Category Archives: SEC

February 2024 Data Breach Round Up

Supply chain security concept illustration

From Healthcare to Finance: The Shocking Cybersecurity Wake-Up Call of February 2024

Lately, it feels like we’ve been hit by a wave of cybersecurity incidents that have really shaken things up. It’s not just a bunch of breaches we’re talking about here; we’re seeing huge, flashing signs telling companies it’s high time to beef up their cybersecurity defenses and get smarter about how they handle incidents when they happen. In this blog, I’ll dive into the chaos of these cyber incidents, break down their effects, and tease out the valuable lessons they’re teaching us. So, come along for the ride and read up about the top breaches of February! 


  1. Change Healthcare


Change Healthcare, a subsidiary of UnitedHealth Group, experienced a cybersecurity incident on February 21, 2024, that has led to significant disruptions across the U.S. healthcare sector, affecting hospitals, pharmacies, and millions of patients. This breach, described by government and industry officials as one of the most severe attacks on the health-care system in U.S. history, has highlighted critical vulnerabilities within the U.S. healthcare infrastructure. Change Healthcare, crucial for processing 15 billion claims amounting to over $1.5 trillion annually, acts as an intermediary between healthcare providers and insurers. The attack has not only compromised patient data but has also strained the financial operations of healthcare organizations reliant on Change’s services for billing and reimbursement.


The ramifications of this incident are widespread, with some hospitals unable to discharge patients due to medication access issues and others facing severe financial strains. Senate Majority Leader Charles E. Schumer has called for expedited payments to affected healthcare providers to mitigate the financial impact. Despite efforts to manage the situation, including temporary assistance from Optum and manual claims processing, the industry faces “very, very imperfec t workarounds,” according to Molly Smith from the American Hospital Association. The attack underscores the urgent need for enhanced cybersecurity measures across the healthcare ecosystem to prevent future disruptions and safeguard patient information.


In a company update, they confirm that they are “experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”


  1. Unlocking the Impact: Fidelity’s Third-Party Vendor Vulnerability Exposed


On February 13, 2024, Fidelity Investments Life Insurance Company and Empire Fidelity Life Insurance Company discovered a cybersecurity incident involving their third-party vendor, Infosys McCamish Systems (IMS), which may have impacted the security of personal information belonging to approximately 28,268 people. IMS, responsible for administering certain life insurance policies for a limited number of customers, experienced a cybersecurity event when an unauthorized third party gained access to IMS systems between October 29, 2023, and November 2, 2023, potentially compromising data including names, Social Security Numbers, dates of birth, and bank account details used for premium payments. 


  1. Medical Management Resource Group: Eyes Wide Open

American Vision Partners, a company specializing in providing administrative support to ophthalmology practices, has recently addressed a significant cybersecurity breach affecting patient information. On February 15, 2024, the company sent out notification letters explaining that on November 14, 2023, the organization detected unauthorized access within its network infrastructure. Immediate action was taken to mitigate the breach by isolating the affected systems, initiating a thorough investigation with the help of leading cybersecurity experts, and notifying law enforcement authorities. Despite these efforts, it was confirmed by December 6, 2023, that the breach led to unauthorized access to personal data of patients linked to the practices serviced by American Vision Partners. The compromised data encompasses a range of sensitive information, including names, contact details, dates of birth, Social Security numbers, and specific medical and insurance details. 


It has also come to light that not only patients but also employees of the affected organization were victims of a data breach. The compromised information varies among individuals but could include a range of personal details such as names, contact information, dates of birth, Social Security numbers, driver’s license and passport details, and even bank account numbers. While not every piece of information was accessed for each individual, the breach’s potential impact is taken with utmost seriousness. In response, the organization is proactively offering identity protection and credit monitoring services to all impacted employees for two years at no charge, demonstrating a commitment to the security and welfare of its personnel. 


About 2,264,157 individuals were impacted by this incident. 


  1. Spark Driver: A Rough Road for Walmart’s Workforce

On February 23, 2024, Walmart Inc. notified employees about a recent security incident that has impacted Spark Driver™ accounts. This breach, discovered in late January, allowed unauthorized access to employees’ driver profiles, potentially compromising sensitive information, including Social Security Numbers, drivers licenses, dates of birth, names, and contact details. The breach provided the intruder with the ability to view details about earnings, tax information, driver verification documents, and background checks.


  1. LoanDepot: A Flood of Personal Data at Risk


LoanDepot issued a notice on February 23, 2024, regarding a data breach that potentially compromised sensitive personal information of almost 17 million people due to unauthorized access to its systems. This security incident was first identified on January 4, 2024, prompting immediate actions to contain and address the breach, including contacting law enforcement and initiating a thorough investigation with external cybersecurity experts. The breach, occurring between January 3 and January 5, 2024, may have exposed personal details such as names, addresses, email addresses, financial account numbers, Social Security numbers, phone numbers, and dates of birth.


In response to this incident, LoanDepot has taken significant measures to secure its systems and mitigate any potential impact on affected individuals. Although there is currently no evidence to suggest that the accessed information has been used maliciously, LoanDepot is offering 24 months of complimentary identity protection and credit monitoring services through Experian. This service is designed to assist in detecting and resolving identity theft and fraud. Affected individuals are encouraged to follow the provided instructions to enroll in these protection services to safeguard their personal information.


  1. UNITE HERE: A Union Under Siege


UNITE HERE, representing a substantial workforce across the U.S. and Canada, has formally reported a data breach to the Maine Attorney General on February 23, 2024, following the detection of unauthorized access to its IT network. The breach was discovered on October 20, 2023, when it was found that an unauthorized entity had gained access to their systems, impacting about 791,273 individuals. The potentially compromised information includes a wide array of personal data such as names, Social Security numbers, driver’s licenses, state ID numbers, alien registration numbers, tribal identification numbers, passport numbers, birth certificates, dates of birth, marriage licenses, signatures, financial account information, and medical data. 


Although there is no current evidence to suggest that this breach has led to identity theft or fraud, UNITE HERE is proactively informing affected individuals and has implemented several security measures. These measures include resetting system passwords, enhancing security protocols, and cooperating with law enforcement to prevent future incidents.


  1. Xerox Corporation: Copying Catastroph


On February 20, 2024, Xerox issued an alert regarding a security breach within its subsidiary, Xerox Business Services (XBS), emphasizing that safeguarding the data privacy and protection of its clients, partners, and employees remains a paramount concern. In early December 2023, an unauthorized entity managed to infiltrate a segment of the XBS network. Despite the swift detection and containment efforts by Xerox personnel, the investigation revealed that on December 10, 2023, the intruder succeeded in extracting a limited set of data from XBS’s systems.


The compromised information primarily includes names, contact details, and Social Security numbers of those affected. Xerox is actively conducting a comprehensive investigation into the breach and has already involved law enforcement agencies. Despite the ongoing legal probe, Xerox has chosen to promptly inform all impacted parties, underscoring its commitment to transparency and the importance of immediate action to address the security incident.


  1. PJ&A: Confidentiality on the Line


Perry Johnson & Associates, Inc. (PJ&A), a provider of medical transcription services for healthcare organizations including Concentra Health Services, Inc. (Concentra), has reported February 8th, a security incident affecting certain patient information. This incident, which did not affect Concentra’s systems directly, resulted from unauthorized access to PJ&A’s systems between March 27, 2023, and May 2, 2023. Notably, on April 7 and April 19, 2023, an unauthorized actor accessed a system containing Concentra patients’ information.


Upon detecting suspicious activity, PJ&A promptly initiated an investigation with cybersecurity experts to assess the incident’s scope and impact. The investigation identified that personal information, such as names and addresses, of almost 13 million Concentra patients was potentially compromised. Following the investigation, PJ&A informed Concentra, which then undertook efforts to verify affected patients and expedite notification.


To mitigate potential risks and support affected individuals, PJ&A is offering credit monitoring services through IDX for a specified period at no cost. Individuals are advised to remain vigilant by monitoring their account statements and credit reports for any suspicious activity and to consider enrolling in the provided credit monitoring service. Detailed instructions for enrollment and additional protective measures are included in PJ&A’s communication to the impacted parties.


  1. Verizon: An Inside Job


Verizon, one of the largest telecommunications service providers in the US has issued a notification concerning unauthorized access to certain personal information of its employees by one of its employees, in breach of company policies. This incident, identified around September 21, 2023, but addressed in February to the Maine Attorney General, involved unauthorized acquisition of a file containing employee data such as names, addresses, Social Security numbers or other national identifiers, gender, union affiliations, dates of birth, and compensation details. Currently, there is no indication that this information has been misused or disseminated outside of Verizon.


In response to this incident, Verizon undertook an immediate review to ascertain the nature of the compromised information and has taken steps to enhance its technical controls to prevent similar incidents in the future. The company has also informed relevant regulatory bodies about the breach.




From the major upset at Change Healthcare to the breach in Verizon’s backyard, it’s pretty obvious we’re standing at a major fork in the road. These incidents aren’t just cautionary tales; they’re wake-up calls, highlighting just how crafty and relentless cyber threats have become, and just how tough our defenses need to be.  Each month, we compile a summary of the most significant breaches from the preceding period. Be sure to explore our latest round-up! At Findings, we streamline the process of cybersecurity compliance assessments, ensuring your systems adhere to pertinent regulations while safeguarding your infrastructure.




Automate Your Cybersecurity Compliance Journey

* indicates required
Your work email please

January 2024 Data Breach Round Up

January 2024 data breaches findings.co

Enhancing Cybersecurity in the Face of Growing Threats

U.S. SEC’s X Account Compromise

The U.S. Securities and Exchange Commission’s (SEC) X account was hacked to falsely announce the approval of Bitcoin ETFs, causing a temporary spike in Bitcoin prices. The false claim was quickly addressed by SEC Chairperson Gary Gensler, who clarified that the SEC had not approved Bitcoin ETFs and that the tweet was unauthorized. This hacking incident is part of a broader wave of cyberattacks on verified X accounts aimed at promoting cryptocurrency scams. Notably, companies like Netgear, Hyundai MEA, and cybersecurity firms such as CertiK and Mandiant have also been targeted. The SEC has terminated the unauthorized access and is collaborating with law enforcement to investigate the breach and its implications. The incident underscores the growing concern over cybersecurity in the digital finance space.

VF Corporation Data Breach

On January 18, 2024, VF Corporation, the parent company of popular brands such as Vans, Timberland, The North Face, Dickies, and Supreme, reported a ransomware attack it experienced in December that compromised the personal information of over 35 million customers. Fortunately, sensitive information like social security numbers, bank account, or payment card details were not stolen as the company does not store these details on its systems. Despite no evidence of stolen consumer passwords, the breach disrupted business operations, leading to the temporary shutdown of IT systems, inventory replenishment issues, and delayed order fulfillments. VF Corp has since managed to restore the affected IT systems and reported minimal operational issues in its retail stores, e-commerce sites, and distribution centers as of the latest update.

Trello API Misuse

An exposed Trello API vulnerability was exploited to link private email addresses to 15 million Trello accounts, leading to a significant data leak. The issue came to light when a user named ’emo’ attempted to sell the data on a hacking forum, which included emails, usernames, full names, and other account information. Trello, owned by Atlassian, attributed the leak to public data scraping and not unauthorized system access. However, further investigation revealed that a publicly accessible API allowed the association of email addresses with Trello profiles without requiring authentication. Trello has since modified the API to prevent unauthenticated queries, aiming to balance user convenience with security. The data breach underscores the potential for abuse in public APIs and highlights the importance of securing such interfaces against unauthorized access. This incident also raises concerns about the use of public data in targeted phishing campaigns, prompting users to be vigilant.

Capital Health Ransomware Attack

The LockBit ransomware group has taken responsibility for a cyberattack on Capital Health, a key healthcare provider in New Jersey and Pennsylvania, in November 2023. On their data leak site, the group wrote, “We purposely didn’t encrypt this hospital so as not to interfere with patient care. We just stole over 10 million files.” They have threatened to release seven terabytes of sensitive data and negotiation communications if their ransom demands are not met. Although LockBit typically forbids affiliates from encrypting hospital network files to avoid disrupting patient care, they claim to have stolen data without encryption in this instance. Capital Health has restored its systems and enhanced security measures but is still assessing the extent of the data breach. This incident is part of a disturbing trend where healthcare organizations, despite guidelines advising against such attacks for ethical reasons, are increasingly targeted by ransomware gangs. LockBit’s actions, including previous attacks on healthcare institutions globally, challenge the notion of “harmless” cyberattacks by highlighting the potential for significant operational disruptions and data breaches within the healthcare sector.

loanDepot Cyberattack

loanDepot, a leading U.S. mortgage lender, experienced a cyberattack that disrupted its IT systems and online payment portal, affecting customers’ ability to make loan payments and contact the company via phone. In company notice, it is now revealed that, “Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems. The Company will notify these individuals and offer credit monitoring and identity protection services at no cost to them.” The incident led loanDepot to take certain systems offline as they work with law enforcement and forensic experts to investigate and resolve the issue. In an 8-K filing, the company reported that the unauthorized actor gained access to certain company systems and the encryption of data. This attack raises concerns about potential data theft, including sensitive customer information, which could lead to phishing attacks or identity theft. This event marks another significant cyber challenge for loanDepot, following a data breach disclosed in May from an August 2022 cyberattack, highlighting ongoing security threats in the financial services sector.

Trezor Support Site Breach

Trezor, a leading hardware cryptocurrency wallet provider, announced a security breach affecting its third-party support ticketing portal, exposing personal data of 66,000 customers. The breach, detected on January 17, led to unauthorized access but did not compromise users’ digital assets. Trezor reassured customers that their funds remain secure and their devices are unaffected. However, the breach exposed names or usernames and email addresses of users who interacted with Trezor Support since December 2021. Although other personal information like postal addresses and phone numbers were stored, there’s no evidence they were accessed. The company confirmed 41 instances of data exploitation, with attackers phishing for users’ recovery seeds via email, posing as Trezor Support. Trezor has alerted potentially affected users, emphasizing that wallet recovery seeds should never be shared, as disclosing them could lead to irreversible cryptocurrency theft. The unauthorized access has been terminated, and the risk mitigated.

Veolia North America Ransomware Attack

Veolia North America, part of the global Veolia group, was hit by a ransomware attack affecting its Municipal Water division’s systems and disrupting online bill payment services. Veolia responded by taking certain systems offline and is collaborating with law enforcement and forensic experts to understand the attack’s full impact. The company reassured customers that payments made during the disruption have been processed and no late fees or interest charges will apply. Importantly, Veolia’s water treatment and wastewater services remained uninterrupted, indicating the attack was limited to internal back-end systems. A small number of individuals’ personal information may have been compromised, and Veolia is assessing the extent of this breach. This incident underscores the growing cybersecurity threats facing critical water infrastructure, highlighting recent attacks on other water services and CISA’s efforts to bolster security within the sector.

Jason’s Deli Credential Stuffing Attack

Jason’s Deli has reported a data breach due to a credential stuffing attack, impacting customers of its online platform. Hackers obtained login credentials from other breaches and tested them on Jason’s Deli’s website on December 21, 2023. This type of attack exploits the common practice of using the same password across multiple services, posing a risk to accounts with reused credentials. The breach potentially exposed personal data including names, addresses, phone numbers, birthdays, preferred locations, account numbers, Deli Dollar points, and the last four digits of credit card and gift card numbers. The exact number of affected accounts is unknown, but all potentially impacted customers, estimated at 344,034, have been notified and advised to reset their passwords. Jason’s Deli is also restoring any unauthorized use of Deli Dollars to ensure customers do not face losses.

A Call to Action for Cybersecurity Leaders

These incidents collectively highlight the multifaceted nature of cyber threats and the critical need for advanced security measures, employee training, and regulatory compliance. CISOs, cybersecurity experts, and risk managers must remain vigilant, adopting a proactive approach to cybersecurity that anticipates and mitigates potential threats. Collaboration, innovation in security technologies, and adherence to best practices are essential in safeguarding against the evolving cyber threat landscape, ensuring the integrity and resilience of organizational operations in an increasingly digital world.

2024 Trends Unveiled: Cybersecurity as a Key Business Enabler

As 2024 unfolds, we are witnessing a revolutionary transformation in the cybersecurity landscape. No longer a mere aspect of IT, cybersecurity is now a pivotal driver in reshaping business operations on a global scale. This blog post delves into the forefront of cybersecurity, compliance, highlighting pivotal regulations such as the ASEAN Guidelines on Consumer Impact Assessment (CIA), CMMC, PCI DSS 4.0, DORA, and SEC incident disclosure regulations. These emerging trends are rapidly becoming the gold standard in global business cybersecurity practices.

 

CMMC: Evolving from Defense to a Universal Cybersecurity Benchmark

  • The Cybersecurity Maturity Model Certification (CMMC) is evolving from its U.S. defense sector roots to a worldwide cybersecurity standard. Now applicable across various industries, CMMC’s layered cybersecurity approach is garnering universal acceptance. Its comprehensive framework, focused on continuous improvement, is especially vital for entities managing sensitive or critical data, signifying a move towards standardized cybersecurity excellence.

PCI DSS 4.0: Revolutionizing Payment Security Standards

  • PCI DSS 4.0 is revolutionizing payment security standards globally in 2024. This updated version introduces an adaptive, risk-based approach, essential for any business involved in digital transactions. Its flexibility and focus on tailored security measures are vital for e-commerce, financial institutions, and others in the payment ecosystem, making PCI DSS 4.0 compliance synonymous with secure and trustworthy payment processing.

DORA: Spearheading Digital Resilience in the Financial Sector

  • The Digital Operational Resilience Act (DORA) is a groundbreaking EU regulation shaping the financial sector’s approach to digital risks in 2024. Its influence extends globally, affecting financial entities interacting with the EU market. DORA emphasizes operational resilience, highlighting the need for robust digital risk management in today’s interconnected digital finance landscape.

SEC Incident Disclosure: Championing Transparency in Corporate Cybersecurity

  • The SEC’s incident disclosure regulations are leading a worldwide movement towards transparency in corporate cybersecurity. These mandates, which require prompt and detailed disclosure of cybersecurity incidents, are becoming critical for publicly traded companies globally. This shift towards transparency and accountability in cybersecurity reflects an increasing demand from investors and consumers for trustworthiness and integrity in corporate practices.

ASEAN CIA: Redefining Cybersecurity with a Consumer-Centric Approach

  • The ASEAN Guidelines on Consumer Impact Assessment, originating from Southeast Asia, are now setting a global precedent. These guidelines shift the focus towards assessing cybersecurity’s impact on consumers, prioritizing their rights and data privacy. This consumer-centric approach, especially critical for businesses in or targeting the ASEAN market, is now a global best practice. It underscores the imperative of balancing robust security with consumer rights, a notion gaining traction across various industries.

Other Regulatory Developments Shaping the Cybersecurity Domain

Additional global regulations also predict significant cybersecurity trends:

  • GDPR: Continues to influence data privacy and protection globally, impacting businesses handling EU citizens’ data.

  • ISO/IEC 27001: Gaining traction as a comprehensive framework for managing information security, key for organizations striving for global best practices.

  • NIST Framework: Increasingly adopted worldwide, indicating a move towards unified approaches in cybersecurity risk management.

Cybersecurity Compliance: A Strategic Business Advantage

In 2024, adherence to these emerging cybersecurity regulations offers businesses a strategic advantage. It transcends legal compliance, fostering trust, enhancing brand reputation, and providing a competitive edge. The integration of AI in cybersecurity is another emerging practice, offering efficient and effective solutions for meeting these standards.

  • Increased Focus on Supply Chain Attacks: Modern supply chains are interconnected and complex, making them susceptible to cyberattacks. A breach in one part can have a cascading effect, impacting multiple businesses. This emphasizes the need for rigorous cybersecurity measures across the entire supply chain.

  • Collaborative Risk Management: The trend towards collaborative defense strategies is based on the principle that sharing threat intelligence and best practices can strengthen the security posture of all involved parties. By learning from each other’s experiences, industries can develop more effective defenses against common threats.

State-Sponsored Cyber Attacks: An Escalating Concern

  • Global Ramifications: State-sponsored cyberattacks are particularly concerning due to their scale and impact. These attacks target critical infrastructure, such as energy grids or financial systems, and can compromise national security. The global nature of these threats requires an international response and cooperation.

  • Advanced Countermeasures: To combat these sophisticated threats, organizations need to implement advanced threat detection systems that can identify and neutralize attacks quickly. A zero-trust security model, where trust is never assumed and verification is required from everyone, can be crucial in mitigating these risks. Continuous monitoring ensures that any suspicious activity is detected and addressed promptly.

AI in Cybersecurity: A Complex Role

  • Enhanced Detection and Response: AI can significantly improve threat detection by analyzing vast amounts of data to identify patterns that may indicate a cyberattack. However, this technology can also be used by attackers to create more sophisticated threats, such as deepfakes or AI-driven phishing attacks.

  • Proactive Mitigation Strategies: Organizations must not only invest in AI-based defense systems but also ensure that their workforce is trained to recognize and respond to AI-generated threats. This includes understanding the limitations of AI and being able to identify when a human response is required.

Ransomware Evolution: The Changing Landscape of Cyber Extortion

  • Sophisticated Tactics: Modern ransomware attacks are more than just data encryption; attackers are now threatening to leak sensitive data if the ransom isn’t paid, adding an extra layer of coercion. This dual-threat approach makes it even more challenging for victims to decide whether to pay the ransom or risk public exposure of their data.

  • Comprehensive Defense Strategies: To protect against these evolving ransomware threats, organizations must have robust backup systems that can restore data with minimal loss. Employee training is crucial to help staff recognize and avoid potential ransomware attacks. Additionally, a well-prepared incident response plan can ensure quick action to mitigate damage if an attack occurs.

The Metaverse and Cloud Security: New Frontiers, New Risks

  • Expanded Attack Vectors: As businesses venture into new digital domains like the metaverse and cloud platforms, they face new cybersecurity challenges. These platforms can provide attackers with novel ways to exploit security vulnerabilities.

  • Proactive Security Measures: Ensuring security in these new environments involves a comprehensive approach that includes strong encryption to protect data, robust identity management to verify users, and regular security audits to identify and address vulnerabilities.

The Human Element: Bolstering the Frontlines of Cyber Defense

  • Empowering Through Training and Awareness: Regular and comprehensive training programs are essential in equipping employees with the necessary skills to recognize and prevent security breaches. This training should cover the latest cybersecurity threats and best practices.

  • Cultivating a Security-First Mindset: Creating a culture of security within the organization is crucial. This involves fostering an environment where employees are aware of the importance of cybersecurity and are motivated to take proactive steps to protect the organization’s digital assets.

As 2024 progresses, it’s clear that these cybersecurity trends and regulations are not just shaping, but redefining business strategies. From the consumer-centric ASEAN CIA guidelines to CMMC’s comprehensive security model, and the transparency demanded by SEC disclosure regulations, these developments are crucial in enabling businesses to thrive in the digital era. By staying ahead of these trends, companies can harness cybersecurity not only as a compliance requirement but as a cornerstone for growth and success. Understanding evolving regulations, embracing innovative technologies, and reinforcing human-centric defenses remain key to ensuring business resilience and triumph in an increasingly digitized world.

November Security Breach Round Up

November Security Breaches

Welcome to this month’s edition of our data breach round up, where we unravel the recent cyber threats that have sent shockwaves across industries. In a digital landscape fraught with challenges, our commitment at Findings is to equip you with the knowledge and tools necessary to navigate these turbulent waters.

This month’s featured breaches spotlight the vulnerabilities that transcend sectors, from the technology giant Samsung to the healthcare domain with McLaren Health Care, and even reaching into the retail space with Dollar Tree. Each incident reveals not only the compromise of personal and sensitive data but also the profound implications for privacy, security, and trust in our increasingly interconnected world.

  1. Samsung:

    Samsung has acknowledged a significant data breach affecting its U.K. customer base. The breach, which spanned a year, was first brought to light in a statement to TechCrunch by Chelsea Simpson, a spokesperson for Samsung via a third-party agency. According to Simpson, the breach led to unauthorized access to contact details of some Samsung U.K. e-store customers. The specifics of the breach, including the number of affected customers and the method used by hackers, remain undisclosed.

    In communications with affected customers, Samsung revealed that the breach stemmed from a vulnerability in an unspecified third-party business application. This vulnerability exposed the personal data of customers who made purchases on the Samsung U.K. store from July 2019 to June 2020. The company only discovered the breach on November 13, 2023, over three years after the fact, as detailed in a letter to customers that was shared on X (formerly Twitter).

    The compromised data includes names, phone numbers, postal and email addresses, but Samsung assures that no financial information or passwords were affected. The company has reported the breach to the U.K.’s Information Commissioner’s Office (ICO), where spokesperson Adele Burns confirmed that the regulator is conducting enquiries into the incident.

    This breach marks the third such incident disclosed by Samsung in the past two years. Previous breaches include a September 2022 attack on Samsung’s U.S. systems, with undisclosed customer impact, and a March 2022 breach where Lapsus$ hackers allegedly leaked around 200 gigabytes of Samsung’s confidential data, including source codes and biometric unlock algorithms.

  2. KidSecurity:

    KidSecurity, a popular parental control app, inadvertently exposed user data due to a security oversight. The app, with over a million downloads, tracks children’s locations and activities. Researchers discovered that the app failed to secure its Elasticsearch and Logstash databases, leaving over 300 million records publicly accessible for over a month. This exposed data included 21,000 phone numbers, 31,000 email addresses, and partial credit card information.

    The unprotected data became a target for malicious actors, with indications of a compromise by the ‘Readme’ bot. Cybersecurity expert Bob Diachenko highlighted the severity of this breach, especially considering the app’s focus on children’s safety. The exposure of sensitive information such as contact details and payment information poses serious risks, including identity theft and fraud. KidSecurity had yet to comment on the breach at the time of the report.

  3. McLaren Health Care:

    McLaren Health Care recently informed its patients of a cybersecurity incident affecting its computer systems. The healthcare provider noticed suspicious activity around August 22, 2023, and immediately commenced an investigation with third-party forensic specialists. This inquiry revealed unauthorized access to McLaren’s network between July 28 and August 23, 2023, with potential data acquisition by the unauthorized party.

    A thorough review, completed by October 10, 2023, indicated that sensitive information might have been compromised. The data at risk includes names, Social Security numbers, health insurance details, medical information like diagnoses, physician details, medical records, and Medicare/Medicaid data.

    In response, McLaren has taken steps to secure its network and is reviewing and reinforcing its data protection policies and procedures. They are also offering affected individuals identity theft protection services through IDX, including credit monitoring and a $1,000,000 insurance policy, valid until February 9, 2024.

    McLaren urges individuals to stay vigilant, monitor their financial statements, and report any suspicious activity. For further assistance, IDX is available for inquiries, with representatives knowledgeable about the incident. McLaren emphasizes that, as of now, there is no evidence of misuse of the compromised information.

  4. Staples:

    Staples, a prominent American office supply retailer, recently confirmed a cyberattack that led to significant service disruptions and delivery issues. The company, operating 994 stores across the US and Canada and 40 fulfillment centers, took immediate action to contain the breach and safeguard customer data. The incident came to light following multiple Reddit posts from earlier in the week, reporting issues with Staples’ internal operations. Employees noted problems accessing various systems, including Zendesk, VPN employee portals, and email services. Comments on Reddit from Staples employees expressed surprise and concern, with one stating, “I’ve never seen anything like this in my 20 years with Staples.”

    Unconfirmed reports also suggested that employees were advised against using Microsoft 365’s single sign-on and that call center staff were sent home. Staples confirmed to BleepingComputer that they had to take protective measures against a “cybersecurity risk,” which disrupted their backend processing, product delivery, and customer service communications. Although Staples stores remain open, the company’s online operations, including staples.com, continue to face challenges. A company spokesperson stated that systems are gradually coming back online, but some delays in processing orders are expected. Staples has assured a swift return to normal operations and has posted a similar notice on their website.

    BleepingComputer reported that no ransomware or file encryption was involved in the attack. Staples’ rapid response, including shutting down networks and VPNs, may have prevented the attack from reaching its full potential. The extent of any data theft and the potential consequences, such as ransom demands, remain to be seen. This cyberattack is not Staples’ first brush with cybersecurity issues. In March 2023, Essendant, a Staples-owned distributor, faced a multi-day outage impacting online orders. Furthermore, in September 2020, a data breach at Staples exposed customer and order information due to an unpatched VPN vulnerability.

  5. Dollar Tree:

    Dollar Tree, a notable discount retail chain with stores across the United States and Canada, has been affected by a data breach involving a third-party service provider, Zeroed-In Technologies. This breach has impacted nearly 2 million individuals, specifically targeting Dollar Tree and Family Dollar employees.

    The breach, occurring between August 7 and 8, 2023, was disclosed in a notification to the Maine Attorney General. While the intrusion into Zeroed-In’s systems was confirmed, the exact details of accessed or stolen files remained unclear. Consequently, Zeroed-In conducted a thorough review to identify the compromised information, which included names, dates of birth, and Social Security numbers (SSNs).

    Affected individuals have been notified and offered a twelve-month identity protection and credit monitoring service. In response to inquiries from BleepingComputer, a Family Dollar spokesperson stated, “Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.”

    The breach’s impact may extend beyond Dollar Tree and Family Dollar, potentially affecting other Zeroed-In customers, although this has not been confirmed. Zeroed-In has not responded to inquiries about the incident.

    The breach’s magnitude has prompted law firms to investigate the possibility of a class-action lawsuit against Zeroed-In.

  6. General Electric:

    General Electric (GE), a prominent American multinational involved in various industries, is investigating a possible cyberattack and data theft. A hacker known as IntelBroker allegedly breached GE’s development environment, initially attempting to sell access on a hacking forum for $500. After failing to attract buyers, the threat actor claimed to offer both network access and stolen data, including sensitive military and DARPA-related information.

    IntelBroker, recognized for previous high-profile cyberattacks, provided screenshots as evidence of the breach, showing data from GE Aviation’s database on military projects. GE confirmed to BleepingComputer their awareness of these allegations and their ongoing investigation.

    IntelBroker’s past exploits include a breach of the Weee! grocery service and a significant data theft from D.C. Health Link, a healthcare marketplace used by White House and House staff. The D.C. Health Link breach, which led to a congressional hearing, revealed that a misconfigured server had exposed sensitive data online.

  7. HSE:

    Holding Slovenske Elektrarne (HSE), Slovenia’s largest electricity provider, was recently hit by a ransomware attack. Despite this, the company’s power generation remained unaffected. HSE, which accounts for about 60% of Slovenia’s domestic power production, managed to contain the attack within a few days.

    The company’s IT systems and files were encrypted, but operational functions continued normally. HSE informed national cybersecurity authorities and the police, and engaged external experts for mitigation. While no ransom demand has been received yet, the company remains cautious during the cleanup process.

    Unofficial sources attribute the attack to the Rhysida ransomware gang, known for high-profile attacks without immediate ransom demands. The breach might have occurred through stolen passwords from unprotected cloud storage, although this has not been confirmed. Rhysida has been active since May 2023 and is notorious for targeting various organizations internationally. HSE is yet to issue a formal response to these allegations.

The array of cyberattacks faced by the companies above demonstrate the complexity and severity of the cybersecurity landscape. These incidents serve as stark reminders of the persistent threats in the digital domain, urging organizations to fortify their defenses and adopt more robust data protection measures. As the aftermath of these breaches unfolds, it is imperative for companies to not only address the immediate security gaps but also to engage in proactive measures to safeguard against future threats. Furthermore, these events underscore the need for ongoing vigilance, transparency, and collaboration among businesses, regulatory bodies, and cybersecurity experts to enhance the resilience of our digital ecosystem against such pervasive and evolving threats.

The SEC’s New Cyber Rules

what every ciso needs to know about the new cybersecurity sec rules

What Every Public Company CISO Must Know:

The role of a Chief Information Security Officer (CISO) in public companies has never been more pivotal. With cyber threats escalating in scale and sophistication, the Securities and Exchange Commission (SEC) has rolled out new cyber regulations aimed at safeguarding investors, stakeholders, and the broader market. Given that the amendments took effect on September 5, 2023, it’s crucial for your organization to be informed. While the final rules are quite lengthy, I’ll offer a condensed and digestible version in this blog post to help you understand the key points – so make sure to read on!

The Backdrop:

Back in March 2022, the Commission took the bold step of introducing a suite of regulations. The intent was clear: fortify public company disclosures concerning cybersecurity. This encompassed key areas such as cyber threats, strategic countermeasures, governance structures, and insights into major cyber incidents.

At the time, there were several major trends that led the Commission to take this action. The digital evolution and massive work-from-home shifts, intertwined with the allure of cybercrime monetization and an overarching reliance on third-party tech services like cloud platforms, have stretched cyber risk boundaries. The financial fallout from cyber incidents have also skyrocketed. Given all of this, the Commission’s move to ensure transparency isn’t just timely—it’s imperative.

Though the Commission offered guidance in 2011 and 2018, the standards remained inconsistent. The 2022 regulations were introduced to bring consistency and offer investors clearer insights.

Key Mandates To Be Aware Of:

Skip ahead to 2023, and the SEC’s proposed rules have officially transformed into finalized rules. Here are the essential highlights you should be aware of…

  1. Form 8-K Item 1.05: A pivotal element in the new regulations. Public companies now have the duty to report significant cyber incidents. Reports must, “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.” 

  2. Disclosure Timeline: Post a cyber event, companies need to swiftly gauge its significance. If found consequential, a Form 8-K needs to be filed within four business days. However, exceptions do exist. Should the U.S. Attorney General deem a quick disclosure a threat to national or public safety, delays can ensue.

  3. Regulation S-K Item 106: This regulation delves deep. It mandates firms to shed light on their cyber threat assessment, detection, and management strategies. Past incidents that have or might have considerable ramifications also need to be outlined. Plus, it casts the spotlight on how involved the board is in overseeing cyber risks and the prowess of the management in mitigating them.

  4. International Disclosures: The SEC is highlighting that global transparency is crucial. Modifications to Form 6-K and Form 20-F ensure that foreign private entities aren’t left out. Significant cyber events disclosed overseas or required by foreign issuers need to be detailed.

What Lies Ahead:

The new regulations will be operational a month after their Federal Register appearance. For companies, the compliance timelines are split based on the form:

  • Regulation S-K Item 106 & Form 20-F: Disclosure starts with annual statements for fiscal years ending on or after December 15, 2023.

  • Form 8-K Item 1.05 & Form 6-K: Compliance starts 90 days post Federal Register publication or by December 18, 2023, except for smaller firms. They have until June 15, 2024.

  • Finally, when it comes to structured data mandates, the spotlight is on Inline XBRL. The final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language. Entities must tag their disclosures using this format, a year after the kick-off of initial disclosure duties. To simplify what this filing format is for those who may not be aware, it’s a special language for computers that makes it possible to create a single document that’s human and machine readable. So, instead of making two different documents (one for people to read and one for computers to understand), you just make one using Inline XBRL.

Every day we are reminded how crucial cyber resilience is. For CISOs in public companies, aligning with the SEC’s updated cyber regulations is not just about compliance—it’s a commitment to transparency, investor protection, and long-term business sustainability.



August Data Breach And Security Round Up

august security breach round up

August may be known for summer vacations and relaxing by the beach, but in the world of hackers, it was a month of action-packed cyber escapades. As the digital realm grows, so does the audacity of those who breach the walls of data security. In this blog post, I will take you through the breaches that unfolded in the hot days of August. From electric cars to language learning apps, we’ve got it all covered. Let’s dive in.

Tesla:

Tesla recently reported a data breach affecting over 75,000 of its employees to insider misconduct, according to an official statement. The electric vehicle manufacturer, headed by Elon Musk, stated in a data breach report submitted to Maine’s Attorney General that a thorough investigation determined two former employees had disclosed personal information belonging to more than 75,000 individuals to a foreign media organization.

Tesla’s data privacy officer, Steven Elentukh, stated in the report that “the investigation uncovered that two former Tesla employees wrongfully obtained and shared this information, contravening Tesla’s IT security and data protection protocols by providing it to the media outlet.”

The sensitive data included personally identifiable details such as names, addresses, contact numbers, employment records, and Social Security numbers of 75,735 past and current Tesla employees. The report also revealed that the two ex-employees had transmitted this data to the German newspaper Handelsblatt, which assured Tesla it would refrain from publishing the information and adhere to legal restrictions concerning its use.

In May, Handelsblatt had previously reported a significant breach at Tesla, disclosing various internal documents, known as the “Tesla Files,” totaling 100 gigabytes of confidential information. These documents included employee personal data, customer banking information, proprietary production details, and customer grievances regarding Tesla’s Full Self-Driving (FSD) functionalities. Remarkably, the leak even contained Elon Musk’s Social Security number.

Tesla responded by initiating legal action against the individuals believed to be responsible for the data breach, leading to the confiscation of their electronic devices. Additionally, the company obtained court orders to prevent these former employees from further accessing, sharing, or using the data, with potential criminal consequences for violations.

This incident follows a previous report in April by Reuters, which revealed that Tesla employees had shared sensitive images recorded by customer vehicles, including invasive pictures and videos captured by car cameras, over the period from 2019 to 2022.

Duolingo:

In January 2023, a data breach of Duolingo resulted in the exposure of 2.6 million users’ data on a hacking forum. This has created an opportunity for malicious actors to execute targeted phishing campaigns using the compromised information. The dataset consists of public login and real names, along with confidential details, such as email addresses and internal data related to the Duolingo platform, which can be exploited in cyberattacks.

The data was acquired by exploiting a publicly available application programming interface (API), which had been openly shared since at least March 2023. Researchers had been posting on social media and public platforms about the ease of using this API, which ultimately led to the data breach. The API permits anyone to input a username and receive JSON output containing the user’s publicly accessible profile data. Importantly, it also facilitates the input of an email address into the API to confirm its association with a valid Duolingo account.

The presence of email addresses in the dataset raises significant concerns as it can be exploited in phishing campaigns, which can have detrimental effects on individuals and organizations. It is vital to note that while the inclusion of real names and login names is part of a user’s Duolingo profile, the presence of email addresses is not considered public information.

Companies often downplay the significance of scraped data, as much of it is already publicly accessible, even if its compilation is not straightforward. However, when public data is combined with private information, such as phone numbers and email addresses, it amplifies the risk associated with the exposed data and may potentially breach data protection regulations. Facebook encountered a significant breach in 2021 when an “Add Friend” API flaw was exploited to link phone numbers to Facebook accounts for 533 million users. Subsequently, the Irish Data Protection Commission (DPC) imposed a fine on Facebook for this mishandling of scraped data.

I will say, it is also pretty concerning that the API, which led to the Duolingo data breach, is still openly accessible on the internet, even after reports of its misuse were forwarded to Duolingo in January. This puts Duolingo users at risk and highlights the need for companies to take data protection seriously. While companies may downplay the significance of scraped data, the potential for harm is significant, and it is crucial to address these issues proactively to ensure that personal information remains secure.

Discord.io:

On August 14, 2023, an unofficial platform known for providing redirect and invitation links to Discord servers, Discord.io, suffered a significant data breach. The hacker “Akhirah” exposed the breach, which has compromised the personal information of more than 760,000 users.

The stolen data from the breach includes usernames, Discord IDs, email addresses, and passwords that have been salted and hashed. While the password encryption offers a degree of protection, the potential for decryption remains a looming threat, underscoring the immediate need for users to bolster their security. Discord.io urges users to change their passwords to mitigate the impact of the breach.

Discord.io has taken the unprecedented step of indefinitely suspending its operations in response to the breach. Visitors to the Discord.io website now encounter a message detailing the seriousness of the breach. The company is being transparent about the compromised data fields, aiming to provide affected users with clarity regarding the information exposed and what remains secure in the wake of this incident.

“We have canceled existing premium subscriptions, and we will be reaching out to affected users individually. As of now, we have not been contacted by those responsible for the breach, nor have we initiated contact with them. To our knowledge, the database has not been made public at this time.” – Discord.io

In an interview with the hacker Akhirah, he expressed a desire for Discord.io to eliminate malicious content from their platform and communicate with him to resolve these issues, without seeking retribution or a reward.

This data breach follows a similar trend in the cybersecurity landscape. Just recently, the LetMeSpy Android Spyware Service also announced its permanent shutdown following a successful breach by a hacker who gained access to user data.

SEIKO: 

SEIKO NPC Corporation, a long-established Japanese semiconductor manufacturer founded in 1975 with approximately 12,000 employees, has officially recognized the possibility of a data breach.

On August 10th, the company posted a data breach notification on its website. However, cybersecurity experts only recently became aware of the breach after the ransomware group BlackCat featured SEIKO on its data leak platform.

SEIKO did not provide specific details but referred to the cybersecurity incident as a “potential” data breach.

According to SEIKO, “On July 28th of this year, the company experienced a potential data breach. It appears that unauthorized individuals or parties gained access to at least one of our servers.”

ALPHV/BlackCat Ransomware, now taking credit for the breach, shared several files on their data leak platform as evidence. Among these files was what appeared to be a copy of Yoshikatsu Kawada’s passport, a director at SEIKO’s well-known Watch Corporation subsidiary.

After an external cybersecurity expert examined the incident, SEIKO determined that a breach occurred, and some of the company’s information may have been compromised.

“At present, we are in the process of confirming the precise nature of the information stored on the affected servers. Once our ongoing investigation yields more specific results, we will promptly provide an update,” the company stated. However, no further updates regarding the breach have been made available thus far.

About ALPHV/BlackCat Ransomware:

ALPHV/BlackCat ransomware first emerged in 2021. Similar to other entities in the cybercriminal realm, this group operates a ransomware-as-a-service (RaaS) enterprise, selling malware subscriptions to criminal actors. Notably, the gang employs the Rust programming language.

According to an analysis by Microsoft, threat actors associated with this ransomware were known to collaborate with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI has suggested that money launderers affiliated with the ALPHV/BlackCat cartel have ties to Darkside and Blackmatter ransomware cartels, indicating a well-established network of operatives within the RaaS sector.

Recently, ALPHV/BlackCat has been notably active among ransomware groups. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.

This gang appears to have recently focused its efforts on professional service providers. In mid-May, it claimed responsibility for breaching Mazars Group, an international firm specializing in auditing, accounting, and consulting services.

Forever 21:

Clothing and accessories retailer, Forever 21, is in the process of sending data breach notifications to over half a million individuals whose personal information was exposed to unauthorized intruders. The company operates a global network of 540 outlets and has a workforce of approximately 43,000 employees.

A portion of the data breach notification, shared with the Office of the Maine Attorney General, reveals that the company detected a cyberattack on multiple systems on March 20. The investigation unveiled that hackers had sporadic access to Forever 21 systems between January and March of this year and utilized this access to pilfer data.

“The investigation determined that an unauthorized third party accessed specific Forever 21 systems at different intervals between January 5, 2023, and March 21, 2023,” states the notice. “Results from the investigation indicate that the unauthorized third party acquired specific files from certain Forever 21 systems during this timeframe” – Forever 21.

The data breach notice, dispatched on August 29 to 539,207 affected individuals, lists the following potentially exposed data types:

  • Full names

  • Social Security Numbers (SSN)

  • Dates of Birth

  • Bank Account Numbers

  • Forever 21 Health Plan information

BleepingComputer reached out to Forever 21 to ascertain if the security incident impacted both customers and employees. A spokesperson from the company issued the following statement: “The incident was limited to current and former Forever 21 employees and did NOT affect personal data pertaining to Forever 21 customers.”

In the notice, Forever 21 reports that they have taken steps to ensure that the hackers have deleted the stolen data, implying that the company may have engaged in communication with the attacker. Such actions often occur following ransomware attacks, where the victim negotiates with the hackers to reach a reasonable ransom. However, it is important to note that a ransomware attack on Forever 21 has not been confirmed.

In November 2017, Forever 21 informed its customers of another data breach affecting its payment system, resulting in the compromise of card data from transactions made between March and October 2017.

Italian Banks Temporarily Disabled by Distributed Denial of Service (DDoS) Attacks:

Several banks in Italy recently experienced temporary outages due to targeted Distributed Denial of Service (DDoS) attacks.

On August 1st, the Agenzia per la Cybersicurezza Nazionale (ACN) announced that it had identified cyberattacks against at least five banks in the country, resulting in a temporary disruption of their services.

The affected banks included BPER Banca (EMII.MI), Intesa Sanpaolo (ISP.MI), FinecoBank (FBK.MI), Popolare di Sondrio (BPSI.MI), and Monte dei Paschi di Siena (BMPS.MI).

According to the ACN, it “detected the resurgence of distributed denial of service (DDoS) attack campaigns carried out by pro-Russian… groups targeting national institutional entities.” The ACN attributed the attacks to the Russian hacking group known as “NoName.”

An employee from one of the affected banks informed Reuters that the bank’s website was taken offline due to a substantial surge in traffic. However, the bank’s mobile app continued to function normally during the attack, and the website was restored after a brief period.

The ACN stated that it provided assistance to all those affected by the DDoS attacks launched by NoName.

What Are DDoS Attacks?

Distributed Denial of Service (DDoS) attacks involve malicious actors attempting to disrupt a website by overwhelming its infrastructure with a significant volume of internet traffic. As DDoS attacks saturate a site’s bandwidth, users are unable to access it.

DDoS attacks can be motivated by various factors, but their primary objective is to cause disruption by temporarily taking websites offline. Due to their disruptive nature, DDoS attacks are employed by malicious entities as a means of directly targeting specific individuals or organizations.

Moving Forward:

Data breaches can have severe consequences for both companies and individuals, including financial loss, reputational damage, and identity theft. As the frequency and sophistication of cyberattacks continue to increase, it is crucial for companies to prioritize data protection and implement robust security measures. By staying vigilant and proactive in their approach to cybersecurity, organizations can minimize the risk of a data breach and protect their customers’ trust.


The Evolving Landscape of Cybersecurity Compliance in North America

Blogs - The Evolving Landscape of Cybersecurity Compliance in North America

Cybersecurity compliance is a non-negotiable for organizations in a largely digital world. Without it, you could face severe financial penalties, damaged brand reputation, loss of customer trust, and detrimental operational disruptions. 

 

Whether you’re operating in the U.S., Canada, or Mexico, you want to remain compliant with your respective country’s regulations. After all, understanding the ever-changing regulatory trends in North America is essential for ensuring optimal security — and avoiding severe repercussions. 

 

This article will offer an in-depth exploration of the current cybersecurity compliance trends, North America’s unique regulatory landscape, potential upcoming changes, and how automated cybersecurity solutions are essential for maintaining compliance. 

North America’s regulatory landscape

The United States doesn’t have federal laws that regulate the collection and use of personal data. Instead, the U.S. has a multifaceted system of state laws and regulations that often overlap and contradict one another.

 

For example, California has the California Consumer Privacy Act (CCPA), which grants California residents novel rights regarding their personal information and affects companies across the United States that do business with Californians.

 

Rather than federal regulation, the U.S. allows each industry to regulate privacy. For instance, the Health Insurance Portability and Accountability Act (HIPAA) protects health information, while the Gramm-Leach-Bliley Act (GLBA) governs financial institutions.

 

In contrast, Canada has PIPEDA at the federal level, setting the baseline for how businesses handle personal information. 

 

Interestingly, numerous provinces also maintain their own privacy statutes, mirroring PIPEDA quite closely. It’s worth mentioning that Quebec, Alberta, and British Columbia stand out with their own private-sector privacy legislation, acknowledged as being largely akin to the federal mandate.

 

These regulatory landscapes force companies to plan and implement their cybersecurity strategies — because non-compliance could result in fewer sales and significant penalties. 

 

However, regulation laws aren’t static and are set to undergo changes. Artificial intelligence (AI) and machine learning (ML) pose a significant threat, prompting regulators to reassess current conditions and potentially create new ones. 

The comprehensive guide to cybersecurity compliance trends

In 2023, the trend in the cybersecurity landscape is toward an escalating wave of cybercrime, amplified vulnerabilities in open-source code bases, and an increased focus on human-centered design and board oversight. Amid this landscape, there’s a shared consensus: an organization’s cybersecurity strategy must balance people, processes, and technology.

 

AI and ML have taken center stage in 2023, and this trend extends into the cybersecurity landscape as the integration of AI and ML becomes commonplace. The International Data Corporation (IDC) attributes the impressive growth of the cybersecurity market to these technologies, with spending projections to hit $46.3 billion by 2027. But, alongside their benefits, AI and ML can be exploited by threat actors to identify and target vulnerabilities.

 

This creates an environment where AI and ML are double-edged swords. While these technologies enhance predictive analytics, facilitating faster and more efficient threat detection, they’re also used by threat actors to identify and exploit vulnerabilities. 

 

Additionally, open source vulnerabilities continue to pose a significant threat with at least one vulnerability found in 84% of code bases, according to Synopsys

 

This underlines the importance of regular penetration testing and effective patch management. Using a Software Bill of Materials (SBOM) can help organizations keep track of their software components and update outdated open-source components, mitigating their exposure to potential cyber threats. 

 

However, to navigate these advancements and vulnerabilities, compliance with trending regulations like Cybersecurity Maturity Model Certification (CMMC), the Directive on Security of Network and Information Systems (the NIS Directive), and the Zero Trust model are crucial. They guide organizations to secure their infrastructure and manage cyber threats adequately.

 

For example, the CMMC (a requirement for all Defense Industrial Base (DIB) and Department of Defense (DoD) contractors) ensures that these entities have sufficient security controls in place to protect sensitive data. This compliance regulation safeguards national security while also elevating the baseline level of cybersecurity measures. Likewise, the Zero Trust model is a proactive stance against data breaches, focusing on minimizing uncertainty — a growing trend for 2023 and beyond. 

 

On the other hand, the European Union’s NIS directive provides legal measures for high-level security of network and information systems. It facilitates increased collaboration between EU member states and promotes a culture of risk management and incident reporting.

 

Lastly, accounting and financial data have been attractive targets for cyber attackers. In the past 12 months, 34.5% of executives reported that their organizations’ financial data were targeted, with 22% experiencing at least one cyber event. The same poll also found only 20.3% of their accounting and finance teams work closely with their peers in cybersecurity, suggesting a disconnect that could increase vulnerability to attacks.

The inevitable changes to cybersecurity regulations

The imminent changes in cybersecurity regulations carry consequences for registered investment advisors (RIAs), funds, and publicly traded companies. The U.S. Securities and Exchange Commission (SEC) is inching closer to cementing new regulations that could shake up these groups significantly, especially considering that fewer than one in five companies (20%) are equipped to handle cyber risks.

 

The new rules coming into place have three main parts: written plans for handling cybersecurity risks, reporting and disclosing cyber incidents, and using specific formats for reporting data. These parts are going to need a good understanding and detailed planning to comply with.

 

Luckily, plenty of companies like Findings offer a similar, more comprehensive service. For example, Findings helps businesses make and review their cybersecurity assessments each year. 

 

Findings also helps businesses outline what a cyber incident looks like, set up practices for reporting them, and come up with a clear plan to protect against cyber threats and handle any incidents that do happen.

 

While these new SEC rules mainly affect financial and publicly traded companies, all organizations need to pay attention. Beyond just avoiding fines and penalties, having strong cybersecurity practices (e.g. ones that involve automation, AI, and ML) helps build trust with stakeholders.

The role of automation in building a cyber-resilient future

To stay ahead in cybersecurity, organizations are now leveraging automation for a more efficient and agile approach to risk assessment and management.

 

Automation enables faster, error-free decisions. It delivers real-time threat information, which empowers security teams to effectively manage threats. Not to mention, the systematic organization of data reduces the time between threat detection and mitigation. 

 

Additionally, automation helps harmonize data and collaboration within organizations. A centralized platform for data collection ensures consistent information across all departments, eliminating discrepancies and enabling effective collaboration. 

 

With accurate and comprehensive information at their fingertips, executives and managers can make better-informed decisions — improving cyber risk management strategies.

 

As organizations aim to protect their assets and maintain customer trust, automation is a must. 

 

Adopting automated security risk assessments enables organizations to maintain a proactive stance against cyber threats, ensuring a secure operational environment. With new compliance trends and the looming possibility of further regulatory changes, your business needs to be prepared — by implementing automation. 

 

When you integrate automation, you can improve response times, standardize data, enhance collaboration, and scale security risk assessment processes, turning this potential challenge into a strategic strength.

 



July Data Breach Roundup

Findings.co July 2023 cybersecurity and data breaches roundup

As we navigate the relaxing summer season, it’s important to note that just because half the world is on pause, doesn’t mean hackers are too. While those who are relaxing and not paying much attention, these attackers are sweeping their ways into their supply chains and causing damage. Luckily, automation helps, and catching vulnerabilities in your supply chain with our Assessment and Audit AI features will help you stay on track. 

 

This month’s blog arrives hot on the heels of an important announcement from the SEC. They have mandated that public companies must now report data breaches within 4 days of discovery. This new regulation comes at a critical time as the MOVEIT vulnerability continues to wreak havoc, causing significant disruptions in recent months.

 

July proved to be a challenging period for cybersecurity, with major players like Deutsche Bank, Genworth Financial, and Maximus falling victim to the consequences of data breaches. While numerous breaches occurred throughout the month, I will focus on the most noteworthy ones to glean valuable insights and lessons from.

 

Continue reading to discover other prominent names  that experienced security breaches, along with crucial information you should be aware of. Stay informed and learn from these incidents to protect your own data and systems.

 

  1. HCA Healthcare Experiences Breach

 

HCA Healthcare, a prominent hospital and clinic operator, recently announced that it has experienced a significant cyberattack, compromising the data of over 11 million patients. This unfortunate breach has raised concerns about the security of sensitive patient information and highlights the urgent need for better data protection measures in the healthcare industry. Just last week, IBM’s Cost of a data breach report came out proving that costs are escalating in healthcare breaches. The average cost of a studied healthcare breach reached nearly $11 million in 2023, a 53% increase since 2020. Cybercriminals targeting healthcare organizations have made stolen data more accessible to downstream victims, making medical records a high-value leverage point.

 

What Happened?

 

HCA Healthcare discovered the breach on July 5,2023, when a sample of stolen data was posted online by the suspected hacker. The company believes that the attack targeted an external storage location primarily used for email message formatting. As an immediate containment measure, the company disabled user access to this location.

 

Who Was Affected? 

 

Patients from 20 states, including California, Florida, Georgia, and Texas, have been affected by the breach, which ranks among the largest healthcare data breaches in history. The compromised data includes patients’ names, partial addresses, contact information, and upcoming appointment dates. Additionally, information such as email addresses, telephone numbers, date of birth, and gender was accessed by the hackers.

 

With the scale of this data breach impacting millions of patients, HCA Healthcare faces a significant challenge in safeguarding sensitive information. As investigations continue, it serves as a reminder to healthcare organizations to strengthen their cybersecurity protocols to protect patients’ data and maintain their trust in an increasingly digital world.

 

  1. Rite Aid Data Breach Exposes Customer Information

 

Rite Aid, a popular pharmacy chain in America, recently announced a data breach that may have exposed personal information of its customers. The breach, caused by an unknown third party exploiting a software vulnerability, occurred on May 27. Although sensitive data like Social Security numbers and credit card numbers were not accessed, Rite Aid is taking proactive steps to address the situation and notify affected customers.

 

The Breach Incident:

 

On May 31, one of Rite Aid’s vendor partners informed the company about the data breach. In response, Rite Aid took swift action by updating its systems and the vendor’s software to prevent further exploitation of the vulnerability. During this process, the company discovered that specific files containing customer information had been accessed during the breach. The information accessed by the unknown party included the following:

 

  • Patient First and Last Name

  • Date of Birth

  • Address

  • Prescription Information

  • Limited Insurance Information

  • Cardholder ID

  • Plan Name



The Rite Aid data breach serves as a reminder that security assessments are essential for catching vulnerabilities, whether it be your direct company, or your vendors. While the company has taken swift action to address the situation, affected customers should remain vigilant and take appropriate measures to protect their personal information. 



  1. A New Malware is Making Headlines

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported the discovery of a new malware strain known as Submarine, which was used to backdoor Barracuda ESG (Email Security Gateway) appliances on federal agencies’ networks. 

Barracuda provides services and products to over 200,000 organizations worldwide, including prominent entities like Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi.

 

The attack was carried out by a suspected pro-China hacker group known as UNC4841 and involved exploiting a now-patched zero-day vulnerability.

 

In May, a series of data-theft attacks was detected on Barracuda ESG appliances, but it was later revealed that the attacks had been active since at least October 2022. The attackers utilized the CVE-2023-2868 remote command injection zero-day to drop previously unknown malware named Saltwater and SeaSpy, as well as a malicious tool called SeaSide. These were used to establish reverse shells for easy remote access.

 

Barracuda took an unconventional approach last month by offering replacement devices to all affected customers at no charge. The decision came after the company issued a warning that compromised ESG appliances needed immediate replacement, rather than just re-imaging them with new firmware, as they couldn’t guarantee complete malware removal.

 

Now, CISA has disclosed the existence of the Submarine malware, also known as DepthCharge by Mandiant, the incident response division of FireEye. Submarine is a multi-component backdoor residing in a Structured Query Language (SQL) database on the ESG appliance. It serves various purposes, such as detection evasion, persistence, and data harvesting.CISA’s malware analysis report stated, “SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.” The report also mentioned that sensitive information was found in the compromised SQL database.

 

In response to Barracuda’s remediation actions, the threat actors employed the Submarine malware as an additional measure to maintain persistent access on customer ESG appliances. Barracuda maintains that the malware was present on a small number of already compromised ESG appliances. Barracuda’s recommendation to customers remains unchanged. Those with compromised ESG appliances should discontinue their use and contact Barracuda support to obtain a new ESG virtual or hardware appliance.

 

CISA has warned that the Submarine malware poses a significant threat for lateral movement within affected networks. 

 

  1. Estée Lauder Faces Data Breach and Ransomware Attack

 

Estée Lauder recently experienced a data breach and ransomware attack, but the company has been tight-lipped about the specifics of the incident. The beauty giant acted proactively by taking down some systems to prevent further expansion of the attack on their network. It appears that the CL0P ransomware gang gained unauthorized access to Estée Lauder by exploiting a vulnerability in the MOVEit Transfer platform used for secure file transfers. The threat actor took advantage of the vulnerability when it was still a zero-day in late May and claimed to have breached numerous companies for the purpose of data theft and extortion.

 

On their data leak site, the Clop ransomware gang publicly listed Estée Lauder as one of their victims. The gang criticized the company, accusing them of neglecting their customers’ security. They claimed to have over 131GB of Estée Lauder’s data in their possession. Another ransomware group, BlackCat, also added Estée Lauder to their list of victims. However, unlike Clop, BlackCat expressed dissatisfaction with the company’s silence in response to their extortion emails. BlackCat attempted to initiate negotiations with Estée Lauder by reaching out to their corporate and personal email addresses but received no response from the company.

 

Notably, BlackCat claimed that they did not encrypt any of Estée Lauder’s systems, but they threatened to reveal more details about the stolen data unless negotiations were initiated. The potential exposure of sensitive information could affect customers, company employees, and suppliers. The attack has caused significant disruption to parts of the company’s business operations, as stated in their SEC filing.



  1. Google Cloud Build Vulnerability Raises Supply Chain Attack Concerns

 

A vulnerability in Google Cloud Build, known as Bad.Build, has raised concerns about potential supply chain attacks for organizations using the Artifact Registry as their primary or secondary image repository. Security researchers from Orca Security and Rhino Security Lab independently reported the issue.

 

Orca Security researcher Roi Nisimi highlighted that the vulnerability allows attackers to escalate privileges by exploiting the cloudbuild.builds.create permission. This could enable attackers to tamper with Google Kubernetes Engine (GKE) docker images using artifactregistry permissions and run code inside the docker container with root privileges.

 

After the issue was reported, the Google Security Team implemented a partial fix by revoking the logging.privateLogEntries.list permission from the default Cloud Build Service Account. However, this measure didn’t directly address the underlying vulnerability in the Artifact Registry, leaving the privilege escalation vector and the supply chain risk still intact.

 

Google Cloud Build customers are advised to modify the default Cloud Build Service Account permissions to match their specific needs and remove entitlement credentials that go against the Principle of Least Privilege (PoLP) to mitigate the privilege escalation risks.

 

Supply chain attacks have had far-reaching consequences in recent cybersecurity incidents like the SolarWinds, 3CX, and MOVEit attacks. Therefore, organizations using Google Cloud Build need to be vigilant and implement cloud detection and response capabilities to identify anomalies and reduce the risk of potential supply chain attacks.

 

In response to the discovery, a Google spokesperson expressed appreciation for the researchers’ efforts and confirmed that a fix based on their report had been incorporated in a security bulletin issued in early June. Google also emphasized its commitment to identifying and addressing vulnerabilities through its Vulnerability Rewards Program.



As I wrap up this month’s breach blog, I must address IBM Security’s annual “Cost of a Data Breach Report.” The report reveals that the global average cost of a data breach has reached an all-time high of $4.45 million in 2023, marking a 15% increase over the past three years. Below I’ve outlined key findings. 

 

Key Highlights From the Report:

 

AI and Automation Accelerate Breach Identification and Containment: Organizations extensively employing AI and automation experienced a significantly shorter data breach lifecycle, reducing it by 108 days compared to organizations not leveraging these technologies (214 days vs. 322 days). This reduction resulted in nearly $1.8 million in lower data breach costs, making AI and automation the most impactful cost-saving measures identified in the report.

 

Silence is Costly in Ransomware Attacks:

 

Ransomware victims who involved law enforcement in their response saved an average of $470,000 in breach costs compared to those who chose not to involve law enforcement. Despite this potential benefit, 37% of the ransomware victims studied did not engage law enforcement during an attack, leading to longer breach lifecycles and increased costs.

 

Detection Gaps Persist:

Only one-third of the studied breaches were discovered by the organization’s own security team, while 27% were disclosed by the attacker, and 40% were disclosed by neutral third parties like law enforcement. Breaches identified by the organizations themselves incurred nearly $1 million less in breach costs compared to those disclosed by the attackers. This is where conducting regular assessments comes into play. The report emphasizes that early detection and rapid response are crucial in reducing the impact of a breach. Organizations are encouraged to invest in threat detection and response approaches, to bolster their cybersecurity defenses.



While this month’s update is on the longer side, I hope you’ve learned and realized just how important conducting regular security checks is for your business and entire supply chain. Findings automates assessment and audit processes, to help you stay compliant, while ensuring that your supply chain is secure. 

 

 

 

Data Breaches and Cyber Attacks Round Up: June 2023

Findings.co data breaches and cyber attacks in review june 2023

In a world where technology reigns supreme and cyber crime lurks around every digital corner, organizations find themselves locked in a never-ending battle to protect their precious data. From the daring MOVEit vulnerability that left organizations trembling, to the turbulence in the airline industry caused by data breaches, and even a ransomware attack on a tech titan. Buckle up and get ready to explore these hair-raising incidents that prove cybersecurity is no joke in the fast-paced digital age. It’s time to dive into the data breaches and cyber attacks that organizations faced in June 2023. 



MOVEit:


Recently, a significant incident involving the MOVEit vulnerability and data extortion has had a global impact on numerous organizations. Exploiting a vulnerability in Progress Software’s widely-used MOVEit file transfer application, criminals targeted organizations, particularly those within supply chains utilizing the app, resulting in data breaches and the theft of customer and/or employee data.


In more detail, Progress Software Corporation, a company specializing in software and services for user interface development, devops, and file management, issued a warning to its customers regarding a critical vulnerability called CVE-2023-34362. The vulnerability affects the MOVEit Transfer and MOVEit Cloud products, which provide a secure and convenient way to store and share files within teams, departments, companies, and supply chains. MOVEit Transfer’s web-based front end, designed to simplify file sharing and management through a web browser, was discovered to have a SQL injection vulnerability. This vulnerability occurs when an HTTP request sent to a web server is improperly converted into a database query, leaving the server open to manipulation. Attackers can inject malicious commands through URLs, potentially leading to data loss or unauthorized access. Progress Software released patches for the affected versions of MOVEit, but unauthorized commands may have been injected before the patch, resulting in data compromise. To mitigate the risk, Progress recommends ensuring that all instances of MOVEit software are patched, disabling the web-based interfaces if patching is not immediately possible, monitoring logs for suspicious activities, and adopting secure programming practices such as input sanitization and parameterized queries to prevent SQL injection attacks.



Additional Victims of the MOVEit Hack:


The total number of impacted organizations has come to over 130, affecting over 16 million individuals. Brett Callow, a threat analyst at cybersecurity firm Emsisoft, has so far identified around 138 organizations that have fallen victim to the campaign, resulting in the compromise of personal information for over 15 million people. It is expected that these numbers will rise as more victims come forward. The cybercrime group, believed to have ties to Russia and known for their use of the Cl0p ransomware, has claimed responsibility for the attack. They boast being the sole threat actor aware of the MOVEit zero-day exploit before it was patched. Recently, they have started naming organizations that have refused to pay their ransom demands or engage in negotiations. 


Their list includes notable entities such as Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Cognizant, AbbVie, Kirkland & Ellis, and K&L Gates. Siemens Energy and Schneider Electric have confirmed being targeted. UCLA acknowledged the exploitation of the vulnerability but clarified that it does not classify the incident as a ransomware attack, likely because no file-encrypting malware was employed and there is no evidence of other system compromises on campus. Government organizations, including the US Department of Energy and the Health Department, have also been affected. The New York City Department of Education, the Oregon DMV, the National Student Clearinghouse, and associated schools have reported being victims as well. The cybercriminals, however, claimed on their website that they have deleted data from over 30 government-related organizations as their focus is purely financial and not interested in such entities. Gen Digital, the parent company of renowned cybersecurity brands including Avast, Avira, AVG, Norton, and LifeLock, has also officially acknowledged that the personal information of its employees was compromised during the recent MOVEit ransomware attack. 


As you can tell, this recent MOVEit data breach has had a domino effect.  The personal information of approximately 769,000 retired members of CalPERS, the California Public Employees’ Retirement System. The breach also affected 415,000 members and beneficiaries of CalSTRS, the California State Teachers’ Retirement System. The breach was reported by CalPERS after their third-party vendor, PBI Research Services, discovered a vulnerability in their MOVEit Transfer Application. The vulnerability allowed unauthorized access to sensitive data such as names, dates of birth, Social Security numbers, and even the names of family members of the affected members. CalPERS is the largest public pension fund in the United States, serving over 2 million members in its retirement system and more than 1.5 million in its health program. CalSTRS, on the other hand, is the second-largest public pension fund in the country and the largest retirement system for teachers, serving more than 947,000 members.


American Airlines:


American Airlines and Southwest Airlines, two major global airlines, have recently reported data breaches resulting from a security incident involving Pilot Credentials, a third-party vendor responsible for managing pilot applications and recruitment portals for multiple airlines. Both airlines were notified about the incident on May 3, clarifying that the breach was limited to the systems of the third-party vendor and did not impact their own networks or systems. The unauthorized individual behind the breach gained access to Pilot Credentials’ systems on April 30 and stole documents containing information submitted by certain applicants during the pilot and cadet hiring process.


American Airlines stated that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009 affected individuals. The compromised data included personal information such as names, Social Security numbers, driver’s license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers. It’s worth noting that American Airlines has experienced previous data breaches, including one in September 2022 resulting from a phishing attack and another in March 2021 due to a breach in SITA’s Passenger Service System, which affected multiple airlines globally.



Taiwan Semiconductor Manufacturing Company (TSMC):


The world’s largest contract chipmaker, has confirmed a data breach after being targeted by the LockBit ransomware gang. The gang, linked to Russia, listed TSMC as a victim and demanded a $70 million ransom. TSMC stated that the breach did not impact its business operations or compromise customer information. The incident originated from a cybersecurity breach at one of TSMC’s IT hardware suppliers, Kinmax Technology. TSMC terminated its data exchange with Kinmax and assured that customer information remains secure. Kinmax also apologized for the incident and indicated that other customers may have been affected. The breach follows recent arrests related to LockBit ransomware attacks. Taiwan Semiconductor Manufacturing Company (TSMC), a major semiconductor supplier for Apple, recently attributed a data breach and subsequent $70 million ransom demand from the LockBit ransomware group to a third-party IT hardware supplier. TSMC confirmed the security incident but refrained from disclosing the specific data accessed or held for ransom by LockBit actors. The company assured that the breach did not impact its business or customer information. TSMC identified the third-party supplier as Kinmax Technology, an Hsinchu-based systems integrator known to collaborate with various technology companies. It remains uncertain if other customers were affected by the attack.


The National Hazard Agency, a subgroup of LockBit, set a deadline of August 6 for TSMC to pay the ransom, threatening to publicly release the stolen data. The threat actors also claimed to possess “points of entry” to TSMC’s network, along with login credentials, which are valuable to cyberattackers. TSMC reported robust financial figures for 2022, making it an enticing target. Following the incident report, TSMC conducted a thorough review of its hardware components and security configurations, discontinuing data exchange with Kinmax and reinforcing security measures. The company emphasized its commitment to raising security awareness among suppliers and ensuring compliance with its security requirements.


Kinmax, the implicated IT supplier, downplayed the breach, stating that the intruder accessed system installation preparation information in the engineering test environment, which was unrelated to customers’ actual applications. Kinmax expressed regret and extended apologies to affected customers, mentioning enhanced security measures implemented to prevent future incidents.


TSMC’s breach highlights the growing trend of third-party compromises leading to data breaches in various organizations. It coincides with reports of organizations falling victim to the Cl0p ransomware gang due to a vulnerability in the widely used MOVEit Transfer app by Progress Software. The Biden administration’s cybersecurity executive order in May 2021 has underscored the significance of securing IT supply chains.


Microsoft:


In early June 2023, Microsoft encountered a surge in traffic that affected the availability of some services. To address this issue, Microsoft promptly launched an investigation and began monitoring ongoing Distributed Denial-of-Service (DDoS) activity conducted by a threat actor known as Storm-1359. These attacks seem to rely on the utilization of multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools. No evidence suggests that customer data has been accessed or compromised during these recent DDoS attacks. The focus of these DDoS attacks was primarily on layer 7 rather than layer 3 or 4. To enhance customer protection against similar DDoS attacks, Microsoft has fortified its layer 7 defenses by optimizing the Azure Web Application Firewall (WAF). While these measures have proven effective in mitigating most disruptions, Microsoft consistently evaluates the performance of its defenses and incorporates lessons learned to further refine and enhance their effectiveness.


Customers are advised to review the technical details and recommended actions provided in this blog to bolster the resilience of their environments and mitigate the impact of comparable attacks.


Technical Details:

Microsoft’s assessment reveals that Storm-1359 possesses a collection of botnets and tools that enable the threat actor to launch DDoS attacks from various cloud services and open proxy infrastructures. Storm-1359 appears to be primarily focused on causing disruption and gaining publicity.


Storm-1359 has been observed employing different types of layer 7 DDoS attack traffic, including:


HTTP(S) flood attack: This attack exhausts system resources by inundating them with a high volume of SSL/TLS handshakes and HTTP(S) requests. The attacker distributes a large number of HTTP(S) requests from different source IPs across the globe, overwhelming the application’s backend and depleting compute resources (CPU and memory).


Cache bypass: This attack attempts to bypass the Content Delivery Network (CDN) layer, potentially overwhelming the origin servers. The attacker sends a series of queries against generated URLs, causing the frontend layer to forward all requests to the origin instead of serving cached content.


Slowloris: In this attack, the client establishes a connection with a web server, requests a resource (e.g., an image), but intentionally fails to acknowledge or accepts the download slowly. This forces the web server to keep the connection open and retain the requested resource in memory.


Recommendations – Layer 7 DDoS Protection Tips:


To mitigate the impact of layer 7 DDoS attacks, Microsoft recommends that customers consider the following measures:


Utilize layer 7 protection services like Azure Web Application Firewall (WAF) (available with Azure Front Door, Azure Application Gateway) to safeguard web applications.


When using Azure WAF:


Employ the bot protection managed rule set, which provides defense against known malicious bots. For more information, refer to the configuration instructions for bot protection.

Block IP addresses and ranges that you identify as malicious. Examples of how to create and use custom rules can be found in the provided resources.

Consider blocking, rate limiting, or redirecting traffic from outside or within defined geographic regions to a static webpage. Refer to the examples in the provided resources for more information on creating and using custom rules.

Create custom WAF rules that automatically block and rate limit HTTP or HTTPS attacks with known signatures.


DMPS:


Des Moines Public Schools is currently contacting approximately 6,700 individuals to inform them about a data security event that occurred earlier this year. This incident, which occurred in January, involved a cyberattack on the school district and may have led to the potential exposure of personal information belonging to those affected. 


The cyberattack on DMPS also involved a ransom demand. However, in accordance with the advice of cybersecurity experts and considering the best interests of the school district and community, no ransom has been or will be paid in response to this attack.


And speaking of schools, the university of Manchester also recently disclosed a breach. In the week starting on June 6th, the University received news of a cyber incident, where unauthorized individuals gained access to certain systems and likely copied data. Our dedicated team of experts, both internal and external, is diligently working day and night to address this incident and determine the extent of the data accessed. Our main focus is to swiftly resolve this situation and promptly inform those affected. We are allocating all possible resources towards achieving these objectives.



Cybersecurity is Essential:


The incidents surrounding MOVEit, American Airlines, TSMC and Microsoft serve as stark reminders of the importance of cybersecurity in our fast-paced digital age. These incidents underscore the serious and ongoing nature of cybersecurity threats, reminding organizations to remain vigilant, strengthen their defenses, and prioritize the safeguarding of valuable data in the digital landscape. 





Discover How Findings Can Help



Top Cyber Attacks and Data Breaches: May 2023 Round Up

May 2023 data breaches

In an era dominated by digital connectivity, the frequency and impact of data breaches continue to escalate, leaving individuals and organizations vulnerable to devastating consequences. From state-sponsored hacking campaigns to opportunistic cybercriminals, the realm of data security is constantly under siege. Recent events have once again thrust data breaches into the spotlight, as major corporations and industry giants grapple with the aftermath of malicious intrusions. In this blog post, I will delve into a series of alarming incidents that have unfolded in May 2023, shedding light on the tactics employed, the extent of compromised information, and the potential ramifications for affected individuals and businesses. Brace yourself for an eye-opening exploration of the evolving threat landscape as we navigate the treacherous waters of data breaches and their far-reaching impact.

 

  1. On May 24,2023, Microsoft reported that it found targeted malicious activity by Volt Typhoon, a state-sponsored group from China, aiming to access unauthorized credentials and explore critical infrastructure networks in the US. This campaign supposedly  intends to disrupt communication infrastructure between the US and Asia during future crises. Volt Typhoon has been active since mid-2021, primarily targeting critical infrastructure organizations in Guam and other US regions across various sectors. They employ stealth techniques, living-off-the-land methods, and manipulate systems using command line instructions. The threat actor maintains persistent access and attempts to conceal their activities by routing network traffic through compromised SOHO network equipment. 

 
  1. Sysco, a major U.S. multinational food distribution corporation, recently revealed that approximately 126,243 current and former employees may have had their sensitive data accessed and acquired in a cyberattack that took place in January. According to notification letters sent to affected individuals, Sysco’s systems were initially breached on January 14, but the intrusion was only discovered nearly two months later. The company assured that its operational systems, business functions, and customer services remained unaffected by the breach. While specific details about the data accessed for each individual are yet to be confirmed, Sysco stated that the compromised information may include personal data provided for payroll purposes, such as names, Social Security numbers, account numbers, or similar information. 

 
  1. On May 26, 2023, Managed Care of North America (MCNA) Dental published a data breach notification on its website, informing approximately 9 million patients that their personal data was compromised. MCNA Dental is one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S. On March 6, 2023, the insurance provider discovered unauthorized activity in their computer system. They took immediate action to halt the activity and initiated an investigation with the assistance of a specialized team. It was determined that an unauthorized user was able to access and make copies of certain information between February 26, 2023, and March 7, 2023. The potentially compromised information includes contact details such as first and last name, address, date of birth, phone number, and email address. Social Security numbers, driver’s license numbers or other government-issued ID numbers were also accessed. Additionally, health insurance information such as plan details, insurance company information, member numbers, and Medicaid-Medicare ID numbers may have been involved. Specific information related to dental care, including visits, dentist and doctor names, past treatments, x-rays/photos, prescribed medicines, and treatment details, as well as bills and insurance claims, were also potentially exposed. 

 
  1. NextGen Healthcare, a vendor of cloud-based electronic health records, has been informing over 1 million individuals about a data compromise that involves the unauthorized acquisition of login credentials. This incident marks at least the second alleged data security breach that the company has probed since January. The company explained an unknown third-party gained unauthorized access to a limited set of personal data between March 29, 2023, and April 14, 2023. The accessed information includes names, dates of birth, addresses, and social security numbers. Out of the 198 significant breaches of health data that have been reported on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website in 2023, impacting a total of 17.4 million individuals, it has been disclosed that at least 75 of these incidents affecting 9.8 million individuals were reported to involve business associates. Approximately 38% of the major health data breaches reported on the HIPAA Breach Reporting Tool website in 2023 involved vendors and other business associates. Interestingly, despite accounting for a smaller proportion of breaches, these incidents were responsible for impacting 56% of the individuals affected by breaches in the healthcare sector.

 
  1. Luxottica, the world’s largest eyewear company known for brands like Ray-Ban, Oakley, and Chanel, has officially confirmed a data breach that occurred in 2021 via BleepingComputer. The breach exposed the personal information of approximately 70 million customers when a database was recently made available for free on hacking forums. Luxottica revealed that one of its partners experienced the breach, involving a security incident that affected a third-party contractor responsible for holding customer data. The exposed data includes sensitive details such as full customer names, email addresses, phone numbers, residential addresses, and dates of birth. Luxottica emphasized that financial information, social security numbers, login credentials, and other critical data that could endanger customer safety were not compromised. The FBI has made an arrest in connection with the incident, resulting in the shutdown of the website where the data was published. 

 
  1. On May 11, 2023, Brightly informed present and past SchoolDude users that a security incident occurred. SchoolDude is an online platform used by educational institutions for placing and tracking maintenance work orders. Information such as name, email address, account password, phone number, and school district name were potentially breached. 

 
  1. On May 8, 2023, Dragos, a company specializing in industrial cybersecurity, experienced a failed extortion scheme by a cybercriminal group. The group gained unauthorized access by compromising the personal email of a new sales employee, allowing them to impersonate a Dragos employee and access resources in SharePoint and the contract management system. Although they accessed a report with customer IP addresses, Dragos’ security controls prevented the threat actor from deploying ransomware or making further infrastructure changes. The cybercriminals resorted to extortion attempts, escalating their messages and contacting Dragos executives and known contacts. However, Dragos chose not to engage with the criminals and promptly activated their incident response retainer and involved their third-party MDR provider. The investigation is ongoing, but Dragos has implemented additional verification steps for their onboarding process and emphasizes identity and access management, multi-factor authentication, continuous monitoring, and incident response preparedness.

 

In other news, in May, it was discovered that Apple banned its employees from using generative AI tools like OpenAI’s ChatGPT and GitHub’s Copilot due to concerns about potential data leaks and disclosure of sensitive information. Apple’s decision is based on the fact that OpenAI stores all user interactions by default, including conversations with ChatGPT, which are used for training and subject to moderation. While OpenAI introduced an option to disable chat history, conversations are retained for 30 days for abuse review before permanent deletion. Apple worries that employees may unintentionally reveal confidential project information within ChatGPT, which could be accessed by OpenAI moderators. Similar restrictions have been implemented by other companies like JP Morgan, Verizon, and Amazon. Despite the ban, OpenAI recently launched an iOS app for ChatGPT, making Apple’s decision notable, considering the app’s availability and future expansion plans. 

 

As data breaches continue to make headlines, it becomes abundantly clear that the protection of sensitive information is of paramount importance. The incidents highlighted in this blog post serve as a stark reminder that no individual or organization is immune to the persistent and ever-evolving threats posed by cybercriminals. As we move forward, it is imperative for individuals and businesses alike to prioritize robust security measures, including stringent access controls, advanced encryption protocols, and employee education programs. By staying vigilant, proactive, and informed, companies can fortify their defenses and mitigate the risks associated with data breaches. 

 



Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today

Let's Tackle Compliance Together

Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!