Spotting the mistakes and vulnerabilities that led to a breach
1. TCM Bank
If you applied for a credit card through TCM Bank (a subsidiary of ICBA Bancard) between March 2017 and July 2018, your data may have been exposed. About twenty-five percent of applicants from that timeframe were affected, and the exposed data included names, addresses, dates of birth, and Social Security numbers.
The fault was not exactly TCM’s, though in the end the responsibility is theirs. The misconfiguration was on a website managed by a third party. It has since been corrected, and TCM is now requiring its vendors to double-check their technologies and procedures.
The lesson to take away from this is that major companies need to thoroughly vet the technology being used by their partners. Assessing third-party risk can be a challenge, but managing that risk is important in ensuring customer data is kept safe.
2. St. Mary’s Hospital
SSM Health St. Mary’s Hospital in Jefferson City was recently made aware that supporting medical documents were discovered in their former campus when it was being prepared for demolition. SSM secured the documents and launched an investigation, learning that they were not transferred during the hospital’s 2014 move to a new facility.
This material, luckily, consisted entirely of supporting documents. While many included demographic and financial information, some only featured patient names and numbers. Even so, this still represents a privacy breach in violation of HIPAA, possibly exposing confidential patient information.
SSM Health has taken this breach very seriously and sent notifications to all of its affected patients, as well as notified the Office of Civil Rights. They are also revising their policies and procedures regarding proper record storage, retention, and destruction, in order to make sure this does not happen again.
3. Hudson’s Bay Company
Two subsidiaries of the Hudson’s Bay Company – Lord & Taylor and Saks 5th Avenue – were targeted by a threat actor known as Fin7. This hacker released the details of 125,000 cards stolen from the two luxury department stores, putting thousands at risk. The breach affected every Lord & Taylor location, as well as almost one hundred Saks stores.
Fin7 has advertised a sale of their stolen information, claiming to possess the details of 5 million payment cards. It is assumed that the criminals have only released a small fraction of what they actually have, and will sell the remainder in the near future.
Dark web monitor Gemini Advisory suggests that this information was leaked due to the use of older credit card machines that require a swipe. Chip reading is considered a safer way to process a credit card transaction, so using a chip reader could prevent such a breach from occurring again.
4. Eastern Maine Community College
An advanced EMOTET computer virus may have stolen the personal information of thousands of students, graduates, and workers affiliated with the Eastern Maine Community College of Bangor. This type of malware is considered one of the most dangerous on the Internet, according to the Department of Homeland Security, and can be downloaded as easily as clicking on the wrong link.
While there is no evidence that the breach has resulted in any identity theft, the malware made social security information available, as well as other financial data.
Luckily, Trojans such as EMOTET can be boxed out of networks by using simple anti-virus programs. Keeping anti-virus programs up to date and remaining vigilant about suspicious links can save organizations the headache that comes with such a breach.
5. Air Canada
Air Canada recently reported a breach in its mobile app, resulting in the improper access of about 20,000 accounts. While credit card information is safely encrypted, other data such as passport number, Nexus number, known traveler number, gender, birth date, nationality, passport expiration date, passport country of issuance, and country of residence could have been accessed if such data were stored in the users’ accounts.
While this breach may not be as bad as some others – due to the lack of vulnerable credit card and social security data – it still represents a major issue. Cybersecurity research scientist Chester Wisniewski suggests that this hack may have been done by a lone cybercriminal who discovered a security gap in the app’s application programming interface – the interface that allows the app to communicate with Air Canada’s servers.
So, while this breach could certainly have been worse than it was, it does force Air Canada to consider its security measures. Perhaps hiring a cybersecurity firm to assess the app’s safety could have prevented this breach, and would prevent future issues as well.
6. T-Mobile
T-Mobile, one of the largest mobile carriers in the world, recently found its cybersecurity breached. While financial data and social security information were protected from the breach, personal data such as addresses and phone numbers may have been stolen from about 2 million users.
This pales in comparison to the 2015 breach, in which 15 million customers were vulnerable in a hack that included social security numbers. However, the repeated breach of T-Mobile’s security makes one thing clear: either hackers are getting smarter, or companies are not keeping up with cybersecurity trends.
Fortunately, there are some cybersecurity firms that specialize in staying ahead of the curve, allowing companies large and small to avoid the perils of recent data breaches – or seriously mitigate any impact. And we’re one of them.
Absolute Logic’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education and training, and disaster recovery. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.