The Week in Breach: 07/16/18 – 07/20/18
This week serves up a reminder why medical data should be handled with care, as it’s among the most highly sought after and valuable for bad actors. Two of the biggest telecommunications providers in the world were also breached this week, which is what happens when you “phone in” cyber security.
Highlights from The Week in Breach:
– Can’t Opt Out, Aussie!
– Unsecure Amazon S3 bucket strikes again! Hello… Verizon, can you hear me now?
– Unencrypted Healthcare Data.
In Other News:
It’s my data, give it back!
So many Australians have been rushing to opt-out of their government’s new centralized health record system that the site has crashed! Originally it was designed as an opt-in database, but there just wasn’t a lot of activity with the program. After the government spent more than AU $4 billion on this database, a flop of that magnitude was not an option, so it became a mandatory opt-out program. Those who have been calling in rather than taking to the web to opt-out of the system face employees with a lack of training, long wait times, and general mayhem. Many people cite privacy concerns as their reason for opting out, which is a fair assessment. This lack of trust could be because despite assurances by government officials that no data will be shared with third parties, a partner app called HealthEngine has been caught red-handed breaking those promises. For more information on the HealthEngine story, check out this past Week in Breach.
https://www.zdnet.com/article/my-health-record-systems-collapse-under-more-opt-outs-than-expected/
95% Success Rate GPS Spoofing
Researchers have successfully been able to launch GPS spoofing attacks on road navigation systems… a scary achievement. GPS spoofing systems have been around for a while but had previously been unable to trick humans into actually following the directions. The phone or GPS unit would give directions that didn’t make sense, such as abruptly turning off the road. The new and improved technology can now take into account the road layout while giving the driver wrong directions. As car manufacturers look toward a self-driving future, accurate GPS spoofing could lead to some unfortunate circumstances.
https://www.bleepingcomputer.com/news/security/researchers-mount-successful-gps-spoofing-attack-against-road-navigation-systems/
DDoS Siege
Gaming studio Ubisoft was the victim of a DDoS attack this week, leaving many of its most popular titles unplayable. The attacks lasted for several days and were focused on the game’s connections and server latency. This is not the first time a gaming studio has been targeted by a DDoS attack, as American studio Blizzard, known for their game World of Warcraft, experienced downtime last week due to the same issue. While the motive behind the attacks is unclear, what is certain is that these attacks are costing the companies that experience them a LOT of money.
https://cyware.com/news/ubisoft-hit-by-massive-ddos-attacks-affecting-far-cry-5-for-honor-and-other-games-d3efe5ab
Podcasts:
IT Provider Network – The Podcast for Growing IT Service
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!
Israel – Verizon – Exposed by Nice Systems
Exploit: Exposed Amazon S3 storage server, supply chain vulnerability.
Risk to Small Business: High: Supply chain breaches are increasingly blamed on the prime vendor as its their fiduciary responsibility to ensure the downstream vendors they use are secure. This one has global reach as many of the customers are US-based individuals.
Individual Risk: High: Could allow hackers to break into an exposed individual’s email account protected by 2FA.
Verizon: A U.S. based phone company that has over 108 million post-paid wireless customers.
Nice Systems: An Israeli based enterprise software company that has 85 of the Fortune 100 as customers.
Date Occurred/Discovered: Late June 2018
Date Disclosed: July 2018
Data Compromised:
- Name
- Cell phone number
- Account PIN (allowing access to a subscriber’s account)
- Home address
- Email address
- Current balance of account
- Verizon customer subscribed services
Customers Impacted: 14 Million.
https://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/
Singapore – Ministry of Health
Exploit: Undisclosed at this time. Lack of advanced, real-time intrusion detection.
Risk to Small Business: High: Nation-state originated, this is a massive breach in both scope and severity; most business would not recover from this, especially due to the fines that many countries would levy on a business that did not secure healthcare data.
Individual Risk: High: Medical information is valuable on the Dark Web and can be used to impersonate or exploit an individual.
Ministry of Health: Singapore’s national health organization that manages the country’s public healthcare system.
Date Occurred/Discovered: June 27, 2018 – July 4, 2018
Date Disclosed: July 20, 2018
Data Compromised:
- Name
- NRIC number
- Address
- Gender
- Race
- Date of birth
- Details on dispensed medicines
Customers Impacted: 1.5 million citizens, including the Prime Minister.
https://www.bleepingcomputer.com/news/security/hackers-stole-a-third-of-singapores-healthcare-data-including-prime-ministers/
Canada – CarePartners
Exploit: Unencrypted data-at-rest. Elevated privileged access. Unpatched vulnerability open for 2 years.
Risk to Small Business: High: Ransom and exfiltrate attacks are an increasingly common practice amongst cyber criminals and can be reputationally and monetarily damaging to an organization.
Individual Risk: Extreme: Health information is useful for identity theft and traded frequently on Dark Web market places.
CarePartners: An organization that provides home medical services for the Ontario government.
Date Occurred/Discovered: June 2018
Date Disclosed: June 2018… however this week, the hackers revealed that they had much more information than CarePartners revealed.
Data Compromised:
- Names
- Phone numbers
- Addresses
- Medical Records
- Past conditions
- Diagnoses
- Surgical procedures
- Care plans
- Medications
- Credit card numbers
- Expiry dates
- Security codes
- T4 tax slips
- Social insurance numbers
- Bank account details
- Plaintext passwords
Customers Impacted: 80,000.
http://www.cbc.ca/news/technology/carepartners-data-breach-ransom-patients-medical-records-1.4749515
A note for your customers:
How long could it take for your business to fail? Months of operating on a loss? Years of a bad employee costing you money? How about an hour. According to top researchers in the UK, more than HALF of UK small businesses could be hacked in less than an hour. Systems are put into place to prevent frivolous spending within an organization and to stop theft before it happens. Budgets are made, and doors are secured with locks. Why wouldn’t you do the same for cyber security? Especially when it could only take someone across the country, or even in a different country, less than an hour to cripple your business if you are not protected. You wouldn’t just eyeball your organization’s spending or leave your office’s door open at night. So again, the question is raised, why would you take a lackadaisical approach to cyber security? With the world becoming increasingly connected, it is important to proactively fight cyber-attacks with employee training and defense systems, monitor for Dark Web credential exposure with tools like Dark Web ID™ and to have a robust breach response plan in place.
Are you an ID Agent Partner? Feel free to re-use this blog post (in part or in entirety) for your own social media and marketing efforts! Just send an email to [email protected] to let us know!
Not a Partner? Learn more about Dark Web ID™ and the benefits it holds for your Business. Contact us today!