SecureFact - Cyber Security News - Week of October 28, 2024
Data Breaches
1. UnitedHealth says data of 100 million stolen in Change Healthcare breach
UnitedHealth has confirmed that a significant data breach involving its subsidiary Change Healthcare has affected over 100 million individuals, making it one of the largest healthcare data breaches in recent history. This breach was initially reported following a February ransomware attack orchestrated by the BlackCat (ALPHV) ransomware gang, which exploited vulnerabilities in the company's Citrix remote access service that lacked multi-factor authentication. The breach exposed a wide array of sensitive information, including health insurance details (e.g., policy numbers, member IDs); medical records (e.g., diagnoses, treatment histories); billing information (e.g., claim numbers, payment details); and personal identifiers (e.g., Social Security numbers, driver's licenses). The U.S. Department of Health and Human Services updated its records to reflect the scale of the breach, confirming that Change Healthcare had sent notifications to approximately 100 million individuals regarding the incident.
2. Henry Schein discloses data breach a year after ransomware attack
Henry Schein has reported a significant data breach affecting over 160,000 individuals due to two cyberattacks by the BlackCat ransomware gang in 2023. Approximately 35 TB of sensitive files were stolen during these incidents. The first attack prompted the company to take systems offline on October 15, disrupting manufacturing and distribution operations. The BlackCat gang claimed responsibility and threatened further encryption of the network if their ransom demands were not met. A second attack occurred on November 22, with some stolen data released on the gang's leak site. In a notification to the Maine Attorney General, Henry Schein confirmed that 166,432 people's personal data was compromised. The company has engaged an external firm to assess the breach and is offering a free 24-month membership to Experian's IdentityWorks service for credit monitoring and fraud detection to those affected.
3. Insurance admin Landmark says data breach impacts 800,000 people
Landmark Admin has reported a data breach affecting over 800,000 individuals due to a cyberattack detected on May 13, 2024. The company, which provides administrative services for insurance carriers, shut down its IT systems to contain the incident and engaged a third-party cybersecurity firm to investigate. The investigation revealed that the attackers accessed files containing sensitive personal information of 806,519 people, including names, addresses, Social Security numbers, driver's license numbers, financial account details, medical information, and health insurance policy numbers. Affected individuals will be notified by mail regarding the specific information compromised. Landmark has not yet identified the responsible threat actors or confirmed whether the attack involved ransomware or data theft. The investigation is ongoing, and impacted individuals are advised to monitor their credit reports and bank accounts for any suspicious activity.
4. Data leaks: Irdai directs two insurers to conduct IT systems audit
The Insurance Regulatory and Development Authority of India (Irdai) has directed two unnamed insurers to conduct audits of their IT systems due to recent data leaks affecting policyholders. This action follows a breach admitted by Star Health Insurance, while the second insurer's identity remains undisclosed. Irdai is actively engaging with the management of these companies to address vulnerabilities and ensure the protection of policyholders' interests. The insurers have been instructed to appoint independent auditors for a comprehensive review of their IT systems to eliminate vulnerabilities. The affected insurers have isolated the compromised systems and enlisted external IT security firms for root cause analysis. Vulnerabilities identified in the audit are being addressed, and preventive measures are being implemented, including system upgrades and rectification of API vulnerabilities.
5. LinkedIn Fined More Than $300 Million in Ireland Over Personal Data Processing
Ireland's Data Protection Commission (DPC) has fined LinkedIn €310 million (approximately $335 million) for serious violations of the European Union's General Data Protection Regulation (GDPR). The fine stems from LinkedIn's failure to obtain valid consent from users for processing their personal data to deliver targeted advertising, which the DPC determined was neither "freely given" nor "informed" as required by GDPR standards. The investigation, initiated in 2018 following a complaint from the French digital rights organization La Quadrature du Net, revealed that LinkedIn improperly justified its data processing practices under various legal bases, including consent, legitimate interests, and contractual necessity. The DPC found these justifications inadequate, emphasizing that LinkedIn did not provide clear information to users regarding their rights or the nature of data processing. Deputy Commissioner Graham Doyle stated that LinkedIn's actions constituted a "clear and serious violation" of users' fundamental rights to data protection. This fine is noted as one of the largest imposed under GDPR since its introduction in 2018.
Malware and Vulnerabilities
1. Cisco Patches Critical Vulnerability Affecting VPN Services
Cisco Systems has issued a critical advisory regarding a vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, specifically affecting the Remote Access VPN (RAVPN) service. This vulnerability, identified as CVE-2024-20481, has a Common Vulnerability Scoring System (CVSS) score of 5.8 and is classified under CWE-772. Cisco advises organizations to upgrade to the latest software versions, as no workarounds are available for this vulnerability. Administrators should verify whether SSL VPN is enabled on their devices using the commands given in the advisory and confirm hardware compatibility before upgrading.
2. Fortinet warns of new critical FortiManager flaw used in zero-day attacks
Fortinet has disclosed a critical vulnerability in its FortiManager API, tracked as CVE-2024-47575, which is being actively exploited in zero-day attacks. This flaw allows remote unauthenticated attackers to execute arbitrary code and steal sensitive files, including configurations and credentials for managed devices. The vulnerability has a severity rating of 9.8 out of 10. Fortinet began notifying customers about the issue on October 13, 2024, but reports indicate that some users were attacked weeks prior to these notifications. The flaw affects multiple FortiManager versions and can be mitigated by upgrading to the latest software or implementing specific security measures.
3. Microsoft SharePoint Vuln Is Under Active Exploit
A critical vulnerability in Microsoft SharePoint is currently being actively exploited, according to security researchers. The flaw, identified as CVE-2023-36884, allows attackers to execute arbitrary code on affected systems. Microsoft has released a security advisory urging users to apply patches immediately to mitigate the risk. The vulnerability primarily affects SharePoint Server versions 2016 and 2019. Attackers can exploit it by sending specially crafted requests to vulnerable SharePoint servers, potentially leading to unauthorized access and data breaches.