Security Breach Report: Beyond the Phish Edition
In honor of our 2016 Beyond the Phish™ Report, which was released earlier this month, we bring you a Security Breach Report that focuses on recent data and security exposures that originated outside of email attacks.
A Variety of Culprits Documented by the OCR
Between May 1 and September 2, 2016, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) logged 98 reported healthcare breaches affecting 500 or more individuals. More than a third of the breach types identified in the list indicate no ties to phishing:
- Improper Disposal: 2
- Loss: 2
- Theft: 15
- Unauthorized Access/Disclosure with Paper/Films as the location of the breached information: 15
To provide further context, 37 of the data breaches were attributed to a Hacking/IT Incident, and 14 of the Unauthorized Access/Disclosure breaches list Email as the location of the breached information.
Wireless Network Vulnerabilities
A report released by the U.S. Office of Inspector General (OIG) at the HHS revealed “significant” vulnerabilities in federal health services data centers. Penetration testing done on the wireless networks at 13 Centers for Medicare & Medicaid Services (CMS) facilities identified flaws that could have resulted in unauthorized access to protected health information. CMS blamed the problems on “improper configurations and failure to complete necessary upgrades.”
Sensitive Data Transferred to Portable Devices
A recent investigation conducted by members of the U.S. House Committee on Science, Space, and Technology revealed “major problems with the cybersecurity protocols of the Federal Deposit Insurance Corporation (FDIC).” In three significant breach incidents, an FDIC employee either accidentally or intentionally placed the banking data of thousands of individuals on an unauthorized portable drive. Five additional recent breaches involved employees who kept FDIC data after they quit or were fired. All of the breaches went unreported.
Confidential Information Left Publicly Accessible Online
Several recent data breaches occurred when companies and organizations placed PII and customer data on servers that were publicly accessible online:
- The personal data of more than 650,000 Bon Secours patients was left publicly accessible online for four days earlier this year by one of the hospital system’s business associates, R-C Healthcare Management. When the reimbursement firm was reconfiguring its network settings in April, it reportedly exposed names, insurance identification numbers, banking information, Social Security numbers, and clinical data of patients in three states.
- Two Mexican electoral databases were found online by security researcher Chris Vickery of MacKeeper. One contained more than 93 million “strictly confidential” voter registration records that Vickery indicated were stored on an Amazon cloud server configured for public access.
- Vickery reportedly found other data troves online recently:
  - A Fortune.com article outlines the breach of a mid-2014 version of the Thomson Reuters World-Check database, which is used by intelligence agencies, governments, global banks, and law firms to identify individuals with ties to terrorism, corruption, and other crimes. Vickery said the dataset, which contains 2.2 million records on “heightened risk individuals and organizations,” was stored in an open-source Apache database called CouchDB that was configured for public access.
  - Vickery claims to have discovered another publicly accessible CouchDB database stored on Google Cloud that contained more than 150 million U.S. voter profiles. He said the database required no user authentication and that he has “proof that foreigners may have been accessing it.”
  - Last December, Vickery reportedly found an unsecured MongoDB database belonging to online dating service BeautifulPeople.com. Though Vickery reported it to the company, which then secured the data, the damage was already done; the personal information of 1.1 million Beautiful People users recently ended up for sale on the black market.
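As an added defender-side example (not code from the original post or from any of the organizations named in it), the following Python audit flags the CouchDB settings that produce exactly the posture described above: an instance reachable from outside, no authentication required, and no admin account. The two ini fragments are constructed for illustration; the admin hash and salt are placeholders.

```python
import configparser
from ipaddress import ip_address

# Constructed CouchDB local.ini fragment reproducing the "open to the network, no auth" posture.
EXPOSED_INI = """
[httpd]
bind_address = 0.0.0.0
[couch_httpd_auth]
require_valid_user = false
[admins]
"""
# Constructed hardened counterpart (placeholder hash/salt, not real credentials).
HARDENED_INI = """
[httpd]
bind_address = 127.0.0.1
[couch_httpd_auth]
require_valid_user = true
[admins]
admin = -pbkdf2-PLACEHOLDER_HASH,PLACEHOLDER_SALT,10
"""

def _is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8, ::1 or the literal 'localhost'."""
    if addr.strip() == "localhost":
        return True
    try:
        return ip_address(addr.strip()).is_loopback
    except ValueError:
        return False  # unknown hostname: assume the listener is reachable

def audit_couchdb_ini(text: str) -> list:
    """Return findings for settings that turn CouchDB into an open database (1.x [httpd]/[couch_httpd_auth], 2.x [chttpd])."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in ("httpd", "chttpd"):
        addr = cfg.get(section, "bind_address", fallback=None)
        if addr is not None and not _is_loopback(addr):
            findings.append(f"[{section}] bind_address={addr}: listens on a non-loopback interface")
    # Authentication is enforced only if one of the documented sections sets require_valid_user = true.
    auth_required = any(
        cfg.get(s, "require_valid_user", fallback="false").strip().lower() == "true"
        for s in ("couch_httpd_auth", "chttpd"))
    if not auth_required:
        findings.append("require_valid_user is not true: anonymous reads are allowed")
    # An empty or missing [admins] section is CouchDB's "admin party": every client is an admin.
    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append("[admins] is empty: admin party, every client has admin rights")
    return findings
```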
Lax Security Culture
A recent U.S. congressional investigation indicated that the U.S. Office of Personnel Management (OPM) failed to implement even basic cybersecurity safeguards that could have mitigated, and potentially prevented, the agency’s mega-breaches in 2014 and 2015. The investigative report indicated that a lax security culture and ineffective leadership exacerbated the incidents, which exposed the data of more than 22 million individuals. Government officials also noted that, since 2005, the OPM had largely ignored the inspectors general’s repeated warnings about cybersecurity vulnerabilities.
The email addresses, user names, and passwords of nearly 800,000 users of Brazzers, an adult website, have recently surfaced online as the result of a data breach that originally occurred in 2012. Hackers reportedly exploited security vulnerabilities in the site’s vBulletin chat forum software, and exposed data could include sensitive messages posted within the forum.
Social Media Fraud
Dark Reading reported that a recent Proofpoint study revealed that 19% of the social media accounts associated with ten major international brands are fraudulent. According to the report, 30% of the 902 identified fake accounts are used by cybercriminals to offer counterfeit products and services, while 4% of the accounts are used to pilfer PII, deliver malware, satirize brands, and protest. The study also showed that the fastest-growing threat with social media is phishing, with a 150% uptick in scammers posing as legitimate brands in order to trick users into revealing sensitive information.
Lack of Encryption
In other “old breach haunting” news, stolen login names and passwords from a 2012 breach of the Russian Rambler.ru email service have now been placed for sale on the black market. More than 98 million users of the service — which has been described as the Yahoo of Russia — have had their information exposed as a result. According to Leaked Source, the credentials were stored in a plain text file with “no encryption or hashing.” In related “bad passwords” news, analysis of the data showed that more than 723,000 users shared the same login code: asdasd. The second most popular password choice among users: asdasd123.
U.S. healthcare organizations are also lax about encryption. A new survey of 150 hospital executives by the Healthcare Information and Management Systems Society indicates that only 68% of hospitals encrypt personal health information (like electronic medical records) when it’s shared with other parties. Compounding the problem, just 59% of these institutions use audit logs to track access to patients’ health and financial records.
A retiring system administrator was discovered to have faked a cyberattack on his employer’s website in an attempt to cover the theft of company data, which he planned to sell to cybercriminals. When the sysadmin was approached by fraudsters about selling data, he simulated a hacktivist attack on a company website in order to mask his theft of data from the server. Inconsistencies in the sysadmin’s story and actions were later discovered by the company’s web security provider.