McDonalds, Wegman’s, medical industry victimized by data breaches
McDonald’s Gets Bit
The fast-food giant was hit with a data breach early last month, and the Wall St. Journal reported that the attackers were able to obtain contact information for US employees and franchises, as well as customer data in Taiwan and South Korea. In a statement made by the company, McDonald’s said that they were able to “quickly identify and contain recent unauthorized activity on our network”, but they have not released any further details about how the hack actually occurred. There was no specific information given regarding when the breach occurred versus when it was detected and halted.
Elekta health bandages wounds
From Providence to Chicago to Reno, patients nationwide have been affected by an attack on the Swedish medical company named Elekta. Elekta makes applications and equipment for cancer therapies, and on April 6th of this year, they saw their cloud server breached by hackers. Roughly 300,000 users across 42 unique health systems were victimized by the breach, and the company’s public response was issued 20 days after the attack, on April 26th.
Clean up on aisle: Wegman’s
On June 21st this year, the grocery chain disclosed that two of their databases had been breached and that emails and passwords were stolen by hackers. In mid-April, an independent security researcher informed them of a server misconfiguration vulnerability, and Wegman’s then hired a security firm to investigate the incident further and correct the configuration issue. The data thieves that made use of the vulnerability were able to access customer names, email addresses, passwords, home addresses, birth dates, and their Wegman’s unique shopper IDs. According to the company, the passwords were hashed and salted properly, meaning the risk of password cracking by the thieves is minimal.
What “hack”-ens in Vegas, ends up on the Dark Web
The Associated Press reported that a hospital in Las Vegas, NV was targeted by the infamous ransomware group known as REvil, which exfiltrated data that included highly sensitive pictures of driver’s licenses and passports of the hospital’s patients and employees. The attackers posted a handful of the pictures on their website as proof, and the hospital system confirmed the breach occurred in mid-June. The hospital is still working with local authorities to determine the origin and scope of the breach; so far it has only confirmed that there was unauthorized access to the impacted server. REvil has hit several targets within the medical industry this year and is a major player in the Ransomware-as-a-Service (RaaS) marketplace.
Who is your primary ransomcare provider?
Late last year, the Mississippi Center for Advanced Medicine (MCAM) was also hit with ransomware. MCAM hired a consulting firm to determine the entry point of the malicious code, and in mid-April was told by the consultants that the attackers had breached “an internal server containing documents about its programs, services, and some personal patient information”, including medical history and Social Security Numbers. MCAM’s public disclosure to affected parties was released on June 23rd, six months after the breach had occurred.
Maximus “Oh really? Us?”
Earlier this year, a Medicaid contractor in Ohio named Maximus, Inc. was targeted by hackers, potentially revealing the personal information of over 300,000 healthcare providers. According to the HIPAA Journal, the information accessed included names and dates of birth, as well as Social Security and DEA numbers. Maximus was made aware of the breach and stopped the attack on May 19, just two days after it began. The public dissemination of information about the breach was made on June 18.
6-Pack Tasting Notes
A disturbing trend seen throughout the Beers on Breaches series is that companies oftentimes are hit with attacks, find a way to mitigate the attacks, then wait as long as possible before releasing the information publicly. Within the EU, GDPR protections require companies to notify the relevant regulatory agencies of a breach within 72 hours of discovery, and now in the US, Senator Mark Warner (D-VA) has released his draft of a similar bill that would require entities to disclose breaches to CISA within 24 hours.
There are no consumer notifications outlined in the Senator’s bill, and the GDPR does not require affected users to be notified in most circumstances. Users shouldn’t have to find out about breaches from websites like “Have I Been Pwned”; responsible disclosure goes both ways.