Major Third-Party Data Breaches in March 2021: Airlines, Healthcare & More Take a Hit
Written by: Black Kite
March officially marked one year since the pandemic altered the world as we knew it. Alongside the world’s rapid acceleration in digital transformation, cybercrime has become a nightmare of its own, welcoming a 300% increase in cybercriminal activity.
As we continue to witness with Accellion, SolarWinds and other data breaches of that scale, identification doesn’t always equal immediate containment—especially when it comes to those parties in your supply chain. Although we’ll continue to evaluate the magnitude of these data breaches as they unfold, let’s recap the latest cyber incidents caused by third parties.
1. Customers of nearly dozens of major airlines worldwide were impacted by a third-party vendor.
Perhaps the most impactful attack to come to light this March, 22 air carriers may have been impacted by the SITA-induced attacks that affected Singapore Airlines, Air New Zealand, British Airways, American Airlines, Lufthansa and more. Initially detected in late February, details around the highly sophisticated cyber attack have not been released.
Sensitive data was gathered from the shared Star Alliance database that houses personal information of those members that belong to the airlines’ frequent flyer programs. Serving 90% of the airline industry, SITA had ample access to the collection of frequent flyers. One airline alone, Singapore Airlines revealed about 580,000 of its members have been affected.
2. Universities, health institutions, financial organizations and many more are the latest additions to the Accellion tal.
Initially detected in December 2020, the impact of strategic cyberattack on Accellion’s outdated File Transfer Application (FTA) has reached new heights. In March, Flagstar Bank, Qualys, Royal Dutch Shell, Trillium Community Health Plan and the University of Miami Health have all been added to the already long list of victims.
Not only were names, social security numbers and home addresses of Flagstar Bank’s own banking customers leaked, but also those of whom used Flagstar to purchase their home mortgage. Despite claiming the breach had minimal impact, the information at risk for Qualys, a cybersecurity vendor, is still yet to be known.
3. MultiCare, WoodCreek Healthcare and Ramsey County are also affected by the supply-chain ransomware.
Ransomware threat actors targeting supply chains have yet to lose pace in 2021. More than 200,000 patients, providers and employees of Tacoma-based MultiCare Health System seem to have been affected by a ransomware attack on Netgain. Although Netgain was hit in late November, the toll of the attack just started to come to light in mid-February.
Despite Netgain’s prompt deployment of an incident response plan and notification of law enforcement, the attackers were able to seize the data and deploy a ransomware in early December of 2020, resulting in an encryption of some of Netgain’s clients and internal networks.
The healthcare industry remains one of the most vulnerable and targeted in all of cybersecurity attacks. Despite several promises by hackers to not attack healthcare facilities during the crisis, the healthcare sector is feeling the heat. The changes and enhancements needed to manage the pandemic, such as remote services, has caused even more disruption.
4. Wake Forest Baptist Health, Lexington Medical Center were the victims another supply-chain healthcare attack.
Another addition to the growing list of attacks on the healthcare industry, Wake Forest Baptist Health and Lexington Medical Center (LMC) were recently notified that patients’ protected health information was exposed through a breach on a former vendor platform. At-risk data included names, addresses and social security numbers from 2010 – 2011.
5. Two more ransomware attacks against US government organizations were detected.
Both the US Geospatial Intelligence Foundation and the Armed Forces Communications and Electronics Association recently confirmed a data breach through a third-party ransomware attack. SPARGO, Inc., a Virginia-based event management vendor, supports both organizations with event management. The breach possibly included names, addresses and phone numbers of attendees through event registrations.
6. Leaked footage from schools, jail cells, hospital ICUs, and more reached the internet.
The hack of video surveillance provider Verkada exposed video footage from over 150,000 internet-connected security cameras being used inside schools, jail cells, hospital ICUs, and major companies such Tesla, Nissan, Equinox, Cloudflare. The hack was believed to come from an anti-corporate hactivist group called APT-69420.
According to a group spokesperson, the attack was intended to show how common safety cameras are and how quickly they can be hacked. The group also said that they had access to Verkada’s complete video archive in addition to live feeds. The footage contained quite sensitive data such as patients in ICUs, prisoners and a manufacturing line at a Tesla’s facilities.
7. An election polling app leaked personal data of 6.5 million Israelis.
One of the largest and most compromising leaks of Israelis’ personal information in the nation’s history was recently caused by a flaw in the polling app promoted by the Likud party. The app, developed by Elector Software, enables political parties to perform real-time data collection on election day and display crucial groundbreaking statistics on individual voters.
A web interface bug gave the entire database an “admin pass” that allowed anyone to access and copy the Israel electoral register. In addition to personal details like IDs, phone numbers and home addresses, anyone can access the voting number and polling location of every eligible Israeli citizen.
According to those that uncovered the breach, the system was kept online for several days following the identification of the breach, and information was still accessible. There was no indication that the involved parties confirmed it was closed, and nothing was done to uncover which entities obtained the data.
Recently, a group of 20 Israelis filed a NIS 1 million ($286,370) lawsuit against the Likud party and developers of the app. Although the consequences of data breaches are not clear for a number of years, in the past such leaks have contributed to “identity stealing, incarnation, and even national security impairment ” as the plaintiff was based on this argument.
For a complete list of third-party data breaches visit our dedicated webpage.