create a large attack surface. For MSPs, these scenarios can be particularly complex to deal with and have long-term downstream damage since most MSPs are not tasked with or provide services to host and secure their customers’ websites.

2. Localblox (data scraping/collection firm)

Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit

Individual Risk: Moderate: Harvested data already & still widely available on the surface web

Date Occurred: Early 2018

Date Disclosed: April 18, 2018

Data Compromised: The data was found in a human-readable, newline-delimited JSON file. It includes names, physical addresses, employment information, job histories and more, scraped from Facebook, LinkedIn and Twitter profiles. Localblox would cycle through the email addresses it had collected, using Facebook’s search engine to retrieve users’ photos, current job title and employer information, and additional family information.

How it was Compromised: The company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled “lbdumps,” contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

Customers Impacted: Localblox claims it has more than 650 million records in its device ID database, and 180 million records in its mobile phone database, which includes mobile phone numbers and carriers. The company also says it has a US voter database with 180 million citizens.

Attribution/Vulnerability: Localblox Misconfiguration

https://www.hackread.com/localblox-exposes-millions-of-facebook-linkedin-data/

What you need to know: Most companies using S3 (including Localblox in this case) do not realize that they have to go back and reconfigure their access settings within Amazon’s S3 service to prevent anyone with access to Amazon’s platform from finding and accessing a bucket.

By default, the S3 service is highly prone to misconfiguration that can give almost anyone looking the ability to access or modify information in a non-password protected bucket. Attackers can gain access to list and read files, write/upload files, or change access rights to all objects and control the content of the files in a bucket.

The S3 issue is well known and easily fixed. It’s concerning that a company scraping social and web data to build profiles on people would be this negligent with their data storage and security.
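To make the bucket-permission problem concrete, the following script (an added example written for this write-up, not Localblox’s or Amazon’s code) evaluates a bucket’s ACL grants and bucket policy, in the JSON shapes the S3 GetBucketAcl and GetBucketPolicy APIs return, and reports which of the capabilities mentioned above (list/read, write, change access rights) are handed to anyone. The bucket name, owner ID and policy documents are constructed samples.

```python
"""Audit an S3 bucket's ACL and bucket policy for grants to anyone.
Example added for this write-up; not Localblox's or Amazon's code.
The inputs mirror the JSON shapes returned by the S3 GetBucketAcl and
GetBucketPolicy APIs; the sample documents at the bottom are constructed."""
import json

# Grantee groups that mean "anonymous" and "any AWS account holder"
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# What each ACL permission lets the grantee do on a bucket
ACL_CAPABILITY = {
    "READ": "list and read objects",
    "WRITE": "write/upload and delete objects",
    "READ_ACP": "read the access rights",
    "WRITE_ACP": "change the access rights",
    "FULL_CONTROL": "full control of the bucket",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or an {"AWS": ...} list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def acl_findings(acl):
    """Public grants in a GetBucketAcl-style document."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who is None:
            continue  # e.g. the LogDelivery group; not a public grant
        perm = grant.get("Permission", "")
        findings.append(f"ACL grants {who}: {ACL_CAPABILITY.get(perm, perm)}")
    return findings


def policy_findings(policy):
    """Allow statements in a bucket policy whose principal is everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        note = " (conditional; review the Condition)" if stmt.get("Condition") else ""
        findings.append(f"policy allows everyone: {actions}{note}")
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine both checks; `public` is True when any public grant exists."""
    findings = acl_findings(acl)
    if policy is not None:
        findings += policy_findings(policy)
    return {"bucket": name, "public": bool(findings), "findings": findings}


# --- constructed samples ---------------------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}

# A bucket shaped like the "lbdumps" case: the owner kept full control but
# also granted READ to AllUsers, and the policy lets anyone fetch objects.
LEAKY_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": ALL_USERS, "Permission": "READ"},
]}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::lbdumps/*"}]
}""")

# The corrected bucket: owner-only ACL and no bucket policy at all.
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for report in (audit_bucket("lbdumps", LEAKY_ACL, LEAKY_POLICY),
                   audit_bucket("lbdumps", PRIVATE_ACL)):
        print(report["bucket"], "PUBLIC" if report["public"] else "private",
              report["findings"])
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-acl` and the `Policy` string from `aws s3api get-bucket-policy` (parsed with `json.loads`); an empty findings list means no anonymous or any-AWS-account grant was present, and the account-level S3 Block Public Access setting will additionally stop such grants from taking effect.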

As for the data they are scraping… it’s still widely available and easily accessed.  By anyone…

3. FastHealth Interactive Healthcare (Website programming and hosting for hundreds of hospitals and other healthcare organizations)

Business Vulnerability: High: Compromised Default Password, Unsecured/internet database

Individual Risk: High: Compromised PII, Compromised PHI, Compromised Financial Data

Date Occurred: 2016 & 2017 (2 incidents)

Date Disclosed: April 2018

Data Compromised: Incident 1: Patient billing and health-related information entered via online patient web forms. Incident 2: Patient Health Information. At this time, it is unknown whether the databases were breached or if information was actually retrieved.

How it was Compromised: Attackers used credential stuffing to access the accounts. This means that hackers attempted to access the accounts by using credentials leaked from other data breaches.

Customers Impacted: At least 9,200.

Attribution/Vulnerability: Compromised Default Password – Law Enforcement Observation

What you need to know: Compromised default password exploits are still very common. What’s concerning about this group is that it has experienced 2 incidents over a 2-year period. It looks like the organization fell asleep at the wheel, as the second incident was identified by Law Enforcement. There are very few details on what LE noticed. There is little chatter about this data being for sale.

http://www.insurancefraud.org/IFNS-detail.htm?key=27891

4. True (Thai telecommunications company)

Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit

Individual Risk: High: Impacted Thai citizens with PII exposed

Date Occurred: Unknown/March 2018

Date Disclosed: March 2018

Data Compromised: True said stored copies of national identification cards belonging to 11,400 customers who bought “TrueMove H” mobile packages via True’s e-commerce platform iTruemart, run by True’s digital arm Ascend Commerce, had been made public.

How it was Compromised: The data leak came to light after Norway-based security researcher Niall Merrigan said in his personal blog on Friday that he was able to access 32 gigabytes of True’s customer data, including identification cards, and that he notified True in March about the security breach.

Customers Impacted: 11,400 TRUE Customers.

Attribution/Vulnerability: Exposed by Norway-based researcher Niall Merrigan

What you need to know: Sound familiar? Thai communications is lucky that Niall decided to put his white hat on and notify them that their bucket is leaking!

https://www.reuters.com/article/us-true-corporation-data/thai-telco-true-defends-security-measures-after-user-data-breach-idUSKBN1HO2D5

5. Blue Shield of California

Business Vulnerability: High: Potential PII Exploit for Financial Gain or Accidental Data Loss

Individual Risk: Low: Dataset isolated/ impacted individuals contacted

Date Occurred: Breach had occurred in November 2017 during the 2018 Medicare Annual Enrollment Period

Date Disclosed: The Blue Shield of California Privacy Office received confirmation on March 23, 2018

Data Compromised: The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.

How it was Compromised: A Blue Shield employee emailed a document containing PHI to an insurance broker “in violation of Blue Shield policies.” Blue Shield of California said that it believes the insurance broker may have contacted some of the individuals identified in the document to sell a Medicare Advantage Plan offered by another health insurance company.

Customers Impacted: Blue Shield CA customers.

Attribution/Vulnerability: Insider Threat/ Blue Shield employee

What you need to know: It’s not entirely clear if this incident was an exploit for financial gain or just a case of accidental data loss. It does come on the heels of a successful Phishing exploit that exposed the PHI of 21,000 people. It’s interesting that several reports suggest that the 3rd party that received the data tried to use it to sell a Medicare Advantage plan. I would not be surprised if there is a criminal inquiry under way.

https://iapp.org/news/a/blue-shield-of-california-confirms-phi-data-breach/

6. American Esoteric Laboratories

Business Vulnerability: High: Stolen Laptop; Potential PII Exploit for Financial Gain or Accidental Data Loss

Individual Risk: High: Sensitive Patient Data (PHI), Payment Data

Date Occurred: On or after October 15, 2017

Date Disclosed: April 20, 2018

Data Compromised: Data breach may have resulted in the exposure of the personal and protected health information of patients of a medical lab chain with multiple Alabama locations.

How it was Compromised: An employee’s laptop was stolen. A wide range of personal information about patients may have been stored on the laptop, including names, addresses, Social Security numbers, dates of birth, health insurance information, and/or medical treatment information.

Customers Impacted: American Esoteric Lab patients.

Attribution/Vulnerability: Unknown

What you need to know: It appears that the organization, even though it knew it had PHI, did not use endpoint protection, nor did it encrypt its laptops. AEL states that it’s taking steps to make sure this type of incident does not happen again. “These steps include increasing the security of the AEL systems and networks through the use of encryption technology, updating relevant policies and procedures, and retraining staff.”

http://www.al.com/news/birmingham/index.ssf/2018/04/data_breach_could_impact_some.html

Do you want to know if your business domain’s emails have been exposed? We will do a free Dark Web scan that will show you when, where and what was exposed.

Here is the link: http://downloads.primetelecommunications.com/Dark-WeB

The Latest Round Up of Data Breaches for March 2018 and up to April 4 2018

Here is the latest round up of data breaches that can compromise your network’s credentials. As you know, after the data is stolen, it appears on the Dark Web for sale. Whereas individuals should use products like LifeLock or Experian, IT managers, CISOs and CFOs of small and midsize businesses can use our Dark Web search for free to see if they are compromised: http://downloads.primetelecommunications.com/Dark-WeB

If you find that you have credentials exposed, we can help you by monitoring and educating your end users.

Warning:

We do not recommend that you access the Dark Web on your own. Exploring this hidden network of sites without the necessary expertise is extremely dangerous and can expose you, your network, company and data to a large number of threats. Let experienced professionals specializing in cyber security help you access the necessary intelligence to safely bolster your defenses.



  1. MyFitnessPal

Date Occurred: February 2018

Date Disclosed: March 2018

Data Compromised: May include usernames, email addresses, and hashed passwords. Payment information NOT affected.

How it was Compromised: Unauthorized party access

Customers Impacted: 150 million users

Attribution: None at this time

Business Risk: Moderate (Data Exploit, Compromised Credentials, Weak Encryption)

Since the motivation is unknown at this time, it’s hard to determine how the data may be used and its direct impact on the individuals compromised. The data set holds 3 key data elements: Email, Username and Password. “Most” passwords were hashed using bcrypt; however, it appears a large percentage were simple SHA-1. Financial data was collected and housed separately, a solid best practice.

https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html
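The bcrypt/SHA-1 split described above is the situation the following added example addresses (written for this write-up; it is not MyFitnessPal’s or Under Armour’s code). It tells the two kinds of stored record apart, counts them, and upgrades a legacy SHA-1 record to a slow, salted hash the next time its owner logs in successfully. Because bcrypt needs a third-party library, PBKDF2-HMAC-SHA256 from the standard library stands in as the target scheme; the user table is a constructed sample and the bcrypt-shaped string in it is a sample verifier, not a hash of any real account.

```python
"""Tell SHA-1 password records from bcrypt ones and upgrade the weak ones at
login. Added for this write-up; not MyFitnessPal's code. bcrypt needs a
third-party library, so PBKDF2-HMAC-SHA256 from the standard library stands
in as the slow, salted scheme that SHA-1 records are migrated to."""
import hashlib
import hmac
import os
import re

# Stored-verifier shapes: bcrypt "$2b$12$<22 salt><31 hash>", our PBKDF2
# "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>", and bare SHA-1 hex.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
SHA1_HEX_RE = re.compile(r"^[0-9a-f]{40}$")
PBKDF2_PREFIX = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000  # tune upward; the point is that each guess is slow


def classify(stored):
    """Name the scheme behind a stored verifier, or 'unknown'."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if stored.startswith(PBKDF2_PREFIX + "$"):
        return "pbkdf2_sha256"
    if SHA1_HEX_RE.match(stored):
        return "sha1"  # one fast, unsalted hash per password: cheap to crack
    return "unknown"


def scheme_counts(users):
    """How many records use each scheme: the ratio the write-up comments on."""
    counts = {}
    for stored in users.values():
        scheme = classify(stored)
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def sha1_verify(password, stored):
    digest = hashlib.sha1(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored)


def login(users, username, password):
    """Return (accepted, upgraded). A correct password against a SHA-1
    record is rehashed with PBKDF2 and the record replaced in place, so the
    weak hashes disappear as users log in instead of lingering in the table."""
    stored = users.get(username)
    if stored is None:
        return False, False
    scheme = classify(stored)
    if scheme == "pbkdf2_sha256":
        return pbkdf2_verify(password, stored), False
    if scheme == "sha1" and sha1_verify(password, stored):
        users[username] = pbkdf2_hash(password)
        return True, True
    # bcrypt records would be checked with the bcrypt library; not modelled here
    return False, False


# Constructed sample table: the SHA-1 and PBKDF2 values are computed here; the
# bcrypt-shaped string is a sample verifier, not a hash of any real account.
SAMPLE_USERS = {
    "legacy_user": hashlib.sha1(b"correct-horse").hexdigest(),
    "recent_user": pbkdf2_hash("battery-staple", salt=bytes(16)),
    "bcrypt_user": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
}

if __name__ == "__main__":
    print(scheme_counts(SAMPLE_USERS))
    print(login(SAMPLE_USERS, "legacy_user", "correct-horse"))  # (True, True)
    print(classify(SAMPLE_USERS["legacy_user"]))                 # pbkdf2_sha256
```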

  2. Ohio Applebee’s

Date Occurred: December 6, 2017 – January 2, 2018

Date Disclosed: March 2, 2018

Data Compromised: Certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods could have been affected.

How it was Compromised: Unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations.

Customers Impacted:  Only impacted stores within the RMH network of restaurants and not the broader Applebee’s network.

Attribution:  None at this time

Business Risk: Low (POS exploit, Regional)

This POS compromise was regional in scope and would have more of a direct impact on individuals rather than businesses. We will continue to monitor for chatter/uptick in online financial fraud leveraging this data set.

https://www.rmhfranchise.com/dataincident/

  3. Boeing

Date Occurred: Early 2018

Date Disclosed:  March 2018

Data Compromised: Not disclosed at this time

How it was Compromised: “Limited intrusion of Malware” WannaCry, Supply Chain

Customers Impacted: “A small number of systems”; older systems

Attribution: Nation State leanings. WannaCry, Crypto-malware

Business Risk: High (External / Persistent Targeting, Crypto, Vulnerability Exploit)

Although Boeing is publicly downplaying its impact, the company sent a company-wide alert calling for “all hands on deck.” It’s apparent that the infections caused major disruptions to airplane production and that significant internal resources were spent on determining downstream impacts.

There has been significant chatter regarding alternate payload distribution and kill switch circumvention.  Boeing most certainly would have beefed up its resiliency to WannaCry after its initial outbreak in 2017.  This suggests that supply chain access to Boeing core systems was exploited to deliver the payload.

https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/

  4. Active.com

Date Occurred: December 2016 – September 2017

Date Disclosed: March 2018

Data Compromised: PII used in registration/checkout process for races

How it was Compromised: Unauthorized access by 3rd parties

Customers Impacted: Potentially hundreds of runners in Great Britain affected; full effects not known.

Attribution: None at this time

Business Risk: Low (POS exploit, Regional)

Small scale POS exposure impacted several hundred individuals in the UK.  3rd party intel firms suggest data has been sold on dark web markets in TOR. However, we have not validated the sale or exploit of this data as of 4/2/18.

https://www.runnersworld.co.uk/events/credit-card-details-from-runners-potentially-at-risk-in-a-security-breach

  5. Loganville, Gwinnett County, GA

Date Occurred: March 15, 2018

Date Disclosed: March 2018

Data Compromised: May include PII such as social security numbers and/or banking information

How it was Compromised: City server breached by outside person or entity

Customers Impacted: Specifics unknown

Attribution: None at this time

Business Risk: Moderate (External / Persistent Targeting, Vulnerability Exploit)

The city’s announcement on Facebook suggests that its systems were left open to public access. It has yet to be determined/disclosed if access was the result of an individual leveraging default password access or if systems were left unpatched and open to automated exploit. It does not appear to be related to the City of Atlanta’s Samsam ransomware compromise from March 22.

https://www.wsbtv.com/news/local/gwinnett-county/metro-atlanta-city-reports-its-own-data-breach-warns-customers/722204765

  6. Baltimore 911 Dispatch System

Date Occurred: March 24-25, 2018

Date Disclosed: March 2018

Data Compromised: Hack affected messaging functions within the Computer Aided Dispatch (CAD) system which supports 911 and 311 functions in the city.

How it was Compromised: Crypto-malware hack prompted temporary shutdown of automated 911 dispatching services and forced reversion to manual operations

Customers Impacted: Specifics unknown

Attribution: Unknown actors – assumed Eastern European, Crypto-malware

Business Risk: Severe (External / Persistent Targeting, Human Error, Vulnerability Exploit)

Attack shows constant scanning and targeting of public sector systems. Attackers performed an automated scan of the city’s firewall/ports within a few hours of a technician manually changing firewall settings on its computer-aided dispatch system.

https://technical.ly/baltimore/2018/03/28/cyber-breach-baltimores-911-dispatch-system-investigation/

  7. Orbitz

Date Occurred: October 1, 2017 – December 22, 2017

Date Disclosed: March 1, 2018

Data Compromised: Potentially wide range of PII including full names of customers, credit card numbers, birth dates, phone numbers, mailing addresses, billing addresses and email addresses.

How it was Compromised: Hackers able to breach one of the company’s legacy booking platforms to access records that cover dates between January 2016 – December 2017.

Customers Impacted: Orbitz customers and potentially customers who used Amextravel.com to book.

Attribution: Unknown actors

Business Risk: High (Vulnerability Exploit, potential for widespread online fraud)

It took Orbitz almost 3 months to discover that attackers exploited a legacy version of their travel booking platform between October 1, 2017 and December 22, 2017.

Data impacts more than 880,000 individuals. The string of PII compromised combined with business itinerary information provides the ability to effectively social engineer impacted individuals. Individuals should proactively monitor their personal data for misuse.

https://thehackernews.com/2018/03/expedia-data-breach.html

  8. Hudson’s Bay Co. (Saks /Lord & Taylor)

Date Occurred: “Preliminary analysis” found credit card data was obtained for sales dating back to May 2017

Date Disclosed: April 1, 2018

Data Compromised: Hackers stole information for more than 5 million credit and debit cards used at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores. Cards used for in-store purchases. “No indication” online purchases were affected.

How it was Compromised: Not known at this time.

Customers Impacted: The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the “majority of stolen credit cards were obtained from New York and New Jersey locations.”

Attribution: Hacking syndicate JokerStash or Fin7 began boasting on dark websites last week that it was putting up for sale up to 5 million stolen credit and debit cards. The hackers named their stash BIGBADABOOM-2.

Business Risk: High (POS compromise, potential for widespread online fraud)

Chatter about the data sets began to surface two weeks back but was largely discounted. The Joker’s Stash site has touted several comprehensive sets of validated credit card data going back to 2016, including Hilton and BeBe Stores.

The data set contains more than 5 million credit and debit cards (all card types with complete data strings). This data set will produce significant online credit and debit card fraud. Any organization running an ecommerce platform is urged to add additional card validation requirements until card issuers are able to invalidate all cards identified in the harvest.

https://www.nytimes.com/2018/04/01/technology/saks-lord-taylor-credit-cards.html 

  1. ATI Physical Therapy

Date Occurred: Unknown – discovered in January 2018.

Date Disclosed: Early March 2018

Data Compromised:  ATI Holdings discovered in January that some employees’ direct deposit information had been changed in its payroll system. At least one of the hacked email accounts included patient names, birth dates, driver’s license numbers, Social Security numbers, credit card numbers, diagnoses, and medication and billing information, among other data.

How it was Compromised: The data may have been compromised after hackers got hold of email accounts belonging to the Bolingbrook, Illinois-based chain’s employees.

Customers Impacted: As many as 35,000 patients of ATI Physical Therapy and its subsidiaries. ATI Physical Therapy has more than 100 clinics in Illinois and hundreds of others across 24 other states.

Attribution:  Not known at this time.

Business Risk: High (Compromised Email Accounts, Lateral movement, Downstream Exploit)

With the hallmarks of organized crime, this compromise was able to extract and manipulate both employee and customer data. The downstream impacts are widespread and will have adverse effects on impacted individuals. Privileged access was leveraged to re-route banking information and extract comprehensive medical records and data sets on thousands of patients.

This is a devastating compromise that allowed attackers to move laterally within their victim’s network for an undetermined length of time.

https://www.hipaajournal.com/ati-physical-therapy-data-breach-impacts-35000-patients/

  1. CareFirst

Date Occurred:  Unknown
Date Disclosed: Discovered March 12, 2018; disclosed late March 2018

Data Compromised: The breached email account gave the attackers access to the employee’s emails; the attack could have compromised personal information on about 6,800 CareFirst members, including names, member identification numbers and dates of birth. The company said the information did not include medical or financial data. CareFirst also disclosed that, in the case of eight members, Social Security numbers may have been compromised.

How it was Compromised: A CareFirst employee was the victim of a phishing attack, which compromised their email account. In this case, the compromised CareFirst email account was used to send spam messages to an email list of individuals, who the insurer said were not associated with CareFirst.

Customers Impacted: Potentially 6,800 CareFirst members

Attribution: Not known at this time.

Business Risk: High (Phishing, Compromised Credentials)

A well-crafted phishing attack harvested compromised credentials. Expect more information on this compromise to surface in the coming week. The public response to this compromise falls in line with how most large organizations are messaging their exposures. It’s becoming commonplace for organizations to generalize the numbers impacted to minimize negative public reaction.

https://www.databreachtoday.com/carefirst-bluecross-blueshield-hacked-a-8248

11. DELTA Airlines

Date Occurred:  Unknown
Date Disclosed: Discovered March 12, 2018; disclosed late March 2018

How it was compromised: [24]7.ai, a company that provides online chat services for a variety of companies including Delta, was involved in a “cyber incident.” This cyber incident allowed Delta customer payment information to be accessed during the period from September 26, 2017 to October 12, 2017.

https://www.inc.com/peter-economy/delta-air-lines-just-revealed-stunning-data-breach-and-your-payment-information-may-have-been-exposed.html

Improving Security & Reducing the Risk of Data Breach

It’s a parallel that seems to represent a negative product of change: as technology advances, so do security threats. In a world where data breaches make headlines, security is of utmost importance—especially for companies that have critical assets such as customer data, intellectual property, or proprietary corporate data.

Despite the progress that has been made to improve security, there are still instances of data breaches over the cloud. However, by taking the right measures, businesses can utilize the cloud to prevent data breaches and reduce the inherent stress perpetuated by security threats.

Below are five tips on utilizing security in the cloud.

1) Be aware of your cloud apps. We all love the various services that apps can provide. However, it is important to know the business readiness of each app and which ones encrypt data stored on the service. It is important to know which apps render you more or less prone to a breach. If you employ cloud services, you should know exactly what is provided, and how your company utilizes them.

2) Transfer users to high-quality apps. As you already know, cloud-switching costs are minimal—which means that switching to better apps is possible. Choose apps that are best suited to your business needs; shopping around for the best apps is advised. If you stumble upon unsatisfactory apps, talk to your vendor or even switch. Our current technological makeup is dominated by a preponderance of worthy apps—utilize them.

3) Ask yourself: where is my data going? Look at your data in the cloud: review uploads, downloads, and stored data. Check if you have personally-identifiable information (PII) or unencrypted confidential data that is in—or moving to—the cloud. Be aware of where your data is going.

4) Identify user activity. It is essential to understand not only which apps you utilize, but also your user activity. Which apps are used to share information? According to a VentureBeat study, one-fifth of tracked apps enabled sharing—ranging from customer-relationship management to finance and business intelligence. Knowing who is sharing what information—and with whom—will enable you to implement the right policies.

5) Reduce risk through granular policy. Begin with business-critical apps and implement policies that will help your business in the case of a breach. Some ideas: block the upload of information, block the download of PII, or block access to vulnerable apps when necessary. Preparation is key—and knowing where your information is at all times is paramount in mitigating risk.
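
Tips 3 to 5 (know what PII is moving to the cloud, know which apps are in use, and apply a per-app policy such as blocking PII uploads to apps that are not business-ready) can be expressed as a small upload policy check. The block below is an added example, not code from the original newsletter or from any vendor product; the app names, the policy table, and the sample document are constructed for illustration, and the PII patterns are deliberately simple (SSN format, Luhn-valid card numbers, email addresses).

```python
"""
Added example (not part of the original newsletter): a minimal upload
policy check in the spirit of "know where your PII is going" and
"block the upload of PII to apps that are not business-ready".
App names, policies and the sample document are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Simple PII detectors. Real DLP engines use far richer rules; these are
# enough to show the decision flow.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict[str, int]:
    """Count PII indicators in a document about to be uploaded."""
    findings = {
        "ssn": len(SSN_RE.findall(text)),
        "card": 0,
        "email": len(EMAIL_RE.findall(text)),
    }
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            findings["card"] += 1
    return findings


@dataclass(frozen=True)
class AppPolicy:
    name: str
    business_ready: bool      # vetted app that encrypts data at rest
    block_pii_upload: bool    # granular rule for this app only


# Constructed policy table (hypothetical app names).
POLICIES: dict[str, AppPolicy] = {
    "approved-crm": AppPolicy("approved-crm", True, False),
    "file-share-x": AppPolicy("file-share-x", True, True),
    "unvetted-notes": AppPolicy("unvetted-notes", False, True),
}


def decide_upload(app: str, content: str) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for uploading content to app."""
    policy = POLICIES.get(app)
    if policy is None or not policy.business_ready:
        # Unknown or unvetted apps are blocked outright (tip 1 and tip 5).
        return "block", f"app {app!r} is not approved for business use"
    pii = find_pii(content)
    if policy.block_pii_upload and (pii["ssn"] or pii["card"]):
        return "block", f"PII detected before upload to {app!r}: {pii}"
    return "allow", f"no blocking policy matched for {app!r}: {pii}"


# Constructed sample document: one SSN, one Luhn-valid test card number,
# one Luhn-invalid digit run (must not count), and one email address.
SAMPLE_UPLOAD = (
    "Customer: Jane Doe <jane.doe@example.com>\n"
    "SSN: 123-45-6789\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234 5678 9012 3456\n"
)

if __name__ == "__main__":
    for app in ("approved-crm", "file-share-x", "unvetted-notes", "shadow-app"):
        verdict, reason = decide_upload(app, SAMPLE_UPLOAD)
        print(f"{app:15} {verdict:6} {reason}")
```

The decision is taken per app, which is what "granular policy" means in practice: the same document is allowed into the vetted CRM, blocked from the file-sharing app whose policy forbids PII uploads, and blocked from any app that was never vetted at all. Running the script prints one verdict line per app for the constructed document.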

Preventing a data security breach is possible—it relies on your careful attention to cloud apps and user activity. Knowing your data is crucial in preventing risk. Analyzing your apps takes time, but it is a worthwhile task. Contact us today to learn more about security and minimizing your cloud and data risks.
