At a glance.
- Illinois medical group settles data breach.
- Luxury Hong Kong hotel chain breached.
- Ransomware gang dumps LA school district data.
Illinois medical group reaches data breach settlement.
Top Class Actions reports that DuPage Medical Group has agreed to pay $3 million to settle claims linked to a 2021 data breach. The independent physician group, located in the US state of Illinois, suffered a cyberattack that caused a network outage that potentially compromised the data of approximately 600,000 patients. The plaintiffs claimed the breach was the result of DuPage’s negligence, stating the medical group should have implemented stronger cybersecurity measures and monitored its systems. Though DuPage has not admitted to any wrongdoing, under the terms of the settlement class members can receive a payment of up to $150 for ordinary expense reimbursement (such as credit report costs, credit monitoring expenses, bank fees, communication charges, travel expenses, and lost time), up to $5,000 for extraordinary expense reimbursement (including fraudulent charges and damages from identity theft), or an alternative payment of $50. In addition, DuPage has agreed to improve its data security over the next two years.
Luxury Hong Kong hotels impacted in data breach.
Chinese luxury hotel chain Shangri-La Group disclosed on Friday that eight of its hotels had suffered a cyberattack in July that potentially exposed the data of approximately 290,000 guests, Radio Television Hong Kong reports. "We immediately engaged cyber forensic experts to investigate and contain the issue. The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected, and illegally accessed the guest databases," Shangri-La Group stated. The affected hotels include Island Shangri-La, Kerry Hotel and the Kowloon Shangri-La, all in Hong Kong, as well as hotels in Singapore, Chiang Mai, Taipei, and Tokyo. The compromised data includes guest names, e-mail addresses, phone numbers, and street addresses, though the hotel group says personal info such as dates of birth, identity and passport numbers, and credit card details were encrypted. Hong Kong’s privacy watchdog said it had been informed of the incident by Shangri-La Group on Thursday evening, adding that it was disappointed Shangri-La had waited over two months to disclose the breach.
Vice Society releases data stolen from Los Angeles Unified School District.
The Los Angeles Unified School District (LAUSD), the second-largest school district in the US, suffered a massive ransomware attack a month ago, and on Saturday threat group Vice Society released some of the stolen data, FOX 7 Austin reports. Cybersecurity Dive explains that on Friday the ransomware gang Vice Society listed the district on its leak site, threatening to publish the data on Monday, October 3rd if the district didn’t meet their ransom demands. The same day, LAUSD responded by reiterating their refusal to pay, stating, “Los Angeles Unified remains firm that dollars must be used to fund students and education. Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
The cybercriminals then jumped their own deadline, Bleeping Computer reports, releasing a dataset Sunday morning along with the message, “CISA wasted our time, we waste CISA reputation.” File names of the published data include “ssn,” “Secret and Confidential,” and “Passport,” and law enforcement says the data appears to include “confidential psychological assessments of students, contract and legal documents, business records, and numerous database entries.” Superintendent Alberto M. Carvalho posted on Twitter, “Unfortunately, as expected, data was recently released by a criminal organization. In partnership with law enforcement, our experts are analyzing the full extent of this data release.” He included the number for a newly established hotline dedicated to answering constituents’ questions about the breach. The Wall Street Journal notes that the Federal Bureau of Investigation, the White House, and the Cybersecurity and Infrastructure Security Agency are all involved in the ongoing investigation.
Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, thinks that the cost-benefit calculus tends to run in favor of the ransomware gangs. The barriers to entry are low, the rewards are (potentially) large, and it can be difficult for police to run the operators to ground:
“We should expect a further surge of ransomware campaigns that are relatively simple to run, are hardly investigable by law enforcement agencies, and bring huge profits, being a perfect “business” compared to other cyber-attacks. With the new extortion tactics, not just the breached companies are blackmailed – but all the individuals whose contact details are available within the stolen data. So, if your personal data is stolen, you can pay hundreds of dollars to prevent its publication if the breached company eventually refuses to pay the ransom.
“Sadly, victims are oftentimes under-compensated. We observe a strong increase of contractual clauses in all industries that exclude any liability for data breaches unless there is one prescribed by law and it cannot be excluded contractually. In the US, the situation is particularly challenging – as there is no federal regulation on personal data protection. States are, thus, enacting their own state-level laws, while some industries have specific data protection regimes, like HIPAA in healthcare or FERPA in the educational sector. FERPA, enacted in 1974, is obviously obsolete and cannot provide a sufficient level of data protection any more, let alone address such complicated cyber threats as ransomware.
“Of note, a data leak is not necessarily the worst outcome of a ransomware attack: many cases are known when even after paying the ransom, the data was nonetheless leaked for different reasons. The most important part of the incident response is to prevent actual damage to the victims and minimize operational downtime. Therefore, I would refrain from blaming any breached companies whose data eventually end up on the Dark Web. What counts is how they mitigate the harm and implement necessary security mechanisms and controls to avoid similar incidents in the future.”
Rebecca Moody, head of data research at Comparitech, puts this incident in the context of other attacks on educational organizations:
“So far this year, the Comparitech US ransomware tracker has logged 36 attacks on US education institutions for 2022, including the attack on LAUSD. As our recent research found, these attacks have devastating impacts on schools and colleges. These attacks not only put student records at risk but the downtime and recovery costs of these attacks often cost millions of dollars. Based on these recent findings, the impact on LAUSD could have cost tens of millions of dollars in downtime alone. In the last couple of months, Vice Society has also made claims on the School District of Elmbrook, Sierra College, Linn-Mar School District, and Grand Valley State University. The School District of Elmbrook just submitted a data breach report to the Maine Attorney General for 4,356 records. So far, over 94,000 student records have been impacted in educational ransomware attacks in 2022--but this figure will likely rise as more breach notifications are submitted.”