Happy New Year, CyberWire Pro readers! As a special thank you, we would like to offer you a free CyberVista practice test or free access to the Cloud Security Essentials Course, Use code PROLEARN at checkout to redeem this limited time offer.
The Japanese branch of leading insurance company Aflac has disclosed it experienced a third-party data breach that exposed the personal information of over three million customers, including over one million holders of its cancer insurance product, Nippon.com reports. Aflac says the leak stemmed from the January 7th data breach of an unnamed US-based contractor to which it outsources marketing work. Aflac explained, "The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes.” In a formal apology, the company said that while the compromised data include customer surname, age, gender, and insurance coverage, the information is not enough to identify individual customers, meaning that the likelihood of misuse of the data is “extremely low.” Aflac added that “the external company that was the source of the leak has already deleted the customer's information from the server they are using, and we are taking measures to prevent further information leaks." The Register says it verified that a sample of the stolen data was found on an underground breach forum where it was being offered for sale.
On the same day that Aflac confirmed its breach, Swiss insurer Zurich reportedly disclosed data belonging to over two million of its Japanese customers was also exposed through a third-party data leak, though it’s unclear whether the two incidents can be traced to the same contractor. Zurich told Bank Info Security that 757,463 current and former customers of its "Super Automobile Insurance" were impacted.
Lior Yaari, CEO and co-founder of Grip Security, wrote to discuss the risk of exposure to third-party credential theft: “With breaches at Aflac and Zurich, we can see once again how third-party exposures can lead to exploits, likely through compromised credentials. The third party has the authority to access the Aflac and Zurich systems, likely through a simple username and password. When credentials are left unchecked and unguarded, it can lead to threat actors gaining access without having to break-in…they simply log-in. Whether it’s a third-party, former employee, overly permissive grants, or dangling access on zombie accounts, the opportunity to exploit credentials and thereby gain access to sensitive information has never been more appealing. Which is one of the reasons third parties and their credentials to access client systems remain top attacker targets.”
Liat Hayun, CEO of Eureka Security, points out that some degree of exposure to third-party risk is effectively inevitable: “Who do you trust with your critical data assets? Your answer would be “no one.” However, the reality is that organizations use third-party vendors to enable day-to-day operations. With that said, it is best to work with third-party vendors who have the same, if not better data security policies than your own organization to further accelerate day-to-day operations.”
Cybercriminals continue to target companies that handle valuable and sensitive healthcare data. Health IT Security details a trio of US medical data breaches:
Monday is the US holiday of Dr. Martin Luther King, Jr. Day, and the CyberWire won't be publishing. We'll be back as usual on Tuesday. In the meantime, best wishes on the occasion to all who'll be observing the holiday with us.
Aflac's Japan says US partner leaked cancer customer info (Register) Zurich’s Japanese outpost also leaks a couple of million records
Aflac, Zurich Policyholders in Japan Affected by Data Leaks (Bank Info Security) Personal information for more than 1.3 million Aflac cancer insurance policyholders and almost 760,000 Zurich Insurance auto insurance policyholders in Japan has
Japan Units of Aflac, Zurich See 2 M. Customers' Data Breached (Nippon.com) Tokyo, Jan. 10 (Jiji Press)--Aflac Life Insurance Japan Ltd. and Zurich Insurance Co., the Japanese unit of Zu…
Crypto-inspired Magecart skimmer surfaces via digital crime haven (Malwarebytes) One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.
TX Insurance Administrator Discloses Healthcare Data Breach (Health IT Security) Bay Bridge Administrators (BBA) experienced a data security incident that impacted individuals enrolled in some employment insurance benefits.
