Temperatures rose in June, and the threat of serious cyber attacks soared along with them. The start of summer saw revelations of major breaches of confidential medical information, a case study in why hacked passwords need to be changed, another round of victimization for people whose data had already been sold once before, and one high-profile threat to undermine an entire democracy.
Let’s take a closer look at these troubling instances, plus one controversial effort to rein in the crimewave.
June’s Biggest Cyber Attacks
Costa Rica’s Social Security is Held Hostage
In one of the more frightening displays of cybercriminals’ willingness to endanger the lives and livelihoods of strangers, the agency that administers social security for Costa Rica was shut down by a late May ransomware attack. The May 31 hack by the ransomware-as-a-service group known as The Hive came on the heels of a flurry of similar attacks on Costa Rican government agencies in April by the Russia-based Conti gang. The two criminal groups are thought to be working together to at least some degree.
Why exactly Costa Rica has been targeted is unclear, but the damage has been extensive. President Rodrigo Chaves Robles declared a state of national emergency after the first round of attacks, which saw Conti members making verbal threats to overthrow the government via repeated hacks. The latest hit became evident when printers in government offices suddenly began firing off sheets of “gibberish.” The attack ultimately forced multiple public health services offline and shut down healthcare facilities in some rural communities, although it does not appear as though the personally identifiable information of citizens was impacted.
We’ve all seen plenty of heinous acts of cybercrime over the past several years, but overt attempts to destabilize a government on what seems to be a whim take things to an entirely different level.
Records Exposed: Government network sites
Type of Attack: Ransomware
Date of Attack: May 31, 2022
Location: Costa Rica
Key takeaway: With little reason to fear real consequences, cybercrime groups are getting more brazen with both their targets and their demands. Costa Rica’s recent experiences can be taken as a cautionary tale for organizations of all sizes: an ounce of prevention beats a pound of cure. Investing in a proactive cybersecurity system that keeps attackers out in the first place is much more effective than trying to clean up a mess after the fact.
MGM Resorts Data Theft Victims Get Re-Victimized
The MGM Resorts hotel chain has had some well-publicized cybersecurity issues in the past, but a recent report revealed the surprising breadth of those attacks.
After reports of a breach were published in 2020, MGM Resorts owned up to a 2019 hack in which members of the GnosticPlayers collective stole records of around 142 million resort guests. The group originally sold off that data (including names, addresses, phone numbers, emails, and dates of birth) on the Dark Web for a reported $3,000. That violation was bad enough, but in late May the group unceremoniously posted all of that personally identifiable information again on the messaging app Telegram for free.
No one is quite sure what prompted this unprofitable dump of sensitive data, although there is speculation that it simply wasn’t sellable anymore and the perpetrators decided to wreak some extra havoc on their victims. That roster includes some noteworthy names, including pop star Justin Bieber, Twitter CEO Jack Dorsey, and other rich and famous resort patrons. Unfortunately, there is little that can be done to protect the victims from another round of scam attempts, beyond publicizing the breach yet again.
Records Exposed: Personally identifiable customer information
Type of Attack: Network intrusion
Date of Attack: Summer 2019
Location: Las Vegas, Nevada, USA
Key takeaway: They say that nothing on the internet ever truly goes away. That includes stolen data, as the victims of this hack have learned twice over. Once personal information has been accessed, there is very little to stand in the way of it being used as many times as the thieves see fit. Again, shoring up your organization’s defenses to keep attackers out in the first place is your surest approach to keeping your customers from being victimized over and over.
Credential Stuffing Costs GM Customers Their Rewards
An early June report from General Motors (GM) confirmed that it was a victim of a large-scale credential-stuffing scam. Credential stuffing is an act of cybercrime in which criminals use stolen data from one site to access accounts on another. In this case, usernames and passwords stolen in various data breaches were entered into GM’s customer rewards database. Whenever that led to a successful login, the customer’s rewards points were promptly stolen.
While GM was not technically at fault here—it does not appear as if the stolen credentials came from any of their sites—the company has stepped up and offered to restore the stolen rewards points. For everyone else, this should be a clear reminder to not reuse passwords, and that those data breach emails you get about changing your passwords are not to be ignored, no matter how many of them are clogging your inbox this week.
Records Exposed: Usernames, passwords, rewards accounts
Type of Attack: Credential stuffing
Date of Attack: April, 2022
Location: Michigan, USA
Key takeaway: At this point, pretty much everyone has data theft fatigue. We’ve all gotten so many data breach notifications that it can be tempting just to ignore them if they don’t appear to be a direct threat. Through no fault of their own, General Motors has gotten a costly lesson in why we all need to remain diligent in changing passwords and taking the basic steps of personal cybersecurity every time.
Shields Health Care User Data is Unshielded
Criminals took advantage of lax security and the eccentricities of the United States healthcare system to score a trove of personal data from patients at a large New England medical imaging facility.
An early June announcement from Shields Health Care Group revealed that hackers had accessed the company’s network sometime in March, making off with a large volume of personally identifiable information, including names, Social Security numbers, medical diagnoses, insurance numbers, and other highly sensitive data.
The theft impacts around 2 million patients of more than 30 medical facilities around New England. Since patients often pay for medical imaging procedures such as MRI, PET, and CT scans using credit cards, the thieves have access to a significant amount of financial data as well.
While Shields has taken measures to inform all affected patients of the breach, that seems unlikely to rectify this type of violation during some uniquely vulnerable times of their lives, especially now that impacted patients have joined a class-action lawsuit against Shields alleging that the company should have done more to keep their data protected.
Records Exposed: Personal, medical, and financial data
Type of Attack: Network intrusion
Date of Attack: March, 2022
Location: Massachusetts, USA
Key takeaway: The more sensitive the information your business handles, the more crucial it is to keep it closely protected. The Shields hack jeopardizes both medical and financial records, which is about as sensitive as customer data gets. However the class-action suit is settled, the reputational damage incurred here will take years to repair.
Canada Hopes to Curb Cybercrime with Mandatory Reporting
As officials in Canada become more and more alarmed with the rapid increase of cyberattacks against Canadian businesses and government organizations, some members of Parliament are hoping that daylight proves to be the best disinfectant. Canada’s Public Safety Minister Marco Mendicino announced in June that the governing body is considering introducing legislation that would require organizations impacted by cybercrime to report it to the Canadian Centre for Cyber Security.
The thinking behind the proposed regulation is that a considerable amount of cybercrime currently goes unreported in Canada and other countries. That’s often because businesses worry about the loss of reputation that might come with revealing their victimhood, or because ransomware groups threaten further retaliation if their crimes are reported.
Proponents of mandatory reporting say that sweeping those incidents under the rug makes it harder for authorities to identify criminals and to understand the scope of cybercrime in Canada. Opponents say required reporting would only add an extra layer of stress and complication onto a situation that’s already complex and exhausting for victims.
Records Exposed: N/A
Type of Attack: General cybercrime
Industry: All industries in Canada
Date of Attack: Recent years
Key takeaway: Clearly, there are no easy fixes when it comes to stemming the tide of cybercrime, but it’s encouraging to see national governments taking the issue seriously. Whether or not mandatory reporting would have a measurable impact on cutting down cyber attacks remains to be seen. Even so, Canada’s Parliament making the effort to look for active solutions is a promising step.
If there is a lesson to be taken from June’s round-up of cybercrime, it may be that the best defense is a good defense. While hacks and breaches appear to be an unfortunate reality for most organizations for the foreseeable future, taking the proactive effort to shore up your networks and systems against incoming attacks is preferable to the headaches that come in their wake.