The university of Virginia (UVA) has undergone issuing an apology for to the patients that had been effected by a data breach. On December 23, 2017, UVA became aware of an unauthorized third party that has had access to patient information from May 3, 2015 to December 27, 2016 through a laptop that was owned by one of the physicians of the university’s health system. The physician had access to patient records that would allow him to see information which includes: Patient name, diagnoses, treatment, date of birth and home address. A patient’s financial status or social security number was mentioned to not be accessible, but a patient’s healthcare information was not detailed in the report.
The university has been working with the FBI, where an internal investigation was done. The FBI has arrested the third party individual and can confirm from interrogation that patients’ information was not used or shared in any way. Letters have been sent out to the effected patients, about 1900 or so individuals, to review statements and verify information sent from their health insurance provider. If patients find incorrect info, a dedicated support line was opened by UVA for this matter. The call center specializes in assisting patients that look to correct or invalidate inquiries regarding the incident.
As for the security of UVA, they issued this statement: “We are sorry this happened and regret any inconvenience or concern this incident may cause our patients. To help prevent something like this from happening in the future, we are enhancing the security measures required to remotely access UVA Health System information.” The details behind UVA enhancing security has not been disseminated yet.
— Serge Louis
Equifax is a very large credit reporting company who has experienced a cyber attack over the summer. The attack was discovered on July 29 but didn’t become public information until last Thursday, the 5th of September. This data breach could have affected 143 million people. The information that was exposed includes social security numbers, address, and birthday information. Equifax is also saying 209,000 credit cards were exposed including some from the UK and Canada. A big problem with this attack is Equifax was a service used to protect from identity theft but now the integrity of the site has been compromised by this attack.
Once Equifax discovered the breach they began working with private security companies to figure out what happened and how they should go about fixing it. The FBI is also investigating the attack to try and find who is responsible. Another big problem with this breach is it could affect you even if you have never been a customer of Equifax. Equifax collects info. from credit card companies to create credit scores so it is possible your card is one of the ones exposed.
The hack has been reported to have been caused by a vulnerability from a “website application” Not much has been said on the details of the hack. Another problem has popped up from this attack. Equifax has created a website to enter your information and see if you have been exposed to this attack. According to George Weidman Founder of the security firm Shevirah “It’s teaching people entirely the wrong things about using the internet securely”. If this new website has vulnerabilities it could expose even more people.
Excellus Blue Cross Blue Shield, a local Rochester based health insurance provider that operates in Central and Western New York State has learned of a major breach within their system. According to the Excellus website, they insure about 7 million customers and patients, but over 10 million people were affected because the breach also included associates Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies, and Univera.
It has been found that there was unauthorized access to Excellus’ IT systems as early as December 2013 and it is estimated that 10.5 million records have been compromised. With help from Mandiant, a cyber-security firm, it was found that names, birth-dates, Social Security numbers, addresses, phone numbers, member id numbers, financial information and even medical records were affected. However, it has not yet been determined if this information was removed from the Excellus systems, and there have been no reports of any of this information being used in any malicious or inappropriate way.
Executives from Exellus stated that their data was encrypted but hackers gained unauthorized administrative access to their systems, allowing them to access the data. On the home page of the Excellus website as well as all of it’s affected associates’, a notice appears giving information about the recent cyber attack. Excellus is offering free identity protection to all who are affected, and the FBI is currently investigating this attack.
Today Apple had what quickly becoming know as their largest account theft, due to malware. Palo Alto Networks and Weip Tech came across a server that held over 225, 000 valid user names and passwords that had been stolen via a new malware family named KeyRaider in the iOS.
The malware only effects users with jailbroken iOS devices has struck users in 18 countries. According to Claud Xiao, “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”
KeyRaider is also stealing Apple’s push notifications and private keys, but it’s also sharing the App store’s purchasing information. These stolen credentials eventually allow users to make purchases for free using iOS jailbreak tweaks.
They’ve also been locking down devices, and holding them for ransom. It disables unlocking operations, and demands a ransom without going through the Apple push servers.
According to Jonathan Sander (the Lieberman Software VP), and Tim Erlin (Tripwire’s Director of IT Security and Risk Strategy), jailbreaking your iPhone paints a target on your back, and in this case it was taken advantage of.
US banks are finally rolling out a new and more secure type of debit and credit card technology that should strengthen their security. Currently cards use a magnetic strip that holds the card number and expiration date which provides very little security since the card number is being transmitted over the point of sale device and the magnetic strip makes it easy to clone a credit card with stolen information. The EMV “smart card” technology (a joint effort of Europay, MasterCard, and Visa) cards have a built in chip that replaces the functionality of the magnetic strip. However, the chip provides much more security because every time it is used, it generates a one-time transaction code that is cryptographically signed and transmitted. This means that if thieves are able to skim a point of sale terminal or hack into a retailer’s network the codes they steal are worthless. This could have prevented much of the damages caused by breaches like Target, where millions of card numbers where stolen.
These EMV card are not exactly new technology since they have been available since the early 2000’s and most of the rest of the world has already adopted them as the gold standard. The roll out in the US has been very slow because of the great costs of issuing new cards and upgrading point of sale terminals at retail locations. However, with the rise in identity theft and credit card fraud at an all time high, the credit card companies are pushing for the new more secure technology. They are forcing the retailers to transition to the EMV chip and pin terminals by setting a deadline of October 1st, 2015. After that all any company that accepts credit and debit card payments but doesn’t have chip and PIN readers in place could face increased liability and fines for fraudulent transactions incurred if card data is stolen from them.
Author: Charles Leavitt