This month we’ve got four stories that neatly sum up the challenges IT security professionals face in their attempts to protect corporate data. They include a mix of breaches caused by human error, a lack of encryption, and some cleverly disguised malware.
Two States Suffer Medicaid-related Security Breaches
The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10 that an employee of the state’s Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.
After the department detected the transfers, it contacted the state law enforcement agency. The employee was terminated, and the affected individuals were notified of the security breach.
This occurred shortly after a similar breach in Utah:
A new tally of files stored on a server that contained Medicaid information at the Utah Department of Technology Services (DTS) reveals that 780,000 individuals have been affected by the theft of sensitive information. That’s far worse than initial estimates.
The data breach occurred on March 30, when a configuration error occurred at the password authentication level, allowing the hacker, located in Eastern Europe, to circumvent DTS’s security system.
In the Utah case, the problem was that a test server with a weak password was put into production with no change to the password, which was a violation of policy. That was probably simply an error, not a malicious act, as in the South Carolina case. But both stories point to the hard truth that humans are indeed the weakest link when it comes to security.
Nearly Half of all Mass. Residents had Personal Info Lost or Stolen
Massachusetts was also in the news in April, after the state’s Office of Consumer Affairs and Business Regulation issued a report stating that nearly half of the state’s residents had personal information lost or stolen over the past four years during one of about 1,800 data breaches. As The Boston Globe reports:
The report, the first of its kind in Massachusetts, found the financial services industry reported the greatest number of breaches over the last four years, with 955 incidents that exposed the data of 901,156 people. The vast majority of these breaches, however, involved credit card transactions that occurred at retail establishments. The financial services institutions then reported the incidents to state officials. The health care industry, meanwhile, had 214 breaches, but they exposed more people – about 983,746. That included the loss of more than 800,000 patient records at South Shore Hospital in Weymouth in 2010.
That one strikes close to home, as one of our Carousel Connect editors was born at South Shore Hospital, although probably long enough ago that he doesn’t have much to worry about.
One of the big reasons for all this data loss is a lack of encryption. As the Globe reports:
Of the 365 devices reported lost or stolen over the past four years, only 13 were encrypted, the state said.
“It’s taking businesses and institutions longer than we’d hope to encrypt these devices. That would certainly cut back enormously on the number of breaches where consumers’ data is more vulnerable,” said Barbara Anthony, the state’s consumer affairs and business regulation undersecretary. “Businesses, institutions, and others need to do a better job protecting the information of individuals. There is still a lot of work to be done.”
Hard to argue with that.
Upstate NY Hotel Suffers Prolonged Breach from Foreign Hackers
This story, from the Desmond Hotel and Conference Center in upstate New York, has all the elements of the worst kind of security breach: a well-hidden piece of malware collects credit card data over a long period of time and sends it to a perpetrator in another country. As the Albany Times Union reports:
In an online letter to customers, operators of the 323-room hotel said the names, credit and debit card numbers and expiration dates, and other data had been exposed between May 21, 2011 and March 10 of this year in what the hotel called a “serious data security breach.”
Debit card PIN numbers are not believed to have been affected, the hotel said.
While the U.S. Secret Service and a private firm continue to probe how the breach occurred, hotel General Manager John D’Adamo said the hack — like many cyber attacks — is believed to have come from a foreign country.
D’Adamo said The Desmond was tipped to the problem when Secret Service agents showed up in early March saying they were receiving fraud complaints from banks on accounts that seemed to trace back to the prominent hotel.
It’s likely not going to be a good day when the Secret Service shows up at your door talking about fraud. But in this case the hotel was warned months earlier by a customer who reported a charge from China on the card he had used shortly before at the Desmond – a card he rarely used. He got word back from a hotel official denying any culpability.
While there’s no telling how thoroughly the hotel investigated the customer’s complaint, it is true that such malware can be tough to find. As Professor Bulent Yener, director of Rensselaer Polytechnic Institute’s Data Science Research Center, tells the Times Union:
Some of the attacks are so insidious, using what are known as rootkits, Yener said, that they take complete control of a computer and make it appear as though the security systems are working when they have long since been co-opted.
This story, and the Chinese connection, harkens back to last month’s Security Breach Report, which quoted Richard Clarke, a former terrorism, cybersecurity and cyberterrorism advisor for the White House, as saying, “Every major company in the United States has already been penetrated by China.”
And perhaps some not-so-major companies.