Weekly Cyber Risk Roundup: Massive Data Dumps and More Insider Breaches

After a short period without any new mega breach announcements, the past two weeks have seen several massive data dumps totaling more than 130 million records. In last week’s roundup, we mentioned a hacker going by the Twitter handle “0x2Taylor” who released 58 million records claiming to be stolen from an unsecured database. That leak has since been attributed to Modern Business Solutions, but the company did not respond to the numerous news outlets and sites that reached out to it about the breach.

It was also recently announced that gaming company Evony was hacked in June 2016 and more than 33 million user records were stolen. The compromised records contained usernames, email addresses, passwords, IP addresses and other internal data. LeakedSource said the passwords were stored using unsalted MD5 hashing and that it had already cracked “most” of the passwords.

On Thursday, a massive data breach was announced affecting Weebly, a popular web-hosting service featuring a drag-and-drop website builder. That breach included more than 43 million user records containing usernames, email addresses, passwords and IP addresses. The good news, LeakedSource wrote, was that the company actually responded to its notification attempts and “did not have [its] head buried deeply in the sand” like other companies it has attempted to notify of late. Also, the compromised passwords were stored using uniquely salted bcrypt hashing. That matters because, as a hosting provider, Weebly’s breach affected not only tens of millions of users but also tens of millions of websites.
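The difference between the Evony and Weebly stories comes down to how the password column was stored. The following added example (not code from the original post or from either company) shows why unsalted MD5 lets a leaked table be cracked wholesale while a per-user salted, deliberately slow hash does not, and turns that into a cheap audit check a defender can run over a credential table: count users who share an identical stored hash. It assumes a small constructed user set, and uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so it runs offline without third-party packages; the salted-hash storage format is invented for the example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample data: two users chose the same password, which is the
# normal state of affairs in any real credential dump.
SAMPLE_USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "tr0ub4dor&3"}


def md5_unsalted(password: str) -> str:
    """The legacy scheme described in the Evony story: plain, unsalted MD5.
    Same password in, same hex digest out, for every user and every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user salted, work-factored hash. PBKDF2-HMAC-SHA256 stands in for
    bcrypt here (assumption for the example: the lesson is the unique salt and
    the slow work factor, not the particular algorithm). Storage string format
    is invented: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so verification leaks nothing about how close a guess is."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(hashes: dict) -> int:
    """Number of users whose stored hash is identical to some other user's.
    Under unsalted MD5 this equals the number of users with repeated passwords,
    so every cracked digest unlocks all of them at once. Under a salted scheme
    it should be zero; a non-zero result on a production table is a red flag
    that passwords are being stored unsalted."""
    counts = Counter(hashes.values())
    return sum(n for n in counts.values() if n > 1)


def audit(users: dict) -> dict:
    """Store the same users both ways and report the duplicate-hash count for each."""
    md5_table = {u: md5_unsalted(p) for u, p in users.items()}
    salted_table = {u: salted_slow_hash(p) for u, p in users.items()}
    return {
        "md5_duplicates": duplicate_hash_count(md5_table),
        "salted_duplicates": duplicate_hash_count(salted_table),
        "salted_table": salted_table,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_USERS)
    print("users sharing an MD5 digest:   ", result["md5_duplicates"])
    print("users sharing a salted digest: ", result["salted_duplicates"])
    print("alice login with correct password:",
          verify_salted("sunshine1", result["salted_table"]["alice"]))
```

Running `audit` on the constructed users reports two shared MD5 digests (alice and bob) and zero shared salted digests, which is exactly the property LeakedSource was pointing at: with Evony’s table, cracking one digest recovers every account that used that password, and the digest can be matched against lookup tables built from every other unsalted MD5 dump ever published; with Weebly’s, each of the 43 million entries has to be attacked individually at bcrypt speed.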

As our Mid-Year 2016 Cybercrime Trends report noted, the credentials stolen/leaked tag appeared in 12.7% of the negative CyberFacts collected by SurfWatch Labs in the first half of 2016, a rise from 8.3% in 2015. A quick look at the updated data shows that since that report, that number has risen once again to 13.3% — driven, in part, by the more than 130 million records compromised in these three data breaches.

[Chart: 2016-10-21_groups]

Other trending cybercrime events from the week include:

  • WikiLeaks, government leaks, dominate news: On Monday WikiLeaks tweeted that the Internet link for founder Julian Assange was intentionally severed by Ecuador. Ecuador later confirmed it was behind the interference due to WikiLeaks’ decision to publish documents affecting the U.S. election and Ecuador’s desire to not meddle in the election processes. That hasn’t stopped the ongoing leak of emails from Hillary Clinton’s campaign manager John Podesta, which was brought up several times during Wednesday’s presidential debate. Executive director of the North Carolina GOP Dallas Woodhouse is the latest official to have his email hacked. In this case it was used to send phishing emails to all of his contacts with a link to a fake Dropbox file titled “GOP-financial_Document.pdf.”
  • Financial information continues to be targeted: Axis Bank in India is investigating a cyber intrusion after being notified by Kaspersky Lab of a potential breach. Approximately 1,000 members of One Nevada Credit Union had their payment card information stolen via ATM skimming devices, and at least one member had $5,000 stolen due to the incident. Noble House Hotels & Resorts announced a point-of-sale breach affecting payment cards used at its Teton Mountain Lodge & Spa and Hotel Terra properties. According to the company’s press release, only customers who used their cards between September 5 and September 6 of this year were impacted.
  • Researcher’s computer infected, data stolen: A researcher at the University of Toyama’s Hydrogen Isotope Research Center had research data and personal information stolen from a personal computer after clicking on an attachment claiming to be questions from a student. Japanese news sources said that “huge volumes” of data were transmitted while the computer was infected. The data affected mostly included research that was either already published or slated to be published, as well as the email addresses of 1,500 people. The individual whose device was compromised was researching tritium, a radioactive isotope of hydrogen that may one day be used for fuel in nuclear fusion reactors.
  • More data breaches announced: CalOptima announced that 56,000 of its members may have had their personal information compromised when an employee downloaded their information onto a personal, unencrypted USB drive. Australian event management company Pont3 announced its third-party external electronic mailing account was accessed without authorization resulting in some participant, volunteer and associated information being stolen. redBus, an inter-city bus ticketing service founded in India, is investigating a possible data breach after being alerted of a potential intrusion; however, the company said it has not been able to conclusively establish a data breach.
  • Russian man tied to LinkedIn breach: A Russian man who was arrested by Czech police is connected to the 2012 data breach at LinkedIn, the company said on Wednesday, although officials have not publicly confirmed the connection. Russian news agency TASS indicated that Russia would fight any attempt to extradite the man to the U.S.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: 2016-10-21_ittnew, newly seen targets]

Cyber Risk Trends From the Past Week

After several weeks of steady or dropping cyber risk scores, this week saw a consistent rise in risk across most sectors. Nine out of twelve sectors saw an uptick in cyber risk score when compared to the previous week, with Utilities (+10.9%) and Healthcare (+9.7%) seeing the biggest change. Government and Other Organizations experienced a rise of more than 6%, in part due to the many cyber-attacks and leaks tied to the U.S. presidential election.

[Chart: 2016-10-21_risk, cyber risk scores by sector]

Another reason for that rise is a steady trickle of small-scale data breaches tied to groups such as education and healthcare facilities. In a recent blog, we highlighted the difficult and growing problem of malicious insiders, but as that blog noted, the majority of insider incidents are unintentional errors committed by employees, vendors and third parties.

We saw several such news stories this past week:

  • Katy Independent School District in Texas experienced a data breach affecting 78,000 students after a third party that works with the district’s student data management system accidentally copied student information and uploaded it to a security software application used by 29 other school districts.
  • Nearly 700 users of Vermont’s online health insurance marketplace had their information inadvertently exposed due to a subcontractor mishandling their data and making it publicly accessible. WEX Health was hired by Vermont to perform payment processing for the insurance exchange, and Samanage, a subcontractor for WEX Health, made a data file publicly accessible for nearly two months.
  • St. Joseph Health agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights over accidentally making electronic protected health information publicly accessible on the Internet from February 2011 until February 2012.

This week’s stories highlight the variety of ways a data breach can originate with ill-trained employees and contractors, compounded by other poor risk management practices.

In the case of Katy Independent School District, an employee of SunGard K-12 mistakenly copied a file containing Katy ISD data into a standard installation pack for an information security software application. In the case of St. Joseph Health, a server purchased to store files included a file sharing application whose default settings allowed anyone with an Internet connection to access those files. St. Joseph Health did not examine or modify those settings after implementation, HHS wrote in a press release, leading to the ePHI of 31,800 individuals being compromised. That mistake cost St. Joseph a payment of $2,140,500 and the adoption of a comprehensive corrective action plan in order to settle potential HIPAA violations.

Those incidents, along with our previous blog on malicious insiders, serve as an important reminder that many data breaches do not come from outside the organization; rather, they come from within.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.
