Cyber Roundup – June 2018
By Thomas J. DeMayo, Principal, Cyber Risk Management
There’s little doubt that the electronic revolution that we experienced, and continue to experience, is a force for tremendous good. Time-savings, accuracy, widening our personal knowledge and experience, medical breakthroughs, on and on cannot be fathomed without information technology. Eventually, the genius of IT will solve resultant cyber criminality – or, at the very least, ensure that it is minimal – so that we can reap the benefits without the fear. In the meantime, vigilance is the best practice … so that now brings us to this issue of Cyber Roundup.
Key Cyber Events
The following is a rundown of what happened during the month of May 2018. We welcome your comments, insights and questions.
- Students at the Bloomfield Hills High School in Michigan hacked into the school’s student management system. While the full details have yet to be released, it has been disclosed that a few students gained unauthorized access to the system and manipulated not only their grades, but the grades of other students as well in an attempt to cover their tracks. In addition to manipulating grades, the student hackers issued refunds for lunch purchases. In a similar story, the W.S. Neal High School in Alabama recently announced that its student management system had also been hacked and student grades had been changed since 2016. While the school investigates the breach, it has decided not to select a valedictorian or salutatorian for this year’s graduating class.
- The University of Greenwich in the U.K. was fined $160,000 by Britain’s Information Commissioner for a breach that disclosed the personal information of 19,500 staff, students, alumni and conference attendees. In 2004, the University set up a web server for a conference but had forgotten about it — leaving the server unmanaged and unpatched. The server is believed to have been breached initially in 2013 and several times in 2016.
- 211 LA County, a not-for-profit organization that provides information and referrals for Los Angeles county health and human services, exposed 3.2 million files containing personal information. The information was found in an unsecured Amazon cloud service S3 storage bucket. The storage bucket contained access credentials of employees of the organization as well as email addresses and sensitive call notes relating to people in need.
- On May 3, 2018, World Password Day — a day to celebrate better password habits — Twitter notified all of its 330 million users to change their passwords. Subsequently, Twitter identified that an internal log file was incorrectly storing the passwords of users in clear text and not in an encrypted format. While Twitter does not believe the file was accessed by any outside individual, as a precaution, Twitter advised users to change their password. No kidding.
- On May 25, 2018, the FBI issued an alert asking everyone to reboot their home router. A piece of malware, called VPN Filter, linked to a group connected to the Russian military, infected hundreds of thousands of home routers around the globe. The malware is designed to perform multiple functions such as information collection, attack other devices, block traffic, etc. Rebooting the router will not remove the malware; however, the FBI seized control of the network that led the attack. Specific to your home router, be on the lookout for an update from the vendor. However, in the interim, if you have not already done so, please unplug your router, wait 10-15 seconds, and plug it back in.
- An emergency room staffing company, USACS, reported a breach of 15,552 patient records. USACS is an Ohio-based company servicing 210 hospitals in 22 states. The breach was the result of an unauthorized individual gaining access to an employee’s e-mail account that contained patient information. This should serve as a reminder to all healthcare entities not to forget about the significance of their e-mail system when assessing their cyber and compliance risk.
- Chili’s restaurant chain reported a breach exposing customer payment card information. While the full details and scope have yet to be released, the incident is believed to be limited to between March and April 2018.
- A hacker was sentenced to 87 months in prison for attempting to hack a friend out of prison. Konrad Voits, the convicted hacker, attempted to gain access to a Washtenaw County, Michigan correctional system through phishing the employees. In the phishing attempt, Voits created a clone of the County’s website; however, in the domain registered by Voits, the last “W” was changed to two V’s [“VV”] — ewashtenavv.org as opposed to ewashtenaw.org. Voits then sent e-mails and called employees claiming to be from IT, asking them to download an important update from the website. The update was actually malware that allowed Voits to steal the credentials necessary to access the County’s system and adjust his friend’s sentence. The scheme was identified by an employee who manually checked the records for accuracy.
Thomas J. DeMayo, Principal, Cyber Risk Management
CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
PKF O’Connor Davies, LLP
665 Fifth Avenue, New York, NY, 10022
212.867.8000 or 646.449.6353 (direct)