At a glance.
- Two data leaks in the healthcare sector.
- DC police data exposed by Babuk.
- Does Facebook’s privacy policy let them decide what’s news?
- Reverb faces the music.
- BigBasket breach.
- Gyrodata hit by ransomware attack.
Two data leaks in the healthcare sector.
In the US state of Colorado, a burglary has led to potential data theft, KKTV reports. In March, Peak Vista Community Health Centers experienced a break-in in which two computers (along with other office equipment) were stolen. A subsequent investigation determined that the swiped machines contained data belonging to approximately three thousand patients, including names, birth dates, and diagnosis info. While some of the equipment has been recovered, an investigation is ongoing.
On the other side of the world, Australia-based healthcare provider UnitingCare Queensland disclosed that they suffered a ransomware attack, iTWire reports. UnitingCare is working with forensic advisors as well as the Australian Cyber Security Centre to investigate the incident. In a statement, the hospital disclosed, “Where necessary, manual back-up processes are now in place to ensure continuity of most services. Where manual processes cannot be implemented, services are being redirected or rescheduled accordingly.”
DC police data exposed by Babuk.
StateScoop reports that threat actors affiliated with Babuk ransomware published images of data stolen from the Washington, DC police department on the dark web. The hackers claim to have obtained more than two hundred fifty gigabytes of police data including arrest records, internal memos, and documents shared with other authorities, like the Federal Bureau of Investigation. Given Babuk’s tendency to scan networks for easy-to-exploit vulnerabilities, and the fact that the threat group doesn’t typically target the public sector, Allan Liska of threat intelligence company Recorded Future feels the theft was likely a crime of opportunity: “They’re scanning for open RDP [Remote Desktop Protocol] or something like that, and bam, they hit the police department.”
Does Facebook’s privacy policy let them decide what’s news?
The New York Times discusses a little-known Facebook privacy loophole that essentially lets the social media platform decide what’s newsworthy and what’s not. Facebook recently blocked a New York Post article about a civil rights activist’s real estate purchases. When asked why, Facebook’s lawyer explained that if a story mentions someone’s location, it’s considered tantamount to digital “doxxing,” and the subject can ask Facebook to remove the story from the platform. Considering that locations are mentioned in a huge number of news articles, this gives Facebook a great deal of power over which articles are allowed on the platform. As the Electronic Frontier Foundation’s director of strategy, Danny O’Brien, explains, this creates “a world in which you get to pick your gatekeeper, rather than the world we were promised — and which technology offers — of not picking a gatekeeper at all.”
Reverb faces the music.
Online musical instrument marketplace Reverb disclosed that the site experienced a data breach, Techaeris reports. The company’s official statement explains that the compromised data, which includes names, addresses, phone numbers, and emails, was accessible for a “short period of time,” but it is unclear exactly how long that was or how many users were impacted.
We heard from some industry experts on the implications of the Reverb breach. PJ Norris, senior systems engineer at Tripwire, sees it as further evidence that misconfigurations have become commonplace causes of data exposure:
“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet.
“Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch. Once a process is in place, the systems must be monitored for changes to their configurations.
“Change detection (hardening) is key for securing your cloud infrastructure and preventing inadvertent exposures as we’ve seen here. These are solvable problems, and tools exist today to help.”
Data spill on aisle five.
Users of India’s BigBasket online grocery shopping service are likely wishing they’d visited the supermarket the old-fashioned way. Last November, BigBasket experienced a data breach at the hands of prolific hacker ShinyHunter, who posted a large database of BigBasket user data for sale on the dark web. Now, as is his modus operandi, the hacker has released the approximately 20 million user records for free in an underground forum, Bleeping Computer reports. The data includes email addresses, street addresses, phone numbers, and SHA1-hashed passwords, 2 million of which forum members claim they’ve already de-hashed. According to LatestLY, cybersecurity expert Alon Gal explained on Twitter, “To better understand how bad this type of hash is for the passwords, I can test 700,000,000,000 (700 billion) attempts at a password per minute with my RTX 3080. These passwords are essentially plaintext.”
Gyrodata hit by ransomware attack.
Infosecurity Magazine explains that US drilling tech specialist Gyrodata experienced a ransomware attack that compromised current and former employee data including social security numbers, passport numbers, and W-2 tax forms. Gyrodata has approximately one thousand employees globally, and those impacted are being contacted by mail.
Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, had this to say:
"No organization enjoys a security breach, but the unfortunate truth is that the brunt of the damage often falls most heavily on customers or employees whose information is stolen. In such instances it’s admirable when the breached organization steps up and proactively purchases identity theft protection services, but the reality is that those protection services are never indefinite with most only lasting around 12 months. After that, it’s game on for identity thieves to make use of the stolen data.
"There’s no such thing as being ‘safe’ from compromise anymore. All organizations are lucrative targets for cybercriminals, whether through ransomware or from stolen data. Many cybercrime organizations have more budget than the security teams at the organization they are targeting and can be highly skilled in bypassing even the best security products and controls. They opportunistically scan large swaths of the internet looking for any and all ways to gain unauthorized access to victims’ systems and data and ruthlessly exploit any weakness they spot.
"To protect themselves, organizations must adopt a culture of security starting from executive leadership and extending down to line of business service delivery. It’s critically important that all aspects of security from the human element to granular technical controls are considered, properly implemented and continuously monitored to ensure resiliency against a motivated attacker."