At a glance.
- Data breach at a Georgia fertility clinic.
- Notes on the New York Law Department breach.
- mHealth apps and user data collection.
- TrickBot responsible for Ohio school cyberattacks.
- Catholic Health exposed by vendor breach.
Georgia fertility clinic suffers a data breach.
Reproductive Biology Associates, LLC, a fertility service based in the US state of Georgia that recruits egg donors, and then retrieves and stores eggs, disclosed that it had been subjected to a ransomware attack. BleepingComputer reports that Reproductive Biology Associates and its MyEggBank subsidiary realized they'd come under attack on April 16th after "a file server containing embryology data was encrypted and therefore inaccessible." The company's disclosure suggests that they paid ransom to secure a decryptor and to receive assurances that the data stolen had been destroyed: "Access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession."
Javvad Malik, Security Awareness Advocate at KnowBe4, pointed out that incidents of this kind ought to convince similar organizations that their risks aren't negligible:
"It's essential that all organizations take the threat of cyber attacks seriously and put in place layers of security to help protect, detect, and respond to any threats in a timely manner. These should be a mix of technical, procedural, and also human controls, to maximize the chances of preventing an incident.
"Organizations such as fertility clinics may consider themselves as lower risk than, say, hospitals, but the truth is that they have just as much sensitive personal information that is of value to criminals and can disrupt daily operations.
"Once data has been accessed by criminals, even if an organization can restore from backup or pay a ransom, there is no limitation of what the criminals can do with the stolen data. This can include selling the data on to other criminals or using the data themselves to attack unsuspecting victims."
New York Law Department breach result of inadequate security measures.
The New York Times offers an in-depth look at how a lack of multifactor authentication, a safeguard that has been required by the city for over two years, allowed an intruder to infiltrate the New York City Law Department’s network earlier this month by simply acquiring one employee’s email password. In addition to personal info on thousands of employees, the potentially exposed data included highly sensitive case information, and the breach caused major disruptions to court proceedings. The agency’s machines have been disconnected from the city’s network and an investigation is being conducted by the New York Police Department’s intelligence bureau and cyber experts from the Federal Bureau of Investigation. That said, as the perpetrator remains unidentified and no ransom has been demanded, motive remains unclear.
mHealth apps and user data collection.
A report published by Sydney’s Optus Macquarie University Cyber Security Hub has found that 88% of the nearly 21,000 mobile health apps available on the Google Play Store in Australia access and share users’ personal data with outside parties, WeLiveSecurity reports. Two-thirds of these apps were found to collect media access control identifiers or cookies, one-third collect email addresses, and one-quarter could determine a user’s location based on cell tower info. Though only about 4% shared that data with a third party, almost one-third of the apps offered no details about their privacy policy. For those that did have privacy policies, one-quarter were found to be operating in violation of those policies, and one-fourth transmitted user data via an unencrypted HTTP connection.
TrickBot responsible for Ohio school cyberattacks.
GovTech examines how the court proceedings following the cyberattacks on two Ohio schools shed light on the operations of TrickBot, the Russian cybercrime network responsible for the theft of tens of millions of dollars from organizations all over the world. In 2017, hackers infiltrated the Avon school system and stole $470,000 via a series of illicit wire transfers, and when attackers disabled the Coventry schools network in 2019, classes were disrupted and the district lost $80,000 in recovery expenses. A federal grand jury in Cleveland has indicted Latvian national and trusted TrickBot operative Alla Witte, and the action is being heralded as a major blow to the cybercrime network. “This indictment puts other Russian hackers on notice; you’ll be tracked down and brought to justice,” said Scott Jasper, senior lecturer at the US Naval Postgraduate School.
Catholic Health exposed by vendor breach.
Buffalo, New York, healthcare provider Catholic Health has suffered a third-party data breach, Spectrum Local News reports. Pharmaceutical software vendor CaptureRx informed Catholic Health that in February an unauthorized party accessed files containing patient names, dates of birth, and prescription data. Though no financial info was exposed, patients have been advised to monitor their accounts for any suspicious activity.