LockBit3.0 claims to have hit CapitalHealth.org in New Jersey. In a listing posted on their site on January 7, the threat actors write, “We purposely didn’t encrypt this hospital so as not to interfere with patient care. We just stole over 10 million files. Over 7 terabytes of medical confidentiality data valued at $250,000. That’s…
Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking
A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset. Pavan Karthick M writes: Executive Summary In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables…
Resources: Breach notification laws: US and GDPR
The law firm of BakerHostetler has recently released several free resources of note: EU GDPR Data Breach Notification Interactive Map State Data Breach Notification Law Interactive Map PDF Version of State Data Breach Notification Laws They have also released their annual Data Security Incident Response Report for 2023. Thanks, as always, to Joe Cadillic for…
How 50% of telco Orange Spain’s traffic got hijacked — a weak password
Kevin Beaumont explains: So here’s a funny story. Earlier today, I noticed Orange Spain had an outage, caused by what appeared to be a BGP hijack: […] So, how did it happen? The threat actor accessed Orange’s RIPE account. RIPE look after internet IP addresses, basically the phone book of the internet. From their RIPE…
Personal, pregnancy details of Midwives of Windsor patients breached
CBC reports: A data breach involving email has exposed the personal and pregnancy information of an unknown number of clients of the Midwives of Windsor, CBC News has learned. The breach was reported to Ontario’s Information and Privacy Commissioner months before it was disclosed to clients of the practice. Read more at CBC.
Attorney General James Reaches Agreement with Refuah Health Center to Invest $1.2 Million to Protect Patient Data and Pay $450,000 in Penalties to State
January 5, 2024 NEW YORK – New York Attorney General Letitia James today announced an agreement with a Hudson Valley-area health care provider, Refuah Health Center, Inc. (Refuah), for failing to safeguard the personal and private health information of its patients. The Office of the Attorney General (OAG) found that Refuah failed to maintain appropriate controls to protect and limit access to sensitive data, including by failing to encrypt patient information and using multi-factor authentication. As…