Weekly Cyber Risk Roundup: Instagram Bug May Affect Millions and FDA Recalls Vulnerable Pacemakers

Instagram was among the week’s top trending cybercrime targets due to both the company confirming a bug that may have leaked some users’ personal information and a malicious actor claiming that he is selling the personal data of six million Instagram users.


On August 28, Instagram’s most popular user, Selena Gomez, had her account hacked and used to spread nude photographs from 2015 of her ex-boyfriend Justin Bieber. Two days later, Instagram warned that a bug in the Instagram API had been used to steal some high-profile users’ personal information — which may have contributed to the Gomez account takeover.

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”

However, that same day a malicious actor claiming to have scraped the personal data of six million Instagram users contacted Ars Technica and told the outlet that he or she was selling the data in a searchable website for $10 per query. The actor claimed to have learned of the vulnerability used to scrape the data in an IRC discussion — suggesting that the bug confirmed by Instagram may have a wider scope of impact than initially thought. An Instagram representative said company officials are aware of the claim and are investigating it. Researchers said the 10,000-record sample provider by the actor appears to be legitimate. Until Instagram clarifies the extent of the bug and the subsequent breach of personal information, Instagram users should assume that their associated email addresses and phone numbers may in the hands of malicious actors.


Other trending cybercrime events from the week include:

  • Numerous ransomware announcements: NHS Lanarkshire hospitals were disrupted by a Bitpaymer ransomware infection that resulted in the staff bank and telephone systems going offline, as well as the rescheduling of appointments. An employee of the German state parliament of Saxony-Anhalt opened a malicious attachment in a spear phishing email, leading to a ransomware infection that media said “crippled” the state parliament’s network. Dorchester School District 2 in South Carolina announced it paid $2,900 via its insurance coverage after 25 of the 65 servers for the district’s computer network were infected with ransomware. Medical Oncology Hematology Consultants, PA in Delaware said that a ransomware infection affected 19,203 patients. The Indiana accounting firm Whitinger & Company notified clients of a data breach and ransomware attack.
  • Insiders lead to lawsuits, data breaches: Allstate Insurance has filed a lawsuit against Ameriprise Financial accusing the company of attempting to steal confidential information by encouraging Allstate agents to create contact lists and download client data to use in soliciting clients once they quit and get hired at Ameriprise. Tewksbury Hospital in Massachusetts discovered unauthorized employee access to patients’ medical records that dated back to 2003 and is attempting to notify affected individuals that their information was compromised.
  • Organizations expose data: Researchers discovered an insecure backup device belonging to the London-based Bell Lomax Agency that exposed thousands of documents related to the company and its literary clients. MacKeeper researchers said anyone could access the documents, which included the Agency’s Quickbooks accounting files, archive email boxes, financial data, expenses, administrative details, royalties, and client details for 2014-2015. Major League Lacrosse is notifying all players that their information was accidentally available online due a link on its website that pointed to a spreadsheet containing data on every player in the league.
  • Other notable incidents: There have been multiple attacks against South Korean cryptocurrency exchanges, financial technology companies, and startups that use blockchain technology. CeX is notifying two million registered website customers that their information may have been accessed by an unauthorized third party. MacEwan University said that it was the victim of an $11.8 million wire transfer fraud after a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. Swedish web hosting company Loopia said that hackers accessed parts of its customer database, including customer contact information and encrypted passwords. Zazzle is warning customers that their accounts may have been compromised due to brute-force attacks and is prompting customers to choose new passwords. Oklahoma City’s Tower Hotel is the latest in a growing number of hotels to announce being impacted by the breach of the Sabre Hospitality Solutions SynXis Central Reservations system. The hacking group OurMine used a domain spoofing attack to redirect visitors of WikiLeaks website to a page created by the group.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

2017-09-01_RiskScoresThe FDA has approved a firmware update for certain Abbott (formerly St. Jude’s) pacemakers to address cybersecurity vulnerabilities — essentially ordering a recall to correct the issues present in 465,000 implanted RF-enabled cardiac pacemakers.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in safety communication. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

The firmware update follows a series of high-profile news stories regarding St. Jude dating back to 2016 when the healthcare cybersecurity company MedSec teamed up with the short selling firm Muddy Waters to disclose — and ultimately profit from — several remotely executable flaws in St. Jude pacemakers and defibrillators. A lawsuit, government alerts, and a January 2017 patch that many claimed fell short followed (the timeline is summarized well in this article from CSO Online).

The firmware update requires an in-person patient visit with a health care provider and takes approximately 3 minutes to complete. After installing the update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The FDA asks affected patients to consult with their physicians about any risks associated with receiving the firmware update, which has “a very low risk of an update malfunction.”

In 2016, the FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.