🔐 Lapsus$ pt. 1
Okta is one of those companies that simply cannot afford to be hacked. Its identity platform is used by thousands of companies around the world to run security features like single sign-on and multi-factor authentication. And this week, it was hacked. Just 24 hours after Lapsus$ started leaking screenshots of Okta's internal systems, Okta's Chief Security Officer published a memo on what had happened: the group got in through a third-party subprocessor that Okta uses for outsourced customer support, by way of a support engineer's machine rather than through Okta's own service. By Okta's count, 366 corporate customers (around 2.5%) were potentially affected. Given Okta's place in the industry, folks were not happy. Okta's stock dropped nearly 10% in one day after the news broke, while its security team insists the impact was minimal. The practitioner's caveat: a support engineer's role can reset passwords and MFA factors but cannot read passwords or download customer data, so affected tenants should audit their own logs for password and factor resets they did not initiate rather than rely solely on the vendor's summary.
💻 Lapsus$, encore
Microsoft was the other Lapsus$ victim this week. In a lengthy blog post published on Tuesday, Microsoft's security team said the intrusion came through a single compromised employee account; the post does not say how the account was obtained, though paying insiders for access is a documented Lapsus$ tactic. With that access, Lapsus$ was able to browse internal source repositories and walk off with source code for the Bing search engine and the Cortana virtual assistant. No customer code or data was involved. Microsoft, in an apparent effort to play down the severity, wrote that "viewing source code does not lead to elevation of risk." That holds only for a codebase that does not depend on secrecy, and Microsoft says its security model does not rely on code secrecy; the check that matters is whether any credentials, signing keys or internal hostnames were sitting in the leaked tree. Whether the claim stands up remains to be seen. The compromised account has since been remediated.
🏥 Again? Really?
Spokane Regional Health District ("SRHD"), a public health agency serving eastern Washington, has suffered its second data breach in just four months. An initial investigation concluded that 1,260 people were impacted, with information such as full names, medication and treatment details, and test results accessed by an unauthorized third party after an employee fell for a phishing email. No Social Security numbers were accessed. SRHD has contacted those affected and has set up telephone and email hotlines.
🇺🇸 Privacy, OK
The Oklahoma State House of Representatives voted 74-15 to pass the Oklahoma Computer Data Privacy Act ("CDPA"), a bill modeled largely on California's CCPA. It now goes to the Senate for further deliberation. The CDPA would apply to businesses in the state with revenues above $15 million, a notably lower threshold than the CCPA's $25 million. If it becomes law, the CDPA would require consent both for the collection of personal information and for its sale. It would also grant residents the right to request the records a business holds about them. If passed and signed, the bill would take effect at the start of next year.
🤒 Health issues
Health data breaches impacted nearly 45 million Americans in 2021, according to data from the Department of Health and Human Services, a nearly threefold increase in just three years. Healthcare organizations in every state but South Dakota reported breaches last year, and in half of those states more than 10% of residents had data exposed in these incidents.
So, what's going on? Why is this industry so susceptible? In part, Covid-related adjustments are to blame: more remote work, more information stored digitally across multiple systems, and more data sitting on personal devices. But the main issue comes down to the value of the data. A stolen card number can be reissued; a medical history, diagnosis list or insurance identity cannot, which is why health records fetch a premium on criminal markets and fuel insurance and prescription fraud for years after the breach.
As we mentioned earlier, Microsoft having its source code leaked didn't even faze them. But if someone were to leak your source code, your DNA, it would be an entirely different issue. So, it's safe to say that healthcare breach attempts are here to stay. Now it's just time to use protection.
🥷 What is Lapsus$?
This new hacking group has been making headlines consistently over the past few weeks and has already breached six major tech companies, with no sign of slowing down. But who are they? And what do they want? There isn't much certainty on either question.
Law enforcement and cybersecurity researchers currently believe they have identified seven individuals around the world associated with the group, and many believe the ringleader to be a 16-year-old British boy. Lapsus$ isn't like most other high-profile hacking groups. For one thing, they're very open about their antics, bragging about breaches on their Telegram channel and even posting job offers for employees at target companies willing to hand over VPN or Citrix access for a quick buck. Lapsus$ members have reportedly joined their victims' Zoom incident-response calls to taunt them. Nothing seems to hold them back.
Though they rely heavily on insiders and stolen credentials for access, the group is fast and effective once inside, which is the real problem. One researcher initially thought he was observing automated tooling because of the speed at which Lapsus$ ransacked a network. It's unclear what (or who) Lapsus$ will target next. But one thing is sure: we should all close the doors to socially engineered access. Their playbook leans on SIM swapping and on spamming a user with MFA push prompts until one is approved, so "strong MFA" specifically means phishing-resistant factors (FIDO2 security keys or platform authenticators) rather than SMS codes or simple tap-to-approve pushes, with number matching and a cap on repeated prompts where push is unavoidable. Beyond that: require a VPN or zero-trust gateway for internal apps and alert on access from outside it, use password managers, and get team members (and friends and family) on board with good, easy, everyday operational security. If we can do all of that, the odds will be in our favor.
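The MFA prompt-bombing pattern above is detectable from ordinary authentication logs: a burst of denied push prompts for one user, often ending with an approval once the user gives up. The script below is an added example written for this newsletter, not code from any vendor or from Lapsus$'s victims. The log lines, the event names (`mfa.push.sent`, `mfa.push.denied`, `mfa.push.approved`) and the thresholds are constructed assumptions; adapt the parser to your identity provider's actual event schema.

```python
"""Flag MFA push-fatigue bursts in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): ISO timestamp, user, event.
# alice: four denials then an approval inside ten minutes (the fatigue pattern)
# bob:   one denial then an approval (ordinary mistap, benign)
# carol: five denials and no approval (bombed, but the user held out)
SAMPLE_LOG = """\
2022-03-21T02:14:05Z alice mfa.push.sent
2022-03-21T02:14:20Z alice mfa.push.denied
2022-03-21T02:15:02Z alice mfa.push.sent
2022-03-21T02:15:10Z alice mfa.push.denied
2022-03-21T02:16:30Z alice mfa.push.sent
2022-03-21T02:16:44Z alice mfa.push.denied
2022-03-21T02:18:01Z alice mfa.push.sent
2022-03-21T02:18:09Z alice mfa.push.denied
2022-03-21T02:19:15Z alice mfa.push.sent
2022-03-21T02:19:30Z alice mfa.push.approved
2022-03-21T09:00:00Z bob mfa.push.sent
2022-03-21T09:00:12Z bob mfa.push.denied
2022-03-21T09:01:00Z bob mfa.push.sent
2022-03-21T09:01:08Z bob mfa.push.approved
2022-03-21T23:40:00Z carol mfa.push.sent
2022-03-21T23:40:30Z carol mfa.push.denied
2022-03-21T23:41:00Z carol mfa.push.sent
2022-03-21T23:41:20Z carol mfa.push.denied
2022-03-21T23:42:00Z carol mfa.push.sent
2022-03-21T23:42:15Z carol mfa.push.denied
2022-03-21T23:43:00Z carol mfa.push.sent
2022-03-21T23:43:10Z carol mfa.push.denied
2022-03-21T23:44:00Z carol mfa.push.sent
2022-03-21T23:44:05Z carol mfa.push.denied
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_fatigue(events, max_denials=3, window=timedelta(minutes=10)):
    """Return {user: {"denials": n, "approved_at": datetime | None}} for every
    user with at least `max_denials` denied pushes inside one `window`.

    approved_at is set when an approval landed inside that same window after
    the burst began; that is the outcome the attacker is waiting for and
    should be treated as a likely account compromise, not just harassment.
    """
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))

    findings = {}
    for user, evs in by_user.items():
        denials = [ts for ts, ev in evs if ev == "mfa.push.denied"]
        # Sliding window over denial timestamps: find the densest burst.
        best_start, best_count = None, 0
        for i, start in enumerate(denials):
            count = sum(1 for ts in denials[i:] if ts - start <= window)
            if count > best_count:
                best_start, best_count = start, count
        if best_count < max_denials:
            continue
        approved_at = next(
            (ts for ts, ev in evs
             if ev == "mfa.push.approved" and best_start <= ts <= best_start + window),
            None,
        )
        findings[user] = {"denials": best_count, "approved_at": approved_at}
    return findings


if __name__ == "__main__":
    for user, info in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        verdict = "APPROVED after burst" if info["approved_at"] else "no approval"
        print(f"{user}: {info['denials']} denials in window, {verdict}")
```

The threshold and window are deliberately conservative; tune them against your own baseline of accidental denials, and feed a hit with `approved_at` set straight into a session-revocation and password-reset playbook rather than a ticket queue.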