At a glance.
- Arrest made in connection with PSNI data breach.
- Experts say lawsuits linked to the MOVEit bug blame the victim.
- Third-party breach exposes liquor board subscriber data.
- GEICO discloses MOVEit-related breach.
Arrest made in connection with PSNI data breach.
As we saw last week, officials in Northern Ireland are investigating a data leak in which the private info of all 10,000 of the Police Service of Northern Ireland’s (PSNI) serving officers and staff was inadvertently leaked due to an employee error. It wasn’t long before the data began circulating on the web, and on Monday a redacted document allegedly exposed in the leak was posted on a wall facing a Sinn Fein office in Belfast. The Irish Sun reports that on Wednesday a man was arrested on suspicion of collecting information likely to be useful to terrorists.
Belfast Live notes that after being detained and questioned at Musgrave Serious Crime Suite, the man was released on bail. Detective Chief Superintendent Andy Hill explained, “We are working tirelessly to address the risk posed to officers and staff. Today’s search operation, and subsequent arrest, is just one piece of a large-scale operation. We will continue in our efforts to disrupt criminal activity associated with this freedom of information data breach and to keep communities, and our officers and staff who serve them, safe.”
Experts say lawsuits linked to the MOVEit bug blame the victim.
Leading US hospital Johns Hopkins University and Health System is currently facing at least seven class action lawsuits brought by patients who say the medical institution failed to protect their private data. The breach was the result of hackers exploiting the recently discovered vulnerability in the popular MOVEit file transfer protocol, and approximately 300,000 individuals were impacted in the Johns Hopkins incident. However, Hopkins is just one of nearly seven hundred organizations that have fallen victim to the MOVEit mass-hack so far, and 46 million individuals have been impacted worldwide.
The Banner spoke with several cyber experts who explained that for organizations like Hopkins, avoiding exploitation via the MOVEit bug was practically impossible. Richard Forno, assistant director of the Center for Cybersecurity at the University of Maryland, Baltimore County and director of its graduate program, stated, “You could have the best cybersecurity software in the world and the best processes and people and do all the right things,” and still be vulnerable to this type of attack. The issue is that, no matter how secure the organization’s own systems are, it’s extremely challenging to fully vet “trusted” third-party applications like MOVEit. Massachusetts-based Progress Software, the developer behind MOVEit, has been named as co-defendant in three of the lawsuits against Hopkins, as well as several other breached organizations. Attorney Benjamin Yelin says the plaintiffs in these cases will likely have difficulty demonstrating legal standing, as many of the complaints fail to name specific examples of harm suffered by the victims. While many of the allegations say the victims lost time to monitoring their accounts for suspicious activity, these claims are often seen as too vague to confer legal standing. Yelin stated, “I think it’s unjust to blame the victims of these attacks without any proof that they were negligent in how they handled the data. I just don’t think it gets us anywhere to pass blame on Hopkins as an institution.”
(Added, 8:00 PM ET, August 17th, 2023. Progress Software, whose product MOVEit is mentioned in accounts of these supply chain attacks, wrote to emphasize that there's only evidence that the single vulnerability in MOVEit Transfer addressed on May 31st has undergone exploitation.)
Third-party breach exposes liquor board subscriber data.
Ontario, Canada’s Liquor Control Board (LCBO) has disclosed it suffered a third-party data leak that exposed data belonging to subscribers to the board’s promotional emails. CBC News explains that the breach allowed an unauthorized party to access LCBO subscriber data including names and email addresses, dates of birth, postal codes, and Aeroplan numbers. The breached vendor in question is Conversion Digital, a service provider the LCBO uses for distributing its promotional emails. In January the hackers embedded malicious code on the LCBO's website, forcing the corporation to disable customer access to the site while an investigation was carried out. The Office of the Information and Privacy Commissioner of Ontario has been informed of the incident.
GEICO discloses third-party data breach affecting employees.
GEICO has said it's aware of a third-party incident that may have exposed employee data to unauthorized parties. The breach is believed to be traceable to a vulnerability in MOVEit software (a patch has been available since the end of May). WKBW 7 Buffalo reports that GEICO has advised employees to freeze their credit. The company says no customer data are at risk.
Damir J. Brescic, CISO at Inversion6, wonders what steps GEICO has taken to bolster its cybersecurity posture in the wake of the incident. "A few thoughts pop to mind of what they could have done; starting with ensuring that MOVEit was regularly updated with the latest security patches and fixes. They should have implemented a robust access control and authentication mechanism within MOVEit to prevent unauthorized access to sensitive data. I am also a big fan of two-factor authentication, strong password policies, and role-based access control as effective ways to restrict access to authorized personnel only," Brescic wrote. "This incident serves as a reminder to customers to do their own due diligence, by considering several factors. They should understand the potential risks involved and take steps to protect their own personal information, such as using strong and unique passwords and enabling two-factor authentication whenever possible. Regular monitoring of financial statements and credit reports can also help detect any suspicious activities that may result from a data breach."