At a glance.
- Hospitals receive unwanted holiday visits from cybercriminals.
- Bettor beware.
- Hackers invade Santa’s sack.
- Retired Pentagon device exposes private data.
Hospitals receive unwanted holiday visits from cybercriminals.
Recorded Future’s senior threat intelligence officer Allan Liska told CNN, “Healthcare continues to be an attractive target for ransomware groups because even if a ransom isn’t paid, these attacks attract a lot of attention for the ransomware group, increasing their notoriety.” Indeed, over the holidays several healthcare institutions disclosed they suffered cyberattacks. Lake Charles Memorial Health System (LCMHS), located in the US state of Louisiana, has confirmed that hackers accessed the personal data of nearly 270,000 patients in an October ransomware attack, Bleeping Computer reports. The potentially compromised data includes health insurance information, medical records numbers, and in some cases, Social Security numbers. The Record by Recorded Future notes that the medical center began distributing breach notification letters to impacted individuals on December 23. The Hive ransomware group has taken credit for the attack, listing LCMHS on its data leak site and publishing allegedly stolen files as evidence.
Howard Memorial Hospital, located in the US state of Arkansas, has disclosed that it detected signs of an intrusion on December 4. In a December 29 news release the hospital stated, “Steps were promptly taken to secure HMH’s network, and an investigation began with assistance from outside cybersecurity specialists to determine the nature and scope of this activity and to safely maintain full operational functionality so HMH could continue to treat patients.” Becker’s Hospital Review explains that the attackers had access to the hospital’s network starting on November 4, and the investigation revealed they may have accessed certain files containing patient names, contact information, birth dates, and Social Security numbers, as well as direct deposit bank account information for some employees.
Meanwhile, Barbados’ Queen Elizabeth Hospital (QEH) is recovering from a December 13 cyberattack, Barbados Today reports. The incident led to the suspension of all of QEH’s internet-dependent services, and the hospital is working to restore services by next week.
In an unusual turn of events, Bleeping Computer reports that the LockBit ransomware gang has expressed remorse for the December 18 attack on Toronto’s Hospital for Sick Children (SickKids), explaining that by targeting the hospital, one of its affiliates violated the group’s rules. “We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” LockBit stated on December 31. The ransomware group’s operating policies state, “It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.” CP24 notes that SickKids has said it is aware of the statement and is consulting with experts to “validate and assess the use of the decryptor.”
Bettor beware.
BetMGM, an online sports betting company owned by MGM Resorts, on December 21 confirmed that it experienced a data breach that compromised customer data. On the same day, SecurityWeek reports, a database containing the information of 1.57 million BetMGM customers was offered for sale on a hacker forum. BetMGM believes the incident occurred in May, though the company did not learn of the attack until November 22. Meanwhile, a hacker on a popular cybercrime forum has taken credit for the attack, offering to sell a database containing data allegedly associated with “any customer that has placed a casino wager.” The compromised information includes name, email address, postal address, phone number, date of birth, hashed Social Security number, account identifier, and information related to transactions. Though the company says there is no evidence that passwords or account funds were affected, it recommends that customers change their passwords out of an abundance of caution.
Hackers invade Santa’s sack.
After two different ransomware gangs posted stolen data on their leak sites, leading toymaker Jakks Pacific last week confirmed that it suffered a cyberattack on December 8. The company states that the attack encrypted its servers, and that it has enlisted the aid of cybersecurity experts to restore its network and protect the data contained therein. “We believe that the data that was unlawfully accessed potentially includes personal information (including names, emails, addresses, taxpayer identification numbers, and banking information of affected individuals and businesses),” the company said in a statement released on December 22. The Hive ransomware group was the first to leak the stolen data, on December 19, followed by the BlackCat gang on December 28. A spokesperson for the Hive ransomware gang says both groups bought access to the company’s network from an initial access broker, agreeing to split a $5 million ransom (which Jakks refused to pay). As The Record by Recorded Future notes, the incident sheds light on the complicated network of initial access brokers and wholesale access markets that shuttle stolen data throughout the cybercriminal ecosystem.
Retired Pentagon device exposes private data.
The New York Times reports that a biometric device offered for sale on eBay contained a great deal more data than the buyer bargained for. The device, called a Secure Electronic Enrollment Kit, or SEEK II, was designed to capture fingerprints and perform iris scans, and it was purchased by German security researcher Matthias Marx for $68 (a bargain, given that the asking price was $150). Upon receipt, Marx was surprised to find that the device’s memory card held the names, nationalities, photographs, fingerprints, and iris scans of over 2,600 individuals. The device had previously been used by the Pentagon in the summer of 2012 near Kandahar, Afghanistan, around the same time that the American war effort was ending there. Most of the individuals it held records on were known Afghan or Iranian terrorists or wanted persons, while others had worked with the US government or had simply been stopped at checkpoints.
It’s unclear how the device ended up on eBay, but the data it contained is highly sensitive and could be dangerous in the wrong hands. Motivated by concerns raised last year that the Taliban had seized such devices after the US evacuated Afghanistan, Marx and a small group of researchers at the European hacker association Chaos Computer Club purchased six biometric capture devices on eBay with the intent to analyze them for vulnerabilities and determine whether the Taliban could have used the data they contained to find individuals who had assisted the US. Marx said that discovering the unencrypted data was disturbing, and that it seemed to indicate that the US military “didn’t care about the risk, or they ignored the risk.” Brigadier General Patrick S. Ryder, the Defense Department’s press secretary, said in a statement: “Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it. The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”