When it comes to cyberattack news, it often feels like we still only see the tip of the iceberg. Despite the pervasive threats, it also seems that many businesses do not take network security seriously. A new report compiled by RiskBased Security appears to confirm those fears.
The 2019 MidYearQuickView Data Breach Report analyzes publicly reported breaches that occurred in the first six months of 2019. According to the report, data breaches exposed 4.1 billion records between Jan. 1 and Jun. 30, 2019. A jaw-dropping 3.2 billion of those records got exposed in just eight incidents, even though there were 3,800 publicly disclosed breaches.
Some other sobering facts from the 2019 MidYearQuickView Data Breach Report:
- Despite a recent focus on educational and government institutions, the business sector accounts for 67 percent of reported breaches
- Three of the ten largest data breaches of all time occurred in the first six months of 2019
- Email (70 percent) and passwords (65 percent) are the most commonly exposed data types
However, perhaps the most alarming finding from the RiskBased Security report is that the majority of breaches exposed 10,000 or fewer records. In other words, no target is too small to get attacked. It’s all about the data.
Now for this week’s roundup of cyberattack news from across the United States. We start with one of the most disturbing public institution attacks in recent memory.
U.S. CYBERATTACK NEWS (Aug. 15-31, 2019)
The Texas state government got rocked by a coordinated ransomware attack on at least 20 separate departments and entities. For security reasons, Texas did not release a full list of affected departments. The Texas Department of Information Resources, the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are all assisting in the recovery effort.
Meanwhile, ZDNet reported that the ransomware virus used in the attack is named Sodinokibi. Experts expect to see more of these types of “simultaneous attacks,” since hackers tend to copy each other.
Suprema, a self-described “global powerhouse in biometrics, security and identity solutions,” suffered a significant breach of its biometric database. The cyberattack exposed facial recognition records and fingerprints, as well as personal information on the Suprema staff. Over 5,700 organizations in 83 countries work with Suprema, and the attack likely affected millions of people across the globe. In a shocking oversight for a security company, Suprema left highly sensitive data unencrypted.
The network of Ohev Shalom, a synagogue in Maitland, Florida, got infected with ransomware in a targeted cyberattack. According to Ohev Shalom board president Steven Hornick, the attack involved a “new” type of ransomware. Word documents and Excel spreadsheets got encrypted and held for ransom, but the personal information of Ohev Shalom members did not get accessed.
Delta Air Lines filed a lawsuit against third-party vendor 24/7 for its role in a 2017 data breach. According to the lawsuit, 24/7 got contracted to create a chat platform for the Delta website. Due to “inadequate authentication measures,” a hacker accessed the Delta networks and modified the chat services software to scrape the credit card information of over 800,000 users. The suit claims that 24/7 knew about the incident for five months before notifying some Delta employees through LinkedIn messages.
A third party accessed an employee email account from Virginia Gay Hospital in Vinton, Iowa, potentially compromising patient information. The 25-bed hospital suffered a “data security incident” on June 18. Some of the exposed information includes names, dates of birth, Social Security numbers and medical information. Virginia Gay sent out notification letters to affected parties, and also established a call center to answer patient questions.
Phoenix-based broadband communications provider Cable One experienced a breach when an unauthorized person gained access to 14 employee email accounts. The attacker had access to the personal information of current and former employees, as well as their family members. Exposed PII likely includes names, addresses, Social Security numbers, financial account numbers, digital signatures and health insurance information.
Rockville, Maryland-based hotel chain Choice Hotels recently started contacting customers about a data breach involving roughly 700,000 records. This breach is related to a third-party vendor that copied and moved Choice Hotels data to its own server. Choice Hotels ended its relationship with the vendor, but guest information likely got exposed in the breach. The hotel industry is becoming a prime target for hackers because of the amount of information it holds on customers.
Stevens Institute of Technology in Hoboken, New Jersey, is racing to fix computer and network issues before the start of the school year. The attack occurred on Aug. 8, and the school’s IT department shut down the entire system as a precaution. While the school’s wireless network remains down, summer school exams got postponed, and the deadline for tuition payments got extended.
A cyberattack forced the school district in Nampa, the third most populated city in Idaho, to shut down all network services. The attack targeted Windows applications, and the school district is working with Microsoft to figure out the scope and origin of the attack. However, teachers remain unable to access any online curriculum during the recovery effort.
Embattled movie ticket subscription service MoviePass left tens of thousands of customer card numbers and personal credit cards exposed and unencrypted. A security researcher at SpiderSilk discovered the vulnerable database, which contained 161 million records, including some sensitive user information. At least 58,000 of the exposed records included debit or credit card data.
Hackers stole the personal information of 9,900 patients who participated in research studies at Massachusetts General Hospital. The hospital is working with federal law enforcement and notifying patients affected by the June data breach. Compromised data includes names, birthdates, genders, races, ethnicities and health care data.
In July, a Long Island school district got hacked with the Ryuk ransomware virus. The virus encrypted files on the server of this 3,500-student district, rendering the data inaccessible. Rock Centre paid nearly $100,000 to get a decryption key, with the district’s cyber insurance policy mostly covering the payout.
KrebsOnSecurity found over 5.3 million credit and debit cards from the Hy-Vee data breach for sale on the “dark web.” Iowa-based supermarket chain Hy-Vee, which owns over 245 stores across the Midwest, disclosed a possible data breach on Aug. 14. The breach mostly affected transactions on gas pumps at Hy-Vee gas stations, as well as drive-thru coffee shops and some in-store restaurants. However, the stolen information relates to accounts from 35 different states.
Delaware-based brokerage Lyons “detected unusual activity in an employee email account” in March. The company launched an investigation with third-party security experts, finding that two employee accounts got accessed without authorization. Affected data includes names, contact information, driver’s license information, bank account numbers, dates of birth, medical record numbers, patient ID numbers and more. Affected parties will get offered complimentary credit monitoring and identity restoration services.
Impacted courthouses in Georgia continue to recover from a June cyberattack that infiltrated the state judicial system’s network. The attack originated from outside the United States and used a ransomware known as Defray777. It targeted a management system used by 30 Magistrate Courts, 23 Municipal Courts and 17 Probate Courts.
Affected courts cannot access criminal cases and traffic citations, marking a temporary return to paper records. Meanwhile, courts continue to reschedule dates and negotiate with private vendors for a new management system. An estimated 12,000 manpower hours have been used to reenter the lost data. Gov. Brian Kemp has already ordered twice-a-year cyber security training for all state employees.
An unnamed third party alerted security vendor Imperva, a “leading provider of internet firewall services,” about a data breach of their cloud firewall product. Information left exposed by the California-based company included email addresses, hashed passwords, API keys and SSL certificates. Imperva was acquired earlier this year by private equity firm Thoma Bravo for $2.1 billion.