At a glance.
- Another commodity infostealer hits the C2C market.
- A patient is left in the dark after hospital data breach.
- Accidental data leak at Liverpool hospital.
Another commodity infostealer hits the C2C market.
Sekoia reports finding a commodity infostealer circulating in the wild. First noticed last month, it's called "Stealc," and it's been seeing increased use through February. Stealc bears some similarities to the Vidar, Raccoon, Mars, and Redline strains of malware.
Dror Liwer, co-founder of Coro, notes it as another readily available tool in the C2C market that lowers the technical barrier to entry for aspiring criminals. “As advanced tools and Attack-as-a-Service offerings become easily accessible on the dark web, even relatively unsophisticated attackers are enabled to execute extremely sophisticated and lucrative attacks. What this translates to is more attacks on a wider population, with the economics working even when the attacked is a mid-market or small business.”
Roger Grimes, data-driven defense evangelist at KnowBe4, points out that Stealc ("like most other malware programs today") depends on social engineering for its distribution. "Social engineering is involved in 70% to 90% of all successful attacks and educating users on how to recognize, defeat, and report social engineering scams is the single best cybersecurity defense most organizations could do. It is the inability for society to recognize how big a problem social engineering is and in aggressively countering it that allows malware and hackers to be so continually successful today." Grimes notes that in one respect, at least, Stealc seems to be an outlier. "One interesting addition I see in this malware is its specific targeting of password managers," he writes. "It specifically targets at least 13 browser extensions installed by password managers and other authenticators. I'm not sure if StealC is the first malware program to do this much targeting of password managers...probably not...but it obviously tells us that hackers are increasingly targeting password manager users. This is a trend we all need to pay attention to."
A patient is left in the dark after hospital data breach.
The Daily Record offers a look at the personal side of a medical data leak by speaking with a cancer patient who was impacted in the recent breach at National Health Service (NHS) Lothian, which provides healthcare services in the Edinburgh, East Lothian, Midlothian and West Lothian areas of Scotland. The incident involved an NHS Lothian employee “inappropriately” accessing the data of approximately ninety patients. West Lothian resident Martin Laing received a letter from the health board informing him his data had been compromised in the breach, but he says the healthcare provider has been less than forthcoming when it comes to details. The police have said they are unable to divulge much info because the incident is still under investigation, and although authorities have said the perpetrator has been fired, their identity – and what they might have done with the compromised data – remains a mystery to victims like Laing. “I’m a regular visitor to the hospital unfortunately because I suffer from leukaemia, cancer of the pancreas, osteoporosis, COPD and various other things,” Laing explains. “So I’m saying to myself, what exactly have they gleaned from my records? And will it affect me in the future?”
It’s worth noting that this is the second recent breach of this nature to impact NHS Lothian; in February 2021, a staff member accessed medical records belonging to over one hundred NHS colleagues. The hospital has stated that this is a new breach, but has not confirmed whether the staff member responsible for this incident has been let go. Medical Director Dr. Tracey Gillies stated, “While NHS Lothian does not comment on current or former members of staff, we take the security and confidentiality of patient records extremely seriously.”
Accidental data leak at Liverpool hospital.
Speaking of the NHS, an NHS hospital trust located in Liverpool has disclosed that the data of approximately 14,000 employees were inadvertently exposed when a file containing payroll information was accidentally emailed to hundreds of NHS managers and twenty-four external accounts. A notification letter sent to the victims explains, “The spreadsheet file included a hidden tab which contained staff personal information. Whilst it was not visible to those receiving the email, it should not have been included in this spreadsheet.” The compromised data include names, addresses, dates of birth, National Insurance numbers, gender, ethnicity, and salary info. The hospital deleted the data from the accounts of the NHS managers and asked the external recipients to do the same, but there is no way to ensure that they follow through. As Infosecurity Magazine notes, last year human error accounted for 13% of breaches analyzed by Verizon and contributed to 82% of breaches that involve a “human element,” and accidental leaks like this one can have legal ramifications for the organization at fault. Christine Sabino, legal director at law firm Hayes Connor, explains, “If identifying personal information is sent out to the wrong recipients, the sender is in clear violation of GDPR laws and staff may have grounds for compensation.”