We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: Students learn of second data breach from Cardinal Care insurance provider, Ransomware Extortion Threat Actors Post Data from 4 Healthcare Entities, Capital One Warns of More Data Leaked in 2019 Breach, and more.
Healthcare
Accellion data breach strikes more than 2.7 million victims nationwide
Kroger Pharmacy: 1,474,284
Health Net: 1,236,902
Trillium Health Plan: 50,000
Arizona Complete Health: 27,390
Stanford Medicine (Palo Alto, Calif.): Unknown
Trinity Health Of New England alerting patients to January data breach
Santa, a Trinity Health Of New England patient, received a letter alerting him his information may have been stolen during a data breach that took place on January 29, 2021. According to the letter, Trinity Health was notified by Accellion, a third-party vendor, of a security incident involving a file transfer appliance. Those files contained personal information including name, address, email, date of birth, and medical records.
Class-action lawsuit targets Roper St. Francis Healthcare over patient data breach
Charleston, S.C.-based Roper St. Francis Healthcare is accused in a lawsuit of “negligent acts and omissions” that led to a data breach last year compromising patients’ financial and medical information.
Ransomware Corner
Florida School District Hit with ‘Bizarre’ $40M Ransomware Demand
The Fort Lauderdale-based district said it is working with cybersecurity experts “to investigate the incident and remediate affected systems. Efforts to restore all systems are underway and progressing well. We have no intention of paying a ransom.” The district did, after two weeks of back and forth, offer to pay $500,000, at which point the ransomware criminals apparently ended negotiations, according to the hackers’ screenshots.
Ransomware Extortion Threat Actors Post Data from 4 Healthcare Entities
Recent dark web postings of data allegedly stolen from healthcare entities show that ransomware extortion threat actors will continue to target healthcare in 2020.
Avaddon ransomware actors recently published about 2.09GB of data allegedly stolen from New Jersey-based Bridgeway Senior Healthcare, including financial information on the organization and its employees and tax information.
How Misconfigured Amazon S3 Buckets Can Lead to a Ransomware Attack
Recent research from Rhino Security Labs shows that ransomware can be distributed through the cloud via Amazon Simple Storage Service (Amazon S3) buckets. While there may be a variety of ways an attacker can distribute ransomware within an S3 bucket, malicious files top the list as one of the most dangerous methods as they can easily evade detection.
Higher Ed
University of California advises of personal information at risk after cyberattack
“This was part of a national cyberattack involving several hundred institutions across the United States,” the university’s Office of Emergency Management said in an advisory Tuesday, noting that Social Security numbers and bank account information “may be at risk.”
CU Community Advised To ‘Not Respond’ To Hackers In Massive Data Breach
The University of Colorado is learning more about a massive data breach that compromised personal records. It may be the largest in university history. On April 9, the university announced more than 310,000 university records were compromised in the data breach.
Students learn of second data breach from Cardinal Care insurance provider
Personal and medical data from students using Stanford’s Cardinal Care health insurance service — including medical conditions and treatment information — was compromised in a data breach in January.
Tech / Mobile App
LinkedIn: How To Check If Your Details Are Among 500 Million Leaked
A scraping operation that aggregated publicly available data from LinkedIn is understood to have affected more than 500 million site profiles.
Over 1.3M Clubhouse user accounts posted to hacker forum
Posted to a forum and openly visible, the SQL database includes many details about the users of the highly popular audio-based social network. Data from approximately 1.3 million users was scraped and placed into the database.
Public Entity
Washington State educational organizations targeted in cryptojacking spree
US educational organizations are being targeted by threat actors intent on compromising their networks to covertly mine cryptocurrency. Otherwise known as cryptojacking attacks, this form of assault is usually mired in stealth as the overall aim is to quietly install cryptocurrency mining components that leech stolen computational power.
Financial Services
Idaho Central Credit Union Data Breach Class Action Settlement
Class Members may be able to recover up to $20,000 if they can prove their monetary loss was fairly traceable to the data breach.
Capital One Warns of More Data Leaked in 2019 Breach
Capital One is warning additional customers that their Social Security numbers may have been exposed in a massive 2019 breach.
Cryptocurrency
Ledger faces class action from phishing scam victims
Ledger and Shopify (NYSE:SHOP) have been hit by a class-action lawsuit over a major data breach that saw the personal data of 270,000 hard wallet customers stolen between April and June 2020.
Paxful says data breach of ‘third-party supplier’ did not compromise user data
Someone with the username “mafufi” posted the listing around 2AM EST this morning for a price of 1 BTC. They claim to have a database including first name, last name, date of birth, gender, address, phone number, email and passwords of 4.8 million Paxful users and employees.
Legal Updates
Data Breach Class Actions – Eleventh Circuit Finds Allegations of “Increased Risk” of Harm Insufficient to Confer Standing
In Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332, 1339 (11th Cir. 2021), the Eleventh Circuit held that evidence of a “mere data breach” is not sufficient to establish standing where the hackers accessed only credit card information (not personal information) and where the plaintiff did not allege that any class member suffered actual misuse of data.
Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation
Utah is the second state to establish an affirmative defense to claims arising from a data breach. Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls.
Research
U.S. Data Breaches Dropped by 30 Percent in 2020
Breaches went down but costs went up, with an average data breach costing an organization $8.64 million. The number of data breaches in the United States totaled 1,001 cases in 2020, a 32 percent drop year-over-year, according to data compiled by BuyShares.co.uk, a London-based financial educational hub for investors.
EU
Booking.com Hit With $558K Fine For Late Data Breach Report
Amsterdam hotel booking website Booking.com has agreed to pay a fine of €475,000 ($558,000) after waiting nearly a month to tell authorities that cybercriminals had stolen personal data belonging to 4,000 customers, Dutch regulators have said.
Asia Pacific
Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on Hackers forums
According to the hacker who has posted the dump on the hackers’ forum, the database contains 773,000 records with personal data of the users.