It’s not just the number of cyber breach news stories on the rise. According to the results of the annual data breach study conducted by IBM and the Ponemon Institute, cyber breach costs are also increasing.
Among other findings, the cost of a data breach went up 12 percent over the last five years and now averages $3.92 million. Meanwhile, smaller companies with fewer than 500 employees suffered average losses of over $2.5 million. The report drew on interviews with more than 500 companies around the world, and it came filled with disturbingly eye-catching statistics:
- U.S. data breaches cost an average of $8.19 million, more than double the worldwide average.
- Roughly one-third of all data breaches incur “long-tail costs” that last over one year.
- The average lifecycle of a data breach lasts 279 days: 206 days to identify and 73 days to contain.
If that’s not enough to scare you into double-checking your company’s cybersecurity posture, this week’s collection of cyber breach news stories starts with two of the most massive breaches in history.
U.S. CYBER BREACH NEWS (July 17-31, 2019)
Seattle resident Paige Thompson was arrested on Monday for breaking into the servers of Capital One and stealing information from more than 100 million Capital One accounts and credit card applications. According to a criminal complaint filed by the U.S. Department of Justice, Thompson accessed the data while working as a software engineer for Amazon Web Services, Capital One’s cloud hosting company.
Last March, Thompson exploited a firewall vulnerability to breach the Capital One server. After the breach, Thompson posted the data on GitHub and bragged about the crime on Slack. She even took to Twitter to announce her intentions to sell the stolen data, which includes 140,000 Social Security numbers, 80,000 bank account numbers, and an undisclosed number of names, addresses, credit scores and more.
Ultimately, the Capital One hack is not the most massive data breach in history. It’s not even one of the top five data leaks in recent history. The Capital One breach still sits behind the Yahoo breaches in 2013 and 2014, the Marriott/Starwood breach last year and the Equifax hack in 2017.
While we’re on the subject of mass-scale data breaches, Equifax is back in the cyber breach news this week. The Atlanta-based consumer credit reporting agency Equifax agreed to pay nearly $700 million to settle state, federal and consumer claims over a 2017 data breach that affected over 147 million people. This settlement mandates that Equifax put at least $380.5 million into a restitution fund for consumers, although the fund could reach as high as $500 million. After breaching the Equifax network through an unaddressed security vulnerability, hackers siphoned information for 76 days.
Along with the settlement came the news that the personal data of 15 million Californians got exposed in the Equifax breach. The exposed information included names, Social Security numbers, birthdates, addresses and drivers’ license numbers. Anyone who believes they are due compensation from the breach can visit equifaxbreachsettlement.com or call the toll-free hotline at 1-833-759-2982. California is getting an $18.7 million piece of the settlement to divvy up.
The fallout from the May 2019 data breach of American Medical Collection Agency continues to spread to healthcare organizations across the country. Maine-based Penobscot Community Health Care became the latest organization to announce their patients’ personal and credit card information got compromised in the AMCA data breach. Penobscot used AMCA to collect on overdue patient bills. Any Penobscot patients who encounter mysterious or unusual billings should contact the provider directly.
Right on the heels of the Penobscot announcement came news of another AMCA breach victim. Clinical Pathology Laboratories says that over 2 million patients had their personal information accessed. The exposed data includes names, addresses, phone numbers, birth dates and more. Another 34,500 CPL patients may have had their credit card or banking information compromised.
Lyon County School District in Nevada became the latest local agency to get targeted in a ransomware attack. The school district is still working to restore systems after a virus entered the network earlier this month. Phone lines also got taken down in the attack, which started on July 5, the first Friday after a federal holiday.
A report conducted by California State Auditor Elaine Howle found “high-risk deficiencies” in 21 government entities. This report specifically looked at government branches not currently mandated to meet the CA Department of Technology information security standards. The most commonly found security vulnerabilities include poor security patch management, unchanged default passwords and a general lack of security assessments.
American telecommunications giant Sprint recently confirmed that hackers possibly accessed customer accounts through Samsung’s “Add a Line” website. Potentially exposed personal information includes names, billing addresses, phone numbers and more. Sprint learned about the breach in late June when they started sending reset PIN codes to affected accounts. Unfortunately, Sprint did not provide information on when the cyberattack happened, or on the number of affected accounts.
Not all cyber breach news is bad news. After a ransomware attack on the Asian Art Museum in May, IT experts from the City of San Francisco managed to restore the museum’s network. While the system got restored in full, questions about the source of the attack linger.
The hackers demanded a ransom, but the museum and the City refused to pay. San Francisco had its city network hijacked in 2008 by a disgruntled Department of Technology worker. Since then, the City established a policy never to pay ransomware demands. Meanwhile, the City provides regular security awareness training classes for employees and also carries a cyber insurance policy.
It’s not just new media under attack by cybercriminals. Following last week’s report about a college radio station shut down by hackers, Florida community radio station WMNF got hit by ransomware. No sensitive data got accessed, but archived episodes of news and public affairs programming may be lost forever. The ransomware infected the AudioVault system, which stored all the station’s audio archives, including pre-recorded promos.
Proving once again that public schools and institutions remain some of the softest targets for hackers, a school district and library system in New York got hit by the Ryuk ransomware virus. School district computer files are inaccessible, and the system is inoperable, while the library’s online and phone services remain down. No ransom demand was received, but the FBI was contacted, and a forensic investigation is ongoing.
From the Experian data breach to the City of Atlanta shutdown, some of the most high-profile cyberattacks in recent years targeted businesses and institutions in the state of Georgia. Now, Henry County in Georgia is under attack, with no timeline for when the servers will come back online. The cyberattack got flagged by the county’s IT team, which took down the network and isolated the affected servers.
However, the damage was already done. The county website remains offline, phones in county offices are still out, and on-demand transit operations are inoperable. Meanwhile, the county courts are operating, but court records are still not available. Henry County officials are working with the FBI and the Georgia Technology Authority to investigate the incident.
Sophos recently published a report called “The Impossible Puzzle of Cybersecurity” that surveyed 3,100 IT managers in 12 countries. Not surprisingly, the findings paint a bleak picture of the current threat landscape. According to the report, 67 percent of organizations suffered a cyberattack in 2018. Over half of all successful attacks involved phishing schemes, while another 30 percent involved ransomware.
More bad news for the state of Georgia. A ransomware attack on police networks in Lawrenceville encrypted electronic reports and body camera videos. No ransom demand was received, but the FBI and private cybersecurity experts are working on the case while the computers remain down. Investigators believe that the ransomware virus breached the system back in March. The attack occurred on the same weekend that computers in Henry County and the Blackshear Police Department got hit, and it used the same virus.
A vendor used by the Tennessee Higher Education Commission and Department of Education experienced a data breach, exposing the information of students. The vendor is Graduation Alliance, which hosts a career planning website called CollegeforTN.org for THEC. Independent forensic experts are on the case, although the site will not come back online until the investigation is complete.
A cyberattack paralyzed multiple computer systems on the campus of Southern Illinois University Edwardsville. The attack started early in the morning on Sunday, July 14. IT workers isolated the attack before any data got compromised, but roughly 100 servers and backup servers got shut down in the quarantine process. Some services got restored quickly, but faculty and staff home directories and the computer system of campus newspaper The Alestle remained locked down as of press time.
On July 23, a ransomware attack hit Vigo County in Indiana. Officials are still assessing the damage, but the scope of the attack was limited to the courthouse and government center. No ransom request was received, but the county does carry a cyber insurance policy to cover any damages. Vigo County contains the City of Terre Haute, but city networks were not affected by the attack.
Another day, another Ryuk ransomware attack against an American city. A July 18 cyberattack on Collierville, a Tennessee city with a population of 50,000, impacted numerous municipal services. The City expects utility bills to go out later than usual, while the city library checks out books by hand. Although the FBI is on the case, it is still expected to take several weeks for Collierville to recover fully.
Medical records of 20,000 patients of Kentucky-based nonprofit Park DuValle Health Center have been held hostage by hackers for nearly two months. The June 7 cyberattack was the second attack on Park DuValle’s computer system in the last few months. Park DuValle runs four medical clinics for low-income and uninsured patients. Since the attack, Park DuValle employees have not been able to take appointments, send reimbursement claims to insurance companies, or access records of previous treatments and medications.
After multiple Louisiana school systems got attacked with malware, Gov. John Bel Edwards declared the state’s first-ever “cybersecurity emergency activation” on July 24. The attacks took down school district IT networks as well as phone systems. Meanwhile, the Governor’s declaration “enables local governments to utilize cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Service and more.”
Another day, another cyberattack on a public institution in the state of Georgia. On the morning of July 27, IT workers discovered a ransomware attack on the Georgia Department of Public Safety. The DPS includes the Georgia State Patrol, Georgia Capitol Police and the Motor Carrier Compliance Division. Georgia Technology Authority workers are conducting a forensic investigation.
Salt Lake City-based Zions Bank sent data breach notification letters to some customers this week. According to the letter, the bank learned about “unauthorized access to our computer network” on June 1. Exposed PII includes usernames, email addresses, account numbers and more. The bank is working with federal law enforcement, forensic experts and banking regulators to investigate the situation. Meanwhile, affected customers will get two free years of identity theft protection.