Security News Survey – March 15, 2019

This week, we look at the Citrix cyberattack, more healthcare data breaches, and a call for cybersecurity transparency in the Senate.

We’re back, readers. We missed last week’s Security News Survey as our team was enjoying some exciting conversations, demos, and the occasional rainstorm at the RSA Conference in San Francisco. If you haven’t yet, be sure to check out a recap of some of our key takeaways from this year’s show in our blog, written by Interset’s own Monica White.

Given our hiatus last week, we’ll use today’s survey to look at some of the top headlines from this week and last. Let’s jump right in.

The Citrix data breach is producing many unanswered questions

This is a big one from the end of last week. Citrix, a major software company headquartered in the United States, disclosed a breach of its internal network. According to a statement from the company, Citrix learned about the breach from the FBI, who warned that “international cyber criminals” were behind the attack. Citrix and the FBI are investigating the breach, and we haven’t really seen a whole lot of information come through. So far, what we know is that hackers may have accessed and downloaded “business documents” and that there’s currently no sign that any of Citrix’s products or services were affected. The FBI also seems to think the hackers used password spraying to brute force their way into logins.

The breach is enough of a media headache for Citrix, but it seems news cycles around the incident have been aggravated by new “findings” from an independent security company. The company published a blog post a couple of days after the initial disclosure, claiming that an Iranian hacker group was behind the data breach and several others. These claims remain unconfirmed by Citrix, the FBI, or anyone else, leaving some reporters with a taste of skepticism in their mouth—perhaps rightfully so. We’ve seen many security incidents blow up in a media frenzy due to new and often conflicting findings from third-party researchers (let’s recall the NotPetya hubbub of 2017). It may be a reminder for us all to pair our intake of data breach speculation with a grain of salt until it’s been verified.

U.S. Senators call for cyberattack transparency—internally

On Wednesday, U.S. Senators Ron Wyden (D-Ore.) and Tom Cotton (R-Ark.) issued a formal request for the Senate to disclose cyberattacks on any Senate members (with confidential details redacted, of course). In a letter to the U.S. Senate Sergeant at Arms, Wyden and Cotton point to previous attacks against government agencies, as well as a 2006 attack on Congressman Frank Wolf, and pleads for more transparency around any breaches or incidents that can help Senators better understand how to best protect themselves and the sensitive data that the Senate houses.

Wyden and Cotton make it a point to call out the potential double standard the Senate sets for not being transparent: “Companies and executive branches are required by state and federal law to report breaches. In contrast, Congress has no legal obligation to disclose breaches and other cyber incidents.” We’ve yet to hear what will become of these senators’ request, but we’ll keep an eye out. Their plea for more transparency is an important one; understanding historical attacks can make a difference in how you prepare for future ones.

Another day, another healthcare data breach

Healthcare companies are dropping like flies to the data breach count. In Michigan, 600,000 people may have been compromised in a cyberattack on a healthcare organization that partners with major healthcare groups like Blue Cross Blue Shield of Michigan, Health Alliance Plan, and more. Unfortunately, it appears the attack wasn’t a simple exfiltration job, but rather another case of ransomware. According to the targeted company, the attackers encrypted the company’s records and held them for ransom. The company was able to decrypt and recover the affected files, but it appears patient names, addresses, SSNs, and medical info was exposed along the way.

In Massachusetts, Emerson Hospital notified patients that their data (names, addresses, SSNs, and insurance info) may have been compromised in a cyberattack from May 2018, where an organization that partners with hospitals for payments sent patient files to an unauthorized third party. Looking at both this case and the Michigan case, we’re reminded that third-party partners are often a security weak link. Make sure your partners are adhering to the same security standards to which you commit your own business.