Cyber Risk News

We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: Students learn of second data breach from Cardinal Care insurance provider, Ransomware Extortion Threat Actors Post Data from 4 Healthcare Entities, Capital One Warns of More Data Leaked in 2019 Breach, and more.

Healthcare

Accellion data breach strikes more than 2.7 million victims nationwide

Kroger Pharmacy: 1,474,284

Health Net: 1,236,902

Trillium Health Plan: 50,000

Arizona Complete Health: 27,390

Stanford Medicine (Palo Alto, Calif.): Unknown


Trinity Health Of New England alerting patients to January data breach

Santa, a Trinity Health Of New England patient, received a letter alerting him his information may have been stolen during a data breach that took place on January 29, 2021. According to the letter, Trinity Health was notified by Accellion, a third-party vendor, of a security incident involving a file transfer appliance. Those files contained personal information including name, address, email, date of birth, and medical records.

Class-action lawsuit targets Roper St. Francis Healthcare over patient data breach

Charleston, S.C.-based Roper St. Francis Healthcare is accused in a lawsuit of “negligent acts and omissions” that led to a data breach last year compromising patients’ financial and medical information.

Ransomware Corner

Florida School District Hit with ‘Bizarre’ $40M Ransomware Demand

The Fort Lauderdale-based district said it is working with cybersecurity experts “to investigate the incident and remediate affected systems. Efforts to restore all systems are underway and progressing well. We have no intention of paying a ransom.” The district did, after two weeks of back and forth, offer to pay $500,000, at which point the ransomware criminals apparently ended negotiations, according to the hackers’ screenshots.

Ransomware Extortion Threat Actors Post Data from 4 Healthcare Entities

Recent dark web postings of data allegedly stolen from healthcare entities show that ransomware extortion threat actors will continue to target healthcare in 2020.

Avaddon ransomware actors recently published about 2.09GB of data allegedly stolen from New Jersey-based Bridgeway Senior Healthcare, including financial information on the organization and its employees and tax information.

How Misconfigured Amazon S3 Buckets Can Lead to a Ransomware Attack

Recent research from Rhino Security Labs shows that ransomware can be distributed through the cloud via Amazon Simple Storage Service (Amazon S3) buckets. While there may be a variety of ways an attacker can distribute ransomware within an S3 bucket, malicious files top the list as one of the most dangerous methods as they can easily evade detection.

Higher Ed

University of California advises of personal information at risk after cyberattack

“This was part of a national cyberattack involving several hundred institutions across the United States,” the university’s Office of Emergency Management said in an advisory Tuesday, noting that Social Security numbers and bank account information “may be at risk.”

CU Community Advised To ‘Not Respond’ To Hackers In Massive Data Breach

The University of Colorado is learning more about a massive data breach that compromised personal records. It may be the largest in university history. On April 9, the university announced more than 310,000 university records were compromised in the data breach.

Students learn of second data breach from Cardinal Care insurance provider

Personal and medical data from students using Stanford’s Cardinal Care health insurance service — including medical conditions and treatment information — was compromised in a data breach in January.

Tech/Mobile App

LinkedIn: How To Check If Your Details Are Among 500 Million Leaked

A scraping operation that aggregated publicly available data from LinkedIn is understood to have affected more than 500 million site profiles.

Over 1.3M Clubhouse user accounts posted to hacker forum

Posted to a forum and openly visible, the SQL database includes many details about the users of the highly popular audio-based social network. Data from approximately 1.3 million users was scraped and placed into the database.

Public Entity

Washington State educational organizations targeted in cryptojacking spree

US educational organizations are being targeted by threat actors intent on compromising their networks to covertly mine cryptocurrency. Otherwise known as cryptojacking attacks, this form of assault is usually mired in stealth as the overall aim is to quietly install cryptocurrency mining components that leech stolen computational power.

Financial Services

Idaho Central Credit Union Data Breach Class Action Settlement

Class Members may be able to recover up to $20,000 if they can prove their monetary loss was fairly traceable to the data breach.

Capital One Warns of More Data Leaked in 2019 Breach

Capital One is warning additional customers that their Social Security numbers may have been exposed in a massive 2019 breach.

Cryptocurrency

Ledger faces class action from phishing scam victims

Ledger and Shopify (NYSE:SHOP) have been hit by a class-action lawsuit over a major data breach that saw the personal data of 270,000 hard wallet customers stolen between April and June 2020.

Paxful says data breach of ‘third-party supplier’ did not compromise user data

Someone with the username “mafufi” posted the listing around 2AM EST this morning for a price of 1 BTC. They claim to have a database including first name, last name, date of birth, gender, address, phone number, email and passwords of 4.8 million Paxful users and employees.

Legal Updates

Data Breach Class Actions – Eleventh Circuit Finds Allegations of “Increased Risk” of Harm Insufficient to Confer Standing

In Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332, 1339 (11th Cir. 2021), the Eleventh Circuit held that evidence of a “mere data breach” is not sufficient to establish standing where the hackers accessed only credit card information (not personal information) and where the plaintiff did not allege that any class member suffered actual misuse of data.

Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation

Utah is the second state to establish an affirmative defense to claims arising from a data breach. Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls.

Research

U.S. Data Breaches Dropped by 30 Percent in 2020

Breaches went down but costs went up, with an average data breach costing an organization $8.64 million. The number of data breaches in the United States totaled 1,001 cases in 2020, a 32 percent drop year-over-year, according to data compiled by BuyShares.co.uk, a London-based financial educational hub for investors.

EU

Booking.com Hit With $558K Fine For Late Data Breach Report

Amsterdam hotel booking website Booking.com has agreed to pay a fine of €475,000 ($558,000) after waiting nearly a month to tell authorities that cybercriminals had stolen personal data belonging to 4,000 customers, Dutch regulators have said.

Asia Pacific

Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on Hackers forums

According to the hacker who has posted the dump on the hackers’ forum, the database contains 773,000 records with personal data of the users.


Vol. 231 – April 21, 2021


© 2021 NetDiligence All Rights Reserved.