America’s astronauts may have the right stuff, but when it comes to cyber security, NASA has the wrong stuff.
According to a recent report by the Office of the Inspector General (OIG), the National Aeronautics and Space Administration (NASA) suffers from insufficient and outdated network security. Even though NASA is a massive target for cyberattacks, the organization’s IT landscape failed to evolve with the times.
Some of the glaring NASA security weaknesses include software patch management and incident response. The security vulnerabilities come as a shock, especially given the agency’s reliance on IT to support missions, as well as its history of getting attacked. A Dec. 2018 breach exposed the personal information of NASA employees. Meanwhile, a lack of oversight on NASA’s Jet Propulsion Laboratory caused the leak of 500 megabytes of data.
In this week’s data breach news roundup, we look at cyberattacks against a renewable energy provider in Utah, a health provider in Maine and Disney fans across the globe.
U.S. DATA BREACH NEWS ROUNDUP (Nov. 1-25, 2019)
Associated Press News: Hackers Plead Guilty in Data Breach that Uber Covered Up
Hackers Brandon Charles Glover and Vaile Mereacre plead guilty to a data breach that exposed the personal information of 57 million Uber passengers and drivers. Glover and Mereacre stole PII from Amazon Web Services between Oct. 2016 and Jan. 2017. Uber paid the hackers a $100,00 ransom to get the data back, but the company waited until Nov. 2017 to make the breach public. The hackers face a sentence of up to five years in prison and a $250,000 fine.
Utah-based renewable energy provider sPower reported a cyberattack in April, a month after the attack occurred. Experts believe this is the first-ever attack on a renewable energy provider, as well as the first to “disconnect the U.S. power grid operator from its power generation station.” The root cause of the breach was an unpatched firewall.
California Department of Motor Vehicles improperly sent Social Security data on 3,200 people to seven government agencies within the last four years. Those agencies include the Internal Revenue Service, Department of Homeland Security and San Diego and Santa Clara County District Attorney’s offices. The DMV claims the improper exposure was “due to a misinterpretation of federal law.”
The widely anticipated streaming service Disney+ went online earlier this month, with about 10 million people signing up in the opening days. However, Disney+ almost immediately fell victim to a hack, as thousands of customers got stolen and put for sale on the dark web. Meanwhile, customer complaints about technical problems and account lockouts screamed across social media.
News Center Maine: Maine Health Provider Hit by Email Security Breach
A data breach of a southern Maine health provider compromised the health information of 30,000 patients. Hackers gained access to the InterMed system through multiple hacked employee email accounts. Exposed personal information includes names, dates of birth and health insurance information, as well as a limited number of Social Security numbers.
Threat Post: Eye Clinic Breach Reveals Data of 20,000 Patients
Utah Valley Eye Center in Provo recently started informing 20,000 patients about a 2018 data breach that exposed their information. The security incident occurred in June 2018 when hackers accessed the system through a third-party portal. Hackers started sending phishing emails to patients regarding a phony PayPal payment. In addition to email addresses, the hackers also accessed names, dates of birth, home addresses and phone numbers.
The Advocate: St. James Parish Government Hit in Cyberattack
A cyberattack suspected of originating in Russia led to a “precautionary shutdown” of the government network of St. James Parish in Louisiana. A “special cyber task force” under the Governor’s Office of Homeland Security and Emergency Preparedness successfully fought the attack. The attack did not interrupt early voting in runoff elections, although workers did switch to paper ballots for a few hours.
Later in the month, a ransomware attack forced the Louisiana state government to disconnect from the internet. The attack impacted email accounts, state websites and online applications. Some state workers were sent home early because they could not perform their jobs without internet access. Office of Motor Vehicles locations in Louisiana stayed closed in the aftermath of the attack. Meanwhile, the cyberattack also prompted a deadline extension for filing state taxes. Following the widespread attack, Gov. John Bel Edwards declared a State of Emergency.
Silicon Angle: Surfing Company Boardriders Crippled in Cyberattack
Best known as the parent company of Billabong and Quicksilver, Huntington Beach-based Boardriders Inc. got hurt last month in a malware attack. The attack damaged international operations as well as IT systems, communications and distribution networks. Experts expect retailer cyberattacks to intensify during the holiday season, a time when businesses might be more motivated to pay a ransom. Earlier this month, a Ponemon Institute study found that 72% of retailers in the world have experienced a cyberattack.
A breach of the customer-facing portal of Massachusetts-based genetic testing startup Veritas led to unauthorized access to customer information. The exposed information does not include any testing information or health information. However, the breach certainly brings into question the wisdom of sharing DNA information with a company that can’t protect its data.
A New Mexico school district will upgrade hardware and scrub 30,000 computers after getting infected with ransomware on Oct. 29. Until that happens, the Las Cruces schools will remain offline. The district is working with a cyber security consultant and federal law enforcement officials on investigating what they describe as a “targeted attack.” This security incident is the third ransomware attack to hit the district within the past few years.
Miami Herald: Data Breach Put Thousands of Florida Blue Members’ Personal Information at Risk
Phoenix-based pharmacy management vendor Magellan suffered a data breach that sent ripples across the American medical industry. The breach affected several thousand Florida Blue members, exposing their names, dates of birth and prescriptions.
Meanwhile, the breach also affected 44,000 TennCare members in Tennessee. In that case, names, Social Security numbers, members IDs and more got exposed. Impacted individuals will receive complimentary credit monitoring and identity theft protection services.
A long-running data breach that started in 2013 will cost the Texas Health and Human Services Commission $1.6 million in fines. In violation of federal health privacy rules, the breach exposed personal health information on over 6,600 people. Meanwhile, the Office of Civil Rights investigation also found that the department failed to perform a risk analysis or implement access and audit controls.
The University of North Carolina at Chapel Hill School of Medicine recently experienced a data breach affecting 3,716 people. Hacked email accounts led to the incident, which exposed names, dates of birth, addresses, health insurance information, Social Security numbers, financial information and more. In response, the UNC School of Medicine will implement multi-factor authentication and expand security awareness training for employees.
Bleeping Computer: Macy’s Customer Payment Info Stolen in Magecart Data Breach
Hackers recently hit the Macy’s website with a MageCart attack. In this type of scheme, hackers breach a website and insert malicious scripts to steal information. Malicious scripts introduced into the Macy’s Checkout and My Wallet pages scraped customer credit and debit card information, along with names, home addresses, email addresses, phone numbers and more. Macy’s stock dropped 10.9% after news of the data breach went public.
Atlanta Business Journal: Church’s Chicken Investigating Possible Data Breach
Atlanta-based fast-food chain Church’s Chicken is looking into a “potential incident involving credit and debit card data.” The possible data breach only pertains to company-owned restaurants in Georgia and ten other states. Church’s Chicken believes that an unauthorized third party breached payment processing systems at certain restaurants. According to a prepared statement, Church’s will work with a cyber security firm to determine the cause and scope of the breach.