At a glance.
- Britain's Labour Party sustains a third-party data incident.
- The Office of the Australian Information Commissioner finds fault with a firm's data collection.
- US healthcare breaches.
- Unpatched flaw exposes data at the University of Colorado.
- Healthcare training platform suffers from exposed AWS S3 buckets.
Labour Party experiences third-party data incident.
The UK’s Labour Party has disclosed it suffered a data incident, probably the effect of a ransomware attack on a third party that handles the party's information. While an investigation to determine what data were impacted is still ongoing, the Party states, “We understand that the data includes information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party.” The Guardian notes that the Party currently consists of approximately 430,000 members and collects contact information and basic financial data like direct debit info. It’s unclear at this point whether the attack was intended to target Party data, or if Labour was just collateral damage, although Sky News says early evidence indicates a ransomware attack. This is not the Labour Party’s first member data breach, as it was one of the many entities affected by last year’s ransomware attack on cloud computing company Blackbaud.
Clearview AI ordered to cease operations in Oz.
After determining that US facial recognition software firm Clearview AI collected Australians' data without consent, the Office of the Australian Information Commissioner (OAIC) has ruled that Clearview can no longer gather images from websites and must destroy Australian data already collected, CRN Australia reports. Clearview uses photos scraped from social media in its facial recognition process, and the OAIC says their methods are a violation of Australian privacy laws. Information Commissioner Angelene Falk stated that Clearview’s techniques present "significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI's database…The covert collection of this kind of sensitive information is unreasonably intrusive and unfair.” The company disagrees with the decision and will ask the Administrative Appeals Tribunal to review the ruling. Mark Love, a lawyer for Clearview in Australia, stated, “Not only has the commissioner's decision missed the mark on Clearview AI's manner of operation, the commissioner lacks jurisdiction...Clearview AI has not violated any law, nor has it interfered with the privacy of Australians. Clearview AI does not do business in Australia (and) does not have any Australian users."
Healthcare breaches across the US.
In further evidence that the healthcare sector is being targeted by threat actors, several US medical providers have reported recent incidents. GovInfoSecurity reports that Community Medical Centers, a group of nonprofit health centers in the state of California, suffered a cyberattack that potentially exposed the PII and protected health data of at least 656,000 individuals. In nearby Nevada, Las Vegas Cancer Center has disclosed a Labor Day weekend ransomware attack that likely impacted thousands of patients. On the other side of the country, the Cumberland Times-News reports that the US Department of Health and Human Services’ Office for Civil Rights is investigating the surge of ransomware attacks in the state of Maryland. Former FBI supervisory agent Jason G. Weiss, currently of law firm Faegre Drinker Biddle & Reath, told GovInfoSecurity, “As long as threat actors continue to be successful with these types of attacks, not only will they not end, but they will continue to grow and become more prominent, more serious and more intrusive...The time to act is now.”
Software supplier breach impacts Colorado university.
Staying in the US, the University of Colorado Boulder (CU Boulder) has begun informing thousands of former and current students of a data breach that might have exposed their data. Infosecurity Magazine explains that the incident is the result of an unpatched flaw in software provided to the school’s Office of Information Technology (OIT) by Atlassian Corporation Plc, an Australian software company that supplies products for software development teams. Atlassian released a patch for the flaw on August 25, but CU Boulder says the OIT was still preparing to implement the upgraded software when the breach occurred. The school says the majority of the 30,000 potentially compromised individuals are former students or staff. No Social Security numbers or financial data were compromised, but the impacted info includes student ID numbers, addresses, dates of birth, phone numbers, and genders.
Comment on Facebook's retreat from facial recognition.
Paul Bischoff, privacy advocate with Comparitech, sent us a comment on Meta (formerly Facebook) and its decision to abandon facial recognition. He thinks the company is doing the right thing:
“Facebook is taking a step in the right direction by abandoning face recognition. Facebook didn't really specify why it's removing face recognition, but it could be preemptively planning for new regulations and court precedents regarding the technology. Clearview.AI, which was just ordered to delete face recognition data collected from Australians, is a prime example.
“Removing face recognition improves user privacy in a few ways. Notably, it means Facebook will get rid of what is probably the largest face template database in the world. If law enforcement or some other authority were to approach Facebook and coerce it to identify someone in a photo taken by a security camera, for example, Facebook could no longer do so. Additionally, users can no longer use Facebook's face recognition to identify and stalk people in photos.
“Earlier this year, Comparitech published its analysis of the top 100 most populated countries around the world for their use of facial recognition technology within the government, police, airports, schools, banking, workplaces, and on buses and trains.”
Student data exposed by medical training organization.
VPNMentor reports finding a large data exposure at Phlebotomy Training Specialists, a platform that connects people pursuing certifications in phlebotomy with training centers in several US states. ZDNet says the data included almost two-hundred-thousand files amounting to some 157GB of data.
Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver, wrote to comment on the attractiveness of both the healthcare and the education and training sectors to criminals:
“The healthcare and education industries continue to be a top target for cybercriminals who find new ways to obtain the endless sensitive patient and student information due to the organizations' requirements to store this data. In the case of the US medical training school, a server without authentication controls left the personally identifiable information (PII) of thousands of students exposed.
“This is a great reminder for organizations to examine their security solutions and evaluate their current authentication practices to ensure they are building the safest habits to protect themselves and the sensitive data that they store from bad actors. It is critical that authentication controls are not only in place, but that organizations take it a step further by deploying two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user's phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical. Additional password best practices to keep information secured include regularly updating passwords and ensuring that passwords are not recycled among services.
“To avoid simple errors that could lead to attacks and data theft, organizations should also make it a habit to deploy regular security audits to identify vulnerabilities and other suspicious behavior, allowing them to ensure sensitive data is routinely being backed up.”
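Gill's comment describes the authenticator-app form of 2FA, where the user submits a short code after their password. The following is an added example, not code from the page or from Zix | AppRiver: a minimal RFC 6238 TOTP generator together with the server-side verifier a deployment actually needs, namely a small clock-drift window, a replay check so a code captured in transit cannot be reused, and a constant-time comparison. The secret and timestamps in the demo are the published RFC 6238 test vector; the names TotpVerifier and secret_from_base32 are this example's own.

```python
# Added example (not code from the page or from Zix | AppRiver): an RFC 6238
# TOTP generator plus a server-side verifier. Names such as TotpVerifier and
# secret_from_base32 are assumptions for this illustration.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (T0 = 0, 30 s steps)."""
    return hotp(secret, at // step, digits, algo)


def secret_from_base32(text):
    """Decode the base32 secret shown in an authenticator-app provisioning QR code.
    Tolerates lower case, embedded spaces and stripped '=' padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check of a submitted code for one user.

    - accepts codes from +/- `window` time steps to tolerate clock drift;
    - never accepts a time step at or below the last one that succeeded, so a
      code captured in transit cannot be replayed within its validity window;
    - compares in constant time so timing does not leak how many digits matched.
    """

    def __init__(self, secret, step=30, digits=6, window=1, algo=hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self.last_counter = -1  # highest time step already consumed for this user

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used (or older than a used step): treat as replay
            expected = hotp(self.secret, c, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 Appendix B secret with 8-digit codes.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret, digits=8)
    code = totp(secret, 59, digits=8)  # "94287082" per the RFC test vectors
    print(code, verifier.verify(code, now=59), verifier.verify(code, now=59))
```

The replay rule is the part most often left out: without `last_counter`, a code phished or sniffed from the user remains valid for the whole drift window, which is exactly the interval an attacker has to use it. Per-user state (the last accepted step) has to live wherever the password hash lives, and the check should only run after the password has already been verified.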