DOJ Consulting Firm Compromises Data Of 341k While EPA Hack Impacts 8.5m

Another day. Another case of pwnage via supply chain attack.

On Friday, Greylock McKinnon Associates, a consulting firm working with the Department of Justice, reported a data breach to regulators in Maine, telling 341,000 victims that personal information such as Medicare numbers, Social Security numbers and more was accessed during an incident last May.

The company, which provides “litigation support services in civil litigation matters,” said the information of those affected by the breach had originally been obtained by the DOJ “as part of a civil litigation matter.” Information accessed by the hackers included:

  • Names
  • Dates of birth
  • Addresses
  • Medicare Health Insurance Claim Numbers
  • Social Security numbers
  • Some medical or health insurance info

The consulting firm says it “deleted DOJ data from its systems after the incident.”

Meanwhile, on Sunday, threat actors claimed to have hacked the Environmental Protection Agency, allegedly compromising the data of over 8.5 million customers and contractors.

The EPA hasn’t yet confirmed the breach, but various reports confirm the legitimacy of the hackers’ claims. The leaked database was found to contain three zipped files with 500MB of data. The files are named: Contact (3,726,130 records), Inter_Contact (9,952,374 records), and Staff (3,325,973 records). Some of the fields included:

  • Full names
  • Phone numbers
  • Email addresses
  • Mailing Addresses
  • Company name
  • Company address

After filtering the duplicate records, the total accounts breached amounted to 8,460,182.

Corey Brunkow, Dir of Eng Operations, Horizon3.ai:

“The DOJ data breach is a great use-case example of Supplier Security Posture Management. Supplier Security Posture Management is the concept that your large organization’s exploitable attack surface is not just your own IT infrastructure any longer, but the IT infrastructure of your suppliers and your distributors too. Forward-thinking organizations like the Cyber Collaboration Center at NSA are running pilot programs to manage this risk among their defense industrial base suppliers – See Link to info here: https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/

“In this case, the US DOJ utilized a consultant (Labor Supplier) whose cyber security was not able to prevent this 3rd party attack, despite the regulations and bureaucracy of government contracting. TheRecord reports that the consulting firm deleted the data AFTER the hacking incident. This may be the case, but based on the breach notification, the consultants failed to verify that the data was either deleted or sufficiently protected prior to attackers gaining access to it. This is a common Supplier Security Risk Management risk for large organizations and should be prevented to avoid risk to brand and reputation of both suppliers and large organizations in both the commercial and government sectors.”

The EPA hack is pretty bad because of the scale. But the DOJ hack is worse because it’s another supply chain attack. How long will it take for organizations to get the message that supply chain attacks are real and defending against them has to move up the list of priorities? I ask because the number of supply chain attacks that I report on seems to be greater than the number of ransomware attacks that I report on. Which is insane and shows how bad this problem is.
