Cyber Risk Governance Insights | October 28, 2024
WEEK IN HEADLINES
HEALTHCARE – Confirmed Exposure of 100M Americans’ Medical Records
The well-known ransomware attack on Change Healthcare, a subsidiary of UnitedHealth [NYSE: UNH], has resulted in the exposure of personal health information for 100 million Americans. The breach, which occurred in February 2024, is one of the largest in U.S. history, affecting medical records, social security numbers, and other sensitive data. The incident has caused significant disruption across the healthcare sector, prompting multiple class action lawsuits.
INSIGHT: Implementing Zero Trust Architecture (ZTA) would have been a prudent decision for UnitedHealth (UNH), despite the significant resources required for its implementation. In hindsight, this investment might have proven cost-effective, given the scale and impact of the data breach.
FINANCIAL SERVICES - Breach Exposes PI of Nearly 1M Users
Landmark Admin has disclosed a significant data breach affecting 806,519 individuals. The breach, resulting from a ransomware attack, led to the theft of personal information, including names, addresses, and social security numbers. The company has since taken measures to contain the breach and is working with third-party security experts to enhance its cybersecurity posture.
INSIGHT: There is value in engaging a third party to conduct a security audit and risk assessment. It is important for you to know the current state of your cyber posture.
TECHNOLOGY - Ransomware Exploits Microsoft Teams to Breach Enterprises
The Black Basta ransomware group has been impersonating Microsoft Teams IT support to gain access to enterprise systems. By flooding employees’ inboxes with spam and then posing as helpdesk staff via Teams, the attackers trick users into granting access, leading to significant data breaches. This sophisticated social engineering attack highlights the vulnerabilities in enterprise communication platforms.
INSIGHT: Implement strict access controls and verification for external communications to prevent unauthorized access. You might consider configuring Microsoft Teams to only accept messages from verified domains and enabling MFA for all communications.
HEALTHCARE – Data Breach Revealed A Year Later
Henry Schein [NASDAQ: HSIC], a global distributor of health care products and services, finally got around to reporting a data breach following a ransomware attack last year conducted by the BlackCat group. The breach compromised the personal information of over 160,000 individuals. The attackers stole 35TB of sensitive data, including patient medical histories and financial information. The company has since taken steps to enhance its cybersecurity measures and is offering identity theft protection to affected individuals.
INSIGHT: Ensure proper encryption of sensitive data both in transit and at rest. Regular offline backups will help prevent data loss during an attack.
NONPROFIT - $1.3M Demanded by Rhysida Ransomware
Easterseals, a nonprofit organization supporting disabled individuals, has suffered a significant data breach due to a ransomware attack by the Rhysida group. The breach, reported in April 2024, compromised the personal information of 14,855 individuals, including names, addresses, social security numbers, and medical details. The attackers demanded a ransom of $1.3 million; as of this report, Easterseals has not paid the ransom.
INSIGHT: Network segmentation may have been effective in limiting the impact. By segmenting your network, you restrict the lateral movement of the attackers, confining the attack to a smaller portion of your network. While an attack may affect a “room in your house”, you don’t lose your entire home – so to speak.
PUBLIC SECTOR - Mass Phishing Attack Targets Citizens’ Personal Data
Ukrainian authorities have warned of a mass phishing attack aimed at stealing sensitive personal data from citizens. The attackers, identified as UAC-0218, send phishing links disguised as bills or payment details, leading to the download of data-stealing malware. This malware searches for and exfiltrates documents from victims’ devices, compromising personal and financial information.
INSIGHT: Implementing email filtering with advanced phishing detection systems, combined with a continuous security awareness education program, significantly reduces the likelihood of employees falling victim to phishing attempts. This approach will prove to be a high-return investment in your cybersecurity posture.
INSIGHTS & EXPERT PERSPECTIVES
PRIVACY - PII Valued in Bankruptcy: What Could Possibly Go Wrong?
Daniel Solove’s recent article, Bankruptcy Sale of DNA Data: From Toysmart to 23andMe, discusses the implications of private companies selling personal data during bankruptcy proceedings, focusing on the historical case of Toysmart and the potential sale of 23andMe’s genetic data. It highlights the privacy risks and regulatory challenges associated with such transactions, emphasizing the need for stringent data protection measures.
Key takeaways
INSIGHT: Bankruptcy proceedings are complex and selling personal data is a contentious issue. While the goal is to maximize asset value for creditors, including consumer data raises ethical and privacy concerns.
Selling consumer data can provide substantial financial recovery for creditors, crucial in bankruptcy cases. It helps settle debts and allows for business continuity or restructuring. Consumer data is often a company’s most valuable asset. Excluding it from asset valuation could significantly reduce potential recovery, leading to greater financial losses.
Allowing the sale of consumer data can facilitate market dynamics where data can be utilized by other companies to enhance services, encourage innovation, and create new or additional value. This can be seen as a way to ensure that the data continues to be used productively rather than being wasted.
However, these “positive” perspectives must be balanced against the need to protect consumer privacy:
The real lesson for all of us: Always read the Terms and Conditions of anything you download, install, or use. If you don’t pay for a product, you are the product. If you pay a discounted price for a product or service, consider what you might be giving up, as there is usually a reason for the discount.
COMPLIANCE - SEC Fines Companies for Misleading Supply Chain Attack Disclosures
The SEC has fined four companies—Unisys, Avaya, Check Point, and Mimecast—a total of $7 million for misleading disclosures related to the 2019 SolarWinds hack. These companies downplayed the impact of the breach, violating securities laws. The fines highlight the importance of transparency in cybersecurity disclosures and the need for robust cyber resilience measures.
Takeaways:
INSIGHT: While the fines aim to enforce compliance and transparency, the financial penalties may not be sufficient to drive significant changes in corporate behavior. For large corporations, these fines might be seen as a cost of doing business rather than a compelling incentive to enhance cybersecurity measures. A more effective approach will likely require higher penalties to ensure that organizations prioritize cyber resilience and proactive risk management.
The fines imposed by the SEC appear to be an initial signal that the SEC is serious about enforcing its cybersecurity disclosure rules. This action demonstrates the SEC’s commitment to holding companies accountable for transparency in reporting cybersecurity incidents. It should also serve as a warning to other organizations that non-compliance with these rules can result in significant financial penalties and regulatory scrutiny. This move is likely intended to encourage companies to take proactive steps to improve their cyber resilience.
If you're an SMB executive, consider earning new customers by taking these proactive steps to enhance your company's cyber resilience posture:
By taking these steps, you will significantly improve your company’s cyber resilience and better protect against potential cyber threats. This approach not only helps in meeting your customers' expectations but also builds trust with customers and stakeholders.
Sharpen Your Cyber Edge with Netswitch
Master Compliance & Minimize Risks:
Deepen Your Knowledge:
Don't wait.
Contact Netswitch Technology Management today to take control of your cyber risk.
Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.
Senior Cybersecurity Advisor and Principal Consultant
4 weeks
Great write up Stanley as usual