At a glance.
- Driver's license data exposed in Oregon and Louisiana.
- Georgia university system suffers data breach.
- Data breaches lead to lawsuits.
Driver’s license data exposed in Oregon and Louisiana.
The recently discovered bugs in the popular file transfer software MOVEit continue to lead to data exposures. The US states of Oregon and Louisiana disclosed yesterday that residents’ driver’s license data were exposed due to breaches, and officials report that the incidents were linked to the MOVEit hack. Oregon Driver and Motor Vehicle Services says an estimated 3.5 million driver’s license and identification card files (about 90% of all card files) were exposed when the agency was hit with a cyberattack two weeks ago, Oregonlive reports. Agency spokesperson Michelle Godfrey said yesterday that the breach was first discovered on June 1 and the agency almost immediately locked down their systems. “But we didn’t have any information about what data may have been affected at that time,” she said. It took deeper analysis to determine the full scope of the attack. Thomas Amato, the agency’s Chief Information Officer, say they delayed publicly disclosing the breach because they didn’t want to reveal “too much evidence to the actual threat actors who could use our verification of their attack as leverage, and also to be able to prepare the kinds of resources to present it to the people of Oregon.”
Meanwhile in Louisiana, the Governor's Office of Homeland Security and Emergency Preparedness announced that the Louisiana Office of Motor Vehicles (OMV), as well as other government entities, had suffered a cyberattack, wwltv.com reports. According to the OMV, all Louisianans with a state-issued driver's license, ID, or car registration were likely impacted, and the compromised data include but are not limited to names, addresses, Social Security numbers, dates of birth, driver's license numbers, and even physical details like height and eye color. WDSU adds that although there is no evidence yet that the data have been sold or abused, the Louisiana Governor's Office of Homeland Security and Emergency Preparedness is advising all those potentially affected to freeze their credit accounts, change their passwords, and protect their tax documents.
Maybe there's a remedy for this kind of issue at the ballot box, but there's no obvious market solution. Dror Liwer, co-founder of cybersecurity company Coro, commented, “Citizens have a choice to walk away from companies that failed to protect their data. When it comes to government agencies, people don't have that choice, which is all the more reason for such agencies to take confidential information even more seriously than the private sector.”
Stephen Gates, Principal Security SME at Horizon3.ai, explained the "window-of-opportunity predicament." He wrote, “News of this breach (and more like it) is a textbook example of attackers taking advantage of the window of opportunity predicament. Vulnerabilities in widely used software applications are publicly announced, and new patches are becoming available from the vendor, yet the patches have often not been applied - resulting in a breach. The reason why attackers are successful at exploiting the window of opportunity is multi-fold. Often, organizations don’t always know what applications need to be patched, they give critical patching a lower priority than they should, they must wait for maintenance windows to patch vulnerable applications, and/or they often try to protect known vulnerabilities with other security controls not designed to mitigate the identified risk. Expect more of the same folks.”
James McQuiggan, Security Awareness Advocate at KnowBe4, wrote to point out the quantity of personal information at risk in these attacks. "This data breach can impact the users as so much of their data was stolen," he said. "While it may not have shown up yet, now that it has been reported, the cybercriminals will most likely go through and sell off the data or try to use it for targeted social engineering attacks. People with sensitive information stolen will want to act quickly to protect themselves from identity theft and social engineering attacks. The stolen personal data can be used maliciously; therefore, taking immediate steps to control the damage and prevent further harm is essential. They will undoubtedly want to monitor their financial accounts for suspicious transactions, checking with the credit bureaus to prevent identity thieves from opening new accounts or obtaining credit in their name. People must stay vigilant against phishing scams, social media engineering and cyber attacks. Keeping an eye out for suspicious emails, text messages or phone calls from unknown sources and never clicking on any link or attachment are just some of the steps they should be taking or need to take!"
Georgia university system suffers data breach.
In yet another US breach linked to the MOVEit bug, the University System of Georgia (USG) has disclosed that cybercriminals gained unauthorized access to their software systems. 11Alive.com reports that the vulnerability allowed hackers to view prohibited information contained in MOVEit repositories stored at the USG and the University of Georgia. USG officials say that upon learning of the potential breach they immediately applied the newly-developed patches supplied by MOVEit developer Progress Software, and experts are investigating to determine the full impact of the incident. Patrick Kelley of Leagas Security says universities are attractive targets for cybercriminals. "That's where some of the world's greatest and most impactful research takes place," he stated. "If you look at Georgia Tech, for instance, they have a world-renowned cybersecurity and nuclear research department. University of Georgia has similar...The scale of it is pretty enormous."
Data breaches lead to lawsuits.
Several recent data breaches have led to legal action this week. The NH Business Review reports that two residents of the state of New Hampshire are suing Harvard Pilgrim Health Care over a breach resulting from an April ransomware attack that exposed the data of 2.5 million individuals. The plaintiffs claim that Harvard Pilgrim and its parent company, Point32Health, neglected to adequately protect customer data. As well, the lawsuits allege the company took too long to detect the attack and disclose it to customers. As a result, one plaintiff says she experienced $250 worth of credit card fraud, and the other says she has seen an increase in spam texts and phone calls that has led to stress and other ailments.
In the state of Iowa, hospital network Mercy Health was hit with a pair of potential class-action lawsuits over a cyberattack that began in March. In the first case, Mercy is being sued for negligence, breach of implied contract, and unjust enrichment, as the plaintiffs allege that the network had “stored this private information on a database that was negligently and/or recklessly configured” and failed to adequately encrypt the data. In the second suit, the plaintiff claims Mercy violated the Health Insurance Portability and Accountability Act and failed to follow Federal Trade Commission guidelines for protecting sensitive data. The Iowa Capital Dispatch notes that Mercy has yet to file a response to either of the lawsuits.
Across the pond in the UK, law firm Barings Ltd. has begun legal proceedings against Capita P.L.C. on behalf of clients fear their personal data were compromised during a cyber attack targeting the process outsourcing company earlier this year, Business Insurance reports. Barings says the exposed data include personal info like email addresses, street addresses, and passport details.