Breach Roundup: S&P Says Poor Remediation A Material Risk
Also: Breaches at OnePoint Patient Care and French ISP Free
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week: S&P said poor vulnerability remediation can be a material risk factor, OnePoint in the United States and French ISP Free suffered data breaches, a Russian court sentenced REvil members, and Five Eyes published security guidelines for small businesses.
S&P: Unpatched Flaws Can Be a Material Risk
Poor corporate remediation of vulnerabilities can be a material risk factor, said S&P Global Ratings. An analysis of vulnerability data of the more than 7,000 companies rated by S&P found that four out of 10 fix known system flaws "infrequently."
Infrequent remediation can be especially problematic for long-tail flaws such as Log4Shell (see: Log4Shell Among Chinese Hackers' Fave Vulns, Say Feds).
The oldest vulnerability in the dataset analyzed by S&P was discovered more than two decades ago, affecting software no longer supported by the vendor. "Furthermore, that vulnerability was present for eight months at one entity, giving attackers plenty of opportunity to exploit it," the ratings agency said.
Citing data from the latest Verizon Data Breach Investigations Report, S&P said vulnerability exploitation almost tripled in 2023, marking an acceleration of a long-term increase in the number of vulnerabilities unearthed each year.
Still, not all vulnerabilities are created equal. One way to track remediation efforts is to check their Exploit Prediction Security Score, a model developed by cyber defenders for estimating the probability that any one vulnerability will be exploited in the wild. The data set analyzed by S&P showed that rated corporations had an average EPSS score of 0.33, "suggesting that, on average, vulnerabilities on their attack surface had a low probability of exploitation."
Some companies did worse, with an unnamed corporation recording an EPSS score of greater than 0.9, indicating a high probability of hacking. The vulnerability in question had a CVSS score of 5.3, underscoring a gap between how the two systems calculate risk.
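The CVSS/EPSS gap described above, as an added example that is not part of the report or the article: a constructed inventory of four vulnerabilities (the ids, scores and ages are made up) shows how ranking by CVSS alone buries a medium-severity flaw that EPSS rates as very likely to be exploited, and how a triage rule that also weighs EPSS and time-open surfaces it.

```python
"""Patch prioritization using EPSS alongside CVSS (added example)."""
from statistics import mean

# Constructed sample inventory; ids and values are placeholders, not real CVEs.
# VULN-B mirrors the case in the text: CVSS 5.3 (medium) but EPSS above 0.9.
VULNS = [
    {"id": "VULN-A", "cvss": 9.8, "epss": 0.02, "days_open": 12},
    {"id": "VULN-B", "cvss": 5.3, "epss": 0.92, "days_open": 240},
    {"id": "VULN-C", "cvss": 7.5, "epss": 0.10, "days_open": 30},
    {"id": "VULN-D", "cvss": 4.0, "epss": 0.01, "days_open": 20},
]


def average_epss(vulns):
    """Mean EPSS across the attack surface, the figure S&P reported per company."""
    return round(mean(v["epss"] for v in vulns), 2)


def by_cvss(vulns):
    """Ids ordered by CVSS severity only (the ranking that hides VULN-B)."""
    return [v["id"] for v in sorted(vulns, key=lambda v: -v["cvss"])]


def by_epss(vulns):
    """Ids ordered by exploitation probability only."""
    return [v["id"] for v in sorted(vulns, key=lambda v: -v["epss"])]


def remediation_queue(vulns, epss_cut=0.5, cvss_cut=7.0, max_days=90):
    """Return (id, reasons) for flaws needing immediate attention.

    A flaw is queued if it is likely to be exploited (EPSS), severe (CVSS),
    or has been left open longer than the remediation window. Thresholds
    are assumptions for the example, not values from the report.
    """
    urgent = []
    for v in vulns:
        reasons = []
        if v["epss"] >= epss_cut:
            reasons.append("likely exploited")
        if v["cvss"] >= cvss_cut:
            reasons.append("high severity")
        if v["days_open"] > max_days:
            reasons.append("stale")
        if reasons:
            urgent.append((v["id"], reasons))
    return urgent


if __name__ == "__main__":
    print("average EPSS:", average_epss(VULNS))
    print("by CVSS:", by_cvss(VULNS))
    print("by EPSS:", by_epss(VULNS))
    print("queue:", remediation_queue(VULNS))
```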
"Poor vulnerability management might be an indication of generally weak cyber risk management, which could be a consideration in our assessment of broader management and governance," it warned.
OnePoint Reports Data Breach Affecting 800,000
Arizona hospice pharmacy services provider OnePoint Patient Care notified nearly 800,000 individuals of a data breach involving personal and health information. OnePoint detected suspicious activity on its network on Aug. 8, confirming unauthorized access to sensitive data. The exposed data potentially included names, addresses, medical record numbers, and diagnosis and prescription details. The breach also affected Social Security numbers for a subset of individuals.
Ransomware group INC Ransom took responsibility, claiming on its dark web leak site to have encrypted and exfiltrated OPPC data in September.
French ISP Free Confirms Data Breach Exposing Customer Information
French ISP Free, a subsidiary of telecom giant Iliad Group, confirmed a data breach impacting customer information of 22.9 million mobile and fixed-line subscribers. Details such as passwords, payment card details and communication content were not compromised, according to Free.
The attack targeted a management tool, with Free telling Agence France-Presse on Saturday that no operational impact was observed on activities and services.
Data stolen in the breach is now for sale on criminal forum BreachForums, with threat actor "drussellx" claiming to sell a data set with more than 19 million customers.
Russian Court Sentences Four REvil Ransomware Members to Prison
A Russian court sentenced four members of the REvil ransomware group to prison on Friday, following a crackdown on the gang in early 2022. The sentences, ranging from 4.5 to 6 years, come after Russian authorities made arrests in January 2022, with part of their sentences already served. Russian state news agency TASS reported that the four were prosecuted separately from other detained REvil members.
Russia initially targeted REvil, also known as Sodinokibi, after U.S. pressure over the group’s high-profile cyberattacks. Following Russia’s announcement of action against REvil in January 2022, eight individuals were detained. U.S.-Russia cooperation ceased after Russia's invasion of Ukraine. The accused have only been charged under Russian law for crimes such as payment card fraud and malware distribution.
Five Eyes Alliance Issues Security Guidelines to Help Small Businesses
The Five Eyes intelligence alliance, comprising agencies from the United States, United Kingdom, Canada, Australia and New Zealand, released security guidelines to help small businesses, particularly tech startups, protect themselves from cyber threats. These recommendations aim to counteract hacking attacks from state-backed groups, with a focus on securing intellectual property from nation-state actors like China, according to MI5 Director General Ken McCallum.
The "Five Eyes Secure Innovation" guidelines cover essential security measures, such as appointing security managers, maintaining asset inventories, managing data on third-party services, and regulating data access from partners. In addition to addressing state-backed threats, the advice includes strategies to defend against criminal hacking groups and unscrupulous competitors.