Data Breach Roundup: October 2013
Data loss related to device theft and loss is on the rise, says security expert Ryan Kalember, thanks to the huge popularity of smartphones and tablets.
Each month, eSecurity Planet looks back at the data breaches we've covered over the past 30 days, providing an admittedly unscientific but potentially interesting overview of the current breach landscape.
To get some added perspective on the shifting nature of enterprise threats, eSecurity Planet spoke to WatchDox Chief Product Officer Ryan Kalember. What follows is a list of the past month's breaches by category, noting what happened, what data was exposed, and what (if anything) the organization is doing to help those affected -- along with Kalember's thoughts on many of the breach categories.
Mobile Devices Shrink, Theft Threat Grows
Data breaches resulting from the theft of a laptop are an ever-growing category. In reality though, Kalember says, that category is likely dwarfed by breaches resulting from the loss of tablets and smartphones.
"As bits get cheaper and easier to move around, sensitive data is simply going to end up in more places," he says. "There are obvious examples, like unencrypted laptops, that are more likely to be discovered. Then there's an entire category of data breaches due to the loss of unencrypted mobile devices that are not laptops - things like tablets and smartphones - which very likely also contain regulated information, and which, if we had better tools to ascertain what information had actually ended up on those devices, would probably be resulting in more data breach disclosures than the stolen laptops."
Persuading users to ensure that such devices are encrypted, Kalember says, is always going to be an uphill battle. "The problem with the traditional encryption approaches is that they're really all stick and no carrot. If you encrypt somebody's laptop, they're not going to really derive any benefit from that," he says. "You as a corporation are going to derive some benefit, in that if the laptop goes missing, you don't have to do a breach disclosure - and you can certainly write that into the policy, which everybody does. But making sure that users actually use the technology to protect that data, when there's no obvious benefit to them in using it, is a very, very tough thing to do."
"When your employees' incentives don't align with data protection, they're actually acting rationally by having this information all over the place," Kalember adds. "If you're measuring your application development team on uptime and on how much money that application's going to generate for you, rather than on how secure it is - and their compensation and their performance reviews are tied to that - then that's what they're going to optimize for."
More than 700,000 AHMC Healthcare patients' names, Medicare/insurance identification numbers, diagnosis/procedure codes, insurance/patient payments and Social Security numbers may have been exposed when two unencrypted laptops were stolen from a hospital administration office. One hundred Denver Public Schools elementary school students' confidential health information, including medications, health-related letters and medical histories, may have been exposed when a briefcase containing a thumb drive was stolen from a school nurse's car.
Names, addresses or email addresses and Social Security numbers of 33 Genesis Rehabilitation Services employees, agency employees and applicants may have been exposed when a USB drive that had been left in a secure office was found to be missing. All those affected are being offered one free year of credit monitoring services from Kroll. Approximately 8,000 current and former Hope Family Health patients' names, birthdates, Social Security numbers and billing addresses were exposed when an unencrypted laptop was stolen from an employee's home.
An undisclosed number of Legal Aid Society of San Mateo County clients' names, birthdates, Social Security numbers, and medical and health information may have been accessed when 10 laptops were stolen during a burglary. Personal information from an undisclosed number of people may have been exposed when two NBC Sports laptops were stolen from a locked vehicle. The laptops contained the people's names, along with at least one of the following data elements: Social Security number, driver's license number and/or date of birth.
An undisclosed number of Petrochem Insulation employees' names, employee identification numbers and Social Security numbers were exposed when a laptop was stolen from an employee's locked car. All those affected are being offered a free year of credit monitoring through Experian's ProtectMyID. An undisclosed number of current and former Yusen Logistics (Americas) employees' names, addresses, Social Security numbers and payroll benefit deduction amounts may have been exposed when an unencrypted laptop was stolen from an employee's vehicle. All those affected are being offered one free year of identity protection services from AllClear ID.
Names, addresses, birthdates, marital status and assessment data of more than 18,000 participants in Region of Peel Public Health's Healthy Babies Healthy Children program were exposed when an unencrypted SD card was stolen from a Health Services employee's car. More than 600 St. Mary's Janesville Hospital patients' names, birthdates, medical record and account numbers, providers, departments of service, bed and room numbers, dates and times of service, visit histories, complaints, diagnoses, procedures, test results, vaccines and medications were exposed when an unencrypted laptop was stolen from an employee's car. All those affected are being offered one year of free identity theft protection services from ID Experts.
More than 3,400 UCSF Medical Center patients' names and medical record numbers, along with some health information and some Social Security numbers, were exposed when an unencrypted laptop was stolen from an employee's locked vehicle. All patients whose Social Security numbers were exposed are being offered one free year of credit monitoring services from ID Experts.
Hackers: Perimeter Defense Not Enough
Particularly in industries like technology and manufacturing where information has to be shared externally, Kalember says there's an understandable fear that such information will be easy for hackers to steal. "They have to share that information with their supply chain, and they're absolutely terrified of it being stolen in APT-style attacks," he says. "And it's a legitimate concern."
In response, Kalember says, the focus of enterprise security really needs to shift from network protection to data protection. "If you look at most of the security spending, it's still network security spending," he says. "The firewall market is still a $7 billion market, dwarfing any other sector in information security. But it's less and less relevant, as everything is connected to the Internet, and everything can potentially show you your data … so all that data is ending up in so many places, all of which are connected to the Internet, and all of which are potential vectors for compromise."
Hackers accessed more than 38 million Adobe Systems customers' names, Adobe customer IDs, encrypted credit or debit card numbers, expiration dates and other data relating to customer orders. The hackers also accessed source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and possibly other products. It's not clear how the breach occurred. Customers whose credit or debit card information was exposed are being offered one year of free credit monitoring services.
TeamBerserk hackers were involved in four notable breaches in October. They accessed and published 1,454 email addresses, user names and cleartext passwords from the Loretto Telecom website. It's not clear how the site was breached. They leveraged a SQL injection vulnerability to access and publish more than 600 email addresses and user names, along with more than 200 matching passwords in cleartext from the Mound Telecom website. They leveraged a SQL injection vulnerability to access a database containing customers' email addresses, user names and cleartext passwords from the Sebastian website, then leveraged those user names and passwords to access customers' bank accounts – and boldly posted a video online showing the attack in progress. And they leveraged a SQL injection vulnerability to access and publish server domain information from The West Australian, including 42 user names and encrypted passwords.
A test database containing an undisclosed number of Brandon University applicants' names, addresses, birthdates and insurance numbers was accessed by a hacker. The university didn't learn of the breach until the hacker contacted them by email. Hackers compromised a server at Sacramento State University and may have accessed 1,800 employees' personal information, including their Social Security numbers and driver's license numbers. It's not clear how the breach occurred.
Hackers accessed a computer at Monterey County Department of Social Services that held 144,493 county residents' names, Social Security numbers, and in some cases, addresses and birthdates. It's not clear how the computer was compromised.
An undisclosed number of Ouidad customers' names, billing addresses, email addresses, phone numbers, credit card numbers, CVV codes and expiration dates, and in some cases, user names and passwords may have been accessed by hackers. It's not clear how the site was compromised. All those affected are being offered one free year of access to Equifax Credit Watch Gold.
An undisclosed number of sales agents' names, Social Security numbers and bank account numbers were exposed when a data backup of an internal business system at PayJunction was inappropriately accessed. It's not clear how the data was breached. All those affected are being offered one year of free identity protection services from AllClear ID. A hacker breached the website of Tom Sawyer Software and accessed more than 60,000 customers' names, email addresses, contact information, user names and encrypted passwords. It's not clear how the site was breached.
Hackers leveraged a ColdFusion vulnerability to access a database containing approximately 10,000 records at PR Newswire, though the company says a minority of the records represent active users. Hackers leveraged a zero-day exploit in WHMCS to access PureVPN customers' names and email addresses, then sent those customers spam claiming that the company was shutting down due to legal issues. The company says no credit card data or other sensitive personal information was compromised.
Several hundred clients' names, Social Security numbers, email addresses, account numbers and birthdates were exposed at R.T. Jones Capital Equities Management when the facility that hosts its website was hacked on July 22, 2013. All those affected are being offered one free year of identity monitoring through First Watch ID.
An unauthorized person used authorized individuals' passwords to gain access to UnityPoint Health's electronic medical record (EMR) system from February 2013 to August 2013. It's not clear how the passwords were obtained. Nearly 2,000 patients' names, addresses, birthdates, medical and health insurance account numbers, and health information related to patient treatment were exposed. All those affected are being offered free access to a credit monitoring service.
Insider Breach: Data Drill Down
Kalember says there's one way to deal with many insider threats that's relatively straightforward to implement. "In general, when an employee leaves your firm, not only do you want to revoke access to what you probably do now - their e-mail account, their applications, their network login - but you ideally want to revoke their access from all of your data that they might have downloaded to their devices, whether they're personally owned or not, while they worked for you," he says.
A certified medical assistant at Allina Health may have inappropriately accessed more than 3,000 patients' personal health information, including their names, addresses, phone numbers, birthdates, clinical information, health information, and the last four digits of their Social Security numbers. Allina is offering free identity and financial monitoring services to those affected. An employee working for a physician clinic affiliated with Boone Hospital may have inappropriately accessed 125 patients' personal health information, including their birthdates, Social Security numbers, medical diagnoses and prescribed treatments. All those affected are being offered one year of free access to a credit monitoring service.
An employee in a doctor's office at Holy Cross Hospital accessed patients' names, birthdates, addresses and Social Security numbers, presumably to file fraudulent tax returns. It's not clear how many patients were affected, so all patients are being offered one free year of credit monitoring through Experian's ProtectMyID. A former employee of Kearny Mesa Infiniti may have improperly accessed an undisclosed number of customers' names, birthdates, addresses, phone numbers, Social Security numbers and driver's license information. One customer has alleged that the former employee used the information to obtain prescription drugs.
Phishing: Disable Macros
With data residing on an increasing number of devices and in an increasing number of places, Kalember says phishing attacks are posing an ever more significant threat. "As the information about you becomes more and more public, and as people gradually accumulate details, it becomes easier to phish them in lots of different ways," he says. "And nobody's going to get away from using technologies like Microsoft Office, Windows, Adobe and Java, which are the main vectors for those compromises. All those exploits are going to be nearly impossible to engineer out of the equation. So you really have to assume, from the perspective of the end user, that their machine is compromised, and you just have to protect what really matters."
One solution for some phishing threats, Kalember says, is simply to disable macros. "That's not something you might think of as a big security threat, but if you think about it, the ability to run macros is basically the ability of a Word document or a PDF file to run and execute code - which, most of the time, is probably malware," he says.
The EBS HR/payroll systems at Michigan State University were taken offline after two employees received email confirmations of changes to their direct deposit information. The university says valid credentials were used to modify the employees' data; it believes the credentials were obtained through a phishing attack. Approximately 3,000 people's protected health information may have been exposed when a few employees of Saint Louis University provided their account credentials in response to phishing emails sent on July 25, 2013. About 10 employees' direct deposit information was changed, though no unauthorized financial transactions took place. The attackers were also able to access 20 email accounts that held about 3,000 people's personal health information, along with approximately 200 Social Security numbers. All those affected are being offered one free year of credit monitoring and identity theft protection services.
Malware and Employee Error
An undisclosed number of Colonial Properties Trust customers' names and Social Security numbers may have been accessed when the company's network was infected with malware. All those affected are being offered a free one-year membership in Experian's ProtectMyID service. An undisclosed number of Datapak Services Corporation customers' names, addresses, credit/debit card numbers, expiration dates and CVV codes may have been accessed when the company's systems were infected with malware. All those affected are being offered one free year of identity protection services from AllClear ID.
More than 1,300 CaroMont Health patients' names, birthdates, addresses, phone numbers, medical record numbers, diagnoses, medications and insurance company names were potentially exposed when the information was sent by an employee via unsecured email.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.
By Jeff Goldman
October 25, 2013