Another Week, Another Hack

I don’t like to be a fearmonger.  There is a part of me that wishes people would care about network security because it’s the right thing to do.  They should care about protecting their client’s data.  Largely however, they don’t.  Not until it’s too late.  I guess it’s time to spread some fear.  It seems like that is the only thing that works.  Here we are again with a couple more terrible examples of that hit close to home.  Another week, another hack.

Infotrax Hack

My college Morgan Frame posted on LinkedIn today and tagged an article about a local company InfoTrax here in Orem UT.  I don’t typically call companies that are victims of a hack out by name, but the article here already did so the secret is out. The thing that sets this hack apart in my mind is that Infotrax develops software for multi-level marketing companies.  That means that they should have some level of tech savviness within their organization.  They’re also not a startup or a tiny mom and pop shop with no resources.  According to Manta they have a revenue of over 20 million a year and a staff of about 125 employees.  In other words, they have NO EXCUSE. The breach happened all the way back in May of 2014, and the hacker remained undetected until March of 2016.  That’s almost 2 years they had access to the network!  In addition, the article states that the hacker exploited vulnerabilities in their network which gave them remote control over its server.  This sounds like the company had an open RDP port on their firewall.  There is absolutely no excuse for this.  ARS technia gave some details on the breach. “Then on March 2, 2016, the intruder accessed personal information for about 1 million consumers. The data included full names, social security numbers, physical addresses, email addresses, phone numbers, and usernames and passwords for accounts on the InfoTrax service. The intruder accessed the site later that day and again on March 6, stealing 4,100 usernames, passwords stored in clear-text, and hundreds of names, addresses, Social Security numbers, and data for payment cards.

The Lawsuit

InfoTrax’s “failure to provide reasonable security for the personal information of distributors and end consumers has caused or is likely to cause substantial injury to consumers in the form of fraud, identity theft, monetary loss, and time spent remedying the problem,” FTC lawyers wrote in the complaint. They said a call center retained by one InfoTrax client seeking help with the breach response received more than 238 complaints of unauthorized payment card charges, 34 complaints of new credit lines opened, 15 complaints of tax fraud, and one complaint of misuse of information for employment purposes.” – ARS Technica Ironically, one of Infotrax clients is LegalShield.  They are a MLM organization that sells identity theft protection.  I’m sure this breach is damaging not only to Infotrax, but to the reputation of their clients as well.

The Fallout

Costs are still being calculated for this breach and we may not ever get a full picture.  On average the cost of a data breach is around $148 per record.  That would put the cost of their million records at $148MM dollars.  Couple that with the lawsuit that has been filed by the FTC, and things don’t look good for Infotrax.  Who knows how things will shake out in court?  Even if lawyers can get them off the hook for damages the cost of their defense against the FTC might be enough to sink the business.

Example 2 – Premier Family Medical

This one hit home for me because they were my primary care physician.  I got a letter in the mail from them recently that told about the breach.  They apparently got ransomware on their network had had 300,000 patient records that were exposed. “On July 8, 2019, Premier Family Medical (Premier) experienced a ransomware attack from an unknown, unauthorized third party. As a result, Premier was temporarily unable to access data from certain systems within its organization. Premier promptly informed law enforcement and engaged technical consultants to investigate and regain access,” the company said in a statement. “We love being in the business of caring for patients and understand that includes protecting their health information,” said Robert Edwards, Premier’s chief administrator who oversees Premier’s cybersecurity and privacy programs. “Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems.”

HIPAA Compliance

All healthcare organizations are required to be HIPAA compliant and they have special standards they must live up to in order to secure personal health information.  To their credit, Premier Family did exactly what they were supposed to in reporting the breach to HIPAA.  They’re also required to notify all patients whose information could have been compromised.  Hence the letter. By complying with HIPAA protocol in this manner they will likely avoid any fines or penalties.  However, the cost of notifying patients is substantial.  Letters in the mail will likely cost about $1 each to send once you print, stuff, and pay postage.  That means that they’re 300K in cost just to notify their patients without spending a penny on remediation, downtime, or anything else. Dark reading explained in a recent article that cyber attacks are on the rise for those in healthcare. “Cyberattacks against healthcare organizations jumped 60% in the first nine months of the year, compared to all of 2018, according to a report published this week by anti-malware firm Malwarebytes.”

Its time to get serious

If you’re not scared yet you should be.  Especially if you work in healthcare.  Right now, is the time to get serious about protecting your network from security threats.  This is likely one of the biggest threats out there that could sink a business in a heartbeat, and its being largely ignored by business owners and c-levels. i.t.NOW is here to help.  I don’t like to sell fear, but the reality is that you should be scared.  You should be thinking about security and there should be a plan in place.  The good news is that there are professionals in the market that can take care of security and allow you to continue to do what you do best.  Call us today for a free security audit on your network and we’ll let you know if you’re at risk.  Don’t let your business be the subject of my next another week, another hack blog post.