At a glance.

  • Recent US health data breaches.
  • Drive at your own risk. 
  • Magecart attacks on the rise.
  • Industry comment on the LendingTree incident.

Recent US health data breaches.

The American Dental Association (ADA) has disclosed that it was hit with a ransomware attack in which an unauthorized party gained access to sensitive consumer data. JD Supra notes that although the ADA has not stated exactly what data were compromised, the hackers posted a sample of the stolen data on the dark web that includes W-2 forms, non-disclosure agreements, and accounting spreadsheets belonging to dentists.

Insurance agency Blue Shield of California Promise Health Plan experienced a data breach that started at a vendor of a subcontractor used by Blue Shield. In May, Blue Shield learned that vendor Matrix Medical Network had suffered a ransomware attack as the result of an incident involving one of Matrix’s vendors, brand engagement firm OneTouchPoint. The breach resulted in the compromise of Blue Shield plan member data including names, addresses, dates of birth, subscriber ID numbers, diagnoses, medications, and medical history. JD Supra adds that Blue Shield filed an official notice of the breach and notified impacted individuals earlier this month.

Oklahoma State University’s Center for Health Services has paid $875,000 to settle potential HIPAA violations tied to a malware attack that exposed the protected health data of over 275,000 patients. JD Supra explains that the Center reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) as required by HIPAA, but the OCR investigation concluded that the Center had failed to conduct an adequate risk analysis or to implement an appropriate incident response.

Drive at your own risk.

Cybersecurity analysts at BitSight have found that a popular GPS vehicle tracker produced by Shenzhen-based electronics maker MiCODUS contains six vulnerabilities that could allow a threat actor to track vehicles or even remotely cut their engines. The devices can be found in at least a million vehicles worldwide, including vehicles owned by a Fortune 50 company and a nuclear power plant operator, as well as by law enforcement agencies, militaries, and national governments across the globe. TechCrunch notes that the most severe vulnerability involves a hardcoded password embedded directly in the code of the Android app; it can easily be found by anyone with access to the code and can be used to gain complete control of any GPS tracker, including remotely cutting off fuel to the vehicle engine. The bugs were found in the MV720 model, but Pedro Umbelino, the BitSight researcher who authored the report, says his findings raise “significant questions about the vulnerability of other models.” The security company reached out to inform MiCODUS of the issues in September 2021, but so far no efforts have been made to remedy them. BitSight and the Cybersecurity and Infrastructure Security Agency are urging vehicle owners to remove the devices as soon as possible.

Magecart attacks on the rise.

Security firm Recorded Future has identified two web-skimming operations targeting three online ordering platforms, resulting in the exposure of credit card details from customers of over three hundred US restaurants. Magecart malware was detected on the online ordering portals MenuDrive, Harbortouch, and InTouchPOS, and the details of 50,000 payment cards have already been posted for sale by hackers on the dark web. The campaign that impacted InTouchPOS has infected over four hundred e-commerce sites since 2020, and as of this June, thirty of those websites are still infected. Such platforms have become a desirable target for Magecart attacks because the compromise of a single portal can give cybercriminals access to the online transactions of a large number of eateries, resulting in a huge payout for little work. Bleeping Computer adds that although law enforcement and all impacted entities have been notified, both operations are ongoing, and their corresponding exfiltration domains are still operational.

Kim DeCarlis, CMO at PerimeterX, sees cybercrime as a cyclical problem and argues that a multi-layered solution is needed to break that cycle:

“This Magecart attack against 300 U.S. restaurants is yet another example of the persistent challenges e-commerce companies face when securing their sites. Sophisticated attackers understand that websites are composed of a supply chain of code, much of it from third or n-th parties, and will continue to seek out ways to steal credit card information by planting onsite skimmers and abusing vulnerable code. This is another example of the web attack lifecycle – the cyclical and continuous nature of cyberattacks – where a data breach on one site, perhaps as a result of a Magecart attack, fuels carding, credential stuffing or account takeover attacks on another site. Given the risks of Magecart and digital supply chain attacks, it is paramount that e-commerce companies, such as restaurants and food delivery companies, implement solutions to stop the theft, validation and fraudulent use of identity and account information on their websites and web apps. They can do this by deploying a multi-layered solution that helps protect users’ account and identity information everywhere along their digital journey.”

Erfan Shadabi, cybersecurity expert with comforte AG, argues that the problem calls for a data-centric solution:

“As a common trend, cyberattackers mostly target food delivery service providers or online ordering platforms to obtain credit or debit card details of their customers. So the key aspect to consider here is to protect the credit card information as well as the user account details stored on a website or app. Businesses in these sectors need to apply data-centric protection to any sensitive data within their ecosystem (PII, financial, and transactional) as soon as it enters the environment and keep it protected even as employees work with that data. By tokenizing any PII or transactional data, they can strongly protect that information while preserving original data format, making it easier for business applications to support tokenized data within their workflows. They also need to revisit their enterprise backup and recovery tactics to ensure that they can quickly recover if hackers are able to get into their environment and encrypt their enterprise data.”

Industry comment on the LendingTree incident.

LendingTree is dealing with a data incident, but it’s not the serious incident hoods have claimed on the dark web; those claims, the Record reports, are bogus. Henning Horst, CTO at comforte AG, commented on why successful financial services institutions like LendingTree are attractive targets for fraud at many levels:

“Recent months have seen a number of major global cyber-attacks on the financial sector. Financial services companies continue to be heavily targeted, and typically feature in the top five sectors for severity and frequency of cyber-attacks. One reason they are a prime target is the wealth of information they collect and process.

“As consumers, we must have assurances that the organizations that are collecting and processing our most sensitive personal information are handling and storing that data with the utmost care, using the most sophisticated data protection tools. That means more than just applying traditional perimeter-based controls.

“If your organization possesses such a wide array of sensitive information about your customers, you will want to investigate stronger protection and mitigation methods, such as data-centric security. By tokenizing sensitive data as soon as it enters your data ecosystem, you can keep it in a protected state while still working with the data in your business applications due to data format preservation. Even if threat actors get their hands on the data, it is meaningless and worthless to them, and no sensitive information will be compromised.”