Archive for the Commentary Category

« Older Entries

Silverfort recognized as a Microsoft Security Excellence Awards finalist 

Posted in Commentary with tags on March 20, 2023 by itnerd

Silverfort today announced it is a Zero Trust Champion and Security ISV of the Year award finalist in the Microsoft Security Excellence Awards. The company was honored among a global field of industry leaders that demonstrated success across the security landscape during the past 12 months.  

At the Microsoft Security Excellence Awards on April 24, 2023, Microsoft will celebrate finalists in 11 award categories honoring partner trailblazers, solution innovators, customer and technology champions, and changemakers. This is the fourth year Microsoft is recognizing partners for their outstanding work in the security landscape. All finalists are members of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their security products and services with Microsoft’s security technology.  

MISA was established to bring together Microsoft leaders, ISVs, and MSSPs to work together to defeat security threats and make the world a safer place. The industry veterans in MISA and Microsoft will vote to select the winners of the Microsoft Security Excellence Awards, providing an opportunity for colleagues to honor their peers for delivering exceptional work to our shared customers. 

Leave a comment »

Guest Post: Queen Elizabeth and Taylor Swift among most used passwords in 2022

Posted in Commentary with tags on March 20, 2023 by itnerd

The most frequently reused credentials eventually end up on breached lists accessible to purchase on the dark web, thus becoming a weak point in personal and company security when subject to brute force and password-spraying attacks.
 

Examining the most often reused passwords allows individuals to gain insights into what type of passwords to avoid when safeguarding their online journeys. 

Some passwords, like password, 123456, qwerty, and other similar basic choices, have always been and will remain some of the most insecure picks to protect one’s account.

However, the data presented by Atlas VPN, which comes as a courtesy of SpyCloud, who extracted it from various lists on the dark web, reveals that the most commonly used credentials also change year-by-year and reflect the hottest topics.  

It is no surprise that music, streaming, and celebrity culture are among the most prevalent themes in passwords in 2022. 

Celebrity names as most common passwords

Last year, hundreds of thousands of credentials included keywords connected to celebrities Taylor Swift, Bad Bunny, Jennifer Lopez, Ben Affleck, and Elon Musk. 

Swift’s 10th album, “Midnights,” which reportedly generated $230 million in sales, resulted in passwords such as taylor, taylor swift, swiftie, and midnights being used 186,000 times. 

Similarly, Bad Bunny’s status as the most-streamed artist on Spotify in 2022 inspired the use of bad bunny, titi, and verano as passwords, with the latter two being among his popular songs, appearing 141,000 times.

The acquisition of Twitter by Elon Musk inspired the use of twitter and elon musk as passwords, which were used 74,000 times. 

Additionally, Jennifer Lopez and Ben Affleck’s reunion and marriage, known as Bennifer, was reflected in passwords such as jennifer lopez, jlo, ben affleck, and bennifer, appearing 46,000 times.

Avoid streaming and family-related passwords

Other pop culture events that captured the public’s attention were also reflected in the list of frequently reused passwords. 

The growing popularity of streaming TV services was reflected in passwords such as youtube, netflix, and hulu, which were chosen 261,000 times. 

The death of Britain’s Queen Elizabeth and other news about the royal family ignited the use of queen, queen elizabeth, and royal family as passwords. In total, credentials with the aforementioned keywords were used 167,000 times in 2022, according to various databases on the dark web.  

As expected, other frequently reused passwords included russia, russian war, ukraine, ukraine war, and trump. 

To read the full article, head over to: https://atlasvpn.com/blog/queen-elizabeth-and-taylor-swift-among-most-used-passwords-in-2022 

Leave a comment »

Let’s Say You Want To Ban TikTok Outright… How Would It Be Done?

Posted in Commentary with tags on March 19, 2023 by itnerd

I’ve been talking a lot about Chinese owned TikTok being banned in various places. Most of these bans relate to devices with access to some sort of government network. But the stakes are about to go up for TikTok as the US is looking to ban the social media app outright. If that were to happen, how would such a ban be implemented? I have some thoughts on how that could work:

  1. Apple and Google would be required to stop offering the app for download: This one is easy as both companies can do this easily. Not only that, they can do this on a geographical basis. By that I mean that they could enforce a ban in the US by making TikTok “disappear” in the US. Though I suspect that any sort of ban would spread elsewhere, which means that they would have to do this in more places. But as I said earlier, this is easy for either company.
  2. Apple and Google would be required to remove TikTok from phones: This is where things start to get tricky. I can’t imagine that any ban on TikTok would be effective if the app were still on people’s phones. Thus I can see a scenario where TikTok was instantly “Thanos Snapped” off of every phone the moment that the ban went into effect. I imagine that both Apple and Google have the ability to do this as mobile device management programs that companies use to manage smartphones can do this. Where things become very tricky is that I can see a scenario where people might sue Apple, Google, or the government because they would feel that nobody has the right to remove apps from their phones. It is possible that both Apple and Google have language in their terms of service that nobody reads that allows them to do that. But even if they do, I suspect that a court will have to sort this out.
  3. Apple and Google would be required to stop people from “side loading” TikTok: Here’s another tricky part of this whole discussion. Side loading. Which is the act of loading an app that isn’t on an App Store onto your device. If you’re on team Apple, you’ll need to do a function called “jailbreaking” to get past Apple’s restrictions on this sort of thing. And that’s not a trivial task for 95% of Apple iPhone users. That to me suggests that Apple likely doesn’t have much to worry about on this front. The real challenge is with team Android who have made “side loading” a sport because it’s not all that difficult to do. Google would have to figure out how to shut that down to ensure that they comply with a ban of TikTok. Which given the diversity of the Android platform may be difficult or next to impossible to do.

Now it is entirely possible that TikTok may avoid an outright ban, making this all irrelevant. But I don’t think so. The US is really intent on taking it to TikTok, and US allies will likely follow suit. Thus I hope that Apple and Google are planning for this as I am sure that a ban of TikTok is coming, and they will need to respond.

Leave a comment »

Today Is Digital Cleanup Day

Posted in Commentary on March 18, 2023 by itnerd

Digital Cleanup Day, which is today, is dedicated to raising awareness of digital waste and its impact on the environment, and encouraging individuals, businesses, and even government agencies to do their part to declutter their digital footprint. It also reminds us that the ramifications of digital waste are significant. 

The Digital Cleanup Day site states that internet use accounts for 3.7% of global carbon emissions, equivalent to all air traffic in the world (a stat also found here). This digital pollution contributes to global warming and climate change. Additionally, as the number of personal devices and data centers grows in order to store, manage, utilize, and protect the world’s exponential data growth, which unfortunately oftentimes includes digital waste, they require more energy to operate, which can put a strain on the power grid and increase energy costs.

All of this is in addition of course to the negative consequences digital clutter has on maintaining uptime and availability, ensuring the security of data and infrastructure, and optimizing resource utilization, which in turn has the potential to hurt an organization’s ability to meet business requirements and stay competitive in the industry.

Carl D’Halluin, CTO of Datadobi, and Amit Shaked, CEO and co-founder of Laminar, had this to say about why it’s important to be mindful of our digital habits and to take steps to reduce digital waste:

Carl D’Halluin, Chief Technology Officer (CTO), Datadobi:

“Digital Cleanup Day is an initiative that encourages individuals and organizations to declutter and organize their digital lives. People are encouraged to clean up their digital devices, including their computers, data storage, smartphones, and tablets. This may involve deleting unnecessary files, organizing folders and emails, and/or uninstalling unused apps, unused cloud service subscriptions, and unused user accounts. The day’s goal is to promote better digital hygiene habits and help individuals and organizations become more efficient, productive, and secure in their digital lives. Of course, until recently, digital cleanup for enterprises was much easier said than done.

Organizations that wish to declutter on Digital Cleanup Day and maintain a clean and well-organized digital footprint moving forward should start with the biggest nut to crack. According to analyst estimates, 80%-90% of all data is unstructured. This includes but isn’t limited to unnecessary data copies, outdated data, data belonging to employees no longer with the organization, and expired data backups and archives. To tackle such a monumental task, users should seek a data management solution that is vendor-neutral and can handle all types of unstructured datasets, including file and object data, whether they are located on-premises or in the cloud. It must be able to assess, organize and act upon your data. That is, it must be able to assess and analyze metrics such as data size, date created, format, type, complexity, and frequency of access, as well as other unique factors that are important to your organization. Then, it must enable the user to organize the data into a schema that makes the most sense for that specific organization. And last critical piece of the puzzle… the solution must enable the user to act. That is, enable the user to migrate, move, replicate, sync, or delete data with a few clicks of the button.

Now that digital cleanup can be “easier done than said” with the right solution in hand, organizations can enjoy numerous benefits including optimized storage usage, streamlined data management, reduced risk of data breaches and non-compliance, and increased productivity due to better data accessibility. Moreover, digital cleanup can unlock the value of important data insights, leading to improved business decision-making and innovation opportunities.”

Amit Shaked, CEO and co-founder, Laminar:

“While Digital Cleanup Day’s main mission is to help organizations reduce carbon footprint, it also serves as an important reminder for IT, data governance and data security teams to start keeping tabs on all of their sensitive data in the cloud. Often data security teams are blind to the location, volume and types of sensitive data that lies in the cloud. Not only can unknown data lead to excess costs and digital waste, it can also introduce significant risk. 

The rapid shift to the cloud and move toward data democratization has enabled organizations to quickly spin up data stores, especially in buckets or blob storage. Unfortunately, however, many companies don’t have full visibility into where their sensitive data resides. This unknown or “shadow” data is growing, and is a top concern for 82% of data security professionals. Examples of shadow data include database copies in test environments, analytics pipelines, orphaned backups, unlisted embedded databases and more. 

To help reduce carbon footprint and the overall attack surface, organizations must start with complete observability of their data. With new agile and cloud-native tools, enterprises now have the solutions they need to clean up unnecessary data, and to keep up with today’s fast-paced, cloud environment.”

Leave a comment »

FDIC #Fails Audit Regarding Active Directory Controls Within Their Organization

Posted in Commentary with tags on March 17, 2023 by itnerd

The FDIC is reporting disappointing results after the Office of Inspector General performed an audit of its controls for securing and managing its Microsoft Windows Active Directory which it uses for central management of all IT system user credentials.

According to auditors, privileged system users didn’t practice simple password hygiene such as:

  • Reusing their passwords 
  • Sharing passwords across multiple accounts
  • Failing to change passwords for over a year

In addition, the probe found that, in over 900 cases, the accounts of users were not removed after prolonged inactivity. They also found three FDIC IT accounts with privileged access that remained privileged for almost a year after the access was no longer required for their positions.

Since the audit findings, the FDIC IG has made 15 recommendations to the agency for improving security controls such as providing password training and the removal of unnecessary privileges. This brings into question what training may have been up until now for password and credential controls, and other widely-used cybersecurity issues such as phishing, for example. 

Details of the cybersecurity concerns come as the financial regulator headlines the SVB failure, and following another report published earlier this year also by the OIG, which found that the FDIC is not doing enough to monitor cyber risks within the institutions it regulates.

Oh boy.

I have there comments on this rather shambolic audit. The first is from

Naveen Sunkavalley, Chief Architect at Horizon3.ai had this comment: 

   “The issues highlighted in the audit – password re-use, excessive account privileges, and the failure to deactivate stale accounts – are very serious and commonly exploited by threat actors. These issues make it easier for an attacker to compromise an account and then use that single account to take over many other accounts and elevate privileges, ultimately leading to full compromise of AD and all AD-managed assets.

   “The FDIC is not alone though. We see the same problems in many of the organizations we work with. And the problems can easily recur after being fixed once, as users join or leave an organization, or users change passwords. We recommend regular security assessments of Active Directory environments to identify issues and address them as soon as possible. 

Baber Amin, COO at Veridium had this to say:

This report highlights two fundamental problems.

  1. Reliance on knowledge based credentials and trusting that humans will not follow the path of least resistance. Training is important, but we now have the means to eliminate passwords for the most part. The report continues to focus on password quality rather than asking for removal of passwords. Strong passwords that are not shared or reused actually do not need to rotate or update often. There is ample evidence on this.
    • Multi factor authentication should also play a larger role than how it is treated in the report. This is the first line of defense.

Action:  Don’t put a training band aid, eliminate the problem, eliminate passwords.

  1. Orphan accounts and access, and overarching entitlements
    • I put these under the access umbrell  Organizations need to embrace the concept of least privileged access and grant only the minimal amount of access necessary for the minimal amount of time. We have multiple entitlement management products and services that can root out orphan accounts, access sprawl, and even unused or orphan access grants.  These tools need to be used on a regular basis.

Action: Limit access grants, use privileged access management tools to monitor privileged activity, use smart entitlements to limit overarching access, use smart monitoring to identify probes, and anomalies.

Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:

   “The fact that privileged users were found to be reusing passwords and sharing them across accounts, as well as failing to change passwords for extended periods, indicates a lack of awareness about the importance of good password hygiene practices.

   “Moreover, the incorrect account configurations, and the discovery that user accounts were not removed after prolonged inactivity, reveals a lack of oversight in managing user accounts. These are common weaknesses that leave agencies vulnerable to cyber attacks, particularly ransomware attacks, which have only increased year over year.

   “For all their potential resources, government agencies clearly need to prioritize cybersecurity best practices and implement robust security controls. This includes providing password training to users, regularly reviewing user accounts and privileges, and removing unnecessary elevated domain privileges.”

It’s bad enough that smaller businesses suffer from these sorts of issues. But for the FDIC to have these sorts of issues is insane. Hopefully this is the wake up call that they need to move them into a much better place. And everybody else should read this report and ensure that they don’t have any of these issues as well.

Leave a comment »

Rogers Email Issues Continue To Drag On…. With Not Even A Peep From The Telco

Posted in Commentary on March 17, 2023 by itnerd

I’ve been covering issues with Rogers Internet offering. It started as a general outage, but what has dragged on for weeks is an issue with email.

Let me the recap the issue that Rogers has been unable to fix. Anyone who uses Rogers email service (in other words they have a @Rogers.com address) cannot get their email. This is in part due to the fact that Rogers requires users to create  App Specific Passwords via Rogers Member Center on each program or device that an email address is used on. The creation of new app specific passwords doesn’t work and existing app specific passwords appear to have been deleted in many cases. That pretty much breaks your applications that rely on them.

#Fail

There is a workaround though:

The workaround for this is to open a web browser and go to https://mail.yahoo.com and enter your Rogers email account details there. The password that you should use is the one for Rogers Member Center. This will at least allow you to view and reply to email on the web. And while this is a sub optimal workaround for many, it’s the only workaround that exists right now. 

A secondary issue is that you might have tried to reset your email password under the belief that you were using the wrong password. If that’s you, I have some bad news for you. The only way to truly reset your email password is to dial into Rogers to do that. The good news is that once you hit a human, it doesn’t take long to do that. The bad news is that I am hearing wait times of three hours or more to actually get to a human. And I am also hearing that people are getting disconnected while waiting for a human to come onto the line. Which punts you to the back of the line. 

The fact that this workaround is available is great. But viewing mail through a web browser is suboptimal. Especially on a smart phone. And having to get a human to reset your password is likely the reason why nobody can get through to Rogers in a timely manner. For a company who has spent a lot of time and effort to improve the customer experience, that’s really bad.

But what’s worse is that the silence from Rogers is stunning. But don’t take my word on that. I’ve been monitoring this situation as I have clients who are affected by this, and there are several threads on Community Forums that I have been watching. And Rogers customers are not happy. Here’s a few examples:

I want to stop here for a second. Assuming that this comment is true, it’s pretty bad when Rogers basically lies to a customer about an issue. That erodes any trust that the customer might have left.

And I want to talk about these last two comments. The first is relates to the fact that Rogers has not said a single word about this. Zip, zero, nada. When you don’t communicate to your customers about an ongoing issue, it creates room for people to say and think anything. Which means that you (or in this case Rogers) loses control of the message. That’s where the first comment comes from. In terms of the second comment, the person who wrote this is 1000% correct. Rogers needs to communicate way better than it has to date. But Rogers hasn’t and as this person has said, they’re left in the dark as a result. That’s not a good customer experience and that will come back to haunt Rogers.

So, what are your options if you’re affected by this and the workaround is sub optimal? Well, some of my customers are having me assist them in creating domains and email addresses associated with them so that they and not their ISP are in control of their email. Basically doing what I suggest here in terms of never using an ISP’s email service. One challenge that they have is exporting emails that they have since doing what I suggest here isn’t an option at the moment. But as long as they can get email on the device or program of their choosing, that’s good enough for them and they will take care of the export part of this whenever Rogers fixes their issues.

Other clients are taking a step further. On top of doing the above, they are also transitioning over to Bell if they have that option. Which in the areas where my clients are located in, they do. The feedback that I get from these clients is that they forgave Rogers for the outage in July of last year. And they even bought into Rogers marketing (Which is dead from what I can tell. Likely because of the backlash to it) that they are “committed to Canadians“. But those days are over and it’s time to dump Rogers as far as they are concerned. The fact is that Rogers really has dropped the ball here and bungled this situation badly. However this turns out, Rogers as a telco would have really deleted whatever goodwill that it had left with its customers. Which to be frank, I didn’t think was possible.

Shame on you Rogers.

Leave a comment »

Hackers Only Need To Know Your Phone Number To Pwn Samsung Exynos Based Devices

Posted in Commentary with tags , on March 17, 2023 by itnerd

Google’s Project Zero team has posted a blog post that paints a pretty scary picture for Pixel and Samsung owners:

In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

The fourteen other related vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that are yet to be assigned CVE-IDs) were not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.

The following devices are known to be affected by these exploits:

  • Samsung phones including the Galaxy S22 series, the Galaxy M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04
  • Vivo phones including the S16, S15, S6, X70, X60 and X30
  • Google Pixel 6 and 7 series
  • Wearables using the Exynos W920 chipset
  • Vehicles that use the Exynos Auto T5123 chipset

That’s a very big list. And I have to wonder what cars use Exynos based modems. I guess we will find out shortly. In any case, the mitigation until updates come out is to turn off Wi-Fi calling and Voice-over-LTE (VoLTE). You should be able to find both of these in the Settings menu under Network & internet > SIMs, though the exact location may vary from device to device. If you have a vehicle that uses this chipset, I have no mitigation for you. And I have no way for you to check your vehicle to see if you have this Exynos chipset.

Expect patches for phones and wearables to come out soon, if they haven’t already. As for vehicles, your guess is as good as mine.

UPDATE:

David Maynor, Senior Director of Threat Intelligence at Cybrary had this to say:

   “The flaw in the baseband component is important for enterprise customers to be aware of but not for the reasons it seems. The baseband component is the radio that communicates with cellular infrastructure. The software is a binary blob that’s encrypted, and there are not good ways to inspect the baseband state. So, you have a place you can’t monitor with software you can’t inspect that creates a perfect place for bad guys to do nefarious things.”

Ted Miracco, CEO of Approov followed up with this:

   “The discovery of 18 vulnerabilities in Samsung’s Exynos chipsets is deeply unsettling, especially given that four of them enable remote code execution without any user interaction or indication. Overall, the discovery of these vulnerabilities highlights the importance of ongoing security research and the need for vendors to prioritize mobile security in their products. While, It also serves as a reminder for users to remain vigilant and take steps to protect themselves from potential attacks, the fact that an attacker only needs the victim’s phone number to carry out these attacks further highlights the severity of these vulnerabilities.”

Leave a comment »

New Zealand Becomes The Latest To Ban TikTok On Government Devices

Posted in Commentary with tags on March 17, 2023 by itnerd

The march to ban TikTok continues with news that New Zealand is going to be the latest country to ban TikTok on government devices:

New Zealand said on Friday it would ban TikTok on devices with access to the country’s parliamentary network due to cybersecurity concerns, becoming the latest nation to limit the use of the video-sharing app on government-related devices.

Concerns have mounted globally about the potential for the Chinese government to access users’ location and contact data through ByteDance, TikTok’s Chinese parent company.

The depth of those concerns was underscored this week when the Biden administration demanded that TikTok’s Chinese owners divest their stakes or the app could face a U.S. ban. 

In New Zealand, TikTok will be banned on all devices with access to parliament’s network by the end of March.

Parliamentary Service Chief Executive Rafael Gonzalez-Montero said in an email to Reuters that the decision was taken after advice from cybersecurity experts and discussions within government and with other countries.

    “Based on this information, the Service has determined that the risks are not acceptable in the current New Zealand Parliamentary environment,” he said.

The thing is that TikTok other than saying things like it it “disappointed” by these bans, hasn’t really offered up anything in the way of a substantive rebuttal to accusations that the social media app is a tool for the Chinese Communist Party to spy on the west and spread Chinese propaganda. Until they do that, these bans will simply continue. And likely expand to outright bans where TikTok will be erased from phones everywhere. Such as the one that seems to be coming in the US. So as a result of that, I expect these bans to continue to accelerate and expand.

Leave a comment »

CISA to begin scanning for vulnerabilities

Posted in Commentary with tags on March 17, 2023 by itnerd

On Monday, CISA announced that under its new Ransomware Vulnerability Warning Pilot (RVWP) program it has started scanning critical infrastructure entities’ networks for vulnerabilities to warn and help entities fix the flaws ahead of the bad actors.

As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.

CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

Naveen Sunkavalley, Chief Architect at Horizon3.ai had this to say:

   “CISA’s new program is a necessary and definite step in the right direction to protect critical infrastructure. Many N-day vulnerabilities are now being exploited by threat actors within days of being disclosed. Time is of the essence. The faster organizations are notified of critical vulnerabilities, the faster they can react to avoid compromise.

   “CISA’s program is not a panacea though. Many vulnerabilities are exploited as zero days, and there is often a delay of at least a few days between the time a new vulnerability is disclosed and when CISA adds that vulnerability to its Known Exploited Vulnerabilities catalog. Understanding which vulnerabilities are likely to be exploited and notifying prior to any known exploitation would be valuable.

   “Moreover, exploiting vulnerabilities isn’t the only method ransomware actors have at their disposal. Phishing attacks and leaked credentials are used just as often (for instance with the Colonial Pipeline attack). Organizations need to operate under the mindset that a breach will eventually happen, and critically evaluate their attack surface, both external and internal, against a wide spectrum of possible attacks.”


Dave Ratner, CEO of HYAS follows up with this:

   “We continue to see increasing attacks on all aspects of critical infrastructure and believe that increased visibility and observability into what is happening in real-time inside the environment is critical to rapid identification of these attacks and shutting them down before they expand into major incidents.  

   “Attackers continue to find new and innovative ways to circumvent the perimeter and breach both IT and OT networks; however, given that the malware then needs to beacon out for instructions, visibility into outgoing communication – which domains and what infrastructure is being communicated with and how often — can identify anomalous and nefarious activity inside the network and provide a key layer of protection, if not the “last line of defense”, for all aspects of critical infrastructure.”

This is a good step in terms of fighting threat actors. But it is only a step. This has to be combined with the hard work of those responsible for defending networks against threat actors along with spending money on the tools to effectively fight threat actors. Otherwise the CISA’s work will mean nothing.

Leave a comment »

Independent Living Is Largest Healthcare Hack of 2023 – SO FAR

Posted in Commentary with tags on March 17, 2023 by itnerd

On March 14th, Miami based Independent Living Systems (ILS) disclosed a healthcare data breach that impacted more than 4 million individuals, the largest reported healthcare data breach of 2023, so far. More on the so far part later.

Hackers were in their network from June 30th to July 5, 2020, when the company discovered that its network was accessed and employee data had been exfiltrated. Here’s a snippet of what the data breach notice said.

On July 5, 2022, ILS experienced an incident involving the inaccessibility of certain computer systems on its network. ILS responded to the incident immediately and began an investigation with the assistance of outside cybersecurity specialists. Through our response efforts, ILS learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022. During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed. Upon containing the incident and reconnecting its computer systems, ILS conducted a comprehensive review to understand the scope of potentially affected information and identify the individuals to whom such information relates. ILS received the results of this review on January 17, 2023, and then worked as quickly as possible to validate the results and provide notice to potentially impacted individuals and entities. 

The types of impacted information varies by individual and could have included: name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information.  

But the part that catches my attention is this:

ILS previously notified potentially affected individuals on September 2, 2022 by posting a preliminary notice of this data event on its website. Additionally, ILS previously provided preliminary notice to its primary state and federal regulators. Now that its review and validation efforts are complete, ILS is notifying potentially affected individuals via this media release, posting supplemental notice on its website, and mailing letters to potentially affected individuals for whom ILS has address information. ILS is also providing supplemental notice to its primary state and federal regulators, initial notice to certain additional state regulators (as required), and initial notice to the three major consumer reporting agencies (i.e., Equifax, Experian, and TransUnion). 

Yeah, it took over six months to identify and notify victims. #Fail.

Tim Schultz, VP, Research & Development at SCYTHE had this to say:

   “Healthcare data – the most treasured record in the Underground Economy.

   “The healthcare industry is going to continue to be targeted by threat actors and I don’t see it stopping anytime soon. Similar to other industries where more restrictive cybersecurity controls may have a broader business impact, cybersecurity maturity lags behind. Since medical information can be leveraged in future attacks against individuals either for social engineering or extortion, the data stolen will be valuable for a long time.”

Healthcare is a huge target for threat actors as evidenced by these major breaches:

•    February, Heritage Provider Network – 3.3 million patients
•    February, Community Health Systems – 1 million patients
•    March, Cerebral – 3.1 million patients

The take home message here is that the healthcare sector needs to up its game to stop this from happening over and over again. Because with the scale of hacks that we see in this sector, there clearly isn’t enough being done to safeguard data.

Leave a comment »

« Older Entries