Friday Five: 6/21 Edition
A $600,000 ransom is paid, a phishing attack yields more victims than expected, and a trio of university data breaches - catch up on the week's news with this roundup!
1. Three U.S. Universities Disclose Data Breaches Over Two-Day Span by Sergiu Gatlan
It was not a good week for American universities when it comes to cybersecurity, as three institutions had to notify potential victims that their information may have been stolen. Graceland University, Oregon State University, and Missouri Southern State University all fell victim to breaches this year. Information including full names, phone numbers, and addresses, as well as social security numbers and financial aid information, was compromised. Oregon State launched an investigation into its breach and found that over 600 student accounts had been accessed and "used by the attackers to 'send phishing e-mails across the nation.'" All three universities have pledged to allocate more resources and research toward cybersecurity in hopes of avoiding another data breach in the future.
2. Phishing Attack Exposes Data of 645,000 Oregon DHS Clients by Ionut Ilascu
The healthcare industry is notorious for huge data breaches, and Oregon DHS is one of the latest healthcare institutions to be successfully targeted. After nine employees were fooled by phishing emails, the attacker gained access to mailboxes that contained information on 645,000 clients. The initial estimate of individuals impacted was only 350,000, a figure that almost doubled after the agency completed its investigation in partnership with ID Experts. Almost 65% of its client base was affected by the breach, and notifications to that unlucky majority will be sent out starting June 19th. Oregon DHS has tried to ease the burden on victims by setting up an incident call center and providing 12 months of identity theft monitoring and recovery services through the MyIDCare service.
Food bank photo via James Lee's Flickr photostream, Creative Commons
3. GandCrab ransomware shuts down after netting authors billions by Anthony Spadafora
The attackers behind the GandCrab strain of ransomware plan to close up shop after making about $2 billion from ransom payments. GandCrab's operators incorporated jokes and taunts, as well as references to organizations and researchers, into its code; for instance, GandCrab's command and control servers used domain names inspired by organizations known for ransomware research. Other ransomware operations have released decryption keys when they shuttered, but the GandCrab attackers are urging victims to pay to have their files decrypted, warning that the keys will otherwise be deleted by the end of the month.
4. Florida city pays $600,000 to ransomware gang to have its data back by Catalin Cimpanu
A police department employee in Riviera Beach, Florida opened an email on May 29 that exposed the city's systems to ransomware and left its data locked and encrypted. All services except 911 were unable to operate. Riviera Beach was forced to communicate with city residents over the phone, in person, and through posters. City officials decided on June 3 to spend $941,000 on 310 desktop computers, 90 laptops, and the hardware needed to strengthen the city's IT infrastructure. At first, Riviera Beach officials did not intend to pay a ransom to regain access to their data, but because the data had not been backed up, they had no other way of retrieving it. City officials met again on June 17 and voted unanimously to pay the cybercriminals around $603,000.
5. Equifax breach impacted the online ID verification process at many US govt agencies by Catalin Cimpanu
Nearly everyone is familiar with the story of Equifax, the consumer reporting agency that suffered a data breach in 2017, an incident that allowed hackers to gain access to the information of 145.5 million U.S. citizens. Unfortunately, it is still unclear who exactly accessed the data and where it is now. The breach also affected the process that U.S. government agencies use to confirm the identity of U.S. citizens who apply for benefits through online portals. That process, known as identity verification or remote identity proofing, required government employees to make sure that the data provided by a U.S. citizen matched the data held in a credit reporting agency (CRA) database. In 2017, the National Institute of Standards and Technology (NIST) advised government agencies to send an SMS to an individual's phone or have the individual submit a photo ID to a government agency instead of relying on CRA databases for verification. Surprisingly, a report from the GAO found that only two of six government agencies actually follow NIST's guidance. The General Services Administration (GSA) and the Internal Revenue Service (IRS) use an identity verification process that does not require knowledge-based verification for their Login.gov and Get Transcript services. The other agencies eliminated knowledge-based verification for some individuals and either hope to change the process in the future or have no plans at all to stop using knowledge-based verification.