Jun 18 2019

Kelly Brennan reports:

The personal information of 160 Temple University students was exposed after an employee accidentally uploaded a document containing information like dates of birth, cell phone numbers and passport information to a public university website.

An employee in Temple’s Risk Management office uploaded the document to the Temple University Travel Registry Site on March 22 where it was public for about three weeks before it was taken down, said Larry Brandolph, Temple’s chief information security officer and vice president of Computer Service and Infrastructure.

Affected students were notified on May 22 that their names, passport numbers, issuing passport country, passport issue date, dates of birth, travel dates and cell phone numbers were exposed on the website.

Read more on Temple News.

Jun 17 2019

Alfred Ng reports:

Multiple government agencies are relying on a security measure that can be easily bypassed thanks to massive breaches like the Equifax hack, the US Government Accountability Office has found. In a report released Friday, the government watchdog group found that the US Postal Service, the Department of Veterans Affairs, the Social Security Administration and the Centers for Medicare and Medicaid Services have still been using “Knowledge-Based Verification” to make sure people who apply for benefits online are authentic.

This verification method asked applicants questions like their date of birth, Social Security numbers and addresses, assuming that only the applicant would have that information. But in Equifax’s breach in 2017, that information had been stolen from 145.5 million Americans, rounding out to more than half the US population.

Read more on CNET.

Jun 15 2019

Zach Clemens reports that Estes Park Health suffered a ransomware attack on June 2. No data was exfiltrated, but it was locked up, and after consulting with their cyberinsurer and IT people, they decided that they had to pay the ransom.

“At that point in time we are looking at the patients we have internally, we are looking at what is coming through the door and monitoring everything that was going on,” Leaming said.

And THAT’s what people who are not in healthcare don’t “get” when they blithely just advise entities to never pay ransom. If you are a healthcare facility you have to try to determine whether you can protect patient safety and health if you don’t pay the ransom. If your computer system got locked up but you have usable backups, then you are in a different situation than if your computer system was locked up and you’re the trauma center for your region.

“I think it is important to say that likely the only way to restore the software in the clinic and the only way we were able to restore the imaging and so forth is because our insurance company paid the ransom money and we were able to get the keys to unlock those files,” Leaming said.

Leaming did not mention having usable backups, and that is something that I expect the insurer asked about and that OCR will ask about.

EPH had to pay a $10,000 deductible to the insurance company for their payment of the ransom. Yet Leaming did say that an initial amount was paid, and as they were unlocking files, they found more locks, which they had to go back and pay the hackers more.

It is not clear how much they paid, total. Nor do they reveal the type of ransomware used.

Read more on the Estes Park Trail-Gazette.

Jun 14 2019

Corey Vallas reports N.E.O. Urology in Boardman, Ohio paid attackers $75,000 after their computer systems were encrypted by ransomware.

Police say the fax listed “Pay4Day.io” as the contact for further information.

Read more on WFMJ.

There is no notice on the medical practice’s web site as of the time of this posting, but it’s interesting that the practice decided to pay the ransom as it was losing $30k – $50k per day that it was unable to access its system. At that rate, it would have been much more costly not to pay the ransom — assuming (and it’s a big assumption) that: (1) the hackers provide a working decryption key and (2) they don’t come back and strike again.

Jun 14 2019

Sue Dremann reports the follow-up on a hack that occurred in 2015 and that was previously reported on this site.

The 36-year-old man who hacked and temporarily shut down Palo Alto Online and other Embarcadero Media websites nearly four years ago was sentenced Wednesday in San Jose federal court to time already served, one year of home incarceration with electronic monitoring, three years of supervised release and $27,130 in restitution to the company.

Read more on Palo Alto Online. Dremann provides a lot of details about the case, including why sentencing had been delayed.