At a glance.
- Conti offers free decryptor key to Ireland’s HSE.
- Geico data breach leads to unemployment fraud.
- Update on Pennsylvania Department of Health data breach.
- Comment on unfortunately developed Android apps.
Conti offers free decryptor key to Ireland’s HSE.
As the CyberWire noted earlier this week, Ireland’s Health Services Executive (HSE) and Department of Health were hit with Conti ransomware attacks over the weekend. While the Department of Health was able to intercept the attack before damage was done, the HSE is now faced with the daunting task of recovering its systems amid nationwide disruptions to healthcare services. Bleeping Computer reports that Conti has now offered the HSE a free decryption key on their Tor negotiation site, but is still threatening to publish the 700 GB of data stolen in the attack if their ransom demand of $19,999,000 is not met. “We are providing the decryption tool for your network for free. But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation,” Conti warned. Officials are assessing the tool for any malicious properties before using it, but they have publicly stated they have no plans to negotiate payment with the threat actors.
Geico data breach leads to unemployment fraud.
WINK News reports that Geico is warning customers they might be at risk of unemployment benefit fraud as the result of a recent data breach that exposed customer driver’s license numbers. Often victims are unaware that their data is being used for benefit fraud until their employer notifies them or they receive tax documents detailing unemployment payments they never requested. Unfortunately, this scam is not unusual, as the US Department of Labor estimates over $63 billion was lost last year to unemployment fraud.
Update on Pennsylvania Department of Health data breach.
As the CyberWire noted last month, Insight Global, the company contracted by the Pennsylvania Department of Health to conduct COVID-19 contact tracing, exposed the data of over 70,000 state residents by discussing sensitive info via unsecured channels. Though the Department of Health initially stated they planned to maintain their contract with Insight Global until it expires in July, CBS Local Pittsburgh now reports the department has decided to terminate the contract in June. The about-face is likely due to pushback from lawmakers who were less than pleased at the prospect of the department continuing to work with the vendor. Acting Health Secretary Alison Beam announced the change at a news conference, also stating that the department will work to make sure there’s no disruption to contact tracing services. The department also explained that Insight Global will be required to contact the individuals impacted by the breach. Meanwhile, state senators are pressing for new legislation that will protect against future breaches of state governments and their third-party vendors.
Comment on unfortunately developed Android apps.
We've received some comments on Check Point's recent finding that misconfigured Android apps have exposed the data of more than 100 million people via third-party cloud services. Paul Bischoff, privacy advocate at Comparitech, stated the following:
"Our own research on Android apps using Firebase databases aligns with Check Point's findings. We found that 4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication. Firebase is used by an estimated 30 percent of all apps on the Google Play Store, making it the most popular storage solution for Android apps.
"In separate studies, we also found that the average Android user has at least one app that requests excessive permissions, and many Android apps use flawed credential storage that opens them up to attack."
Chris Hauk, consumer privacy champion at Pixel Privacy, stated:
"What is shocking about this issue is that developers as well as database administrators don't take the basic security steps required to protect their users' data and personal information.
"Perhaps we've gotten to the point where App Stores like Google Play and Apple's App Store make it a requirement for developers to properly protect their users' data before having the app approved for distribution in the stores. While this is harder to enforce on a platform like Android where users can easily sideload apps onto their device, it would at least be a step in the right direction when it comes to protecting users.
"Perhaps it would also be advisable for developers to purchase a book or visit a website or five that will teach them how to properly secure an app user's data. In today's world, where there seems to be a data breach on a daily basis, developers cannot claim ignorance when it comes to protecting their users' data."