MENTIS

Week of October 19, 2018


HealthCare.gov Suffered Data Breach as Hackers Stole 75,000 Records*:

Amid the recent data breaches involving US voter data, here comes another blow for Americans.

The government’s health insurance system, HealthCare.gov, allegedly suffered a cyber-attack that let the hackers pilfer thousands of patients’ records.

HealthCare.gov is primarily a health insurance portal allowing customers to sign up for Obama’s Affordable Care Act.

Reportedly, HealthCare.gov suffered a data breach of 75,000 records.

According to the Centers for Medicare & Medicaid Services (CMS), they noticed some suspicious activity in the Direct Enrollment Pathway meant for agents and brokers.

Upon investigation, they found that hackers had allegedly stolen 75,000 records from the system, but CMS didn’t reveal details about the types of information lost in this attack.

Nonetheless, one can certainly speculate about the extent of the data from the fact that the hackers compromised the HealthCare.gov system’s sign-up process, which requires customers to enter explicit personal details and Social Security numbers.

For now, CMS confirmed that the hacking attack only affected the portal, and the direct HealthCare.gov website remains unaffected.

*Source: Latest Hacking News, October 22, 2018

 


Facebook to Buy a Major Cyber Security Firm to Prevent Future Breaches*:

Facebook is finally looking at some solid solutions to reinforce the security of its platform, in the wake of a major security breach that took place last month.

According to a report by The Information, Facebook is shopping for a cybersecurity company, so that it can prevent any security breach in the future.

Apparently, Facebook is in advanced talks with one ‘major’ cybersecurity company, while it has offered deals to ‘several’ other companies as well.

The identity of these candidate companies hasn’t been revealed, but according to the report, Facebook is likely to buy software that could fold into its existing services, such as tools for signalling hacking attempts or securing individual accounts.

This move comes amid a massive security breach of the platform in late September, where Facebook suspected that some 50 million user accounts may have been affected.

However, recently, Facebook reviewed the breach and now believes that it compromised the personal information for 29 million users, including phone numbers, email addresses and recent searches.

This vulnerability was found to be rooted in Facebook's "View As" feature, which lets users see what their profiles look like to other people.

Attackers apparently exploited the code associated with the feature, allowing them to steal "access tokens", which were used to take over 29 million people's accounts.

*Source: First Post, October 22, 2018

 


Audits: The Missing Layer in Cybersecurity*:

There is a broad spectrum of cybersecurity preparedness on the enterprise landscape, but even organizations that are relatively well-resourced and committed to cybersecurity stand to benefit from cybersecurity audits.

Recent audit findings revealed gaps in the Washington Metropolitan Area Transit Authority's cybersecurity posture, and deficiencies were similarly pinpointed in an audit of the Michigan Department of Technology, Management and Budget.

Cybersecurity audits provide a key, additional layer of assurance to organizations that they are safeguarding the data that has become increasingly essential in driving and transforming virtually every business process.

The audit function is well-positioned to assess the data protection and controls around those business processes.

Organizations that have mature security teams in place might figure they have cybersecurity covered, but how is the effectiveness of that security team being evaluated, and who is ensuring that new threats are being considered on a regular basis? Audit teams need to be part of these mission-critical answers.

Unless organizations have robust risk management processes in place — and many do not — there are common gaps in organizations' cybersecurity posture that cyber audits can help identify, most notably insufficient controls around data management.

Not only can cyber audits identify these gaps, they also counteract the tendency for organizations to become complacent and reactive by assuring that risk assessments are being conducted regularly.

Involving the audit team in cybersecurity helps make sure that the attention is not just on technology implementations; auditors also can identify instances when technology solutions are sitting on the shelf or being underutilized, rather than being deployed to strategically address security risks.

Additionally, audits can help evaluate critical challenges such as coverage models, skill sets, training, and gaps in key resource capabilities.

When organizations are astute enough to turn to their audit teams for cybersecurity support, auditors must be prepared to deliver value, aligned to the speed of their business.

This can be challenging, considering many IT auditors received much of their professional training many years ago, when the word cybersecurity did not command the attention it does today, and before transformative technologies such as artificial intelligence, connected Internet of Things devices, and cloud-based platforms were so prevalent and impactful.

With few exceptions, enterprises depend upon their technology more than ever to swiftly deliver value.

Reliance upon effective and secure technology deployment has spread well beyond a centralized IT department.

Having the needed controls in place to contend with an ever-growing array of threats, risks, and vulnerabilities can be the difference between thriving and floundering in today's digital economy.

With so much at stake, enterprises cannot afford to take any shortcuts.

Activating the additional line of sight that the audit function is uniquely equipped to provide can make all the difference.

*Source: Dark Reading, October 18, 2018

 


Second Data Breach Lawsuit Filed Against Yale*:

In 2005, Andrew Mason gave his Social Security number and other personal information to Yale when registering for one of the University’s summer programs.

In July of 2018, Yale notified him that his personal data had been hacked.

Now, Mason has filed a class-action lawsuit against the University for “negligence,” “reckless, wanton and wilful misconduct” and “unfair trade practices.”

According to the complaint, between April 2008 and January 2009, hackers broke into a Yale database, which contained information on then-current and former members of the Yale community, and were able to access their names, Social Security numbers and — in some cases — dates of birth as well as email and physical addresses.

The lawsuit, which was filed Oct. 15, is the second class-action complaint filed against Yale for the data breach.

The first was filed Aug. 1 by Julie Mason. It is unclear whether the two plaintiffs are related.

University spokesperson Tom Conroy told the News that the University has not yet reviewed the second lawsuit.

The University discovered the breach this June – 10 years after the fact – but notified those affected by the breach more than a month after learning about the data breach; the breach included the personal information of more than 119,000 Yale alumni, faculty, and staff members.

*Source: Yale Daily News, October 22, 2018

 


Hack on 8 Adult Websites Exposes Oodles of Intimate User Data*:

A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards.

Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it’s not clear how many of the addresses legitimately belonged to actual users.

Robert Angelini, the owner of wifelovers.com and the seven other breached sites, said that in the 21 years they operated, fewer than 107,000 people posted to them.

He said he didn’t know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn’t had time to examine a copy of the database that he received on Friday night.

Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites early Saturday morning.

A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites.

Besides wifelovers.com, the other affected sites are: asiansex4u.com, bbwsex4u.com, indiansex4u.com, nudeafrica.com, nudelatins.com, nudemen.com, and wifeposter.com.

The sites offer a variety of pictures that members say show their spouses.

It's not clear whether all of the affected spouses gave their consent to have their intimate images made available online.

*Source: Ars Technica, October 21, 2018

 
