Security Breach Report: April 2016
Spear phishing…ransomware…social engineering…these are just three of the techniques that attackers have been using to gain a foothold in organizations and to pilfer data from people and enterprises around the globe. While we’d be likely to disagree with G.I. Joe that knowing is half the battle as far as cyber security goes, being aware of the dangers others are facing is never a bad thing.
Following are some of the latest headlines related to data and security breaches.
Ransomware Rampant, Organizations Under Fire
Ransomware is an increasingly hot topic, and the morphing nature of this disruptive — and destructive — form of malware makes it clear that organizations need to be on their toes. Here are some of the latest headlines and stories to follow:
- Though MedStar Health officials have been reluctant to classify this week’s security event as a ransomware attack, the Washington Post reported that an employee of one of the organization’s medical centers sent them an image of the ransom message. Ten hospitals and hundreds of outpatient centers were reportedly forced to shut down their computers and email as a result of the attack. According to MedStar’s Facebook feed, systems were still not at full restoration at the time this article was posted.
- MedStar is far from alone in this battle, and healthcare organizations have been particularly vulnerable to ransomware attacks of late. There has been a rash of infections already this year, with attackers not only targeting users, but taking advantage of other vulnerabilities that allow them to plant malware without user interaction.
- The FBI is asking for help in fighting ransomware, according to a recent report by Reuters, which claims to have obtained a confidential “Flash” advisory in late March. Of particular concern is the MSIL/Samas.A strain of ransomware, which attempts to encrypt entire networks rather than a single computer.
IRS, Tax-Related Scams Continue to Plague Companies, Individuals
Back in February, we reported on the IRS alert regarding this year’s massive increase in phishing and malware attacks on taxpayers. It’s continued to be a busy tax season as far as attacks go:
- The IRS issued a statement regarding an automated attack on its Electronic Filing PIN application, which reportedly compromised more than 100,000 PINs.
- In late March, CSO Online reported that 41 organizations — including Seagate and Snapchat — had experienced business email compromise attacks targeting employee W-2 and other payroll information. Since that report, other organizations have been similarly victimized, including Kentucky State University and Nashville’s Ryman Hospitality Properties, the parent company of the Grand Ole Opry.
- There are significant concerns about the continued proliferation of tax fraud resulting from this year’s and prior years’ theft of personally identifiable information. A recent KrebsOnSecurity article highlighted the multiple victimizations of a CPA from South Dakota. And there have been a number of fraudulent tax filings reported already this year, impacting employees from Tidewater Community College, and residents of Wisconsin, Virginia, and Alabama (just to name a few).
That said…the news isn’t all bad as far as tax fraud goes. Network World recently reported on the significant number of successful IRS investigations during the 2015 fiscal year, many of which resulted in fraudsters forfeiting millions of illegally obtained funds.
Additional News, Stats, and Research About Breaches
- Hackers have reportedly breached a number of prestigious U.S. law firms — and Internet postings by the attackers suggest that they aren’t finished yet. A Wall Street Journal account indicated that federal investigators aren't ruling out insider trading as a motive for the theft of the confidential information.
- The identities of thousands of Stormtroopers were leaked after Kylo Ren, a commander of the First Order, was victimized by a business email compromise attack. According to Ren, the well-crafted spear phishing message appeared to have been sent by his commanding officer, Supreme Leader Snoke.
- A recent Verizon Security Solutions Report indicates that a hacktivist group with ties to Syria was able to hack the control systems of a water treatment plant, altering the mix and level of chemicals added to the water supply. Though the plant’s name and location were anonymized in the report, it’s believed that the personal information of the water company’s 2.5 million customers was also exposed during the breach.
- A former employee of Australia’s Menulog, an online provider of takeout ordering, reportedly was able to access the contact information of more than a million Menulog customers. Nicola Holden claims that the information — including personal details of police officers, celebrities, and government officials — was accessible when she logged into Menulog’s client portal using her new employer’s credentials.
- In "train beyond the phish" news, a Computerworld article published in late March highlighted the continued threat posed by BYOD policies (and untrained end users). A survey of nearly 900 IT professionals showed that 21% of organizations have experienced a security breach related to a mobile device. Malicious WiFi hot spots and malware were the most frequently stated culprits.
- A disturbing story out of California in late February indicated that a maintenance worker targeted more than 30 female college students by using social media and geotagging data to track their activities and find their addresses. While the women were out, he would burglarize their homes.
- Social media can also compromise the security of businesses and their executive staff. A recent Infosecurity Magazine article highlighted the results of a Digitalis Reputation survey, which revealed some questionable privacy practices of the 1,000 CEOs who were polled.
- In “do as I say, not as I do” news, a recent Absolute Software survey revealed that 45% of IT personnel intentionally circumvent their own security policies. In addition, 33% of the 501 IT managers and decision makers surveyed indicated that they have successfully hacked their own company or another organization.
- Late last month, KrebsOnSecurity reported that the breached contact information of 1.5 million Verizon Enterprise Solutions customers had been put up for sale on an underground cybercrime forum. In addition to the customer data, the seller was reportedly offering access to website vulnerabilities. Verizon indicated to KrebsOnSecurity that it had identified and remediated a security flaw in its enterprise client portal.
- Several lawsuits have been filed against 21st Century Oncology, a Florida-based cancer care provider, following a November privacy breach that was made public in early March. The organization reportedly held off on announcing the breach at the request of the FBI. There are some conflicting reports, but a March 30 update by Florida’s WINK News indicated that a fifth class-action filing accuses 21st Century of storing confidential information on Joomla, a cloud-based service the suit claims is “notoriously vulnerable” and “widely known to have a serious flaw that allowed hackers to gain administrative access.”
- The University of Central Florida revealed that it has been billed nearly $110,000 for costs related to a February 4 data breach that compromised the personal information of 63,000 individuals, including current and former students. The university expects its cyber security insurance to cover the costs. FBI officials in Jacksonville are still investigating the incident.
- In February, Infosecurity Magazine and other outlets reported on a piece of Android malware masquerading as a security feature for AliPay, a popular Chinese online payment service similar to PayPal. Victims believed the fake app provided AliPay security enhancements, but it was really a Trojan that stole and forwarded SMS messages from the device.
- Personal details — including passport numbers — of more than 2,000 foreigners living in Thailand were briefly posted online last month, reportedly during a site developer’s demo for police. Social media users spotted the leak, and the site was later taken down.
- According to Experian’s third annual data breach preparedness study, more than half of the UK’s small businesses are unprepared to deal with a data breach. SmallBusiness.co.uk also reported that small businesses drastically underestimate the true cost of a data breach by an average of 40%.
- Doritex Corp., a uniform services company based in New York, and its website developer have collectively been fined $95,000 for insufficient security on the Doritex website and employment application portal. More than 500 Social Security Numbers were reportedly exposed because encryption technologies were not properly implemented.
The Wombat approach to security awareness and training can help organizations change behaviors and reduce risks. Learn more by reviewing our Case Studies and Proof of Concept series, which highlight results experienced by companies in a variety of industries.
Healthcare organizations who want to be proactive about end-user education should review our new Healthcare Security Awareness Training Program, which was developed to target the time and security challenges that are unique to healthcare settings.