
The Week in Breach: 04/02/19 – 04/08/19

April 11, 2019

This week, ransomware shuts down a US medical practice, freshmen hack their school’s Wi-Fi to avoid tests, Canadian pension plans go missing, Irish healthcare group is scammed, and UConn is hit with a $5M data breach lawsuit.


Dark Web ID Trends:

Top Source Hits: ID Theft Forums (99%)
Top Compromise Type: Domain (99%)
Top Industry: Finance & Insurance
Top Employee Count: 11 – 50 Employees


United States – Burrell Behavioral Health (BBH)
https://healthitsecurity.com/news/67000-patients-impacted-by-business-associate-breach-from-august-2018

Exploit: Unsecured business associate portal
BBH: Mental health service provider based in Missouri

Risk to Small Business: 2.333 = Severe: BBH has sent letters to patients notifying them of a breach that occurred in August of last year. Potential attackers would be able to infiltrate a business associate’s portal to access electronic protected health information (ePHI) and compromise sensitive records. The mental health service provider noted that there was no evidence of unauthorized access, but will be providing free identity monitoring, protection, and reporting from agencies including Equifax, Experian, and TransUnion. Along with the direct costs associated with offering such services to patients, the organization will have to pour funds into reputation management.

Individual Risk: 2.571 = Severe: The exposed records included names, addresses, contact information, DOBs, medical history information, driver’s license numbers and SSNs. Given the amount of time that has lapsed, patients are at high risk and should immediately begin monitoring their identity and credit reports.

Customers Impacted: 67,493 patients
How it Could Affect Your Customers’ Business: As breaches continue to become more commonplace, companies are being held accountable for providing free identity protection for their customers and employees. Such damage can be disabling for small businesses, especially when combined with the costs that come with managing public relations.

ID Agent to the Rescue:  Monitoring the Dark Web for stolen credentials is critical for MSPs who want to provide comprehensive security to their customers. BullPhish ID™ complements that data with simulated phishing attacks and security awareness training campaigns to educate employees, making them the best defense against cybercrime: https://www.idagent.com/bullphish-id.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Brookside ENT & Hearing Center
https://www.hipaajournal.com/michigan-practice-forced-to-close-following-ransomware-attack/

Exploit: Ransomware attack
Brookside: Medical practice in Battle Creek, Michigan

Risk to Small Business: 2 = Severe: The doctor’s office of Dr. William Scalf and Dr. John Bizon will be forced to close on April 30th after falling victim to a ransomware attack and refusing to pay $6,500 to regain access. Although hackers were unable to compromise their data, all information regarding appointments, patients, and payments was completely erased.
Individual Risk: 2.428 = Severe: Sensitive information of individuals was not accessed, only deleted. However, none of the data was salvaged and the office closure will force patients to seek treatment elsewhere, even those with imminent health concerns.

Customers Impacted: Undetermined
How it Could Affect Your Customers’ Business: This security incident is a perfect example of how devastating a ransomware attack can be for small businesses and their customers. Hackers are capable of wiping out infrastructure and important records, forcing business owners to rebuild from the ground up. As such, company managers must begin assessing cybersecurity threats and working with MSPs to protect themselves from compromises going forward.

ID Agent to the Rescue: Dark Web ID™ can find out how payment data is being used on the Dark Web, even in the case of a malware attack. We work with MSPs to strengthen their security suite by offering industry-leading detection. Find out more here: https://www.idagent.com/dark-web/.


United States – Secaucus High School
https://newyork.cbslocal.com/2019/04/02/police-secaucus-high-school-freshmen-hacked-schools-wi-fi-made-life-difficult-for-teachers-for-week/

Exploit: Malware
Secaucus High School: New Jersey school district

Risk to Small Business: 2.333 = Severe: Two high school freshmen were arrested for disabling their school’s Wi-Fi system to avoid taking tests. The students used a private company to execute the hack, resulting in them being charged with computer criminal activity and conspiracy to commit computer criminal activity. Although the systems are back up and running, it remains to be seen how the students will be disciplined by the school district.
Individual Risk: 2.482 = Severe: None.

Customers Impacted: 2
How it Could Affect Your Customers’ Business: Hacks are being commoditized, with packaged products capable of bringing down systems and stealing information becoming readily available on the Dark Web. Smaller organizations must learn to recognize such trends and protect their members, customers, and staff by investing in security providers that host solutions enabling them to understand the inner workings of online, underground marketplaces.

ID Agent to the Rescue: Dark Web ID™ can find out how payment data is being used on the Dark Web, even in the case of a malware attack. We work with MSPs to strengthen their security suite by offering industry-leading detection. Find out more here: https://www.idagent.com/dark-web/.


Canada – BC Pension Corporation
https://www.cbc.ca/news/canada/british-columbia/bc-pension-plan-warning-8000-privacy-breach-1.5087283

Exploit: Missing microfiche
BC Pension Corporation: One of the largest pension plan administration agents in Canada

Risk to Small Business: 2 = Severe: Members of the BC College Pension Plan are receiving notifications that their information may be at risk after a box went missing during an office move last year. Contents of the container included microfiche with personal information of members who worked from 1982 to 1997, and the breach was discovered in October 2018. Although the corporation has declared this a low-risk security incident, FIPA argues that it is a high-risk attack. Along with negative publicity, the BC Pension Plan Corporation will face backlash from members and may spearhead the case for implementing mandatory data breach reporting requirements in British Columbia.
Individual Risk: 2.428 = Severe: Some of the information includes names, social insurance numbers and dates of birth. Although there is currently no indication of an attack, plan members should investigate identity and credit reports to see if they were affected. In the words of one of the affected members, West Kelowna resident Pamela Stevens, “the information is out there, and there are people that wait around for these things to happen to get people and to use their cards and information to misuse it.”

Customers Impacted: Around 8,000
How it Could Affect Your Customers’ Business: Delays in breach notifications compound over time and can prove costly for companies. Without proper detection, it becomes nearly impossible to identify the source of a breach, with the end-result being disgruntled customers, penalties, and more. Along with partnering up with security providers to incorporate Dark Web monitoring solutions, businesses must alert their customers immediately to maintain a healthy dialogue.


ID Agent to the Rescue: Dark Web ID can monitor the Dark Web and find out if your employee or customer data has been compromised. We work with MSSPs to strengthen their security suite by offering industry-leading detection. Find out more here: https://www.idagent.com/dark-web/.


Canada – Unity Housing
https://www.cbc.ca/news/canada/ottawa/ociso-privacy-breach-montsion-video-1.5081138

Exploit: Data leak
Unity Housing: Ottawa community housing agency 

Risk to Small Business: 2 = Severe: Thousands of personal files related to Unity Housing were released to Ontario’s police watchdog and have been sitting in an exposed court exhibit for weeks. A USB key storing the files was initially delivered in lieu of a manslaughter trial, but most of the information was completely irrelevant to the case. The company maintains that it was unaware of the breach, and that no one accessed the data except for the defense counsel. Although it is unlikely that the compromised data was manipulated for malicious reasons, it draws attention to the agency and may make homeowners question the safety of their data.
Individual Risk: 2.428 = Severe: Since the USB key was only accessed by government officials and lawyers, it is unlikely that it was accessed nefariously. Therefore, individual risk is limited.

Customers Impacted: To be determined
How it Could Affect Your Customers’ Business:  When a data leak reaches news headlines, the security and care of the responsible company is put under question. To avoid similar incidents from occurring in the future, businesses must protect the personal information of customers and employees by establishing a “need-to-know” basis. Additionally, they must understand whether leaked information is being used by hackers, which can be done by working with security suites that monitor their primary marketplaces on the Dark Web.

ID Agent to the Rescue: Dark Web ID can monitor the Dark Web and find out if your employee or customer data has been compromised. We work with MSSPs to strengthen their security suite by offering industry-leading detection. Find out more here: https://www.idagent.com/dark-web/


Germany – Bayer Pharmaceuticals
https://www.zdnet.com/article/drug-firm-bayer-targeted-by-cyberattack-threat-contained/

Exploit: Malware attack
Bayer Pharmaceuticals: German multinational pharmaceutical and life sciences company

Risk to Small Business: 2 = Severe: In a statement this past Thursday, Bayer revealed that infectious software was discovered on its systems back in early 2018. Before removing the malware in March, the company proceeded to “spy” on the hackers to identify the responsible party. Without any further details on their incident response methodology or further information on what Bayer means by “spy”, ID Agent recommends always contacting an Incident Response Team if a compromise has been identified. Allowing an unknown third party to continue accessing data is generally inadvisable. The drug maker announced that there is no evidence of data theft, and they have traced the source of the hack to a group known as Winnti.
Individual Risk: 2.428 = Severe: No individuals are at risk.

Customers Impacted: N/A
How it Could Affect Your Customers’ Business: The era of industrial espionage is here, and small businesses should be taking notice. Hackers are setting their sights towards technology and intellectual property, given its tremendous value and sometimes limited security. Phishing campaigns are the most frequent of all attack vectors, followed by infection via custom malware.

ID Agent to the Rescue: Designed to protect against human error, BullPhish ID simulates phishing attacks and manages security awareness training campaigns to educate employees, making them the best defense against cybercrime. Learn more here: https://www.idagent.com/bullphish-id


Ireland – Saolta University Healthcare Group
https://www.irishexaminer.com/breakingnews/ireland/possible-data-breach-being-investigated-at-galway-hospital-after-patients-receive-scam-letter-915497.html

Exploit: Scam
Saolta University Healthcare Group: Umbrella hospital group composed of 6 sites across Western Ireland

Risk to Small Business: 2.333 = Severe: Patients of one of the hospitals in the Saolta network, University Hospital Galway (UHG), are receiving letters from an organization calling itself the Anglo American Lottery. The scam informs them that they have won a prize in the “hospital sick patient lottery draw” and will be admitted to a ward. Along with soliciting DOBs and other personal details, the scheme offers a fake website and phone number. Patients of UHG are filing complaints and have voiced their concerns to the Data Protection Commission, and it remains to be seen how Saolta will be penalized.
Individual Risk: 2.714 = Moderate Risk: Given that hackers were able to send personalized letters to the home addresses of patients, it’s clear that an exposure of information has already occurred. Anyone who has received or responded to the letter must immediately enlist in identity protection and reach out to Saolta to receive reparations.

Customers Impacted: To be determined
How it Could Affect Your Customers’ Business: As you can imagine, patients/customers are not happy when they realize that hackers are using their information collected from a company to orchestrate scams. With the rapidly growing ecosystem of cybersecurity awareness and vigilance, companies who fall short must face the consequences of customer attrition, news headlines, and hefty penalties.

ID Agent to the Rescue:  With BullPhish ID, MSPs can provide a more complete picture of a company’s security posture and potential risk, transforming the weakest links of an organization into their strongest points of protection. Find out how you can get started with us here: https://www.idagent.com/bullphish-id.


United Kingdom – UK Universities
https://www.bbc.com/news/education-47805451

Exploit: Password spraying
UK Universities: Universities across the United Kingdom that agreed to participate in a Jisc initiative

Risk to Small Business: 2 = Severe: Ethical hackers from Jisc, the company that provides internet services to UK universities and research centers, were able to access personal data of students and staff, financial systems, and research networks in less than 2 hours. The penetration testing was conducted in over 50 universities, with some being tested multiple times. Out of the simulated attacks, spear phishing proved to be one of the most effective.
Individual Risk: 2.571 = Moderate: None.

Customers Impacted: N/A
How it Could Affect Your Customers’ Business: The academic sector is under attack by opportunistic hackers looking to sell research and student information on the Dark Web to the highest bidders. Given the sensitivity of such information, it is likely that future regulations will address such gaps and set minimum requirements for cybersecurity. Sensitive research fuels everything from military operations to economic growth, which should make educational organizations acknowledge and protect such information through data security.

ID Agent to the Rescue:  BullPhish ID simulates phishing attacks and conducts security awareness training campaigns to educate your employees, making them the best defense against cybercrime. Click the link to get started: https://www.idagent.com/bullphish-id.




In Other News:

Celebgate 2.0: attacks on the Apple accounts of musicians and athletes

A Georgian man has confessed to hacking the Apple accounts of NFL and NBA players, along with famous musicians. By creating fake accounts and impersonating Apple’s customer service, Kwamaine Jerell Ford was able to send phishing emails that coaxed victims into providing their login credentials as early as 2015. Once he had taken over the accounts, he would change the email addresses and passwords, and proceed to purchase air travel, hotels, and furniture.

With credit card information from Apple in hand, he was also able to transfer money to his own online payment accounts. Ford has pleaded guilty to one count of computer fraud and one count of aggravated identity theft. He will be sentenced on June 24.

Such an incident serves as a strong reminder of just how much damage can be inflicted through phishing. To prevent this highly effective form of cyberattack, small businesses and security providers invest in solutions that are specifically designed with customers and employees in mind, and able to proactively stop phishing campaigns in their tracks. Enter BullPhish ID!

https://www.techspot.com/news/79447-man-pleads-guilty-hacking-apple-accounts-famous-musicians.html


What We’re Listening To:

Know Tech Talks
Security Now
Defensive Security Podcast
Small Business, Big Marketing – Australia’s #1 Marketing Show!
IT Provider Network – The Podcast for Growing IT Service
TubbTalk – The Podcast for IT Consultants
Risky Business
CHANNELe2e



A note for your customers:

UConn’s $5M data breach lawsuit

The University of Connecticut Health Center has been served a class action lawsuit over a data breach that resulted in the exposure of 326,000 current and former patients. Yoselin Martinez and others are seeking $5M in damages, alleging that the university not only took months to report the breach, but could have done more to prevent it. Martinez claims that her bank account has been defrauded and overdrawn due to the information that was compromised during the breach.

The attack was discovered in December of last year, when an unauthorized party was able to access an employee’s email account and compromise names, DOBs, addresses, medical information, and SSNs. With the public eye scrutinizing organizational efforts to protect their customers and employees, small businesses must catch on early and begin working with MSPs to bolster new cybersecurity initiatives.

https://www.scmagazine.com/home/security-news/data-breach/uconn-health-center-hit-with-5m-suite-over-breach/


 Are you an ID Agent Partner? Feel free to re-use this blog post (in part or in entirety) for your own social media and marketing efforts! Just send an email to [email protected] to let us know!

Not a Partner? Learn more about Dark Web ID™ and the benefits it holds for your Business. Contact us today!