Please fill in the form below to subscribe to our blog

The Week In Breach 6/11/18 – 6/17/18

June 27, 2018

Breach news to share with your customers!

Highlights from The Week in Breach

 It should serve as no surprise, two of the breaches profiled this week occurred as the result of compromised email address and passwords. The particular events highlight the need to make password hygiene and compromised credential monitoring front and center.
This week also demonstrates that healthcare organizations are increasingly targeted by bad actors. Heathcare related PII/PHI is increasingly valuable and sought after in dark web markets and forums.  
 
A few more highlights…
 
– Malware on the move!  New Malware targeting Android phones making the rounds 
 
– Cortana… the weakest link? An exploit in Windows 10 was patched on Tuesday that allowed one to change passwords
 
– AI startup working on the United States drone program finds Russian malware on their server
 
– The Nigerian princes are back! This time, they want to be business partners…
 
There is a new mobile malware targeting Android phones, containing a banking Trojan, keyloggers, and ransomware. The malware, called MysteryBot will exfiltrate your data and send it back to LokiBot assets. While it’s still not in wide circulation, Android users should exercise caution when downloading apps both in and out of the play store. https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/
 
A vulnerability that used Cortana to access computer files even if the device was locked was revealed this week… just after patch Tuesday. https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140/
 
Across the globe, email scammers are a consistent source of problems for those who use the web. This week the FBI made 74 arrests across 7 countries and an email scam bust that targeted mid-sized businesses. The scam originated in Nigeria, the same country where the notorious ‘Nigerian prince’ email scam comes from. https://www.cnet.com/news/fbi-busts-international-email-fraud-ring-that-stole-millions/
 
Look out for suspicious .men! Some top-level domains are more likely to be malicious than others, with .men .gdn and .work being the most abused. If you open a .men link there is about a 50/50 chance that you are going to a site loaded with spam or malware. Check those hyperlinks! https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 
What we’re listening to this week!
 
 
 
 
Elmcroft Senior Living
Exploit: Outside actor.
Risk to Small Business: High: Lack of Data Loss Protection (DLP) and chain of custody leading to breach
Risk to Exploited Individuals: High: Elevated probability for Identity theft and fraud based on PII compromised.
Elmcroft: Recently ending its management of more than 70 assisted living, memory care, and inpatient hospital rehabilitation, Elmcroft was in wind-down mode when the breach occurred.

Date Occurred Discovered Occurred May 10th 2018, Discovered on May 12th
Date Disclosed Elmcroft made an official statement on June 8th, 2018
Data Compromised Names Date of birth Social Security Numbers Personal health information
How it was Compromised A third party had access to information being transferred from Elmcroft to the new management company
Customers Impacted
Residents Residents family members Employees Possibly others
Attribution/Vulnerability Undisclosed at this time.

https://www.mcknightsseniorliving.com/news/data-breach-puts-personal-information-of-residents-workers-at-risk-elmcroft-senior-living-says/article/772385/

 
Terros Health
Exploit: Phishing scam that compromised one account.
Risk to Small Business: High: Demonstrates phishing is still a primary tactic to generate exploits and how one compromised email account can end in a major breach.
Risk to Exploited Individuals: High: Sensitive personal information, Social Security numbers and medical information were leaked all of which can be used maliciously by an outside actor.
Terros Health: Phoenix-based mental health and addiction services provider.

Date Occurred Discovered April 2018
Date Disclosed June 8th, 2018
Data Compromised
Patient names Date of birth Social Security number
How it was Compromised
Phishing scam that compromised a single email account
Customers Impacted
1,600 patients
Attribution/Vulnerability One compromised email due to a phishing scam

https://www.bizjournals.com/phoenix/news/2018/06/10/terros-healthwarns-of-patient-data-breach.html

 
Clarifi
Exploit: Malware exploit to steal IP
Risk to Small Business: High: Demonstrates the need to harden security when dealing with Intellectual Property and being targets as a Federal Contractor/Supply Chain Sub-contractor.
Risk to Exploited IndividualsHigh: Highly sensitive military information is located at the company, making individuals who work their targets for state-sponsored hacking. Clarifi: An artificial intelligence startup based in New York involved in improving U.S. military drones.

Date Occurred Discovered November 2017
Date Disclosed June 2018
Data Compromised
Possibly customer data, although Clarifi denies that any data was compromised.
How it was Compromised Unclear, although the origin of the malware is believed to be Russian.
Attribution/Vulnerability Malware
Customers Impacted The company assures that no customer data was compromised

https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hackedhttps://cyware.com/news/ai-startup-clarifai-working-on-pentagons-project-maven-was-allegedly-hacked-by-russian-source-8a171b30

 
HealthEquity
Exploit: Compromised email.
Risk to Small Business: High: Demonstrates the need for compromised credential monitoring and implementing stronger authentication tools.
Risk to Exploited Individuals: High: sensitive personal information and Social Security numbers were accessed during the breach.
HealthEquity: Utah based firm that handles millions of health savings accounts.

Date Occurred Discovered April 11, 2018
Date Disclosed June 2018
Data Compromised Names of members HealthEquity ID numbers Names of employers Employers HealthEquity IDs Social Security numbers
How it was Compromised
An email account of a HealthEquity employee was compromised, and the outside actor was able to gather data for two days before the malicious activity was noticed by the company.
Attribution/Vulnerability Compromised employee email.
Customers Impacted 23,000

https://www.infosecurity-magazine.com/news/23000-individuals-affected-in/

 
Dixons Carphone
Exploit: Investigation ongoing.
Risk to Small Business: High: Breach response requirements of GDPR will significantly change how quick companies must disclose breach incidents and respond.
Risk to Exploited Individuals: High: Card data of customers was accessed by an outside actor.
Dixons Carphone: Electronics company located in the UK.

Date Occurred Discovered July 2017
Date Disclosed June  2018
Data Compromised Customer Cards Names Addresses Email addresses
How it was Compromised
The investigation is currently ongoing into how the breach happened, but it was only just discovered a little under a year after it happened.
Attribution/Vulnerability Unauthorized access to company data
Customers Impacted 5.9 million

An important takeaway from this week is the damage that a single compromised email account can have on an organization of any size. With one compromised email account, a bad actor can send countless employees malware from an unsuspicious and legitimate email, often times without the employee knowing their email is compromised.

 
Continuously educating your customers and prospects about current cyber breaches will drive home why they should update their cybersecurity protection, so share this information today. Below is sample messaging to send along and we love hearing our Partners’ marketing success stories! Let us know about your latest ones at [email protected].

Don’t let your business end up in the next Week in Breach. Make sure you and your employees’ passwords are strong, not reused or shared, and that your network credentials aren’t for sale by constantly monitoring the Dark Web with Dark Web ID™!


Haven’t considered Partnering with ID Agent? Find out how Dark Web ID™ can help you protect your customers’ credentials, upsell services and close new deals. Our Partner Relation Managers are also here to provide marketing and sales support that will show you how to increase your MRR with the help of our platform! Learn about ID Agent’s Partner Program now!