At a glance.
- Inadequate government response to cyberattack serves as cautionary tale.
- ICO says at least ninety organizations were impacted in the Capita attack.
- Proper precautions not taken in recent N.L. ransomware attack.
- Personal data exposed in cyber incident at dental insurance company.
Inadequate government response to cyberattack serves as cautionary tale.
Fire Rescue Victoria (FRV), the fire and rescue service in the Australian state of Victoria, suffered a ransomware attack in December 2022, and victims say FRV’s incident notification process has left much to be desired. As one victim explains to ABC, the service’s initial notification letter offered little detail about the scope of the breach. "They just told me that I'm part of a breach, they didn't tell me what information was breached," the woman says. "I just kind of thought I'd given my name, address, phone number … I'd sort of forgotten how much information I had shared." She says she was shocked when she learned just how much of her sensitive data had been exposed, and she questions why a government entity like FRV didn’t keep her better informed. "This is a state government body, why aren't they on top of what their state government bodies are doing with personal information?” she asks. David Vaile, chair of the Australian Privacy Foundation, agrees that FRV’s notification process was lacking.
"It puts all the burden of trying to understand what has happened, onto the people who are least in a position to understand," Mr. Vaile said. "And the delay means that notification has lost its major benefit. This is almost a case study in how not to communicate." Although the exact number of victims has not been determined, the FRV data breach potentially affected anyone who has ever applied for or held a position at FRV or its predecessor, the Melbourne Metropolitan Fire Brigade, a group that could number in the tens of thousands. And even now, more than five months after the attack, FRV’s emergency alert systems have not been fully restored.
ICO says at least ninety organizations were impacted in the Capita attack.
As we noted previously, London-based outsourcing firm Capita suffered a March cyberattack that exposed the data of its clients. BBC News reports that so far ninety organizations have disclosed to the Information Commissioner's Office (ICO) that personal data was breached as a result of the attack. "We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries", said the ICO. It’s worth noting that in May a security researcher also discovered that Capita had left a repository of files unsecured online, further exposing client data. Although Capita initially tried to downplay the attack, stating that it did not believe personal data had been compromised, a number of councils have said otherwise. Because Capita’s operations include administering payments for company pension schemes, the company handles the personal data of millions of people. The Pensions Regulator recently contacted more than three hundred pension funds asking them to determine whether their data had been put at risk by the Capita attack, and the Universities Superannuation Scheme pension fund has begun notifying its 500,000 members that their data was potentially compromised. Capita told the BBC: "We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so."
Proper precautions not taken in recent N.L. ransomware attack.
In another update on a past data breach, Canada’s Office of the Information and Privacy Commissioner says health officials in the province of Newfoundland and Labrador (N.L.) failed to respond to warnings that they needed to do more to protect the sensitive health data of the hundreds of thousands of individuals affected by a 2021 ransomware attack. In a 115-page report issued last week, the privacy watchdog states, "The biggest question at the outset of this investigation for us was whether this cyberattack succeeded despite these [provincial health] entities having cybersecurity practices that met recognized international standards, or if it succeeded because those standards were not being met at the time. Unfortunately, we found the latter." The report goes on to explain that the health information system’s lack of certain recommended cybersecurity measures made a cyberattack both foreseeable and practically inevitable. Sean Murray, a senior official in the commissioner's office who led the investigation of the attack, explained, "The Department of Health and Community Services was informed in 2020 — over a year prior to the cyberattack — that a threat assessment rated the chances of a cyberattack as high, and the impact of such an event as high.” Furthermore, CBC explains, the investigators say it’s likely that more people were exposed by the breach than previously disclosed. "The total number of privacy breaches caused by the cyberattack is unknown but is likely to be in the hundreds of thousands," the report reads. Last Wednesday in the House of Assembly, interim Opposition leader David Brazil asked Premier Andrew Furey why the government had hidden the scope of the attack. "We were very open in our communications — in fact we said immediately, upon recognition, that there was a problem,” Furey responded. “We said we didn't know the scope of the problem but we said it was a potential, that many Newfoundlanders and Labradorians could have been involved in this."
As for what happens now that the report has been released, Justice Minister John Hogan says it’s too soon to tell. "I'm not sure where the health authority is going to go with that, but I'm sure they'll look at it, along with the recommendations in the findings," Hogan stated.
Personal data exposed in cyber incident at dental insurance company.
Dental health plan provider MCNA Insurance Company suffered a cyber incident that exposed personal information. HackRead reports that the data exposed includes "full names, dates of birth, residential addresses, telephone numbers, email addresses, Social Security numbers, driver’s license numbers or government IDs, health insurance information, and dental care records." Not every affected individual lost every category of data, or even more than one, but several million people are believed to have been affected to some extent. In its data breach disclosure to the State of Maine's Attorney General, MCNA put the number of those affected by the breach at 8,923,662.
James Graham, VP, RiskLens, suggested some considerations for all organizations that handle healthcare information. “Healthcare organizations must assume that persistent cyber attacks are the norm, and take steps to understand their risk exposure more accurately," he wrote. "It's vital for them to know the types of cyber incidents most likely to impact them and what their likely losses could be, in financial terms. This is important not only for the entire organization, but also the safety and privacy of patients, whose personal data could be at risk of exposure. In order to do so, they must perform quantitative risk assessments that allow them to calculate their risk exposure in dollar terms, then allocate budgets and security solutions accordingly to boost their security and minimize costs."
KnowBe4's Javvad Malik, who serves as Lead Security Awareness Advocate, was struck by the sheer number of people affected by the incident. "It is unfortunate to see yet another data breach impacting millions of individuals," Malik said, going on to note the potential such an incident has for exploitation in further fraud. "The information stolen in this breach is a treasure trove for criminals who can use it to conduct identity theft or social engineering attacks. This incident highlights the importance of investing in cybersecurity, especially identifying the root causes of ransomware attacks. Inevitably, these causes are linked to social engineering tactics such as phishing, unpatched software, poor authentication, and the lack of multi-factor authentication. Addressing these issues through effective employee training, system updates, and robust security controls can help prevent future data breaches. Organizations should prioritize cybersecurity and ensure that they implement the necessary measures to protect their customer data. As we can see from this attack, the cost of inaction is simply too high."
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, offered some suggestions for an approach to data security. “The healthcare sector, including dental clinics, stores vast amounts of sensitive personal data, including medical histories, insurance information, and personally identifiable information (PII)," Shadabi wrote. "The compromise of such data through a ransomware attack poses significant risks to both patients and the organization itself. The compromised data, for instance, can be leveraged for social engineering attacks, potentially leading to further breaches in other domains. The costs associated with remediation, including forensic investigations, system restoration, and potential legal liabilities, can be steep. To mitigate such risks, organizations should adopt a data-centric security approach that includes measures like tokenization and format-preserving encryption. Implementing tokenization and format-preserving encryption reduces the value of stolen data and limits the potential impact of a breach. By removing the actual data and replacing it with tokens or encrypted values, the risk of unauthorized access and misuse is significantly reduced. Even if a ransomware attack occurs, the stolen data holds limited or no value, as it cannot be used for identity theft or other nefarious purposes.”
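To make the data-centric control Shadabi describes concrete, here is an added illustration of vault-based tokenization of Social Security numbers. It is example code written for this piece, not code from MCNA, comforte AG or any product: the in-memory vault, the lookup key and the member records are all constructed for the illustration, and format-preserving encryption (such as NIST FF1) is mentioned only for contrast, not implemented. The point it shows is that the application table never holds a real SSN, so a dump of that table yields only random tokens that keep the NNN-NN-NNNN shape legacy validation expects.

```python
"""Added illustration (not MCNA's or comforte AG's code): vault-based
tokenization of SSNs. The vault, key and records are constructed here."""
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Constructed sample records, as a dental plan's member table might hold them.
MEMBER_RECORDS = [
    {"member_id": 1, "name": "Ada Example", "ssn": "123-45-6789"},
    {"member_id": 2, "name": "Bob Sample", "ssn": "987-65-4321"},
    {"member_id": 3, "name": "Ada Example", "ssn": "123-45-6789"},  # same person, second plan
]


class TokenVault:
    """Maps real SSNs to random, format-preserving tokens.

    In a real deployment the vault and its lookup key live in a separate,
    more tightly controlled system than the application database; here the
    vault is an in-memory dict purely for illustration.
    """

    def __init__(self, lookup_key: bytes) -> None:
        self._key = lookup_key
        self._token_by_hash: dict[str, str] = {}  # HMAC(ssn) -> token
        self._ssn_by_token: dict[str, str] = {}   # token -> ssn

    def _lookup_hash(self, ssn: str) -> str:
        # Keyed hash so the same SSN always yields the same token, without the
        # vault index itself revealing SSNs to anyone who lacks the key.
        return hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.fullmatch(ssn):
            raise ValueError("expected an SSN in NNN-NN-NNNN form")
        h = self._lookup_hash(ssn)
        if h in self._token_by_hash:
            return self._token_by_hash[h]
        while True:
            # Random digits in the same NNN-NN-NNNN shape, so downstream
            # validation and column widths keep working. Unlike format-
            # preserving encryption (e.g. NIST FF1), a random token has no
            # key-recoverable relation to the SSN; only the vault can map it back.
            token = "%03d-%02d-%04d" % (
                secrets.randbelow(1000), secrets.randbelow(100), secrets.randbelow(10000))
            if token != ssn and token not in self._ssn_by_token:
                break
        self._token_by_hash[h] = token
        self._ssn_by_token[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        """Only callers authorised to reach the vault can reverse a token."""
        return self._ssn_by_token[token]


def tokenize_records(vault: TokenVault, records: list[dict]) -> list[dict]:
    """What the application database stores: the real SSN never lands there."""
    return [{**r, "ssn": vault.tokenize(r["ssn"])} for r in records]


def real_ssns_in(records: list[dict], real_ssns: set[str]) -> set[str]:
    """Simulates an attacker grepping a dump of the application table for SSNs."""
    return {r["ssn"] for r in records if r["ssn"] in real_ssns}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    stored = tokenize_records(vault, MEMBER_RECORDS)
    print(stored)
    print("real SSNs recoverable from the app table:",
          real_ssns_in(stored, {r["ssn"] for r in MEMBER_RECORDS}))
```

Two design points matter more than the code itself. First, the control only helps if the vault and its key are isolated from the systems an intruder is likely to reach; a vault that shares the application's database server or credentials is just a second copy of the data. Second, random tokens are safer than format-preserving encryption when the application never needs to recover the SSN locally, because there is no key whose theft turns every token back into a real number; FPE is the better fit when a reversible, keyed mapping is genuinely required.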