Monthly Breach Report: September 2020 Edition on Sep 14, 2020
As companies, schools, and universities consider how to bring their employees and students back to work, on-site and in the classroom, temperature checks and privacy data have been clashing. Organizations trying to make certain it is safe to come back by using temperature checks face a problem that is not so simple, because they also have to be sure not to intrude on anyone’s privacy. One thing is clear: the data is connected to the particular individual in the company or school attendance records. The institution or company must somehow separate medical information like this from personnel records for compliance with both the Americans with Disabilities Act (ADA) and the Health Insurance Portability and Accountability Act (HIPAA). There are state-by-state privacy regulations to adhere to, as well. Infractions of any of these can result in hefty fines for an organization. Further, an individual whose privacy data is not protected properly and is exposed can pursue legal action.
If your company has decided to implement temperature checks on employees or customers, be sure the privacy data practices are well established and impeccably followed. The fact remains that data should not be stored beyond what data management guidelines allow, and the more data collected, the greater the risk of exposure in a data breach.
During August, there were notable privacy data breaches affecting individuals and companies alike.
Instagram, TikTok, and YouTube
Data vigilantes have once again targeted unsecured databases. In August 2020, it was Instagram, TikTok, and YouTube whose user profiles were leaked and exposed, reportedly by Social Data, which sells media influencer data to marketers. These profiles, in no small numbers, were spread across a myriad of datasets. The leaked personal information includes photographs, full names, age, gender, and much more data valuable to phishing campaigns. Comparitech reported the leak and noted that attackers need very little time to start attacking a database once it is exposed. The number of records scraped was about 2 million from Instagram, almost a half-million from TikTok, and about 4 million from YouTube. Instagram is a property of Facebook, which had revoked Deep Social’s access to its platform two years ago.
Free Pick of the Litter
The largest platform of free graphic resources, Freepik, employs 450 in-house graphic designers and external contributors and serves 20 million unique registered users. In August, 8.3 million of those users were affected by a data breach. Their user information and email addresses were stolen, and 3.8 million of them also had their hashed account passwords taken. Both Freepik and sibling company Flaticon were affected by the attack, which exploited a SQL injection flaw. The companies issued notifications to all affected users with proper steps to prevent a future occurrence. Freepik beefed up its engagement of external security consultants and initiated a full review of its external and internal security measures.
Delivering Bad News
As if being confined to your home and not being able to socialize with friends and extended family were not enough, customers of the cheery Instacart pick-up and delivery service were notified of an August 2020 security event involving their accounts. It was the second incident in two consecutive months, following July’s debacle, when a credential stuffing attack on 278,531 accounts put their details up for sale on a dark web forum marketplace. This August incident involved contractors working for a third-party support vendor. The breach was discovered during a security audit. The contractors viewed thousands of shopper profiles, which was unnecessary for the support tasks they were there to perform. They saw full names, email addresses, telephone numbers, driver’s license numbers, and images of those driver’s licenses. So far, forensics has not turned up any digitally copied or downloaded data. In the aftermath, Instacart is adding protective measures, including shopper ID verification, secure login, and automatic logouts.
Sans this, sin that
SANS Institute immerses, educates, and certifies over 30,000 people worldwide each year to help them protect their companies from dangerous cybersecurity threats and attacks. All it took in August 2020 was one phished employee as the domino that toppled approximately 28,000 elements of personally identifiable information (PII) and leaked them in a data breach. No passwords or financial information were taken. The company has reached out to all the individuals affected. Further, if, once the investigation concludes, the incident turns out to include a valuable learning experience for future classes, the company may use it as a case study in future training.
Recovering Injuries and Identities
Personal information for as many as 103,000 customers of Dynasplint Systems was accessed without authorization in an IT breach. The attack actually occurred on 16 May 2020, close to three months before customer communications were attempted. Impacted customers and individuals were notified in communication that went out on 07 August 2020.
Dynasplint Systems is the pioneer and market leader in dynamic splint systems, which it provides to over a million people with neurological and orthopedic connective tissue medical issues. So, as both a US manufacturer and seller of the devices, Dynasplint holds personal, sensitive data protected by HIPAA. The hacked data contained medical details as well as associated names, email addresses, addresses, dates of birth, and Social Security numbers. The company described the breach as an encryption attack that prevented employees from accessing computer systems. In the time between discovering the breach and reporting it to customers, the company undertook its own investigation, contacted the FBI, and submitted its breach report “to the Department of Health and Human Services’ Office for Civil Rights indicating (sic.)102,800 individuals were potentially affected by the attack.” Since the attack, Dynasplint has been working with leading cybersecurity experts. In its press release regarding the attack, Dynasplint included for its impacted customers some “measures that can be taken to protect their personal information, including free identity monitoring and recovery services” as well as how to access its response services.
Canada Revenue Agency Forced to Shut Down
By the 14th of August, about 5,500 Canada Revenue Agency (CRA) accounts linked to its services had been compromised by two separate cyber attacks. The agency had to temporarily shut down its online services as part of its immediate response. The agency stated it quickly disabled access to the identified accounts to ensure taxpayer security and personal information were safely secured, and it requested law enforcement investigative assistance. Once the online services were shut down, people attempting to apply for emergency COVID-19 response benefits could not access the services they needed. First, Canadians began reporting that the email addresses associated with their CRA accounts and their direct deposit information were being changed, and even that they could see Canada Emergency Response Benefit payments being made in their name, although they had not applied for benefits. CBC’s news teams started reporting on these incidents, and the government eventually acknowledged the breach.
The attack was not only on CRA but also on GCKey, the online authentication system Canadians use to access their My Service Canada accounts and about 30 other departments. Reportedly, 9,041 GCKey accounts were accessed fraudulently in the breach. For several days the online systems were not available. Yet people could continue to apply for benefits through a telephone agency support system, with some days of delay in receiving benefits. The attackers accessed accounts using a group of malware-infected devices that tried combinations of user IDs and passwords to log in until they hit the correct combination. Once in, they could easily obtain more personal information and act as the user. Both direct and indirect account access methods were used following the breach of the GCKey accounts. A process has been set up for affected taxpayers with revoked access to confirm their identities and further protect and restore access to their accounts.
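The CRA/GCKey pattern above (a fleet of infected devices each trying a few username/password pairs, then a successful login followed by changes to the account email or direct deposit details) can be caught in authentication and profile-change logs. The detector below is an added illustration, not CRA or GCKey code; the log format, event names, field names and thresholds are assumed, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample auth/profile events (not real CRA or GCKey data).
# Format: timestamp event account source_ip [changed_field]
SAMPLE_LOG = """\
2020-08-10T09:00:01 LOGIN_FAIL u1001 10.0.0.5
2020-08-10T09:00:02 LOGIN_FAIL u1002 10.0.0.6
2020-08-10T09:00:03 LOGIN_FAIL u1003 10.0.0.7
2020-08-10T09:00:04 LOGIN_OK u1002 10.0.0.8
2020-08-10T09:00:05 LOGIN_FAIL u1004 10.0.0.9
2020-08-10T09:02:30 PROFILE_CHANGE u1002 10.0.0.8 email
2020-08-10T09:03:10 PROFILE_CHANGE u1002 10.0.0.8 direct_deposit
2020-08-10T09:10:00 LOGIN_OK u2000 10.0.1.1
2020-08-10T09:40:00 PROFILE_CHANGE u2000 10.0.1.1 email
"""

def parse(log):
    """Parse one event per line into (ts, event, account, ip, field-or-None), time-ordered."""
    events = []
    for line in log.splitlines():
        p = line.split()
        events.append((datetime.fromisoformat(p[0]), p[1], p[2], p[3], p[4] if len(p) > 4 else None))
    return sorted(events, key=lambda e: e[0])

def stuffing_window(events, window=timedelta(minutes=1), min_accounts=4, min_ips=4):
    """First window in which failed logins are spread over many accounts AND many source IPs.
    One or two guesses per (account, IP) pair is what an infected device fleet produces,
    and it is exactly what per-IP lockout rules miss. Returns (start, accounts, ips) or None."""
    fails = [e for e in events if e[1] == "LOGIN_FAIL"]
    for ts, *_ in fails:
        chunk = [e for e in fails if ts <= e[0] < ts + window]
        accounts = {e[2] for e in chunk}
        ips = {e[3] for e in chunk}
        if len(accounts) >= min_accounts and len(ips) >= min_ips:
            return ts, len(accounts), len(ips)
    return None

SENSITIVE_FIELDS = {"email", "direct_deposit"}  # assumed field names for the changes CRA users reported

def takeover_candidates(events, grace=timedelta(minutes=15)):
    """Accounts with a failed login, then a success, then a sensitive profile change within
    `grace` of that success. A user with no prior failure (u2000) is not flagged."""
    failed, ok_after_fail, flagged = set(), {}, set()
    for ts, event, account, _ip, field in events:
        if event == "LOGIN_FAIL":
            failed.add(account)
        elif event == "LOGIN_OK" and account in failed:
            ok_after_fail[account] = ts
        elif event == "PROFILE_CHANGE" and field in SENSITIVE_FIELDS:
            if account in ok_after_fail and ts - ok_after_fail[account] <= grace:
                flagged.add(account)
    return sorted(flagged)
```

Flagged accounts are candidates for forced re-verification of identity before any benefit payment is issued, which mirrors the restoration process the agency set up.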
During COVID-19, as always, people are encouraged to use strong passwords and different online passwords for different accounts. Companies and institutions are urged to strengthen their data management processes and use the most effective technology to discover and protect sensitive data throughout their data ecosystems, both in the cloud and on-premises.