At a glance.
- Data shows hospitals are more vulnerable to attack during mergers.
- IU Health reports MOVEit-linked third party breach.
- Vulnerabilities discovered in Axis cameras.
- UK Electoral Commission discloses breach.
Data shows hospitals are more vulnerable to attack during mergers.
A researcher at the University of Texas at Dallas has found that hospitals that are just starting or ending a merger deal are twice as likely to report a data breach. Presenting her findings at an infosec conference last month, doctoral student Nan Clement says the probability of a breach increased from 3% to 6% for healthcare facilities in the year before and after the close of a merger. Prior to the merger, the breach risk is increased by “the vast amount of information released about the target hospitals and the buyers, which reduces information asymmetry on the hackers’ side,” Clement wrote. On the other end of the deal, breach risk is heightened because the hospitals involved are working to integrate their IT systems; data breaches due to differences in electronic health record systems rose by 1.62%. Fierce Healthcare notes that the increased risk is due to outsider attacks – particularly ransomware – not internal misconfiguration or data leaks. “Considering the rising cybersecurity costs for companies in recent years, the government should provide cybersecurity incident prevention warnings based on the hospital and health system size and market visibility,” Clement wrote. “Best practice managing post-merger information system risk control deserves more policy attention from the healthcare and financial market authorities.”
IU Health reports MOVEit-linked third party breach.
Data breaches linked to the recently discovered vulnerabilities in the popular MOVEit file transfer application are still popping up. Indiana University (IU) Health, a US nonprofit healthcare system, has disclosed it suffered a data breach that occurred as a result of a third-party vendor’s use of MOVEit. JDSupra reports that the vendor in question is TMG Health, Inc., a US provider of outsourcing solutions for Medicare and Medicaid which IU Health uses for claims processing services. The breach allowed an unauthorized party to access members’ sensitive information including names, member identification numbers, effective dates of plans, and bank account and routing numbers.
Vulnerabilities discovered in Axis cameras.
Nozomi Networks Labs reports that six bugs were detected on camera systems made by Axis Communications. The cameras in question offer a License Plate Verifier application, and researchers found that a vulnerability discovered in the software could allow an attacker to exfiltrate credentials to access additional systems, and by chaining some of these bugs together, the hacker could obtain full privileges to execute forbidden functionalities on the camera. A camera synchronization capability offered by the license plate app could allow the attacker to escalate their privileges from viewer to operator, and an “anonymous viewer” option could allow the bugs to be exploited by a completely unauthenticated attacker. Axis has already issued a software upgrade for the bugs, and it’s recommended that device owners apply the patch as soon as possible.
Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks, offered further perspective on the researchers' findings. He sees the lesson to draw from the discovery as the importance of patching. "Patching vulnerabilities is not just best practice – it is an absolute necessity in today's interconnected world. Failure to address vulnerabilities can open the door to threat actors, with devastating consequences for businesses, and particularly for mission-critical industries like aviation and healthcare. Within certain critical infrastructure environments, some systems cannot be patched and as such other methods or tactics must be used in order to recognise and take the best course of action, and to determine whether vulnerabilities should be patched, mitigated or accepted." These lessons aren't confined to security systems, either, nor do they apply only to concerns about privacy. They apply across all critical infrastructure sectors. "It is important to possess deep insight into where vulnerabilities lie, and to understand what to do, when, and why. And equally imperative to make sure that systems within critical industries are secure so that malicious actors are not able to escalate their involvement to acquire credentials and gain access to other systems. If Axis, as an asset owner, is affected, many other production devices would be impacted as well as they are leaders in the field. We need to understand that there is always a bigger picture and a breach of one application can have wide-reaching implications."
UK electoral database breached.
The UK's Electoral Commission today issued a public notification of an attack on electoral systems. It's an old incident, identified in October of 2022 and believed to have been in progress since August of that year. The personal information exposed includes:
- "Personal data contained in email system of the Commission:
  - "Name, first name and surname.
  - "Email addresses (personal and/or business).
  - "Home address if included in a webform or email.
  - "Contact telephone number (personal and/or business).
  - "Content of the webform and email that may contain personal data.
  - "Any personal images sent to the Commission.
- "Personal data contained in Electoral Register entries:
  - "Name, first name and surname
  - "Home address in register entries
  - "Date on which a person achieves voting age that year."
Taken in isolation, the Commission thinks the information doesn't pose much risk to individuals, but, of course, combined with other sources of personal data it might. The Commission says it's taken steps to improve security. "We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies." TechCrunch reports that there seems little threat to the integrity of elections, but the publication received no explanation when it asked the Electoral Commission why it took them nine months to disclose the incident.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, observed that, while paper ballots are reassuring insofar as election integrity is concerned, the theft of personal data remains troubling. "Elections across the UK, Europe, and across much of the world are increasingly being targeted by criminals looking to disrupt, influence, or call into question the validity of election results. So it's natural that news like this brings about some level of concern. Although the Electoral Commission assures us that the largely paper-based process of elections makes it difficult for criminals to sway the outcome, we can't deny the importance of staying alert in this age of digital democracy. Let us not forget that even in the land of tea and stiff upper lips, the ever-increasing threats against the electoral process cannot be underestimated either directly or indirectly. Bearing in mind that criminals don't need to wholly undermine an election, they just need to sow enough seeds of doubt amongst the public for them to distrust the outcome."
(Added, 8:30 PM ET, August 8th, 2023.) Rob Ames, Threat Researcher at SecurityScorecard, sees the breach as an instance of a trend in which threat actors, whether state-run, hacktivist, or conventionally criminal, attack sites related to the machinery of government. "The Electoral Commission’s breach notification comes alongside recent news highlighting the targeting of politically-relevant organizations’ email systems by APT groups. Microsoft reported that a China-linked threat actor group compromised its cloud assets to conduct espionage against government agencies’ email services," Ames commented. "SecurityScorecard’s Attack Surface Intelligence tool has identified at least one Electoral Commission-attributed IP address attackers may have targeted. The IP addresses’ malicious reputation findings correspond to the appearances of those addresses on blocklists or threat feeds, which would, in turn, indicate that analysts had observed the addresses conducting malicious activity. While little information is publicly available regarding the threat actor group responsible for the Electoral Commission breach or the tactics, techniques, and procedures (TTPs) involved in the attack, taken alongside Microsoft’s report, the incident may serve as further evidence that government bodies’ email systems are targets of particular interest to nation-state threat actors, should such an actor have been responsible for the breach, which some of the few publicly-available details may suggest."
(Added, 8:45 PM ET, August 8th, 2023.) Nikhil Girdhar, Senior Director of Data Security at Securiti, finds both the scope of the breach and its laggard disclosure troubling. "The recent revelation of a data breach affecting the UK's registered voters is deeply concerning, both because of its scale and the significant delay in its disclosure. This incident underscores the pressing need to evaluate organizational preparedness in both preventing and responding to security threats," Girdhar wrote. "With limited resources, both human and technological, security teams must strategically identify assets that hold sensitive data. The focused approach enables them to efficiently allocate resources to strengthen security controls such as login requirements, access policies, and firewall rules for pivotal data systems. Given the myriad of alerts that SOC teams process daily, it's paramount to prioritize notifications associated with these critical systems, ensuring a rapid and effective incident response." A proper defense, Girdhar added, requires a proper recognition of the risk. "It's also essential for organizations to recognize that their primary defenses could be breached. Therefore, encrypting sensitive data serves as a pivotal secondary measure, ensuring exposed data remains worthless to attackers. Timely response to breaches is another key facet of security readiness. Even seemingly benign data, when merged with public records, can be weaponized to profile and potentially jeopardize individuals. Automating breach analysis and notification mechanisms can expedite communication to those affected, allowing them to take protective actions more swiftly. Modern strategies, such as data security posture management (DSPM), present a holistic framework for establishing a resilient defense against escalating data threats in our increasingly digital age."