Image

December 27, 2023

Major Data Breaches and Hacking News in December 2023


Data Breaches 


Xfinity

Organization description: Comcast-owned Xfinity is an American telecommunications business providing cable television, internet, telephone, and wireless services across the United States. 

Breach size: 35.8 million 

Data exposed: Usernames, passwords, last four digits of Social Security numbers, dates of birth, and answers to security questions.

According to a data breach notification filed with Maine’s Attorney General, millions of Xfinity customers were affected by a recent hack. As the investigation unfolds, a vulnerability in cloud computing software from Citrix has been identified as the point of intrusion.

Despite issuing a patch for the vulnerability in October, hackers were still able to access customer information held in Xfinity's internal networks between October 16 and October 19. Dubbed the “Citrix Bleed,” the vulnerability has also been linked to the cyberattacks on a Boeing subsidiary and the Industrial Commercial Bank of China’s New York branch.

In response to the breach, Xfinity has contacted customers urging them to update their passwords and reset their usernames as well as enable two-factor authentication to protect their accounts.


Mr. Cooper  

Organization description: Mr. Cooper Group is a non-bank mortgage lender and servicer based in Texas.

Breach size:14.7 million

Data exposed: Names, addresses, dates of birth, phone numbers, Social Security numbers, and bank account numbers.

On December 15, Mr. Cooper notified customers that a data breach had occurred between October 30 and November 1, exposing personal information of nearly 15 million homeowners. In a data breach notification filed with Maine’s Attorney General, the mortgage loan servicer confirmed that names, addresses, dates of birth, phone numbers, Social Security numbers, and bank account numbers were compromised.

Although the company publicly announced the data breach in November, the extent of its impact on customers wasn’t discovered until further investigation. Current and former customers affected by the breach are being offered two years of free credit monitoring to mitigate risks of identity theft and fraud.

The FBI is involved in determining who is at the center of the breach while Mr. Cooper says it’s upgrading its cybersecurity practices to prevent another incident.


Blue Shield of California

Organization description: Blue Shield of California is based in Oakland, California and serves health plan members and physicians across the state.

Breach size: 7 million

Data exposed: Names of members, dates of birth, and information related to vision health care.

Another large data breach stemming from the MOVEit zero-day vulnerability occurred in the healthcare sector recently when 7 million records of Blue Shield of California members were stolen. Despite MOVEit’s creator, Progress Software, issuing several patches to fix the vulnerability in May and June, news of affected organizations continues to surface.

The latest related breach of Blue Shield of California likely exposed the names of members, dates of birth, and information related to vision health care. According to a press release, hackers may have accessed data from a Blue Shield server managing vision care data on May 28 and May 31.

The breach was later discovered by a vendor on August 23 and reported it to Blue Shield on September 1. Like many in the healthcare industry, Blue Shield of California relies on Progress Software’s MOVEit program for sharing digital files on members.

In response to the attack, Blue Shield has created a call center dedicated to answering questions, which can be reached at 1-8666-983-2632.


ESO Solutions

Organization description: ESO Solutions is a technology company that develops patient care software used by emergency medical services (EMS) agencies, fire departments, and hospitals.    

Breach size: 2.7 million

Data exposed: Full names, dates of birth, phone numbers, Social Security numbers, patient account numbers, and details of diagnoses, treatments, and procedures.

On December 12, ESO Solutions filed a data breach notice. After investigating the incident, ESO determined that hackers accessed a machine that contained various sensitive personal data of patients.

The ransomware attack was discovered and stopped on September 28, but the bad actors were able to encrypt portions of the company’s database. Shortly after, ESO worked with a third-party cybersecurity team to conduct an investigation and restore its systems.

Although breached information varies depending on the individual, it includes sensitive information that could be used for identity theft and fraud like Social Security numbers and dates of birth.


Norton Healthcare 

Organization description: Norton Healthcare is a Kentucky-based healthcare system with more than 40 clinics and hospitals in and around the city of Louisville. 

Breach size: 2.5 million

Data exposed: Names, contact information, Social Security numbers, dates of birth, health and insurance information, and medical ID numbers.

Norton Healthcare in Kentucky filed a data breach notification with Maine’s Attorney General in December related to a breach discovered on May 9. The breach exposed the sensitive data of 2.5 million people.

Holding data hostage can become an emergency situation when a hospital doesn’t pay the ransom. However, Norton Healthcare said it didn’t make any payments and didn’t report any disruption to its medical record system and services. Despite the hackers accessing network storage devices, systems were restored quickly from backups on May 10.


HTC Global Services 

Organization description: HTC Global Services provides IT and Business Process Services and Solutions with headquarters in Troy, Michigan.

Breach size: Unknown

Data exposed: Passports, contact lists, emails, and confidential documents.

BlackCat/ALPHV has claimed another victim. HTC Global Services confirmed in a post on X that it suffered an attack from the notorious ransomware group. In the brief announcement, they assured customers that they are “actively investigating and addressing the situation to ensure the security and integrity of user data.”  

The company’s post comes on the heels of the BlackCat ransomware gang (also known as ALPHV) adding screenshots of allegedly stolen documents from the company to their data leak site. Not much is known about the cyberattack as investigation is underway, but one cybersecurity expert, Kevin Beaumont, speculates that the breach is likely linked to the Citrix Bleed vulnerability.  

Beaumont has been following the impact of the Citrix Bleed vulnerability also known as CVE 2023-4966 across several sectors, including finance, technology, healthcare, and federal and local governments.  

Hacking News

Water Utility Providers Targeted by Cyberattacks 

Data isn’t the only valuable asset targeted in cyberattacks. When bad actors gain access to computer systems managing utilities, like clean drinking water, the health and safety of residents comes under threat.

Recently, a Pennsylvania water plant, the Municipal Water Authority of Aliquippa, was targeted by an Iran-backed group called the Cyber Av3ngers. The automated system monitoring the water pressure of a booster station was attacked and shut down. The motive was revealed as this message appeared on a screen: "You Have Been Hacked. Down With Israel, Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target."

The Pittsburg plant uses an Industrial Control System known as Unitronics, which has components that are Israeli owned. After the system was shut down, the facility quickly switched to manual operations. However, there are more than 1,800 Unitronics automation control devices connected to the internet, and they are used across multiple sectors like energy production, chemical, and agriculture. So, cybersecurity experts are concerned about how these industrial control systems may be vulnerable to future attacks.

In another attack on a water facility, North Texas Municipal Water District (NTNWD), a ransomware group by the name of Daixin Team claimed responsibility on the Dark Web. Although the water district said there was no disruption of services to its more than 2 million customers, the hackers claimed to have stolen dates of birth, medical record numbers, and Social Security numbers from the NTNWD.

The water district is working with law enforcement and forensic specialists to determine the extent of the attack.

The potential damage from a cyberattack is becoming far greater than business email compromise and data breaches. Water and other municipal utility providers are a prime target for ransomware groups as affected organizations are more likely to pay to restore vital services.

One terrifying incident at a water treatment plant in Oldsmar, Florida involved a hacker adjusting the chemical levels in drinking water. The hacker tampered with the level of sodium hydroxide, used in liquid drain cleaners, from a safe level of 100 parts per million to a potentially dangerous 11,100 parts per million. Fortunately, a city staff member resolved the issue before contaminated water was delivered to any residents.

Municipal water providers face challenges fighting back against cyberattacks like these with a limited budget and staff. Despite the significant vulnerability of these utilities as vectors of widespread health and safety catastrophes, bureaucratic red tape can make cybersecurity improvements difficult to implement. Earlier this year, the Environmental Protection Agency attempted to implement mandatory water systems audits that included cybersecurity concerns, but legal challenges forced a withdrawal.

Cyberattack Recovery Startup Raises $6 Million in Funding 

As hackers ramp up their attacks on automated industrial control systems connected to the internet, one startup is working to counteract the potential damage. Salvador Technologies recently announced securing a $6 million investment to provide better business continuity and cyberattack recovery solutions.

The Israeli company will use the money to boost Salvador’s business opportunities in the United States and Europe. To that end, the company also announced hiring a VP of Sales for the Americas and a VP of Research and Development. It’s also in a hiring spree to find support, sales, and product management staff.

Founded in 2020 by two childhood friends, Oleg Vusiker and Alex Yevtushenko, Salvador Technologies offers a direct solution to critical infrastructures that become victims of cyberattacks. Their growing customer base includes companies across the globe working in the chemical, food, automotive, and aerospace industries as well as critical public and private infrastructure organizations like healthcare, water, and energy providers.

Salvador Technologies’ cyberattack recovery system works to prevent disruptions in services by a device connected to workstations and other computers via USB. The device contains NVMe disks to automatically save data, drivers, configurations and other operating information. If systems are shut down by a cyberattack, the user restarts affected devices and loads information from the Salvador device, restoring systems to the state of the most recent save. Backups can be automated for daily, 2-day, or weekly intervals.

In a press release, an investor in the project, Tal Yatsiv explained, “The company's innovative solution acts as an insurance policy for organizations, eliminating risk by ensuring an immediate full recovery following an attack or a system malfunction."