At a glance.
- Hyundai falls victim to a data breach.
- Sensitive information stolen from school district systems.
- Data breach affects Medicaid members.
Hyundai falls victim to a data breach.
SecurityAffairs reported Tuesday that Hyundai suffered a data breach that compromised information for customers in France and Italy. It wrote that “Threat actors had access to the email addresses, physical addresses, telephone numbers, and vehicle chassis numbers of the impacted individuals.” Adding “Hyundai Italy has notified the privacy watchdog and hired external cybersecurity experts to determine the scope of the incident.”
This is the second security incident this year, SecurityAffairs reports, as Hyundai and Kia were forced to release an emergency software update to patch a vulnerability that allowed criminals to steal cars with a USB cable. DonutMedia exposed this problem explaining in a YouTube video that the USB cable was used for convenience as they fit almost perfectly on the ignition cylinder as used in this application. Kia has since offered financial compensation for anti-theft kits for select customers across the US.
(Added, 10:15 PM, ET, April 13th, 2023. Ted Miracco, CEO of Approov, sees a complicated supply chain as a large and tempting attack surface. “Automobile manufacturers rely on one of the most complex networks of suppliers, and any vulnerability in the supply chain can be exploited by cybercriminals to gain access to sensitive data," he wrote in an email. “As modern vehicles become increasingly electronic-based products, they are both more connected and more software-driven. These trends make all automotive companies much more vulnerable to cyberattacks, particularly those emanating from mobile apps or devices. Hyundai isn't alone in falling victim to the vulnerabilities in the software or systems used in a vehicle, however they have been a frequent target and attackers have gained access to sensitive data. This is certainly problematic for Hyundai and something that needs to be addressed to rebuild consumers’ confidence in their products.“)
Sensitive information stolen from school district systems.
An elementary school was a victim of a data breach in 2022 and as a result the names and social security numbers of current and former employees have been compromised as reported by the Milwaukee Journal Sentinel. Elmbrook School Chief Strategy Officer Chris Thompson commented saying “These were professional cyber criminals. This is not something your antivirus software cleans up. I cannot comment on the efforts required to secure our network…" Thompson also added that Elmbrook elementary was not the only victim as this breach also targeted other schools across the country. The school district has since partnered with a third party cyber security firm to better defend against future attacks. Cyber attacks on schools seem to be maintaining the same pace as with other years as reports CyberSecurity Dive. Experts continue to recommend organizations conduct regular audits of their databases and the security protecting them.
Data breach affects Medicaid members.
The Iowa Department of Health and Human Services reported on Tuesday that a data breach occurred on a contractor’s computer system affecting some Medicaid members, however they confirmed that the Medicaid system, as a whole, has not been breached. “Between June 30 and July 5, 2022, ILS suffered a data breach that resulted in the exposure of personal information belonging to more than four million individuals across several states. Data for approximately 20,800 Iowa Medicaid members was involved in this breach. The breach led to the compromising of information, such as full names, Medicaid details, and other sensitive information.” Iowa medicaid is offering access to free credit monitoring to those members affected.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, doesn't like the slow disclosure. "Disclosure of this breach took far too long. Eight months passed between ILS detecting the breach and Iowa HHS informing victims. A lot of damage could have already been done. Criminals could use the breached info for identity theft, Medicaid fraud, and phishing, among other attacks. Although it is late, I recommend all affected patients take advantage of the free credit monitoring being offered."
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, doesn't care for the way in which the breach was disclosed either. "It's disappointing that the data breach took so long to be disclosed to the public. When this much time passes between the actual breach and its disclosure, the bad guys have had too much time to make use of the information that has been gleaned from the breach. I strongly urge affected customers to take advantage of the free credit monitoring and the free credit report. They should also manually keep an eye on their accounts, while also staying alert for any phishing attempts from the bad guys."
Dror Liwer, co-founder of cybersecurity company Coro, thinks that dealing with a third party requires maintenance of a data chain-of-custody. “Organizations need to think in terms of the data chain of custody when it comes to what is shared with external suppliers. This is especially true for patient data as it is one of the most coveted types of data by criminals. The three steps to follow are posture management, encryption, and continuous audit cycles. Organizations should clearly articulate the security posture they expect from their vendors. That posture should flow downstream to any vendors used by the vendor. All data should be encrypted, and access to keys should be extremely limited. Lastly, an audit cycle should be established to ensure the security posture is indeed implemented. The audit should include penetration testing and certification.”
Erich Kron, security awareness advocate at KnowBe4, wrote to draw attention to the peculiar utility medical information has for identity thieves:
“While it's always concerning when an organization has a data breach, when the information that is lost is medical in nature, it can be even more of an issue. While losing a credit card number is slightly inconvenient, it can easily and quickly be remedied. However, the loss of medical information, which often includes Social Security numbers and other sensitive information, can easily be used to steal someone's identity, and the information can be used by social engineers to target victims by referencing information they believe is private. This allows attackers to gain trust with the victims much more quickly.
"The time that has passed between the breach, detection of the breach, the notification to the Iowa HHS and Medicaid, and now, is very unfortunate. This incredibly slow response means that these potential victims have had their information exposed for close to a year without ever having been made aware. While cyber incidents and breaches are an unfortunate part of modern business, for organizations impacted, the way that they deal with the response is very important.
"For organizations to defend themselves and avoid breaches in the first place, it is critical that they employ a comprehensive employee education and awareness training program designed to help them avoid falling for email phishing attacks, one of the most common initial attack vectors. In addition, Data Loss Prevention (DLP) tools and strong technical security controls should be in place to protect data and detect when bad actors are attempting to exfiltrate it.”