This Week In Hacks and Breaches
Too many attacks to write about individually, so I am just going to write a short blurb on each with a link. Oh, My!
British Airways – hackers accessed “tens of thousands” of frequent flyer accounts forcing BA to lock down the system, denying users access to the system and requesting that they change their passwords (see link). This does not appear to be a hack of the BA system itself, but rather accounts were used via compromised credentials (possibly via compromised PCs or phones?).
Puush, the screen sharing platform was hacked and users were told by the Puush update process to uninstall the old version and install the new (infected) version (see article). Puush is telling users to install a new, new, uninfected version. Puush says that passwords stored locally and in your browser – all of them – may be compromised, so change them all.
gitHub, the open source developer’s web site was hit by the largest denial of service attack they have seen. After 4 days, they seem to have gotten the attack under control (see article). The good news is that GitHub’s defenses seem to be holding. It is believed that the Chinese are mad that GitHub is storing programs that help access banned sites.
The Indiana State Medical Association reported on March 26th that two backup drives with policy information for 40,000 people were stolen on February 13th. Why they waited 6 weeks to report this is unclear. It contained all the usual stuff – names, addresses, socials, and medical history. The article does not say, but we should assume the drives were not encrypted (see article).
TheHill is reporting that thousands of Uber customer passwords are showing up for sale on the dark web. The price is cheap – selling for as little as a dollar.
Uber says they were not breached. Still, somehow, the userids and passwords are for sale. The fact that Uber can’t find a breach also does not mean there wasn’t one. Uber is particularly sensitive since the personal information for 50,000 of their drivers WAS taken from their servers last month. That was not caused by a smart hacker, but rather by an employee (?ex-employee?) who posted the credentials to the database online.
A hacked Uber account is of limited value – you can use it to get an Uber cab, check a customer’s history and get their home address, among a few other things.
St. Mary’s Health reported that several employee’s userids and passwords were compromised as a result of an email hacking attempt (it sounds like it was not an attempt but rather a successful attack). St. Mary’s said they found out about the breach on Dec 3, 2014 and on Jan 8, 2015 found out that the email accounts of these employees have protected health information for 4,400 patients.
This is small enough that I would not write about it normally, but it raises some questions. It is vague but appears that protected health information was found in email. Was it encrypted? Is this a HIPAA violation on top of everything else? Did they disclose this within the 60 day HIPAA requirement – this is not clear?
I assume the data was not encrypted, but if it was encrypted transparently, with the hackers knowing the userids and passwords of users, that does not help you in the least. This is why one has to be very careful when implementing encryption – it may give you some protection or just the illusion of protection.
In the “This is embarrassing” column, The Department Of Justice is charging two former agents – one from the Secret Service and one from the DEA with money laundering and wire fraud for stealing crypto currency (bitcoins) related to the Silk Road darknet takedown. Both were involved in the investigation (see article).
by 