Data Breach News
Our data breach news items reinforce the need for organizations to maximize their defenses against malware attacks and phishing campaigns. Even though online security awareness is at an all-time high, cybercriminals are becoming more sophisticated in the methods used to extract passwords and break into databases.
It is also apparent from reading our data breach news items that the volume of cyberattacks is increasing. In order to mitigate the risk of malware attacks, organizations should implement a web content filter, while an email filter to prevent spams and scams reaching an inbox can eliminate the risk from phishing campaigns completely. Speak with us today for more information.
Another major restaurant POS breach has been detected. This time, Cleveland-based Select Restaurants Inc., has had its POS system breached. Select Restaurants owns many well-known restaurants throughout the United States.
According to Brian Krebs, restaurants known to be affected by the POS malware infection include:
- The Rusty Scupper (Baltimore, MD)
- Parkers Blue Ash Tavern (Cincinnati, OH)
- Parkers’ Restaurant & Bar (Downers Grove, IL)
- Winberie’s Restaurant & Bar (Oak Park, IL., Princeton, NJ., Summit, NJ.)
- Black Powder Tavern (Valley Forge, PA)
The restaurant POS breach does not appear to have occurred at Select Restaurants, instead it was the chain’s POS vendor that was attacked – Geneva. IL-based 24×7 Hospitality Technology. The attack occurred via a remote access application that the company uses to remotely access, update, and maintain the POS system used by its customers.
After gaining access to the POS system, the attackers installed a form of malware known as PoSeidon. The malware records and exfiltrates credit card data when cards are swiped by restaurant staff when customers pay for their meals. The malware was installed and active for around 3 months from October 2016 to January 2017.
While fraudulent use of customers’ credit card details is often quickly detected by banks and credit card companies, it can be difficult to track those fraudulent card uses back to a specific retailer or restaurant. When major restaurant chains experience POS malware infections it is far easier to detect the source of the fraud. Malware infections at smaller restaurant chains can take much longer to detect. During that time, the credit card details of all of the restaurant’s customers can be stolen.
The remote access system could have been attacked using a variety of methods. If a weak password was used, it may have been guessed or a brute force attack could have occurred. Alternatively, an employee may have revealed a password by responding to a phishing or spear phishing email.
In this case, the malware was installed via the POS system provider, although a restaurant POS breach could just as easily occur. Restaurant chains can do little to prevent attacks on their POS system provider, but they can implement cybersecurity defenses to protect them against direct attacks.
Restaurants are major targets for cybercriminals. Malware can remain undetected for many months during which time many thousands of credit cards can be stolen. The consequences for restaurant chains can be severe. While customers may not experience any losses – their credit card company will usually refund any fraudulent purchases – the effect on a restaurant chain’s reputation can be permanent.
To protect systems from attack, restaurant chains should ensure software solutions are installed to block the most common attack vectors. Software must be kept up to date and patched promptly to prevent vulnerabilities from being exploited and antivirus solutions should be kept up to date and regular scans should be scheduled on all parts of the network.
For further information on how to prevent a restaurant POS breach and malware infections, contact the TitanHQ team today.
A health center malware infection has potentially resulted in 2,500 patients’ protected health information (PHI) being sent to unknown individuals over a period of almost a year. Lane Community College health clinic in Eugene, OR, discovered the malware during routine maintenance last month.
Further investigation determined that the malware had been installed on the computer in March 2016. The malware remained active until last month when it was discovered and removed. The malware was identified as Backdoor:Win32/Vawtrak – a Trojan backdoor that enables attackers to steal login information and take full control of an infected PC.
While data access was possible, Lane Community College health clinic uncovered no evidence to suggest patient data had been stolen, although the possibility that PHI was accessed and stolen could not be ruled out. A spokesperson for the clinic said an analysis of 20 other computers used by the clinic uncovered no further malware infections. In this case, the infection was limited as the computer was not connected to other computers on the network.
The only data exposed were those stored on the machine itself. The information potentially exposed included patients’ names, addresses, phone numbers, dates of birth and medical diagnoses.
A health center malware infection can prove costly to resolve. In this case, the infection was limited to one machine, although once access has been gained and malware installed, hackers can often move laterally within a network and spread infections to other machines. Once data have been exfiltrated and there is no further need for access, hackers commonly install ransomware to extort money from their victims.
The exposure or theft of patient data can often lead to lawsuits from patients. While many of those lawsuits ultimately fail, defending a lawsuit can be costly. Healthcare data breaches that result in more than 500 records being exposed are also investigated by the Department of Health and Human Services’ Office for Civil Rights to determine whether the breaches were caused as a result of HIPAA violations. Should HIPAA Rules be found to have been breached, covered entities may have to cover heavy fines.
Health center malware attacks are commonplace due to the value of healthcare data on the black market. Healthcare providers should therefore implement a range of defenses to protect against malware infections.
Malware is commonly inadvertently installed by end users via spam email or redirects to malicious websites. Both of these attack vectors can be blocked with low cost solutions. Backdoor:Win32/Vawtrak – also known as Trojan-PSW.Win32.Tepfer.uipc – is recognized by Kaspersky Lab – one of the dual AV engines used by the SpamTitan spam filtering solution. SpamTitan blocks 100% of known malware and blocks 99.97% of spam emails to keep end users and computers protected.
To protect against Web-borne attacks and to prevent malicious software downloads, WebTitan can be deployed. Web-Titan is a powerful DNS-based web filtering solution that can be used to block a wide range of web-borne threats to keep healthcare networks malware free.
Both solutions are available on a free 30-day trial to allow healthcare providers to experience the benefits first hand before committing to a purchase.
To find out more about TitanHQ’s cybersecurity solutions for healthcare organizations or to sign up for a free trial, give the sales team a call today.
A recent university cyberattack in the United States resulted in more than 5,000 systems being taken out of action.
The university cyberattack only became apparent after the IT department was flooded with complaints from staff and students that the Internet had slowed to a snail’s pace. By the time that the cyberattack was identified, the attack had spread to multiple systems and devices, resulting in major headaches for the IT department. Attempts were made to bring systems back online but they failed. Not only had IoT devices been compromised, passwords were changed by the attackers. The IT department was locked out and was prevented from gaining access to any of the compromised devices.
The attack involved a range of devices. Even campus vending machines had been loaded with malware and were under the control of the attackers. In total, 5,000 smart devices were compromised in the attack and had been added to an emerging IoT botnet.
An investigation was launched which revealed the extent of the attack. Virtually the entire IoT network had been lost to the attackers. Everything from smart lightbulbs in street lamps to drink-dispensing vending machines had been infected with malware and made part of a botnet.
The IoT devices were making hundreds of DNS lookups, preventing users from performing web searches or visiting websites. In this case, the devices were being used to make seafood-related searches. So many searches that genuine use of the Internet was prevented.
Once the first devices were compromised, the infection spread rapidly. Every IoT device connected to the network was attacked, with the devices brute-forced until the correct username and password combo was found. The devices were then loaded with malware and added to the botnet. The speed at which the IoT devices were compromised and loaded with malware was due to the use of weak passwords and default login credentials. The university, for convenience, had also made the mistake of loading all IoT devices onto one network.
Once the attackers had gained access to an IoT device and loaded their malware, they had full control of the device. To prevent removal of the malware, the attackers changed the password on the device, locking the IT department out.
Once that had occurred, the only way the IT department thought it would be possible to remove the malware and regain control would be to replace every IoT device. All 5,000 of them.
However, before such a drastic measure was taken, the university sought external assistance and was advised to use a packet sniffer to intercept clear-text passwords sent by the attackers to the malware-compromised devices. The university was able to read the new passwords and regain access to its IoT devices. Passwords were then changed on all 5,000 devices and the malware was removed.
A university cyberattack such as this can cause considerable IT headaches, major disruption for staff and students, and involves a not insignificant resolution cost. However, the university cyberattack could have been avoided. Even if an attack was not prevented, its severity could have been greatly reduced.
Had strong passwords been set, the attackers would have found it much harder to infect devices, buying the IT department time and allowing action to be taken to mitigate the attack.
While it is easy to see why all IoT devices were included on a single network, such a move makes it far too easy for cybercriminals to spread malware infections. It is never wise to put all of one’s eggs in the same basket. It is also important to ensure that networks are separated. If access to devices on one network is gained, damage will be limited.
The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.
Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.
Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath Swaine & Moor LLP and Gotshal and Manges LLP.
However, while those attacks were damaging, they arguably caused less harm than the Panama Papers Breach – The largest law firm data breach of the year. That attack resulted in an astonishing 2.6 Terabytes of data being stolen by the attackers – Documents that revealed highly sensitive banking activities of criminals, politicians, athletes and businessmen and women. More than 214,000 companies had data revealed as a result of that law firm data breach.
While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.
Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations – although it is becoming less effective in that regard – although it will do little to prevent phishing attacks.
A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.
Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.
A restaurant malware attack has resulted in the theft of the credit and debit card numbers of more than 355,000 customers, according to Krebs on Security. A breach was suspected to have occurred when credit unions and banks started to notice a flurry of fraudulent purchases. The breach was traced to the fast food restaurant chain Arbys.
While there have been numerous instances of credit card fraud reported in the past few days, the Arbys data breach was first identified in January. Industry partners contacted Arbys regarding a potential breach of credit/debit card numbers. At that point, the incident was only thought to have affected a handful of its restaurants.
The malware infection was soon uncovered and the FBI was notified, although the agency requested that Arby’s did not go public so as not to impede the criminal investigation. However, a statement has recently been released confirming that Arby’s is investigating a breach of its payment card systems.
Upon discovery of the breach, Arby’s retained the services of cybersecurity firm Mandiant to conduct a forensic analysis. The Mandiant investigation is continuing, although rapid action was taken to contain the incident and remove the malware from Arby’s payment card systems. The investigation revealed that the incident only impacted certain corporate-owned stores. None of the franchised stores were infected with malware. Arbys has more than 3,300 stores across the United States, more than 1,000 of which are corporate-owned.
PSCU, an organization serving credit unions, was the first to identify a potential breach after receiving a list of 355,000 stolen credit card/debit card numbers from its member banks. It is currently unclear when the restaurant malware attack first occurred, although the malware is currently thought to have been actively stealing data from October 25, 2016 until January 19, 2017, when the malware was identified and removed.
This is of course not the first restaurant malware attack to have been reported in recent months. The restaurant chain Wendys suffered a similar malware attack last year. That incident also resulted in the theft of hundreds of thousands of payment card details before the malware was discovered and removed. Similar payment card system malware infections were also discovered by Target and Home Depot and resulted in huge numbers of card details being stolen.
Details of how the malware was installed have not been released, although malware is typically installed when employees respond to spear phishing campaigns. Malware is also commonly installed as a result of employees clicking on malicious links contained in spam emails or being redirected to malicious sites by malvertising. In some cases, malware is installed by hackers who take advantage of unaddressed security vulnerabilities.
Once malware has been installed it can be difficult to identify, even when anti-virus and anti-malware solutions are in use. As was the case with the latest restaurant malware attack, data theft was only identified when cybercriminals started using the stolen payment card information to make fraudulent purchases.
Protecting against malware attacks requires multi-layered cybersecurity defenses. Good patch management policies are also essential to ensure that any security vulnerabilities are remediated promptly. Anti-spam and anti-phishing solutions can greatly reduce the volume of messages that make it through to employees’ inboxes, while malicious links and redirects can be blocked with a web filtering solution. A little training also goes a long way. All staff members with computer access should receive anti-phishing training and should be instructed on security best practices.
Regular scans should be performed on all systems to search for malware that may have evaded anti-virus and anti-malware solutions. Since a restaurant malware attack will target payment card systems, those should be frequently scanned for malware. Rapid detection of malware will greatly reduce the damage caused.
If your organization was hit with a malware or ransomware infection last year, the 2016 malware report from Malwarebytes may serve as an unpleasant reminder of 12 months best forgotten. Malware infections rose in 2016 and ransomware infections soared. In the case of the latter, there was an explosion in new variants. Malwarebytes charted a 267% increase in ransomware variants between January 2016 and November 2016. In quarter four alone more than 400 active ransomware variants were cataloged.
The 2016 malware report shows how ransomware has become the revenue-generator of choice for many cybercriminals. It is easy to understand why. Infecting computers is a relatively easy process, ransom payments are made within a matter of days, much of the process is entirely automated, and ransomware-as-a-service means no skill is even required to jump on the bandwagon and send out campaigns.
The 2016 malware report indicates ransomware accounted for 18% of malicious payloads from spam email and ransomware is the payload of choice for exploit kits, accounting for 66% of malicious downloads.
Locky was a major threat for most of the year, but in December there was a massive spike in Cerber ransomware variants, which are now the most populous ransomware family.
The cybersecurity’s company’s 2016 malware report confirms what many security professionals already know all too well. 2016 was a particularly bad year for everyone but the cybercriminals. Unfortunately, the outlook for 2017 does not look any better. In fact, it looks like it will be even worse.
Predictions have been made that will send shivers down many a system administrator’s spine. Ransomware is set to become even more aggressive. Critical infrastructures are likely to be targeted. Healthcare ransomware attacks will increase potentially placing patients’ lives at risk. Educational institutions will be targeted. No organization will be immune to attack.
Fortunately, new ransomware families will be limited in 2017. But that is only because Locky and Cerber are so effective and can easily be tweaked to avoid detection.
Then there are the botnets. The increase in use of IoT devices would not be a problem, were it not for a lack of security. Many insecure devices are coming to market which can all too easily be added to botnets. As we saw in the tail end of the year, these botnets – such as Mirai – are capable of conducting devastating DDoS attacks. Those attacks are only likely to increase in scale and frequency. As Malwarebytes correctly points out, unless manufacturers of IoT devices are better regulated and are forced to improve their security, vast sections of the Internet will come under threat.
So, it looks like all bad news for 2017. All organizations can do is purchase the technology to deal with the threats, plug security holes promptly, train staff to be aware of the threats, and shore up their defenses. The next 12 months could be a rocky ride.
Hotel malware attacks have been hitting the headlines in the past two years as cybercriminals target hotels looking for payment card information. Now, InterContinental Hotels Group Plc has announced that a malware infection has potentially resulted in the theft of customers’ payment card details from 12 of its hotels in the United States. The hotel malware attacks affected guests at InterContinental Hotels as well as Crowne Plaza and Holiday Inn hotels.
The data breach affected the payment systems used by the hotel chain’s restaurants and bars, but did not extend to the front desk system used to process guests.
Malware was installed on the hotels’ servers which searched for and obtained customer track data from credit and debit card transactions. Customers’ card data – including names, card numbers, expiry dates and verification codes – were intercepted and potentially stolen using the malware. The malware was discovered in late December when the hotel chain hired a cybersecurity firm to investigate a potential data breach following an unusual level of fraud affecting the hotel chain’s customers. That investigation revealed malware had been installed as early as August 1, 2016 which remained active until December 15, 2016.
InterContinental has not disclosed whether the malware passed on any payment card information to the attackers nor how many customers had been impacted by the incident, only that servers at 12 of the chain’s hotels had been affected. Investigations into the security breach are continuing and the investigation has now been extended to other hotels owned by InterContinental in the Americas.
Hotels are commonly targeted by cybercriminals seeking payment card information. Last summer, InterContinental’s Kimpton Hotels & Restaurants were attacked with malware and similar incidents were reported last year by Marriot International’s Starwood Hotels as well as the Hyatt, Westin, and Sheraton hotel chains. Hotel malware attacks were reported by the Hilton chain and Trump Hotels in 2015.
Cybercriminals are most interested in POS systems used by hotels. Malware is installed that is capable of capturing payment card information and those data are then transferred to the attackers. All too often, malware is installed and stays active for months before it is detected. During that time, tens of thousands of hotel guests can be impacted and have fraudulent charges applied to their accounts.
While hotel customers are often covered by their card providers’ insurance policy, the fallout from these incidents can be considerable. When guests suffer credit card and debit card fraud as a result of visiting a particular hotel, they may take their business elsewhere.
Malware can be installed by cybercriminals via a number of different attack vectors. Direct attacks take advantage of security flaws in software and hardware. Last year, Cylance’s Sophisticated Penetration Exploitation and Research Team (SPEAR) identified a zero-day vulnerability in ANTLabs InnGate routers, which are used by many of the top hotel chains to provide Internet access for guests. The flaw could be exploited to gain access to guest’s smartphones, laptops, and tablets, or potentially be used to install malware that targets POS systems on hotel servers.
According to SPEAR, the flaw was being actively exploited and 277 hotels had been targeted across 29 countries, including more than 100 hotels in the United States. Eight out of the world’s top ten hotel chains were found to have systems vulnerable to this type of attack. A patch was promptly issued to correct the flaw and hotels were able to plug the security hole.
It may not be possible to prevent attacks that exploit zero-day vulnerabilities; however, there are steps that can be taken to reduce hotel malware attacks. Malware is often downloaded as a result of employees’ or guests’ actions. Malware may be deliberately installed, although all too often downloads occur silently as a result of employees and guests visiting malicious websites.
Blocking access to these websites will protect both the hotel and its guests from web-borne malware and ransomware attacks. If a web filter – such as WebTitan – is installed, all websites known to house malware will be blocked.
If you run a hotel or hotel chain, a web filter is an additional layer of security that should be seriously considered. A web filter will help to reduce the risk of malware and ransomware infections and keep hotel networks safe and secure for all users.
A hotel ransomware attack in Austria hit the headlines in the past couple of days. The cyberattack affected the Romantik Seehotel Jägerwirt. The hotel’s computer system was infiltrated by the attacker who installed ransomware. A range of files were encrypted, which prevented the hotel from being able to check-in new guests and issue new key cards for hotel doors.
Hotel Ransomware Attack Hampers Guest Check-ins
Early reports of the hotel ransomware attack suggested hotel guests were locked out of their rooms or, in some cases, locked in their rooms. The latter is not possible as even when electronic key cards are used, locks can be opened manually from the inside. Guests who had been issued with key cards prior to the attack were also able to use their cards to get in their rooms, according to a statement issued by the hotel’s manager.
However, the cyberattack still caused considerable disruption at the 111-year old hotel. According to local news sources, the attack affected the hotel’s key card system, reservation system, and its cash desk.
Since files were encrypted that were necessary to program new key cards, any guest that had not been checked in before the cyberattack occurred experienced considerable delays. The issue was only resolved when the hotel paid the ransom demand of 1500 Euros – approximately £1,300/$1,600. Systems remained out of action for 24 hours as a result of the attack.
This was not the only attack affecting the hotel. A second attack reportedly occurred, although the hotel was able to thwart that attempt by taking its systems offline. Repeat attacks are unfortunately common. If one ransomware attack results in the payment of a ransom, other attacks may also occur as the attackers attempt to extort even more money from their victim. Backdoors are often installed during initial attacks to enable access to continue after payment has been made.
Not being able to check-in new guests for a period of 24 hours can make a serious dent in profits, not only from guests being forced to seek alternative accommodation, but also from the damage to a hotel’s reputation. Such an attack can keep future guests away.
In this case, in addition to paying the ransom demand, the manager of the Romantik Seehotel Jägerwirt confirmed that the hotel will be going old school in the impending future. Rather than continue to use an electronic key card system, the hotel will revert to using standard keys for hotel room doors. Another hotel ransomware attack would therefore not prevent guests from checking in.
Hotels Must be Prepared for Cybersecurity Incidents
This is not the first hotel ransomware attack to have occurred in 2017 and it certainly will not be the last. Hotels are attractive targets for cybercriminals because hotels cannot afford to have critical systems offline for lengthy periods of time due to the disruption they cause. Cybercriminals know that ransom demands are likely to be paid.
In this case, no lasting harm was caused, although that does not mean future attacks will be limited to reservation systems and cash desk operations. Elevator systems may be targeted or other systems that have potential to compromise the health and safety of guests.
Hotels therefore need to make sure that not only are defenses augmented to prevent ransomware attacks, but a data breach response plan is in place to ensure that in the event of a cybersecurity incident, rapid action can be taken to limit the harm caused.
Malware and phishing attacks on healthcare organizations are all but guaranteed. In fact, they are almost as certain as death and taxes. Healthcare organizations hold huge volumes of data on patients and more types of data than virtually any other industry.
Healthcare providers store personal information and Social Security numbers, which are needed for identity theft and tax fraud. Insurance information that can be used for health insurance fraud; Medicare/Medicaid numbers and health information that can be used for medical fraud. Bank account information and credit card numbers are also often stored. For cybercriminals, breaching a healthcare organization’s defenses means a big payday.
Further, health data does not expire like credit card numbers. Social Security numbers never change. It is therefore no surprise that malware and phishing attacks on healthcare organizations are on the rise.
As if there was not enough incentive to attack healthcare organizations, the healthcare industry has underinvested in cybersecurity defenses, lagging behind other industries when it comes to implementing the latest technologies to thwart cybercriminals. Healthcare networks are also highly complex and difficult to protect. They also contain many outdated software and operating systems. Many healthcare organizations still run medical devices on the unsupported Windows XP OS, which contains many vulnerabilities.
The Health Insurance Portability and Accountability Act (HIPAA) has helped to bring cybersecurity standards up to an acceptable level. HIPAA compliance has made it harder for cybercriminals, although far from impossible. With the healthcare industry, firmly in cybercriminals’ crosshairs, healthcare organizations need to look beyond meeting the minimum standards for data security to avoid a HIPAA fine and ensure that defenses are improved further still.
One of the biggest problems comes from cyberattacks on healthcare employees. Even advanced firewalls can be easily avoided if employees can be fooled into clicking on a malicious link or opening an infected email attachment. Phishing attacks on healthcare organizations are the most common way that cybercriminals gain access to healthcare networks. Most cyberattacks start with a spear phishing email.
In addition to perimeter defenses, it is essential for healthcare organizations to employ technologies to block phishing attacks. Advanced spam filters will prevent the vast majority of phishing emails from being delivered, while web filtering solutions will block phishing attacks on healthcare organizations by preventing malicious links from being clicked and malicious websites from being accessed.
Fortunately, with appropriate defenses in place, cyberattacks can be prevented and the confidentiality, integrity, and availability of ePHI can be preserved.
For further information on the major healthcare cyberattacks of 2016, the key threats to healthcare organizations, and the impact of data breaches, click the image below to view our healthcare hacking infographic.
According to a new report from data breach insurance provider Beazley, US ransomware attacks on enterprises quadrupled in 2016. There is no sign that these attacks will slow, in fact they are likely to continue to increase in 2017. Beazley predicts that US ransomware attacks will double in 2017.
Half of US Ransomware Attacks Affected Healthcare Organizations
The sophisticated nature of the latest ransomware variants, the broad range of vectors used to install malicious code, and poor user awareness of the ransomware threat are making it harder for organizations to prevent the attacks.
For its latest report, Beazley analyzed almost 2,000 data breaches experienced by its clients. That analysis revealed not only that US ransomware attacks had increased, but also malware infections and accidental disclosures of data. While ransomware is clearly a major threat to enterprises, Beazley warned that unintended disclosures of data by employees is actually a far more dangerous threat. Accidental data breaches increased by a third in 2016.
US ransomware attacks and malware incidents increased in the education sector, which registered a 10% rise year on year. 45% of data breaches experienced by educational institutions were the result of hacking or malware and 40% of data breaches suffered by companies in the financial services. However, it was the healthcare industry that experienced the most ransomware attacks. Nearly half of 2016 US ransomware attacks affected healthcare organizations.
The report provides some insight into when organizations are most at risk. US ransomware attacks spiked at the end of financial quarters and also during busy online shopping periods. It is at these times of year when employees most commonly let their guard down. Attackers also step up their efforts at these times. Beazley also points out that ransomware attacks are more likely to occur during IT system freezes.
Ransomware Attacks on Police Departments Have Increased
Even Police departments are not immune to ransomware attacks. Over the past two years there have been numerous ransomware attacks on police departments in the United States. In January, last year, the Midlothian Police Department in Chicago was attacked with ransomware and paid a $500 ransom to regain access to its files.
The Dickson County Sheriff’s Office in Tennessee paid $572 to unlock a ransomware infection last year, and the Tewksbury police department in Massachusetts similarly paid for a key to decrypt its files. In 2015, five police departments in Maine (Lincoln, Wiscasset, Boothbay Harbor, Waldboro and Damariscotta) were attacked with ransomware and in December 2016, the Cockrell Hill Police Department in Texas experienced a ransomware infection. The attack resulted in video evidence dating back to 2009 being encrypted. However, since much of that information was stored in backup files, the Cockrell Hill Police Department avoided paying the ransom.
Defending Against Ransomware
Unfortunately, there is no silver bullet to protect organizations from ransomware attacks. Ransomware defenses should consist of a host of technologies to prevent ransomware from being downloaded or installed, but also to ensure that infections are rapidly detected when they do occur.
Ransomware prevention requires technologies to be employed to block the main attack vectors. Email remains one of the most common mediums used by cybercriminals and hackers. An advanced spam filtering solution should therefore be used to prevent malicious emails from being delivered to end users. However, not all malicious attachments can be blocked. It is therefore essential to not only provide employees with security awareness training, but also to conduct dummy ransomware and phishing exercises to ensure training has been effective.
Many US ransomware attacks in 2016 occurred as a result of employees visiting – or being redirected to – malicious websites containing exploit kits. Drive-by ransomware downloads are possible if browsers and plugins are left unpatched. Organizations should ensure that patch management policies are put in place to ensure that all systems and software are patched promptly when updates are released.
Given the broad range of web-based threats, it is now becoming increasingly important for enterprises to implement a web filtering solution. A web filter can be configured to prevent employees from visiting malicious websites and to block malvertising-related web redirects. Web filters can also be configured to prevent employees from downloading malicious files and engaging in risky online behavior.
The outlook for 2017 may be bleak, but it is possible to prevent ransomware and malware attacks. However, the failure to take adequate preventative steps to mitigate risk is likely to prove costly.
A recently released 2016 data breach report has shown that the number of data breaches reported by businesses has remained fairly constant year on year. 4,149 data breaches were reported between January and December 2016, which is broadly on a par with the figures from 2015.
2015 saw the largest ever healthcare data breach ever reported – The 78.8 million record data breach at Anthem Inc. There were also two other healthcare data breaches in 2015 that resulted in the theft of more than 10 million records. The 11-million record breach at Premera Blue Cross and the 10-million record breach at Excellus BlueCross BlueShield.
2016 saw more data breaches reported by healthcare organizations than in 2015, although the severity of the attacks was nowhere near as bad. More than 27 million healthcare records were exposed in 2016, whereas the total for 2015 was in excess of 113 million.
2016 Data Breach Report Shows Severity of Cyberattacks Has Dramatically Increased
While the severity of healthcare data breaches fell year on year, the 2016 data breach report from Risk Based Security shows an overall increase in the severity of data breaches across all industries. 2016 was a record-breaking year.
In 2013 more than 1 billion records were exposed or stolen – the first time that the 1 billion record milestone had been passed. 2016 saw that previous milestone smashed. More than four times as many records were stolen in 2016 than in 2013. 2016 data breaches exposed an incredible 4.2 billion records.
The RBS 2016 data breach report details 94 data breaches that exposed more than 1 million records. 37 breaches resulted in the exposure of more than 10 million records. The United States was the biggest target, accounting for 47.5% of the data breaches reported over the course of the year.
Healthcare data breaches hit the headlines frequently in 2016 due to the potential impact they had on the victims. However, healthcare industry data breaches only made up 9.2% of the annual total. The business sector was the worst hit, accounting for 51% of breaches in 2016. Government organizations made up 11.7% of the total and education 4.7%.
According to the RBS 2016 data breach report, the top ten data breaches of 2016 exposed an incredible 3 billion records and the average severity score of those breaches was 9.96 out of 10. All but one of those security breaches was caused by hackers. One of the incidents was a web-related breach. Six of the data breaches reported in 2016 ranked in the top ten list of the largest data breaches ever reported.
Six 2016 Security Incidents Ranked in the Top 10 List of Largest Ever Data Breaches
The largest data breach of 2016 – and also the largest data breach ever reported – was the hacking of Yahoo. More than 1 billion user credentials were exposed as a result of that cyberattack. While malware is a major threat to businesses, malware attacks only accounted for 4.5% of data breaches in 2016. Hacking exposed the most records and was the main cause of 2016 data breaches, accounting for 53.3% of incidents and 91.9% of the total number of stolen records.
Many organizations also reported being attacked on multiple occasions. The 2016 data breach report shows that 123 organizations reported multiple data breaches in 2016 and 37% of those organizations reported experiencing three or more data breaches between January and December.
According to RBS, more than 23,700 data breaches have now been tracked. In total, more than 9.2 billion records have been exposed or stolen in those incidents. According to RBS Executive vice president Inga Goddijn, “Any organization that has sensitive data – which is every organization with employees or confidential business information – can be a target.”
Cyberattacks are coming from all angles. Employees are being targeted via email, the volume of malware-laden websites and phishing sites has soared, malvertising is increasing and hackers are exploiting unpatched software vulnerabilities.
It is difficult to predict how bad 2017 will be for cybersecurity breaches, but it is fair to assume that data breaches will continue to occur at a similar level. Organizations need to respond by increasing their cybersecurity defenses to prevent attacks from occurring, but also to prepare for the worst and ensure they are ready to deal with a breach when one occurs. A fast response can limit the damage caused.
Credential stuffing attacks on enterprises are soaring according to a recent study conducted by Shape Security. The massive data breaches at the likes of LinkedIn, Yahoo, MySpace have provided cybercriminals with passwords aplenty and those passwords are used in these automated brute force login attempts.
Organizations that have discovered data breaches rapidly force password-resets to prevent criminals from gaining access to users’ accounts; however, stolen passwords can still be incredibly valuable. A study conducted by Microsoft in 2007 suggested that the average computer user has 25 accounts that require the use of a username and password, while Sophos suggests users have an average of 19 accounts.
Password managers can be used to help individuals remember their login credentials, but many people have not signed up for such a service. To remember passwords people just recycle them and use the same password over and over again. Cybercriminals are well aware of that fact and use stolen passwords in credential stuffing attacks on websites and mobile applications.
Shape Security suggests that for many enterprises, 90% of login traffic comes from credential stuffing attacks. Those attacks can be highly effective and since they are automated, they require little effort on the part of the attacker. A batch of passwords is purchased from any number of sellers and resellers on darknet marketplaces. A target site is identified and an automated script is developed to login. The criminals then scale up the assault by renting a botnet. It is then possible to conduct hundreds of thousands of login attempts simultaneously.
Many of the stolen credentials are old, so there is a high probability that passwords will have been changed, but not always. Many people keep the same passwords for years.
The success rate may be low, but the scale of the credential stuffing attacks gives cybercriminals access to hundreds of thousands of accounts.
Shape Security researchers suggest the success rate of these attacks is around 2%. To put this into perspective, if the passwords from the Yahoo data breach were used in credential stuffing attacks, which they almost certainly are, a success rate of 2% would give criminals access to 20 million user accounts.
There is certainly no shortage of passwords to attempt to use to gain access to accounts. According to the report, more than 3 billion username and password combinations were stolen by cybercriminals in 2016 alone. That would potentially give the attackers access to 60 million accounts.
These attacks are not hypothetical. During a 4-month observation period of just one major U.S. retailer in 2016, Shape Security discovered that 15.5 million attempted logins occurred. Even more worrying was that more than 500,000 of the retailer’s customers were using recycled passwords that had previously been stolen from other websites.
Additionally, as a recent report from SplashData has shown, weak passwords continue to be used. The top 25 list of the worst passwords in 2016 still contains very weak passwords such as 123456 and password. These commonly used passwords will also be attempted in brute force attacks. SplashData suggests as many as 10% of Internet users use at least one of the passwords in the top 25 worst password list.
These studies highlight the seriousness of the risk of recycling passwords and send a clear message to organizations: Develop mitigations to prevent the use of stolen credentials and ensure that password policies are developed and enforced.
Trump Hotels and Management LLC has paid the price for failing to implement robust security controls to secure its POS system from cybercriminals.
The hotel chain, which is headed by Donald Trump and run by three of his children, has been fined $50,000 by the New York Attorney General for a data breach that exposed the credit card details and personal information of over 70,000 guests in 2015.
Banks conducted an investigation following a spate of fraudulent credit card transactions last year, and determined that the common denominator was all of the victims had previously stayed in Trump-owned hotels. In all of the cases, Trump Hotels was the last merchant to process a legitimate card transaction, indicating there had been a breach of credit card details at the hotel chain.
A further investigation revealed that the POS system used by 5 Trump hotels in Chicago, Las Vegas, and New York had been infected with malware. The malware was installed on the credit card processing system in May 2014 and access to the system was gained using legitimate domain administrator credentials. The malware was able to capture the payment card information of guests.
The fine, which was announced by New York Attorney General Eric Schneiderman on Friday, was issued for the failure to adequately secure its systems and for the delay in issuing breach notifications to consumers. Trump Hotels did place a breach notice on the company website, but it took 4 months for that notice to be uploaded – a breach of state laws in New York.
Schneiderman explained “It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law.”
A spokesperson for Trump Hotels explained that the hotel industry is under attack by cybercriminals looking to gain access to guests’ credit card details. “Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations including almost every major hotel company.”
Other notable hospitality industry breaches include the cyberattack on Hyatt hotels and Starwood Hotels & Resorts Worldwide. The Hyatt breach affected 250 hotels, while the Starwood breach resulted in the POS systems of 54 hotels being loaded with malware.
Cyberattacks are to be expected; however, security controls at Trump Hotels appear to be insufficient. A second credit card system data breach was discovered to have affected the hotel chain in March this year. Investigators discovered malware had been installed on 39 computer systems used at various locations.
In addition to the $50,000 fine, Trump Hotels has agreed to adopt a corrective action plan which requires additional security controls to be installed to prevent future data breaches.
It may not be possible to prevent all cyberattacks but, with the hospitality industry coming under attack, it is essential that security controls are implemented that prevent the installation of malware. Keyloggers and other information stealing malware are usually delivered via spam email or are unwittingly downloaded from malicious websites.
In order to prevent infections via email, hotel chains can implement a robust spam filter. Web-borne infections can be prevented using a powerful web filtering solution to block malware downloads.
The Acer cyberattack recently reported to the California attorney general was due to an unspecified “security issue” on the company’s online store. Acer recently discovered that an unauthorized third party had gained access to its server and had stolen the data of its customers. Customers affected by the breach had made a purchase through Acer’s online store between May 12, 2015 and April 28, 2016.
Full Credit Card Information of Customers Stolen in Acer Cyberattack
Affected customers’ names, addresses, credit card numbers, card expiry dates, and CVC codes were all potentially stolen in the attack. Acer has pointed out that Social Security numbers were not recorded and were not obtained by the attackers. Acer does not believe that customer login details were stolen; however, the theft of password and login data could not be ruled out.
All individuals impacted by the breach do face a significant risk of suffering financial losses and must therefore keep a close check on their credit card statements for any sign of fraudulent activity. Due to the high level of risk Acer has recommended that all customers impacted by the breach place a credit freeze and fraud alert on their files. Credit reports should also be obtained from each of the credit agencies.
The incident has been reported to law enforcement and an investigation is ongoing. Acer also brought in external cybersecurity experts to assist with the investigation.
It is unclear how the Acer cyberattack occurred and whether the attackers gained access to the company’s systems in May last year or whether the attack occurred recently and resulted in a year’s worth of data being stolen. However, Acer did confirm to PCWorld that customers’ have been placed at risk because their data were “inadvertently stored in an unsecured format.”
In a statement issued by the Taiwanese computer company, Mark Groveunder Vice President, Customer Service for the Pan-American region said “We regret this incident occurred, and we will be working hard to enhance our security.” The company’s payment processing company has been informed of the breach and customers have now been notified by mail.
The Zuckerberg Twitter hack has clearly demonstrated the danger of password reuse. Zuckerberg used the same password for Twitter as he did for his Pinterest and LinkedIn accounts. In spite of the Facebook founder, chairman, and CEO’s lofty position at the top of the world’s most popular social media network, he is guilty of poor data security practices like many others.
In addition to reusing passwords, Zuckerberg also chose a password of 6 digits with no capital letters, symbols, or numbers and did not change it for at least three years. The password was revealed to be “dadada.”
Mark Zuckerberg Twitter Hack Stemmed from the LinkedIn Data Breach
A collective known as OurMine was responsible for the Mark Zuckerberg Twitter hack. The collective, which is understood to hail from Saudi Arabia, gained access to data from the LinkedIn breach. The data were listed for sale a few days previously by a hacker operating under the name of “Peace”.
The LinkedIn passwords were not stored as plaintext, so a little effort was required to reverse the hash to obtain the password. While SHA-1 was thought to be impossible to reverse, it has since been shown to be a relatively straightforward task unless the passwords are also salted. In the case of LinkedIn, they were not.
Simply enter in the SHA-1 hash of a password into one of many reverse hash calculators and the plaintext password will be revealed. A search of the keyword phrase “how to reverse a sha1 password” will reveal many online options for doing so. Once the password had been obtained, access to online accounts was possible.
The Zuckerberg Twitter hack did not appear to cause anything other than some embarrassment. The group notified Zuckerberg of the hack by tweeting him using his own account, saying “we are just testing your security.” While the tweet said that Zuckerberg’s Instagram account was compromised, it has since been confirmed that this account was secure all along, as was Zuckerberg’s Facebook account.
While it is embarrassing, it should be pointed out that Zuckerberg was not a regular Twitter user, having only sent 19 tweets from his account in the past four years. His compromised Pinterest account was similarly rarely used.
Spate of Account Hacks Reported After Major Data Leaks
Other individuals were not quite so fortunate. Since the data from the LinkedIn breach was made available online, numerous celebrity social media accounts have been compromised. The Twitter accounts of celebrities such as Keith Richards and Kylie Jenner were hacked, as was the account of Tenacious D. The latter’s account was used to send a tweet saying Jack Black had died.
While these hacks have not been confirmed as stemming from the LinkedIn breach (or the MySpace or Tumblr breaches) the spate of account hijacks suggest as much.
TeamViewer GmbH was also a victim, having had numerous accounts compromised recently. The company provides remote desktop software and a number of users claim that the hacking of GmbH employee accounts enabled attackers to compromise their computers and authorize PayPal and Amazon transactions. This was attributed to “password mismanagement” by GmbH rather than any flaws in their software.
All of these account hacks show how common the reuse of passwords is, and the danger of doing so. What should be particularly worrying for businesses, is many people use their LinkedIn passwords for work accounts, or vice versa. If that password is obtained via a data breach, malicious actors could do a considerable amount of damage.
Important Online Security Best Practices
To improve security and reduce the risk of more than one account being compromised….
- Never reuse passwords
- Create a complex password for each platform – use symbols, capitals, and numerals
- Change your passwords regularly – every month or three months
- Use 2-factor authentication if available
- Use a password manager to help keep track of passwords
- Don’t store your passwords in your browser
- Regularly check your email address/username against the Have I Been Pwned? database
Over the past few days, rumors have been circulating about a massive MySpace data breach. Initial reports suggested that 427 million usernames and passwords had been obtained by a hacker going by the name of “Peace”. The name should sound familiar. The Russian hacker is the same individual who recently listed 117 million LinkedIn login credentials for sale on an illegal darknet marketplace. The hacker was also allegedly responsible for the 65 million-record data breach at Tumblr.
360 Million Login Credentials Stolen in MySpace Data Breach
Yesterday, Time Inc., confirmed that login credentials had been listed for sale online and that a MySpace data breach had occurred, although it would appear that the stolen data was obtained some time ago. The login credentials are for the old MySpace platform and date to before June 11, 2013. While Time Inc., did not confirm exactly how many login names and passwords had been stolen, Time confirmed that the figure of 360 million that had been reported in the press in the last couple of days was probably accurate.
Usernames, passwords, email addresses, and secondary passwords are reportedly being offered for sale. Out of the 360 million logins, Leakedsourrce.com suggests that 111,341,258 of the stolen records include a username and a password, and 68,493,651 records had a secondary password compromised. Not all of those stolen records also included a primary password.
Since 2013, data security has improved considerably and many companies have enforced the use of numerals, capital letters, and symbols when creating passwords. The stolen data reportedly includes only a small percentage of accounts with a capital letter in the password. This makes the passwords much easier to crack. The algorithm used to encrypt the passwords was also weak.
The login credentials from the MySpace data breach are reportedly being offered for sale for 5 Bitcoin – approximately $2,800.
All old users of the MySpace platform, and current users who joined the website before June 11, 2013 are potentially at risk. MySpace has responded to the breach by resetting all passwords on accounts created before June 11, 2013. When these users visit MySpace again they will be required to authenticate their account and supply a new password.
Additional security measures have been employed to identify suspicious account activity and the data theft is now being investigated. It would appear that no one at MySpace was aware that its database had been breached until the data were offered for sale just before the Memorial Day weekend.
MySpace Breach Shows Why It is Important Never to Reuse or Recycle Passwords
Since the data breach appears to have occurred some time ago, it is probable that many users will have changed their passwords on the site long ago, but the data could still be used to attack past and current users. All too often passwords are recycled and used for other online accounts, and many individuals use the same passwords for different platforms or rarely (or never) change them.
The MySpace data breach shows why it is important to use a different password for each online account and to regularly change passwords on all platforms. In the event of a breach of login credentials, users will only have to secure one account. If there is a possibility that only passwords are still in use on other platforms, MySpace account holders should update their passwords as soon as possible.
Hackers have access to tools that can check to see if account login and password combos have been used on other websites.
A successful CEO fraud scam that resulted in a fraudulent bank transfer being made from company accounts to a cyberattacker has cost the CEO his job.
CEO Fraud Scan Results in Losses of 40.9 Million Euros
Earlier this year, FAAC – an Austrian aircraft component manufacturer – was targeted by attackers who managed to pull off an audacious 50 million Euro ($55 million) CEO fraud scam. A wire transfer was made for 50 million euros by an employee of the firm after receiving an email request to transfer the funds from CEO Walter Stephan. The email was a scam and had not been sent by the CEO.
Unfortunately for FAAC, the CEO fraud scam was discovered too late and the transfer of funds could not be stopped. While the company was able to recover a small percentage of its losses, according to a statement released by FAAC, the company lost 41.9 million Euros as a result of the attack which contributed to annual pretax losses of 23.4 million Euros.
The bank transfer represented approximately 10% of the company’s entire annual revenue. Given the high value of the transfer it is surprising that the transfer request was not queried in person – or over the telephone with the CEO.
The CEO and the employee who made the transfer were investigated but do not appear to have been involved in the scam. The attackers were not believed to be linked to FAAC in any way.
Heads Roll After Huge Losses Suffered
Earlier this year, FAAC sacked its chief finance officer as a direct result of the scam. The CEO was recently sacked following a meeting of the company’s supervisory board. Stephan had worked at the company as CEO for 17 years.
This CEO fraud scam is one of the largest ever reported, although this type of scam is becoming increasingly common. Earlier this year the FBI issued an advisory about the high risk of CEO fraud scams following many attacks on U.S companies over the past year. In April, the FBI reported that $2.3 billion has been lost as a result of this type of scam.
CEO email fraud involves a member of the accounts department being sent an email from the CEO – or another senior executive – requesting a bank transfer be made from the company accounts. A reason is usually supplied as to why the transfer request needs to be made, and why it must be made urgently.
Oftentimes, the scammer and the target exchange a few emails. An email is initially sent asking for a transfer to be made, followed by another email containing details of the recipient account where the funds must be sent and the amount of the transfer. The scams are effective because the request appears to come from within the company from a senior executive or CEO. Oftentimes the attackers manage to compromise the CEO’s email account, and spend time researching the style the CEO uses for emails and who transfer requests have been sent to in the past.
According to the FBI, the average transfer amount is between $25,000 and $75,000, although much larger scams have been pulled off in the past. Irish budget airline Ryanair fell victim to a CEO fraud scam and wired $5 million to a Chinese bank, although the funds were able to be recovered. The Scoular Co., wired $17.2 million to scammers in February last year, while Ubiquiti suffered a loss of $46.7 million as a result of a CEO fraud scam.
Easy Steps to Prevent CEO Email Fraud
There are steps that can be taken that can greatly reduce the risk of these scams being successful.
- Implement policies that require all bank transfers – or those above a certain threshold – to be authorized by telephone or through other communication channels.
- Ensure bank transfer requests are authorized by a supervisor and are not left to one single employee
- Configure spam filters to block spoofed domains to prevent scam emails from being delivered
- Provide training to all accounts department staff and warn of the risk of CEO fraud scams
The 2012 LinkedIn data breach was believed to have resulted in the theft of 6.5 million emails and encrypted passwords; however, the data breach appears to be worse than previously thought with considerably more data stolen. Those data have now been listed for sale on a darknet marketplace, prompting LinkedIn to contact a substantial percentage of its users to get them to change their passwords.
117 Million Unsalted SHA-1 Hashes and Corresponding Usernames from 2012 LinkedIn Data Breach Listed for Sale
A hacker called “Peace” listed 117 million LinkedIn email and encrypted password combinations for sale this week. LinkedIn believes the data has also come from the 2012 LinkedIn data breach. The data were in the same format as the 6.5 million passwords and email combinations that were previously listed for sale. The latest batch of data has been listed or sale for a reported $2,200.
The passwords stolen in the 2012 LinkedIn data breach were unsalted SHA-1 hashes. While the passwords are encrypted, they are poorly protected and can easily be cracked with relative ease.
Soon after the 2012 LinkedIn data breach the 6.5 million account details were offered for sale on a Russian hacking forum. Motherboard reports that as many as 90% of those passwords were able to be cracked. This now places 18 times as many users at risk of having their accounts compromised.
LinkedIn users that joined the professional networking website after the 2012 data breach will not be affected by the data sale, although older users of the site could be at risk, especially if the password they used for their LinkedIn account has been used other logins elsewhere online.
Individuals who tend to use the same passwords on multiple websites or those who recycle old passwords are advised to change their passwords on their banking websites, social media profiles, email accounts, and other online sites if there is a possibility that they have used the same password as they used on LinkedIn prior to the 2012 breach.
The 2012 LinkedIn data breach was possible because security at the time was not particularly robust, although that has since been addressed. LinkedIn now salts its hashes, uses two factor authentication, and also email challenges. Since being alerted to the listing of the password/username combos, LinkedIn has been contacting affected users and attempting to invalidate passwords and force users to reset.
It is strongly advisable to login to LinkedIn and change your password as a precaution if you are unsure whether you have changed your password since 2012.
Each year, the Ponemon Institute conducts a benchmark survey on healthcare data privacy and security. The surveys give a picture of the state of healthcare data security, highlight the main threats faced by the healthcare industry, and offer an insight into the main causes of healthcare data breaches. This week, the Ponemon Institute released the results of its 6th annual benchmark study on healthcare data privacy and security.
Over the past 6 years, the main causes of healthcare data breaches have changed considerably. Back in 2010/2011 when the two healthcare data privacy and security surveys were conducted, the main causes of healthcare data breaches were lost and stolen devices, third party errors, and errors made by employees.
Breaches caused by the loss and theft of unencrypted devices such as laptops, smartphones, tablets, and portable storage devices such as zip drives has fallen considerably in recent years. Due to the high risk of loss and theft – and the cost of risk mitigation following a data breach and compliance fines – healthcare organizations are keeping tighter controls on portable devices. Staff have been trained to be more security conscious and many healthcare organizations have chosen to use data encryption on portable devices. However, lost/stolen devices and mistakes by employees and third parties are still the root cause of 50% of healthcare data breaches.
Healthcare Data Privacy and Security Study Shows Criminals Caused 50% of Healthcare Data Breaches
Data breaches caused by the loss and theft of portable devices may be in decline, but the same cannot be said of cyberattacks, which have increased considerably. When the first benchmarking study was conducted in 2010, 20% of data breaches were caused by hackers and other cybercriminals. By 2015, the figure had risen to 45%. This year criminals have been responsible for 50% of healthcare data breaches.
Healthcare data breaches have increased in volume, frequency, and severity. Prior to 2015, the largest healthcare data breach exposed 4.7 million patient health records. Data breaches that exposed more than 1 million healthcare records were very rare. However, in 2015, the Anthem Inc. breach exposed 78.8 million healthcare records, Premera BlueCross recorded a cyberattack that exposed 11 million records, and Excellus Blue Cross Blue Shield reported a breach of 10 million records. These data breaches were caused by criminals who gained access to systems using phishing techniques.
Phishing remains a major cause for concern, as is malware, although over the course of the past 12 months a new threat has emerged. Ransomware is now the second biggest cause for concern for healthcare security professionals. DDoS attacks remain the biggest worry as far as cyberattacks are concerned.
The purpose of ransomware and DDoS attacks is to cause widespread disruption. Healthcare IT professionals are right to be concerned. Both of these types of cyberattack have potential to have a hugely detrimental effect on the care that is provided to patients, potentially disrupting healthcare operations to such a degree that patients can actually come to physical harm.
Healthcare organizations have been investing more heavily in data security technologies to prevent breaches, yet these measures have not been sufficient to stop breaches from occurring. The report indicates that 89% of healthcare organizations suffered a data breach in the past two years, 79% suffered more than one breach, and 45% experienced more than five data breaches.
The cost of healthcare data breaches is considerable. The Ponemon Institute calculates the average cost to resolve a data breach to be $2.2 million for healthcare providers. The average cost of a business associate data breach is $1 million. The total cost each year, to mitigate risk and resolve data breaches, has been estimated by Ponemon to be $6.2 billion for the industry as a whole.
Healthcare Organizations Need to Increase Cybersecurity Efforts
Cybersecurity budgets may have increased over the years, but too little is being spent on healthcare data privacy and security data. Even with the increased risk, 10% of healthcare organizations have actually decreased their cybersecurity budgets, and more than half (52%) said their budgets have stayed the same this year.
Further investment is needed to tackle the growing threat and to prevent criminals from gaining access to data and locking it with ransomware.
Education also needs to be improved and greater care taken by healthcare employees to prevent accidental disclosures of data and mistakes that open the door to cybercriminals. Employee negligence was rated as the top cause for concern by both healthcare providers and business associates of healthcare organizations. Unless greater care is taken to prevent data breaches and healthcare organizations are held more accountable, the data breach totals will only rise.
This week has seen the release of new U.S. data breach statistics by the Identity Theft Resource Center (ITRC). The new report reveals the extent to which organizations have been attacked over the past decade, breaking down data breaches by industry sector.
ITRC has been collecting and collating information on U.S. data breaches since 2005. Since records of security breaches first started to be kept, ITRC figures show a 397% increase in data exposure incidents. This year has seen the total number of data breach incidents surpass 6,000, with 851 million individual records now having been exposed since 2015.
U.S. Data Breach Statistics by Industry Sector
The financial sector may have been extensively targeted by cybercriminals seeking access to financial information, but between 2005 and March 2016 the industry only accounts for 7.9% of data breaches. The heavily regulated industry has implemented a range of sophisticated cybersecurity protections to prevent breaches of confidential information which has helped to keep data secure. The business and healthcare sectors were not so well protected and account for the majority of data breaches over the past decade.
Over the course of the past decade financial sector ranked lowest for breaches of Social Security numbers. The largest data security incident exposed 13.5 million records. That data breach occurred when data was on the move.
At the other end of the scale is the business sector, which includes the hospitality industry, retail, transport, trade, and other professional entities. This sector had the highest number of data breaches accounting for 35.6% of all data breaches reported in the United States. Those breaches exposed 399.4 million records.
ITRC’s U.S. data breach statistics show that the business sector was the most frequently targeted by hackers over the course of the past decade, accounting for 809 hacking incidents. Hackers were able to steal 360.1 million records and the industry accounted for 13.6% of breaches that exposed credit and debit card numbers. The huge data breaches suffered by Home Depot and Target involved the exposure of a large percentage of credit and debit card numbers.
Healthcare Sector Data Breaches Behind the Massive Rise in Tax Fraud
The business sector was closely followed by the healthcare industry, which has been extensively targeted in recent years. ITRC reports that the industry accounted for 16.6% of data breaches that exposed Social Security numbers. Since 2005, over 176.5 million healthcare records have been exposed and over 131 million records were exposed as a result of hacking since 2007. That includes the 78.8 million records exposed in the Anthem Inc., data breach discovered early last year.
While hacking has exposed the most records, employee negligence and error were responsible for 371 data breaches in the healthcare industry. Healthcare industry data breaches are believed to have been responsible for the massive increase in tax fraud experienced this year. Tax fraud surged by 400 percent in 2016.
Government organizations and military data breaches make up 14.4% of U.S data breaches over the past decade, with the education sector experiencing a similar number, accounting for 14.1% of breaches. Over 57.4 million Social Security numbers were exposed in government/military data breaches along with more than 389,000 credit and debit card numbers.
The education sector experienced the lowest number of insider data breaches of all industry sectors (0.7%) although 2.4 million records were exposed via email and the Internet.
Cybersecurity Protections Need to Be Improved
The latest U.S. data breach statistics show that all industry sectors are at risk of cyberattack, and all must improve cybersecurity protections to keep data secure. According to Adam Levin, chairman and founder of IDT911, “Companies need to create a culture of privacy and security from the mailroom to the boardroom. That means making the necessary investment in hardware, software and training. Raising employee cyber hygiene awareness is as essential as the air we breathe.”