Weekly CyberTip: Never reuse passwords across accounts!
A recent survey by password management firm Bitwarden reported that nearly a third of all respondents reuse the same password across 5-10 accounts or applications. Hackers know these numbers, and whenever they manage to crack or steal a password from one service, they will often pivot to try it on other common websites and services. Don’t run the risk of multiplying the impact of a breach by using the same credentials in several places. Play it safe by making your passwords unique (as well as long and strong), and consider using a password manager to help keep track of them.
Costly settlement reached in Montana healthcare data breach
Logan Health Medical Center of Kalispell, Montana has reached a $4.3 million (all figures USD) settlement with the 213,543 patients and employees whose personal and protected health information was compromised during a cyber incident dating back to November 2021. The settlement responds to a class action filed with a United States District Court in Montana. In the incident, Social Security numbers, birthdates, contact information, medical histories, insurance data, medical record numbers, insurance details, provider names, and other sensitive data relating to the patients and employees were compromised.
This is the second breach-related lawsuit settled by the Montana provider in just over two years. Under their former operating name of Kalispell Regional Healthcare, the six-hospital system was victimized by a phishing attack that led to a data compromise affecting 130,000 patients. In that incident, patients successfully sued the hospital, leading to a $4.2 million settlement in December 2020.
The current lawsuit also pointed to Logan Health’s previous breach, accusing the healthcare provider of failing to follow representations made in the earlier settlement, failing to reasonably train employees, and neglecting to implement procedures or protocols that would have prevented the second security incident. Logan had committed to taking steps to revise procedures to minimize the risk of a similar event happening again.
In addition to the financial terms, the proposed settlement requires Logan Health to specifically share details of the actions it has already taken, or plans to take, to strengthen its cybersecurity training and awareness programs, data policies, security measures, and data restrictions, as well as its monitoring and response capabilities.
A final hearing for the settlement proposal is set for March 9. If approved, Logan Health will have paid $8.5 million in data breach settlements during the COVID-19 pandemic.
Okanagan College confirms potential data breach after recent cyber incident
On January 23, Okanagan College issued an update (https://www.okanagan.bc.ca/cyber-incident-and-network-updates) regarding the cyber incident that affected them earlier in January. In the course of their investigation into the cyber attack, “it has been determined that certain information belonging to current students and employees may have been subject to risk as a result of the incident. The College has notified the Office of the Information and Privacy Commissioner for British Columbia and is in the process of notifying students and staff,” according to the statement.
The investigation into the breach, which affected the 17,000 students and 1,100 employees at Okanagan College, continues.
U.S. telcos affected by third-party data breach
On January 26, threat actors began releasing datasets on the dark web, allegedly containing customer information related to various telecom providers in the United States. Data relating to some 7.5 million Verizon customers was posted in one case; over half a million Charter Communications customers were part of a second disclosure posting.
All of the data is believed to trace back to a cyber incident affecting a third-party marketing services provider used by the telcos, which occurred in early January 2023.
According to a report in The Cyber Express, a spokesperson for Verizon has confirmed the authenticity of the 7.5M records, saying “the vendor had access to customer first names, device types, and service plans. The vendor did not have access to Social Security numbers, credit card numbers, or other personally identifiable customer information. We have severed this vendor’s access to our systems and suspended use of their services.”
In the case of Charter, a representative was quoted in Recorded Future as saying: “We are aware of the post and following our security protocol in response. The initial evidence suggests that one of our third-party vendors had a security breach. At this time, we do not believe that any customer proprietary network information or customer financial data was included.”
In Charter’s case, the data dump appears to be somewhat more extensive, containing detailed sales and service call information, account numbers, and address information (excluding customer names). The sample dataset was accompanied by a message saying: “In January 2023, a database of 550K customers belonging to the Charter Coms was stolen by hackers.”
ITRC releases Annual Data Breach Report
As part of Data Privacy Week 2023, the Identity Theft Resource Center (ITRC) released the 17th edition of its Annual Data Breach Report on Wednesday, January 25.
This year’s report reveals that the number of data compromises reported in the United States in 2022 (1,802) was only 60 events short of the all-time high set the previous year (1,862 compromises in 2021). The report also highlights the rising number of third-party breaches reported, with supply chain attacks moving ahead of malware-based compromises in 2022 by a 40% margin. According to the report, “ten million people were impacted by supply chain attacks targeting 1,743 entities. By comparison, 70 malware-based cyberattacks affected 3 million people.”
Cisco releases annual privacy benchmark study
Also recognizing Data Privacy Week, Cisco released its annual privacy benchmark study on January 24. Among the findings in this year’s report was a continuing trend of investment in privacy by firms, practically right across the board. “The average spending was $2.7 million [all figures USD], up significantly from $1.2 million just three years ago. The most significant growth from 2021 to 2022 occurred at smaller organizations: spending at organizations with 50-249 employees increased more than 17% to $2.0 million from $1.7 million. At organizations with 500-999 employees, spending rose more than 13% to $2.6 million from $2.3 million. Spending at larger organizations remained relatively unchanged after steep increases from 2019 to 2020.”