At a glance.
- Accounting firm faces lawsuit alleging failure to notify individuals affected by a data breach.
- Questions about a state transit authority's data collection.
- Hospitality firm's customers' data exposed in ransomware incident.
- Credit card theft.
- Healthcare system discloses data breach.
CPA firm sued for alleged data breach mishandling.
Chicago-based accounting firm Bansley and Kiener (B&K) is facing a lawsuit for allegedly failing to promptly notify impacted individuals of a healthcare data breach. Health IT Security reports that B&K became aware that its systems had been encrypted in December 2020. However, it wasn’t until May 2021 that the firm determined that the attackers had stolen personal data, and the plaintiff claims the lapse in time is an indication of negligence. B&K also failed to disclose the incident to the necessary government agencies until almost a year after the attack was detected. The lawsuit reads, “As a result of this delayed response, Plaintiff and Class Members were unaware that their PII had been compromised, and that they were, and continue to be, at significant risk to identity theft and various other forms of personal, social, and financial harm.” The plaintiff also claims that B&K failed to secure sensitive data like unredacted and unencrypted Social Security numbers, tax ID numbers, and passport information.
ACLU asks questions about public transit breach.
In another case of potential incident mishandling, a data breach at the Rhode Island Public Transit Authority (RIPTA) has attracted the attention of the state’s American Civil Liberties Union (ACLU). SecurityWeek explains that although the breach was discovered in early August, it wasn’t until late October that the compromised individuals were identified, and they weren’t notified until almost two months later. The ACLU is also asking why the incident led to the exposure of the data of state workers who were never employed by the transit authority, and why the victim tallies reported on the US Department of Health and Human Services’s website and those reported by RIPTA differ by over 12,000 people. A letter from the ACLU reads, “It is essential that RIPTA provide answers to the public as to why it had this private information in the first place and why it has provided misleading information about this security breach to the public.” So far RIPTA’s explanation has been that investigating the breach was “time and labor-intensive.”
McMenamins customers exposed in ransomware attack.
McMenamins, a hospitality company that operates breweries, pubs, hotels, and music venues in the states of Oregon and Washington, has disclosed that it suffered a ransomware attack. Victim notification letters confirm that the data of employees going back as far as 1998 were potentially compromised. SecurityWeek notes that the attackers accessed a wide range of data including names, birth dates, physical and email addresses, Social Security numbers, performance notes, income, and info on retirement and health insurance plans. The attack also disrupted the chain’s phone, email, credit card processing, gift card redemption, and hotel reservation systems.
PulseTV confirms credit card theft incident.
A data incident at online shopping platform PulseTV compromised the data of approximately 200,000 users, SecurityWeek reports. A letter to the impacted individuals states that Pulsetv.com was “a common point of purchase” for unauthorized VISA and MasterCard credit card transactions, and the breach potentially affects all customers who made credit card purchases on the website between November 1, 2019, and August 31, 2021. Although PulseTV says, “The investigation was unable to verify that the website was the cause of the unauthorized transactions,” the platform is taking steps to beef up its data security. The steps it has taken or plans to take include transitioning to a new payment system.
Broward Health data breach.
CBS Local - Miami reports that Broward Health, a healthcare system that operates several locations in Florida, has sustained a data breach in which unauthorized parties obtained access to patient and employee records. Broward Health traces the issue to a third-party medical provider. The breach occurred in October; notifications went out to the 1.3 million persons affected last week. ZDNet reports that Broward Health says it delayed notification at the request of the US Department of Justice. The information, which Broward Health says it has no reason to believe was abused, includes names, addresses and phone numbers, Social Security numbers, bank account information, medical histories, insurance account information, driver's license numbers, email addresses and treatments received.
Adir Gruss, vice president of technical solutions at Laminar, wrote to urge organizations to secure data first, especially when they operate in the cloud:
“Organizations must take a data-centric approach to security in order to uplevel overall risk posture. The biggest challenge impeding data security teams today is that as more and more organizations move toward the cloud they have lost track of where sensitive data resides. You simply cannot protect what you don’t know about. In order to protect against a majority of today’s cyberattacks, IT teams must prioritize visibility into cloud data including supply chain access. With that knowledge, data protection teams can move from gatekeepers to enablers.”
Steve Moore, chief security strategist at Exabeam, cautions against overlooking third-party risk:
"No matter how robust your security stack is, your organization can still be vulnerable to intrusions stemming from compromised credentials – especially those that belong to third-party vendors and partners. According to the Verizon 2021 Data Breach Investigations Report, over 80% of breaches involve brute force attacks or the use of lost or stolen credentials.
"Giving network access to third parties only increases risk. As a result, even the best organizations must manage this problem perfectly to avoid adverse outcomes as well as ensure that partners are up to the same security standards, and perfect is difficult. Proper training, feedback loops, visibility, and effective technical capabilities are the keys to managing the risk of compromised insiders and external adversaries to protect important health information.
"A helpful defender capability is the development of a baseline for normal employee and third-party vendor behavior that can assist organizations with identifying compromised credentials and related intrusions. If you can establish normal behavior first, only then can abnormal be known - a great asset in uncovering unknowingly compromised credentials."