The month of May brought glimmers of economic hope to the country as many states began lifting stay-at-home orders, just in time for summer. But, as usual, the recent data breaches of 2020
have revealed that cybercriminals are relentlessly hacking away at our data, with no deference to the state of the economy or how society is faring.
Last month, bad actors continued to target the healthcare industry, despite the COVID-19 crisis. These attacks take on various forms, like phishing, ransomware, and DDoS.
The Top 5 Cyberattacks of May 2020
5. BJC HealthCare Employee Email Breach Potentially Exposes Patient Information
BJC Healthcare, a St. Louis-based healthcare provider, discovered that an unauthorized user acquired access to three employee email accounts back on March 6. Details of the BJC healthcare breach were shared with the public in early May.
BJC immediately hired a computer forensic firm to investigate. Although the investigation was unable to pin down specific emails that may have been viewed, it was able to confirm that the accounts were only accessed for a short time. BJC continued to review all emails in each of the accounts in question to determine what patient information may have been accessed.
The company followed up with each potential victim through the mail to let them know what happened, and offered credit monitoring and identity protection to anyone whose sensitive information was found in the emails. At this time, there is no evidence that any patient information was misused.
While the BJC Healthcare data breach took place in March, the healthcare provider completed a thorough investigation and learned all the details before reporting the breach to the public on May 5.
- Records Exposed: Undetermined
- Type of Attack: Phishing
- Industry: Health Care
- Date of Attack: March 6, 2020
- Location: St. Louis, MO
There are many positive lessons to learn from this breach. BJC did a great job taking immediate action when they learned of the suspicious activity.
- BJC’s ability to recognize the potential cyberthreat and investigate it right away is model cybersecurity behavior. These things can’t always be prevented, so detection and responsive action are key.
- BJC’s transparency and scrutiny in dealing with this incident are also commendable. In addition to the investigation, it reviewed each and every email from the flagged accounts to find out who may have been affected and went on to notify them and offer immediate support.
4. Magellan Health Falls Victim to Phishing
Phoenix-based healthcare company, Magellan Health, confirmed in a company notice that they suffered a ransomware attack. Over a period of five days, attackers gained access to a corporate server containing very sensitive employee information.
The Magellan Health data breach took place on April 6, but the company didn’t realize it was under attack until April 11 because the phishing scheme deployed by the hackers was engineered to impersonate a client. As soon as the company was aware of the attack, it hired a cybersecurity forensics team to investigate. A month later the investigation concluded, and on May 12 Magellan Health employees were notified of the cyberattack, how it may affect them, and what they can do to protect themselves.
The Magellan Healthcare breach response was thorough. The company immediately reported the attack to the FBI and continued to work with them for the duration of their investigation. Magellan has since implemented tighter security measures designed specifically for their system.
- Records Exposed: Unidentified number of Magellan client records
- Type of Attack: Phishing/Ransomware
- Industry: Healthcare
- Date of Attack: April 6, 2020
- Location: Phoenix, AZ
This latest data breach is part of an ongoing trend. During the COVID-19 pandemic hackers have been aggressively targeting the healthcare industry. In this instance, fortunately, the Magellan healthcare data breach was handled well.
- Attacks are on the rise in the healthcare industry. The best way to prevent attacks like this is bolstering security with personalized programs and measures that build awareness among employees about what to look out for and how to respond.
- Magellan was quick to get the authorities involved and start an investigation. They also offered a very clear guide to identity theft protection and other resources to their employees. Magellan handled this incident in an exemplary way.
3. Asheville Plastic Surgery Studio Struck by Maze Ransomware
On May 1, Asheville Plastic Surgery Institute suffered a Maze ransomware attack. Among recent security breaches, this is one of the most ruthless in terms of the prompt release of personal client information.
The group of hackers known as “Maze” stole and published a trove of sensitive information from the Asheville Plastic Surgery Institute, as well as a similar load of information from a plastic surgeon in Washington state. The data includes patient names, birthdays, insurance details, order forms, and before-and-after photos. What’s more, the data already published may be only the beginning. If the company doesn’t pay the ransom, more data will likely be published.
The exact ransom amount hasn’t been released, and neither victim has released a statement concerning the incident or whether they will pay. Most incidents like this are caused by failures in basic security, which means that organizations clearly need to focus on upgrading their cybersecurity defenses and protocols.
Ransomware attacks today threaten organizations in different ways than they did in the past. Before, groups would steal data and make it inaccessible until the ransom was paid. Now, ransomware groups often threaten to release the stolen information if organizations refuse to pay.
- Ransom Demanded: Undisclosed
- Type of Attack: Ransomware
- Industry: Healthcare
- Date of Attack: May 1, 2020
- Location: Asheville, NC (and Bellevue, WA)
This attack was certainly a tough lesson to learn for these plastic surgery institutions. To be clear, ransomware attacks are increasingly dangerous and commonplace. The only way to avoid them is to continually ramp up cybersecurity.
- Ransomware attackers prey on companies with weak cybersecurity. Important ways to immediately strengthen security include changing credentials so they’re tougher to crack and patching remote access systems for any vulnerabilities.
- It appears that this attack wasn’t handled well by the plastic surgery organization. There has been no word on patient notification or how they may increase security measures in response. Letting the public (and other hackers) know that you respond quickly and aggressively to such attacks sends a message of strength.
2. Japanese Telecom Giant NTT Recent Data Breach 2020
The largest telecommunications company in Japan, and one of the largest in the world, Nippon Telephone and Telegraph (NTT), experienced one of the more recent cyberattacks on May 7. The attack on the Fortune 500 company remained undetected until May 11.
The exact method that the hackers used for the initial infection is unclear, but NTT launched an investigation and took down the hacked systems as soon as it became aware of the attack. In addition to those actions, NTT also put stronger security measures in place to prevent future incidents. According to a translation of the report NTT released on May 28, the company is contacting its customers now that it has identified what happened and who has been affected.
The attack used an NTT base in Singapore as an entry point to reach a cloud server located in Japan, then moved to a private server on NTT Communications’ internal network, finally accessing the Active Directory server within that private server. Unfortunately, such access provides a worst-case scenario. At this point the hackers essentially have the keys to the kingdom, which warrants a wholesale rebuild of that server.
- Records Exposed: 621 customer data records
- Type of Attack: Undisclosed
- Industry: Telecommunications
- Date of Attack: May 7, 2020
- Location: Tokyo, Japan
Cyberattacks on companies as large as NTT impact countless individuals. The hackers obtained data from 621 companies that are NTT customers. NTT had an immediate and aggressive response, but could it have done more to protect itself before the attack?
- NTT already had a high level of cybersecurity in place, but companies this large and far-reaching still need to hire in-house cybersecurity teams. Just as companies hire security guards for physical safety, cybersecurity experts are essential for protecting a corporate network and its systems.
- NTT did a few things right. The specificity in its planning for the future and transparency about what went wrong in its report are key elements in its ability to regain public and customer trust.
1. DDoS Attack on Minneapolis City Government Systems
The distributed denial-of-service (DDoS) attack flooded the city’s servers with so much traffic that they all crashed. This resulted in “some staff and residents’ inability to access” information and records, according to city CIO Fadi Fadhil. However, the attack did not have a lasting impact. By 9 a.m. that same morning, most systems had returned to normal, while the remainder were back up by the next morning.
The city has not publicly identified the attacker and, luckily, no data was stolen or compromised. The city has measures in place to deal with disruptions, but now its IT staff is monitoring its systems in order to prevent more attacks. This is all occurring as staff and resources of the government and city at large are responding to the death of George Floyd, which has sparked national and international protests and outrage.
- Records Exposed: None
- Type of Attack: DDoS
- Industry: Government
- Date of Attack: May 28, 2020
- Location: Minneapolis, MN
Cyberattacks such as this are not completely avoidable. As a matter of fact, they’re quite common. All a city can really do is have measures in place to mitigate the damage as quickly as possible.
- The Minneapolis city government stated that they had measures in place to deal with this type of unavoidable incident. This paid dividends when most of the servers that had crashed were back up and running within a few hours and the rest were restored within a day.
- Unfortunately, because of its timing, many of the warning signs of the DDoS attack were overshadowed or even undetectable due to the protests.
The Next Attack
Recent cyberattacks of 2020 have shown us that hackers don’t care if there’s a global pandemic or protests and riots in the streets. They attack those most vulnerable.
As the pandemic continues, the healthcare industry can count on a continued concentration of attacks. Looking back at cybercrime trends from 2019, it’s clear that no one is safe. Whether public or private, large or small, all businesses are a target. How vulnerable they are depends on how prepared they are. Is your organization prepared?
Stay Ahead of Cyberthreats with Arctic Wolf: The Leaders in Security Operations
Cybersecurity incidents keep trending upward and there’s no end in sight. With this in mind, security is more important than ever. All companies and government agencies risk being attacked, especially if they don’t continue to raise their cybersecurity posture.