Cyber Incident Weekly Report - Week of April 1, 2024

AT&T Confirms Massive Data Breach

WHAT HAPPENED: AT&T, the communication giant, confirmed this week a data breach affecting 73 million current and former customers. AT&T initially denied the breach, which came to light after a threat actor posted a data sample on the dark web. Customers can use services like Have I Been Pwned to determine if their data was compromised in this breach. Stolen data includes names, addresses, phone numbers, and, for many customers, Social Security numbers and birth dates.

CONCERNING: AT&T, Data Breach, Data Privacy, Dark Web

SENSCY'S ANALYSIS: According to the preliminary report provided by AT&T, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders. Some passwords of the 7.6 million current AT&T customers were also leaked and have been reset by the company. AT&T will notify all 73 million former and current customers about the breach and the next steps they should take. Additionally, a spokesperson from AT&T explained that the company is working to confirm if the leaked data "is the same dataset that has been recycled several times on this forum" (dark web). This refers to a previous incident in 2021 when a hacking group, ShinyHunters, leaked a similar dataset.


Jackson County, Missouri, Investigates Potential Ransomware Attack

WHAT HAPPENED: In a statement released on Tuesday, April 2, Jackson County reported potential ransomware impacting its IT systems, including tax payments and online services. County Executive Frank White, Jr. declared a state of emergency to expedite response efforts.

CONCERNING: Jackson County, Missouri, Ransomware, Municipalities

SENSCY'S ANALYSIS: SensCy reported on a ransomware attack on Fulton County last week, and while there is no indication that the two events are related, there are many similarities between them. Threat actors target large counties in the U.S. for several reasons. Most of them are financially motivated and attracted by the data-rich environment guarded by the counties, including personal information about residents (financial and health-related). Threat actors targeting counties are also likely to be politically motivated, hoping to disrupt government operations, sow chaos, or undermine public trust in the institutions. Counties play a crucial role in states' critical infrastructure. They provide essential services to residents, including public safety, education, transportation, and healthcare. Disrupting these services through a ransomware attack can attract attention and cause chaos, likely increasing the chance of ransom payments. Overall, a combination of perceived vulnerabilities, valuable data, financial and political incentives, and relatively low risk makes counties in the U.S. attractive targets for threat actors. Additionally, a successful ransomware attack can lead to many complications that extend beyond the immediate technical challenges.

Prudence Insurance Confirms Data Breach Following Cyberattack

WHAT HAPPENED: One of the largest insurers in the U.S. filed a data breach notice on Friday with the Maine Attorney General following a cybersecurity incident in which Prudence Insurance detected unauthorized access on February 5, 2024. During the incident, threat actors stole the information of more than 36,000 individuals. Stolen data includes names, addresses, and driver's license numbers or ID cards. Based on a document filed with the Securities and Exchange Commission (SEC), threat actors accessed "administrative and user data from certain information technology systems and a small percentage of Company user accounts associated with employees and contractors." The ransomware group AlphV claimed the attack.

CONCERNING: Prudence Insurance, Data Breach, Insurance Providers, Data Privacy

SENSCY'S ANALYSIS: This is not the first time Prudence Insurance has suffered a large data breach; 320,000 people had their Social Security numbers and more exposed last year. There are many vectors a threat actor can use to attack an insurance provider; while phishing and exploiting known vulnerabilities are two of the most common risk vectors for insurers, we will be looking at two different vectors and their potential consequences.

First, brute force attacks: in a brute force attack, threat actors try to guess or crack passwords by systematically trying combinations until they find the correct one. This method is often used against remote login portals, such as VPNs or remote desktop services, that are not correctly secured or have weak password policies. The consequences of a successful brute force attack can include unauthorized access to sensitive systems and databases containing confidential information; potential exposure of customer data to unauthorized parties; compromise of internal systems, allowing threat actors to conduct further attacks or data exfiltration; and regulatory fines and legal repercussions for failing to adequately protect customer data and prevent unauthorized access.

Finally, in supply chain attacks, threat actors may target third-party vendors or service providers with access to the insurance company's network. By compromising these trusted entities, threat actors can indirectly infiltrate the company's network, bypassing traditional security defenses. Consequences include the compromise of sensitive data shared with third-party vendors, including customer records and proprietary information; disruption of business operations if critical services provided by third-party vendors are compromised or unavailable; and damage to the company's reputation and trust among customers if a breach occurs due to a supply chain attack.

Interested in understanding the threat level of cyberattacks at your organization? Access our free cyberhealth evaluation here: https://senscy.com/free-cybersecurity-assessment-senscy-score/
