The MOVEit Flaw Has Claimed More Victims

MOVEit seems to be the gift that keeps on giving for hackers, as two more organizations have been added to the list of victims. Let’s start with the Colorado Department of Health Care Policy & Financing (HCPF), which was pwned by hackers who targeted IBM, according to this notice. And according to this, over 4 million people have been affected.

Ani Chaudhuri, CEO, Dasera had this comment on this massive breach:

Indeed, the MOVEit software breach incident at IBM that led to Colorado HCPF’s data exposure is just the tip of the iceberg in what appears to be a larger vulnerability affecting several organizations. While the specific details about every breached entity might not always be public, it is imperative to understand that the software’s widespread usage makes it an attractive target. The recent disclosure by Colorado State University, which was similarly breached due to the vulnerability in the MOVEit Transfer software, affecting thousands of students and staff, underscores the urgency. If MOVEit’s vulnerability can affect educational institutions of such magnitude, it stands to reason that healthcare providers with a similar reliance on the software could be at equal, if not greater, risk, given the value of health data in the dark market.

In light of these breaches, healthcare providers must take a multi-pronged approach to damage containment:

  • Immediate Assessment: Conduct a rapid and comprehensive assessment to ascertain the extent of the breach. This involves understanding the nature of accessed data, the duration of unauthorized access, and potential secondary access points that the threat actors might have established.
  • Notify Affected Parties: Transparency is essential. Informing affected individuals meets regulatory obligations and allows them to take personal protective measures, such as monitoring for suspicious activities.
  • Enhanced Monitoring: Deploy advanced monitoring solutions to identify suspicious activities or data access patterns. This will help detect any malicious activities from the breach in real-time.
  • Rethink Data Storage and Access: Minimize the exposure of sensitive data by implementing robust data governance principles. This means limiting access based on necessity, employing end-to-end encryption, and frequently auditing data access logs.
  • Software Patching and Updates: Ensure all systems and software are updated with the latest patches. Regularly liaise with software vendors for updates on vulnerabilities and corresponding patches.
  • Employee Training: Often, the success of ransomware campaigns, like the one that exploited the MOVEit vulnerability, hinges on human error. Regular training of staff on the latest cybersecurity threats and maintaining a culture of vigilance can act as the first line of defense.
  • Collaborate and Share Information: Collaborate with other organizations, regulatory bodies, and cybersecurity entities to share knowledge about threats and best practices. This collaborative approach will not only bolster individual defenses but also strengthen the broader healthcare community’s resilience against cyber threats.
  • Cyber Insurance and Legal Counsel: Ensure that cyber liability insurance is in place. A legal team well-versed in cybersecurity issues can also guide on regulatory obligations and potential legal ramifications post-breach.

While the current scenario paints a grim picture, it’s also an opportunity. An opportunity for healthcare providers to reevaluate, reinvent, and fortify their data protection mechanisms, ensuring the sanctity of patient data now and in the future.

Now let’s move on to New York Life, which was exposed to the MOVEit Transfer attack via a third-party vendor, Pension Benefit Information (PBI):

According to PBI’s letter to the Maine Attorney General, the attack exposed 25,685 NYLIC-related individuals. The breach notification indicates that threat actors accessed individuals’ Social Security numbers (SSNs).

Losing SSNs poses significant risks, as impersonators can use stolen data in tandem with names and driver’s license numbers for identity theft.

Again, Ani Chaudhuri, CEO, Dasera has a comment on this:

The current digital landscape’s complexities have led us into an era where even the most reputable companies are vulnerable to sophisticated cyber-attacks. It’s terrible to see global giants like New York Life Insurance Company (NYLIC), Prudential Insurance, and many others fall prey to the MOVEit Transfer attacks. It underscores the fundamental challenge many corporations face: it’s not just about securing your environment but ensuring that every part of your digital supply chain is equally fortified.

First and foremost, our sympathies should lie with the companies and the millions of individuals impacted by these breaches. Having one’s personal and sensitive information exposed is a severe violation of trust and can have long-lasting repercussions. However, it’s important to remember that in many of these cases, the breached entities themselves were not the primary weak link. Instead, third-party vulnerabilities became the gateway for malicious actors to access data.

In this instance, the trend of targeting third-party vendors and systems, such as PBI, has become increasingly prevalent. It’s a cunning tactic from cybercriminals: why attack the fortress directly when you can exploit a lesser-protected entry point? Herein lies the crux of the issue: in a globally interconnected digital ecosystem, your security posture is only as strong as the weakest link in your chain.

Furthermore, this is not merely an IT or a “tech” problem—it’s a holistic business challenge. Given the increasing interdependence on third-party vendors and platforms for various services, it’s more crucial than ever for organizations to embed data governance and security into their core strategy deeply. As we’ve seen, merely patching software vulnerabilities is a reactive measure; we need proactive, comprehensive approaches that account for the entire data lifecycle and all its touchpoints.

So, what can we take away from this calamity?

  • Third-party Audits: Regularly evaluate and audit the security posture of third-party vendors, especially those with access to sensitive data. Mere assurances or past reputations are no longer sufficient.
  • Comprehensive Data Governance: Implement robust data governance frameworks that provide clear visibility into where and how data is stored, processed, and transmitted—even when outside the direct purview of the company.
  • Shared Responsibility and Collaboration: In the face of such adversities, the business community must come together, share insights, and collectively elevate our defenses against cyber threats. Finger-pointing or laying blame post-facto is counterproductive.

Every organization and individual should empathize with the affected companies and end-users. In today’s intricate digital web, any entity, regardless of size or reputation, can find itself under siege. Instead of distancing ourselves from those affected, we should draw closer, share knowledge, and fortify our collective defense. Cybersecurity isn’t a competitive advantage; it’s a shared responsibility.

In both of these cases, organizations were pwned because some other organization was exposed to MOVEit. Thus, you have to wonder how many other organizations are exposed to this threat, which right now seems completely out of control.
