Major Third-Party Data Breaches Revealed in February 2021
Written by: Black Kite
Across the globe, organizations lose nearly $3 million to cybercrime per minute. That means that—despite February being the shortest month of the year—the world lost almost $121 billion to cyber breaches. Although not every attack made headlines, the harsh reality is that they not only happened, but were extremely costly.
While overall impact is still being substantiated, the six largest attacks in February didn’t just negatively impact the targeted organizations themselves. In fact, third-party involvement increases the total cost of a breach by over $200,000. Let’s take a closer look at the major third-party data breach developments from February 2021.
1. The impact of the Accellion attack continues to develop, naming Goodwin Procter, Washington State Auditor, University of Colorado and more victims.
Initially detected in December 2020, the impact of the strategic attack on Accellion’s outdated File Transfer Application (FTA) has reached new heights. Goodwin Procter, QIMR Berghofer Medical Research Institute, Allens, Jones Day, Washington State Auditor, SingTel, and University of Colorado were added to the list of victims affected by the leak in February.
Several vulnerabilities in the FTA product have also come to light. Revealed by the company through a GitHub repository, issues included an SQL injection flaw in the web interface, an XSS flaw in its file manager, a blind SQL injection and command injection flaw in the administrative interface, and an unauthorized upload vulnerability.
Recently, threat actor groups dubbed UNC2546 and UNC2582 were identified as well. Although there was no sign of ransomware, the groups leveraged their ties with FIN11 and Clop Ransomware to demand money via their link sites. The companies are now receiving extortion emails threatening to publish the stolen data.
2. Major U.S. cities were impacted by a ransomware attack on Automatic Funds Transfer Services (AFTS).
Ransomware attacks on supply chains are on the rise. Recently, major U.S. cities using AFTS as a payment vendor were breached by a cybercrime gang, ‘Cuba Ransomware’. Those affected included the Washington cities of Seattle, Redmond, Lynnwood, Monroe and more. The hack was discovered after hackers began selling the stolen data on their website.
According to the information released on the leak page, Cuba Ransomware gained access to databases consisting of “financial documents, correspondence with bank employees, account movements, balance sheets, and tax documents.” This potentially exposed resident names, addresses, phone and license plate numbers, credit card and VIN information, scanned checks and billing details.
3. Leveraging US Fertility, hackers gained access to healthcare partners including Shady Grove Fertility, Reproductive Science Center San Francisco, IVF Florida, and Fertility Center of Illinois.
Another ransomware attack wreaked havoc on the healthcare industry, affecting Shady Grove Fertility, Reproductive Science Center San Francisco, IVF Florida, and Fertility Center of Illinois. The largest network of fertility centers, USF was hacked after threat actors gained access using one of its business associates in September 2020.
During this window, threat actors exfiltrated various types of information including confidential patient data such as Social Security numbers and Protected Health Information. Following this violation of HIPAA’s Security Rule, which requires covered entities to assess the security readiness of their business associates, patients have now filed lawsuits against USF.
Black Kite’s cyber rating can be directly leveraged before a covered entity enters into an agreement with a business associate under HIPAA or in any due-diligence process.
4. The platform hosting the Florida Healthy Kids Corporation (FHKC) website potentially exposed children’s data.
FHKC, a non-profit organization providing health and dental insurance for children in Florida, was involved in a cyberattack. Dating back to November 2013, significant vulnerabilities were detected in the third-party hosting platform, Jelly Bean Communications Design. All records submitted through the website during this period were potentially exposed, including thousands of SSNs.
5. A Jamaican Government contractor exposed over 70,000 negative COVID-19 lab results and 425,000 immigration documents.
Amber Group, responsible for building Jamaica’s COVID-19 website and mobile application, inadvertently exposed thousands of resident records. Storing mostly travel application documents, the cloud-based storage system was left unprotected and without a password. The majority of victims were from the U.S. and had personal information including passport numbers stolen.
As revealed in this year’s Third-Party Breach Report, misconfigured cloud servers were the primary cause of data leaks in 2021. Use of default usernames/passwords, accessible directories, and outdated software all present substantial risk. Hackers often see them as an open invitation to leverage for their own malicious activities.
6. The French Government Experienced a Data Breach Caused by a Cybersecurity Provider.
According to French cybersecurity firm StormShield, an unknown third party hacked into its database. Attackers were able to exfiltrate customer accounts as well as the source code related to its Stormshield Network Security product. An Airbus subsidiary, the firm counted the French Government among its public sector customers.
To avoid becoming the next victim of a supply chain attack, organizations of any size must perform due diligence while onboarding any vendor to their digital ecosystem. After onboarding, continuous monitoring of such vendors is a must to maintain the safety of the data shared with them.
For a comprehensive list that’s updated in real time, visit our Third-Party Data Breaches page.