At a glance.

  • The dangers of real time bidding.
  • Round-up of recent US healthcare breaches.
  • Threat groups just made it easier to find stolen data on leak sites.

The dangers of real time bidding.

JDSupra offers a primer on the risks of real time bidding (RTB), the predictive advertising practice in which ad brokers create profiles based on users’ internet activities, then auction the data to the highest-paying advertiser. The advertiser is essentially purchasing the right to show its ad to the user, and though these profiles are curated out of seemingly nondescript data, a user’s browser history can often be linked to their identity, and the profiles can reveal private details like religious beliefs, sexual orientation, political affiliation, and even pregnancy status. Furthermore, these profiles can be purchased by any third party, which means they could end up in the hands of threat actors, governmental agencies, or organizations in China or Russia. An investigation conducted by the Belgian Data Protection Authority found that the transparency and consent framework used by RTB ad brokers does not comply with the General Data Protection Regulation’s principles, with the DPA calling RTB “the biggest data breach ever recorded.” To protect themselves, users are advised to closely examine websites’ Privacy Policy and Terms of Use, limit the permissions granted to mobile applications to only the most necessary parts of the device, and, whenever possible, decline advertising consent.

Round-up of recent US healthcare breaches.

The past few days have been busy ones for US healthcare data breach disclosures. Associated Eye Care Partners (AEC), based in the US state of Montana, is informing patients that their personal data might have been compromised during a November 2020 ransomware attack targeting Netgain, a provider of managed IT services for the healthcare sector. The notification letter reads, “AEC, along with thousands of other healthcare entities, retained Netgain for online hosting of its environment, including cloud services and e-mail.” Security Week reports that although there’s no evidence any data were misused, the attackers had access to patient names, addresses, Social Security numbers, and medical history.

The Virginia Commonwealth University (VCU) Health System has disclosed a data leak that potentially exposed the personal data of over four thousand organ donors and recipients since 2006. The Richmond Times-Dispatch explains that information including Social Security numbers, lab results, and medical record numbers was possibly viewed by other VCU donors and recipients, but was not exposed to the general public.

The IT security team at CHRISTUS Health, a hospital system located in the state of Texas, discovered in May that an unauthorized third party had gained access to its network. Details are sparse, but reports indicate that the intruder potentially accessed patients’ full names, Social Security numbers, dates of birth, home addresses, and billing information.

Last week Bayhealth Medical Center, a not-for-profit healthcare system located in the state of Delaware, announced that the data of over 17,000 patients were potentially exposed in the breach of Professional Finance Company (PFC), a vendor used to collect patient debts. JDSupra notes that, according to PFC, the incident impacted patients at over 650 providers across the US, and though not all hospitals have disclosed how many of their patients were affected, the PFC data breach could be the largest healthcare data breach of 2022 so far.

Threat groups just made it easier to find stolen data on leak sites.

Bleeping Computer discusses a new strategy being employed by threat groups that will make it even easier for cybercriminals to find data stolen in attacks. The ALPHV/BlackCat ransomware operation announced last week that it has added a search function to its leak site, allowing thieves to comb through a searchable database containing data exfiltrated from non-paying victims. LockBit is offering a similar, though less advanced, search function, and the Karakurt data extortion gang has also implemented a search (though it doesn’t appear to actually work). In addition to making it easier for thieves to find exactly the data they want, making stolen data searchable also puts added pressure on victims to meet their attackers’ ransom demands.

Erich Kron, security awareness advocate at KnowBe4, commented on the quick evolution of ransomware TTPs:

“Ransomware continues to evolve at a breakneck pace, often taking pages from successful legitimate business practices, such as ‘as-a-service’ offerings, profit sharing, and tech support, and this is just another example of its maturity. The ability to structure and easily search for information makes it easier for other cybercriminals to use the stolen data to initiate other attacks, especially social engineering attacks such as email phishing. Bad actors involved in email phishing can make great use of the information found in many data dumps. This in turn could push victim organizations to pay, rather than simply hoping that the information will be lost in the obscurity of the attacker’s website.

“If organizations discover their information is searchable on one of these sites, they would be wise to train their users to spot and report phishing emails before the information is used against them, rather than afterward.”

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, is also struck by the sophisticated approaches emerging in gangland:

“It’s a bit unnerving that ransomware attacks have become so commonplace that they now make for effective social engineering lures.

“One of the most important facets of effective cybersecurity awareness training is educating users beforehand on how they will or will not be contacted, and what information or actions they may be asked to take. It is critical that users understand how they may be contacted by legitimate internal or external departments, and this goes beyond just cybersecurity. For example, a cybercriminal may call or email claiming to work with HR and extract sensitive personal information from a victim. By understanding the ways in which they may be contacted beforehand, users can be more resilient to these types of attacks.

“Another important defensive measure to instill is the concept of ‘trusted paths’ that a person can take to verify the legitimacy of an inbound request. A prime example is not giving out credit card info to an inbound caller, but rather hanging up and calling the number on the back of the card to ensure you reach the actual company. By educating users on similar trusted paths they can use to verify any incoming requests, you increase your organization’s overall resiliency to these types of cyberattacks.”