At a glance.
- Hardware encryption bug discovered in Samsung Galaxy phones.
- College data breach impacts thousands.
- Healthcare data breach roundup.
Hardware encryption bug discovered in Samsung Galaxy phones.
Researchers from Tel Aviv University have released details about (now-patched) security flaws in the design of Samsung smartphones, affecting an estimated 100 million Android devices from the leading handset maker. As the Hacker News details, the flaws lie in Samsung's implementation of Android's hardware-backed Keystore, the system that creates and stores cryptographic keys inside a Trusted Execution Environment (TEE): a secure, isolated environment in which Trusted Applications (TAs) perform sensitive tasks. In this case the isolation did not hold. The Keymaster TA wrapped key blobs with AES-GCM in a way that allowed the initialization vector to repeat, so an attacker who had already obtained root privileges on the Android side of the device could recover hardware-protected private keys that the TEE is supposed to keep out of reach even from root. With those keys in hand, an attacker could bypass authentication that relies on them or undermine the security guarantees the cryptographic system is meant to provide. The bugs, which affect Samsung's Galaxy S8, S9, S10, S20, and S21 devices, were responsibly disclosed to Samsung last spring and patched in security updates released by last fall.
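The reason a repeated initialization vector is so damaging here is that GCM encrypts with AES in counter mode: two blobs wrapped under the same key and the same IV are XORed with the same keystream. The Go program below is an added example written for this briefing, not code from the researchers or from Samsung. It models the wrapping with Go's standard library and assumes a 32-byte key-encryption key, a fixed 12-byte nonce and sample key material, all constructed here. It shows that an attacker holding a victim's blob who can get the Keystore to wrap a key of their own choosing recovers the victim's key without ever learning the wrapping key, and that drawing a fresh nonce per blob defeats the identical attack.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// wrap encrypts a key blob with AES-256-GCM under the key-encryption key kek.
// The result is ciphertext || 16-byte tag, exactly as GCM's Seal lays it out.
func wrap(kek, nonce, blob []byte) []byte {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce
	if err != nil {
		panic(err)
	}
	return gcm.Seal(nil, nonce, blob, nil)
}

// xor returns a XOR b; both slices must be the same length.
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverWithReusedNonce models the IV-reuse attack. The attacker holds the
// victim's wrapped blob, can get the wrapper to wrap a key it chose itself
// (attackerKey), and the wrapper reuses the same kek and nonce. Because GCM's
// body is counter mode, both blobs were XORed with one keystream:
// keystream = attackerBlob XOR attackerKey, and victimKey = victimBlob XOR keystream.
// The kek is never learned by the attacker; it is only used here to produce the blobs.
func RecoverWithReusedNonce(kek, nonce, victimKey, attackerKey []byte) []byte {
	victimBlob := wrap(kek, nonce, victimKey)
	attackerBlob := wrap(kek, nonce, attackerKey)
	n := len(victimKey)
	keystream := xor(attackerBlob[:n], attackerKey) // the 16-byte tags are ignored
	return xor(victimBlob[:n], keystream)
}

// RecoverWithFreshNonces runs the identical attack against a wrapper that draws
// a random nonce per blob. The derived keystream belongs to the attacker's blob
// only, so the final XOR yields noise rather than the victim's key.
func RecoverWithFreshNonces(kek, victimKey, attackerKey []byte) []byte {
	freshNonce := func() []byte {
		n := make([]byte, 12)
		if _, err := rand.Read(n); err != nil {
			panic(err)
		}
		return n
	}
	victimBlob := wrap(kek, freshNonce(), victimKey)
	attackerBlob := wrap(kek, freshNonce(), attackerKey)
	n := len(victimKey)
	keystream := xor(attackerBlob[:n], attackerKey)
	return xor(victimBlob[:n], keystream)
}

// Constructed sample inputs (not real device material): a fixed kek and nonce
// standing in for the TEE's wrapping key and a deterministic IV, plus a
// 32-byte victim key and an attacker-chosen key of the same length.
var (
	sampleKEK   = bytes.Repeat([]byte{0x4b}, 32)
	sampleNonce = []byte("fixed-nonce!") // 12 bytes, reused across blobs
	victimKey   = bytes.Repeat([]byte{0xa5}, 32)
	attackerKey = bytes.Repeat([]byte{0x11}, 32)
)

func main() {
	got := RecoverWithReusedNonce(sampleKEK, sampleNonce, victimKey, attackerKey)
	fmt.Printf("reused nonce: recovered victim key? %v\n", bytes.Equal(got, victimKey))
	got = RecoverWithFreshNonces(sampleKEK, victimKey, attackerKey)
	fmt.Printf("fresh nonces: recovered victim key? %v\n", bytes.Equal(got, victimKey))
}
```

Running it with `go run` prints `true` for the reused nonce and `false` for fresh nonces. Note that the authentication tag does nothing to stop this: the attacker never has to forge a blob, only read two existing ones, which is why IV uniqueness is a hard requirement of GCM rather than a best practice.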
College data breach impacts thousands.
JDSupra reports that St. Augustine College, a small private college located in the US state of Illinois, has disclosed it suffered a data breach last August. After conducting an investigation, it was determined last month that an intruder accessed network files containing the names and Social Security numbers of over 13,000 individuals associated with the school. The identities of those impacted have not been released, but it’s worth noting that St. Augustine’s student body is composed of only about one thousand students. School officials have begun sending breach notification letters to affected individuals, and law firm Console & Associates, P.C. will be interviewing victims to determine what legal claims may be available.
Healthcare data breach roundup.
Health IT Security offers details on three recent US healthcare sector data breaches. Though the country seems to be rounding a corner with regard to the pandemic, securing COVID-19 data continues to be a problem for the country's healthcare entities. A January data breach affecting the COVID-19 test results portal of the Health Department of Houston, Texas exposed ten thousand test results to the portal's approximately thirty-five hundred users. The compromised data include users' names, dates of birth, email addresses, test dates, and results. Within forty-eight hours of discovering the issue, the department shut down the portal. No foul play has been detected, and the incident has been attributed to a technical issue that caused some accounts to be erroneously linked to one another.
National pharmacy buying group EPIC Pharmacy Network was targeted in a phishing attack last August that resulted in unauthorized access to two employee email accounts, compromising the data of nearly 29 thousand individuals. Following a forensic investigation completed in December, EPIC began notifying impacted patients in February. Though it’s unclear when EPIC first detected the incident, it’s worth noting that entities covered by the Health Insurance Portability and Accountability Act are required to notify impacted patients within sixty days of breach discovery. Compromised data include names, birth dates, medical treatment details, and prescription information.
And finally, Alliance Physical Therapy Group suffered a cyberattack in December. The subsequent investigation determined that the data of nearly 15 thousand individuals were exposed, including Social Security numbers, birth dates, health insurance information, medical information, and driver’s license numbers, though the Michigan-based physical therapy provider says there’s no evidence the data were misused.