At a glance.
- Accidental data exposure at Klarna.
- Update: HSE ransomware incident and data breach.
- Update: Scripps Health recovery from cyberattack.
- Security camera glitch overshares.
- Comment: Canada Post breach.
- Comment: Fujitsu breach.
- Privacy implications of a medical research program.
Klarna users seeing strangers’ accounts.
Swedish fintech giant Klarna is grappling with an accidental data exposure, Sifted reports. Last week users reported they were being erroneously logged into other users’ accounts, giving them access to private account info like purchase histories and partial credit card numbers. Klarna shut down the app temporarily and released a statement emphasizing that the incident, which lasted only around thirty minutes, was the result of a bug, not a cyberattack, and that the data exposed is deemed “non-sensitive” by the General Data Protection Regulation. The timing of the breach isn’t ideal, as the company is on the cusp of a $40 billion deal with Softbank.
We received comments from David Stewart, CEO of Approov, who notes that accidents and attacks alike imperil data:
"It's hard to say what caused this issue without more data, but it has all the hallmarks of a BOLA (Broken Object Level Authorization) vulnerability. Our recent security research into mHealth apps and APIs surfaced similar issues. The key lesson is understanding the importance of ensuring that the user getting the data is really authorized to do so, and that this needs to be tracked all the way down the backend stack, not just on the perimeter."
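The BOLA pattern Stewart describes, shown as an added example (not Klarna's or Approov's code, and not a claim about what actually went wrong at Klarna): a lookup that trusts whatever object id it is handed, beside a hardened version where the ownership check sits in the data-access layer so every code path that reaches a record must carry the caller's identity. Record ids, user ids and the `Purchase` fields are constructed sample data.

```python
# Added example: object-level authorization enforced next to the data lookup,
# not only at the API perimeter. All ids and records below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Purchase:
    purchase_id: int
    owner_id: int
    description: str
    card_last4: str  # partial card number, the kind of field exposed at Klarna


# Constructed sample store: two users, three purchases.
PURCHASES = {
    101: Purchase(101, owner_id=1, description="headphones", card_last4="4242"),
    102: Purchase(102, owner_id=2, description="jacket", card_last4="1881"),
    103: Purchase(103, owner_id=1, description="lamp", card_last4="4242"),
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


def get_purchase_unchecked(purchase_id: int) -> Purchase:
    """BOLA-prone: returns whatever id it is given, regardless of who asks."""
    return PURCHASES[purchase_id]


def get_purchase(purchase_id: int, caller_id: int) -> Purchase:
    """Hardened: the owner check is part of the lookup, so a web handler,
    batch job or admin tool cannot fetch a record without naming the caller."""
    purchase = PURCHASES.get(purchase_id)
    # One error for both "missing" and "not yours" so ids cannot be enumerated.
    if purchase is None or purchase.owner_id != caller_id:
        raise Forbidden(f"purchase {purchase_id} not accessible")
    return purchase


def purchase_history(caller_id: int) -> list:
    """List endpoint: filtered by the authenticated identity, never by a
    client-supplied user id."""
    return [p for p in PURCHASES.values() if p.owner_id == caller_id]


def handle_request(session_user_id: int, purchase_id: int) -> dict:
    """Perimeter handler: the session says who the caller is; the purchase id
    from the URL is untrusted and is passed down to the check, not trusted."""
    try:
        p = get_purchase(purchase_id, caller_id=session_user_id)
    except Forbidden:
        return {"status": 404}
    return {"status": 200, "description": p.description, "card_last4": p.card_last4}
```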
Updates on Ireland’s HSE breach.
Ireland’s Health Services Executive (HSE) continues to contend with last month’s Conti ransomware attack that exposed 700GB of data and disrupted services across the country. Cyber Security Hub reports the HSE will face General Data Protection Regulation fines and potential lawsuits from the compromised individuals. The National Cyber Security Centre has issued an advisory to help other organizations prevent such attacks. Donegal News reports that CHO (Community Health Organization) Area 1 is still working to restore their email system, and services like virtual group psychology sessions and COVID-19 testing referrals have been canceled.
The latest on the Scripps Health breach.
In more healthcare breach news, California hospital system Scripps Health is still dealing with the fallout from the cyberattack it experienced in May, Tech Republic reports. While an FAQ that Scripps released last week confirmed that the incident was a ransomware attack, CEO Chris Van Gorder explained they’re being tight-lipped about the details of the incident in order to preserve the ongoing investigation and restoration efforts. Though it’s clear Conti ransomware was used in the attack, efforts to identify the perpetrators have proven inconclusive. Sean Nikkel, senior analyst at Digital Shadows, explains, "To date, we have not seen evidence of any of the usual ransomware groups taking credit for the attack or threats to post data, which has been a hallmark for groups using the extortion angle lately."
Security cameras not so secure.
9News reports that a software bug in Eufy brand security systems has led to users gaining access to other customers’ camera feeds. Thousands of individuals in Australia, New Zealand, the US, Mexico, Cuba, Brazil and Argentina have reported that upon opening the app, they’re seeing footage of strangers’ homes instead of their own. In a Facebook apology, Eufy stated the issue was caused by a bug that surfaced during a routine server upgrade.
The Canada Post breach.
Insurance Business Canada reports on Canada Post's investigation of a third-party breach it sustained when one of its suppliers was hit by what was probably a ransomware attack, specifically an attack by a relatively new gang, Lorenz. Information related to more than nine-hundred-fifty-thousand customers was exposed. We heard from some industry sources on the incident.
James McQuiggan, Security Awareness Advocate at KnowBe4, suggests that understanding attacks like this involves returning to first principles:
"Cyber criminals work to achieve two things -- money and data they can sell for money. Data breaches where they can steal names, email addresses and phone numbers are a good source of revenue and can be added to more extensive, accumulated data from other breaches.
"It is cross-referenced to create and verify a digital profile of individuals. This action helps increase the confidence of the data for the cyber criminal to create targeted or spear phishing emails to lure the victim into clicking a link and gaining access to their system.
"The cyber criminals will leverage that connection of trust to the victim's friends and families to click a link or open an attachment that appears to come from them and continue the vicious cycle of having people fall victim to various social engineering attacks."
Demi Ben-Ari, CTO and Founder of Panorays, observes that even unlikely organizations can become victims of this sort of attack:
"You may not expect that a supplier that manages shipping data for a postal agency would be the entry point for a cyberattack, but that’s exactly what happened here. In this case, the data of 950,000 Canada Post customers was compromised after Commport Communications, its electronic data interchange solution supplier, became the victim of a malware attack. Cyber incidents such as these illustrate why it’s so essential for organizations from every industry to assess and continuously monitor all of their third parties in order to pinpoint and close cyber gaps. This can be accomplished most effectively with a combination of external attack surface assessments and customizable automated security questionnaires, while also considering business context."
The Fujitsu data breach.
BleepingComputer reports that the data breach at Fujitsu has had cascading effects on Japanese government agencies. And, as Chenxi Wang, Ph.D., Founder and General Partner, Rain Capital, pointed out in an email, the incident is likely to contribute to jitters around the Olympic Games:
"As the Olympics event approaches, more cyberattacks are expected targeting the Japanese infrastructure and government agencies. We don't know if this attack is tied to the Olympics, but it's clear that the attackers are going after widely deployed platforms, similar to the Solarwinds attack in the US. From the perspective of tactics, this does not feel like an economically-driven attack. Rather, this could be a nation state sponsored event, aiming to steal critical government data or disrupt national infrastructure operations."
Big data: efficiencies and attack surfaces.
The Wall Street Journal reports that Google and HCA Healthcare have concluded an agreement to use data from some thirty-two million patients to develop healthcare algorithms they hope will serve as useful tools for doctors to improve patient outcomes and develop new treatments. The potential risk to privacy hasn't gone unnoticed, as Dr. Al-Siddiq, CEO and founder of Biotricity, commented in an email:
“The biggest issue in healthcare is chronic patients who consume 70% or higher of healthcare dollars. The issue here is being able to predict and find issues before they occur. Having tech companies crunch this data can certainly lead to huge improvements in care for these patients and reduce risk. But, big tech is also known for storing and owning data, piercing privacy. Apple is known for blocking people out of their platform. Two AI ethicists were let go at Google for matters related to biases in the algorithms. We are moving in the right direction, but we are also blurring the lines between privacy, accuracy, and outcomes. All of tech wants more data to understand the consumer better. Sometimes that data helps in improving outcomes and sometimes it is only another way of collecting user data. We need to focus on striking a balance in privacy while addressing the gaps for chronic patients in order to improve outcomes and reduce costs.”