At a glance.
- Utah Imaging Associates data breach disclosed.
- Data released in UHC breach.
- GoDaddy discloses a breach.
- Meta delays end-to-end encryption for its social media platforms.
Data breach at Utah radiology center.
Security Week reports that radiology medical center Utah Imaging Associates disclosed it suffered a data breach in September in which unauthorized individuals gained access to files containing private data of over 580,000 former and current patients. The affected data include full names, birth dates, mailing addresses, health insurance policy numbers, Social Security numbers, as well as medical details like diagnoses and prescription info.
Hacker releases data stolen from California medical center.
United Health Centers of the San Joaquin Valley (UHC) experienced a data breach in August that resulted in stolen patient data being published on the dark web. The Business Journal explains that the “encryption event” occurred in August, and UHC discovered the data had been released on September 28. The compromised data include demographic and clinical information such as names, addresses, dates of birth, Social Security numbers, diagnosis, provider, and medication details. In a press release, UHC stated, “Once UHC has completed its investigation, which includes a detailed review of the potentially impacted data to determine the types of information involved and to whom it relates, UHC will provide written notice directly to impacted individuals.”
GoDaddy breach compromises data of over a million users.
Internet domain registrar and web hosting company GoDaddy has disclosed a data breach that compromised its managed WordPress hosting environment. According to a filing with the US Securities and Exchange Commission, the data of 1.2 million active and inactive users were exposed when an intruder gained access to a provisioning system designed to automatically configure new sites as customers create them.
As TechCrunch explains, the US-based company lets customers run their own WordPress installs on GoDaddy's servers. According to GoDaddy chief information security officer Demetrius Comes, an intruder used a compromised password to gain access to the provisioning system on September 6. GoDaddy discovered the breach on November 17, The Verge notes, and immediately locked the intruder out. In addition to email addresses and customer numbers, the original WordPress admin password, set at the time of installation, was exposed, and for active customers the sFTP and database usernames and passwords were also accessed, Security Week explains. For some active customers, SSL private keys, which an attacker could use to impersonate the customer's website, were also compromised.
GoDaddy says it has reset customer WordPress passwords and private keys, and is in the process of issuing new SSL certificates for those affected. However, the company has been tight-lipped about the cause of the attack and the identity of the attacker, as the investigation is ongoing. In an official statement, Comes said: “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.” It's worth noting that this is not GoDaddy's first recent customer data breach; The Hill adds that in May 2020 an incident exposed the web hosting account credentials of about 28,000 users.
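For a site owner on the affected plan, the items GoDaddy lists as exposed (the installation-time admin password, sFTP and database credentials) map to remediation the owner can do without waiting on the provider. The script below is an added example, not GoDaddy's or WordPress's own tooling: it rewrites the eight authentication keys and salts and the DB_PASSWORD entry in a wp-config.php, which invalidates every existing WordPress login cookie because those cookies are signed with the keys. It assumes the standard define( 'KEY', 'value' ); layout; the sample config is constructed for the example, and the new database password still has to be set on the database server separately.

```python
"""Rotate the secrets in a WordPress wp-config.php after a credential exposure.

Added example, not GoDaddy's or WordPress's tooling. Assumes the standard
define( 'KEY', 'value' ); layout. Rewriting the eight keys/salts invalidates
all existing login cookies; DB_PASSWORD must also be changed on the database
server, which this script does not do.
"""
from __future__ import annotations

import re
import secrets
import string

# Constructed sample wp-config.php fragment (not a real site's configuration).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_example' );
define( 'DB_PASSWORD', 'Exposed-Password-2021' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

# The eight constants WordPress uses to sign and salt its auth cookies and nonces.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters safe inside a single-quoted PHP string literal (no quote, no backslash).
_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

# Matches define( 'KEY', 'value' ); with arbitrary padding, as wp-config.php writes it.
_DEFINE_RE = re.compile(
    r"(define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*')(?P<value>[^']*)('\s*\)\s*;)"
)


def new_secret(length: int = 64) -> str:
    """A fresh random secret from the CSPRNG, 64 characters like WordPress's own generator."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def read_defines(config_text: str) -> dict[str, str]:
    """Map every define()'d constant in the config to its current value."""
    return {m.group("key"): m.group("value") for m in _DEFINE_RE.finditer(config_text)}


def rotate_secrets(config_text: str, rotate_db_password: bool = True) -> tuple[str, dict[str, str]]:
    """Return (rewritten config, {key: new value}) with the salts and, optionally, DB_PASSWORD replaced.

    Raises ValueError if any expected define() is missing, so a non-standard config
    is not silently left half-rotated.
    """
    targets = set(WP_SALT_KEYS) | ({"DB_PASSWORD"} if rotate_db_password else set())
    rotated: dict[str, str] = {}

    def _sub(m: re.Match) -> str:
        key = m.group("key")
        if key not in targets:
            return m.group(0)          # leave DB_NAME, DB_HOST, etc. untouched
        rotated[key] = new_secret()
        return f"{m.group(1)}{rotated[key]}{m.group(4)}"

    new_text = _DEFINE_RE.sub(_sub, config_text)
    missing = targets - rotated.keys()
    if missing:
        raise ValueError(f"config lacks expected define()s: {sorted(missing)}")
    return new_text, rotated


if __name__ == "__main__":
    new_cfg, changed = rotate_secrets(SAMPLE_WP_CONFIG)
    print(new_cfg)
    print("rotated:", sorted(changed))
```

Run it against a copy of the real file, write the result back, then set the new DB_PASSWORD on the database server and rotate the sFTP password in the hosting control panel; the old admin password should be changed from the WordPress dashboard, which the salt rotation forces everyone to log back in to anyway.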
We received a great deal of industry comment on the incident. Jim Taylor, Chief Product Officer for SecurID (an RSA Business) points out the foreseeable threats likely to appear as sequelae to any breach of this magnitude:
“This breach puts GoDaddy users—and ultimately their employees and clients—at greater risk of phishing attacks, account take-over, and brand impersonation. Ultimately the breach means that GoDaddy’s users should put even greater emphasis on authentication and verify a user is who they claim to be.
"Phishing, account take-over, and brand impersonation could create major damage to GoDaddy’s users: these attacks could enable hackers to scam customers, damage a brand’s reputation, make changes to their corporate website, expose business to GDPR violations, and more. Moreover, if the leaked GoDaddy credentials are the same or similar to other, third-party services or admin information, then cybercriminals could infiltrate a corporate network or launch a ransomware attack.
"While the unauthorized person used a compromised password to get access to GoDaddy’s systems, and it is still not clear whether the compromised password was protected with two-factor authentication, broadly speaking, passwords make for terrible security. In 2020, 80% of hacking-related data breaches involved brute force or the use of weak or stolen passwords. Every organization should try to eliminate as many passwords as possible specifically because of the risk that they pose. Moreover, some form of multi-factor authentication should be table stakes for every business.
"Passwords are difficult for legitimate users to remember and easy for hackers to guess – every business should try to eliminate passwords and go passwordless. At a minimum, every business also needs some form of multi-factor authentication to verify access requests.
"In its most recent fraud report, Outseer found that nearly half of all cyberattacks involved some form of brand impersonation. These leaked credentials could accelerate that trend—if a website or service that you’ve done business with in the past seems off, take a moment before handing over your account information or submitting an order. Ultimately, the same security practices apply to individuals as well as businesses: minimize your use of passwords and turn on MFA to make it harder for a hacker to access what they shouldn’t.”
Nick France, CTO of SSL at Sectigo, agrees that this breach will have consequences, particularly with respect to compromised certificates. And the breach arrived at an inauspicious time, the opening of the holiday season:
"Breaches like the GoDaddy incident where a large number of private keys are compromised will ultimately lead to events where the compromised certificates all need to be revoked in a very short space of time. The impact this can have on businesses reliant on those certificates can be significant - especially on holiday weeks such as this. It highlights the importance of ensuring all enterprises manage their certificates – regardless of which CA they are from – in one interface so that the impact of such events can be minimized.”
Ed Williams, Director, Trustwave SpiderLabs, agrees that the timing is particularly bad:
“A breach of this size is particularly dangerous around the holidays. Hackers try to take advantage of every new email address and password exposed in an attempt to launch phishing attacks and social engineering schemes. Enterprises, SMBs, and individuals using frequently targeted platforms like WordPress should ensure they are following strong password best practices: complexity, frequent password changes, not sharing passwords between applications, and multi-factor authentication. If possible, utilize an authenticator app to secure your account instead of traditional two-factor authentication via SMS – as hackers have recently been targeting users with specialized SMS phishing.”
Geoff Bibby, CMO of Zix | AppRiver, recommends general adoption of two-factor authentication, by GoDaddy, but also by its customers:
"Unfortunately, the data breach that has impacted GoDaddy is becoming a common occurrence for many companies. Organizations that handle massive amounts of customer data are increasingly being targeted by cybercriminals hoping to access the incredibly sensitive and valuable information they possess. Organizations that handle such valuable information must ensure they are taking appropriate measures to protect their data, especially since the affected customers are now at risk of additional phishing attacks.
"To prevent a data breach like this, organizations need to implement two-factor authentication (2FA), which provides an extra layer of security by making users confirm their identity and leverage end-to-end email encryption for any messages containing confidential or personally identifiable information. GoDaddy should also encourage customers to implement 2FA themselves and never reuse the same password on different services because if the service is compromised, attackers will try that same password for others.”
Ev Kontsevoy, CEO of Teleport, sees the root of the risk the breach exposes people to as passwords, simply passwords themselves:
"Today’s breach reported by GoDaddy, unfortunately, is destined to be another footnote on the ongoing list of data leaks caused by faulty password management. Earlier this year, we learned the hack that took down the Colonial pipeline was the result of a single compromised password. Passwords are everywhere, so eventually we’re going to see them leaked, intercepted or stolen.
"Because they pose a security risk, there is no other way to say it: passwords in our infrastructure have to go. But beware — not everything that replaces a password is a better choice. Only relatively simple, purpose-built security devices that use public/private key crypto, and that verify presence and identity through biometrics, are a good-enough replacement for passwords today.
"From headline-catching compromises to everyday annoyances, passwords are reaching the end of their usefulness. They are simply too difficult to keep track of and keep secure. As an industry, we need to build responsible systems that protect user data and prevent the critical infrastructure we maintain from being used to expose or compromise such data. Removing passwords from our infrastructure is one step towards this.”
Danny Lopez, CEO of Glasswall, wrote to draw attention to the need for a comprehensive approach to enterprise security:
“Reports of hackers gaining access to web hosting companies such as this is troubling, given the amount of data such businesses hold and the ramifications if it falls into the wrong hands.
"Organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.
"Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside.”
Matt Meehan, Chief Operating Officer at TokenEx, recommends that businesses remove sensitive personal data from internal systems:
“The incident that allowed an unauthorized person to use a compromised password to gain access to GoDaddy systems is the same old story. Password policies are critical to personal and business security.
"We encourage users not to repurpose passwords across systems and instead use lengthy and unique intricate passwords whenever possible in combination with two-factor authentication.
"Additionally, malware and other attack methods can bypass passwords. Before hackers can advance your credentials, we recommend using password managers to generate strong passwords or moving to biometric or physical keys for authentication.
"For more sensitive data like credit card numbers or other personal info, businesses can use tokenization to remove that data entirely from internal systems. That way, if a hacker does access company systems, they can’t take any useful information.”
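The tokenization Meehan describes, as an added example (not TokenEx's product): the application keeps only a token and the last four digits, while the full card number lives solely in a vault that in practice would be a separate, more tightly controlled service. The design choices are assumptions for the example: the same card number always yields the same token (via a keyed index, so the index itself reveals nothing), tokens carry no card digits beyond the last four, and tokens are deliberately not Luhn-valid so a leaked token can never be mistaken for, or used as, a real card number. The sample card number is a standard test value.

```python
"""Tokenization vault for card numbers: an added example, not TokenEx's product.

Assumed design: stable random tokens, same length as the PAN, keeping only the
last four digits, and never Luhn-valid so they cannot pass as real card numbers.
The vault is an in-memory dict here; in production it is its own service.
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check-digit validation for a digit string."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds PAN <-> token mappings; the only component that ever sees a full PAN."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # HMAC key for the lookup index
        self._by_token: dict[str, str] = {}  # token -> PAN
        self._by_index: dict[str, str] = {}  # HMAC(PAN) -> token, gives stable tokens

    def _index(self, pan: str) -> str:
        # Keyed hash, so a dump of the index alone cannot be brute-forced over the PAN space.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = "".join(ch for ch in pan if ch.isdigit())   # accept "4111 1111 ..." input
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._by_index:                         # same PAN -> same token
            return self._by_index[idx]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject collisions and anything that would itself pass a Luhn check.
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Return the PAN for a token; only the payment path should be allowed to call this."""
        try:
            return self._by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """The record the application's own database keeps: no PAN, only token and last four."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    record = store_order(vault, "4111 1111 1111 1111", 1999)   # standard test card number
    print("application sees:", record)
    print("vault resolves to:", vault.detokenize(record["token"]))
```

Because the application database and logs only ever contain tokens, an attacker who reaches them the way the GoDaddy intruder reached the provisioning system gets nothing usable; compromising the vault's index key alone is likewise not enough, since it maps PANs to tokens, not the reverse.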
Steve Moore, Chief Security Strategist at Exabeam, calls for organizations to train employees to recognize and deal with the abuse of compromised credentials:
"No matter how robust your security stack is, your organization will still be vulnerable to intrusions stemming from compromised credentials. According to the Verizon 2021 Data Breach Investigations Report, over 80% of breaches involve brute force or the use of lost or stolen credentials. Even the best organizations must manage this problem perfectly, and perfect is seldom possible.
"Proper training, feedback loops, visibility, and effective technical capabilities are the keys to defending against compromised insider and external adversaries.
"A helpful defender capability is the development of a baseline for normal employee behavior that can assist organizations with identifying compromised credentials and related intrusions. If you can establish normal behavior first, only then can abnormalities be known—a great asset in uncovering unknowingly compromised accounts."
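To make the baseline Moore describes concrete, here is an added example (not Exabeam's product) that learns, per user, the source networks and login hours seen during a quiet training window and then scores later successful logins against that profile. The log lines are constructed for the example and the line format (timestamp, user, result, source IP) is an assumption; a real feed would come from the provisioning system's authentication log. A login from a never-seen network at an unusual hour is exactly what a stolen password used from the attacker's own infrastructure looks like.

```python
"""Behavioral baseline for spotting use of compromised credentials.

Added example, not Exabeam's product. Builds per-user sets of source networks
and login hours from a training window, then flags later successful logins
that fall outside them. Log lines are constructed; the format is assumed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed training window for a provisioning system's auth log (not real data).
TRAINING_LOG = """\
2021-08-30T09:12:04Z alice ok 203.0.113.10
2021-08-30T10:45:31Z alice ok 203.0.113.12
2021-08-31T14:03:55Z alice ok 203.0.113.10
2021-08-31T08:59:12Z bob ok 198.51.100.7
2021-09-01T09:30:00Z bob ok 198.51.100.9
2021-09-02T11:15:40Z alice ok 203.0.113.11
"""

# Constructed later activity: one off-hours login from a new network, one normal
# login, a failed-then-successful login from that same new network, and a user
# with no history at all.
LATER_LOG = """\
2021-09-06T03:17:22Z alice ok 192.0.2.44
2021-09-06T09:20:10Z alice ok 203.0.113.10
2021-09-06T09:25:00Z bob fail 192.0.2.44
2021-09-06T09:25:07Z bob ok 192.0.2.44
2021-09-06T09:30:00Z carol ok 198.51.100.7
"""


def parse(log: str) -> list[tuple[datetime, str, str, str]]:
    """Parse 'timestamp user result src_ip' lines into (datetime, user, result, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def network_of(ip: str) -> str:
    """Bucket an address into its /24 (IPv4) or /48 (IPv6) so a DHCP lease change is not an anomaly."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_baseline(events) -> dict[str, dict[str, set]]:
    """Per user: the networks and hours-of-day seen on successful logins in the training window."""
    baseline = defaultdict(lambda: {"networks": set(), "hours": set()})
    for ts, user, result, ip in events:
        if result != "ok":
            continue                       # failures do not define "normal"
        baseline[user]["networks"].add(network_of(ip))
        baseline[user]["hours"].add(ts.hour)
    return dict(baseline)


def score_events(baseline, events) -> list[tuple[tuple, list[str]]]:
    """Return (event, reasons) for each successful login that deviates from the user's baseline."""
    findings = []
    for ev in events:
        ts, user, result, ip = ev
        if result != "ok":
            continue                       # only a successful login means the credential worked
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("no baseline for user")
        else:
            net = network_of(ip)
            if net not in known["networks"]:
                reasons.append(f"new source network {net}")
            if ts.hour not in known["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    profile = build_baseline(parse(TRAINING_LOG))
    for (ts, user, _, ip), reasons in score_events(profile, parse(LATER_LOG)):
        print(f"{ts.isoformat()} {user} from {ip}: {', '.join(reasons)}")
```

Two points the output makes: a login that fits the baseline on every axis (alice from her usual network at 09:20) produces no alert, so the analyst is not buried in noise, and the same new network touching two accounts within minutes is the kind of cross-account signal worth correlating once the per-user findings exist.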
End-to-end encryption in tension with child safety?
End-to-end encryption is normally associated with greater privacy and security, but child-safety advocates argue that the same protection can also shield abusers. Meta, the newly named parent of Facebook and Instagram, has announced that it will delay its plans to bring end-to-end encryption to its two flagship platforms until 2023 at the earliest, the Telegraph reports. The delay is prompted, according to the Guardian, by concerns over child safety. The fear, particularly in evidence among British officials and child-protection advocates elsewhere, is that end-to-end encryption will place children at risk by cloaking their abusers.
Ilia Kolochenko, Founder of ImmuniWeb, notes that there are different national practices, and that law enforcement really does need to look for ways of lawfully extracting data without help from app providers. And criminals do find ways of working in the interstices of different legal systems:
“While there is no clear legislation on mandatory decryption of communications made via messaging apps and services, we will probably remain in a stalemate situation. The 'privacy vs. security' impasse is exacerbated by divergent national legislation in many countries, spanning from national privacy laws to criminal procedure laws. What may be lawful in Texas may be unlawful in California, let alone France or Germany. We should also consider that different laws may apply to unlocking a mobile device when its owner refuses to provide a password and to seizing and decrypting stored communications from remote servers. Depending on the service provider and jurisdiction, different solutions may be faster and easier.
"Sometimes a process to get the requisite data from the provider may take months or even years, while the latter rarely have a duty to collaborate and oftentimes hinder investigations to play the 'privacy protection' card. Cybercriminals aptly profiteer from the unmanageable patchwork of legislation to safely communicate via legitimate messengers about their criminal activities or to lure new victims into traps. Encryption of communications doesn’t really matter today, as even if the communications are eventually decrypted in a year or so, it will be far too late and is unlikely to help apprehend the offenders or save the victims. This is why law enforcement agencies need to know and to leverage all possible opportunities to lawfully extract or intercept data without collaboration with the messaging apps.”