Security News Survey – January 25, 2019

A look at the DHS’s emergency DNS directive, a data leak of millions of bank records, and another healthcare breach.

If the first few weeks of January are any indication of what’s in store for the rest of the year, we can be sure that 2019 will see more than its share of data breaches. An important reminder that this year has emphasized so far is that it doesn’t take a malicious actor to compromise data; many organizations have been suffering from inadvertent data leaks.

And on that note, let’s look at a few headlines from the week that stood out to us.

Millions of loan and mortgage records leaked online

Around 24 million financial and banking documents related to loans and mortgage from major U.S. banks were discovered online by a security researcher. The server, which ran an unprotected Elasticsearch database, housed records dating back to 2008 and contained sensitive financial and personal data of millions of individuals who conducted business with institutions like Citigroup, Wells Fargo, CapitalOne, and more. The leak has been attributed to Ascension, a data and analytics company that serves financial institutions. The server was promptly shut down after discovery.  

DHS emergency directive

On January 22, the U.S. Department of Homeland Security (DHS) issued an emergency directive ordering government agencies to secure their domain name system (DNS) records. According to the directive, the DHS and partnering cybersecurity agencies have been tracking a “series of incidents involving DNS infrastructure tampering” that involved the interception and redirection of web or mail traffic. The DHS warned that compromised user credentials can allow attackers to tamper with DNS records and redirect users through malicious servers, so agencies are being asked to add multi-factor authentication to their DNS accounts, refresh passwords, and conduct a thorough audit of their DNS records.   

Unfortunately, the ongoing government could make it challenging to follow through on this order, especially given that the directive has given agencies only 10 days to comply.  

Kansas data breach exposes patient data of 70,000

Another week, another healthcare data breach. Kansas’s Valley Hope Association, a system of addiction treatment centers, have started notifying 70,000 patients about a security breach that may have compromised their personal data. According to an investigation of the breach, a phishing attack granted an attacker access to an employee email account, which contained personal information of patients in messages and attachments. The breach is said to have occurred between October 9th and 10th last year. As with most healthcare breaches, the type of data exposed was highly sensitive: names, addresses, medication data, social security numbers, financial accounts, driver’s licenses, dates of birth, insurance data, and more.

This attack is all too reminiscent of ones we’ve seen before. Compromised accounts are a frequent culprit of data breaches, and it’s often human error that enables it. If you haven’t already, be sure to check out our blog on the potential danger of a single compromised account: Most Wanted Insider Threats: The Tale of a Compromised Account.

We’ve also seen some interesting news come through in the world of GDPR, but stay tuned for our thoughts on that this coming Monday—January 28th is Data Privacy Day!