The IT Nerd

Infosys McCamish Systems (IMS) has started sending out data breach notification letters regarding a ransomware attack that it disclosed in February 2024 to over 6 million victims, far more than the initially reported 57,000 Bank of America customers. I covered that initial report here.

IMS is a multinational corporation that provides business consulting, IT, and outsourcing services in the insurance and financial services industries for companies such as the Bank of America and seven out of the top ten insurers in the country.

In February 2024, IMS informed the public that it had been hit by ransomware in November 2023 resulting in the compromise of the personal data of about 57,000 Bank of America customers.

In a new notification shared with the authorities, IMS now says the total number of people affected is over 6 million.

The compromised data varies by individual but includes the following:

• Social Security Number 
• Date of birth
• Medical treatment/record information
• Biometric data
• Email address and password
• Username and password
• Driver’s License number or state ID number
• Financial account information
• Payment card information
• Passport number
• Tribal ID number
• U.S. military ID number

IMS has not disclosed which of its clients were impacted except for Oceanview Life and Annuity Company. The list of impacted data owners may be supplemented as more customers request to be named in the filing.

Evan Dornbush, former NSA cybersecurity expert, has this comment:

“This is another example of attacks becoming more complex and taking longer to determine full impact.

 “Also once again, this is an example of customers becoming passive victims in a process where they cannot take any action beyond hoping the breach isn’t so bad.  It’s simply maddening.  While some of the compromised data can be easily replaced – such as credit card numbers, license and passport identifiers are less easily renewed, and the loss of medical treatment and biometric data is irrevocably damaging to one’s privacy.”

Given the scope of this breach, I am hoping that IMS, Bank of America, and whomever else was involved in this is hauled before the relevant authorities and made to answer questions on this. Because a breach this size that took months to figure out is simply unacceptable.

The BlackSuit ransomware gang is claiming responsibility for a June 8th cyberattack on Kadokawa Corporation, threatening to publish stolen data unless a ransom is paid. The gang has set a deadline of July 1st for the ransom, warning that the released data will include contacts, confidential documents, employee data, business plans, and financial data.

Kadokawa Corporation is a major Japanese media conglomerate involved in film, publishing, and gaming, including the well-known game developer FromSoftware. The company reported net sales of approximately $1.6 Billion USD in 2023. The cyberattack caused service outages across multiple Kadokawa Group websites, significantly disrupting the company’s operations as they share the same data center. This attack particularly affected the popular Japanese video-sharing platform Niconico.

“In response to the system failure, Kadokawa is working on building a secure network and server environment,” explained the Wednesday update.

“Its top priority is to restore the accounting functions, which are fundamental to its business activities, and to normalize the manufacturing and distribution functions in the publication business, which generate considerable revenue. The accounting functions, owing partly to measures in an analog manner, are expected to be restored in early July.”

BullWall Executive, Carol Volk had this comment:

“As Kadokawa rebuilds its systems, focusing on the protective aspects of ransomware containment is crucial. A robust ransomware containment system offers significant benefits over simple Endpoint Detection and Response (EDR) solutions. While EDR is essential for identifying and mitigating threats, a comprehensive ransomware containment system ensures that sensitive data remains secure even during an attack. This approach not only detects but also isolates and neutralizes threats”

Cigent CGO Brett Hansen follows with this comment:

“Restoring critical functions and rebuilding the network is table stakes after a major attack and fortifying against similar threats. That said, it is more a matter of protection, than detection to ensure data remains safe during an attack. When data is protected at rest, it can remain safe during an attack. There are multiple ways to ensure an attacker in-system still cannot steal or encrypt your data. zero-trust, MFA, hidden partitions and encryption are all proven methods of protecting data at rest when properly implemented.”

I wish the company luck in restoring their systems. But in this day and age, you need a plan to keep the bad guys out, and a plan to fix everything if they do get in. I am not sure about the first part of this, but this organization is certainly testing the second part right now.

Ophthalmology practice Texas Retina Associates yesterday notified nearly 300,000 customers about a data breach earlier in the year that compromised names, Social Security numbers, medical info, health insurance info, addresses, and dates of birth:

On June 26, 2024, Texas Retina Associates (“Texas Retina”) filed a notice of data breach with the Attorney General of Texas after discovering that confidential information that had been entrusted to the company was subject to unauthorized access. In this notice, Texas Retina explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers, addresses, medical information, health insurance information and dates of birth. Upon completing its investigation, Texas Retina began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

Rogier Fischer, CEO and Co-Founder, Hadrian had this to say:

“We don’t have the specific details on the cause of breach or the impact of it, but based on the cases that we handled in the US, we see several issues firms in the US, particularly Texas, could face in such a situation. If a data breach occurs at a Texas-based firm, the Texas Business and Commerce Code mandates that the firm must notify affected individuals immediately. If over 250 residents are affected, the Texas Attorney General must also be informed. HIPAA rules come into play if any medical information was compromised, as in this case. The HIPPA provisions demand specific notifications and call for potential penalties on non-compliance.

The business or organization in question may face scrutiny from the FTC if their data security measures are deemed inadequate. Possible penalties in that case include fines, civil damages, and orders to improve our security protocols. Apart from the regulatory compliance issues, the organization could face potential class action lawsuits from affected individuals, citing negligence or breach of privacy. In this particular case, the Texas Attorney General could also pursue legal action, leading to civil penalties and mandated corrective actions.There are several steps to mitigate the damage in these situations, but adopting an offensive cybersecurity strategy is the best defense of all. Automated penetration testing keeps the organization a step ahead of their peers, while automated compliance and reporting ensures that the systems they have in place are up and updated all the time.”

I think it’s a pretty safe bet that Texas Retina Associates are about to come under a lot of scrutiny over this….. Whatever this is as details are pretty scarce. I hope they have answers for all the questions that they’ve about to be asked.

Remember when I told you that the infamous ransomware group LockBit claimed to have pwned The Federal Reserve? Well that turns out to be incorrect because yesterday, Evolve Bank & Trust confirmed in an online statement that hackers stole retail bank and financial technology partners’ customers’ information and posted it on the dark web. Here’s the connection to the Federal Reserve. The documents that were posted in relation to the alleged Federal Reserve hack actually belonged to Evolve.

“33 terabytes of juicy banking information containing Americans’ banking secrets,” claimed LockBit on its leak site.

The bank said it is investigating the incident and it appears the hackers have released data including Personal Identification Information that varies by individual but may include:

• Name
• Social Security Number
• Date of birth
• Account information
• Other personal information

Earlier this month, Evolve was subject to a Federal Reserve enforcement action and Tuesday LockBit’s dark web post linked a press release about the enforcement action alongside a collection of information apparently taken from the institution’s systems. 

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “Once an organization experiences a breach, and the smoke begins to clear after a deep investigation into what happened, the biggest question they need to ask is, “What do we do next?” Everything in the networking environment is now suspect, possibly riddled with other exploitable vulnerabilities and weaknesses that likely remain hidden. Teams must find the attack path that allowed the breach to happen, and they must uncover other attack paths that could enable it to happen again.

   “Now is the time to thoroughly assess the entire networking environment, both on-premises and cloud, but that could take months if not longer. And as one area gets assessed, and human assessors move on to the next, changes have already taken place in areas that were previously marked as secure. This is the time when autonomous assessment solutions meet a critical need.

   “These technologies are designed to find the original attack path (if it still remains a mystery) and other attack paths that remain unknown. Acting as force multipliers for human assessors, autonomous assessment solutions never tire as they scan the entire environment looking for other weaknesses such as easily compromised credentials, additional exposed data, unidentified software misconfigurations, inadequately implemented security controls, and unenforced security policies.

   “Some of these issues were probably uncovered by attackers when defenses were breached the first time. If they are not resolved now, the inescapable will likely happen again.”

At this point, Evolve has some explaining to do given the fact that it was subject to an enforcement action from the Federal Reserve. And Evolve’s customers will be waiting to hear those answers.