Category Archives: Breach

Security News for the Week Ending September 25, 2020

GAO Tells Treasury: Track Cyber Risk in Financial Sector

The GAO told Treasury to work with Homeland Security to better track cyber risk in the financial sector.

The GAO says that Treasury does not track efforts or prioritize them. The “sector specific” security plan was last updated in 2016 and, of course, most of the tens of trillions of dollars of assets belong to private companies.

Not only that but Treasury has not implemented the recommendations from the last audit. Credit: Meritalk

Trump Campaign Spent $4 Million to Buy Your Location Data

The Trump campaign spent $4 million buying data on voters, including location, from a data broker named Phunware. The company makes a software development kit that developers can use to collect your data, including location, and sell it to data brokers. Nothing illegal, but lucrative for the app developers and useful for political campaigns and others. Credit: Vice

Google and Amazon – Both Can Be Un-Secure

We always talk about Amazon S3 storage buckets being configured insecurely and leaking data. Researchers say that 6 percent of a sample of Google Cloud Storage buckets are also configured so that the wrong people can read from or write to them. Documents they were able to read included passports and birth certificates. Just as with Amazon, Google disavows any responsibility if you misconfigure your storage: the provider secures the platform, but the permissions on your bucket are yours. Bottom line: test your security regularly and do not assume that anything is secure. Credit: Threatpost
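One way to do that regular test is to pull each bucket's policy and look for grants to "everyone" principals. The script below is an added example, not code from the article or from either cloud provider. It parses the JSON that the providers' CLIs return for a bucket (Google's IAM policy, an S3 bucket policy and an S3 ACL) and lists every grant to allUsers, allAuthenticatedUsers, the wildcard principal or the AWS global groups. The three policy documents embedded in it are constructed for the example; point the functions at real CLI output to use it.

```python
"""Offline check for storage buckets that anyone can read or write.

Parses the JSON that `gsutil iam get gs://BUCKET`, `aws s3api
get-bucket-policy` and `aws s3api get-bucket-acl` return and lists every
grant made to an anonymous or "any authenticated account" principal.
The three policy documents at the bottom are constructed for this example.
"""
import json

# Principals that mean "everyone" on each platform.
GCS_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
S3_PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def gcs_public_bindings(policy: dict) -> list:
    """(role, member) pairs in a GCS IAM policy that are granted to everyone."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in GCS_PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits


def _as_list(value) -> list:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def s3_public_statements(policy: dict) -> list:
    """(Sid, actions) for Allow statements whose Principal is the wildcard.

    Statements carrying a Condition are skipped: they may still be public
    (e.g. aws:SourceIp 0.0.0.0/0) and deserve a manual look rather than a
    blanket verdict either way.
    """
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)
        if "*" in principals:
            hits.append((stmt.get("Sid", ""), _as_list(stmt.get("Action"))))
    return hits


def s3_public_acl_grants(acl: dict) -> list:
    """(permission, group URI) for legacy ACL grants to the global groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in S3_PUBLIC_GROUP_URIS:
            hits.append((grant["Permission"], grantee["URI"]))
    return hits


# --- constructed sample documents (not real buckets) -----------------------
GCS_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ]
}""")

S3_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

S3_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}
  ]
}""")

if __name__ == "__main__":
    print("GCS public bindings:", gcs_public_bindings(GCS_POLICY))
    print("S3 public statements:", s3_public_statements(S3_POLICY))
    print("S3 public ACL grants:", s3_public_acl_grants(S3_ACL))
```

The ACL check matters because an S3 bucket with a perfectly private bucket policy can still be world-writable through a legacy ACL grant, and a write grant is the one that turns "leaked data" into "hosted malware". Run this against every bucket on a schedule, not once.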

Russia and China, Oh, My! (Hacking)

While the current occupant of 1600 Pennsylvania Avenue continues to put pressure on China, he is not putting pressure on Russia, and Russia is definitely going after us.

The Russian government hacking group known as APT28 or Fancy Bear is sending out fake NATO training materials laced with hard-to-detect Zebrocy Delphi malware. The email attachment carries a .zipx file extension, a less common archive format that many filters and users do not treat with the same suspicion as .zip or .exe. At the time researchers got a copy of the malware, only 3 antivirus products detected it. This campaign appears to be going after government computers, but there is always collateral damage. Credit: Bleeping Computer

At the same time, the FBI says that the Chinese are still actively going after Covid-19 research, including vaccines. After all, it is easier to steal a vaccine than to develop and test one. The Chinese read the newspapers, see who is claiming interesting stuff, and then try to hack them and steal their information. They are not alone. Russia and Iran are also trying to steal research and vaccine info. Credit: MSN

Suppliers Under Attack

The company Blackbaud helps organizations in a variety of industries manage their customer relationships. Its services include fundraising and relationship management, customer engagement, financial management and related services.

The customers span many industries including arts and culture, faith based organizations, non-profit foundations, healthcare organizations, higher education, change agents and even commercial corporations.

Companies can also install their own copies of the Blackbaud software in their own computer rooms and data centers instead of using Blackbaud’s data centers. It is this subset of their customers that was compromised, and only some of them.

Unfortunately for Blackbaud, many of the affected organizations are healthcare providers. As HIPAA Covered Entities, they are required to report these breaches to the U.S. Department of Health and Human Services, which publishes the largest of them.

While this breach (actually a ransomware attack in which the hackers stole the data before encrypting it) happened in May and it is now September, we are still hearing about more organizations whose data was compromised, including some who have not yet reported the breach.

Among those companies are:

  • Northern Light Health – 657,000 people’s information compromised
  • Saint Luke’s Foundation – 360,000 people
  • Multicare Health System – 179,000 people
  • University of Florida Health – 136,000 people

and others. The total, just in healthcare, so far (more to come) is almost 1.6 million people whose data was compromised.

This is just ONE VENDOR who serves healthcare that was attacked this year.

Another vendor is Magellan Health which is a managed healthcare provider. That breach affected about 1.7 million people.

Some organizations were affected by both breaches.

And while the Magellan breach likely affected only the healthcare industry, which is where this story is focused, the Blackbaud breach affects every industry.

In the case of healthcare, as is usually the case, it is the healthcare providers who wind up on the short end of the stick.

In concept, they did nothing wrong other than trust a provider, a vendor, that maybe they should not have trusted.

These 3+ million people who were affected represent just two compromises and just this year. Many other organizations were independently hacked this year and their numbers are not included.

Again, in 2020 alone and only in healthcare, 345 breaches affected over 11 million people. Those are just the ones that were posted to the Health and Human Services “wall of shame”.

But fines, if and when they do happen, are typically small and come 5 years or more after the event, when most of the people responsible are no longer there.

So what needs to happen?

First of all, given the current Republican administration, it is unlikely that enforcement is going to increase or speed up.

Ultimately, it is the companies who hire these vendors who get to do the heavy lifting. It is the companies’ responsibility to make sure that their vendors secure their data.

There is no rocket science involved. What is involved is

  • Time
  • Money
  • People
  • Motivation

Unfortunately, at least some businesses look at it as a profit and loss decision. If it is perceived to cost more to fix the problems of poor security than to deal with the consequences, some companies make that financial decision.

But as a company that hires these vendors, you can impact this.

Your vendor CYBER risk management program needs to make sure that vendors that have access to or store your clients’ data are following best security and privacy practices.

You also want to make sure that your contracts with these vendors hold them financially responsible for all of the costs that you bear, including lost business and lawsuits, among other costs.

The only way we are going to shift the conversation and have vendors make the needed investments in cybersecurity is if it becomes more costly to be non-secure than secure.

In the case of healthcare, it is easy – it is the law!

If you need help building or enhancing your vendor cyber risk management program, please contact us. Credit: Data Breach Today

Arrests Do Not Slow Down Hacking

In just the last few months, companies as diverse as Travelex and Canon have been hacked. Universities like UCSF have paid millions to criminals.

In just one news feed today, I see the following:

  • AI firm Cense exposed 2.5 million records containing sensitive and confidential medical records that were supposed to be loaded into a database.
  • The Ritz London’s customers are being hit by phone scams after a data breach. After stealing the data, the hackers called hotel guests and asked them to confirm their credit card information.
  • Medical collection agency R1 RCM, formerly known as Accretive Health, one of the largest medical debt collection companies in the US with revenues of over a billion dollars a year was hit by a ransomware attack. R1 RCM has personal data, insurance data, treatment data and other personal information.
  • 350 million email addresses were exposed on a misconfigured Amazon AWS S3 bucket. While less sensitive than other breaches, it raises the question of what else is incorrectly configured. As of right now, nobody even knows who owns the data.
  • SANS Institute loses 28,000 customer records in a phishing attack.

These are just a few of the recent attacks.

On the other hand, in the same HACKREAD feed, Ukraine arrested a ransomware gang accused of running fraudulent cryptocurrency exchanges and laundering $42 million through underground forums.

Also in the feed is news that the FBI and NSA disrupted the finance campaigns of three terrorist groups using cryptocurrency.

And finally, again, the FBI and NSA exposed a Russian state hacking tool for Linux systems.

This is the basis of the cat and mouse game that the hackers and law enforcement play every day.

The FBI’s Internet Crime Complaint Center receives 3,000 to 4,000 complaints every day. This is not a battle that the good guys seem to be winning.

This means that you have to protect yourself. If you don’t you will wind up being one of the statistics and not a good one.

Maybe sometime in the future the cops will win. I’m not counting on it, unfortunately. Credit: Hackread

Security News for the Week Ending August 7, 2020

Microsoft Considering Buying TikTok

In light of President Trump’s threats to ban TikTok, Microsoft says that it is considering buying the company from its Chinese owners. That would be a win-win-win for Microsoft. They would add another social media platform to their inventory, they can probably buy it at fire sale prices, and they would be doing something nice for the Republican administration. Credit: NY Times

Republicans Say TikTok is a National Security Risk

The current Republican administration says that TikTok is a national security risk, and it may well be, but not for any of the reasons that they are talking about. Secretary of State Pompeo says that TikTok and other Chinese-owned software might be feeding the Chinese your address, your facial image, phone number or friends. First of all, they likely have all of that already. Second, they can get all that information from Twitter or Facebook, so what is special about TikTok? And third, they can buy or steal all of that and a whole lot more from any one of a thousand data brokers, and it is all legal.

Why is this only a China problem and not, say, a Russia problem? One reason is that we don’t tend to use Russian software. But in the bigger picture, if the Republicans don’t think that Russia, North Korea and Iran, as well as friendly countries like France, Israel and Germany, among many others, are doing the same thing, they are wrong. After all, we are doing this, both to our citizens and theirs.

The bigger problem is that the TikTok software, along with a lot of other software running on your computers (PC or Mac) and phones (iPhone and Android), is horribly insecure and is leaking WAY MORE data than just that. And that assumes that the software does not have malicious intent. *THAT* is a national security risk that the Republicans don’t want to talk about, because it would cost American businesses money to fix that problem. What if a malicious update to a piece of software vacuumed whatever data it could off your phone: contacts, texts, photos? It is probably more realistic than you think. Credit: Fox News

Papers Leaked Before UK Election Linked to Russia

Classified US-UK trade documents that were leaked before the recent UK election in an attempt to manipulate the election are now being linked to Russia. They were stolen from former British trade minister Liam Fox. The Brits say that they have a “very robust” system to protect classified documents and are investigating how the Russians accessed Fox’s email multiple times between July and October of last year in spite of this so-called robust system. This is a classic technique that all intelligence services try to use: steal documents, cherry-pick which ones to leak, use social media to generate outrage, rinse and repeat. Score one for Russia. Credit: US News

Shocking News: Voting Machine Security Improves When you Work With Researchers

Voting machine maker ES&S has a horrible reputation when it comes to security. Organizers at Defcon bought used ES&S (and other) voting hardware and let people hack it. I don’t think any piece of their hardware lasted 5 minutes. What was ES&S’s response? They threatened to sue. Recently, they have begun to change that strategy. They are now going to offer a bug bounty program managed by an independent third party and are actually listening to the researchers. Did the gov threaten to blackball their machines? Who knows? Whatever they did, it is good for voting security. Credit: The Register

Feds Fine Capital One for Shoddy Cloud Security

Dial back your wayback machine to September of last year. Capital One announced a hack of their Amazon environment by an ex-Amazon employee the previous July that was possible due to an incorrect configuration of their security settings.

Fast forward to today and the feds announced an $80 million fine for bad cloud hygiene.

The feds (the OCC) fined Capital One for “failure to establish effective risk management processes” prior to migrating some of their systems to the cloud.

The OCC said that they considered the bank’s notification and remediation processes favorably in assessing the fine, meaning that the fine would likely have been larger if they hadn’t responded as well after the breach as they did.

On the other hand, they said that the bank glossed over numerous weaknesses in an internal audit.

On top of that, the OCC said that they didn’t report the flaws that they found appropriately to their Board’s audit committee. This means that internal processes were not sufficient to allow the Board to perform its fiduciary responsibility. Rather than blaming the Board, in this case they blamed management.

They also claim that Capital One failed to patch security vulnerabilities, violating regulations that banks must follow (GLBA).

After Capital One got caught, the bank decided this was a good time to spend some money on cybersecurity and start fixing the problems.

There is a moral here, I think.

This is a bank, so the expectations for security are high, but still …..

You could wait for a breach and the ensuing regulators and lawsuits. And fines. Or you can start looking at cyber risk management as a business problem and decide that it is probably cheaper to spend the money pre-breach. Last year Capital One said the breach could cost them $150 million. Whether this $80 million fine is in addition is not clear. Credit: The Register

Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of their recommendations are being added to the National Defense Authorization Act, which is a “must pass” bill to fund the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate generals. Stay tuned; that sausage is still being made. If they do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as intermediaries between you and your financial institutions, are not regulated in the same way that, say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue, and Dave will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading
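“Weakly encrypted” passwords usually means an unsalted, fast hash that a leaked table reverses by lookup. The script below is an added example, not Dave’s code or anything from the article: it shows why such a table falls in seconds and what a password record should look like instead, using salted PBKDF2-HMAC-SHA256 from Python’s standard library with a constant-time comparison. The usernames, passwords and “leaked table” are constructed for the demonstration.

```python
"""Password storage done two ways: the weak way and the way it should be.

`weak_hash` mimics the common mistake of storing an unsalted, fast hash of
the password: identical passwords collide and a precomputed table reverses
them instantly. `hash_password` uses salted PBKDF2-HMAC-SHA256 from the
standard library and `verify_password` compares in constant time.
All passwords and the "leaked table" below are constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # raise over time as hardware gets faster


def weak_hash(password: str) -> str:
    """Unsalted MD5: what 'weakly encrypted' passwords often turn out to be."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak_hashes(leaked: dict, wordlist: list) -> dict:
    """Reverse unsalted hashes with a lookup table built from a wordlist.

    One hash computation per candidate word recovers *every* user who chose
    that word, because there is no per-user salt to force separate work.
    """
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS, salt: bytes = None) -> str:
    """Return a record of the form 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- constructed demo data -------------------------------------------------
COMMON_WORDS = ["123456", "password", "hunter2", "letmein", "qwerty"]
LEAKED_WEAK = {  # what a breached table of unsalted hashes looks like
    "alice": weak_hash("hunter2"),
    "bob": weak_hash("password"),
    "carol": weak_hash("correct horse battery staple"),
}

if __name__ == "__main__":
    print("recovered from weak table:", crack_weak_hashes(LEAKED_WEAK, COMMON_WORDS))
    record = hash_password("hunter2")
    print("stored record:", record)
    print("verify correct password:", verify_password(record, "hunter2"))
    print("verify wrong password:", verify_password(record, "hunter3"))
```

The salt is stored in the clear next to the digest on purpose: its job is not secrecy but making every user’s hash a separate brute-force job, so the wordlist trick that recovers alice and bob in one pass no longer scales. The iteration count lives in the record too, so it can be raised later without invalidating existing users.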

IRS “Recommends” 2FA – Makes it Mandatory Next Year

The IRS is “recommending” that tax pros use multi-factor authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if they had used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend two-factor apps like Google Authenticator over SMS messages, which are easier to intercept (SIM swapping and SS7 attacks both land the text on the attacker’s phone). Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that they have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude fewer cell sites. Unfortunately, this also means that the speed you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you currently get with your current phone, without spending the money on the new phone and new plan. For details, read the article in USA Today.