A New York healthcare provider, California’s higher education system and the U.S. Department of Energy have become the latest targets of data bandits.
The latest massive data breach at a healthcare provider took place at Excellus BlueCross BlueShield, which last week revealed that the personal data of more than 10 million people was at risk due to a penetration of its computer systems that dates back to December 2013, according to a report in The Hill.
Although there’s no evidence that the attackers robbed or have used any of the information, they were able to peek at customers’ names, birth dates, Social Security numbers, mailing addresses, and financial and claims information, the paper noted.
The intrusion is among the top 20 worst healthcare breaches of all time.
Caution Still in Order
Some folks may sigh with relief at the absence of evidence any data was pinched from Excellus, but Adam Kujawa, malware intelligence leader at Malwarebytes, isn’t one of them.
Since the attackers had administrative privileges, they probably could access files on the system in unencrypted form, he told TechNewsWorld.
“With an attack of this magnitude, being done over the course of more than a year, cybercriminals probably stole information by simply copying and pasting it from its unencrypted form on the secure network to their own systems, or utilizing built-in tools to parse the information for the most valuable data,” Kujawa explained.
“At the end of the day, this is just another example of the weak cybersecurity measures we currently have in place for sensitive information,” he added. “While many industries, such as banking, are stepping up to the plate, there’s still slow adoption from industries such as healthcare,” he said.
Deja Vu Strikes Again
If the Excellus breach appears familiar, it’s with good reason, according to Eric Chiu, president and founder of HyTrust.
“There’s a striking similarity between the breach at Excellus and other recent incidents at Anthem, the Office of Personnel Management, Sony and Ashley Madison,” he told TechNewsWorld.
“The attacks are happening on the inside, where cybercriminals are leveraging [advanced persistent threats] and stolen credentials to gain access to corporate networks. From there, the attackers look like any other employee, making them difficult to detect,” Chiu explained.
“This is a critical situation,” he continued. “We need to turn our security paradigm around from an ‘outside in’ threat perspective, which has proven inefficient and largely ineffective, to an ‘inside out’ view that addresses both insider and outsider advanced threats.”
Turning the security paradigm inside out is going to take time, though — time that many healthcare organizations don’t have.
“Data breaches, especially in the target-rich healthcare industry, should no longer be considered front-page news,” said Jeff Hill, channel marketing manager for Stealthbits.
“Excellus is just the latest,” he told TechNewsWorld.
“How many attackers are currently operating without detection on the networks of other healthcare companies, as we speak?” Hill asked.
Cal State Breach
Meanwhile, another popular target for hackers — education — also fell to a data breach of note.
Some 80,000 students in the California State University system were informed that personal information they entrusted to a contractor providing the system with a class on sexual harassment was at risk, the Los Angeles Times reported last week.
Cal State had few details for the students other than to say that the breach was caused by a “vulnerability in the underlying code.”
Passwords, usernames, email addresses, and gender, race and relationship status information were compromised, Cal State said, but not high-value data like Social Security, credit card and driver’s license numbers.
The Cal State breach is another example of an organization’s supply chain becoming low-hanging fruit for hackers.
“This illustrates the need for organizations to question and verify the security practices of their vendors, particularly when their systems will be housing personal information,” said Ken Westin, a senior security analyst with Tripwire.
“In addition to ensuring that vendors regularly run vulnerability scans and follow system-hardening best practices,” he told TechNewsWorld, “questions also need to be asked regarding how sensitive information is stored on their systems.”
Bad Password Hygiene
If Cal State had reviewed the security practices of the breached vendor, We End Violence, it would have discovered some less-than-best practices.
“I verified with We End Violence by phone that the passwords being stored in these systems were not encrypted,” Westin said. “Not following this simple practice exponentially increases the risks for those students. This is particularly true if they use those same passwords for email, banking, social media and other services.”
Password hygiene is a problem at universities in general.
Of the 10 schools with the worst security postures, password exposure was the only category in which they all received a grade of F, Security Scorecard found in a report released last week.
“In general, this means that students, faculty, and employees of these colleges and universities are using easy-to-remember password combinations and are eschewing the security of these schools for the convenience of access,” the report notes.
Energy Department Breach
A government agency also made data breach news last week.
The U.S. Department of Energy’s computer systems were compromised 159 times between 2010 and 2014 — that’s 11 percent of the 1,131 hack attacks launched against the agency during the period — according to USA Today, which obtained the information through a Freedom of Information Act request.
DoE officials declined to comment on whether any sensitive data on the security of the national power grid or stockpile of nuclear weapons was stolen, the paper said, or if any foreign governments were behind the attacks.
Fifty-three successful forays against the agency were “root” compromises, meaning the raiders obtained administrative privileges for the DoE’s systems, which gave them an enormous amount of freedom to move through the systems and examine data, USA Today reported.
There’s some heartening news written between the lines of the DoE story, however.
“What differentiates high-performing organizations is not necessarily the absence of intrusions, but the speed of response and recovery,” observed Stephen Boyer, CTO of BitSight.
“The very fact that DoE has detected the issues and marked them as losses,” he told TechNewsWorld, “is a signal that they have a process in place for detection, response, recovery and reporting.”