Breach Report 2019 – August

by Sarah Harvey / September 3rd, 2019

Every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during August and the lessons we can learn from them.

State Farm Data Breach in 2019

What Happened?

On August 7th, insurance provider State Farm notified the California Attorney General of a data breach caused by a credential stuffing attack. State Farm sent out an email notifying users whose online log-in credentials had been compromised, stating that “a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access [sic] to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.” While usernames and passwords were compromised, no other PII or fraud has been detected.

Lessons Learned

According to Verizon’s 2019 DBIR, over 60% of breaches involved the use of stolen credentials. To prevent organizations from experiencing a data breach like State Farms, organizations must work to protect their users’ data by implementing information security best practices, like these recommended by OWASP:

  • Deploy Multi-Factor Authentication
  • Use a CAPTCHA
  • Use IP blacklists
  • Utilize Device Fingerprinting
  • Disallow Email Addresses as User IDs

Presbyterian Health Services

What Happened?

Presbyterian Health Services, a New Mexico-based healthcare provider, fell victim to a data breach after multiple employees responded to a phishing email. Malicious hackers were then able to gain access to the protected health information of nearly 183,000 patients and health plan members.

Lessons Learned

The healthcare industry is amongst one of the top targets for cyberattacks, and malicious hackers will only become more creative and cunning; however, time and time again, we see reports of healthcare organizations being impacted by something as simple as phishing attacks. This highlights the extreme importance of training employees on information security best practices on a regular basis; all employees should know how to identify and report suspicious emails and other forms of electronic communications.

22 Texas Local Governments

What Happened?

Last month, it was Los Angeles County Department of Health Services and Maryland’s Department of Labor. This month, it’s 22 Texas municipalities. Malicious hackers are targeting municipal governments more than ever, and Texas is only the latest victim. Faced with paying a $2.5 million ransom to restore all crypto-locked systems, these Texas municipal governments are in the stages of investigating and recovering from the attack. And while the Texas Department of Information Resources is leading the incident response effort and are being assisted by entities like the U.S. Department of Homeland Security and the FBI’s cyber division, the type of ransomware used has not been released. However, Mayor Gary Heinrich of Keene, Texas, gave more details on the attack in an interview with NPR, stating, “They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.” Services like vital statistics, credit card payments, and utility disconnections were impacted by the data breach.

Lessons Learned

Month after month, local governments are being attacked by malicious hackers. Why? Because once malicious hacker targets big companies and government agencies and fails, they target smaller companies and governments. And because of the limited personnel and financial resources, local governments like those in Texas are often forced to partner with third-party IT service providers, making them even more susceptible to breaches. This underscores just how important having robust cybersecurity strategies are for municipal governments, especially when it comes to working with third-party vendors. It also points to the need for municipal governments to perform thorough risk assessments of third-party vendors in order to mitigate and risk-rank the potential threats associated with working with third-party vendors.

Imperva

What Happened?

On August 20th, Imperva, a leading provider of Internet firewall services that help websites block malicious cyberattack, announced that it experienced a data breach that impacted users of their cloud-based Web Application Firewall (WAF) product. According to a report issued by KrebsOnSecurity, malicious hackers compromised data including email addresses, scrambled passwords, API keys, and SSL certificates.

Lessons Learned

When asked about the lessons organizations can learn from Imperva’s breach, KirkpatrickPrice’s Director of Audit Operations, Richard Rieben said, “The biggest takeaway is that no one is immune to breaches – organizations need to continually defend against malicious attacks as well as internal misconfigurations. While we don’t know all of the details of this exact breach, it highlights the need for defense-in-depth techniques which would minimize exposure due to this specific breach given what was disclosed.”

Bonus: What to Watch

Netflix recently released The Great Hack, re-sparking the conversation around Cambridge Analytica, Facebook, and the use of personal data to create propaganda and targeted messaging. The Great Hack follows Cambridge Analytics former employees Christopher Wylie and Brittany Kaiser, Carole Cadwalladr, the journalist who broke the story, as well as David Carroll, the professor who took legal action against Cambridge Analytica to access the data points collected about him.

Data rights are human rights. As technology booms, data is the first asset to be used to influence buyer habits, ways of thinking, and decision making. It’s also the first asset to be stolen or targeted by a hacker. As organizations continue to use more and more personal data to create targeted messages towards data subjects, we’ll continue to see laws and regulations (like GDPR and CCPA) rise up to protect data. If your organization is considered a controller or processor of personal data, you have a responsibility to develop data privacy practices that protect data subjects.

To understand the impact that insecure or illegal data privacy practices can have, find time to watch The Great Hack and let us know your reactions. We’d love to hear them!

Whether it’s a government agency or a private healthcare collection’s agency, at KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.