Fresh off the news that Iranian hackers and other international bad actors aggressively targeted the American infrastructure, the U.S. Senate recently passed a bill to protect the country’s electrical grid. Part of a $750 billion defense funding bill, the Securing Energy Infrastructure Act would establish a two-year pilot program to “study security vulnerabilities and research and test technology.” Inspired by a 2017 Russian cyberattack on the Ukraine power grid that left more than 225,000 people without power, the bill takes a systematic approach towards solving cybersecurity issues.
However, a survey conducted in advance of the Black Hat USA 2019 conference indicates that the problem is much more urgent. According to 40 percent of respondents, “large nation-states” present the top threat to critical American infrastructure. The scary statistics from the Black Hat USA 2019 survey don’t stop there:
- 60 percent expect Kremlin-supported hackers to compromise U.S. voting machines in 2020.
- 77 percent expect a successful critical attack on the American infrastructure within two years.
- 65 percent of security experts believe their organization will suffer a “disastrous data breach” within one year.
Speaking of disastrous data breaches, Baltimore Mayor Jack Young sponsored a resolution opposing ransomware payments at last month’s U.S. Conference of Mayors. According to the resolution text, at least 170 county, city or state government systems have experienced a ransomware attack since 2013. When Baltimore got hit with a ransomware attack last month, Young refused to pay the $100,000 ransom in Bitcoin. A full recovery from the Baltimore ransomware attack is expected to cost the city at least $18 million.
Now, without further ado, here are the latest cyberattack news stories affecting U.S. organizations over the last few weeks.
U.S. DATA BREACH NEWS (July 1-16, 2019)
Cloud solutions provider PCM, which boasts over 2,000 customers and $2.2 billion in revenues, detected a breach in May. Hackers stole admin credentials that PCM uses to manage client accounts in Office 365, compromising email and file-sharing systems for some PCM customers. It is unclear how this data breach will affect the planned purchase of PCM by Insight Enterprises.
Former CIO for US Information Systems Jun Ying became the second person sentenced to prison for insider trading related to the massive Equifax data breach in 2017. The Equifax breach exposed names, addresses and Social Security numbers of 147 million Americans. Although the company learned about the data breach in July 2017, it did not get disclosed to the public for another three months.
Meanwhile, Ying sold all his shares in the company ten days before the breach became public knowledge. Besides receiving jail time, Ying also got ordered to pay $117,000 in restitution and a $50,000 fine.
After a two-month investigation, authorities arrested five people suspected of data theft and fraud, including one DCFS employee. Two other suspects in the crime remain at large. The investigation started in May 2019, when a Florida retailer contacted authorities after suspecting fraudulent activity. The suspects allegedly used the PII of Florida residents to open credit card accounts and purchase thousands of dollars of merchandise.
Over the last weekend in June, the Georgia Administrative Office of the Courts discovered “sophisticated malware” on the website and network that supports the state’s court system. Of course, Georgia is no stranger to costly cyber attacks, as a 2018 ransomware outbreak encrypted 3,800 City of Atlanta computers. The cost of recovery in the Atlanta attack totaled more than $7 million.
A recent state audit released on July 3 found that the Oregon DAS lacks “basic controls needed to guard against cyberattacks.” The audit laid out recommendations for next steps, but most of the goals feature a July 2023 completion date. Meanwhile, the Department of Human Services got hit with a cyberattack in January, and both Oregon State University and Oregon State Hospital fell victim to phishing emails within the last two months.
Yahoo News: Maryland Department of Labor Reveals Data Breach Potentially Exposing 78,000 Customers
As the City of Baltimore continues to recover from a crippling ransomware attack, the Maryland Department of Labor announced another mass data breach. Hackers accessed files through the Literacy Works Information System and a “legacy unemployment insurance database.”
The files came from 2009, 2010 and 2014, and possibly included names, dates of birth, places of residence and Social Security numbers. Anyone affected by the breach will get offered two years of free credit monitoring.
On July 6, a cyberattack knocked government systems offline in this Indiana county. Luckily, the county IT director limited the damage by shutting down the computer system, but not before half of the county’s servers got impacted. Website and email account access remain unavailable as officials deal with the aftermath of the attack. No timetable on a full recovery was offered, although the county expects that cyber insurance will cover at least some of the costs.
UPDATE: Even though there is no guarantee they will get their data back, La Porte County government officials decided to meet the hackers’ ransom demands. The Indiana county paid $130,000 to the criminals who breached their network, although most of the money will get covered by cyber insurance.
In an investigation published in Marine Safety Alert on June 8, the U.S. Coast Guard claims that a Feb. 2019 cyberattack “exposed critical control systems of a deep draft vessel bound for the Port of New York.” Making matters worse, the crew of the vessel knew that the shipboard network presented significant security risks.
Unfortunately, the shipping industry security vulnerabilities don’t stop there. The investigation also revealed that it is “common practice for cargo data to be transferred at the pier, via USB drive.”
During a marathon session last week, state legislators approved numerous amendments to CCPA, California’s landmark data privacy law. However, despite the best efforts of the tech industry and other lobbying groups, the most business-friendly changes failed to pass or got withdrawn. One withdrawn bill would allow businesses to continue selling personal data to third parties, even after a consumer opts out. CCPA is still scheduled to go into effect on Jan. 1, 2020.
Personal information of nearly 15,000 patients who received medical care through Los Angeles County hospitals and clinics got exposed by a phishing attack. The attack targeted Nemadji Research Corp., a third-party contractor used for verifying patient eligibility. A Nemadji employee opened a phishing email on Mar. 28, allowing outside access to company data for several hours.
Data compromised by the cyberattack included names, addresses, dates of birth and medical record numbers. Nemadji is offering free access to credit monitoring and identity protection services for affected individuals. L.A. County Department of Health Services is the second-largest health system in the nation.
In a related story, Duluth-based Essentia Health informed 1,000 patients that the Nemadji data breach exposed their personal health information. The breach affected Essentia Health system patients in Minnesota, Wisconsin and North Dakota.
A July 1 ransomware attack disabled most of the programming systems for KHSU, a Humboldt State University radio station. The servers did not house sensitive information, and no demand for payment was specified. However, the station remains off the air until the issue gets resolved. Since KHSU is a federally licensed facility, the attack got reported to federal law enforcement officials and the Federal Communications Commission.
According to a new study by cyber security firm Infocyte, small to medium-sized businesses remain especially vulnerable to data breaches. Infocyte measured recent threats over 90 days, reviewing material from more than 550,000 forensic inspections. The study found that the average dwell time for “confirmed, persistent malware” is 798 days. Meanwhile, 72 percent of SMB networks found “riskware” and unwanted applications in their environment.
A lawsuit filed by Pomerantz Law Firm in New York claims that FedEx violated federal securities laws in the aftermath of a June 2017 cyber attack. The attack targeted TNT Express, a Dutch company previously purchased by FedEx for $4.8 billion.
Meanwhile, the lawsuit only impacts people who purchased FedEx stock during a 15-month period starting in Sep. 2017. It claims that FedEx misled those investors about how fast it could cover costs from the cyber attack.
Hackers locked down the network of Monroe College, which operates four locations in the New York City area, in a July 10 ransomware attack. While the college continues to work offline, the hackers demanded 170 bitcoin (worth approximately $2 million) to restore the system. The NYPD is investigating the incident as “grand larceny committed by extortion.”
A phishing email that targeted county employees allowed hackers to access the payroll system of Arlington County, Virginia. County officials claim that resident data did not get compromised in the attack, only the data of county employees. The county has beefed up security since the attack, while the Arlington County Police Department continues to investigate the incident.
Premera Blue Cross is still feeling the fallout from a 2014 data breach that exposed the personal information of more than 10 million people. Last week, Premera, the largest health insurer in the Pacific Northwest, reached an agreement with the attorneys general of 30 states on a $10.4 million settlement.
This news comes on the heels of a report that found 3.5 million people had data exposed in healthcare breaches last month. That total nearly doubles the 2 million people compromised by data breaches in May.
The Premera breach started with a successful spear-phishing attack in May 2014 and lasted almost one year, even though Oregon state auditors previously alerted Premera to network security vulnerabilities.
A ransomware attack using the Ryuk virus corrupted both internal files and backup data on the server of this Bellingham, Washington-based college. The school remains open for now, although services remain limited and video conferencing classes are down entirely. Northwest Indian College is the only accredited Tribal College or University serving reservation communities in the Pacific Northwest.
A ransomware attack caused a week-long network outage at the Syracuse City School District in New York. The system remains down while the school district debates whether or not to pay the hackers’ ransom demand. According to Syracuse.com, the district’s cyber insurance company is urging them to pay, while FBI officials are discouraging cooperation.