At a glance.
- Credential-stuffing warning.
- Data breach at Ohio conservatory exposes visitor information.
- Missouri medical center patient data exposed.
- Student COVID test data misdirected by human error.
- FTC reaches settlement with mortgage data firm.
New York OAG offers advice on credential stuffing attacks.
The Office of the New York State Attorney General (OAG) has issued guidance to businesses on preventing and detecting credential stuffing attacks. The OAG launched an investigation to “identify businesses and consumers impacted by credential stuffing,” and in so doing determined a range of protections businesses can take to defend themselves against the practice. The OAG worked with seventeen companies known to be impacted by credential stuffing in order to determine how the credentials were stolen and how to prevent theft in the future. The guidance recommends bot detection, multi-factor authentication, passwordless authentication, and web application firewalls as methods for securing businesses’ sites against theft. The OAG also suggests several prevention measures and response protocols, such as monitoring customer activity and fraud reports, and seeking the expertise of a threat intelligence firm.
Alicia Townsend, technology evangelist with identity management firm OneLogin, commented on the attractiveness of credential-stuffing to cyber criminals:
“Cybercriminals no longer need to randomly guess passwords when they can easily purchase an extensive list of usernames and passwords that have been captured from various systems. These criminals can then count on the fact that users routinely use the same username/password combinations to get into the dozens of (possibly hundreds of) applications they need to provide credentials for and use the same credentials to try and hack into other systems.
“Every report along these lines just proves again and again that the use of a username and password to get into a system is no longer secure. Different types of authentication must be required or required in addition to a username and password.”
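To make the OAG's "monitor customer activity" advice concrete, here is an added detection heuristic (not code from the OAG, OneLogin, or any company named above) that runs over constructed login events and flags a source address that attempts many distinct usernames with a low success rate; the event format, thresholds, and IP addresses are assumptions chosen for the example.

```python
"""Credential-stuffing detection heuristic over login events (added illustration)."""
from collections import defaultdict

# Constructed sample events: (unix_time, source_ip, username, login_succeeded).
# One address cycles through many accounts with mostly failures; the others
# look like ordinary users (one account, a retry after a typo).
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice", False),
    (1, "203.0.113.7", "bob", False),
    (2, "203.0.113.7", "carol", False),
    (3, "203.0.113.7", "dave", True),
    (4, "203.0.113.7", "erin", False),
    (5, "203.0.113.7", "frank", False),
    (6, "198.51.100.2", "alice", False),
    (7, "198.51.100.2", "alice", True),
    (8, "192.0.2.9", "gina", True),
]


def detect_credential_stuffing(events, window=300, min_users=5, max_success_rate=0.3):
    """Return {ip: stats} for source IPs whose activity looks like stuffing.

    Signal: within `window` seconds one source tries at least `min_users`
    distinct usernames and at most `max_success_rate` of its attempts succeed.
    A legitimate user mistyping a password hits a single account, so the
    distinct-username count separates stuffing from ordinary login failures.
    Thresholds are assumptions; tune them against real traffic.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so attempts[start:end+1] spans <= window seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            current = attempts[start:end + 1]
            users = {u for _, u, _ in current}
            rate = sum(1 for _, _, ok in current if ok) / len(current)
            if len(users) >= min_users and rate <= max_success_rate:
                # Keep the widest matching window; list accounts that succeeded so the
                # defender can force a password reset and review their sessions.
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(current),
                                   "success_rate": round(rate, 2),
                                   "compromised": sorted(u for _, u, ok in current if ok)}
    return flagged
```

Accounts listed under `compromised` are the ones a valid credential pair worked for from a flagged source, which is the list a fraud team needs first.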
Conservatory data breach exposes visitor data.
NBC4 WCMH-TV reports that Franklin Park Conservatory, located in the US state of Ohio, has begun notifying the individuals affected by a data breach that occurred last July. The attackers accessed the data of nearly five thousand people, including financial account details. The conservatory stated, “This event was the result of unauthorized actors deploying ransomware in the Franklin Park environment, which encrypted the organization’s servers…The Conservatory worked with third-party forensic specialists to investigate the event and assist with restoring the network to full functionality.” The Columbus Dispatch adds that Jennifer Wilson, the conservatory’s director of marketing, says the attack potentially impacted visitors to the conservatory between July 21 and August 12.
US medical center attack exposes patient data.
Missouri healthcare provider Capital Region Medical Center has disclosed that patient data was potentially exposed in a December cyberattack. "We are in the process of reviewing files to determine whose and what specific information was accessed and will notify any individuals in accordance with applicable law," a spokesperson stated. ABC17NEWS reports that the attack led the center to shut down its phone and email systems for several days, but Capital Region said it is working to restore the network, and the website is currently back up and running.
School COVID data leak attributed to human error.
A UK school experienced a data leak when an employee accidentally sent students’ COVID-19 test results to the wrong parents. De Montfort School headteacher Ruth Allen explained to the Evesham Journal, “Unfortunately, whilst uploading results, a data breach occurred that affected a small number of students. The breach has been investigated following the guidance set out in the Four Stones Multi Academy Trust data protection policy, reported to the Information Commissioner's Office and found to be the result of a human error.”
FTC reaches settlement with Ascension.
The US Federal Trade Commission (FTC) has reached a settlement with mortgage data analytics firm Ascension over a 2019 data exposure that compromised the sensitive data of over 60,000 Americans. The leak occurred when OpticsML, hired by Ascension to convert documents into computer-readable text, left a database containing 24 million mortgage documents unprotected and viewable by anyone who knew its IP address. The FTC found Ascension in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires businesses to ensure that their vendors comply with data security safeguards. TechCrunch, which conducted the investigation that revealed the breach, reports that under the settlement Ascension has been ordered to improve its security protocols and to obtain assurance that its vendors also adhere to appropriate data security standards, but the firm will not shoulder any financial penalties. It’s worth noting that FTC commissioner Rebecca Kelly Slaughter voted against the decision, arguing that it did not do enough to lay charges against the company, and former FTC commissioner Rohit Chopra said the settlement “misses the mark on identifying the responsible company.”