At a glance.
- Tips for preventing third-party data breaches.
- Medicare data exposed in third-party ransomware attack.
- Canadian school district job applicants compromised in hiring website breach.
- Epic Games settles FTC regulatory case for $520 million.
- CRM data exposure reported.
Tips for preventing third-party data breaches.
Ride-sharing app Uber made headlines recently after sensitive company data were leaked when an attacker accessed the public cloud backup server of a third-party vendor, exposing the data of over 77,000 employees. Such incidents are becoming more commonplace, and CyberArk offers advice for security teams looking to protect their company’s data from third-party breaches. Third-party vendors should be considered an extension of the organization, and as such should be carefully vetted for compliance with security protocols. Zero-trust policies should be implemented to ensure that third-party users are authenticated whenever they attempt to access privileged information, and while third-party vendor security audits are smart, they need to be performed on a regular basis to ensure nothing slips through the cracks. Other recommendations include implementing network segmentation, conducting penetration testing, and ensuring privileged access practices adhere to industry regulations like FIPS 200 and HIPAA.
Medicare data exposed in third-party ransomware attack.
Remaining on the topic of third-party data breaches, in October the personal data of Medicare beneficiaries were potentially compromised in a ransomware attack on a government subcontractor, Healthcare Management Solutions. Although the affected individuals account for less than 0.4% of Medicare’s total 64.5 million beneficiaries, that still comes to nearly 254,000 victims. The compromised data include name, address, date of birth, phone number, Social Security number, Medicare beneficiary identifier, banking info, and Medicare enrollment details. The Centers for Medicare & Medicaid Services say notification letters are being sent to those impacted, and they will be issued with replacement Medicare cards.
Centers for Medicare & Medicaid Services Administrator Chiquita Brooks-LaSure stated, “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to the Centers for Medicare & Medicaid Services.” Healthcare Management Solutions told CNBC that when the breach was detected it took its network offline, and an investigation is ongoing.
Canadian school district job applicants compromised in hiring website breach.
Clearview Public Schools, located in the Canadian province of Alberta, suffered a data breach after an intruder last week accessed the school district’s account on job posting website Indeed.com. The data of up to eight hundred job applicants for school district positions were impacted, rdnewsnow.com reports. The compromised data include resumes and applications bearing names, contact details, employment history, or other hiring information. What’s more, the attacker used the hijacked Indeed.com account to send applicants emails containing links intended to lure them into sharing more personal info or engaging in illegal acts. Scot Leys, Superintendent of Clearview Public Schools, stated, “We take privacy seriously and will be doing everything in our power to respond to this situation, including investigation into the cause of the breach to minimize the risk of a similar event in the future. We will also respond legally if and when that becomes possible.” The district has suspended the impacted Indeed.com account and the associated email account.
Epic Games settles FTC regulatory case for $520 million.
The US Federal Trade Commission (FTC) announced this morning that Epic Games (publisher of the popular Fortnite game, among others), has agreed "to pay a total of $520 million in relief over allegations the company violated the Children’s Online Privacy Protection Act (COPPA) and deployed design tricks, known as dark patterns, to dupe millions of players into making unintentional purchases." $275 million of the total settles the accusations that Epic Games violated COPPA by collecting children's personal information without "verifiable consent from a parent." The remaining $245 million in the settlement will take the form of refunds to consumers over allegations that Epic Games used dark-pattern deceptive tactics to induce customers to make in-game purchases.
Epic Games in its own response to the settlement focused on what it intended to do about the practices that caused the problem in the first place. It offered advice to developers about the hazards that attend attempts to "streamline the checkout process."
CRM data exposure reported.
BleepingComputer reports that restaurant customer relationship management provider SevenRooms has seen some data exposed in what appears to be a third-party breach. The firm told the publication, "SevenRooms recently learned that a file transfer interface of a third-party vendor was accessed without authorization. This may have affected certain documents transferred to or by SevenRooms, including the exchange of API credentials (now expired), and some guest data, which may include names, email addresses and phone numbers." SevenRooms said that sensitive information (payment cards, bank accounts, Social Security Numbers, and the like) was not stored on the affected server, and so should be uncompromised.
Erfan Shadabi, cybersecurity expert with comforte AG, wrote to note the attractiveness of CRM systems to criminals:
“CRM systems are attractive targets for attackers. The trove of sensitive data can be extensive, spanning financial data, customer data, etc. A business that collects and retains sensitive data needs to take data privacy and security very seriously. The first thought is to ensure that any housed data is walled off and secure. But what happens if a breach occurs (even one involving a third-party partner) and that data falls into the wrong hands? Only data-centric security methods can protect against that type of situation. Data-centric security protects the data itself instead of the “walls” around it using technologies such as tokenization or format-preserving encryption. If companies like SevenRooms adopt a data-centric strategy, then they won’t have to worry about their customers’ private information. Unfortunately, this doesn’t seem to be the case in this incident. That doesn’t mean other businesses can’t learn from the situation.”
Paul Bischoff, privacy advocate with Comparitech, thinks it best to disclose breaches as early as possible:
“The fact that SevenRooms didn't disclose the breach until after attackers leaked the data online is not a good look. It means SevenRooms either didn't know about the breach until the data was leaked, or it knew about it but kept quiet. So it appears that SevenRooms was either withholding or negligent. SevenRooms has decided to go with the "blame the vendor" PR strategy in response. Although the breach affected a lot of customers, the data was thankfully not that sensitive. No payment info or other sensitive customer data was leaked. However, some contact information was leaked, so customers should be on the lookout for targeted phishing emails and messages. These messages may impersonate SevenRooms clients or related businesses. Never click on links in unsolicited messages and emails!”
And Chris Hauk, consumer privacy champion at Pixel Privacy, notes that even information less sensitive than pay card and bank account data can still be used by criminals, especially in future social engineering attacks:
“While SevenRooms says that no guests' credit card information, bank account data, social security numbers, or other "sensitive" information was accessed, some sensitive data - possibly including customers' names, email addresses and phone numbers - was indeed accessed. That data could be used by bad actors to phish for more information from customers, meaning any customer of the affected companies needs to be aware of possible phishing emails, texts, and phone calls from bad guys.”