Cyber Incident Weekly Report - Week of August 26, 2024


Seattle-Tacoma International Airport Isolates Systems Following Cyberattack

WHAT HAPPENED: The Port of Seattle, which includes the Seattle-Tacoma International Airport, published a statement on its X (formerly Twitter) account indicating it was managing “system outages indicating a possible cyberattack.” The outages forced the airport to isolate critical systems, forcing some airlines to sort bags and handwrite boarding passes manually. Travelers were urged to use airline apps to handle boarding passes and to check bags before getting to the airport. The airport is the busiest in the Pacific Northwest region, and many travelers and airlines are already experiencing significant delays.

CONCERNING: Seattle, Seattle-Tacoma International Airport, Airports, Outages.

SENSCY'S ANALYSIS: At the time of writing, the Port of Seattle’s websites, phone, email, and wifi are still down following the attack. The attack on the Seattle Port joins the long list of airports and transportation hubs significantly impacted by cyber incidents over the last couple of years, and the frequency of attacks is increasing rapidly. SensCy recently reported on a cyber attack in Wichita, Kansas, that caused airport disruptions and took down the airport’s wifi. Four months later, the wifi is still unavailable. While an investigation is ongoing at the Seattle Port following the disruption, the incident highlights the need for ports and airports to address cyber threats. Ports and airports are critical components of global infrastructure, handling vast amounts of sensitive data, financial transactions, and logistical operations. These incidents, including the recent CrowdStrike/Microsoft outage, have made cybersecurity for transportation hubs a key focus for government agencies. President Biden issued an executive order in February giving the US Coast Guard express authority to respond to cyber incidents. This order aims to streamline the response and responsibilities when restoring operations after a cyber attack. TSA also released new cybersecurity requirements for airport and aircraft operators in 2023, requiring “TSA-regulated entities to develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.”

California Credit Union Confirms Ransomware Attack

WHAT HAPPENED: Patelco, a California credit union, confirms 726k individuals were impacted by the ransomware attack that occurred at the end of June. Threat actors stole and exposed the names, dates of birth, Social Security numbers, and driver's license numbers of 726,000 individuals. The attack came ahead of the July 4th holiday, creating chaos with many customers unable to access their accounts or take out more than $500 from ATMs. The RansomHub ransomware gang, responsible for attacks on Rite Aid, Frontier, and the city of Columbus, claimed the attack.

CONCERNING: Credit Union, Patelco, Holidays.

SENSCY'S ANALYSIS: Holidays in the US are always a time when hackers increase their activity for several strategic reasons. While this is no time for organizations to worry about cybersecurity, it is important to understand why hackers are more active and how organizations can be proactive in preparing for any holidays. During holidays, many organizations operate with reduced staff, including IT and security teams. This can result in slower detection and response times to security incidents, making it easier for attackers to exploit vulnerabilities and carry out attacks unnoticed for longer periods. Holidays also offer great targeting opportunities for threat actors, who may craft targeted campaigns that exploit holiday themes, such as fake holiday sales or travel deals. These campaigns can be very effective at tricking people into providing sensitive information or downloading malware. In the case of ransomware attacks, launching an attack during a holiday period can increase the pressure on the victim to pay quickly to restore operations. The urgency to minimize downtime and resume business after the holiday break may compel organizations to pay the ransom sooner. To best prepare your organization ahead of national holidays, SensCy recommends that organizations be proactive. This includes educating your employees to recognize phishing emails, text messages, and social engineering tactics; ensuring that all systems are updated with the latest version before taking time off; ensuring all critical data is backed up, encrypted, and kept separate from your network, offline, or in a cloud service designed for this purpose; and, finally, developing a cybersecurity incident response plan outlining the steps to be taken in the event of a cyberattack or breach.



DICK’S Sporting Goods Suffers Cyberattacks

WHAT HAPPENED: In a filing with the SEC, the retail store DICK’S Sporting Goods disclosed that confidential information was exposed following a cyber attack. In the notice, DICK’S explained that “On August 21, 2024, the Company discovered unauthorized third-party access to its information systems, including portions of its systems containing certain confidential information.” According to a source who spoke with Bleeping Computer, email systems had been shut down and all employees were locked out of their accounts. DICK’S IT staff now has to manually validate employees’ identities for them to gain access to the systems. DICK’S notified federal law enforcement.

CONCERNING: DICK’S Sporting Goods, Retail, Third-Party Risk.

SENSCY'S ANALYSIS: While the investigation is ongoing, the first indicators from the SEC filing suggest that DICK’S was able to immediately activate its cybersecurity incident response plan after uncovering the incident. Organizations should recognize the critical importance of having effective cybersecurity incident response plans. The filing also indicates that the incident was caused by a third party. When it comes to large organizations like DICK’S, Third-Party Risk Management (TPRM) is also a key part of an organization's cybersecurity program. According to a recent IBM report, third-party ransomware has skyrocketed by 415% from 2022 to 2023. Organizations rely on several vendors and suppliers to manage various aspects of their business. In some cases, these vendors have access to critical and sensitive information, which can introduce significant cybersecurity risks. SensCy’s TPRM program offers business owners visibility into their vendors’ and suppliers’ cybersecurity posture by assessing third parties, conducting external scans, and providing executive briefings to the top of the organization to inform on risk across the supply base.

