Tag Archives: breaches

Security News for the Week Ending January 22, 2021

Parler Finds A New Home With Russian Hosting Provider in Belize

“Hello world, is this thing on? With that message Parler’s website is back online. Well at least a one page website is back online. The site is being hosted by Russian-owned DDoS-Guard, a company that apparently also hosts ISIS web sites. Whether the folks who invaded the Capitol earlier this month are going to be willing to post their content on a Russian hosted server is not clear. It is unlikely that their hosting provider would respond to a US subpoena, but whether they would steal the posts for their own purpose is a different question. Credit: Cybernews

Capitol Terrorist Who (Allegedly) Planned to Sell Pelosi’s Laptop to Russian Intelligence Arrested

The amazing amount of video footage from the storming of the Capitol is really making the cops’ lives a lot easier. Riley June Williams, 22, from Pennsylvania, was outed by her former boyfriend. She videoed herself committing the felony and then shared that video. She has now been arrested. She has not been charged with espionage, yet. After the events of January 6th, she changed her phone number, deleted her social media accounts and fled. Her public defender wants her released but the feds say that she is a flight risk. Given she disappeared even before she was charged, that doesn’t seem unreasonable. Credit: WaPo

Parler Data Is Available for Download

If you want to be an amateur detective and you have 70 terabytes or so of free disk space on your computer, you too, can download the data that was scraped from the site during its last few hours of its existence. It is chunked down to 4GB chunks and more of it is being uploaded in real time. This will be examined and reexamined for a long time. Details can be found here.

Malware Bytes Joins Club of Those Hacked by SolarWinds Hacking Team

Malware Bytes joins the long and getting longer list of those folks sucked in by the Solar Winds attackers. In their case, they did not use Solar Winds but were compromised by other techniques used by the Solar Winds attackers. They said the damage was minor and limited to some of their emails. Credit: Cyber News

Trump Pardons Google Engineer Who Stole Self Driving Car Trade Secrets and Took Them to Uber

Anthony Levandowski, the Google Engineer who went to work for Uber’s self driving car division, was pardoned by Trump after being sentenced to 18 months for his theft. I am not sure if the pardon relieves him of the obligation to pay Google the $179 million fine, but it probably does. He took 141,000 files with him and likely advanced Uber’s progress by years. Google settled it’s lawsuit against Waymo in 2018 and paid a multi-hundred-million dollar fine. Curiously, Google is an investor in Uber, so they probably don’t want to hurt them too much. Credit: Cyber News

Breaches Down; Record Count Up

According to Risk Based Security, the NUMBER of breaches reported fell 48% in 2020 compared to 2019, but the number of records exposed was UP by 141% to an amazing 37 BILLION records. We don’t believe that the number of breaches was actually down; likely it is just that a lot of breaches are not being reported. Part of it may be that with other important events like the election and Covid, the media is not covering breaches. In addition, we are seeing some really large breaches. Hacking group Shiny Hunters disclosed 129 million hacked records in just five weeks. Credit: Tech Republic

Security News for the Week Ending December 18, 2020

Data from employment firm Automation Personnel Services Leaked

Automation Personnel Services, a provider of temporary employment services, found 440 gigabytes of their data leaked on the dark web. The poster says that it includes payroll, accounting and legal documents.

The data was leaked because the company refused to pay the ransom.

When asked if the data was genuine, the company only said that they are working with forensics firms and are improving their security. Credit: Cybernews

Are Hospitals Protecting Your Data?

The Register is reporting that two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

To make matters worse, apparently hackers had been there before the researchers and left all kinds of malware behind. Will anyone get in trouble over this? Probably not. Credit: The Register

Ya Know Those Smart TVs? Maybe Not So Smart to Use?

Ponder this. Most TVs are made in China. Smart TVs connect to the Internet. There is Internet in China. China makes the chips that go into those TVs. And the software that goes into those chips. The executives for at least some of those companies have a documented connection to the Chinese government and/or military. China might be very interested in hearing what goes on in everyone’s living room. And bedroom. Including your kids’ bedroom. Some smart TVs have cameras in addition to microphones. Connect the dots; I am not allowed to. Credit: US Department of Homeland Security

Ransomware Attacks on the Rise and Insurers React

As ransomware attacks increased this year – both in terms of cost and severity, insurers are becoming more selective and some are scaling back their coverage. Total costs of ransom payments doubled between 1H2019 and 1H2020, but that might change going forward now that the feds are threatening to throw people in jail if they pay ransoms to terrorists. This means that some premiums are going up and some carriers are even getting out of the cyber risk insurance business. Credit: Reuters

Suppliers Under Attack

The company Blackbaud helps companies in a variety industries manage their customer relationships. Their services include fundraising and relationship management, customer engagement, financial management and related services.

The customers span many industries including arts and culture, faith based organizations, non-profit foundations, healthcare organizations, higher education, change agents and even commercial corporations.

Companies can also install their own copies of the Blackbaud software in their computer computer rooms and data centers instead of in Blackbaud’s data centers. It is this subset of their customers that were compromised and only some of them.

Unfortunately for Blackbaud, among the many companies affected are healthcare providers and since they are HIPAA Covered Entities, they are required to report these breaches to the U.S. Federal Government and they publish the largest of these breaches.

While this breach (which was actually a ransomware attack where the hackers stole the data before encrypting it) happened in May and this is September, we are still hearing about more companies who’s data was compromised, including some who have not yet reported the breach.

Among those companies are:

  • Northern Light Health – 657,000 people’s information compromised
  • Saint Luke’s Foundation – 360,000 people
  • Multicare Health System – 179,000 people
  • University of Florida Health – 136,000 people

and others. The total, just in healthcare, so far – more to come – is almost 1.6 million people who’s data was compromised.

This is just ONE VENDOR who serves healthcare that was attacked this year.

Another vendor is Magellan Health which is a managed healthcare provider. That breach affected about 1.7 million people.

Some organizations were affected by both breaches.

And while the Magellan breach likely only affected the healthcare industry and that is where this story is focused, the Blackbaud breach affects every industry.

In the case of healthcare, as is usually the case, who winds up on the short end of the stick is the healthcare providers.

In concept, they did nothing wrong other than trust a provider, a vendor, that maybe they should not have trusted.

These 3+ million people who were affected represent just two compromises and just this year. Many other organizations were independently hacked this year and their numbers are not included.

Again in just 2020 alone and only in healthcare, 345 breaches affected over 11 million . Those are just the ones that were posted to Health and Human Services “wall of shame”.

But fines, if and when the do happen, are typically small and come 5 years or more after the event, when most of the people responsible are no longer there.

So what needs to happen?

First of all, given the current Republican administration, it is unlikely that enforcement is going increase or speed up.

Ultimately, who gets to do the heavy lifting is the companies who hire these vendors. It is the companies’ responsibility to make sure that their vendors secure their data.

There is no rocket science involved. What is involved is

  • Time
  • Money
  • People
  • Motivation

Unfortunately, at least some businesses look at it as a profit and loss decision. If it is perceived to cost more to fix the problems of poor security than than to deal with the consequences, some companies make that financial decision.

But as a company that hires these vendors, you can impact this.

Your vendor CYBER risk management program needs to make sure that these vendors that have access to or store your client’s data are following best security and privacy practices.

You also want to make sure that your contracts with these vendors hold those vendors financially responsible for all of the costs that you bear including lost business and lawsuits, among other costs.

The only way we are going to shift the conversation and have vendors make the needed investments in cybersecurity is if it becomes more costly to be non-secure than secure.

In the case of healthcare, it is easy – it is the law!

If you need help building or enhancing your vendor cyber risk management program, please contact us. Credit: Data Breach Today

Law Firms Face Cyber Security Risks

“This is not time for firms to keep calm and carry on.  The proper response is to freak out.” – Prof. Dan Solove, GWU Law School

While I am not sure that freaking out is, in fact, the only proper response, I think that what Prof. Solove is saying is that ignoring the situation is not going to work very well.  We are beginning to seem law firms being hacked showing up in the news. Firms such as Weil and Cravath have been outed by the FBI.  Bloomberg says that 80 out of the top 100 law firms have been hacked.  The Russian hacker Oleras has announced he is trying to hack 48 specific law firms.  It seems like the handwriting is on the wall.

Professor Solove calls hacking law firms a “gourmet data feast“.  Once they get in, many law firms have little to no monitoring, so the odds of getting caught are nearly zero.  In addition, many firms have no internal access controls, so while associates are not supposed to access files for clients that they are not working on, there is nothing to stop a hacker, who is using an associate’s credentials, from hacking every client’s data and sending it to their server in Outer Slobovia.

The gourmet data feast comes from the fact that most law firms have hundreds of clients and the data that they have may include HIPAA protected information, non public personal information, financial information, criminal trial information, civil trial information, merger and acquisition information, insider trading protected information and other sensitive files.  Hackers mouths just water at the thought of it.

Prof. solove suggests that state laws governing breach of confidentiality, public disclosure of private facts and negligence may be used against attorneys that do not take appropriate steps to protect their client’s information.  Even if the case is not ultimately successful, the reputational damage can be significant.

In the case of HIPAA protected information, the fines can be very steep.  HHS can fine a law firm that has a client’s protected health information up to $1.5 million per violation.  In addition, the client can be fined because the law firm is now considered a business associate under HIPAA and HiTech regulations and if the client does not have a written and signed business associate agreement, they can be held liable for violating HIPAA as well.

In addition to dealing with the breach – paying for forensics investigations, dealing with lawsuits and depositions, reputational damage and regulatory fines, victim clients could file ethics complaints for failing to adequately protect confidential information.

A client’s trade secrets could be disclosed and I am not sure how you can possibly put that genie back in the bottle.

In addition, the client could be liable too, via vicarious liability.

Since the client did not adequately vet the law firm for cyber security risk prior to hiring them, they get to share in the responsibility.  Assuming this happens the client could both get sued by the victims and sue the firm.

To really make things messy, the FTC recently sued a company for violating section 5 of the FTC Act – unfair or deceptive practices – for failing to vet their vendor prior to giving them sensitive information.  This means that the FTC could commence an action against your client for your data breach.  Under typical FTC consent orders, the FTC will be closely watching your client for a mere 20 years and requiring an external audit every year or two.  Who do you think the client is going to turn to in order to recover those costs?

To make matters a little more uncomfortable, the insurance broker Marsh did a study recently and found that only half of the law firms surveyed had cyber risk insurance and 60% said that they had not calculated the effective revenue that could be lost following a breach.  For the firms that do have insurance, whether the insurance would adequately cover the effects of a breach is unknown.

One last thought.  Professor Solove has almost 900,000 followers to his LinkedIn blog in addition to being a law professor at GWU Law School.  In the blogging world, that is a ridiculously large following.  He is also the organizer of the annual Privacy + Security forum in Washington, DC.  I would suggest that he would likely qualify as an expert.

Information for this post came from Prof. Solove’s company, Teach Privacy.

Why Healthcare Providers Need To Have An Effective Cyber Security Program

The Anchorage Community Mental Health Services (ACMHS) just agreed to pay a $150,000 fine after a 2012 breach of approximately 2,500 patients protected Health Information (PHI) due to malware on their healthcare software system according to Healthcare IT News.

Apparently ACMHS had adopted the sample Security Rule policies in 2005 but didn’t bother to follow them from 2005 to the date of the breach in 2012.  As a result, they ran outdated, unpatched software leading to the breach.

In addition to the $150,000 fine, they agreed to a corrective action plan lasting two years, which, if they complete successfully, they are off the hook for this HIPAA violation.

While this organization had 5 locations, if they only have 2,743 patients, they are small.

On the other hand, the good, old fashioned paper breaches are still going strong.  Parkview Health System in Ft. Wayne Indiana decided that placing 71 boxes of patient records on the driveway of a retiring physician  (who was out of town) was a good plan.  They had to cough up $800,000 in fines.

But these fines are not limited to the small guys.  New York Presbyterian Hospital/Columbia University Medical System paid a $4.8 million fine after patient records for 6,800 patients would up on Google back in 2010.

These 3 incidents represent a small part of the $26 million in fines the Feds have levied against healthcare entities so far.

While having a good cyber security program won’t stop you from having a breach, it will improve the odds.  For example, If your cyber security program requires you to encrypt data on laptops and tablets and you actually do that, when one of your employees loses a device containing PHI, you have a safe harbor meaning that you don’t have to pay a fine.

 

Small Businesses Face Big Cyber-Risks

Is your business prepared for a cyber breach?  Besides the cost, there is the potential for damage to your reputation , loss of customers, distraction while dealing with it and the potential for lawsuits, which can go on for years.

An article at AZCentral.com talks about the subject and the fact that hundreds of small businesses have been hacked recently.  The challenge with cyber-breaches is that the bad guy gets your data but you still have it too, so you might not even be aware that you have been attacked.

Sometimes you are never aware that you have been attacked.  Other times, the media catches it and announces it – like with Home Depot.  Still other times, law enforcement pays you a visit and lets you know.

Don’t think that because you are a small business that you are immune.  In fact, hackers assume that small businesses likely have less defenses and are less likely to discover an attack.  Statistics indicate that about a third of all data breaches are against organizations with less than 100 employees.

Cyber-insurance may help with the costs and your defense in court if it goes there (there are over 50 lawsuits pending against Target right now), but that won’t help with the distraction and the damage to your reputation.

Cyber-insurance is a non-standard product meaning that the exclusions and limitations vary from policy to policy.  Assuming you don’t have cyber liability insurance, you should consider it.  If you do, you should review it to understand what is covered and what is not covered.  This is a case where surprises are not a good thing.

For many businesses, cyber risk mitigation is an area where bringing in outside expertise is a good idea.

Mitch Tanenbaum