Major Data Breaches in August 2023

Maximus

Organization description: US government services contractor that manages and administers US government sponsored programs, including health services and student loan servicing.

Breach size: 8-11 million

Data exposed: Social Security numbers, protected health information, and/or other personal information.

Maximus disclosed a data breach warning stemming from the recent MOVEit Transfer data-theft attacks. The Clop ransomware gang exploited a zero-day flaw in the MOVEit file transfer application used to compromise the data of hundreds of well-known global companies. Initial investigations by Maximus found no evidence that the hackers progressed beyond the MOVEit environment. Despite the limited access and isolating the hackers from the rest of the corporate network, a large number of individuals have been affected. Link to source.

Colorado Department of Healthcare and Policy Financing (HCPF)

Organization description: Colorado HCPF is a state government agency that manages the Health First Colorado (Medicaid) and Child Health Plans Plus programs, providing healthcare support for low-income families, the elderly, and disabled citizens.

Breach size: > 4 million

Data exposed: Full names, Social Security numbers, medical ID numbers, dates of birth, home addresses, income information, clinical data and health insurance information.

Like Maximus, the Colorado Department of Health Care Policy & Financing’s data exposure occurred through their contractor IBM, which uses the MOVEit software. The department confirmed that their systems were not directly compromised, but protected health information was accessible from certain HCPF files on the MOVEit application. Link to source.

Alberta Dental Service Corporation

Organization description: Alberta Dental Service Corporation (ADSC) administers the dental benefits for Alberta’s Low-Income Health Benefit Programs and the Dental Assistance for Seniors Program (DASP) for the Government of Alberta.

Breach size: > 1.4 million

Data exposed: Names, addresses, and, potentially, banking information.

In a news release, Alberta Dental Service Corporation says the records of more than 1.4 million residents enrolled in the government benefits programs were the target of a cyberattack in July. The corporation stated that less than 7,300 had personal banking information leaked and will offer complimentary credit monitoring for affected Albertans. Link to source.

Indiana Family and Social Services Administration

Organization description: Indiana Family and Social Services Administration (FSSA) is a healthcare and social services funding agency serving more than 1.5 million Indiana residents.

Breach size: 744,000

Data exposed: Names, addresses, case numbers, and Medicaid numbers

The far-reaching effects of the MOVEit application breach continues as the Indiana Family and Social Services Administration announced earlier in August that its contractor, Maximus Health Services, was compromised by the software. Link to source.

University of Minnesota

Unknown Number of Breached Customers Icon IDSeal

Organization description: The University of Minnesota is a public land-grant research university in the Twin Cities of Minneapolis and Saint Paul.

Breach size: Unknown, but the hacker claims to have broken into a database with seven million Social Security numbers.

Data exposed: The University has confirmed they’re investigating the possible theft of personal data but hasn’t confirmed the validity of the hacker’s claim or the extent of the data exposure at this time.

The University of Minnesota contacted law enforcement and launch an investigation after a hacker claimed to have extracted 7 million Social Security numbers stored in its database dating back to 1989. Although the University hasn’t officially confirmed the claim or the potential scope of impact, a spokesperson for the University has commented on the preliminary investigation started on July 21. Link to source.

Seiko

Organization description: Seiko is a Japanese maker of watches, clocks, electronic. devices, semiconductors, jewelry, and optical products.

Breach size: Unknown

Data exposed: Not yet released, but the company has reached out to customers and business partners to advise them to be vigilant against email or other communication attempts potentially impersonating Seiko.

On August 10th, 2023, the world-famous watch maker, Seiko, posted a notice of a data breach in which an unauthorized third-party gained access to part of its IT infrastructure and accessed or exfiltrated data. The BlackCat/ALPHV ransomware gang has claimed responsibility for the attack. The cybercriminals leaked samples of the data allegedly stolen during the attack, which included, production plans, employee passport scans, new model release plans, specialized lab test results, and confidential technical schematics and Seiko watch designs. Link to source.

Hacking News

Ransomware Attacks on Schools Increase

A global survey of 3,000 IT and cybersecurity professionals across 14 countries, including 400 in the education sector, reveals a rise in ransomware attacks targeting schools. 80% of those working at lower education institutions (K-12) and 79% of those working at higher education institutions (colleges and universities) reported they were hit by ransomware in the last year, up from 56% and 64% compared to the 2022 survey.

The Sophos survey also highlighted that School IT professionals were more likely to report an attack than IT professionals from other industries.

Schools often face challenges in gaining the adequate resources to defend against cyber threats. Once hackers gain access to the school’s or district’s network, they encrypt and hold students’ sensitive information hostage until payment is made. When schools refuse, the data is made public.

Even for those institutions who may be able to afford a ransom, the FBI discourages paying cybercriminals as it’s no guarantee that data will be returned and systems will be restored. Each organization that makes a payment also encourages the hacking to find new victims.

The decision not to pay can have agonizing consequences on students. The sensitive information dumped online by hackers often extend well beyond Social Security numbers and include deeply personal and traumatic details like sexual assaults, psychiatric hospitalizations, abusive parents, truancy, discrimination complaints, and even suicide attempts.

When Minneapolis Public Schools refused to pay a $1 million ransom, hackers released more than 300,000 files on the 36,000 students in the district, exposing these kinds of sensitive details.

In an effort to mitigate future attacks, the US Department of Education announced the establishment of a Government Coordinating Council to fortify cybersecurity resilience in K-12 schools. Meanwhile, states like Texas and Minnesota, and are ramping up how much money they allocate to their schools’ cybersecurity.

Multiple Listing Services (MLS) Software Hack Puts Real Estate Deals on Hold

Real estate agents using Rapattoni’s Multiple Listing Services are locked out of the database after the California-based software company fell victim to a cyberattack. Rapattoni has clients primarily in Florida, Massachusetts, Michigan, Indiana, New York, and California, but real estate agents from Lynchburg, Virginia to Northwest Indiana are scrambling to deal with the crisis that some agents say has been more challenging than navigating the COVID-19 pandemic.

Agents are unable to add new property listings, make price adjustments, and access the latest property information for showings. Attendance at open houses have taken a nose dive and left buyers and sellers confused and disappointed.

An estimated 5% of agents across the country have been affected by the attack which commenced on August 9.

While the FBI and Rapattoni investigate the cyberattack, real estate agents like Miguel Gonzalez, have had to take an old school business approach to keep real estate deals flowing. Since his buyers can’t refresh websites like Zillow or Realtor.com for accurate listing information, he’s picking up the phone to check in with sellers and update buyers on new options.

In an article by Ars Technica, it’s reported that the incident is a ransomware attack. Rumors are circulating among agents that Rapattoni recovered the hacked data, but there’s no update on if the company paid a ransom, and access to the listing information hasn’t been restored yet.