DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Failure to terminate access can be costly. Very costly.

Posted on December 3, 2024 by Dissent

Earlier today, DataBreaches posted an HHS OCR announcement of a settlement with a HIPAA covered entity. A former contractor had accessed its electronic medical record system on three occasions without authorization to retrieve PHI for use in potential fraudulent Medicare claims. OCR imposed a monetary penalty of $1.19 million for the entity’s failure to:

  • conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
  • implement procedures to regularly review records of activity in information systems;
  • implement procedures to terminate former workforce members’ access to ePHI; and
  • implement procedures for establishing and modifying workforce members’ access to information systems.

That’s a costly failure to terminate access.

A Second Example

The following is a second recently disclosed example of  how failure to ensure termination of access contributed to a massive data breach. DataBreaches spotted this one in a court filing from Canada concerning Connor Riley Moucka, aka “Judische,” “Waifu,” and other monikers. The victims mentioned in the court filings refer to entities who suffered intrusions of their Snowflake instance.

On May 29, 2024, representatives from Victim-3 met with the FBI and confirmed that three categories of its information had been stolen from its cloud instance, including customer information for approximately 20 million customers, gift card information, and internal company business documents.

… Victim-3 hired an incident response company to investigate the breach and confirmed its instance had been compromised using stolen login credentials belonging to a former contractor located outside the United States. According to the incident response firm’s investigation, this former contractor’s credential was likely compromised via a credential stealer in approximately 2021 and available in cybercriminal marketplaces as early as May 2021. Stolen credentials are generally available for free and for purchase on the dark web.

Was the contractor still working for the firm in 2021 after their credentials were stolen? When did the contractor terminate employment? How often does this major retailer require all employees and contractors to reset their passwords? Does this retailer require 2FA? What procedures did this retailer have in place to terminate access for employees?

And why, oh why, did those credentials still work three years later in 2024?

How much will their failure to ensure termination of the former contractor’s access ultimately cost this retailer?

Category: Breach IncidentsBusiness SectorInsiderSubcontractorU.S.

Post navigation

← FBI, CISA say Chinese hackers are still lurking in US telecom systems
Unprecedented increase in liability for personal data leaks in the Russian Federation to take effect in May 2025 →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • Ireland’s Data Protection Commission publishes 2024 Annual Report
  • The headlines suggested Freedman Healthcare suffered a ransomware attack that affected patient data. The reality was quite different.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.