Last week, phishing attacks expose protected health information, hackers hijack a shoe company’s email list, patients are upset about healthcare data breaches, and Twitter comes under fire for data misuse.
United States - UAB Medicine
Exploit: Phishing attack
UAB Medicine: Academic medical center based in Birmingham, Alabama
Risk to Small Business: 1.666 = Severe: A phishing attack tricked several employees into providing their email credentials to hackers, which subsequently exposed the protected health information for thousands of patients. The email purported to originate from a hospital executive, asking employees to participate in a fake business survey. Executives believe that hackers were trying to access the healthcare provider’s payroll system, but they were prevented from reaching this information. Regardless, the August 7th breach will have a significant impact on the patients whose data was compromised and on UAB Medicine, as they will bear the cost of credit monitoring and identity theft protection services as well as the increased regulatory scrutiny because of the nature of the information involved.
Individual Risk: 2.571 = Moderate: Hackers had access to patients’ protected health information, including names, medical record numbers, dates of birth, dates of service, location of service, and other medical-related information. Some patients also had their Social Security numbers compromised. UAB Medicine is encouraging anyone impacted by the breach to closely monitor their accounts and benefit statements for fraudulent activity. In addition, they should enroll in the year of free credit and identity monitoring services provided by UAB Medicine.
Customers Impacted: 19,557
How it Could Affect Your Customers’ Business: Despite your best efforts, phishing attacks will likely make their way into your employees’ inboxes at some point. Fortunately, comprehensive awareness training can empower employees to sidestep ongoing efforts at gaining access to your network and compromising your data. Given the growing costs associated with a data breach, the ROI on cybersecurity best practices is remarkably clear and should be required for every employee with an email account.
United States - TOMS
Exploit: Unauthorized database access
TOMS: Designer and producer of shoes, eyewear, coffee, apparel, and handbags
Risk to Small Business: 2.333 = Severe: In an unusual cybersecurity incident, a hacker hijacked the mailing list for TOMS and sent a message encouraging customers to log off their devices and enjoy the outdoors. The message was not malicious in nature, but the hacker admitted that he accessed the platform for a significant time period before sending the email. The hacker also ridiculed bad actors, describing their actions in obscene language sent to TOMS customers. Fortunately, the hacker didn’t disrupt any other elements of TOMS’ IT infrastructure, but his actions highlight the company’s weak cybersecurity standards, which could negatively impact the company on many fronts.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: When it comes to protecting customer data, speed and precision are your best friends. Unfortunately, too many companies don’t have the IT capabilities to identify a data breach or to adequately investigate an event after it happens. As a result, customer data can virtually linger indefinitely before protective action can be taken, such as changing passwords or otherwise ensuring data integrity. This incident serves as an important reminder that every business needs to enlist in services that help proactively monitor and protect customer data.
United States - Methodist Hospitals
Exploit: Phishing attack
Methodist Hospitals: Community-based healthcare system located in Gary, Indiana
Risk to Small Business: 1.222 = Extreme: A successful phishing attack against two employees compromised the private health data for thousands of patients. The incident occurred in June, but the healthcare provider didn’t finish investigating the breach until August. It’s unclear why the company waited two months before making the breach public. Regardless, Methodist Hospitals will face intense regulatory scrutiny due to the nature of the information involved.
Individual Risk: 2.142 = Severe: The compromised data was accessed on June 12th or between July 1st and July 8th. It included patient names, addresses, health insurance information, Social Security numbers, government ID information, passport numbers, financial account numbers, payment card information, electronic signatures, usernames, and passwords. This incredibly expansive data set has a great value on the Dark Web, as it can be used to perpetuate additional cybercrimes. Therefore, those impacted by the breach should take every precaution to protect their data, including contacting their financial institutions and enrolling in credit and identity monitoring services.
Customers Impacted: 68,039
How it Could Affect Your Customers’ Business: Today’s digital landscape is replete with threats, but companies are not defenseless. Phishing scams require employees to actively compromise their credentials, and comprehensive awareness training can equip team members to identify and report fraudulent communications, effectively rendering them useless and creating a safe environment for your customers’ data.
Canada - TransUnion
Exploit: Unauthorized database access
TransUnion: Consumer credit reporting agency
Risk to Small Business: 2.111 = Severe: Using compromised user credentials, hackers accessed the personal information of Canadian TransUnion customers. The breach, which occurred between June 2019 and July 2019 and detected in August, shines a spotlight on the company’s delayed breach response and notification process. Although the company’s IT infrastructure wasn’t at fault, their inability to account for a holistic vulnerability that allowed hackers using stolen credentials to access their customers’ information, will bring negative media scrutiny and public attention to the company.
Individual Risk: 2.857 = Moderate: TransUnion did not release a specific overview of the compromised data; however, the sensitive nature of their business means that personally identifiable information was likely included in the event. Notably, the company acknowledged that credit report data was exposed in the breach. This can include individuals’ names, dates of birth, current and former addresses, information on existing card and loan obligations, social insurance numbers, and other sensitive data.
Customers Impacted: 37,000
How it Could Affect Your Customers’ Business: The deluge of data breaches in the past several years have made login credentials widely available to bad actors. Therefore, today’s companies should be proactive about identifying compromised credentials and taking intentional steps to limit accessibility using this information.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Twitter Uses Two-Factor Data for Targeted Advertising
Implementing cybersecurity best practices is critical for today’s companies, especially in regard to securing infrastructure throughout an increasingly complicated threat environment. Unfortunately, in many cases, organizations rely on their customers to adopt these priorities in order to effectively protect their data.
These protocols include initiatives such as using strong, unique passwords to secure accounts and implementing two-factor authentication to further secure this information. Of course, companies undermine user adoption when they use that information to serve up targeted advertising.
This week, Twitter acknowledged that it used the phone number and email address data from its two-factor authentication protocol to developing targeted advertisements. The information was used by the company’s tailored audiences program that allows companies to create targeted advertisements by matching their own marketing lists with Twitter user data. The company resolved the issue on September 17th, but it’s unclear how long companies benefit from this security-centered information.
More importantly, this misuse of personal data might discourage users from adopting these security protocols in the future, a decision that would put both parties at risk for a data breach.
A Note From Kobargo.
20,000 E-commerce Sites Could Be Compromised by Magecart
Providing an online shopping experience is increasingly critical for SMBs looking to stay ahead of the competition. Unfortunately, malware attacks are infecting the checkout page of many stores, compromising customer payment data and undermining companies’ efforts to attract business through their websites.
This reality became even more prescient this week when the notorious Magecart malware-infected Volusion, a cloud hosting platform for online stores. Already, more than 6,500 stores have been compromised, and Volusion boasts a customer base of more than 20,000 companies, so the number of infected web stores might continue to grow.
Most prominently, Volusion hosts the Sesame Street Live online store, which was brought offline after the attack was revealed.
Now thousands of companies will be left grappling with the consequences of lost sales both now and in the future. Notably, this underscores the importance of understanding the specific cyber threat landscape that most prominently impacts your business. If necessary, get third-party support from cybersecurity experts to adequately identify your risks and to establish best practice responses that ensure that your business benefits because of your IT environment.