At a glance.
- RFI seeking info on data brokerage firms.
- ILS suffers largest medical data breach of 2023.
- Latitude Group Holdings cyberattack exposes sensitive loan data.
Consumer Financial Protection Bureau (CFPB) seeks info on data brokerage firms.
The Consumer Financial Protection Bureau (CFPB) has issued a Request for Information (RFI) in an effort to learn more about data brokers and how they track and gather information on consumers. The goal is to paint a clearer picture of how the data brokerage industry operates and whether various brokers follow similar policies. CFPB Director Rohit Chopra explains, “Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data. Our inquiry will inform whether rules under the Fair Credit Reporting Act [FCRA] reflect these market realities.” Passed by Congress in order to address worries that data brokers were creating detailed consumer profiles used to inform employment and credit decisions, the FCRA is intended to protect consumers by establishing accuracy standards and restrictions on data handling. The CFPB’s RFI will be published in the Federal Register and public comments will be due by June 13.
ILS suffers largest medical data breach of 2023.
American healthcare solutions provider Independent Living Systems (ILS) has disclosed a data breach that compromised the personal data of over 4.2 million individuals, making the incident the largest healthcare breach so far this year. The company, based in the US state of Florida, first detected a network intrusion on July 5, 2022. The subsequent investigation revealed that the intruders had access to ILS systems between June 30 and July 5, 2022, Bleeping Computer reports. The exposed data included patient names, Social Security numbers, taxpayer identification numbers, medical information, and health insurance details. Gov Info Security notes that ILS, which provides clinical and third-party administrative services to managed care organizations serving elderly and disabled patients, described the breach as "involving the inaccessibility of computer systems." This phrase could indicate the involvement of ransomware, but this has not been confirmed.
On September 2, 2022, ILS initially reported that the incident had impacted just over five hundred individuals, but further investigation revealed the breach was much larger than that initial estimate. The company posted an update on its site this week stating, "Now that our review and validation efforts are complete, we are notifying potentially affected individuals via posting this supplemental notice on our website, providing notice to the media, and mailing letters to potentially affected individuals for whom ILS has address information." Tom Walsh, president of privacy and security consulting firm twSecurity, says the incident illustrates the challenges of breach reporting. "Data breaches are time-consuming to investigate," he explains, especially when a breach is this large in scale. "The more patients that may have been affected by a data breach, the longer it takes to determine a list of names and contact information of those that were affected," he adds.
Brian Higgins, Security Specialist at Comparitech, sees a gap in US consumer protection:
"Aside from laying such a vast number of people open to identity theft, phishing emails and all the other vulnerabilities that cyber criminals will immediately exploit once an attack is made public, this incident highlights the incredibly slow progress the U.S. are making in consumer protection. Most first-world jurisdictions have regulations and legislation in place which force organizations and businesses to report data breaches in a very swift timeframe, sometimes within days of discovery, thus allowing time for victim organizations to offer remedial advice and resources to their affected clients and supply chain. The fact that this critical personal information has been in the wild for so long before ILS decided they should report it to their customers makes their offer of free identity protection a bit of a waste of time."
Paul Bischoff, Consumer Privacy Advocate, also with Comparitech, was struck by the amount of time it took for the breach to come to light. "This is a huge and severe data breach that took far too long to come to light," Bischoff wrote. "The breach affects a large number of people and leaked highly sensitive information that could be used for identity theft and health benefits fraud. It's been nearly a year since the breach took place, so it's likely that some damage has already been done. ILS is offering free identity protection services, but that's too little, too late for victims. I don't blame organizations when they get hacked, but waiting nine months to tell victims about a breach of their sensitive private information is unacceptable."
Dror Liwer, co-founder of cybersecurity company Coro, notes the vulnerability of smaller organizations. "Smaller organizations such as ILS are just as susceptible, if not more so, to cyberattacks. Attackers know smaller organizations have limited resources including weaker cybersecurity defenses making them an easy target for exploitation," Liwer said. "A 200-employee organization, for example, can be challenged with managing the multiple tools needed for full protection. As a result, they should take a holistic approach that removes this burden, but provides the full support they need to secure their organization from attacks. Implementing this type of program will help protect smaller organizations especially those that store such sensitive, sought-after information."
(Added, 10:15 PM, ET, March 16th, 2023. Stephan Chenette, Co-Founder and CTO at AttackIQ, wrote to point out that third parties supplying services to care providers are as vulnerable to theft of PHI as are the healthcare providers themselves.
"Another healthcare provider has been a target of threat actors looking to sell protected health information (PHI) on the dark web. Just last week, The Hospital Clinic de Barcelona was hit with a ransomware attack that forced the hospital to operate at a limited capacity.
"It is unknown if the attack on Independent Living Systems, a third-party company that provides administrative services, was ransomware, but information including names, addresses, and social security numbers of over 4 million people was accessed during the attack.
"To prevent similar attacks, healthcare organizations, as well as any third-party companies utilized, must study the common tactics, techniques, and procedures used by common threat actors, which will help them build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors. Additionally, organizations should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to better prepare for the next threat."
We also heard from Jocelyn Houle, Senior Director, Data Governance, at Securiti:
"Just one week after the Zoll Medical data breach that exposed the sensitive information of more than 1 million individuals, threat actors have accessed the sensitive healthcare data of over 4 million people by hacking the networks of Independent Living Systems (ILS). The series of data breaches against healthcare organizations come as no surprise, but what is surprising is that week after week more organizations fall prey to the same type of attacks."
"These data breaches against healthcare organizations highlight the increasing need to make data management, privacy and security a top priority to ensure patients’ private information remains private. AI & ML techniques to automate data management processes are becoming an essential step to mitigating the risk of the exposure of personal health information (PHI). Automating policies by locating, protecting, and managing PHI reduces the risks of a breach, and coupled with controls such as least privilege access and techniques such as data masking, organizations can minimize exposure and damage in case of an attack. Implementing a privacy management software also helps by providing cross-system visibility to identify insider threats and prevent threat actors from accessing healthcare organizations’ networks.")
Latitude Group Holdings cyberattack exposes sensitive loan data.
After a (very) brief respite from major cyberattacks, Australia has been hit with yet another high-profile hack. Digital payments firm Latitude Group Holdings announced today that the personal data of approximately 328,000 customers were stolen in what "appears to be a sophisticated and malicious cyber attack," Reuters reports. The compromised data include 103,000 identity documents from one service provider (97% of which are copies of drivers' licenses) and 225,000 customer records from a second provider. "While Latitude took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated," the company stated. Latitude supports customer loan and credit programs for several major retailers, and University of New South Wales cybersecurity expert Richard Buckland told ABC News that the breach was "very concerning" given the sensitive nature of the data customers must divulge during the loan process. "It's precisely the information an attacker needs to take out a loan in your name: the information you use to take out a loan in your name," Buckland said. Cyber Security and Home Affairs minister Clare O'Neil tweeted, "Latitude Financial is cooperating with the [Australian Cyber Security Centre] to support incident response and receive ongoing technical advice."
The Guardian notes that University of Wollongong's Professor Alex Frino released research last month showing that many Australian companies have neglected to alert shareholders after facing serious cyberattacks. Frino found that eleven of the thirty-six cyberattacks against listed companies reported by media during a ten-year period were not initially reported to the public. Australia has had a mandatory data breach notification scheme in place for four years, but of the 853 notifications received over the last fiscal year, the majority were never publicized. Share trading in Latitude has been temporarily suspended, and the company issued a statement saying, "Latitude apologises to the impacted customers and is taking immediate steps to contact them… Latitude is continuing to respond to this attack and is doing everything in its power to contain the incident and prevent the theft of further customer data, including isolating and removing access to some customer-facing and internal systems."