At a glance.
- Report: Medical AI firm exposes patient data.
- Fake profiles exposed in data breach.
- Grief counts coup at NRA.
- Scoolio app exposed students' data.
Medical AI company exposes (dummy, test) patient data.
The researchers at Website Planet disclose they discovered an unsecured database containing nearly 900 million records of medical data connected to Deep6.AI. (Note: the data were from a test database, not from an actual patients' database.) The California-based software company provides AI-enabled patient-trial matching, and a recent press release explains they work with “dozens of leading research institutions including 6 NCI-designated comprehensive cancer centers, 30,000 healthcare physicians and other providers, 30 million patients, and thousands of active trials.” The researchers notified Deep6.AI about the exposure and the company swiftly secured the database, which was in any case not connected to production systems.
Note added 10.28.21. Clarification: the data records were from a test database containing dummy data. No actual personal data were exposed.
Deep6 explains what occurred, and they've confirmed that "there was no access to real patient records":
"Despite recent claims, no personal or patient health data was accessed, leaked or at risk from a Deep 6 AI proof-of-concept database.
"In August, a security researcher accessed a test environment that contained dummy data from MIT's Medical Information Mart of Intensive Care (MIMIC) system, an industry standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems.
"Based on current reporting, we have confirmed that the recent claims reference MIMIC data, and there was no access to real patient records. When the researcher notified us in August, we immediately secured the test environment to ensure there was no further concern.
"Data security and privacy is a top priority at Deep 6 AI, and the responsibility to protect data is at the core of our business and top-of-mind for all our people."
Thus, again, only test data were involved, not information about actual patients or their treatment.
Employment agency breach exposes fake profiles.
The Desorden Group ransomware gang has taken credit for the data breach of a Singaporean employment agency that seemingly exposed the data of 40,000 job applicants. However, Dorothy Neo, the managing director of Protemps Employment Services, told the Straits Times that the majority of the profiles compromised were fake, sent to the company from spam accounts. To be exact, she claims that only about twenty-five hundred of the accounts were real, and of those, only about three hundred contained full profile details. Neo also says Protemps has not yet received a ransom request from Desorden. The Personal Data Protection Commission has been notified of the incident and an investigation is ongoing.
Grief compromises National Rifle Association member data.
The Russian ransomware group Grief claims to have stolen data from the US National Rifle Association (NRA), NBC News reports. The hackers have already posted thirteen files of alleged NRA data on their leak site and have threatened to publish more if not paid a ransom. The NRA has not commented on the incident beyond posting a tweet explaining that the association “does not discuss matters relating to its physical or electronic security." As the Daily Beast explains, the data seem related to national grant requests and minutes from an internal meeting. Complicating matters, many experts believe Grief is the reincarnation of the group previously known as Evil Corp, which is suspected of responsibility for the recent attack on Sinclair Broadcast Group and is currently under sanctions by the US Treasury Department. In other words, paying up is not only a bad idea, but could be illegal.
Paul Bischoff, privacy advocate at Comparitech, reminds victims that there's no particular reason to think that a gang will destroy stolen data, even if the ransom is paid: “NRA members should take steps to protect themselves from any repercussions that might arise as a result of this breach. Hint: a gun won't help. Even if the NRA pays the ransom, there is no guarantee that Grief will destroy the stolen data.
"The inclusion of tax forms is particularly concerning because cybercriminals can use them to perpetrate tax fraud. Be sure to file taxes early and make sure no one else files in your name."
Tim Erlin, VP of Strategy at Tripwire, noting that "It’s hard to shoot your way out of a cyberattack," wrote about the importance of prevention:
"It’s always better to prevent a successful ransomware attack than respond to one. It might seem like an impossible task, but keep in mind that unsuccessful ransomware attacks rarely make the headlines. Ensuring that systems are securely configured, that vulnerabilities are patched, and that users are as well trained as possible to spot phishing attempts can go a long way to making the attacker’s job more difficult.”
Tony Pepper, CEO of Egress, sees a possibility that Grief is using political pressure as leverage:
“The NRA appears to be the latest victim in an ongoing wave of ransomware attacks carried out by Grief. While it’s unclear whether this attack is politically motivated or simply hackers looking for a payday, posting the NRA’s internal files publicly could be a move to turn up the pressure on the NRA to pay a ransom. As long as there’s a chance organizations will continue to pay out, they’ll continue to be an attractive target for ransomware. Phishing emails are by far the most common entry point for ransomware attacks, and in today's threat landscape, all organizations need robust security solutions in place to truly protect their employees against the daily deluge of malicious emails.”
Data exposure at student community app.
An API bug discovered in Scoolio, a student community platform popular among schools in Germany, has led to the exposure of the data of 400,000 users, Bleeping Computer reports. The app’s development was supported by three state-owned investment groups, and the app has become a standard tool in many German classrooms. IT security collective Zerforschung’s Lilith Wittmann, who discovered the flaw, says the compromised data includes user GPS location, school names, UUID details, and even personal details like religion and sexuality. It’s worth noting that although Scoolio claims to have 1.8 million users, Zerforschung believes the number is far lower because the app inflates its numbers: “As soon as you download the app and open it once, an empty profile with a UUID is generated - regardless of whether you actually want to create a user account.” Zerforschung also feels it took Scoolio too long to resolve the issue once they learned of it, as it was reported on September 21 and not fixed until October 25. Scoolio CEO Danny Roller responded, "Fortunately, after extensive testing, we can confirm that no user data was intercepted by third parties prior to the investigation by Ms. Wittmann and we have successfully closed the gaps found."
Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, wrote to explain some of the difficulties API vulnerabilities present to software users:
“Most of the modern web applications have serious vulnerabilities in their APIs and web services. Some vulnerabilities allow executing remote code and taking full control of the remote system. Such security flaws are usually undetectable by automated scanning tools due to their exploitation complexity. Few software developers have the requisite security skills to make complex cross-application eco-systems secure, while usage of a multi-cloud environment and containers boosts complexity and exacerbates the situation.
"This specific incident may trigger serious legal ramifications under GDPR; moreover, the unreasonably long period to fix a fairly simple flaw will likely cause a higher fine if a competent DPA decides to impose monetary penalties. The sensitive nature of the exposed data, if misappropriated by cybercriminals, can foster targeted phishing campaigns, identity theft and financial fraud.
"All companies that operate large web systems that handle personal or other types of regulated data should consider implementing a Secure-SDLC program that would include, among other things, continuous security monitoring and regular penetration testing. Systems like WAF or RASP can be used to detect and prevent exploitation of vulnerabilities in a timely manner while developers are working on patches.”