Week in Breach 5/17/-5/23/23

Risk to Business: 1.281 = Extreme

Credit Control Corporation (CCC), a Virginia-based debt collection company that primarily handles medical debt, has admitted that it suffered a data breach in March 2023 that resulted in the exposure of personal information for 286,699 people. The company told the Maine Attorney General’s Office that an unauthorized party gained access to its network between March 2 and March 7, 2023, and illegally copied some files. The unauthorized party stole data including consumers’ names, addresses, and Social Security numbers as well as data related to the individual’s accounts with CCC business partners, such as account numbers, account balances and dates of service. CCC says it is working with law enforcement to resolve the investigation.

Risk to Business: 1.592 = Severe

U.S.-based SaaS connectivity and network communications provider ScanSource says that it has been the victim of a ransomware attack that has impacted its systems, business operations and customer-facing portals. ScanSource confirmed that the attack hit on May 14, taking down customer portals and websites. The company warns that there will be delays in the provision of services to customers in North America and Brazil. ScanSource also said that it has enlisted the help of a third-party forensics firm and law enforcement in its investigation. No group had claimed responsibility at press time.

Risk to Business: 2.769 = Moderate

The Illinois Department of Healthcare and Family Services (HFS) has disclosed that it has experienced a data breach that has exposed data for residents. HFS said that the data breach occurred in the State of Illinois Application for Benefits Eligibility (ABE) system’s Manage My Case (MMC) portal, a system also used by the Illinois Department of Human Services (IDHS). The ABE system is used to determine the eligibility of applicants for medical and poverty relief programs including Medicaid, the Supplemental Nutrition Assistance Program (SNAP) and Temporary Assistance for Needy Families (TANF). The agency said that the exposed data includes names, social security numbers, recipient identification numbers, addresses, phone numbers and income information for program applicants.  

Risk to Business: 1.719 = Severe

Utah’s Uintah Basin Healthcare has disclosed that a data breach has led to the exposure of data for some 100,000 patients who have been treated within the system in the last 10 years. Uintah Basin Healthcare began notifying patients last week that it experienced unusual activity on its network in November 2022 that resulted in data exposure for 103,974 patients treated between March 2012 and November 2022. The rural health system said that the stolen data includes clinical information, diagnoses, medications and test results.

Risk to Business: 2.781 = Moderate

A data leak on La Malle Postale’s system has exposed the personal data of an estimated 90K of their clients. A research team reported uncovering a publicly accessible database with more than 4GB of personal data belonging to the company’s clients, including more than 13,000 SMS messages sent between the company and its customers. The leaked personal data included the names, emails and phone numbers of nearly 90K customers along with lightly secured passwords and employee credentials. The company appears to have since secured the data.

Risk to Business: 2.866 = Moderate

French electronics manufacturer Lacroix said that it has experienced a cyber-attack on its operations at sites in France, Germany and Tunisia. The company said that it was forced to temporarily shut down several online systems to contain the attack and assess the damage. Lacroix said that it is implementing backups and conducting analysis to identify any exfiltrated data. Based on reports of the attack encrypting some local infrastructure at Lacroix’s sites along with data exfiltration, experts say this is likely a ransomware attack. Lacroix is expected to resume full operations at the shut down sites this week and the company said that it does not anticipate any significant impact on the overall performance projected for the group in 2023. 

Risk to Business: 1.883 = Severe

Latvia’s airBaltic has begun informing customers that they may have had personal data exposed after an internal error led to some customers being sent other customers’ flight information erroneously. The airline said that only “a small number” of customers had data exposed. That exposed information may have included the passengers’ full names, birth dates, itinerary and email addresses. airBaltic was quick to reassure customers that no financial or payment data was involved. However, the PNR/reservation number for the impacted passengers was exposed and that could allow the recipient to make changes to the itinerary. The airline said that it will change the number for any customer who requests it.

Risk to Business: 1.386 = Extreme

The LockBit ransomware group has published 1.5TB of data that it claims to have snatched from Indonesia’s largest Islamic bank, Bank Syariah Indonesia. The published records include the personal and financial information of about 15 million of the state-owned bank’s customers and employees. Up until now, the bank had claimed that widespread service outages in the last few weeks were the result of maintenance, but it was forced to admit that the problems were actually the result of a cyberattack. Bank Indonesia, the country’s central bank, said last Thursday that it had helped Bank Syariah Indonesia restore its real-time gross settlement, national clearing system and Bank Indonesia Fast Payment services. ATMs and bank branch services became available last week. Screenshots of ransom negotiations released by LockBit show that the bank dangled the possibility that it would pay the gang $10 million to recover its stolen data, but LockBit demanded $20 million before the negotiations broke off.