Breach Report 2019 – June

by Sarah Harvey / June 27th, 2019

Regardless of the size or industry of organizations, every month there is headline after headline about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during June and the lessons learned from them.

AMCA

What Happened?

Perhaps the most noteworthy data breach during June was caused by American Medical Collection Agency (AMCA), a healthcare collection agency, when unauthorized persons compromised their web payment page between August 1, 2018 and March 30, 2019. Thus far, it has been reported that AMCA’s data breach as impacted three of their clients and their clients’ customers including Quest Diagnostics, LabCorp, and Opko Health’s subsidiary, BioReference Laboratories. It is estimated that more than 20 million patients have been impacted by the data breach. Both Quest Diagnostics and LabCorp have since filed complaints with the SEC against AMCA, and AMCA’s parent company, Retrieval-Masters Creditors Bureau, has reportedly filed for bankruptcy.

Lessons Learned from the Data Breach

As a business associate, AMCA put the sensitive data of more than 20 million patients at risk, but the blame doesn’t solely fall on AMCA. When it comes to partnering with business associates, or any third-party vendor, covered entities must perform their due diligence to ensure that the third party they’ve entrusted to provide secure services will be able to follow through with their promises to protect their sensitive assets. This means that organizations must implement a formal risk assessment policy, understand shared risk, and undergo information security audits that validate the security of third-party vendors.

EatStreet

What Happened?

According to ZDNet, on May 17, 2019, EatStreet, a popular mobile and online food ordering service, identified that an unauthorized user was accessing partner information since May 3, 2019. Over the two-week period, the malicious users, identified as Gnosticplayers, gained access to EatStreet’s network and began stealing information, such as names, phone numbers, email addresses, and financial information, from the company’s data base, impacting their customers and partners. While there has been no official report on the number of impacted individuals, it is estimated that EatStreet’s data breach affected nearly 6 million individuals.

Lessons Learned from the Data Breach

EatStreet was not the first organization to fall victim to Gnosticplayers, but their data breach can point to one critical lesson that all organizations should consider when it comes to securing their customers’ data: effective monitoring of their organization’s networks. Although Gnosticplayers only had access to EatStreet’s network for two weeks, had EatStreet been monitoring their network more closely, the security incident could have been identified and mitigated more promptly and the impact might have been much less severe.

Riviera Beach, Florida

What Happened?

According to The Palm Beach Post, a Riviera Beach police department employee caused a city-wide data breach after they opened a phishing email causing a ransomware infection that encrypted and locked the city’s files. Impacted systems and services included the city’s email services, billing systems, and water utility pump stations. After initial discussions, the city council voted unanimously to have their insurer pay the ransom of 65 bitcoins or about $600,000. While investigations are ongoing, the Riviera Beach City Council has planned to allocate nearly $1 million to replace its computer systems, including 310 new desktops, 90 laptops, and other hardware.

Lessons Learned from the Data Breach

The Riviera Beach data breach points to a few key lessons all municipal governments must take into consideration. First, humans are always the weakest link, and one employee could cause an entire city to shut down. Does your local government require their employees to undergo regular security awareness training to stay current on cybersecurity best practices? Second, municipal governments must understand the value in implementing robust cybersecurity strategies for when a cyber attack occurs. Finally, local governments must make it a priority to ensure that their critical systems remain up-to-date to decrease the risks of being impacted by a cyber attack.

U.S. Customs and Border Control

What Happened?

In the second major data breach at the DHS this year, the United States Customs and Border Control (CBP) recently announced that it experienced a data breach impacting nearly 100,000 citizens. CBP explained that a malicious hacker compromised a federal subcontractor who stored photographs of travelers and their license plates.

Lessons Learned from the Data Breach

While the name of the federal subcontractor and border crossing location have not been identified, this data breach is a sobering reminder of the risks associated with increased government surveillance and the need for government agencies to protect the data they collect about citizens. For example, in an interview with The Washington Post, Oregon Democratic Senator, Ron Wyden, emphasized, “If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company.”

Whether it’s a government agency or a private healthcare collection’s agency, at KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur – no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.

More Resources

Rebuilding Trust After a Data Breach

Business Continuity and Disaster Recovery Planning Checklist

Incident Response Planning: 6 Steps to Prepare your Organization