At a glance.
- French social security beneficiary data mistakenly exposed.
- BART suffers ransomware attack at the hands of Vice Society.
- A gentle reminder to schedule that colonoscopy.
French social security beneficiary data mistakenly exposed.
Just before 2022 came to a close, Radio France's news and investigation service discovered that the Gironde branch of the French social security agency, the Family Allowance Fund (CAF), inadvertently shared a file containing the sensitive personal information of around 10,000 beneficiaries with a service provider. As CSO Online explains, the service provider, which handles training for the CAF’s statisticians, says it did not ask for data on current benefit recipients, and that the Gironde CAF failed to specify that the data were real. Making matters worse, the service provider posted the data on its website back in March 2021 and forgot to remove it until last week. In other words, the data were accessible, unencrypted, to anyone visiting the site for approximately eighteen months. Individuals’ names and postal codes had been omitted from the file, but it did include beneficiaries’ addresses, dates of birth, household composition and income, and the amounts and types of benefits received.
Even without the beneficiary names, investigating journalists were able to identify most of the compromised individuals. Digital rights advocacy group La Quadrature du Net commented, “Thus CAF seems to ignore the basic principles of anonymizing personal data. Proper anonymization requires much more processing so that it is not possible to identify the individuals to whom the data is attached.” CAF was already being scrutinized by La Quadrature du Net for an algorithm used for a recipient rating system. It’s likely that French data protection agency CNIL will conduct an investigation as to whether the breach is a violation of the EU’s General Data Protection Regulation, and the CAF will also likely launch an internal investigation of the Gironde branch.
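To illustrate the anonymization point La Quadrature du Net is making, here is an added example (not code from the article, CAF or the advocacy group) that measures k-anonymity over constructed benefit rows keeping the same quasi-identifiers the leaked file kept, then shows how much extra generalisation it takes before no row stands alone.

```python
# Added example, not from the article or from CAF: a k-anonymity check on
# constructed "de-identified" benefit rows with the same quasi-identifiers the
# leaked file kept (address, date of birth, household composition, income).
from collections import Counter

# Constructed sample rows. Names and postal codes are already removed.
RECORDS = [
    {"address": "12 rue des Lilas", "dob": "1984-03-02", "household": "couple, 2 children", "income": 1850},
    {"address": "15 rue des Lilas", "dob": "1986-11-19", "household": "couple, 1 child", "income": 1720},
    {"address": "7 allee du Parc", "dob": "1990-07-30", "household": "single, 1 child", "income": 1210},
    {"address": "2 allee du Parc", "dob": "1993-01-15", "household": "single, no children", "income": 1340},
    {"address": "3 impasse Verte", "dob": "1979-05-08", "household": "single, 1 child", "income": 1230},
    {"address": "9 impasse Verte", "dob": "1971-12-24", "household": "single, no children", "income": 1010},
]
QUASI_IDENTIFIERS = ("address", "dob", "household", "income")

def _classes(records, columns):
    """Group rows by their quasi-identifier tuple (equivalence classes)."""
    return Counter(tuple(r[c] for c in columns) for r in records)

def k_anonymity(records, columns):
    """Smallest equivalence class; k == 1 means some row is unique on these columns."""
    return min(_classes(records, columns).values())

def unique_fraction(records, columns):
    """Share of rows that stand alone in their class, i.e. are directly singled out."""
    classes = _classes(records, columns)
    singles = sum(1 for r in records if classes[tuple(r[c] for c in columns)] == 1)
    return singles / len(records)

def generalise(record):
    """The extra processing the quoted critique alludes to: coarsen each quasi-identifier.
    Street without house number, birth decade, household type only, 500-unit income band."""
    return {
        "address": record["address"].split(" ", 1)[1],
        "dob": record["dob"][:3] + "0s",
        "household": record["household"].split(",")[0],
        "income": record["income"] // 500 * 500,
    }

if __name__ == "__main__":
    # Dropping names alone leaves every constructed row unique (k = 1, 100% singled out).
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "singled out:", unique_fraction(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalise(r) for r in RECORDS]
    # After generalisation every row shares its class with at least one other (k = 2).
    print("generalised k =", k_anonymity(coarse, QUASI_IDENTIFIERS),
          "singled out:", unique_fraction(coarse, QUASI_IDENTIFIERS))
```

k-anonymity is a floor on re-identification risk, not proof of anonymity: a release of real data would need a far larger k, plus checks on sensitive attributes within each class.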
BART suffers ransomware attack at the hands of Vice Society.
Ransomware group Vice Society has struck again, this time targeting the police department that serves the Bay Area Rapid Transit (BART), the largest public transportation system in the US state of California. Cybersecurity Dive reports that Vice Society listed BART on its leak site on Friday, leaking highly sensitive and personal data including files titled “master employee list,” “background disposition” reports, police reports, a “suspected child abuse report,” and a controlled substances examination report for heroin. Alicia Trost, BART’s chief communications officer, has stated, “We are investigating the data that has been posted…No BART services or internal business systems have been impacted. As with other government agencies, we are taking all necessary precautions to respond.” As Dark Reading explains, Emsisoft threat analyst Brett Callow discovered Vice Society had added BART to its leak site. “Attacks on police departments are among the most serious due to the sensitivity of the information they hold, and the potential consequences if that information is exposed,” Callow stated. “Lives could be put at risk, investigations compromised, evidence lost and prosecutions dropped.” BART has not disclosed the date of the breach or whether ransomware was involved, but as Yahoo News notes, the release of the data indicates that BART refused to meet Vice Society’s ransom demands.
Avishai Avivi, CISO at SafeBreach, wrote to point out that public organizations remain high-risk targets. “Unfortunately, public sector organizations tend to be at higher risk for a breach. The challenge of attracting cybersecurity talent, combined with constrained budgets, typically correlates with a lagging cybersecurity program. Public sector organizations are also less likely to have the option of paying the ransom that the malicious actors are demanding,” Avivi commented. “Sadly, as can be seen through the information already described, the malicious actors have very little regard for the true victims of this breach: the people whose information was stored in the compromised files. Public sector organizations must avail themselves of all of the free services provided by CISA, and follow the advisories they publish. No public sector organization can assume that they are not a target.”
Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, is disgusted but not surprised by the coarse greed of the cybercriminals. "This continues to show that many hackers have zero ethics and do not care about anything else other than money," he wrote. "But once a hacker has access to an environment, they can do anything. That's why it's more important than anything else to stop the breach before it happens. Decades of data show us that most hacking is successful due to social engineering. About 70% to 90% of hacking involves social engineering. No other single root cause comes close. But most organizations, and I assume BART, as well, don't take the threat of social engineering seriously enough. Even though social engineering is the majority reason why most organizations and people are hacked, most organizations spend less than 5% of their IT security budget to fight. As long as that fundamental misalignment exists hackers will continue to terrorize us with near impunity."
Added, 3:45 PM, 1.12.23.
Torsten George, Vice President, Corporate & Product Marketing at Absolute, wrote to describe the ways in which endpoints in the public sector can serve as targets:
“It is undeniable, U.S. public-sector organizations have been prime targets of ransomware attacks for years. Given the recent urgency following the attack on SF Transit Police, public-sector organizations must ensure they’re adequately prepared to proactively prevent and respond to these attacks before a system breach occurs.
“Endpoints are a common target for threat actors. Once they have compromised an end user device, hackers detect and disable endpoint security measures (e.g., anti-virus or anti-malware) to avoid detection. Next, they move laterally across the network to perform reconnaissance and identify IT schedules, additional security controls, etc. Subsequently, they disable security controls across endpoints and the corporate infrastructure before dropping their ransomware. To break this attack chain, organizations need to establish not only endpoint resilience by assuring that the installed security controls are always working as intended, but also strong network resilience. This is crucial to build on a platform of strong user verification as this is the most strategic means of preventing a breach of these systems. Zero Trust Network Access can also help in this context, as a means of verifying users on a case-by-case basis, to assess, identify and alert of any suspicious behavior. Upon assessing the contextual attributes, the ZTNA solution then dynamically offers the appropriate level of access at that specific time. As there is a constant change in the risk levels of users, devices, and applications, access decisions are made for each individual request.
“When teams are notified of potential threats in advance, they can freeze or shut down potentially compromised entities to stop threat actors in their tracks. When this action is taken, this prevents hackers from moving laterally across a network, where they could cause even further damage to confidential records.”
A gentle reminder to schedule that colonoscopy.
Becker's GI & Endoscopy reports that Captify Health, a US management services company that focuses on colonoscopy prep, has disclosed it suffered a data breach. The company has notified approximately 244,300 patients that their personal information may have been exposed in a malicious code incident impacting the company's colonoscopy prep retail site, Your Patient Advisor. According to a breach notification filed with the attorney general of the state of Maine, the incident occurred from May 26, 2019, to April 20, 2022. After Captify was alerted to fraudulent consumer credit card use linked to its payment card environment in March 2021, an investigation was launched. The breach was discovered in October and the company began notifying the impacted individuals on December 16. The potentially compromised data include full names, addresses, payment card numbers, expiration dates, and security codes.