Published on March 15th, 2017 | by Joel Roy
Breach of the Month — February 2017
Every week on our Twitter stream we share news on the top breaches making the headlines. At the end of each week one ‘unlucky winner’ — the largest, the weirdest, the most dangerous, or the most high-profile — is chosen as the SS8 #breachoftheweek. But out of all the February breaches we chose for the honor, which was the one we chose as February’s #breachofthemonth? This month’s breach threat analysis is courtesy of engineer Akshay Nayak.
Contestant #1 — Witcher 3 Dev forums
CD Projekt Red, the maker of the popular Witcher series of games, recently suffered a data breach in which close to 1.9M records were stolen. The stolen records were first reported by the breach notification website HaveIBeenPwned. The records consisted of usernames, passwords and email addresses associated with Witcher 3 forums. The actual breach occurred in March 2016, when an ‘unauthorized party’ accessed CD Projekt Red’s old database that used to power the forums at the time.
Contestant #2 — Polish Financial Supervision Authority
Contestant #2 — Coachella Breach
The website for the popular Coachella Music Festival got compromised and led to the leak of 950,000 account details. The data was first seen on the Tochka dark web where it was being sold for $300. Out of the 950K accounts, 360,000 accounts were for the Coachella website, while the rest were for the message boards.
Contestant #4 — Citizens Memorial Hospital hack
Citizens Memorial Hospital was the victim of a data breach that led to the leak of all 2016 W2 tax forms for current as well as former employees. The cause of the breach was a phishing email masquerading as a legitimate looking internal hospital request.
The winner for the month of Feb is… the Citizens Memorial Hospital breach:
This was chosen as the breach of the month because it involved compromise of W2 tax forms that contain PII (Personally Identifiable Information) such as Social Security Numbers and Date of Birth.
Following the breach, Citizens Memorial Hospital in Bolivar, MO reached out to the FBI, IRS and other state tax authorities. However, the incident was not reported to the HHS Office for Civil Rights — normally a requirement for health-related breaches affecting more than 500 people. The reason cited by Citizens Memorial for not reporting the breach to HHS this was that the breach was it was not considered a violation of HIPAA (Health Insurance Portability and Accountability Act) compliance since W2 forms were not covered under HIPAA.
All affected employees did receive a free 2-year subscription to Experian’s credit monitoring service – ProtectMyID — but that certainly does not make things easier for them. Credit Monitoring services normally don’t kick in until identity theft has already done damage.
Hospitals and medical institutions alike must practice defense in depth and create and adhere to a robust security policy. Security awareness training must also be provided to employees to look for ‘phishing’ red flags in emails which could be posing as legitimate messages using a variety of social engineering tricks. Without such training an employee will always choose to open an attachment, respond to or forward the email, or click on any embedded link rather than second guessing. After all, in a medical institution someone’s life could be hanging in the balance and wrongly flagging a legitimate email as a malicious phishing email could prove fatal for the patient.
That’s it for this month! Check in with us again next month for more breach analysis — and you can help us nominate breaches throughout the month using the hashtag #breachoftheweek.
Akshay Nayak is a Threat Researcher at SS8. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.