Another week, another round of hacks. While everyone hears about a big Facebook breach or a major government attack like the one that the City of Atlanta experienced earlier this year, there are plenty of other stories each week that receive little attention outside of the affected organization’s immediate circles. We think it’s important to highlight these incidents occasionally so that organizations remember that cyber attacks are not just isolated incidents, but rather an ongoing threat that needs to be monitored continuously. So, to help in that effort we will, from time to time, publish a “breaches of the week” blog. Welcome to the inaugural post!
3 Data Breaches Reported Last Week
Healthcare: Bankers Life
Bankers Life, a subsidiary of CNO Financial Group, and provider of health and life insurance plans with 1.4 million policyholders, was forced to notify more than 566,000 individuals—more than one-third of their clientele—that personal information was exposed in a hacking incident. Information stolen by hackers included names, addresses, dates of birth, insurance policy numbers, insurance type, premium amounts, dates of service, claim amounts, and the last four digits of Social Security numbers.
Prior to alerting policyholders, CNO first reported the incident to the Department of Health and Human Services (HHS), citing an "unauthorized access/disclosure breach." The insurer stated that employee credentials were compromised, enabling third parties to gain unauthorized access to company websites housing personal data on policyholders and applicants. In other words, the attackers did not need an exploit: a valid login to a web application that exposed customer records was enough.
According to the HIPAA Journal, this is the fifth largest healthcare data breach of 2018, and it has already made the HHS's public list of breaches affecting 500 or more individuals, commonly called the "wall of shame." DSM recently covered the biggest healthcare data breaches of 2018, why hackers love the healthcare industry, and how organizations can fight back. Read more here: Healthcare Data Breaches in 2018: A Bad Year for Data Privacy.
Corporate: Radisson Hotels
Last week, the Radisson Hotel Group—a network of more than 1,400 hotels in more than 70 countries—reported that a data breach within its Radisson Rewards program compromised the personal data of a "small percentage" of members. What is more worrisome for the hotel group is that those affected were not informed until more than a month later. The European Union's General Data Protection Regulation (GDPR) requires a data controller to notify its supervisory authority within 72 hours of becoming aware of a breach, and to inform affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk, so a month-long gap invites regulatory scrutiny on both counts.
For the hotel group, which is headquartered in Brussels within the EU, steep fines could be forthcoming. If the group is found to have breached its obligations as a controller (the breach-notification duty among them), it could be fined up to 10 million Euros (over $11 million) or 2% of annual global turnover, whichever is higher. If the breach is found to have infringed upon individuals' privacy rights, the group could be liable for up to 20 million Euros (nearly $22.5 million) or 4% of annual global turnover, whichever is higher.
Ross Rustici, senior director of intelligence services at Boston-based firm Cybereason, said the breach will be an interesting test case under the GDPR, which went into effect May 25, 2018. “Each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations,” Rustici said.
Financial: HSBC Bank
HSBC Bank, the world's seventh largest bank, warned approximately 14,000 U.S. customers last week that their personal data, including name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history, was compromised in a breach. The bank stated that, despite the breach, it had found no indication that any fraudulent activity was carried out using the information.
HSBC believes the breach is the result of a credential stuffing cyberattack. Credential stuffing, a term coined by former Deputy Assistant Secretary of Defense Sumit Agarwal, refers to attackers automating login attempts against thousands or millions of accounts on one site using username/password pairs already leaked from another site. Because so many people reuse passwords across sites, even a small hit rate (often a fraction of a percent) across millions of automated attempts yields thousands of working accounts, and every successful login looks like a legitimate customer because the password was correct. "We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts," an HSBC release stated.
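What makes credential stuffing detectable, even though each individual login succeeds or fails like any other, is its shape: one source tries many different usernames with a high failure ratio in a short window, whereas a legitimate customer who forgets a password retries one username. The following script is an added example for this post, not code from HSBC or from DSM; it runs a sliding-window check over constructed sample login lines (the log format, field names, IP addresses and usernames are all invented for illustration) and reports, per source address, how many distinct accounts were tried and which accounts the attacker actually got into, which is the list an incident-response team needs for forced resets and customer notification.

```python
"""Detect credential-stuffing patterns in web-application login logs.

Signature: one source address attempts MANY DISTINCT usernames with a HIGH
failure ratio inside a short window.  A single user mistyping a password, or
an office NAT address behind which many users log in successfully, should
not trigger the alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data): one line per login attempt.
#   203.0.113.7   - one user retrying a forgotten password (benign)
#   198.51.100.22 - stuffing run: 12 usernames, 11 failures, 1 hit ("dave")
#   192.0.2.10    - office NAT: 9 distinct users, all successful (benign)
SAMPLE_LOG = """\
2018-11-06T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2018-11-06T09:00:05Z src=203.0.113.7 user=alice result=FAIL
2018-11-06T09:00:12Z src=203.0.113.7 user=alice result=OK
2018-11-06T09:01:00Z src=198.51.100.22 user=bob result=FAIL
2018-11-06T09:01:01Z src=198.51.100.22 user=carol result=FAIL
2018-11-06T09:01:02Z src=198.51.100.22 user=dave result=OK
2018-11-06T09:01:03Z src=198.51.100.22 user=erin result=FAIL
2018-11-06T09:01:04Z src=198.51.100.22 user=frank result=FAIL
2018-11-06T09:01:05Z src=198.51.100.22 user=grace result=FAIL
2018-11-06T09:01:06Z src=198.51.100.22 user=heidi result=FAIL
2018-11-06T09:01:07Z src=198.51.100.22 user=ivan result=FAIL
2018-11-06T09:01:08Z src=198.51.100.22 user=judy result=FAIL
2018-11-06T09:01:09Z src=198.51.100.22 user=mallory result=FAIL
2018-11-06T09:01:10Z src=198.51.100.22 user=niaj result=FAIL
2018-11-06T09:01:11Z src=198.51.100.22 user=olivia result=FAIL
2018-11-06T09:02:00Z src=192.0.2.10 user=staff01 result=OK
2018-11-06T09:02:03Z src=192.0.2.10 user=staff02 result=OK
2018-11-06T09:02:06Z src=192.0.2.10 user=staff03 result=OK
2018-11-06T09:02:09Z src=192.0.2.10 user=staff04 result=OK
2018-11-06T09:02:12Z src=192.0.2.10 user=staff05 result=OK
2018-11-06T09:02:15Z src=192.0.2.10 user=staff06 result=OK
2018-11-06T09:02:18Z src=192.0.2.10 user=staff07 result=OK
2018-11-06T09:02:21Z src=192.0.2.10 user=staff08 result=OK
2018-11-06T09:02:24Z src=192.0.2.10 user=staff09 result=OK
"""

# Hypothetical log format assumed for this example: "<ISO8601Z> src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse login lines into time-sorted event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "ok": m["result"] == "OK",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=8, min_fail_ratio=0.8):
    """Return {src: summary} for sources whose attempts in any `window`-long
    span cover >= min_distinct_users usernames with a failure ratio >= min_fail_ratio.
    `hit_accounts` lists usernames that the flagged source logged into successfully."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide `start` forward so evs[start:end+1] fits inside the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if not e["ok"])
            if len(users) >= min_distinct_users and failures / len(span) >= min_fail_ratio:
                a = alerts.setdefault(src, {"distinct_users": 0, "attempts": 0,
                                            "failures": 0, "hit_accounts": set()})
                if len(users) > a["distinct_users"]:   # keep the widest offending window
                    a.update(distinct_users=len(users), attempts=len(span), failures=failures)
                a["hit_accounts"].update(e["user"] for e in span if e["ok"])
    return {src: {**a, "hit_accounts": sorted(a["hit_accounts"])} for src, a in alerts.items()}


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, summary in run_sample().items():
        print(f"ALERT {src}: {summary}")
```

Two design points matter in practice. The failure ratio is what separates a stuffing run from a shared NAT address (the `192.0.2.10` case above trips the distinct-user threshold but not the ratio), and the `hit_accounts` list, not the alert itself, is the actionable output: those are the customers whose passwords are known to the attacker and must be reset. Real campaigns also spread attempts across thousands of proxy addresses to stay under per-IP thresholds, so the same counting should additionally be run per target account across all sources and per ASN, and paired with rate limiting and multi-factor authentication rather than relied on alone.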
DSM has been a long-time advocate of organizations requiring frequent password changes and having other security protocols in place. Note, however, that a rotation schedule does little against credential stuffing, which succeeds on passwords reused across sites rather than on old ones; NIST's current guidance (SP 800-63B) advises against mandatory periodic changes and instead recommends screening new passwords against lists of known-breached credentials, rate-limiting login attempts, and requiring multi-factor authentication, which is the control that defeats a replayed password outright. You can read more here: Securing Business Intelligence Within the Cloud.
Data breaches and cyber-attacks can happen to any organization at any time. For organizations unprepared to defend themselves, a third-party provider can help evaluate current systems of security and manage security concerns. DSM, Florida’s predictable cloud provider, can help keep data protected through continuous monitoring and data protection services. Contact one of our IT experts today to learn more.