At a glance.
- FBI joins investigation of Optus data breach.
- Connecticut hospital warns of third-party breach.
- New York hospital loses patient data on stolen USB drive.
FBI joins investigation of Optus data breach.
Investigation of the Optus breach continues, and the US FBI has joined the inquiry to assist the Australian Federal Police. Australian Cyber Security Minister Clare O'Neil said, A Current Affair reports, that "Australian police (are) working with the FBI and state police forces around the country to not only find the person who is responsible for this vast breach of Australians' data, but to try to stop this data being used to commit financial crimes against Australians."
The AFP has organized its investigation as "Operation Hurricane," and there are signs that those who've claimed responsibility for the attack (and sought to extort the victims) may be feeling the heat and having second thoughts. The self-proclaimed threat actor (who, BleepingComputer notes, hasn't been confirmed as the one responsible for the breach or subsequent partial release of the stolen data) posted an apology online. They chose discretion as the better part of valor. "Too many eyes. We will not sale data to anyone. We can't if we even want to: personally deleted data from drive (only copy)," they said. "Ransom not payed but we dont care anymore. Was mistake to scrape publish data in first place."
Whatever the threat actor may do or say, Filip Verloy, Technical Evangelist at Noname Security, wrote to characterize the apparent root cause of the breach as a major error that will exact consequences for some time:
"Australian telecoms giant, Optus, was under fire from the government for a massive cyber breach. It was reported that the company left an API open that revealed customer data to anyone who communicated with the API. While classified as a security misconfiguration, this sort of issue originates internally and cannot be blamed on external forces. If unauthorized API access was indeed the source of the Optus data breach, it's wrong to even call its data breach a 'hack.' It was an epic blunder of monumental proportions and a spooky story for years to come. As Hanlon's razor states, 'Never attribute to malice that which is adequately explained by stupidity.'"
Connecticut hospital warns of third-party breach.
According to the Journal Inquirer, Johnson Memorial Hospital in Stafford, Connecticut, has alerted the public to a possible data breach originating with a third party, in this case a law firm. "Reid and Riege of Hartford reported that around March 21, the law firm became aware of attempts at suspicious activity on its computer system and immediately secured its network, believing the incident had been contained," the Journal Inquirer reports. "The firm then launched an investigation, with the help of computer forensics specialists, and determined its network had been infected with malware from an outside source, which prevented access to certain files." The hospital is also alerting patients to the possibility of fraud, and cautions people not to respond to telephone calls purporting to be from Johnson Memorial, Trinity Health of New England, or Reid and Riege.
New York hospital loses patient data on stolen USB drive.
The Bronx Times reports that a USB drive belonging to the research coordinator at New York City's Montefiore Medical Center was stolen, and that information about 1332 patients was stolen along with the device. The hospital disclosed the incident as required by the Health Insurance Portability and Accountability Act (HIPAA), and it reported the theft to local law enforcement authorities.
"Patient information stored on the device, according to Montefiore, not only 'may have' included demographic data like first and last names, medical record numbers, email addresses and dates of birth," the Bronx Times writes, "but also clinical information, like treatment location, provider names, dates of service, reasons for visits, an indication of previous diagnoses, medications, test results and other treatment information." The hospital says neither Social Security Numbers nor payment information were compromised. Montefiore says that it's found no evidence of the stolen data having been abused.