Tag Archives: breach

Oklahoma Government Suffers Massive Data Leak

Another massive data leak has been discovered.

This latest leak involves an open Oklahoma Department of Securities storage server exposing millions of records, including confidential files linked to FBI investigations, 17 years of email archives and thousands of Social Security numbers.

The breach was discovered by a researcher from cybersecurity specialist UpGuard, while scanning the web with Shodan, a search engine that lets the user find specific types of devices (webcams, routers, servers, etc.) connected to the internet using a variety of filters.

The data was exposed through an unsecured rsync service, a utility for synchronizing files across computer systems. With the IP address, registered to the Oklahoma Office of Management and Enterprise Services, anyone could download the publicly accessible files stored on the server. Continue reading Oklahoma Government Suffers Massive Data Leak

OCR Announces Fourth Largest Penalty Ever

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced an Administrative Law Judge (ALJ) ruled against The University of Texas MD Anderson Cancer Center (MD Anderson) after MD Anderson suffered three breaches that disclosed the health records of about 35,000 patients. The ruling requires MD Anderson to pay $4,348,000 in civil money penalties making it the fourth largest monetary penalty in OCR’s history.

The Three Breaches

MD Anderson suffered three different data breaches in 2012 and 2013. The breaches involved the theft of an unencrypted laptop and the loss of two USB thumb drives containing the unencrypted protected health information of over 33,500 patients.

Lack of Encryption

OCR’s investigation found MD Anderson had written encryption policies dating back to 2006 but those policies were not adopted until 2011 and, even then, MD Anderson did not encrypt all of its electronic devices as evidenced by the breaches in 2012 and 2013.  Furthermore, MD Anderson’s own risk analyses recognized that the lack of device-level encryption posed a high risk to the security of ePHI. Continue reading OCR Announces Fourth Largest Penalty Ever

Educational Institutions are Feeling the Heat from Data Breaches

Colleges, universities, and school districts are high on the radar for cyber criminals. Security experts are noticing a rapid spike in stolen or fake .edu accounts available on the dark web.

The Digital Citizens Alliance (DCA) released a study – Cyber Criminals, College Credentials, and the Dark Web – highlighting the cyber risks faced by educational institutions. The DCA noted their goal is to emphasis the challenges the educational sector deals with in protecting their users.

Schools and universities have an interesting range of users to consider: faculty, staff, students, and alumni. According to the report, student email accounts are highly targeted due to the content in their inboxes.

“We’re talking about receipts, information about travel, medical information, sign-up information for other accounts and discount offers that threat actors can use not to just get items on the cheap but to create a new account for purchasing items in the name of somebody. A cybercriminal might view a student in terms of a commodity,” notes DCA deputy director Adam Benson.

Educational institutions dealing with financial assistance also need to account for Social Security numbers and financial information.

Tips for Universities to Protect User Data

The report dedicates a section to providing advice and suggestions on best practices to make the university community safer. It touches on several security areas:

  • Password education
  • Network segmentation
  • User awareness training
  • Multi-factor authentication
  • Layered defense approach

Teenager Hacks CIA Director’s Email Account

In a story first reported by the New York Post, it appears the personal AOL email account of CIA Director John Brennan has been hacked. The hacker contacted The Post—referring to himself as a high school student and detailing how he orchestrated the attack.

Apparently, Brennan’s private account contained sensitive files, one of which was his 47-page application to obtain top-secret security clearance. Other emails found in Brennan’s personal AOL account contained attachments and spreadsheets with sensitive personal information and Social Security numbers for several top U.S. intelligence officials. One letter that was recovered referenced the use of harsh interrogation techniques.

This comes months after news broke about Hillary Clinton using a private email server and email account to conduct government-related work.

The Hack

The hacker says that he started the attack by doing a reverse lookup on Brennan’s mobile phone number to find out he’s a Verizon customer. The next step was to call Verizon posing as an employee to fish for information on Brennan’s account. The hacker told Verizon that his tools weren’t working and wasn’t able to access the customer database.

The only thing left to do was give Verizon a made-up employee code and the information was his for the taking. The hacker was able to get Brennan’s account number, the four-digit PIN, the backup phone number for the account, the AOL email address, and the last four digits on his payment card.

The hacker turned his attention to AOL, calling and telling them he was locked out of his account and needed a password reset. The hacker answered the security questions by giving the last four digits of the payment card and verified the account with the name and phone number, then the password was successfully reset.

The hacker posted screenshots of some of the email contents on his Twitter @phphax. Brennan deleted the AOL account after being notified of the breach. But the hacker reports that there were several back and forth attempts to control the account.

Takeaways

This is a classic social engineering attack that shows everyone is vulnerable to having their accounts compromised. Always be careful what is stored and sent via email, and consider whether a personal email account is the proper method to communicate sensitive or work-related information.

Additional Resources

For more information about data breaches, ePlace Solutions is hosting a free webinar on the lessons learned from data breaches over the past 10 years on Wednesday, December 9th, at 10:30 AM PT / 1:30 PM ET. Register and share with others in your organization!

  • Event ID: 2015
  • Event Password: 9870

Target Breach: The Inside Story

By now everyone is familiar with the Target breach that compromised over 40 million customer debit and credit card accounts at the end of 2013. Shortly after discovering the breach, Target hired a Verizon security team to conduct penetration tests on its systems and networks to analyze and find any security flaws. Brian Krebs at KrebsOnSecurity got access to the finding from the Verizon report and wrote about the results on his blog.

Key Findings

Verizon discovered that there were no controls in place to limit access to any system, including POS systems. They were able to initiate communication between store registers and servers from the company’s core network. These findings validate the initial theory on how the attackers originally got into Target’s system. A small heating and air conditioning company working with Target suffered a breach, and the attackers utilized the virtual private network credentials found to remotely connect with Target’s network.

Passwords

The Verizon team found weaknesses relating to internal usage of passwords. Target had a password policy, but it wasn’t being followed by most of the employees. Weak and default passwords were found on several systems that allowed the team to take on a system administrator role and roam around Target’s internal network. It took the team one week to crack 472,308 of the 547,470 passwords (86%) that allowed access to internal networks.

Patching

Many systems were found to be missing critical security patches. There was a whole host of outdated software – Microsoft, Apache, IBM WebSphere, and PHP. The team was able to exploit the known vulnerabilities in the software and compromise other systems that eventually led to full access to the network.

Cyber Fusion Center

In response to the Verizon findings, Target built the Cyber Fusion Center, a team of security personnel to detect and respond to threats to its systems and networks. This group is referred to as the ‘red team’ and constantly test the security of the company’s networks and employees.

Takeaways

While somewhat obvious and elementary, the findings from the Verizon report on Target’s internal blunders can be a lesson for all retailers and organizations.

  • Network Segmentation. Limit the number of people with access to sensitive data and parts of the network. Access should be determined by the minimum necessary to perform a job function.
  • Find and Fix Vulnerabilities. Implement a process for finding and closing the security gaps. Taking advantage of vulnerabilities scanning tools and ensuring vulnerabilities are patched within a set time frame is a good start to a vulnerability management program.
  • Penetration Test. Attacking your own network before the bad guys do will help to identify the security issues that need to be addressed promptly. This should cut down the length of time weaknesses are allowed to exist within the network.

CareFirst BlueCross Breach Affects 1.1 Million

carefirstCareFirst BlueCross announced that it has suffered a data breach compromising the personal information of approximately 1.1 million customers. The attackers gained access to names, birth dates, email addresses, and insurance identification numbers. However, the compromised database did not include Social Security numbers, credit card numbers, passwords, or medical information.

After the recent wave of cyberattacks on health insurers, CareFirst contracted Mandiant to perform an audit on the organization’s IT environment. The audit revealed that attackers gained access to a database in June 2014 that stores manually entered data from members.

Signs point towards the same group from China thought to be behind the Anthem and Premera breaches. Both of the previous breaches used fake domains in order to resemble the original domain and trick the user by mimicking a common tool for allowing employees remote access to internal networks.

The same organization that registered the fake Anthem and Premera domains in April 2014 also registered two CareFirst phony domains – careflrst.com and caref1rst.com – replacing the “I” with an “L” and the number “1”.

The CareFirst breach further demonstrates the target on the back of health care organizations and insurers. Health information is highly valuable relative to other personal data, such as financial information, because unlike credit card numbers, you can’t replace medical records.

What Can You Do?

Making employees aware of the security risks is the first priority. Spoofed domains, like the ones in the CareFirst, Anthem, and Premera breaches, are becoming more common and effective. Employees should be aware of fake web domains, as well as other social engineering techniques seeking information like links and attachments in emails.

Lessons from the Anthem Breach – 9 Tips

shutterstock_163858277

HealthcareInfoSecurity posted a useful summary on Protecting Against Anthem-Like Attacks, outlining 9 Tips for minimizing the risk of hacker intrusions. These tips apply to other industries as well.

9 Tips to Minimize the Risk of Hacker Intrusions

  1. Train staff about phishing risks. Anthem believes the breach started with phishing emails sent to employees. It is important to teach employees to be suspicious of emails from unknown sources requesting information.
  2. Carefully analyze data storage practices. Healthcare organizations have large databases with sensitive information, and the trend is increased usage of massive databases. Organizations should use caution and proper security controls with large quantities of sensitive data.
  3. Carefully assess encryption. Anthem has acknowledged the breached data wasn’t encrypted. Experts urge healthcare organizations to take the next step and encrypt data at rest.
  4. Use a multilayered approach. Using multiple security defenses makes the task of accessing information more difficult for hackers.
  5. Use detection tools. It is important to implement intrusion prevention and detection tools, and to use them to perform penetration tests.
  6. Go beyond compliance. HIPAA’s security rule doesn’t provide an end-all solution to security; compliant companies can still suffer a breach.
  7. Limit Social Security number use. With the high value placed on SSNs,  organizations should avoid using them as identifiers.
  8. Monitor vendors. Although the Anthem breach did not involve a vendor breach, as the Target breach has shown, third-parties are one of the potential weak links to security.
  9. Share cyber-information with peers. Information sharing will help organizations keep ahead of threats.

Laptop, Passcodes, and Encryption Keys Stolen at Gunpoint

According to a press release from Brigham and Women’s Hospital (BWH) in Boston, a laptop computer and cell phone belonging to a BWH physician were stolen in an armed robbery. The plot twist came when the assailants forced the victim to reveal the passcodes and encryption keys, allowing the ability to view information stored in the devices.

The report notes that “the data contained on the devices included information of 999 patients who received treatment at BWH’s Neurology and Neurosurgery programs between October 2011 and September 2014. The data on the devices includes patient names or partial names, and may also include one or more of the following: medical record number, age, medications, and information about diagnosis and treatment.”

The theft was immediately reported to the Boston Police Department, and neither the laptop nor cell phone have been recovered.

This type of breach involving encrypted devices is unusual. The effort to steal the data might show increasing awareness among criminals that personal health information (PHI) has great value. This example also shows the risks of having PHI on portable devices, even if protected by encryption.

Best Practices –

  • One potential defense for this type of attack would be the use of encrypted hidden containers stored on the device. Even with the attacker bypassing the encryption keys and passcode, the data is hidden and secure on the device. However, it must be noted that attackers might have the capabilities for finding the hidden containers.
  • Avoid storing PHI data on portable devices. If remote access is needed, use 2 factor authentication VPN.
  • Have the ability to remotely wipe out data stored on portable devices as soon as it is reported as lost or stolen.
  • Encrypt individual documents containing sensitive data when possible.

California Extends Breach Notification Deadline from 5 to 15 Days

Effective January 1, 2015, Assembly Bill 1755 extends California’s breach notification deadline for medical information breaches from 5 business days to 15 business days for clinics, health facilities, home health agencies, and hospices.

Existing law requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclose of, patients’ medical information, as defined. Existing law requires the clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the State Department of Public Health and to the affected patient or the patient’s representative no later than 5 business days after the unlawful or unauthorized access, use or disclosure has been detected.