At a glance.
- Australia’s largest health insurance company target of cyberattack.
- US university discloses ransomware attack.
- Misconfigured Azure Blob exposes Microsoft data.
- FBI warns of student debt relief scams.
Australia’s largest health insurance company target of cyberattack.
Health insurer Medibank has become the latest victim in a recent wave of cyberattacks in Australia. A hacker claims to have stolen 200GB of data, offering up the data of 100 customers as evidence, and with 3.7 million customers total, Medibank is concerned the number of impacted individuals could increase. As ABC reports, when Medibank first became aware of the ransomware attack, it believed no sensitive customer data had been accessed. Days later, the company received a message from the alleged hackers, and soon Medibank confirmed the attackers were in possession of data that appeared to have been stolen from their systems. The sample data includes customer names, street addresses, dates of birth, insurance claim info, and diagnosis and procedure details. The hacker claims to also have stolen credit card info, but this has not been verified. ABC adds that the attack has been referred to the Australian Federal Police, and Medibank is also working with the Australian Cyber Security Agency and the Australian Signals Directorate. Cyber Security Minister Clare O'Neil stated, "If you think about a lot of cybercrime it relates to financial or identity information, which is very problematic when it comes into the public realm. What we have here is … healthcare information and that just on its own being made public can cause immense harm to Australians and that's why we are so engaged with this." O’Neil noted that this breach is just the latest of several attacks, including the massive data breach at telecom giant Optus that exposed the data of up to 10 million customers. She added, "I think combined with Optus, this is a huge wake up call for the country and certainly gives the government a really clear mandate to do some things that frankly probably should have been done five years ago, but I think are still very crucially important."
US university discloses ransomware attack.
Whitworth University, a private liberal arts school located in the US state of Washington, has confirmed that a July data breach was the result of a ransomware attack, Spokesman.com reports. While Whitworth said the breach may have affected over five thousand Washington state residents, it’s unclear how many out-of-state students or employees might have been impacted. The threat actors potentially accessed names, student identification numbers, state identification numbers, passport numbers, Social Security numbers, and health insurance information, but the university says the hackers fortunately did not access more sensitive information. Though Whitworth has not disclosed the perpetrators, industry experts feel the LockBit ransomware group could be behind the attack.
Misconfigured Azure Blob exposes Microsoft data.
Microsoft yesterday disclosed that a misconfigured server exposed sensitive customer data, Bleeping Computer reports. The Azure Blob Storage server was discovered by security researchers at threat intelligence firm SOCRadar, and upon learning of the leak, Microsoft secured the server on September 24. “This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” the company stated on its website. They added that the breach was not caused by a vulnerability, but was instead the result of an “unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem.” The exposed data includes names, email addresses, email content, company names, phone numbers, and business files, and SOCRadar says it was able to link this sensitive information to more than 65,000 entities from 111 countries, stored in files dated from 2017 to August 2022. However, Microsoft says it believes SOCRadar “greatly exaggerated the scope of this issue” and “the numbers,” and also called the research firm out for collecting the data and making it searchable on its BlueBleed data leak search portal.
FBI warns of student debt relief scams.
In August the US government announced the Student Loan Debt Relief Plan, and while this is good news for those wading through college debt, scammers have (of course) found a way to take advantage of the situation. The US Federal Bureau of Investigation (FBI) on Tuesday issued a public service announcement warning of scams targeting individuals seeking federal student loan forgiveness. Fraudsters posing as representatives of a bank or the Department of Education are contacting victims via phone, email, snail mail, text, and other messaging platforms and informing them they have qualified for loan debt relief. They then request payment for fake services (entrance into the debt relief program does not require any payment) or simply harvest victim data for use in other operations. The FBI’s warning instructs victims to submit a report to the FBI Internet Crime Complaint Center at www.IC3.gov.
Chris Clements, VP of solutions architecture at cybersecurity company Cerberus Sentinel, commented on the opportunities the news around student loans can offer to criminals:
“Cybercriminals and fraudsters are always on the lookout for new opportunities to lure victims into making inadvertent payments or divulging sensitive information, and highly publicized events with a financial motivation like the loan forgiveness program make for a potent trap.
“In an age of widespread fraud and cybercrime, both institutions like companies and government as well as consumers bear responsibility for combatting scams. First and foremost, institutions must be crystal clear in their messaging on how they will interact with consumers, both in definite ways they can expect to receive communications such as through postal mail or not at all but also in ways that they will not receive legitimate contacts like phone call or email. The widespread fake IRS telephone fraud campaign in years past could have been drastically mitigated by more deliberate messaging to make the now hopefully well-known fact that the IRS will never call individuals common knowledge. There also needs to be a pre-thought-out, easy and obvious plan for how consumers will interact with an institution, such as a simple website address like studentaid.gov in this instance, ready to go simultaneously with any program or campaign’s launch. Any delay or complexity gives attackers a window and opportunity to capitalize. Finally, consumers should be told exactly what type of information they should be expected to provide or not provide. A government program like loan forgiveness may require a Social Security number for identity verification, but not payment info like a credit card number. At the same time, consumers should be aware of the frequency of online scams and that they are still ultimately responsible for their online safety. It’s a new modern-day life skill to be able to filter out scams whether they come from phishing, phone calls, or text messages. It’s an unfortunate reality that everyone needs to come to terms with that a healthy dose of skepticism and independent verification are now the norm.”
KnowBe4 security awareness advocate Erich Kron wrote to express some thoughts on Federal programs and criminal opportunities:
“Federal programs, especially those amounting to reasonable amounts of financial impact that have been promoted by the government for some time, can be a very enticing tool for bad actors. The federal government has already advertised and hyped the program, making it more trustworthy by default. The fact that people will recognize the program name and what it represents can make it much easier for bad actors to set up imitation application websites where they will ask for sensitive information, without alarming potential victims.
“To protect against this, people should ensure they only follow links from a .gov website, such as studentaid.gov, to the application. Rather than following links in emails, going straight to studentaid.gov, where the information is posted, is a much wiser choice.”