At a glance.
- Update on the LastPass data breach.
- The Twitter breach just gets messier.
- Vice Society leaks stolen UK school data.
- Data incident at health organization prompts questions about disclosure rules.
Update on the LastPass data breach.
As we previously discussed, popular password manager LastPass experienced a data breach last year that was detected in August and declared to be contained just a few weeks later. However, Cybersecurity Dive recounts, in November LastPass learned that an unknown threat actor had used the data stolen in the August breach to access its cloud-based storage environment and encrypted password vaults. And as December approached, LastPass disclosed that everyone’s worst fears had come true and the attacker had gained access to customer data. Now, Cointelegraph reports, a class-action lawsuit has been filed against the company by an unnamed plaintiff who alleges that the data breach resulted in the theft of approximately $53,000 of Bitcoin. The plaintiff says he used LastPass to store the private keys protecting his Bitcoin wallet. When he learned of the breach, he quickly deleted the private data in his account, but apparently he was not quick enough, as in November he found his Bitcoin had been stolen.
Though a figure sought for damages has not yet been identified, the suit accuses LastPass of negligence, breach of contract, unjust enrichment and breach of fiduciary duty. As Fox Business notes, the complaint filed in the US District Court of Massachusetts claims LastPass failed to "exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach that began in August" and impacted "potentially millions" of customers, and the suit is asking that LastPass be forced to disclose specifically all the types of private information that were compromised as a result of the breach.
The Twitter breach just gets messier.
As we noted yesterday, the massive data breach at Twitter continues to plague the social media platform. As Gizmodo reports, the data stolen from Twitter over a year ago was this week posted for sale on dark web marketplace Breached for the crypto equivalent of $2 (so essentially for free) by a hacker known by the flippant handle “StayMad.” As Bloomberg notes, experts believe the database dates back to 2021, and it contains the email addresses and usernames of approximately 235 million Twitter users.
With Twitter’s popularity with everyone from regular citizens to world leaders, the breach’s impact has had a far reach, and the victims in the database include household names like Sundar Pichai, Donald Trump Jr., SpaceX, CBS Media, the NBA, and the World Health Organization. Chris Heaton-Harris, the Northern Ireland secretary, has disclosed that hackers temporarily gained access to his account and used the opportunity to post controversial messages. The Guardian reports that although the tweets were quickly removed, one of the posts allegedly read, “Why are black people so poor?” and another stated, “We are passing a new law soon, all transgenders and homosexuals will now serve 10 years behind bars.” Shortly after, Heaton-Harris posted an apology stating, “I’m afraid my Twitter account was hacked overnight and someone posted some deeply unpleasant stuff on my account for which I can only apologise.” It’s worth noting that Heaton-Harris is the second cabinet member to have recently suffered a Twitter account hijacking; education secretary Gillian Keegan also had her account hacked over Christmas.
Forbes notes that some experts feel the initial cause of the breach, vulnerabilities in Twitter’s Application Programming Interface (API), is not getting the attention it deserves. “API security is the real story here,” says Sammy Migues, principal scientist at Synopsys Software Integrity Group. He continues, “As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices.”
Vice Society leaks stolen UK school data.
Prolific threat group Vice Society has published private data stolen from fourteen UK schools, Computing reports. The BBC reviewed leaked documents stolen from Pates Grammar School, located in the county of Gloucestershire; the compromised data include students’ passport scans, special educational needs details, and contract information going back as far as 2011. Pates suffered a cyberattack in September of last year that resulted in the temporary shutdown of the school’s phone lines and computer systems. Other schools affected by the leak include Carmel College in St. Helens, Durham Johnston Comprehensive School, and Frances King School of English in London and Dublin. A number of the schools were aware they had been attacked but did not know, or at least had not disclosed, that private data had been compromised.
Data incident at health organization prompts questions about disclosure rules.
Maternal & Family Health Services disclosed this week that it discovered an intrusion into its networks on April 4th, 2022. The unauthorized access to the organization's systems took place between August 21, 2021 and April 4, 2022. The lag in disclosure prompted some industry comment.
Avishai Avivi, CISO of SafeBreach, thinks eight months from discovery to disclosure is a surprisingly long time:
“This latest breach and subsequent press release by Maternal & Family Health Services is deeply concerning. It highlights the fact that HIPAA and HITECH are not sufficient to protect patient privacy. Another worrying sign is that it took almost 8 months from discovery of the breach (April 4th, 2022), before the organization started reaching out to individuals potentially impacted (January 3rd, 2023).
“I believe regulations must be tightened to follow the lead from the financial industry. This includes shorter notification windows, as well as stronger defenses. The fact that a ransomware attack was able to impact patient data would indicate that Maternal & Family Health did not validate their controls against such attacks.”
James McQuiggan, security awareness advocate at KnowBe4, commented on the conduct of both criminals and victim:
“When organizations are attacked with ransomware, they either have to pay the cybercriminal group to get the decrypter to restore the data or may have to pay not to expose the data to the public. However, when an organization states they were attacked many months prior and data was released, it resulted in them not paying the ransom. Additionally, cybercriminals like to post on their shame site which organizations they've breached and are holding their data for ransom.
“Looking back through various ransomware group feeds, it's unclear which group breached their defenses to steal the data and release it into the 'wild.'
“Either way, the patients are the victims as this data is now readily available for cybercriminals to conduct targeted social engineering attacks against them. Sometimes it is seen that the data is sold off, mainly when it contains this large amount of personal data. However, in this case, it was just released.
“The patients will not only need credit monitoring but also be vigilant in emails they receive, making sure they understand what to look for in the links for emails. If it's an email they're not expecting, and even if they know the person, they should take great care in checking the links to avoid their cyber attack.”