At a glance.
- Washington state food services worker data compromised.
- MOVEit vulnerability exploited to expose retirement plan data.
- Idaho colleges suffer third-party data breach.
- Data breach (via MOVEit exploitation by Cl0p) at Colorado State.
Washington state food services worker data compromised.
On Friday the Tacoma-Pierce County Health Department (TPCHD) disclosed that anyone employed in food service in the US state of Washington prior to 2019 may have been impacted in a breach of the Washington State Food Worker Card online training system database. The notification states that an “unauthorized person” gained access to a database containing the data of 1.5 million individuals (or about 20% of the state’s population), and the data was subsequently posted on a hacker forum.
Kenny Via, public information officer and content manager for TPCHD, told Big Country News, “The reason it’s such a large number is because we do the food worker cards for pretty much everybody in the state.” The health department says that nearly 10,000 of the exposed records contained driver’s license numbers, but it’s worth noting that since the time of the breach Washington has implemented a new numbering system for its driver’s licenses, so it’s likely most of the impacted users now have new license numbers. TPCHD also no longer uses the software that was employed at the time of the breach. “Our new support vendor transitioned our system from a legacy Adobe Flash-based website to a modern cloud hosted HTML5 application with cloud hosted database,” Via stated.
Idaho colleges suffer third-party data breach.
Seven colleges and universities in the US state of Idaho have been impacted by a third-party software data breach, BoiseDev reports. The software is used by National Student Clearinghouse and the Teachers Insurance Annuity Association of America (TIAA), both of which provide services to the schools, which include Boise State University, University of Idaho, and Idaho State University. The potentially compromised data include first and last name, date of birth, address, and Social Security number. It’s worth noting that last week Washington State University, another US higher ed institution, also disclosed it was impacted in the software breach, and it’s possible the breaches are connected to the mass-hack of the popular MOVEit file transfer application, as TIAA has confirmed previously that its systems were impacted in that attack.
MOVEit vulnerability exploited to expose retirement plan data.
PlanSponsor reports that Pension Benefits Information LLC, a leading US provider of research services to the pension, insurance, and financial industries, was impacted in the breach of the file transfer application. Also known as PBI Research Services, the company says the incident occurred at the end of May and was discovered on June 2. John Bikus, the president of PBI, wrote in a notification letter sent to customers, “Upon learning about this vulnerability, we promptly took steps to patch servers, investigate, assess the security of our systems, and notify potentially affected customers and individuals associated with those customers.” WBIR also reports that data held by the Tennessee Consolidated Retirement System were exposed in the PBI Research Services breach. Nearly 172,000 retirees in the US state of Tennessee were impacted, and the compromised data include names, Social Security numbers, dates of birth, and mailing addresses.
Third-party risk (via Cl0p MOVEit exploitation) at Colorado State.
Colorado State University last week disclosed that it had sustained a data breach via exploitation of MOVEit vulnerabilities in third-party vendors. “TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife, and The Hartford notified CSU that they were impacted by the global attack against the MOVEit Transfer software. MOVEit allows exchange of data files with clients across the world. We’ve been informed that the data breach may involve data for some current employees and students, as well as former employees and students dating back to at least 2021.”
Avishai Avivi, CISO at SafeBreach, noted that Colorado State was the second large university to fall victim to MOVEit vulnerability exploitation last week. “This week, two universities have been confirmed as new victims of the MOVEit mass-hack, including Colorado State University and Washington State University. Even weeks following the initial outset of the Clop attacks, new victims from US private, public, and government sectors continue to come to light. Having taken advantage of a vulnerability in the Managed File Transfer (MFT) system of the MOVEit Platform, the Clop ransomware group is obviously opportunistic and financially motivated. It’s clear that Clop doesn’t care what type of organizations they attack, including schools and healthcare institutions, as long as they receive their ransoms,” Avivi wrote, adding:
“This is very similar to the Fortra GoAnywhere breaches that first occurred in January, where Clop took advantage of a different vulnerability in an MFT system and, as a result, successfully breached many organizations. In the MOVEit case, Clop identified a zero-day SQL injection vulnerability in the file transfer system. SQL injections remain one of the top three security risks listed by the OWASP Top 10 (Open Worldwide Application Security Project), and I find it astounding that this type of vulnerability is still not being adequately addressed. Considering Clop’s behavior with the Fortra GoAnywhere breaches, it’s also likely that when the MOVEit breaches have run their course, Clop will once again pivot to a new vulnerability to exploit.
“What these two different Clop attacks emphasize is that it’s incredibly important for companies to use caution when transferring data through third-party vendors. Even if the vendor says they are secure, companies should take precautions. For example, applying critical secure-by-design principles would prevent sensitive data from being allowed to linger in a location meant to be a temporary transfer system. It appears that Clop exfiltrated large amounts of data that was readily available on the servers themselves.
“In addition, security teams should continuously test and audit for security gaps, keep their software patching current, and keep informed of the latest cybersecurity alerts from CISA and others about new vulnerabilities. If the Fortra GoAnywhere breach is any harbinger, we can expect that millions of individuals will, unfortunately, continue to be affected by this latest MOVEit mass breach event.”
James McQuiggan, Security Awareness Advocate at KnowBe4, framed the incident as an illustration of nth-party risk. “The MOVEit file transfer issues continue to haunt the victim’s customers and clients, which impacts users and the third-party and fourth-party organizations associated with it. Users should be aware that their personal information has been exposed, continue monitoring their credit, and be mindful of targeted emails attempting to access more sensitive data. This breach highlights two significant cybersecurity challenges for educational institutions.” Two features of university operations render them attractive to ransomware operators. “First, like many other organizations, they rely on dozens, if not hundreds, of outside vendors for critical services like housing, administration, and of course, the education of their students. While organizations emphasize the need for robust security programs and features from third-party vendors, they ultimately need more visibility into or control over vendors’ systems and practices. For example, most organizations rely on a SOC2 report to gauge the vendor’s cybersecurity quotient. However, it can only attest to that moment in time, and evaluating the exceptions found in that report is essential. Secondly, educational institutions will contain large amounts of valuable data, not just students’ personal information but also their finances and possibly healthcare records, and then the university’s intellectual property in the proprietary research and intellectual property. This data makes them prime targets for cybercriminals seeking to profit from stolen data or cause mayhem by disrupting academics.” And he offered some advice on managing risk. “Organizations should take a proactive, holistic approach to managing cyber risk across their vendors and supply chain. Vendor risk management should be highly prioritized, with vetting and contractual security requirements. A strong security culture with multi-factor authentication and network segmentation can help limit damage from third-party breaches, and resources must be devoted to monitoring for threats, not just reacting to them. Cybersecurity must be baked into institutional culture, not grafted on as an afterthought.”
While patching and security upgrades are often scheduled and organized in a regular way, there are circumstances when an organization might need to jump a priority fix to the head of the line. Stephen Gates, Principal Security SME at Horizon3.ai, thinks the MOVEit vulnerability may be one of those. “Although most organizations have regularly scheduled maintenance windows where they take systems offline, apply the latest patches, perform system updates, and complete any other scheduled maintenance, organizations must be able to make exceptions to their standard operational procedures, especially for times like these,” Gates wrote. “In the case of the recent MOVEit vulnerabilities that threat actors are actively exploiting in the wild, organizations cannot wait for regularly scheduled maintenance windows to patch. If organizations have applied patches, good job! If they have not already applied patches, they must make an exception and update now. If not, the likelihood of more organizations falling victim is extremely high.”