Friday Five: 10/12 Edition
New statistics on breached data in 2018 so far, HIPAA compliance or lack thereof, and a report on Pentagon security. Catch up on the week's news with this roundup!
1. 6 Months, 945 Data Breaches, 4.5 Billion Records by Ed Targett
We love looking at reports that boil down numbers around breached, stolen, or absconded data here, and this story fits that mold to a 'T.' According to a study released this week by Gemalto, the world's largest manufacturer of SIM cards, there were 945 data breaches, totaling 4.5 billion records, in the first half of this year. That works out to 291 records exposed every second. According to Computer Business Review, a U.K. publication that looked at the report, the data runs the gamut, from medical, credit card, and financial to personally identifiable information. Only one percent of it was encrypted. Don't have time to read the blog? Check out this handy infographic, released in tandem with the post.
2. New U.S. Weapons Systems Are a Hackers' Bonanza, Investigators Find by David E. Sanger and William J. Broad
The U.S. Department of Defense has some work to do when it comes to securing its networks from attackers. That's per a fairly critical report issued this week by the Government Accountability Office, a government watchdog that's part of Congress. The report, released Tuesday, described how a red team of GAO hackers was able to leverage a series of security holes in the Pentagon's systems to take them over. According to the rather bluntly titled report, "DOD Just Beginning to Grapple with Scale of Vulnerabilities," in one scenario it took just two people an hour to gain access to a weapon system and another day to gain control of the system they were testing. The New York Times, which reported on the news Wednesday, said the teams discovered that many systems either had easy-to-crack passwords or had "few protections against 'insiders' working on elements of the programs."
3. Escaping Notice, by Laying Low by Matt Fisher
Great read here via Matt Fisher, a member of Mirick O'Connell's Health Law Group, a Massachusetts-based law firm, on HIPAA violations and the growing rift between fines and publicly reported breaches. The post was prompted by a databreaches.net blog about the Office of Civil Rights and its sometimes lackadaisical response to breaches at small and medium-sized healthcare entities. The post asks a lot of good questions, chief among them: Should the OCR be launching more enforcement actions? You'll have to read the blog to get Fisher's take, but for what it's worth, one of my favorite lines from the blog is: "Pushing punitive action can result in a climate based upon fear and could further drive entities to brush incidents under the rug in the hopes that no one will ever find out about the issue."
4. WhatsApp fixes bug that let hackers take over app when answering a video call by Catalin Cimpanu
Feels like this story flew under the radar this week, but a big fix for WhatsApp recently arrived, thanks to some sleuthing by Google's Project Zero. Natalie Silvanovich, a researcher with the group, discovered a memory corruption bug in the app that could let an attacker take over the app just by placing a call. The bug stemmed from how the app uses the Real-time Transport Protocol, or RTP, for video conferencing. Facebook, which owns WhatsApp, says it fixed the issue and doesn't believe it was exploited. Still, it's a fascinating proof of concept.
5. Gold Coast Health Plan warns of data breach
Upwards of 37,000 Ventura, Calif.-area residents should soon expect a letter notifying them that their data might have been breached. Gold Coast Health Plan, a health plan provider based in Camarillo, Calif. (not the coastal city in Australia), said this week that one of its employees fell victim to a phishing email attack back in June, which gave an attacker access to the employee's email account and, in turn, access to data on health plan patients. According to VC Star, a Ventura-area USA Today newspaper, the breached data included health plan ID numbers, dates of medical service, and in some cases, names, dates of birth and medical procedure codes. One way to combat phishing attacks is via simulated phishing exercises that test whether employees open links and file attachments.