North Texas Municipal Water District was recently pwned in a ransomware attack, causing operational issues and exfiltrated customer files:
Officials at North Texas Municipal Water District have confirmed that the water, wastewater, and solid waste management services provider had its business computer network impacted by a cyberattack, according to The Record, a news site by cybersecurity firm Recorded Future.
While phone services have been disrupted by the attack, there has been no impact on customers, said NTMWD Director of Communications Alex Johnson, who added that an investigation looking into the extent of the incident is already underway.
Ransomware operation Daixin Team has taken credit for the attack, which it claims has resulted in the exfiltration of more than 33,000 files with customer details from NTMWD’s systems.
Well that sucks for North Texas Water. Tom Marsland, VP of Technology, Cloud Range had this comment:
The breach of the North Texas Municipal Water District only breached the business network and phone system, and core water, wastewater, and solid waste services were unaffected. Kudos to the teams for strong isolation and/or practices that prevented a breach of the OT network. Municipal water and utility companies are a growing target due to limited staff – there is still a schism between IT and OT operations personnel in most organizations that I’ve worked with.
The recent publication by CISA regarding the exploitation of Unitronics PLCs used in water and wastewater systems highlights basic principles that highlight the schism between OT operations personnel and cybersecurity departments. Use of default passwords, multi-factor authentication, keeping backups of running configurations, practicing recovery, and keeping things off the open internet that do not need to be there are basic tenets of cybersecurity – the fact CISA has to remind organizations of these highlights the need for experienced professionals working in OT cybersecurity. All of these are low-hanging fruit for any organization to cover.
We will continue to see more breaches of OT/ICS systems until these methods of protection are taken seriously. Devices should not be connected to the internet that could directly impact human life just for convenience. There needs to be wider, open-source security solutions provided to smaller organizations, both in ICS/OT and IT, to help with cybersecurity practices. Too often we’re seeing the smaller organizations be the weak link in the chain that is then enabling wider breaches.
Seeing as a municipal water provider was the target of this attack, it highlights the fact critical infrastructure needs to be protected from attacks like this. But clearly that isn’t happening, and that needs to change. Now.
23andMe Puts A Number To Them Being Pwned In October
Posted in Commentary with tags Hacked on December 5, 2023 by itnerd

Back in October of this year, 23andMe was pwned in a credential stuffing attack. Fast forward to today and it appears that 23andMe has put a number on how many people were affected by this attack:
On Friday, the California-based company said in a regulatory filing that the personal data of 0.1% of customers – or about 14,000 individuals – had been accessed by “threat actors”. But the filing warned that hackers were also able to access “a significant number of files containing profile information about other users’ ancestry”.
The company confirmed to TechCrunch on Saturday that because of an opt-in feature that allows DNA-related relatives to contact each other, the true number of people exposed was 6.9m – or just less than half of 23andMe’s 14 million reported customers.
Another group of about 1.4 million people who opted in to 23andMe’s DNA relatives feature also “had their family tree profile information accessed”, the company also acknowledged. That information includes names, relationship labels, birth year, self-reported location and other data.
23andMe said in a statement: “We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts.
“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”
That is a non-trivial number of people who have been affected by this. And I don’t exactly see, nor have I heard of, any direct communication to users of this service. George McGregor, VP, Approov Mobile Security concurs with that:
“This is starting to look like a good case-study in how to not handle a breach. It’s difficult at this point to be confident that no more bad news will be forthcoming. In addition, there has still (as of December 4th) been no direct communication to users. Let it be a lesson for others to ensure a solid data breach plan is in place!”
23andMe really needs to get its act together as from what I can see, they have failed their user base miserably. And given the scope and scale of this hack, they need to do better. Much better.
UPDATE: Ted Miracco, CEO, Approov Mobile Security adds this:
“With data breaches, the compromise of DNA connections, family tree information, and genetic data exceeds the conventional threat posed by compromised credit cards and social security numbers. The depth of personal insight inherent in one’s familial relationships (& genetic blueprint!) amplifies the potential for profound and lasting damage.
“As it has been said, ‘great power comes with great responsibility’, and the alarming lack of transparency surrounding this breach heightens the implications for individuals and their privacy. The repercussions of this breach extend far beyond casting a shadow on the company’s reputation and raising questions among shareholders about the adequacy of security measures, as this problem will not be fixed with an apology and 12 months of credit monitoring services. We should expect the consequences of this breach will be far reaching, and hopefully lead to better accountability.”