At a glance.
- Update on the Alaska DHSS breach.
- EventBuilder flaw exposed user information.
- Slots knew about your medical insurance? Who knew?
- Afghan interpreters' personal data exposed in UK MoD email misstep.
Update on Alaska health department data breach.
The Department of Health and Social Services (DHSS) of the US state of Alaska has released additional information on a May cyberattack, confirming the incident might have exposed the personal health data of Alaskan residents. Though there’s no evidence the exposed data was stolen, and the exact number of potential victims has not been determined, Health and Social Services Commissioner Adam Crum told Governing, "It is a fair statement to say that any Alaskan could have been compromised by this." DHSS has not identified the specific threat actors behind the attack, but evidence suggests the attackers were a sophisticated cybercrime group backed by a foreign nation-state.
Security Week explains that the breach was the result of the exploitation of a vulnerability in a DHSS website server, and while there is no reason to believe the attackers still have access, precautions have been taken to secure the networks against further intrusion. GovTech reports that the compromised data include Social Security numbers, dates of birth, driver's license numbers, and health and financial information. The Record by Recorded Future notes that all breached systems remain offline, which includes systems used to perform background checks and request birth, death, and marriage certificates. These processes are currently being handled in person or over the phone, and a DHSS spokesperson told CNN, "There is still no timeline for when all services that are currently offline will be back online."
Webinar app flaw exposes attendee data.
A (now fixed) security bug in event management app EventBuilder led to the potential exposure of the data of over 100,000 online event attendees. The Daily Swig explains that the issue was connected to a feature that allows hosts to record webinars for link-only access. Due to a misconfiguration, webinar data like full names, company names, job titles, and webinar questionnaire responses were stored in an unsecured Microsoft Azure Blob. Security researcher Bob Diachenko stated, “The flaws are quite serious. We are glad we’ve discovered them, and not hackers, and made the company aware of the possible misuse of the data so they could fix it before anything bad happened.” Though there is no evidence the data were misused, the incident highlights the inherent potential weaknesses of web applications that are connected to cloud storage.
Unlucky slots company gambles away medical data.
Nevada Restaurant Services (NRS), owner of US slot machine parlor chain Dotty’s, has disclosed a breach in which an intruder gained unauthorized access to customer data including Social Security numbers, driver’s license and ID card numbers, passport numbers, and payment card info. Biometric Update notes that strangely, the compromised info also comprised medical data like health insurance information, treatment details, and unspecified biometric data, raising questions about why this info was being stored at all. NRS states they have added “further technical safeguards to its environment,” and the company is offering free identity protection services to all impacted customers.
Afghan interpreters' personal information exposed.
Forces Net reports that the UK's Ministry of Defence has apologized for, and is investigating, a data breach that exposed the emails of about 250 Afghan interpreters. The interpreters were left behind in Afghanistan following the hasty departure of US-led forces from that unfortunate country. The incident appears to have been the result of a mistake, but those affected are now exposed to increased risk of Taliban persecution. The Guardian quotes a Ministry of Defence representative as saying, “An investigation has been launched into a data breach of information from the Afghan Relocations Assistance Policy team. We apologise to everyone impacted by this breach and are working hard to ensure it does not happen again. The Ministry of Defence takes its information and data handling responsibilities very seriously.”
Trevor Morgan, product manager with data security specialists comforte AG, sees at least three important issues here:
“The report that the MoD accidentally shared sensitive PII about over 250 Afghan interpreters demonstrates three critical points. One, the majority of data breach incidents actually stems not from brilliant technical maneuvers carried out by genius hackers but from simple human error. Anyone who’s fallen prey to the “Reply to All” gaffe can associate with the situation and commiserate with the instigator. In this case, mistakenly copying these people’s email addresses, though, could have dire consequences for the unfortunate data subjects.
"Two, while governments exist to serve citizens, all these governing organizations consist of people all prone to human error. Perfection exists nowhere, so we should expect that these errors can and will occur everywhere—yes, even in your company.
"And three, the only way to prevent or at least mitigate the consequences of human error like this is to continue to institute within every organization and enterprise a very strong culture of data privacy encouraging people to slow down, double- and triple-check human input especially when it deals with sensitive information, and always keep in mind the potential consequences of data leaks and breaches triggered by simple mistakes.
"Couple that last one with effective data-centric protections, such as tokenization, that can replace sensitive data elements with innocuous and indecipherable tokens, and you have a good chance of avoiding these types of embarrassing and potentially dangerous incidents. The people deserve no less.”
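One control that addresses Morgan's third point, as an added example that is not from the original briefing or from comforte AG: a pre-send check on outbound drafts that flags a message with many external recipients placed in To or Cc, the pattern behind the MoD incident. The threshold, domain names and sample drafts below are constructed for the example.

```python
import email
from email import policy

# Above this many external addresses visible in To/Cc, the draft is flagged.
# Constructed threshold for this example; tune it for your own environment.
MAX_VISIBLE_EXTERNAL = 10

# Constructed sample draft: many unrelated recipients placed in To, so every
# recipient learns the addresses (and the context) of all the others.
LEAKY_DRAFT = """From: relocations@example.gov.test
To: applicant01@mail-a.test, applicant02@mail-b.test, applicant03@mail-c.test,
 applicant04@mail-a.test, applicant05@mail-d.test, applicant06@mail-b.test,
 applicant07@mail-e.test, applicant08@mail-a.test, applicant09@mail-f.test,
 applicant10@mail-b.test, applicant11@mail-g.test, applicant12@mail-c.test
Cc: caseworker@example.gov.test
Subject: Update on your application

Please find attached an update on your case.
"""

# The same message with the applicants moved to Bcc (not visible to each other).
SAFE_DRAFT = LEAKY_DRAFT.replace(
    "\nTo: applicant01", "\nTo: relocations@example.gov.test\nBcc: applicant01")


def visible_recipients(raw_draft: str) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc (not Bcc)."""
    msg = email.message_from_string(raw_draft, policy=policy.default)
    found = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            found.extend(a.addr_spec.lower() for a in header.addresses)
    return found


def check_outbound(raw_draft: str, internal_domain: str) -> dict:
    """Flag drafts that expose many external recipients to one another."""
    visible = visible_recipients(raw_draft)
    external = [a for a in visible if not a.endswith("@" + internal_domain)]
    domains = {a.rsplit("@", 1)[1] for a in external if "@" in a}
    # Many externals from several domains in To/Cc looks like a mass mailing
    # that should have used Bcc (or one message per recipient).
    flagged = len(external) > MAX_VISIBLE_EXTERNAL and len(domains) > 1
    return {"visible": len(visible), "external": len(external),
            "domains": len(domains), "flagged": flagged}
```

Wired into a mail gateway or client plugin, a flagged result should block the send and ask the author to confirm Bcc or individual delivery before the message leaves the organisation.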