At a glance.
- Here's hoping KFC's secret recipe wasn't stolen.
- Three recent US medical data breaches.
Here’s hoping KFC’s secret recipe wasn’t stolen.
It's a bad day for fast food aficionados. Yum! Brands, the appropriately named parent company of popular fast food spots KFC, Pizza Hut, and Taco Bell, has disclosed that personal employee data were exfiltrated in a January 13 ransomware attack. Although the attack forced Yum! Brands to close around three hundred of its UK restaurants, the company initially reported that there was no evidence the hackers had stolen any customer data. Further investigation apparently proved otherwise, at least with respect to employee data. While the exact number of victims has not been disclosed, Yum! Brands has sent notification letters to impacted individuals explaining that the compromised data include names, driver's license numbers, and other ID card numbers. A company spokesperson told BleepingComputer that there was still no evidence that customer data were exposed. "In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cybersecurity incident," the spokesperson stated. "We are in the process of sending individual notifications and are offering complimentary monitoring and protection services. We have no indication that customer information was impacted."
(Added, 11:00 PM ET, April 11th, 2023. Darren Williams, CEO and Founder of BlackFog, wrote to comment on the complexity of accounting for the costs of a ransomware attack. "This attack highlights not only the direct costs of a ransomware attack but also the flow-on effects such as remediation, reporting and exposure to class action lawsuits," Williams wrote. "The additional regulatory reporting requirement for PII raises additional concerns and raises questions about the extent of the data exfiltration that has taken place. There is no question that this information will be sold on underground trading networks on the Dark Web such as Industrial Spy as we have seen in the past. It often takes companies several months to realize the extent of an attack, because it's difficult to know where to look. The lack of data exfiltration detection means most companies don't really know, as we saw in the example from Ferrari, where it took several months before they finally admitted that data was stolen."
We also heard from Jon Miller, CEO & Co-founder of Halcyon, who argues that ransomware should be understood in the first place as a data exfiltration attack problem:
"Given how common it is for ransomware attacks to include the exfiltration of sensitive data, we should start talking about this issue as a data exfiltration attack problem that includes the delivery of a ransomware payload, instead of the other way around. While it may be a painful process to mitigate the impact of a ransomware attack, if the organization made the effort to build in resilience to its incident response plans, it will recover. There is no recovery from data exfiltration - once the attackers have your data, it is beyond your control what happens to it.
"It's not surprising that Yum! is just now notifying customers that their data was exposed in a ransomware operation that was first discovered months ago. Incident response and forensic examinations are complicated and take a considerable amount of time to complete. Most companies, especially those that are public and/or are in highly regulated industries, typically try to be as transparent as they can be, but it takes time to understand how a complex attack took place and exactly what assets were impacted.
"One would think - given how ransomware attacks are designed to reveal themselves to the victim, unlike other attacks - that disclosure of the details would come swiftly. That's not necessarily the case with these attacks that not only deliver ransomware but are also stealthy data exfiltration operations. Up to the point the ransomware payload is delivered, there is little difference between these cybercriminal ransomware operations and corporate or government espionage attacks. These are complex, multi-stage operations often involving multiple threat actors.
"Their goal, like that of their espionage-focused counterparts, is to be as quiet as possible while infiltrating as much of the targeted network and exfiltrating as much sensitive data as they can, and then leveraging it for a bigger ransom demand. In most respects, the only difference between a corporate espionage operation and a ransomware attack is that in the latter the attackers plan on revealing the attack to the victim in time."
Javvad Malik, Lead Awareness Advocate at KnowBe4, thinks the data at risk is personal data, not secret recipes. "When one thinks of the major brands under the Yum! group, one would be quick to assume that the Colonel's 11 secret herbs and spices were the most priceless info these companies held," he said. "However, it's not just the finger-lickin' recipes which criminals are after; any personal data which organizations collect which belongs to employees or customers can be easily monetized and turned around by criminals. People whose data was breached should be extra mindful of any emails claiming to originate from any of these brands, particularly ones offering mouth-watering irresistible deals, because there is a high likelihood these could be scams.")
(Added, 3:00 PM ET, April 12th, 2023. Roy Akerman, Co-Founder & CEO of Rezonate, sees the incident as an argument for careful use of a least privilege approach. "We repeatedly realize the criticality of a proactive practice to remove excessive access to critical systems holding PII data while at the same time the need to continuously monitor for any abnormal attempt to compromise systems," he wrote. "Data compromised in a leak may lead to follow-up incidents and further compromise identities.")
Three recent US medical data breaches.
US hospital network CommonSpirit Health says data belonging to patients of 164 of its facilities were impacted in a ransomware attack that was reported last October. The HIPAA Journal recounts that CommonSpirit first confirmed in December that patient data had been exfiltrated in the attack, and the most recent update states that the data of patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne had been compromised. The healthcare network stated that the delay in determining the full scope of the breach was due to the time-consuming nature of the file review process. In December CommonSpirit reported that 623,774 individuals had been impacted by the breach, and that number has not yet been updated.
Community Health Systems (CHS), parent company of Tennova Healthcare, a US healthcare network based out of the state of Tennessee, has confirmed it experienced a data breach in January connected to the compromise of IT company Fortra's popular GoAnywhere file transfer tool. ClarksvilleNow.com reports that the compromised data include patient names, dates of birth, addresses, medical billing and insurance information, diagnoses, medications, and Social Security numbers. CHS spokeswoman Rebecca Pitt stated, "We understand several other companies were impacted by this security incident as well." Cl0p, the ransomware group that has taken credit for the GoAnywhere breach, claims over one hundred thirty companies have been impacted by the exploitation of vulnerabilities in the software.
The Money Message ransomware gang has added PharMerica Corporation, a national pharmacy headquartered in the US state of Kentucky, to its list of victims. Because PharMerica has not yet confirmed the attack, little is known about the incident beyond what the cybercriminals have claimed. According to databreaches.net, on April 8 Money Message posted on its leak site that it had attacked PharMerica on March 28. The post was accompanied by samples of the stolen data, which included patients' names, Social Security numbers, dates of birth, Medicaid and Medicare numbers, and health conditions. Databreaches.net has verified that several of the stolen Social Security numbers are valid, but PharMerica has yet to publicly acknowledge the breach. JDSupra speculates that the company is currently investigating the incident and will likely release a statement once the breach has been confirmed.