At a glance.
- Data breach at Minneapolis Schools.
- DC Health Link breach data posted for sale on dark web.
- More on the LVHN ransomware attack.
- AT&T customer data exposed in vendor breach.
- Over-collection and over-sharing.
Data breach at the Minneapolis Public Schools.
A ransomware group calling itself Medusa Media Team posted a nearly hour-long video teasing the kind of sensitive data it claims to have obtained in an attack on the Minneapolis Public Schools, The 74 reports. The group subsequently took the video down, but by then it had already made its point. The Star Tribune, in the course of advising affected individuals how to protect themselves from the consequences of the breach, described how the incident and its disclosure unfolded gradually. The data on display in Medusa Media Team's video indicated that the gang had obtained "student names and addresses, disciplinary information and forms that could contain sensitive employee information, like W-2s. Other images appear to show lesson plans, enrollment projections and district forms and policy documents."
Jon Miller, CEO and Co-founder, Halcyon, commented on gangland's ruthlessness. “Ransomware groups continue to prove they are ruthless, heartless criminals with zero consciences. They continue to victimize organizations in education and healthcare simply because they are easy targets," he said. "These sectors usually lack the appropriate budgets and staff to maintain a reasonable security posture. Despite available grant money or technology donations from big companies, these organizations likely lack the staff to properly manage and protect their infrastructure. Even if the attack is easily resolved, students whose personal information was stolen may continue to be at risk of identity theft and financial fraud into the unforeseeable future. Ransomware attacks and data exfiltration will continue unabated until profit motives are eliminated. To protect themselves, EDU organizations must reevaluate what kinds of data they collect and store, for how long, and pinpoint where it’s stored. They continue to keep legacy student data that is no longer relevant or needed. Eliminating unnecessary data will make EDU organizations a less attractive target to attackers, thus minimizing potential threats.”
DC Health Link breach data posted for sale on dark web.
As we discussed yesterday, the personal data of members and staff of the US House of Representatives were exposed in a breach impacting DC Health Link, the health insurance marketplace for the District of Columbia. BleepingComputer now reports that a threat actor known as IntelBroker is selling data allegedly stolen from DC Health Link's servers. IntelBroker posted a sample of the stolen data on a hacking forum, and the database header indicates that it contains records for approximately 170,000 individuals and offers a treasure trove of personal data including names, dates of birth, street addresses, email addresses, and Social Security Numbers. After asking for an “undisclosed amount in XMR cryptocurrency” in exchange for the data, the threat actor added that the database has already been sold to at least one other buyer. On Wednesday, Adam Hudson, Public Information Officer for the DC Health Benefit Exchange Authority, confirmed that some of the stolen DC Health Link data had been published online, and the next day House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries stated in a letter to the head of the DC Health Benefit Exchange Authority that the FBI had purchased some of the data posted for sale, presumably to authenticate and analyze it as part of the bureau’s investigation.
Alexander Heid, Chief Researcher at SecurityScorecard, wrote with some notes on attribution:
"Compromised records for DC Health Link are confirmed as being publicly available on the hacking forum known as 'Breached.' The forum post made sample data available, and attributed the breach to a hacker known as TheKilob, a former forum participant who has since been banned from the community for breaking forum rules. However, the release of the DC Health Link hack indicates that TheKilob is still active, and maintains communication with other Breached forum members.
"The records contained in the data are useful for fraudsters interested in carrying out identity theft or insurance fraud, and can be leveraged for pretexting credibility for a social engineering campaign. While the scale of the breach is small, the impact is significant because much of the data consists of politicians and their staff in the Washington DC area. While the OPM breach of 2015 was much larger, the data is not widely circulated on public hacking forums. The OPM breach is most likely to be used by APT groups for espionage and traded within private groups; the DC Health Link breach will be used by everyone within the criminal underworld and will be widely circulated.
"While DC Health Link has not disclosed the attack vector, a hypothesis can likely be deduced based on TheKilob's modus operandi in previous attributed cyberattacks."
Thomas Richards, Principal Security Consultant for Synopsys Software Integrity Group, wrote to point out that the breach went undetected until the stolen data were offered for sale:
“The most concerning issue with this breach was that it was undetected until the data was for sale. This, unfortunately, points to a failure in both the prevention and detection of such attacks. The sensitivity and types of data breached should trigger a thorough review of the DC Health Link cybersecurity policies and procedures. Without knowing the root cause of the breach, it is difficult to offer specific remediation guidance to prevent such attacks. In a situation like this, the affected systems need to be forensically examined to determine the scope of the breach and to prevent any further data leakage. The attackers could still have access inside the DC Health Link network, so any anomalous network connections or activity needs to be reviewed.
"The entirety of DC Health Link’s external network should undergo a penetration test to identify any areas of risk. Additionally, any public web applications and APIs should also undergo application penetration testing. Based on breach reports in the past, social engineering is one of the most common methods of compromise. DC Health Link should perform regular phishing simulation tests against their employees and conduct regular security awareness training.
"Finally, DC Health Link’s internal security monitoring systems should be reviewed for any event logs and if systems were not covered by these tools they should be configured with them.”
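Richards' point that the breach went unnoticed until the data was for sale comes down to whether outbound activity is ever compared against a baseline. The script below is an added example, not code from the article or from any of the organizations it mentions: it builds a per-host baseline of external transfer volume and known destinations from a set of constructed firewall log lines, then reviews a later day's lines and flags destinations never seen before and hosts whose daily outbound volume is far above their own average. The log format, hostnames, IP addresses (TEST-NET ranges) and byte counts are all constructed for the example; the ten-fold threshold is an assumption a real deployment would tune.

```python
"""Baseline-based review of outbound connections over constructed firewall logs.

Added example (not from the original article). Fields per line, constructed:
timestamp, source IP, destination IP, destination port, bytes sent.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline period: two ordinary days of small uploads to two SaaS hosts.
BASELINE_LOGS = """\
2023-03-01T09:12:01 10.1.4.22 198.51.100.30 443 18400
2023-03-01T09:15:44 10.1.4.22 198.51.100.30 443 22100
2023-03-01T10:02:10 10.1.4.23 198.51.100.31 443 9100
2023-03-02T09:30:00 10.1.4.22 198.51.100.30 443 20500
2023-03-02T11:47:19 10.1.4.23 198.51.100.31 443 8800
"""

# Constructed review day: one host sends ~1 GB overnight to a never-seen address.
REVIEW_LOGS = """\
2023-03-08T02:14:05 10.1.4.22 203.0.113.5 443 480000000
2023-03-08T02:31:12 10.1.4.22 203.0.113.5 443 512000000
2023-03-08T09:10:33 10.1.4.23 198.51.100.31 443 9400
2023-03-08T09:20:10 10.1.4.22 10.1.9.40 445 3000000
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse(lines):
    """Yield one dict per non-empty log line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
               "port": int(port), "bytes": int(nbytes)}


def is_external(ip):
    """True when the destination lies outside the private address ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(lines):
    """Per source host: average external bytes per active day, and destinations seen."""
    total_bytes, active_days, known_dsts = defaultdict(int), defaultdict(set), defaultdict(set)
    for rec in parse(lines):
        if not is_external(rec["dst"]):
            continue
        total_bytes[rec["src"]] += rec["bytes"]
        active_days[rec["src"]].add(rec["ts"].date())
        known_dsts[rec["src"]].add(rec["dst"])
    daily_avg = {h: total_bytes[h] / len(active_days[h]) for h in total_bytes}
    return daily_avg, known_dsts


def review(baseline, lines, volume_factor=10):
    """Return findings: new external destinations and daily volume spikes per host."""
    daily_avg, known_dsts = baseline
    findings, seen_pairs, daily_bytes = [], set(), defaultdict(int)
    for rec in parse(lines):
        if not is_external(rec["dst"]):
            continue  # lateral traffic is a separate question; only egress is reviewed here
        pair = (rec["src"], rec["dst"])
        if rec["dst"] not in known_dsts.get(rec["src"], set()) and pair not in seen_pairs:
            seen_pairs.add(pair)
            findings.append(("new-destination", rec["src"], rec["dst"], rec["ts"].isoformat()))
        daily_bytes[(rec["src"], rec["ts"].date())] += rec["bytes"]
    for (src, day), total in daily_bytes.items():
        avg = daily_avg.get(src)
        if avg and total > volume_factor * avg:
            findings.append(("volume-spike", src, str(day),
                             f"{total} bytes vs baseline {avg:.0f}/day"))
    return findings


if __name__ == "__main__":
    for finding in review(build_baseline(BASELINE_LOGS), REVIEW_LOGS):
        print(finding)
```

The review is deliberately per host rather than against a global threshold: a file server's normal day would swamp a workstation's spike if all hosts shared one average. Internal-to-internal traffic is skipped here only to keep the example focused on egress.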
Rehan Jalil, President & CEO of Securiti, notes a familiar lesson: data are precious, and should be protected accordingly:
"While details are still emerging about this significant data breach, this incident underscores the risks that come along with housing mass amounts of sensitive data and how important it is to ensure that data is properly secured, especially when it comes to that of officials affiliated with critical infrastructure. Personally Identifiable Information (PII) from health insurers, especially information associated with government officials, is a highly desirable target for cybercriminals who aim to leverage it for financial gain due to the high-profile nature of those affected. It goes without saying that breaches like this pose a significant threat to the safety and security of government officials.
"To mitigate the risk of a data breach, organizations must take strong proactive and reactive security measures. These include regularly monitoring all of their data to gain real-time insights into what sensitive data they hold, reducing security vulnerabilities of underlying data systems, and governing data activity to prevent unauthorized access. By implementing a strong data security posture management discipline, organizations can anticipate threats they face and deploy appropriate security and privacy countermeasures. But nobody can completely eliminate the risk of a security breach, and in this case, it is great to see the accelerated victim notifications. By identifying specific individuals whose data has been exposed, organizations can provide them with transparency into exposure risk and recommend safety measures to limit harm to impacted customers."
ForgeRock CEO Fran Rosch wrote, “Healthcare continues to be the biggest target of data breaches, and this incident with DC Health Link is just the latest example of how valuable personal identifiable data is for malicious actors on the dark web. Healthcare represented 70% of all records breached by ransomware attacks in 2021, which isn’t surprising given the nature of valuable information, such as Social Security Numbers, dates of birth, medical history and prescription data, in possession. Access to this poorly protected data, combined with other personal health information and medical history, enables cybercriminals to perpetrate harmful activities including insurance fraud."
He added, "Vigilance and change are necessary to enhance healthcare IT security. Implementing a Zero Trust approach - where all implicit trust is removed and access is evaluated dynamically and continuously - is critical to reduce the risk of data breaches. Additionally, as artificial intelligence (AI) adoption skyrockets, organizations must take advantage of the technology to strengthen security. This includes the implementation of AI-based access management and passwordless authentication, such as biometrics and passkeys, as traditional passwords and usernames have been rendered ineffective when protecting such valuable information."
Stuart Wells, CTO of Jumio, commented on the importance of sound security practices in the healthcare sector:
“The DC Health Link data breach underlines how important it is for healthcare organizations to implement rigorous security controls. With personally identifiable information (PII), such as Social Security numbers, phone numbers, dates of birth and physical addresses stolen during the attack, U.S. House of Representative members, their staff and their families find themselves at risk of insurance fraud, identity theft and account takeover attacks. The stolen information is already being sold online, causing further complications for the victims.
"Because the healthcare sector remains a lucrative target for cybercriminals, it’s critical that these institutions have the appropriate security measures in place. For instance, biometric authentication (using a person’s unique human traits to verify identity), liveness detection and anti-spoofing technology can help healthcare organizations ensure data is only accessed by authorized users, keeping data protected and out of fraudsters’ hands.”
Austin Berglas, BlueVoyant's Global Head of Professional Services, also commented on how attractive such data are to attackers. The stolen information has long-term value:
“The recent data breach of DC Health Link, affecting numerous U.S. House members and staff, highlights that data such as protected health information (PHI) and social security numbers are constantly targeted by cyber criminals. PHI is so valuable because it maintains long term value as opposed to other types of information that is commonly stolen. For example, stolen financial information such as credit cards are only valuable for a limited time — once a financial institution or victim realizes that the financial data has been stolen, they can cancel the card and the risk of further monetary loss ends. At a minimum, PHI contains data such as social security numbers, addresses, dates of birth, plan information, and telephone numbers. As PHI can be used to make fake medical claims, open up new accounts, purchase prescriptions, and receive treatment, healthcare records are among the most valuable in dark web forums and marketplaces. In addition, some of the data contained in health records (name, date of birth, address, social security numbers) can provide a good start for cyber criminals to steal a person's identity and perform significant financial fraud.
"Although many people have had information stolen in these types of data breaches, it is important to take a few proactive steps to help reduce the impact. Placing a hold or 'freeze' on your credit can prevent unauthorized persons from using your social security number to open new accounts, make purchases, or establish new lines of credit. In addition, make sure to check your credit report to identify new accounts and consistently check financial accounts for unauthorized expenses or purchases.”
More on the LVHN ransomware attack.
As we previously noted, the BlackCat ransomware gang reached new lows by publishing images of cancer patients stolen during a February cyberattack on Lehigh Valley Health Network (LVHN), a healthcare system located in the US state of Pennsylvania. The HIPAA Journal notes that this is likely the first time that nude images of hospital patients have been released on the dark web as part of a ransomware attack. Brian A. Nester, LVHN President and CEO, confirmed that the attack targeted a network supporting a physician practice in Lackawanna County, and the compromised data included clinically appropriate patient images for radiation oncology treatment, as well as other sensitive patient information. When LVHN refused to meet the cybercriminals’ ransom demands, BlackCat began leaking the stolen data on its leak site in an effort to pressure LVHN into paying. Nester stated, “Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident.” It’s worth noting that as more ransomware victims have (quite rightly) refused to pay, ransomware gangs have become increasingly aggressive in their tactics. According to Coveware, in Q4 2022 just 37% of ransomware victims chose to meet ransom demands, compared to 76% of victims in 2019.
AT&T customer data exposed in vendor breach.
The data of approximately 9 million AT&T customers have been exposed after a January breach impacting the company’s marketing vendor. The global telecom giant told BleepingComputer, "Customer Proprietary Network Information [CPNI] from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan.” The compromised CPNI includes first names, wireless account numbers, wireless phone numbers, and email addresses. The company added that for a small percentage of victims the rate plan and payment info were also exposed, but that the compromised data was several years old. AT&T noted, “The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers." Federal law enforcement has also been notified of the breach, as required by the Federal Communications Commission. To reduce future exposure risk, customers have been advised to turn off CPNI data sharing on their accounts.
Neil Begley, Senior Vice President for Moody’s Investors Service, commented on the business implications of the incident. “AT&T’s announced cybersecurity breach is credit negative, as it could adversely impact customer behavior, cause churn to spike, and/or attract the scrutiny of the FCC and other regulators,” he wrote. “Cyber incidents in the telecoms industry appear to be rising, raising questions about the industry’s cyber risk governance and defenses, as well as the overall exposure profile. The AT&T breach, stemming from a hack against a marketing vendor, further highlights the multitude of exposure lanes for cyberattacks.”
Telehealth start-up says it may have overshared.
TechCrunch reports that the telehealth startup Cerebral has disclosed collecting and sharing information "that may be regulated as protected health information ('PHI') under HIPAA." The data were collected and shared in the course of Cerebral's use of tracking technology as patients interacted with its site. What information may have been disclosed varies with the individuals involved, but Cerebral outlines three general cases:
"If an individual created a Cerebral account, the information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information.
"If, in addition to creating a Cerebral account, an individual also completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information.
"If, in addition to creating a Cerebral account and completing Cerebral’s online mental health self-assessment, an individual also purchased a subscription plan from Cerebral, the information disclosed may also have included subscription plan type, appointment dates and other booking information, treatment, and other clinical information, health insurance/ pharmacy benefit information (for example, plan name and group/ member numbers), and insurance co-pay amount."
It appears that in effect users were treated as having opted in to having their data collected and shared, which technically they may have, since words to that effect were embedded in the service's terms of use and privacy policy statement. Few users, of course, are likely to read those. Two industry experts contacted us about the incident, which they doubt is much of an outlier.
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, sees startups as generally not placing a priority on privacy. "Tech firms over the last few years have been exposed as sharing data with other companies and the government when they absolutely should not have been doing so," Hauk wrote. "Unfortunately, privacy is not a cornerstone of today's tech startups. It is especially disappointing when we find that a telehealth startup is sharing personal medical information." Hauk went on to add, "Unfortunately, customer data is the currency used on the internet these days, and companies like Cerebral are compromising our privacy, security, and safety. We've seen exposure of data sharing that, along with what seems like daily data breaches, puts us all at risk."
Paul Bischoff, Consumer Privacy Advocate at Comparitech, thinks the disclosure's arrival on the heels of a competitor's FTC settlement may be preemptive damage control. "Cerebral's disclosure comes on the heels of the FTC settling with BetterHelp, a Cerebral competitor, for $7.8 million over similar data misuse, and I have to wonder if the timing is a coincidence," he wrote. "Why did Cerebral, which has been collecting and sharing user data since it started in 2019, choose now to disclose that it was doing so? I think this is damage control, and Cerebral is scrambling to comply with regulations to avoid a similar fine. Fortunately, that means the BetterHelp settlement is having the desired effect and forcing other telehealth providers to safeguard user data."
(Added, 1:00 PM ET, March 13th, 2023. Michael Lyborg, CISO at Swimlane, wrote about the Cerebral data exposure incident. The kind of information in the patient assessments seems unusually sensitive:
"Mental Health startup Cerebral is currently under fire for exposing the personal information of as many as three million patients. A company statement and Department of Health and Human Services filing reported that some of the leaked information may even include details on mental health treatment. A review of the online assessments found that the information in question may also include questions on patients’ alcohol abuse, personality disorders and panic attacks.
"Healthcare-related organizations are some of the most sought-after institutions when it comes to threat actors looking to extort data due to the degree of sensitivity of the stored information. These companies must do everything in their power to protect the privacy of these vulnerable patients—especially when it comes to details on mental health. To prevent a situation like this from happening in the future, organizations like Cerebral must prioritize their cybersecurity posture to deter bad actors. Efforts should include leveraging a low-code security automation platform that can orchestrate incident response and breach reporting processes to improve the security team’s ability to protect patient data. Additionally, these platforms allow the centralization of detection, response and investigation efforts into a single program to ensure full visibility into IT environments.")