Commentary: What Constitutes Negligence in Company Data Breaches?

 Posted by at 2:49 pm  Breach Incidents, Commentaries and Analyses, Hack, Health Data
Sep 182018
 

Amy L. Hanna Keeney of Adams and Reese writes about an opinion in a court case that stemmed from one of TheDarkOverlord’s hacks: their attack on Athens Orthopedic Clinic (AOC). I had covered that breach extensively, including commenting on the fact that AOC did not offer any free services to patients whose data had not only been stolen, but had either been publicly dumped on Pastebin and/or reportedly put up for sale on dark net markets.

As Keeney explains in her article, only one of three named plaintiffs in Collins, et al. v. Athens Orthopedic Clinic actually alleged that they had actually experienced fraudulent charges on any of their accounts, and the complaint didn’t actually claim that the fraud had a causal connection to the hack. Basically, the plaintiffs were alleging that they incurred the cost of identity theft protection, credit monitoring, and credit freezes.

Together, the plaintiffs filed a putative class action alleging (1) violation of the Georgia Uniform Deceptive Trade Practices Act by AOC; (2) breach of an implied contract with AOC; (3) unjust enrichment of AOC; and (4) negligence by AOC.

AOC responded to plaintiffs’ complaint by filing a motion to dismiss pursuant to both O.C.G.A. §§ 9-11-12(b)(1) and 12(b)(6).

Disappointingly to privacy advocates, the court held that just an increased risk of harm was not sufficient to grant the plaintiffs standing.

The court explained, “[w]hile credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us, because the plaintiffs seek only to recover for an increased risk of harm.”

The trial court’s dismissal of plaintiffs’ complaint was affirmed.

That conclusion seems straightforward, right? Not quite. There are two aspects of the Collins opinion that either diminish its usefulness or give you hope, depending on which side of this battle you favor.

Read more on Daily Report.

From my perspective, the decision is an unfortunate one that once again fails to appreciate the harm and costs patients and consumers incur from a breach.

MI: Holland Eye Surgery & Laser Center notifies 42,200 patients about 2016 hack

 Posted by at 9:32 am  Breach Incidents, Hack, Health Data, Of Note, U.S.
Jun 022018
 

After his victim allegedly didn’t respond to his repeated demands for a “security fee,”  a hacker accuses the victim of covering up a hack for almost two years. 

One of the breaches added to HHS’s public breach tool this past week is a breach reported by Holland Eye Surgery and Laser Center in Michigan. The incident is noted on HHS’s breach tool as a hack affecting 42,200 patients.  But according to the self-identified hacker, there’s more to this story than the covered entity has disclosed.

In early April, DataBreaches.net was contacted by a hacker who had contacted this site in the past about a hack of a dental practice. He is known to this site as “Lifelock,” and signs his communications as “Todd Davis,”  aka “Lifelock.” After his first contact with this site in the Yaley case, DataBreaches.net did find him on some dark web markets as Lifelock, selling identity information and “fullz.”

According to Lifelock’s statement to this site: in June, 2016, he hacked Holland Eye Surgery & Laser Center in Holland, Michigan. He then reportedly contacted them and demanded a “security fee” of $10,000.00 for helping them secure their patient data. As he related it to this site:

I invoiced them a fee of 10000 USD a fair payment for my time and to help them secure their data. They turned off access immediately to the RDP server so I know they received communications from me. Over the course of weeks I requested them to pay my invoice to secure their patient data. They never once acknowledged me. But I am very persistent and communicate with staff members, faxes and all means where i can verify delivery. These pricks want to cover up the incident.

When the doctors didn’t pay his “security fee,” he claims he followed through on a threat he had made:  he began selling small amounts of their patients’ data on the dark web – first on AlphaBay, and then later on, on TradeRoute. He claims that each time he did, he informed or taunted the doctors that he was selling their patients’ information.

According to his statements to this site, Lifelock sold more than 200 patients’ information, but still,

the practice did not inform Michigan or HHS authorities that the data had been breached. Their patients had no fair warning that the data had been breached. I setup banks for dirty money transfers in these peoples names, my buyers used them for identity protection for when arrested, and to make cell phone accounts to purchase 5 iphones at a time from Verizon, ATT et al.

I have contacted the practice at least 30 times over the past 2 years to do the right thing for their patients.

As part of the proof he provided to this site, Lifelock included two databases: one called patients.csv, with 202,163 records and one called person.csv, with 42,229 records.  The files are date-stamped June 26, 2016. Holland Eye’s report to HHS seems to correspond to the number of patients in the person.csv file, but it is not clear what happened to all the people who had data in the patients.csv file. That database has names, addresses, insurance information, and some other fields. DataBreaches.net sent an inquiry to Holland Eye’s external counsel asking for an explanation on that point, but did not receive an immediate response. This post will be updated if an explanation is received. UPDATE of June 4: Lawyers for Holland Eye responded to this site’s inquiry: “We investigated the patients.csv file you have a copy of and determined that there is not anyone in it who was not also in the person.csv file. The patients.csv file merely has more than one line item for many individual patients. In short, these people were included in the report to HHS.”  DataBreaches.net appreciates their clarification.

In any event, according to Lifelock, in March of this year, Lifelock contacted the doctors yet again, and also contacted the mayor of Holland, Michigan, Nancy De Boer. Shortly after those unsuccessful attempts, he contacted DataBreaches.net, claiming that his goal was now to get the patients notified and the doctors exposed and shamed for allegedly covering up the breach:

Please find a way to let the people of Holland know that they have been breached and that the people who swore a hippocratic oath to do no harm, have done them immense harm. Further that the people who are supposed to be in charge do not have their best interests in mind and would rather suckle the cocks of the rich Dutchmen rather than inform the common rabble of their plight.

The reference to “people in charge” appears to be a response to his attempt to get a response from Mayor De Boer. According to Lifelock, when he contacted her in March:

She did not respond until I opened multiple lines of credit in her name, utility accounts, EIN’s, etc… She did respond, and appeared to take the breach seriously, but her motive was to find my identity rather than help the people of her town. She used a silly technique of embedding a tracking image to try and find me.

On May 16, after confirming that the breach had never been reported to HHS or the state of Michigan, DataBreaches.net sent Holland Eye Surgery a detailed message about the hacker’s claims with a request for a response.

On May 18, two days later and almost 60 days after they claimed to have first learned of the breach, the practice issued a media notice in the Holland Sentinel.

In that notice, they claim that they first learned of the breach on March 19, 2018 when they were contacted by someone claiming to be a pentester who informed them that he had their patients’ data and had sold some of it.

External counsel for the doctors later confirmed to DataBreaches.net that the “pentester” signed his communication in March as “Todd Davis.”

Notice of May 18 in Holland Sentinel. Courtesy of Holland Sentinel.

According to their media notice, then, although the practice appears to acknowledge that they had been hacked in 2016 and that the hacker was in possession of their patient data, they claim that the hacker “concealed the extent of his or her access until the recent email communications in March 2018.”  That, of course, is disputed by Lifelock’s claims, but this site has no proof of his claims as to any contacts prior to March, 2018. When asked for proof of any early emails, Lifelock had replied:

Unfortunately my original communications to HE have been deleted when sigaint.org went down. I normally delete communications frequently as I am not wanting to have excess evidence should Europol\RCMP\ICR\Scotland Yard et al kick in my door one day. My normal intent is not journalism unfortunately. I will look to see if I can find old email addresses I used and see if there is any evidence. Some email addresses as you can imagine get eliminated for TOS abuses. Sadly Gmail doesn’t like its services to be used for extortion schemes.

Lifelock never provided any additional evidence after that communication. That said, the doctors’ version makes little sense to this blogger, while Lifelock’s version does make sense.

Why would a hacker hack them in June, 2016 and then wait almost two years to first contact them with a (“security fee”) demand? Lifelock’s claims that he hacked them, promptly tried to extort them for a “security fee,” and then upped the pressure on them (or tried to) by selling patient data and letting them know that he was doing that makes a lot more sense, and we’ve certainly seen that scenario before.  TheDarkOverlord (TDO) frequently used such methods – releasing small amounts of patient information or claiming to have sold it – to increase pressure on their victims.

So… is this site being gamed by Lifelock to seek revenge on a reluctant victim or to send a message to other victims to pay up or face public exposure? Perhaps, but if his claims are true, then the doctors covered up a breach for almost two years and knowingly left their patients at risk.  But are his claims true? This site has no evidence or confirmation of the crucial claim that Holland Eye first became aware that they had been breached in June, 2016. Perhaps that is something that OCR should investigate.

DataBreaches.net contacted the Holland Police with a freedom of information request for the police report and any associated records, but has received no response as yet.  This site also contacted Mayor Nancy De Boer’s office to request a statement, but did not get any response.

Holland Eye’s media notice makes clear that they have contacted patients whose Social Security number was involved and offered them credit monitoring services. They have provided all patients with advice on how to protect themselves and to check their statements for signs of information misuse. And as noted at the outset of this report, they have notified HHS.

This post will be updated if more information becomes available.

So was TheDarkOverlord really arrested?

 Posted by at 2:29 pm  Commentaries and Analyses, Hack
May 182018
 

Over the past few days, I’ve been asked by many people what I think about reports that Serbian police arrested a member of TheDarkOverlord. Some journalists seem to be going even further and reporting that multiple arrests have been made.

I’ve said repeatedly and will repeat it here: I don’t know who did get arrested, but I do not believe reports and rumors by others suggesting that all operators have been arrested.  And there is no way I will believe that Grant West (“Courvoisier”) was/is any core part of TDO (or any part at all, for that matter) unless I see a lot of proof.  The idea of TDO putting a red laptop on a shelf in a train? Absurd. TDO spending a ton of money on a Las Vegas trip? Equally absurd, I think. Yes, Nathan Wyatt (“Crafty Cockney”) was affiliated with them, but I knew what he did for them and reported on him in the past.

So who was arrested in Serbia, and what, if anything, was/is his connection to TheDarkOverlord? Why hasn’t the FBI issued a press release?

But here’s the thing that makes me wonder whether they have been compromised: I do not know why TDO would email Joe Cox and Jeremy Kirk that they’re still standing but never get in touch with this site. Have they lost control of the account they used to contact this site? Or are they impostors who are afraid I would spot them as impostors? Could law enforcement be tweeting and sending their recent tweets and emails?

The writing of the tweets certainly looks like TDO’s, but it would be nice to see TDO actually authenticate themselves to me. There are non-public facts they should know that they can use to authenticate themselves if they want to. If they don’t want to, that’s their right, of course, but it’s puzzling that they wouldn’t contact this site, when it’s been this site that has published    proof when they wanted proof published.

Member of TheDarkOverlord arrested — reports

 Posted by at 8:09 am  Breach Incidents, Hack, Of Note
May 162018
 

There are reports in the news this morning that a member of TheDarkOverlord has been arrested by Serbian police. These are translations via Google, and I do not see any report yet naming the arrestee or a photo, but…

Serbian police arrested SS (1980) from Belgrade suspected of being one of the hackers from the group “The Dark Overlord”. The group is suspected of stealing personal information from US citizens and then blackmailing them.

SOURCE: https://www.krik.rs/beogradanin-uhapsen-kao-haker-vrhovnog-gospodara-tame/

Another source (translation):

Members of the MUP have identified and detained SS (38) from Belgrade, suspected of being one of the members of the hacking group “The Dark Overlord”.

The search of the apartment and other premises suspected to use has been found and seized digital equipment.

SOURCE: https://dnevnik.hr/vijesti/svijet/akcija-fbi-ja-u-beogradu-uhicen-haker-clan-grupe-vrhovni-gospodar-tame-koja-je-krala-podatke-i-ucjenjivala-zrtve—517309.html

Note:  The European convention is to provide initials and age, so the arrestee in this case is S.S., born in 1980 (age 38).

 

SOURCE: https://www.b92.net/info/vesti/index.php?yyyy=2018&mm=05&dd=16&nav_category=16&nav_id=1393096

H-E Parts Morgan hacked – TheDarkOverlord

 Posted by at 11:48 am  Business Sector, Hack
Mar 162018
 

In July, 2013,  H-E Parts International, a manufacturer of aftermarket parts and components for the mining industry, acquired The Morgan Group. Morgan already had an established reputation for servicing the mining, oil, and gas industries.

Together, H-E Parts International Morgan grew as a global corporation with offices in Canada, Chile, Australia, China, Peru, and throughout the  United States.

Unfortunately for them, however, they appear to have become a multinational victim of the criminal hackers known as TheDarkOverlord (TDO).  In an encrypted chat with this site, a spokesperson for TDO claimed that they had obtained all of H-E Part Morgan’s files – “everything.”

[DataBreaches.net refers to TDO in the plural as it appears there is more than one person involved, and TDO claims to be more than one person.]

DataBreaches.net does not know exactly when H-E Parts Morgan first became aware that they had been hacked, but the hack appears to have occurred – at least in part – in November.

As of today, however, DataBreaches.net has found no indication that there has been any public disclosure of the breach or notification to those affected. Two of the states in which the firm has offices – Montana and Washington – make breach reports submitted to the state publicly available on their websites, but there is currently no notification from H-E Parts Morgan on either site. Does the firm have any employees in those states? It would seem likely that they do, but have the employees been notified that TDO acquired their personal information?  If not, will they be notified? Or does H-E Parts Morgan dispute TDO’s claim that they acquired personnel information on U.S. employees?

H-E Parts Morgan did not respond to multiple inquiries from this site.

When asked whether H-E Parts Morgan definitely knew that they had been hacked, and whether they had actually responded to any contacts or extortion demands by TDO, a spokesperson for TDO reported that the firm definitely knew, and that one executive had responded to them, “Fuck you.”

As more objective proof of the hack, DataBreaches.net was provided a 1.4 GB sample of documents exfiltrated by TDO in November. The screenshot below shows the directory and filenames of just some of the files:

Some of the files were password-protected, such as a file containing emergency contact information. Other files contained records of orders and other business operations and finances.

I suspect regular readers of this site realize that the mining industry is not one of my personal priorities or interests. I do not know how large the extortion demand was that H-E Parts Morgan allegedly refused to pay, but once again I found myself wondering about the similarity between TDO’s methods and those of a group of hackers that Mandiant has called FIN10. And I wish I could offer readers some brilliant insight or definite answer as to whether there is a relationship between the two entities,  but alas, I can’t. Once again, I have questions but no answers.

But the bottom line of this particular post is that H-E Parts Morgan was hacked and so far, there does not appear to have been any public disclosure or notice of that.  If employees weren’t notified, were any clients notified, or did the firm assess risk and decide that no client notification was required? And apart from any notification requirements in the U.S., does this claimed hack trigger any notification or disclosure requirements in Canada or the other countries where they have a presence?

TDO’s spokesperson offered no clue as to what, if anything, the hackers might do with the data they exfiltrated.

 Older Entries