New, by me: U.S. pharma giant Cencora says Americans’ personal and health information were stolen in a Feb. data breach.
Cencora, previously AmerisourceBergen, said it obtained patients’ data through partnerships with drug makers, including Abbvie, Acadia, Bayer, Novartis, Regeneron.
Cencora's disclosures with U.S. states so far show at least half a million people are affected. But Cencora said it is unwilling to say if it knows how many people are affected.
If you received a letter from Cencora in the last few days, you are likely affected. Even then, Cencora says it “does not have address information to provide direct notice” for some affected individuals.
Cencora handles around 20% of the pharmaceuticals sold and distributed throughout the United States, and says on its website that the company has served at least 18 million patients to date.
A busy edition of ~ this week in security ~ is now out:
• FBI seizes BreachForums (again)
• CISA official breaks ranks on SS7 flaws
• May's Patch Tuesday fixes plenty of zero-days
• Jamaica's state-run agency hit by ransomware
• Australian prescription company hacked
• CSC ignores "free laundry" bug
• A brand new pair of cyber cats, and more.
NEW, by me: Since mid-2023, a cybercrime operation called Estate has allowed hundreds of members to carry out thousands of automated phone calls aimed at tricking victims into turning over their one-time passcodes.
Oftentimes, that one-time passcode is all the attacker needs to break into a victim’s online account.
But a bug in Estate's code exposed the site's backend database, which was not encrypted. A security researcher shared the database with TechCrunch.
Estate's leaked database provides a rare insight into how a one-time passcode interception operation works.
But while Estate's owner promised privacy for its members, stating "We do not log any data," that wasn't true.
Estate's database has logs of more than 93,000 call attacks dating back to the site's launch last year, as well as detailed server logs that gave Estate's owner a real-time window into what was happening on Estate’s server at any given time.
UK defense minister Grant Shapps confirms cyberattack and data breach involving a payments system for the UK Armed Forces — names, bank account information, and some addresses of military personnel.
"This is an external system... operated by a contractor," says Shapps.
I think a big question here is why U.K. military personnel data was being handled by a third-party contractor? Government systems might not be much stronger, but another consequence of privatization?
The FT is reporting that the hacked contractor, SSCL, holds the payroll details of most of the British armed forces and 550,000 public servants, including central government.
The key line: "It was set up in 2013 [under a Conservative government] as a joint venture between the cabinet office and Paris-based Sopra Steria, a digital services company, as part of a wider drive by the government to reform the civil service and save taxpayer money by centralising functions."
New, by me: The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by MFA, according to the CEO of its parent company UnitedHealth.
It’s not known why Change did not set up MFA on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer’s systems.
To put this into context, one of the world's wealthiest companies storing some of America's most sensitive data was hacked with relative ease because the company couldn't be bothered to switch on a basic security feature for its employees' logging in.
Once in a while, and it's becoming more frequent, someone emails me to ask why some very bad privacy practice — like sharing someone's sensitive search terms on a medical provider's website with third-party advertisers — is allowed to happen or isn't illegal.
Elect better lawmakers, and demand better from them. That's it. Nothing will change until lawmakers start serving the interests of their electorate and not the big tech giants that fund their political campaigns.
UPDATED, by me: U.S. health conglomerate Kaiser disclosed a data breach affecting 13.4 million members.
Kaiser confirmed it was sharing patients’ information with third-party advertisers, including Google, Microsoft, and X (formerly Twitter).
In a statement, Kaiser blamed "certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors."
It sounds like Kaiser got caught out by the use of online trackers on its website and apps. These trackers are often embedded in web pages and mobile apps and designed to collect information about users’ online activity for analytics, but often also share that data with third-party organizations.
Over the past year, Cerebral, Monument and Tempest have pulled tracking code from their apps that shared patients' personal and health information with advertisers.
BREAKING: UnitedHealth has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans’ private healthcare data.
In a statement, UHG said the criminal hackers stole files containing personal data and protected health information that it says may “cover a substantial proportion of people in America.”
A UnitedHealth spokesperson confirmed in an email that a ransom was paid to the cybercriminals "as part of the company’s commitment to do all it could to protect patient data from disclosure."
The company would not confirm the amount it paid. @brett reports that RansomHub has delisted Change Healthcare from its dark web leak site.
Post News, which sought to be a Twitter alternative, is shutting down. I have 5.8k followers there but rarely use it. I decided I’ve bandwidth for only two platforms after putting my Twitter accounts in suspended animation — Threads is one of them and Mastodon is the other. https://www.theverge.com/2024/4/19/24135011/twitter-alternative-post-news-shutdown
Frontier, a major ISP and cloud provider, has confirmed a cyberattack on April 14, saying a cybercrime group gained access to an unspecified amount of personally identifiable information — though, unclear if this is customers or employees.
Frontier said it "believes it has contained the incident and has restored its core information technology environment and is in the process of restoring normal business operations."
"On its website, Frontier says it is experiencing technical issues with its internal support systems and provided a phone number for those in need of assistance."
NEW, by me: Hackers are threatening to publish a confidential database containing millions of records used by companies for screening prospective customers for links to financial crimes.
The financially motivated hacking group says it took 5.3 million records from the World-Check database.
TechCrunch was provided a sample of the records. The London Stock Exchange Group, which maintains the database, confirmed a third-party breach.
As I note in the piece, even though this database is sourced from public information, like sanctions lists, the database itself is confidential.
A major problem is that these databases can contain errors — as some have found before — which means you could be on the list and have no idea, and that can be enough of a reason for your bank to close your account.