At a glance.
- Update on the DC Health Link breach.
- Marketing or surveillance?
- UNC accidentally exposes employee tax data.
Update on the DC Health Link breach.
As we discussed last week, the personal data of members and staff of the US House of Representatives were exposed in a breach impacting DC Health Link, the health insurance marketplace for the District of Columbia. It was initially unclear how many individuals were compromised in the incident, but on Friday the DC Health Benefit Exchange Authority revealed the number of victims is upwards of 56,000, the New York Times reports. It’s unclear how many of the impacted individuals are members of Congress, but DC Health Link serves about 11,000 members of Congress and their staff members. CBS58 reports that CNN obtained an email from the Senate sergeant-at-arms detailing what data were stolen, and it's worse than initially thought. Senate members as well as staff were impacted, and the compromised data include names, Social Security numbers, dates of birth, health plan information and other personal information like home addresses, phone numbers, email addresses, ethnicity and citizenship status. WTOP News notes that DC Health Link released an official statement to members on Friday, stating that a third-party investigation would be conducted and that it is working with law enforcement and the Federal Bureau of Investigation. The statement continues, “We recognize the seriousness of this incident and we have reached out to impacted enrollees to provide three years of free identity and credit monitoring for all three major credit bureaus.” Axios adds that a hacker who goes by the handle “Denfur” is selling a database he claims is connected to the breach, and he’s posted it on what Check Point Research calls the "biggest English-speaking dark web hacking forum." The price tag is just a few dollars, and Denfur expressed his political leanings by signing off his post with "Glory to Russia!"
Sergey Shykevich, threat intelligence manager at Check Point Research, stated, "Such precious information will have high demand in the dark web and, in the wrong hands, can lead to significant downstream consequences."
Marketing or surveillance?
Chinese clothing retailer SHEIN is facing repercussions for a 2018 data breach. Letitia James, Attorney General of the State of New York, alleges that the fast fashion seller’s then-parent company Zoetop failed to detect the breach due to weak security measures, and that the company was dishonest in its handling of the incident. James stated, “[P]ersonal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and [sister brand] ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft.” A 2022 New York court judgment led to a relatively modest $1.9 million fine. Now, Naked Security reports, researchers at Microsoft have published a retrospective analysis of version 7.9.2 of SHEIN’s Android app from early 2022, and it reveals that SHEIN added code to the app that essentially turned it into a marketing spyware tool. By surreptitiously collecting price and URL data from users’ clipboards, it was gathering info on users’ shopping activities. The app has been updated several times since then, and Google responded by strengthening Android’s clipboard handling code, but the revelation demonstrates that Google Play apps, even those that are vetted and approved, could use dubious marketing tactics to collect user data.
UNC accidentally exposes employee tax data.
University of North Carolina (UNC) at Chapel Hill has disclosed that it inadvertently exposed sensitive employee data in January when administrators accidentally sent approximately twelve hundred 1099 tax forms to the wrong recipients. According to the US school, multiple forms were accidentally put into individual mailing envelopes, meaning that some recipients, in addition to receiving the correct form, also received forms intended for other employees. UNC media relations told the News & Observer that notification letters were sent to the potentially impacted individuals and entities on February 28, about a month after the university detected the mistake. So far, no abuse of the exposed data has been discovered, and the school says it has “implemented updated processes, technical improvements, and employee training to help prevent something like this from happening again.”