At a glance.
- US medical center employee abuses access to patient data.
- New York bank discloses third-party data breach.
- Eyewear giant hit with third recent data breach.
- Researchers say smartphone facial locks shouldn’t be taken at face value.
US medical center employee abuses access to patient data.
University of Missouri Health Care (MU Health Care), a medical center in the US state of Missouri, has disclosed that an employee was found to have inappropriately accessed data in its electronic medical record (EMR) system. An investigation determined that the employee viewed over seven hundred patient records between July 2021 and March 2023 without a purpose permitted under the Health Insurance Portability and Accountability Act (HIPAA). The compromised data include patient name, date of birth, medical record number, and some treatment and/or clinical information. The staffer's EMR access has been suspended and affected patients are being notified.
Ani Chaudhuri, CEO of Dasera, sees the incident as representative of a common challenge the healthcare sector faces:
"The news about the data breach at MU Health Care underscores a widespread challenge within the industry: keeping sensitive patient data secure. While it's distressing to see another breach, especially one involving an insider threat, it's important to view this situation not just as an isolated incident, but as a symptom of a larger, systemic issue in data security.
"The breach in question involved an employee accessing over 700 patient records without verified HIPAA purpose. It's easy to point fingers at a single wrongdoer, but such incidents also highlight the need for more robust, automated security controls that can detect and prevent unauthorized access in real time.
"At the heart of this is a two-pronged challenge: ensuring that only authorized personnel have access to sensitive patient data, and monitoring that this access is being used appropriately. However, this isn't as simple as it may sound. Today's healthcare environment is complex and constantly evolving, with thousands of staff needing various levels of access to patient data. Determining what constitutes 'appropriate' access in such a fluid context is a nontrivial task, one that demands a solution more sophisticated than manual reviews or basic access controls.
"MU Health Care’s decision to utilize workforce education to train for appropriate access to patient information is commendable, and it's a crucial step towards cultivating a security-first mindset among staff. However, training alone may not be enough to prevent all instances of inappropriate data access, as evidenced by the recent breach.
"Therefore, in tandem with training initiatives, there is a pressing need for comprehensive and automated data governance and security solutions. These technologies not only help detect inappropriate data access and use, but they also work proactively to establish an environment where such breaches are much less likely to occur.
"I'm confident that MU Health Care, like many other organizations that have unfortunately found themselves in a similar situation, will not only learn from this incident but will also work towards implementing these enhanced data security measures. Data breaches can be a wake-up call, a chance to reassess and improve our data protection strategies – because at the end of the day, protecting patient data is not just about maintaining trust and compliance; it's about safeguarding the very essence of healthcare itself."
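The automated access monitoring discussed above is easier to reason about with a concrete rule set. The following is an added example, not MU Health Care's system or Dasera's product: it runs two common insider-threat rules over a constructed EMR audit log. Rule 1 flags views of patients in units the user is not assigned to (a crude proxy for "no treatment relationship"); rule 2 flags a user who views more distinct patients in one day than a threshold. The pipe-separated log format, the user and unit names, the MRNs, and the care-team table are all assumptions made for the example.

```python
"""Flag suspicious EMR record views in an audit log (added example).

Rule 1, "no treatment relationship": the user viewed a patient in a unit
        that is not on any care team the user belongs to.
Rule 2, "volume": the user viewed more distinct patients in one calendar
        day than the configured threshold.
Log format, users, units and MRNs below are constructed for this example
and do not correspond to any real vendor export or real patient.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp | user | action | medical record number | unit
AUDIT_LOG = """\
2023-03-01T08:02:11|jdoe|VIEW|MRN1001|CARDIOLOGY
2023-03-01T08:05:40|jdoe|VIEW|MRN1002|CARDIOLOGY
2023-03-01T12:30:05|jdoe|VIEW|MRN2001|ONCOLOGY
2023-03-01T12:31:17|jdoe|VIEW|MRN2002|ONCOLOGY
2023-03-01T12:32:02|jdoe|VIEW|MRN2003|ONCOLOGY
2023-03-01T12:33:49|jdoe|VIEW|MRN2004|ONCOLOGY
2023-03-01T09:15:00|asmith|VIEW|MRN2001|ONCOLOGY
2023-03-01T09:20:00|asmith|VIEW|MRN2002|ONCOLOGY
2023-03-02T07:58:33|jdoe|VIEW|MRN1001|CARDIOLOGY
"""

# Constructed care-team membership: the units each user legitimately covers.
CARE_TEAMS = {
    "jdoe": {"CARDIOLOGY"},
    "asmith": {"ONCOLOGY"},
}


def parse_log(text):
    """Parse pipe-separated audit lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, action, mrn, unit = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "mrn": mrn,
            "unit": unit,
        })
    return events


def flag_no_relationship(events, care_teams):
    """Rule 1: VIEW events on a unit outside every unit the user is assigned to."""
    findings = []
    for e in events:
        if e["action"] != "VIEW":
            continue
        allowed = care_teams.get(e["user"], set())  # unknown user -> nothing allowed
        if e["unit"] not in allowed:
            findings.append({
                "rule": "no_treatment_relationship",
                "user": e["user"],
                "mrn": e["mrn"],
                "unit": e["unit"],
                "ts": e["ts"].isoformat(),
            })
    return findings


def flag_volume(events, max_patients_per_day):
    """Rule 2: more distinct patients viewed per user and day than the threshold."""
    per_day = defaultdict(set)
    for e in events:
        if e["action"] == "VIEW":
            per_day[(e["user"], e["ts"].date())].add(e["mrn"])
    return [
        {"rule": "volume", "user": user, "day": day.isoformat(),
         "distinct_patients": len(mrns)}
        for (user, day), mrns in sorted(per_day.items())
        if len(mrns) > max_patients_per_day
    ]


def detect(log_text, care_teams, max_patients_per_day=4):
    """Run both rules and return the combined list of findings."""
    events = parse_log(log_text)
    return (flag_no_relationship(events, care_teams)
            + flag_volume(events, max_patients_per_day))


if __name__ == "__main__":
    for finding in detect(AUDIT_LOG, CARE_TEAMS):
        print(finding)
```

On the constructed log, rule 1 fires four times for jdoe's oncology views and rule 2 fires once for jdoe on 2023-03-01 (six distinct patients against a threshold of four); asmith's activity produces no findings. In a real deployment the care-team table would be derived from scheduling and encounter data, and the volume threshold from each role's historical baseline rather than a fixed constant.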
New York bank discloses third-party data breach.
Bank of New York Mellon Corporation (BNY Mellon), an investment bank headquartered in New York City, has suffered a third-party data breach, JD Supra reports. The third party has not been identified, but it is assumed to be a vendor that had been given access to confidential BNY Mellon consumer data, including names and Social Security numbers. The bank sent breach notification letters to affected individuals on May 13.
Dasera's Chaudhuri also commented on the "unfortunate" data breach at BNY Mellon. In this case the specific challenge is management of third-party risk:
"This incident highlights a salient issue that businesses and consumers face today - third-party data breaches. Today, business operations are intertwined with multiple entities, including vendors, service providers, and partners. As such, an organization's data security is no longer confined within its walls but extends to all the third-party entities it interacts with.
"This breach underscores the importance of robust third-party risk management. It's crucial for organizations to meticulously vet the security practices of all third-party partners they engage with. To ensure robust protection, companies should consider implementing continuous monitoring of third-party vendors and conduct regular security audits.
"Moreover, the sensitive nature of the data involved - names and Social Security numbers - brings to light the need for stronger data anonymization and encryption practices. Even if data falls into the wrong hands, it should be rendered useless through strong encryption measures. Data should be treated as a crucial asset, and protective measures should be in place to shield it at all times.
"BNY Mellon's immediate actions following the breach - notification to affected individuals and offering free credit monitoring services - are commendable. Rapid response is key in such situations. Simultaneously, organizations should be committed to learning from such incidents and adapting their security posture accordingly.
"Moving forward, we need to rethink our approach to cybersecurity, acknowledging the complex, interlinked landscape we operate in. The digital age offers immense opportunities, but it also brings with it new challenges that we must be prepared to meet head-on.
"As a community, we must stand together, learn from these incidents, and adapt. Only through cooperation and dedication can we hope to build a safer digital future for all."
Eyewear giant hit with third recent data breach.
Luxottica, the world’s largest eyewear company, has confirmed that one of its partners suffered a data breach in 2021 that exposed the personal data of 70 million customers. Luxottica, which owns brands such as Ray-Ban and Oakley and produces eyewear under license for Chanel, confirmed the breach after hackers posted a stolen database containing some 300 million US and Canadian customer records on a hacking forum last November. The stolen data included customers' email addresses, first and last names, postal addresses, and dates of birth. As Bleeping Computer explains, it was at first unclear whether the data came from a new attack or from one of the two breaches the company suffered in 2020, but Andrea Draghetti, lead researcher at Italian cybersecurity firm D3Lab, analyzed the leaked data and determined it had been exfiltrated in March 2021. Luxottica issued a statement saying, “We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post.”
Dror Liwer, co-founder of Coro, noted that repeat attacks on the same target aren't uncommon. “It is not uncommon for criminals to attack the same target more than once, like in this case. Once an organization is hit, the initial instinct is remediation, not prevention. Attackers know they have a window of opportunity before an organization will move from remediation to vulnerability scanning and lockdown, and use this window to execute additional attacks. Using automated security platforms that detect, prevent and remediate automatically greatly reduces the success of these tactics.”
And Roger Grimes, data-driven defense evangelist at KnowBe4, asks if you're using a credit-monitoring service. If you're not, he thinks you ought to consider doing so:
“I think most computer security experts think that everyone's personal and financial data has been compromised one or more times, and the Luxottica breach is just another datapoint in our information ending up in the hands of hackers. Even if you were not directly impacted by the Luxottica breach, because everyone's information is likely breached, everyone should have a fraud/credit monitoring service to alert them of potentially threatening scenarios involving their data.
"I belong to multiple such services at no cost to myself because of past breaches. I've had free credit monitoring services for nearly a decade because of continuous breaches involving my data. Each monitoring service warns me all the time of my personal information being posted on hacker sites, which, as unsettling as it is to learn, doesn't really provide me any useful defense. I know they've got my data, but what can I do? It's out there. But I can't stop it from being used by a hacker to commit some crime against me using my personal data. But what you can do is be notified if hackers do something malicious with your personal data, such as opening new loans in your name, filing fraudulent tax returns, or opening up new credit cards using your information. The best anyone can do right now is to belong to a fraud/credit card monitoring service, get notified of any truly harmful new scenarios involving your personal data, and then work quickly to mitigate those issues. The worst thing you can do is to be unaware of how your data is being used to harm your own interests. Be aware of what is going on with your data and be prepared to shut down any harmful scenarios you learn about.”
Researchers say smartphone facial locks shouldn’t be taken at face value.
Consumer group Which? has found that the face-unlock feature on many popular smartphones can be defeated with a two-dimensional, low-resolution photo of the owner. Researchers tested forty-eight handsets and found that nineteen were fooled, including models from Samsung, Honor, Motorola, Nokia, Oppo, Vivo, and Xiaomi. The Times notes that all of the failing phones run Google’s Android operating system; Apple’s Face ID, which builds a 3D depth map of the face rather than matching a flat image, could not be fooled by the photos. Lisa Barber, technology editor of Which?, stated, “It’s unacceptable that brands are selling phones that can easily be duped using a 2D photo. Our findings have worrying implications for people’s security and susceptibility to scams.” Which? recommends that owners of the affected phones switch to fingerprint or passcode locking and enable additional protection for especially sensitive apps such as Google Wallet. It’s worth noting that some experts worry that even more sophisticated facial recognition, like Apple’s 3D approach, could eventually be circumvented using AI deepfakes. Sensity AI, developer of a deepfake detection platform, recently tested the top ten identity verification systems and found that only one in ten was able to detect that an image was a deepfake rather than the actual individual in question.
Nick France, Chief Technology Officer at Sectigo, wrote, "A recent experiment proves high-tech phones can have their facial locks undone by low-res photos of owners. For security to evolve at the rate of technological advancement, we must re-imagine encryption and turn to new tools for protection. One of the best solutions that can evade the potential of phishing is PKI-based authentication. PKI does not rely on biometric data that can be spoofed or faked; by using public and private keys, PKI ensures a high level of security that can withstand tomorrow's threats.”