At a glance.
- Third-party breach exposes recipients of letters from local authorities, bank.
- Opening of school disrupted by ransomware in several US cities.
- More Blackbaud casualties.
Third-party breach affects bank, local governments, and others using a mail management service.
A data breach at London-based third-party mail service provider Virtual Mail Room has exposed details derived from more than fifty thousand letters sent by British banks and local authorities, WIRED reports. Virtual Mail Room disclosed an unspecified attack to the Information Commissioner's Office. According to Public Sector Executive, Virtual Mail Room offers its customers "the ability to upload documents, contact lists and track the progress of mail-outs and generate reports." The data exposed included names, addresses, and the type of letter sent, but not the specific contents of the letters themselves. Many of the recipients were in some kind of economic difficulty brought on by the COVID-19 pandemic. WIRED says that Metro Bank, fourteen local councils, publishing giant Pearson, and insolvency specialist Begbies Traynor were among Virtual Mail Room's customers.
Javvad Malik, Security Awareness Advocate at KnowBe4, sent these comments on the incident:
"This is an unfortunate exposure of sensitive personal information which the regulators will undoubtedly be taking interest in. In many cases, these kinds of incidents can be pinned down to a lack of security culture within an organisation. When there is a culture of security, all aspects of the business are scrutinized through a security lens. This would include adequate security testing, assurance and monitoring controls, in addition to security awareness training for staff and robust procedures to support it all.
"In today's day and age, all data is vitally important to secure, particularly information relating to individuals, their address, and any financial information. Criminals can use this information to launch targeted attacks against individuals which can be difficult to spot or recover from."
Back-to-school ransomware in several US cities.
A number of US school districts, already stressed by the unfamiliarity of distance-learning systems whose use the COVID-19 pandemic has imposed on them, are recovering from a range of cyberattacks. A few, like the distributed denial-of-service attack the Miami-Dade Public Schools sustained last week, were essentially cyber-enabled truancy ("so easy a teenager could do it," WPLG sniffed haughtily—a lot of teenagers, we should note, have experience with booters, some of it gained in their play of online games). But ransomware seems to have been more common. The case of the Hartford (Connecticut) Public Schools is representative: a ransomware infestation forced a delayed opening. Schools in Toledo, Ohio (as reported by WTOL) and Clark County, Nevada (in an incident described by the AP) were among the larger systems similarly afflicted. Schools are reopening as they’re able, but Tuesday’s planned first day was, for many students, disrupted.
Cyber security specialist Melody J. Kaufmann of Saviynt recommended that organizations facing heightened risk of ransomware attack devote some attention to the benchmarks offered by the Center for Internet Security:
"Ransomware threats are a pervasive threat that organizations face. The only effective means of dealing with ransomware is to implement proactive controls. A rigorously adhered to patch management schedule makes organizations harder targets. Hackers look for low-hanging fruit and frequently target well known exploitable vulnerabilities, which often have manufacturer patches. Combined with basic system hardening such as implementing the benchmarks outlined by the Center for Internet Security strengthens security decreasing bad actors’ opportunities to gain the elevated privilege that allows ransomware to take hold. Securing the end-user through effective training creates a first-line of defense from security’s weakest link, the human element. End-users that understand the danger of opening questionable links, emails, and attachments avoid taking these risky actions thus thwarting ransomware attacks."
It’s not difficult to see why schools have been appealing targets. Ransomware operators are attracted to targets during periods of heightened vulnerability, and schools attempting to operate either fully remotely or in some hybrid combination of distance and in-person instruction present criminals an opportunity. They depend upon high availability, they have a large number of users and a difficult-to-control attack surface, and, as we mentioned above, remote instruction remains an unfamiliar process, complex and fraught with unfamiliar challenges in planning and execution. James McQuiggan, Security Awareness Advocate at KnowBe4, also sees a connection to the recent holiday, since holidays are often seen as propitious times for attacks:
"Cybercriminal groups leverage a nation's holiday for these attacks because the amount of staff working [is smaller] and are less likely to act if an attack is discovered. Additionally, they continue to target organizations of all sizes and industries who are potentially understaffed or overworked. With the ransomware attacks over the past ten months becoming more dangerous, organizations should consider a ransomware attack as a data breach and a potential loss of data. Strengthening the human layer is an essential step in catching threats that make it through an email filter. Organizations should have robust security awareness training for their employees to recognize socially engineered emails and take the necessary action by reporting them internally to their IT department. Working with third-party security experts and law enforcement is also an important step organizations can implement to reduce downtime and productivity loss."
More casualties in the long-running Blackbaud third-party data breach.
The University of Missouri has disclosed that its donors' personal information may have been compromised in the Blackbaud breach, Government Technology reports. One institution's disclosure is representative.
Some healthcare systems were also affected: University of Kentucky Healthcare (according to the Louisville Courier-Journal), Boulder Community Health (as reported by the Longmont Times-Call) and Atrium Health (according to Government Technology).