At a glance.
- LA housing agency hit by LockBit ransomware attack.
- Class action lawsuit filed in connection with LVHN data breach.
- Update on DC Health Link data breach.
LA housing agency hit by LockBit ransomware attack.
The Housing Authority of the City of Los Angeles (HACLA), a state-chartered agency providing affordable housing and job training to low-income residents in the California city, suffered a data breach after an attack carried out by the LockBit ransomware gang. SC Media explains that the encryption of HACLA’s computer systems was first detected on December 31, 2022, and the subsequent investigation revealed that intruders had had access to the systems for nearly a year. The potentially compromised data offer a trove of private information including HACLA members' full names, birthdates, Social Security numbers, driver's licenses, passport numbers, medical details, and financial account numbers. LockBit posted samples of the stolen data on December 31 and followed through on their threat to leak the full files by the end of January. However, the download link is no longer functional. As Bleeping Computer notes, LockBit is one of the most infamous ransomware-as-a-service operations around.
Etay Maor, Senior Director of Security Strategy at Cato Networks, wrote to offer observations about the LockBit gang:
“LockBit are a very well-known ransomware group which appeared on the scene in early 2022. The group is likely a continuation of the Conti ransomware group, Russian in origin, with a very high profile. They have targeted many organizations across multiple countries (excluding Russia of course) and maintain a high level of OPSEC (Operational Security) while also engaging in RaaS (Ransomware as a Service).
“In many cases ransomware groups obtain credentials or third-party credentials onto the network they want to target. Simply put, they don’t hack the networks, they log in!
“These types of credentials can be obtained in multiple ways: they can be bought in criminal forums, they can be found in databases of breaches that were already published, they can be phished, they can be collected via malware infection, they can be social engineered, they can be obtained by an insider.
“Organizations today try to prevent attacks by buying more and more point solutions. Small to medium organizations have roughly 20-40 security products while large organizations have over 60. What these organizations end up with are endless integration projects, patching issues, management complexity, alert fatigue and more.
“Organizations need to understand that an attack such as a ransomware attack should be viewed and dealt with holistically. Trying to deal with these threats using on-prem point solutions is futile. The right approach is applying a multiple choke points approach across the entire attack path using a system that incorporates all the security products under one roof, allowing these solutions to enrich and share data. Such an architecture comes in the form of a single pass cloud-based solution (such as a SASE architecture), rather than the multiple pass, fragmented, on-prem approach we still see today.”
Rebecca Moody, Head of Data Research at Comparitech, notes some of the inflationary pressures driving up the ransom demands. “We are seeing an increasing number of organizations being threatened with the publication of data stolen by ransomware groups. As more companies try to avoid paying ransoms, hackers appear to be upping the ante with their threats to publish data, which is sometimes incredibly sensitive in nature,” she wrote. Whether those demands are actually met, of course, is another matter. “While businesses should be applauded for not giving in to the extortion tactics made by hackers, the growing amount of data being published by hackers is of great concern. Not only does it put people at risk of identity theft but, as we have seen in the recent case against Lehigh Valley Health Network where naked images of patients were uploaded, hackers will seemingly stop at nothing to try and secure their ransom demands. How organizations limit the damage caused by the publication of data, e.g. with substantial identity theft protection and in-depth advice for consumers, is crucial.” She concluded, “So far this year we have recorded 47 publicly confirmed ransomware attacks against U.S. organizations. This has affected more than 1.1 million records with the average ransom demand being $4.2 million.”
Chris Hauk, consumer privacy champion at Pixel Privacy, observes that the data amount to a data breach jackpot. “The ransomware group LockBit scored quite the data bonanza with its breach of HACLA,” Hauk said. “As customer data is included in the breach (including names, Social Security numbers, driver's license or ID numbers, credit card info, and much more), HACLA clients will want to stay alert for phishing emails, calls, and texts, which will attempt to use the information that has already been gleaned, to gain more information or to cheat targeted victims from monetary funds or additional credit card or banking info.”
Class action lawsuit filed in connection with LVHN data breach.
As we previously noted, the Lehigh Valley Health Network (LVHN), a healthcare system located in the US state of Pennsylvania, was recently hit with a BlackCat ransomware attack, and the cybercriminal gang followed up by publishing stolen photos of cancer patients on the dark web. Yahoo News reports that a proposed class action lawsuit has been filed over the breach, and the plaintiffs allege that LVHN failed to sufficiently secure patient data, despite knowledge that national hospital systems are being targeted by hackers. Philadelphia attorney Patrick Howard states in the suit, “While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims. Rather than act in their patients' best interest, LVHN put its own financial considerations first.” The lead plaintiff, a female victim of the attack who has chosen to remain anonymous, says she was not aware that her photo had been taken or that it would be stored on LVHN’s servers. The suit seeks damages on five counts, including negligence and breach of contract and privacy.
Update on DC Health Link data breach.
We’ve been covering last week’s data breach of DC Health Link, the District of Columbia’s online health insurance marketplace, which exposed the personal data of Congress members, staffers, and their families. As Courthouse News Service notes, DC Health Link has confirmed that over 56,000 people were impacted, and approximately 11,000 of those are members of Congress, congressional employees, or relatives. The House Administration Committee chair Bryan Steil released a statement Tuesday saying, “Immediately after learning of the breach, congressional leadership responded with a strong, nonpartisan response to ensure accountability and security.” He went on to say that Congress is working with the Office of the Chief Administrative Officer, US Capitol Police, and House Sergeant at Arms to investigate the full scope of the breach, but it could be weeks before any conclusions are reached. “I'm committed to protecting this institution,” Steil said. “Moving forward, the Committee on House Administration will take action to hold bad actors accountable and avoid this occurring again in the future.”