CBIZ Pwned… And It’s Really Bad

Professional services giant CBIZ Benefits & Insurance Services (CBIZ), a management consulting company specializing in tax, financial, benefits, HR and insurance services, has confirmed a data breach in which a threat actor accessed client information in certain databases by exploiting a vulnerability in a CBIZ web page. CBIZ has 120 U.S. offices employing 6,700 people, with $1.59 billion in revenue in 2023:

On June 24, 2024, CBIZ learned that an unauthorized party may have acquired information from certain databases. CBIZ promptly launched an investigation with the assistance of cybersecurity professionals. CBIZ’s investigation determined that an unauthorized party was able to exploit a vulnerability associated with one of its web pages, and acquired information from certain databases between June 2, 2024 and June 21, 2024. 

CBIZ conducted a review of the data acquired and determined that individuals associated with multiple CBIZ clients were impacted by the incident. Beginning on July 24, 2024, CBIZ began notifying its clients of the incident and the data involved for each client. The information varied by CBIZ client and included information related to retiree health and welfare plans which, depending on the individual, may have included their name, contact information, Social Security number, date of birth, and/or date of death. 

On August 28, 2024, CBIZ began mailing letters with information about the incident to individuals on behalf of CBIZ’s clients. CBIZ has offered two years of complimentary credit monitoring and identity theft protection services for individuals whose Social Security number was involved.

Stephen Gates, Principal Security SME, Horizon3.ai had this comment:

    A seemingly harmless vulnerability in a public-facing website – that has access to downstream databases – can be the enabler of data breaches. Critical vulnerabilities like remote code execution and/or arbitrary code execution in web applications can enable these sorts of outcomes. Improper input sanitization would also be high on the list of being a likely culprit. 

Evan Dornbush, former NSA cybersecurity expert, follows with this:

    The lack of transparency surrounding the CBIZ data breach is alarming.

    Despite the mandatory SEC 8-K filing for material events, it appears that CBIZ has yet to disclose this significant incident. The company’s silence on the technical details of the vulnerability not only fails to help the community understand and take action but also undermines trust at a time when cybersecurity initiatives like CISA KEV are gaining prominence. As concerns grow, there are already law firms soliciting potential plaintiffs for a suit against CBIZ.

This is all sorts of problematic, and it honestly requires the relevant authorities to investigate further, as the lack of transparency, along with the sorts of data that were swiped, makes me wonder if there’s more to this than we know.
