At a glance.
- Toll Group data exposed during its ransomware incident.
- Magellan Health breached (also by ransomware).
- WeLeakData was itself the victim of a breach, and data theft.
- Privacy implications of COVID-19 contact tracing.
Toll Group discloses data loss during ransomware incident.
Australia's Toll Group has confirmed that it lost data in the course of the ransomware attack it recently sustained. The logistics company, which has declined to pay ransom, had suffered various operational disruptions, and has now concluded that employee information had also been placed at risk.
Magellan Health breached.
BleepingComputer reports that Magellan Health, a large US managed care and insurance provider, has also discovered that it had been the victim of a ransomware attack. The incident compromised personal data including names, addresses, employee ID numbers, and various details from US W-2 or 1099 tax forms. The company has brought in Mandiant to investigate and assist with recovery. A letter to affected stakeholders said that no fraud had so far been detected, but of course the incident remains under investigation. Magellan said that the ransomware arrived in a phishing email that misrepresented itself as coming from a customer.
Colin Bastable, CEO of security awareness training company Lucy Security, commented by email:
“Phishing emails are used in over 92% of all data breaches, and healthcare is the number one target for hackers. Ransomware attacks are incredibly disruptive and expensive to mitigate, and with so many staff working remotely all organizations are highly vulnerable. Mandiant is a highly regarded company, so Magellan Health has reacted positively. One wonders if tokenization might have been effective in preventing the hackers from stealing viable data. Today, everyone who has not been hacked should thank their lucky stars and train their employees to spot and report phishing emails. Up to 30% of untrained employees will fall for such a phishing email. Security awareness training identifies those people and delivers a 10-fold reduction in the success rate of social engineered attacks.”
WeLeakData has been compromised.
WeLeakData, a hacker forum known as, among other things, a place where criminal hackers can go to count coup, disappeared in April amid rumors that something had happened to its proprietors. BleepingComputer has an overview of the site's recent troubles. Those troubles apparently include the loss of much of the forum's data. Researchers at Cyble say they've determined that WeLeakData wasn't, as rumor initially had it, taken down by law enforcement, but rather that the site itself was breached. After it went offline, much of its material quickly reappeared under a new brand: "Allegedly, the site was sold to a new member of the forum, and came back online. Around the same time, we noticed a new fork cracking site – leaksmarket[dot]com which was strikingly the same site (operated by a new actor with no credibility), with all the same content." But then the original site returned, and it became evident that WeLeakData had been compromised, and its (stolen) data stolen. Among the more interesting information taken and posted were the contents of hacker chats. That information included not only the content of messages, but also email addresses, usernames, passwords, and IP addresses.
Trevor Morgan, product manager at comforte AG, commented in an email:
“The biting irony of the situation aside, the serious takeaway is that no data is safe. Not even the data generated, collected, and stored by the people engaged in intrusion and data theft, by those who know intimately how defense tactics can be overcome for their own purposes (and potential gain). The presumption that your security measures are enough and foolproof leads to complacency and potentially damaging exposure. It’s a cautionary tale for any organization engaged in legal corporate activities to rethink everything about how you’re protecting sensitive, mission-critical data. If exposure of leaked data can happen to knowledgeable threat actors, then it can certainly happen to you.
“Always assuming that your defenses can be breached and that sensitive data can be accessed and exposed (or leaked) is the starting point of a strong data-centric security posture. By employing data-centric security measures such as tokenization, which renders sensitive data meaningless while within the confines of your corporate workflows, you can be better assured that data leaving your protected perimeter, either intentionally or unintentionally, won’t compromise your organization. In this way, you safeguard not only your best interests but also those of your customers, partners, and anyone else with whom you do business.”
And KnowBe4's Security Awareness Advocate, Javvad Malik, observed:
"There is no honour among cyber thieves. All credentials and private data such as chat data have some value, and the private conversations of WeLeakData are no exception. It should be a reminder for all organisations of all sizes and nature, that they should invest in cybersecurity, because even data which they feel may be of little value, always has value to criminals."
COVID-19 contact tracing: privacy and data security.
In the European Union, the European Telecommunications Standards Institute (ETSI) is working on a set of standards designed to ensure the efficacy and interoperability of any technology developed to help contain COVID-19 through data collection and analysis, ComputerWeekly reports. The aim is "to enable the development of interoperable systems to automatically trace and inform potentially infected users in addition to manual notification methods, while preserving users’ privacy and complying with relevant data protection regulations." This goal is predicated on the conviction that the most effective way to contain the spread of the disease is by using contact tracing to break the chain of transmission from infected to uninfected persons.
In the UK, where trials of an NHSX-developed app have been in progress on the Isle of Wight, Parliament's Joint Committee on Human Rights has asked Health Secretary Matt Hancock to support proposed legislation that would put privacy safeguards in place for the technology. The proposed Contact Tracing (Data Protection) Bill 2020, ComputerWeekly writes, provides for the “regulation of the processing of information in respect of contact tracing for Covid-19, and for connected purposes.” It would appoint a new Digital Contact Tracing Human Rights Commissioner responsible for overseeing the privacy aspects of technologies deployed to track the spread of the disease.
As the nation looks to increased public health surveillance as a crucial tool to re-open an economy battered by COVID-19, serious concerns about privacy and data security abound.
John Dermody, counsel in the Washington, D.C. office of international law firm O’Melveny & Myers, and a member of the firm's Data Security and Privacy Group, commented on the general effects contact tracing seems to be having:
“The coronavirus has forced us to re-evaluate many fundamental beliefs, including our expectations of privacy. When it comes to COVID contact tracing, privacy and public health imperatives are aligned. Contact tracing applications are only going to be effective if there is widespread adoption and regular use. And that is only going to happen if people trust that their data will be protected and used appropriately.
“Hackers will pursue that data not just for its value, but potentially for the more nefarious goal of seeding distrust in the public health response. Protecting the security of the information will be a no-fail mission.”
He predicts that contact tracing will contribute to a post-pandemic new normal for privacy expectations.