At a glance.
- Sennheiser investigates potential data breach.
- Phishing leads to compromise of healthcare operation in West Virginia.
- EMS crew in the Garden State reports data compromise (and it's not theirs).
- Raidforums member posts Bkav user data.
Accidental exposure of Sennheiser customer data?
German audio technology manufacturer Sennheiser is investigating the possibility of a data breach that may have exposed the information of over 28,000 customers. My Tech Decisions explains that the company was informed of the breach in October after researchers at vpnMentor discovered a cloud storage database that had been inadvertently left unprotected. Seemingly forgotten, the data hadn’t been updated since 2018, but even old data could be attractive to hackers. At the time of discovery, Sennheiser thought no personal data had been compromised, but it turns out customer contact information was included in the database. Sennheiser’s official statement reads, “This contact information…was originally provided to register for our newsletter and for participation in online competitions. At the end of last week, we therefore immediately complied with our duty to inform the data security authority of the state of Lower Saxony.” The storage bucket also included a 4GB database backup, but fortunately it was protected.
Trevor Morgan, product manager with comforte AG, earlier wrote us to offer some perspective on the risks that attend cloud storage:
"The recently reported Sennheiser data breach underscores just how important it is not to forget about cloud resources and any assets or data you’ve stored in the cloud. Improperly configured or poorly protected S3 buckets can wreak havoc on an organization, and in this instance nearly 28,000 customers were affected, with highly sensitive PII being a part of the overall dataset.
"Simple human error often is part of the problem, so organizations need to continue to develop healthy cultures of data security and data privacy, in which care, safety, and thoroughness are privileged over speed and the desire to complete tasks as quickly as possible.
"Another part of the solution is making sure to apply data-centric protection to all data as soon as it enters your information ecosystem. By tokenizing sensitive data elements, you can effectively obfuscate sensitive meaning while preserving data format, which helps your organization work with data while it remains in a protected state.
"For anyone listening, the solutions are quite clear and audible."
West Virginia health system infiltrated after phishing scam.
ZDNet reports that Monongalia Health System (Mon Health), located in the state of West Virginia, experienced a data breach in which a successful phishing attack allowed hackers access to several email accounts containing the personal data of patients, providers, employees, and contractors. Mon Health’s first indication of suspicious activity was a vendor inquiry about an unreceived payment, leading the health system to launch an investigation.
A Monongalia Health statement distributed on PRNewswire notes that the intrusion was limited to Mon Health's email system and did not impact internal health records systems, nor did it disrupt hospital operations or services. The company states that “the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information.” When asked how the incident could have been prevented, KnowBe4’s security awareness advocate, James McQuiggan, told Infosecurity Magazine, “From a technology perspective, implementing verification of domains and senders’ email addresses, while not widely used, is a quick fix to authenticate domains and emails to reduce the risk of an attack by a ‘doppelganger domain.’” For its part, Mon Health said that it “is continuing to review and enhance its existing security protocols and practices, including the implementation of multi-factor authentication for remote access to its email system.”
New Jersey EMS squad discovers patient data exposure.
The Lincoln Park First Aid Squad, a volunteer EMS agency in the state of New Jersey, has announced that patient data was inadvertently exposed when the state health department gave the New Jersey State Police’s Fatal Accident Reporting System administrator access to an electronic records system used by ambulance services throughout the state. EMS1 explains that when contacted by investigators, Office of EMS Director Dr. Terry Clancy said there was a data-sharing agreement, but it pertained only to data related to opioid overdoses. When the squad learned of the breach, they paused sharing data with the state, which resulted in threats of disciplinary action. The Squad’s attorney Matthew R. stated, “The Squad needs to know the scope of this improper access to conduct its federally-mandated data breach investigation. But more importantly, the public has a right to know what medical records were accessed, and why, and if that access is still happening today.”
Raidforums member publishes Vietnamese phone user data.
A hacker nicknamed seasalt123 published a user database he claims belongs to Vietnamese security software and electronics company Bkav. The database was created by Breport.vn, a reporting system established by Bkav to allow Bphone users to log product issues. SGGP English Edition reports that the database contains sensitive information like user IDs, emails, full names, and phone numbers, and that the hacker posted it on the RaidForums underground data marketplace. Bkav has filed a lawsuit with the Department of Cybersecurity and High-Tech Crime Prevention and the Authority of Information Security for investigation. It’s worth noting that this is Bkav’s second recent breach, as in August another RaidForums member posted data from an internal data leak.