Friday Five: 3/2 Edition
Government data breaches, healthcare software vulnerabilities, and more -- catch up on the week's infosec news with this roundup!
Scores of people - 21,426 Marines, sailors, and even civilians - were impacted this week when an email with an attachment containing their data was mistakenly sent to the wrong email distribution list. According to the Marine Corps Times, which reported on the incident Thursday, the attachment contained a slew of sensitive information: truncated social security numbers, bank electronic funds transfer (EFT) and bank routing numbers, truncated credit card information, mailing addresses, residential addresses and emergency contact information. The email was sent through Defense Travel System (DTS), a travel management system that helps military personnel with setting up trips and settling expenses. The Marines are reportedly working to identify and implement changes to better safeguard personally identifiable information in the wake of the breach.
Dutch technology company Philips sounded the alarm over vulnerabilities in its IntelliSpace Portal imaging software this week, bugs that, if exploited, could let an attacker modify or access data on affected systems or steal authentication credentials. The portals help clinicians at hospitals and integrated health networks visualize and analyze data workflows. The platform is commonly used in radiology, cardiology and oncology departments. While there don't appear to be patches for the issues yet, there are workarounds, something healthcare IT administrators will likely want to implement ASAP.
Troubling news for members of the FS-ISAC, or the Financial Services Information Sharing and Analysis Center, this week. The group, a forum for sharing intel on threats facing the FinServ or financial services sector, sent a letter to members this week admitting that one of its employees was successfully targeted with a phishing attack, something that in turn theoretically opened the door for attacks on other members. Phishing attacks have always been a dime a dozen; as Krebs, who reported the news, notes, "anyone can get phished." The FS-ISAC was already planning on deploying multi-factor authentication across its email platforms, but this incident will apparently quicken that.
4. French News Site L'Express Exposed Reader Data Online, Weeks Before GDPR Deadline by Zack Whittaker and Rayna Stamboliyska
It's a safe bet this won't be the last story of its kind to come out before GDPR goes into effect later this year. Nice scoop by way of ZDNet: Turns out L'Express, a French news site that covers everything from sports to politics, left a MongoDB server containing data on its readers exposed online for anyone to see. While the data wasn't critical (it didn't include passwords or bank details and was "old" according to the site's editor in chief), it still serves as a valuable lesson for the publication, especially now that we're weeks away from GDPR, the General Data Protection Regulation, going into effect.
The true impact of last year's NotPetya ransomware attacks continues to reverberate seven months after the fact. Nuance Communications, a popular embedded speech recognition company headquartered in Burlington, Mass., said this week the attack hit it hard, to the tune of $92 million in revenue. The company announced the news, and said it expects to lose more in 2018, in a 10-Q filing with the Securities and Exchange Commission (SEC) disclosed this week. Container shipping company A.P. Moller Maersk said last August the June attack cost the company as much as $300 million.