Cyber Intelligence Weekly (December 17, 2023): Our Take on Three Things You Need to Know // Echelon Risk + Cyber

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight Echelon's Top 10 Must-Read Cybersecurity Articles of 2023! Join us in reflecting on some of 2023's most important cyber topics and trends. Uncover the complexities of NYDFS regulations, harness the power of language models, and enhance your defense strategy against web app vulnerabilities.

From cyber gender diversity initiatives to navigating CISO decisions for small to mid-sized businesses, Echelon's Top 10 articles offer a comprehensive exploration of the ever-evolving world of cybersecurity. Empower yourself with knowledge for a safer digital future. Read More Here: https://lnkd.in/eed4Et4t

Away we go!

1. The Blame Game: 23andMe's Controversial Response to a Massive Data Breach

In a controversial response to the lawsuits following a significant data breach, genetic testing company 23andMe is now shifting the blame onto the victims themselves. The company, which faced over 30 lawsuits due to a breach that exposed the data of 6.9 million users, sent a letter to some of the victims claiming their negligence in password security led to the breach. TechCrunch reported that 23andMe's letter argued that users' failure to update their passwords, which were known to be compromised, was the root cause of the incident. This stance was taken despite the breach's extensive impact, originating from the hacking of only 14,000 accounts but eventually compromising millions more through the DNA Relatives feature on the platform.

Hassan Zavareei, representing the victims, criticized 23andMe's stance, stating that the company should have anticipated the use of recycled passwords and implemented stronger safeguards against such breaches. He emphasized that millions of customers had their data exposed not because of their password habits but through the DNA Relatives feature. This feature, when opted into, allowed the sharing of data with other users considered relatives on the platform, which the hackers exploited. Zavareei argued that blaming the victims for the breach was a baseless and irresponsible defense from 23andMe.

Additionally, 23andMe's lawyers claimed that the stolen data could not cause financial harm to the victims, as it didn't include sensitive financial information. This statement came alongside 23andMe's actions post-breach, which included resetting all customer passwords and mandating multi-factor authentication, previously optional. Furthermore, the company modified its terms of service to make collective legal actions against it more challenging, a move described by legal experts as self-serving and cynical. Despite these changes, numerous class action lawsuits have been initiated against 23andMe, reflecting the significant backlash from affected customers and the broader public.

2. HealthEC Data Breach Has Impact on Millions of Patients

A significant data breach at HealthEC, a New Jersey-based provider of artificial intelligence-enabled population health management services, has severely impacted the personal information of nearly 4.5 million patients. The breach, which also affected over a dozen U.S. healthcare systems, was reported to the U.S. Department of Health and Human Services as a HIPAA business associate incident on December 21. The unauthorized access, identified between July 14 and 23, 2023, involved a network server and resulted in the copying of certain files.

HealthEC, upon detecting suspicious network activity, initiated an immediate investigation. Although the specific date of discovery wasn't disclosed, the investigation revealed that an unknown actor accessed certain systems and copied files during the aforementioned period. By October 24, HealthEC completed a thorough review of the compromised files to ascertain the nature of the information and the affected clients. Notifications to its clients began on October 26, and the company is collaborating with them to inform potentially impacted individuals.

The breach's impact extends to about 17 of HealthEC's clients, including notable healthcare organizations such as Corewell Health and HonorHealth. The exposed data encompasses a wide range of sensitive information, including patients' names, addresses, birthdates, Social Security numbers, and medical details like diagnosis and prescription information. Additionally, health insurance data such as beneficiary and subscriber numbers, along with billing and claims details, were potentially compromised. In response, HealthEC is reviewing and updating its data privacy and security measures. The HealthEC incident currently ranks as the sixth-largest health data breach reported in 2023 and the fifth-largest reported by a business associate, according to the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website.

3. To Pay or Not to Pay: Estes' Stand Against Ransomware Demands

Estes Express Lines, one of the largest private freight companies in the United States, has been the victim of a significant cyberattack, resulting in the theft of personal information from over 20,000 customers. The incident, which occurred on October 1, 2023, involved an unauthorized entity gaining access to the company's IT network and deploying ransomware. Despite this, Estes chose not to pay the ransom demanded by the attackers.

The cyberattack was initially disclosed by Estes in early October, indicating that their IT infrastructure was compromised. By October 24, the company's chief operating officer, Webb Estes, confirmed the complete restoration of their system's capabilities. However, the situation escalated when the ransomware group Lockbit claimed responsibility for the breach in November, claiming to have leaked the stolen data. In a New Year's Eve data breach notification to the Maine Attorney General, Estes acknowledged the incident was a ransomware attack and cooperated with the FBI in a forensic investigation. The nature of the stolen data, which includes names and Social Security numbers, was detailed in the filing.

This incident raises broader questions about how companies should respond to ransomware attacks, balancing practical considerations like backup effectiveness and downtime costs against more philosophical concerns, such as the potential for funding criminal activities. The decision to pay vs. not to pay the ransom, as seen in cases like Caesars Entertainment and MGM Resorts, can have varied financial implications, with some companies experiencing significant financial losses. The U.S. government and federal law enforcement generally advises against paying ransoms, and there are discussions about banning such payments altogether.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about