At a glance.
- Check-the-box privacy?
- Brightline confirms GoAnywhere-related breach.
Are EU IT specialists too apathetic about securing company data?
A study conducted by cybersecurity firm comforte AG indicates that European IT and security leaders may be overly confident about how well their data is protected from cyberattacks. Of the 503 IT Security Specialists and Chief Information Officers in the UK, France, and Germany surveyed, nearly 75% say their company suffered at least one attack in the past twenty-four months. However, 85% of respondents say they’re confident they will avoid future attacks in the next two years, and that if they are breached, they'll be able to detect an intrusion within just two hours. Three-quarters of those interviewed say they’re doing the bare minimum when it comes to data privacy, merely taking a tick-box approach to ensuring they are compliant with the EU’s General Data Protection Regulation. While 97% say they have a breach contingency plan in place, 26% say they’ve never tested it.
Perhaps this apathetic response is due to the fact that only a quarter of respondents say their organization has been fined for past data breaches. Henning Horst, comforte CTO, says, “Data is the number one asset that any organization holds, and they shouldn’t wait until it’s too late to take action. Our research clearly shows that serious attacks are a matter of when, not if. By deploying data-centric security today, enterprises can mitigate the worst impacts of a potential breach tomorrow, and drive digital transformation initiatives forward with confidence.”
Brightline confirms data breach as a result of the Fortra GoAnywhere bug.
It became apparent that Brightline, a pediatric virtual mental health provider, was one of the many companies impacted by the zero-day vulnerability discovered in the Fortra GoAnywhere MFT secure file-sharing platform after the Cl0P ransomware group listed the company on its leak site in March. Now, Bleeping Computer reports, Brightline has confirmed that the attackers who exploited the bug stole the protected health information of 783,606 people. The exfiltrated data include full names, street addresses, dates of birth, member IDs, plan coverage dates, and employer names.
A statement on Brightline’s website says, "As soon as we became aware of the incident, we took immediate action to investigate it by confirming Fortra deactivated the unauthorized user's credentials, turned off the service, and rebuilt our version so it was no longer vulnerable." Brightline provides services for an extensive list of US organizations including Diageo, Nintendo of America, and Harvard University, and the number of impacted individuals could increase as investigations continue.
It’s worth noting that yesterday Cl0p mysteriously removed Brightline from its leak site, stating, "We delete the data and we did not know what this company is doing, because not all companies are analyzing. And we ask for forgiveness for this incident.” It’s unclear if the cybercriminals have actually destroyed the stolen data.
Sally Vincent, Senior Threat Research Engineer at LogRhythm, commented on how a single vulnerability can have national consequences:
"Brightline, a provider of counseling services for mental and behavioral health, recently suffered a data breach that has affected more than 780,000 individuals. The cause of the breach was a zero-day vulnerability exploited by the Clop ransomware gang, who gained unauthorized access to sensitive data through Brightline's file-sharing platform. The compromised data includes member identification numbers, employer names, addresses, birthdates, names, and dates of health plan coverage. Despite taking steps to address the issue, including deactivating user credentials, shutting down the service, and implementing supplementary security measures, this unfortunate event highlights the need for healthcare organizations to ensure the complete protection of patient data.
"This is another example of a zero-day remote execution vulnerability leading to lateral movement, and unfortunately, there will always be zero-days; organizations need to have full visibility of their networks and hosts to detect lateral movement. To prevent the recurrence of such attacks that may endanger the wellbeing of mental and behavioral health patients, organizations like Brightline must prioritize cybersecurity controls. The interdependence of healthcare and cybersecurity implies that until healthcare organizations give cybersecurity the same weight as their core operations, they will remain vulnerable to such attacks. Healthcare organizations can brace themselves for cyberattacks by adopting password hygiene, threat detection, and both preventive and responsive controls that can repel malicious cybercriminals, protect patient data, and ensure uninterrupted IT operations. By employing dependable security monitoring solutions equipped with robust automated response capabilities, organizations can have a complete view of their IT environments, enabling the timely identification of cybercriminal activity, and the provision of proper patient care."
James Graham, VP of RiskLens, notes the special responsibilities healthcare organizations have: "Members of the healthcare industry are often targeted by threat actors, which means healthcare organizations need to be exceptionally sure of their cybersecurity investments. Part of this is performing quantitative risk assessments using the FAIR standard to provide an overview of risk in terms of probability and cost, allowing for security investments to be made more efficiently."
According to Avishai Avivi, CISO at SafeBreach, “The newest report on Brightline’s ransomware attack is a good example of the high financial cost of a data breach and its impact on both the company and its cyber insurer. Brightline revealed the breach affected at least 783,000 victims as well as 58 covered entities, the companies and healthcare insurance providers that offer Brightline’s services." Avivi approves of the credit-monitoring offer. "It’s impressive to note that Brightline is offering two-year free credit monitoring via their insurer, Cyberscout, for individuals who were potentially impacted. This is not mandated by HIPAA or any state Privacy or Consumer Protection Laws but is of course the responsible action to take." But the total costs of a breach of this size are likely to be great. "However, the total retail cost of providing such insurance, typically $29.95/month, would run more than $500 million if every impacted individual took the offer. It’s safe to assume that even at a small fraction of that cost, Brightline’s insurer is going to absorb a significant claim. Brightline will most likely face regulatory fines, increased cyber premiums, and an immeasurable cost to their brand reputation and customer base. And situations like these will cause cyber insurance companies to raise the bar for companies to be eligible for insurance. When you understand the wider financial costs of a ransomware attack, it reinforces the importance for companies to deploy their security controls properly, continuously validate them once deployed, and prepare and test a formal recovery and remediation plan to remain as resilient as possible in the face of an attack.”
(Added, 4:15 PM ET, April 4th, 2023. We've received some additional comments from Ani Chaudhuri, CEO of Dasera, on the incident. "The recent data breach involving Brightline, a pediatric mental health provider, is a stark reminder of the importance of data security in the healthcare industry. While it is disheartening to learn that such a vital service provider has been targeted, this incident should serve as a call to action for organizations to strengthen their data protection measures," Chaudhuri wrote. "It is essential to recognize that Brightline promptly addressed the breach, taking immediate steps to investigate and mitigate the impact of the incident. Their efforts to enhance security measures, rebuild their service, and reduce data exposure demonstrate a commitment to protecting their patients' information. However, the fact remains that even the most well-intentioned organizations can fall victim to cyberattacks.
"As a data security company, we understand organizations' challenges in safeguarding their sensitive information. In this rapidly evolving landscape, companies must invest in robust data security solutions and work closely with experts to ensure they are prepared for emerging threats.
"Moreover, it is vital for organizations to regularly assess their data security infrastructure and implement necessary updates and patches to address vulnerabilities. As the ransomware gang exploited a zero-day vulnerability in this case, it highlights the importance of staying informed about potential risks and swiftly mitigating them.
"We empathize with Brightline and the affected individuals, understanding the stress and potential harm such breaches can cause. To assist those impacted, offering complimentary identity theft and credit monitoring services is a commendable step by Brightline. Organizations must prioritize their clients' well-being and offer support during these challenging times.
"While the Brightline data breach is unfortunate, it is a critical reminder for organizations to prioritize data security and invest in necessary measures to protect sensitive information. Collaboration between organizations and data security companies is essential to safeguard against threats and minimize the impact of breaches on the lives of those affected.")