At a glance.
- Two insurance giants suffer breaches of Japanese customer data.
- Healthcare breach round-up.
Two insurance giants suffer breaches of Japanese customer data.
The Japanese branch of leading insurance company Aflac has disclosed it experienced a third-party data breach that exposed the personal information of over three million customers, including over one million holders of its cancer insurance product, Nippon.com reports. Aflac says the leak stemmed from the January 7th data breach of an unnamed US-based contractor to which it outsources marketing work. Aflac explained, "The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes.” In a formal apology, the company said that while the compromised data include customer surname, age, gender, and insurance coverage, the information is not enough to identify individual customers, meaning that the likelihood of misuse of the data is “extremely low.” Aflac added that “the external company that was the source of the leak has already deleted the customer's information from the server they are using, and we are taking measures to prevent further information leaks." The Register says it verified that a sample of the stolen data was found on an underground breach forum where it was being offered for sale.
On the same day that Aflac confirmed its breach, Swiss insurer Zurich reportedly disclosed data belonging to over two million of its Japanese customers was also exposed through a third-party data leak, though it’s unclear whether the two incidents can be traced to the same contractor. Zurich told Bank Info Security that 757,463 current and former customers of its "Super Automobile Insurance" were impacted.
Lior Yaari, CEO and co-founder of Grip Security, wrote to discuss the risk of exposure to third-party credential theft: “With breaches at Aflac and Zurich, we can see once again how third-party exposures can lead to exploits, likely through compromised credentials. The third party has the authority to access the Aflac and Zurich systems, likely through a simple username and password. When credentials are left unchecked and unguarded, it can lead to threat actors gaining access without having to break-in…they simply log-in. Whether it’s a third-party, former employee, overly permissive grants, or dangling access on zombie accounts, the opportunity to exploit credentials and thereby gain access to sensitive information has never been more appealing. Which is one of the reasons third parties and their credentials to access client systems remain top attacker targets.”
Liat Hayun, CEO of Eureka Security, points out that some degree of exposure to third-party risk is effectively inevitable: “Who do you trust with your critical data assets? Your answer would be “no one.” However, the reality is that organizations use third-party vendors to enable day-to-day operations. With that said, it is best to work with third-party vendors who have the same, if not better data security policies than your own organization to further accelerate day-to-day operations.”
Healthcare breach round-up.
Cybercriminals continue to target companies that handle valuable and sensitive healthcare data. Health IT Security details a trio of US medical data breaches:
- Bay Bridge Administrators (BBA), an insurance administrator located in the state of Texas, experienced an incident that exposed the data of individuals enrolled in employment insurance benefits administered. BBA discovered the network disruption on September 5 and later determined that an intruder had gained access to its network in late August. The compromised data include names, Social Security numbers, health insurance information, medical information, driver’s license numbers, and dates of birth, and impacted individuals are being notified.
- As we noted earlier this week, Your Patient Advisor by Captify Health, a provider of colonoscopy preparation supplies, suffered a website breach that impacted the payment card data of over 244,000 individuals. The company released a notice stating,“Your Patient Advisor has implemented additional security measures to secure its online ordering platform to reduce the risk of a similar incident occurring in the future and to protect the privacy and security of all personal information in its possession. Also, out of an abundance of caution, Your Patient Advisor has taken steps to ensure its platform is safe and secure for all purchases.”
- CentraState Healthcare System, based in the state of New Jersey, has been experiencing an IT network issue that has impacted some of its patient services. First detected on December 30, the issue is still disrupting operations at a few of its lab locations. In an update issued earlier this week, the company stated, “Our high standards of patient care remain in place and our emergency department continues to function at near full capability with some limited exceptions.