Monthly Breach Report: September 2022 Edition

In the age of ransomware, knowledge about a cyber attack tends to spread quickly, and companies must respond promptly to help control the narrative. A faster response time helps protect both your business’ data and its reputation. Some organizations haven’t been so lucky, as this month’s report reflects.

T-Mobile Store Owner Hacks Accounts in A Multi-Year Scheme

The former owner of a T-Mobile retail store in Eagle Rock, CA, has been found guilty of a $25 million illegal operation selling unique cell phone services. From August 2014 to June 2019, Argishti Khudaverdyan, 44, used T-Mobile employees’ login credentials to access the company’s network to unlock and unblock cell phones. He then sold his services through brokers, email solicitations, and websites such as unlocks247.com, according to the US Attorney’s Office of California.

Mobile phone carriers will lock a phone so that it can only be used on the carrier’s network until the customer fulfills the terms of the service contract. Khudavedyan unlocked hundreds of thousands of phones on T-Mobile, Spring, AT&T, and other carrier networks so that the phones could be sold on the black market. He also unblocked cell phones were reported lost or stolen. Khudaverdyan marketed his services as legitimate and official, tricking many customers into believing it was legal to sell their unlocked or unblocked phones.

To carry out the multi-year scheme, Khudaverdyan used social engineering and phishing emails to gather the personal identifying information of high-level T-Mobile employees. He would then use the stolen credentials to trick T-Mobile Help Desk employees into resetting employee passwords. These passwords then allowed him to unlock and unblock cell phones. The attorney general’s office reports that Khudaverdyan stole “more than 50 different T-Mobile employees’ credentials from employees across the United States.” According to Business Insider, he faces up to 165 years in prison for wire fraud, money laundering, and accessing a computer without authorization.

Sources

• The United States Attorney General’s Office – Central District of California
• Business Insider
• BleepingComputer

Russian Ransomware Group Steals and Posts Patient Information on the Dark Web

An Indiana neurology practice, Goodman Campbell Brain and Spine, recently announced that the data of 363,000 patients and employees was stolen in a ransomware attack. Although the company has not named the attacker, reports implicate the Russian cybercriminal group Hive, according to Databreaches.net. Hive has posted samples of the highly sensitive personal data, known as a “proofpack,” on the dark web, including:

• Social Security numbers
• patient account numbers
• diagnosis and treatment information
• physician names
• insurance information
• dates of service

Databreach.net also reports Hive has posted “passwords for important accounts” and “leaked personal and financial information on doctors.” Goodman Campbell has demonstrated full transparency in sharing the breach information with patients, including notifying them of the leak on the dark web. Goodman Campbell, however, notified patients that the data was only on the dark web for 10 days, which DataBreaches.net disputes, claiming their own research uncovered the data was available for several weeks.

Sources

• Bank Info Security
• DataBreaches.net 
• ITSecurity Wire

“Scatter Swine” Hackers Prove Relentless in Smishing Attack on Twilio

A major American communications company, Twilio, was hacked in August after several of its employees fell victim to SMS phishing—or “smishing”—messages. The company provides communications services through its web service application programming interface (API). Claiming to be from Twilio’s IT department, the hackers sent messages to employees advising that “their passwords had expired or that their schedule had changed,” according to TechCrunch. They were then instructed to log in to a spoofed web address. The messages appeared legitimate, referencing SSO (single sign-on software) and Okta, a well-known provider of single sign-on software. In a company blog post, Twilio provided details of the crime, including screenshots of the texts used in the social engineering scam:

Notice! [Employee Name] login has expired! Please tap twilio-sso.com to update your password.

Alert!! Your Twilio schedule has changed. tap twilio-okta.com to see changes!

Twilio announced 163 out of 270,000 customer accounts were compromised. The company’s client base includes high profile companies like Facebook and Uber. The hackers also accessed 93 Authy—Twilio’s two-factor authentication (2FA) app—accounts out of its 75 million users and then registered devices to the compromised accounts.

In the company blog, Twilio assured the public it was working with US carriers to shut down the actors and the “hosting providers serving the malicious URLs to shut those accounts down.” Twilio noted, however, that despite its response efforts, the threat actors demonstrated sophisticated abilities and continued their relentless attack.

Sources

• TechCrunch
• Twilio Blog
• BleepingComputer
• Okta Help Center

Meta Accused of Gathering Sensitive Patient Information through Facebook Ads

Southeastern healthcare network Novant Health has confirmed that the data of 1.3 million patients may have been disclosed to Facebook. The leak occurred through promotional ads the company placed on Facebook beginning in May 2020. The ads contained a link to Novant’s patient portal along with a tracking pixel, a JavaScript tracking script placed in an ad image. The tracking pixel lets an ad buyer know if and when someone viewed the ad or email and provides basic information about the user, including their location and the type of device used.

The pixel used in the Novant ad campaign, however, tracked more than the usual marketing information. It tracked information from the text boxes and drop-down menus on the company’s patient portal. The leaked information included:

• computer IP addresses
• emergency contact information
• advanced care planning contacts
• appointment types and dates
• patients’ physicians

Novant has assured patients that there has been no illegal use of the information by Meta, the parent company of Facebook. On June 17, 2022, more than two years after the ad campaign launched, the company announced details of the exposed information due to the misconfigured pixel. Shortly afterwards, The Register reports that an anonymous patient filed a class-action lawsuit alleging that Facebook’s Meta Pixel feature collected patient data from at least 664 hospital systems or medical providers in violation of the Health Insurance Portability and Accountability Act (HIPAA).

Sources

• BleepingComputer 
• The Register
• Eventbrite Blog
• The Verge

Pakistan’s Securities and Exchange Commission Chairman Accused of Concealing A Major Data Breach

A recent data breach of the Securities and Exchange Commission of Pakistan (SECP)—which regulates and develops the nation’s corporate sector and non-bank financial markets—has led to a battle between the organization’s chairman, Amir Khan, and its commissioner, Sadia Khan. Sadia Khan lodged a formal protest to Finance Minister Miftah Ismai, accusing Amir Khan of keeping her in the dark’ about the breach, reports The News International. Although the breach occurred on July 27, Sadia Kahn claims she did not learn of the problem until August 18. In her complaint, Sadia Kahn noted she only happened to find out about the crime weeks after the incident due to a Pakistani citizen, Zaki Khalid, an open-source intelligence expert who discovered the breach and shared the information with the Prime Minister’s office.

Sadia Khan has emphasized the breach was not discovered by the SECP’s head of information security, Mubashir Sadozai. The breach comes on the heels of accusations from within the SECP that Sadozai has no IT experience and was hired because of a close relationship with the chairman. The chairman has denied this accusation and that he knowingly withheld information about the breach from Sadia Kahn.

The leaked information includes the names of CEOs registered with the SECP along with:

• company names
• identity cards and numbers
• email addresses
• residential addresses
• financial information

The news site ProPakistani has taken credit for alerting the SECP to the breach. The outlet also advised that the leaked SECP information was easily accessible to the public.

Sources

• The News International
• ProPakistani

Medical Information Gathered by California’s Prison System Exposed

The medical information of employees and visitors of the California Department of Corrections and Rehabilitation (CDCR) was exposed in August, according to a report by the Associated Press (AP). The breach revealed information on those tested for the coronavirus between June 2020 and January 2022, including:

• name
• personal address
• telephone number
• email
• date of birth
• COVID-19 testing results

Further investigation by the state also revealed the possible exposure of information in the facilities’ Mental Health Service Delivery System from 2008 to 2022 including:

• inmates’ names and treatment information
• inmates’ financial accounts
• driver’s license and Social Security numbers for parolees in substance use disorder treatment programs

The AP reports that the breach was linked to one computer, but officials have not identified who was ultimately responsible for the leak. The CDCR discovered the breach during routine maintenance. CDCR officials stated that a forensic investigation revealed no sign of improper use of the information so far.

Sources

• SecurityWeek
• HIPAA Journal 
• CDCR

Keep your organization out of breach headlines by ensuring that your organization not only knows where all its sensitive data is stored, but can also protect it wherever it lives and moves. This free demo shows you how PKWARE can help.