Last week, a phishing scam penetrates a popular health care network, a nonprofit organization has its donor list compromised, and “password” remains a stubbornly popular password.
United States - Sinai Health System
Exploit: Phishing scam
Sinai Health System: Chicago-based healthcare network
Risk to Small Business: 1.555 = Severe: Two employees fell for a phishing scam that gave hackers access to email accounts containing patients’ personal data. The attack, which occurred on October 16th, wasn’t discovered until December. In response, Sinai Health Network reset employees’ email passwords and provided employees with phishing scam awareness training to prevent a similar event in the future. Unfortunately, these actions cannot undo the damage of a data breach, and the healthcare network will now endure heavy regulatory scrutiny, as the Office for Civil Rights has launched an investigation into the incident.
Individual Risk: 2.285 = Severe: Patients’ personal information was compromised in the breach, including their names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. Hospital administrators contend that there is no evidence of misuse, but patients impacted by the breach should not presume that their data is secure. Instead, they should closely monitor their accounts for unusual activity, and they should consider enrolling in identity monitoring services to ensure that their information isn’t misused down the road.
Customers Impacted: 12,578
How it Could Affect Your Customers’ Business: It’s inevitable that phishing scams will make their way into your employees’ inboxes. Fortunately, these attacks are useless if employees identify the threat and don’t engage with the email. Employee awareness training can empower email recipients to become a strong defense against phishing scams but waiting until after a breach to provide this training is fruitless. As Sinai Health System just learned, if employees aren’t ready to respond before an incident occurs, the training efforts won’t save your company’s data or its dollars.
United States - Special Olympics NY
Exploit: Phishing scam
Special Olympics NY: Nonprofit organization
Risk to Small Business: 2.222 = Severe: Cybercriminals hacked the organization's network and used this access to send phishing emails to its previous donors. Special Olympics NY contacted those impacted by the event, asking them to disregard the phishing communication and to offer confidence that their data was secure. Criminals created a sense of urgency by alerting donors that an automatic donation for $1,942,49 was scheduled to debit in two hours, and the emails invited users to confirm their donation by inputting their personal data on a malicious website.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: While it’s unclear how cybercriminals accessed the organization’s communications platform, it’s possible that they walked right through the proverbial front door. With millions of user logins available on the Dark Web, many hackers have critical login information available at their fingertips. Unfortunately, the consequences for businesses can be devastating. For Special Olympics NY, it’s possible that this event could discourage donors from contributing in the future, a damaging blow to one of their critical revenue streams.
United States - Active Network
Exploit: Unauthorized database access
Active Network: Educational software developer
Risk to Small Business: 1.888 = Severe: Hackers infiltrated Active Network’s IT infrastructure and gained access to customers’ personally identifiable information. Bad actors had access to the network between November 1, 2019, and November 13, 2019, but the company didn’t identify the breach until December. The breach is limited to the Active Network’s Blue Bear software platform used by public K-12 schools. This incident is an irrevocable stain on a company operating in an industry that demands data privacy as a prerequisite for doing business, meaning this breach could have significant negative consequences for their business in the future.
Individual Risk: 2.287 = Severe: Hackers accessed user names, payment card expiration dates and security codes, and Blue Bear account usernames and passwords. However, Social Security numbers, driver's license numbers, and government ID numbers were not included in the breach. Every Blue Bear user should reset their account passwords, and those impacted by the breach should notify their financial institutions of the event. Active Network is offering free identity monitoring services to victims and enrolling in this service can help ensure that their personal information isn’t misused now or in the future.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Brand reputation is a cherished and hard-earned standard that can quickly erode when a data breach strikes. With more consumers demanding a track record of high data security standards before doing business with a company, organizations have every incentive to build their reputation on the bedrock of strong data security procedures. Simply put, to remain competitive in today’s digital environment, businesses can’t just talk about data security, they actually have to protect customers’ information.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Financial Services Organizations Increasingly Targeted By Cybercriminals
According to the 2019 Financial Breach Report, financial services organizations are increasingly targeted by cybercriminals, and these breaches are putting peoples’ personally identifiable information at risk. In 2019, 6% of all data breaches impacted financial services organizations, including the Capital One breach that impacted 6 million Canadian and US customers.
However, despite the relatively small fraction of organizations breached, the industry accounted for 60% of all leaked records, with hacking and malware serving as the top cause for these breaches. Financial services organizations collect and store peoples’ most sensitive information, so any failure in this sector can have devastating consequences.
For companies, this new reality is manifesting in their bottom lines. The average cost of a stolen financial services record reached $210 in 2019, second only to the cost of a compromised healthcare record. Fortunately, preemptive measures like phishing scam avoidance training and network analysis can help ensure that cybercriminals can’t capitalize on stolen data.
A Note From Kobargo
The Worst Passwords of 2019
Using strong, unique passwords is a simple and effective way for everyone to keep their online accounts secure. Unfortunately, despite numerous warnings and seemingly unending headlines about new, devastating data breaches, people are often unwilling to adopt this practice in their daily lives.
In a year-end rundown, security researchers compiled a list of the worst commonly used passwords in 2019. Predictably, “12345,” “test1,” and “password” all made the top five most popular passwords. Other passwords included simple number combinations, popular female names, and horizontal or vertical letters or numbers on a QWERTY keyboard. It’s clear that millions of people can take a simple step to improve their defensive posture, and, when coupled with other easy-to-use features like two-factor authentication, they can promote a robust defense of their digital environment.