shutterstock_490960141-1

Industry News: ESG5

      Know Your Breach: Ernst & Young

      The Target: Sixty-two clients of Big Four accounting firm Ernst & Young

      The Take: 3 terabytes of critical information about Ernst & Young clients including financial reports and accounting documents in client folders, passport scans, Visa scans, risk and asset management documents, contracts and agreements, credit agreements, audit reports and account balances.

      The Vector: The hacking campaign came to light after the Russian-speaking cybercrime group Clop began targeting a previously unknown vulnerability in MOVEit around May 27 and May 28.

      This breach highlights the extreme importance of timely software updates for known software vulnerabilities, not only in systems directly under a firm’s control, but in third-party systems the firm relies upon as well. The longer a firm, or its vendors, hold out on deploying the most up-to-date software for their systems, the greater the chance an attacker will exploit the issue.

      Read more...

      Know Your Breach: HCA Healthcare

      The Target: U.S. healthcare giant HCA Healthcare, an American for-profit operator of healthcare facilities that was founded in 1968.

      The Take: Patient names; address data, such as city, state and ZIP code; patient email addresses; phone numbers; dates of birth; gender; and patient service dates, such as locations, and details about next appointments.

      The Vector: DataBreaches.net first reported the seller’s forum post on July 5, in which the seller claimed to have 27 million rows of information. Some of the column headers in the stolen file include data that HCA says was stolen, such as names, gender and dates of birth.

      This breach is a stark reminder of how important authentication controls are in an overall robust cybersecurity posture. In particular, the information exposed here is perfect for crafting highly believable phishing campaigns as it would allow push notifications. 

      Read more...

      Know Your Breach: Senior Choice, Inc.

      The Target: Senior Choice, Inc., which manages and does business as three (3) residential facilities, The Atrium (216 Main Street, Johnstown, PA 15901), Beacon Ridge (1515 Wayne Ave, Indiana, PA 15701), and The Patriot (495 W Patriot St, Somerset, PA 15501).

      The Take: Personal information including names and dates of birth, medical information including diagnosis and treatment information.

      The Vector: There is evidence that unauthorized actors accessed some internal systems used for business operations during the period between April 18, 2023, and April 24, 2023.

      This breach is a stark reminder of how important authentication controls are in an overall robust cybersecurity posture, and more critically, ensuring these controls are in place on all third-party vendors which have access to a firm’s data. 

      Read more...

      Know Your Breach: CalPERS

      The Target: California’s Public Employees' Retirement System, the largest public pension fund in the U.S., managing more than $477 billion in assets for over 1.5 million public employees, retirees, and their families in California.

      The Take: First and last names; dates of birth; and social security numbers. It could have also included the names of former or current employers, spouse or domestic partner, and child or children.

      The Vector: The organization said that it was informed on June 6 by a third-party vendor – PBI Research Services/Berwyn Group – that data was accessed by hackers exploiting the MOVEit file transfer tool.

      This breach serves as a reminder of the risks associated with third-party vendors and highlights the need for stringent security measures and oversight when handling sensitive customer information.

      Read more...

      Know Your Breach: Intellihartx

      The Target: Intellihartx, a company providing patient balance resolution services to hospitals.

      The Take: Personal information of roughly 490,000 individuals, including names, addresses, insurance data and medical billing, diagnosis and medication information, birth dates, and Social Security numbers.

      The Vector: The cyberattack exploited a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer software. Tracked as CVE-2023-0669 and leading to remote code execution, the flaw had been exploited starting January 28.

      This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.

      Read more...

      Know Your Breach: Scranton Cardiology

      The Target: Scranton Cardiology

      The Take: Exposure of Personally Identifiable Information including: full names, physical addresses, dates of birth, social security numbers, driver’s license, passport numbers, credit card and bank number details, and some medical information.

      The Vector: The breach occurred through a “brute-force” attack where the threat actor uses a program to sequentially try every combination to a password protected system.

      This breach is a critical reminder of standards and processes around password hygiene. Length and complexity for passwords, no matter where in a firm’s system they are set, is crucial for a robust overall cyber-security posture. When attackers gain access to legitimate employee credentials, they can act with all the permissions and privileges belong to the user.  

      Read more...

      Know Your Breach: Neho

      The Target: Neho, a Swiss-based online real estate agency.

      The Take: Exposure of sensitive login credentials to Neho’s systems, potentially allowing attackers full access to databases, source-code, configuration profiles and more.

      The Vector: A misconfiguration on Neho’s website exposed login credentials to their systems to the public, allowing anyone with internet access who obtained these credentials to login as an authenticated Neho user.

      This breach is a critical reminder of how important access control is for overall cybersecurity. If an attacker obtains access to vetted credentials, they can pivot their movements into possibly every system belonging to the firm, making the attack an order of magnitude more deadly. Safe and secure storage of login credentials is essential to protecting a firm and their customers.

      Read more...

      Know Your Breach: Toyota

      The Target: Toyota, a Japanese car manufacturer

      The Take: Two cloud databases exposed Personally Identifiable Information including: physical address, name, phone number, email address, customer ID, vehicle registration number, and vehicle identification numbers.

      The Vector: Several misconfigured cloud databases were left open and unsecured with no password, meaning anyone with an internet connection could have downloaded the data.

      Securing access to databases through rigorous password hygiene is an essential component of security, and cloud databases are no exception. Furthermore, the data stolen in this attack can be used for crafting highly effective automotive-based phishing attacks. Regular security compliance reviews can help prevent these breaches.

      Read more...

      Know Your Breach: NextGen Healthcare

      The Target: NextGen Healthcare, a U.S based maker of electronic records software and management services.

      The Take: Exposure of 1 Million records of Personally Identifiable Information including: names, addresses, dates of birth, and social security numbers.

      The Vector: An employee’s credentials were compromised through a credential stuffing attack. These breaches rely on employees reusing passwords between platforms, which allowed the attackers to login to NextGen systems.

      This breach is a stark reminder of how important authentication controls and password hygiene are in an overall robust cybersecurity posture. Regular social engineering, phishing awareness training, and in this case, tightly enforced password and identity management, are effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.

      Read more...

      Know Your Breach: Brightline

      The Target: Brightline, a pediatric mental and behavioural health provider.

      The Take: Exposure of Personally Identifiable Information including: full names, physical addresses, dates of birth, member identification numbers, date of health plan coverage and employer names.

      The Vector: A zero-day exploit was used to breach a third-party vendor, Fortra, of Brightline’s, targeting their file transfer software which let the attackers gain access to sets of files throughout the third-party vendor’s systems.

      This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.

      Read more...

      About Castle Hall Diligence

      Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →

      Subscribe to Cyber Updates