At a glance.
- CEO of Vastaamo psychotherapy clinic convicted for data breach.
- Researchers report on three new Pegasus hacks.
- DC Health Link breach caused by configuration error.
CEO of Vastaamo psychotherapy clinic convicted for data breach.
As a refresher, in 2020 the highly sensitive data of tens of thousands of psychotherapy patients were exposed when a hacker infiltrated a storage database owned by Finland’s Psychotherapy Centre Vastaamo. Ville Tapio, the ex-CEO of the now-closed clinic, has now been convicted for what the court determined was negligence in failing to safeguard his clients’ data. As Naked Security explains, it was discovered that Tapio was aware of the clinic's lax cybersecurity and of breaches the clinic had experienced in 2018 and 2019, which he failed to report or act upon. The message sent by his conviction is that a company head’s failure to remediate the company’s cybersecurity issues is a punishable crime. Although Tapio received a three-month prison sentence, it has been suspended, which means he won’t be going to jail just yet.
Researchers report on three new Pegasus hacks.
Citizen Lab’s continued investigation into NSO Group’s Pegasus hacks has revealed that the Israeli spyware maker deployed at least three new “zero-click” hacks against iPhones last year. The report, released yesterday, explains that the attacks targeted phones running iOS 15 and early versions of iOS 16, and the bugs in question have since been patched by Apple. The Washington Post reports that the hacks were used to track the devices of human rights activists investigating the 2015 mass kidnapping of student protesters in Mexico. Notably, the Mexican government is a major NSO client. According to Citizen Lab, the findings indicate that NSO is actively seeking to discover zero-click exploits in order to hack into devices without the users’ knowledge. “It is their core business,” said Bill Marczak, a senior researcher at Citizen Lab.
DC Health Link breach caused by configuration error.
As we reported previously, DC Health Link, the health insurance marketplace for the District of Columbia, suffered a breach last month that exposed personal data belonging to lawmakers and staff in both chambers of the US Congress. A congressional hearing on the incident is taking place today, and according to prepared statements, ABC News reports, the cause of the breach was human error. Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, says the Federal Bureau of Investigation’s Cyber Security Task Force traced the source of the leak to a misconfigured computer server that allowed access without authentication. Kofman explained, “Based on our investigation to date, we believe the misconfiguration was not intentional but human mistake.” The misconfiguration allowed the intruder to exfiltrate two reports that contained the data of over 56,000 current and past Health Link clients, including members of Congress as well as their families and staff. Today Kofman and Catherine Szpindor, the chief administrative officer for the House of Representatives, will testify before the House Oversight Committee's subcommittee on cybersecurity, information technology, and government innovation in a joint session with the Committee on House Administration's oversight subcommittee. The two subcommittee chairs, Representatives Nancy Mace of South Carolina and Barry Loudermilk of Georgia, both Republicans, last week released a joint statement about the incident. “The individuals who trusted the D.C. health exchange to keep their personal health data secure are rightly concerned about the potential consequences of this breach on their personal lives,” the statement read. “They are relying on us to investigate how it took place, how it could have been avoided, how the fallout can be mitigated, and how to prevent a recurrence.”
(Added 9:30 PM ET, April 23rd, 2023. DC Health breach. Nathan Hunstad, Deputy CISO at Code42, reviewed the implications of this kind of human error:
“On March 6, 2023, DC Health reported data theft after the personal information and data of customers was posted on the dark web. Fast forward to today, the incident has now been branded as the result of “human error” after a server was incorrectly configured in mid-2018 when DC Health installed Slack. That misconfiguration enabled a hacker to steal the information of 56,415 current and past customers including members of Congress.
“It's important to ensure that sensitive data repositories are correctly configured to only allow authorized access. This is an all-too-common attack vector. Even when data stores are configured correctly, visibility into data movement is also necessary. According to Code42’s research, insider-driven data exposure, loss, leak and theft events could cost companies $16 million per incident, on average. Knowing the costly consequences of data loss events should make companies pause and evaluate their data security policies and data visibility solutions.
“Building a collaborative company culture, where employees are the allies of the security team, and outlining strategic insider risk security protocols is the first step to ensuring employees make safer and smarter decisions about sharing data.”)