The Week in Breach 4/23 – 4/30
Breach Updates and News Small Business Can Use!
Not Worried About that Public Data Breach? You Should be!
Credential Stuffing Bots are on the rise and working overtime to exploit you!
The “Evil Maid” Strikes Again…
A legitimate concern or the stuff fairytales are made of? Micah Lee spends a paranoia-filled 2 years trying to catch a tamperer red-handed. Myth or not, practicing safe cyber hygiene while traveling is a must.
Are You in Healthcare?
Congratulations, you are twice as lucky to be breached!
Survey Says… What?
15% of people would rather do laundry than change their passwords?
Home Sweet Hacked Home!
Some common-sense advice on how to keep your home safe from our friends at GetSafeOnline.org.
How Secure are Your Sticky Notes?
A second common-sense link from GetSafeOnline.org. Great advice on password hygiene and a cute video at the end… Cheers!
Recent Breach Incidents impacting Small Business
WEI Mortgage (Virginia-based subsidiary of ARC Home)
Financial Sector – Phishing
Small Business Risk: High (Forensic & Mitigation Costs, Financial Loss, Compliance Fines/ Penalties, Brand / Reputation Damage)
Exploit: Phishing: Employee Email Account Compromised
Risk to Individuals: High: Volume of PII elements disclosed in this breach.
What You Need to Know: Trusted with highly sensitive PII & Financial information, WEI clearly underinvested in cybersecurity basics:
- Phishing Email Mitigation
- Security Awareness Training
- Two-Factor Authentication
- Encryption
Date Occurred or Discovered | Unauthorized access to email accounts between Sept. 13 and Sept. 28, 2017. |
Date Disclosed | April 23, 2018 (7 Months) |
Data Compromised | According to the lender, with access to the email accounts in question, the hacker (or hackers) may have had access to numerous pieces of personal information including: Social Security number, date of birth, address, driver’s license or state identification number, passport number, bank account information, credit or debit card information, tax identification number, username and password, loan package information, and name. Additionally, health insurance information, health insurance group number, and health insurance member number of certain individuals may have been exposed. The lender cautions that its investigation found no evidence of actual or attempted misuse of personal information thus far, but the investigation showed that some personal information was present in the impacted email accounts at the time of the incident. |
How Compromised | An employee’s email account was accessed via a phishing scheme, which may also have provided access to other accounts. |
Customers Impacted | WEI did not reveal the size of the breach or the number of potentially affected customers |
Attribution/Vulnerability | Phishing |
Sources | Housing Wire | National Mortgage News |
Kansas-based MEDantex (medical transcription)
Healthcare Sector – Database Misconfiguration, Ransomware
Small Business Risk: High (Forensic & Mitigation Costs, Financial Loss, Compliance Fines/ Penalties, Brand / Reputation Damage)
Exploit: Database Security Misconfiguration, Single Factor Login, Ransomware Exploit
Risk to Individuals: High: Significant Patient Health Information Exposed. Downstream exploitability of patients, employee and medical professionals.
What You Need to Know: This incident is particularly concerning for several reasons:
- MEDantex is still unable to determine how long its portal was exposed.
- Even when the portal was “secure”, it only required single-factor authentication. This is a major fail given that the portal housed PII/PHI dating back to 2007.
- Basic penetration testing should have picked up this vulnerability.
Date Occurred or Discovered | Length of time exposed is undetermined but was open as late as April 10, 2018. |
Date Disclosed | Unknown/April 2018 |
Data Compromised | The number of exposed records was unclear, but one accessible directory alphabetized more than 2,300 doctors by their last name with access to downloadable records. While most records appeared recent, some dated back to at least 2007. This included administration tools that let anyone who visited the page add or delete users and search for medical records by patient or provider names. |
How Compromised | A security issue with an online portal that was apparently leaking medical records onto the internet that should have been password protected. Numerous online tools intended for use by MEDantex employees were exposed to anyone with a Web browser, including pages that allowed visitors to add or delete users, and to search for patient records by physician or patient name. No authentication was required to access any of these pages. |
Customers Impacted | Patient data from at least 2,300 providers |
Attribution/Vulnerability | Several MEDantex portal pages left exposed to the Web suggest that the company recently was the victim of “WhiteRose”, a strain of ransomware that encrypts a victim’s files unless and until a ransom demand is paid. However, misconfigured databases continue to plague the industry and are most often caused by user error. In fact, insider errors outnumber outside threat actors in the healthcare industry, according to Verizon’s latest breach report. |
Sources | 14 News | Health Care IT News |
Bezop (blockchain-based e-commerce app and cryptocurrency token issuer)
Technology – Database Security Misconfiguration
Small Business Risk: Moderate (Forensic & Mitigation Costs, Financial Loss, Compliance Fines/ Penalties, Brand / Reputation Damage)
Exploit: MongoDB Database Security Misconfiguration
Risk to Individuals: High: Significant PII & Financial information disclosed. Downstream exploitability of investors.
What You Need to Know: Bezop is certainly guilty of cyber negligence; however, this exploit has the hallmarks of crypto-cyber espionage, either for financial gain or to discredit the stability and credibility of Bezop.
- Code review and penetration testing should have picked up this vulnerability.
Date Occurred or Discovered | Unknown, but sources say investors’ data was publicly accessible as late as March 30. |
Date Disclosed | April 25, 2018 |
Data Compromised | Bezop, which offers its own cryptocurrency “tokens” in addition to… some sort of blockchain-based e-commerce app, left a MongoDB database wholly unsecured, exposing full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs. |
How Compromised | A leaky database discovered online. |
Customers Impacted | Over 25,000 Bezop investors. |
Attribution/Vulnerability | Undisclosed at this time. |
Source | Gizmodo |
Access Group (student loan provider; loans processed by Nelnet)
Financial Sector – Supply Chain Vulnerability, Human Error
Small Business Risk: High (Compliance Fines/ Penalties, Brand / Reputation Damage)
Exploit: Supply Chain Vulnerability. Human Error
Risk to Individuals: Low: Data Identified, Contained and Destroyed
What You Need to Know: Access Group publicly admits that it failed to develop and enforce data security requirements within its supply chain. This is highly concerning given that Access Group operates in a highly regulated industry where security requirements and compliance standards are clearly defined.
Date Occurred or Discovered | March 23, 2018 / Discovered March 28, 2018 |
Date Disclosed | April 27, 2018 |
Data Compromised | Included borrowers’ names, driver’s license numbers and Social Security numbers. Access Group was assured that the vendor who received the files deleted them and didn’t retain copies. |
How Compromised | Information was inadvertently released by Nelnet, which processes student loans for Access Group. |
Customers Impacted | 16,500 borrowers |
Attribution/Vulnerability | The business that the files were sent to was not identified but has been described as a student loan lender. |
Sources | Star Tribune | US News |
Billings Clinic (Atrium Pharmacy)
Healthcare Sector – Compromised Email Account
Exploit: Compromised Email Account, Probable (Phishing or Compromised Credential)
Risk to Individuals: Moderate: Limited Exposure & Data Value
What You Need to Know: Billings Clinic does not detail how the attack originated. However, chatter suggests that a compromised credential was used to gain access to an email account operated by the organization.
Date Occurred or Discovered | April 27, 2018 |
Date Disclosed | April 27, 2018 |
Data Compromised | Information that was potentially viewed includes patient names, dates of birth, phone numbers and amounts owed to Billings Clinic’s Atrium Pharmacy. In some cases, information included internal Billings Clinic patient identification or billing numbers and limited medical information. Social Security numbers, credit card numbers, banking information or insurance information were not involved and the incident did not compromise Billings Clinic’s electronic medical record system or financial systems. |
How Compromised | The clinic identified unusual activity within its email system. The investigation confirmed that an unauthorized person viewed a number of emails that contained personal information on some Billings Clinic patients. No further information was disclosed. |
Customers Impacted | 949 patients |
Attribution/Vulnerability | Undisclosed at this time |
Source | 8 KPAX |
MSP Partners, please feel free to share this information with your customers!
Are you looking to see how Dark Web ID™ can help you protect your customers’ credentials? Learn about ID Agent’s Partner Program now!