On a mission - to steal a loooot of data
Yesterday, RansomHub continued its onslaught of ransomware claims with California’s Mission Bank. The Bank recently issued data breach notifications following a cyber attack in early December 2024 with various data affected, including social security numbers and financial account information.
RansomHub alleges that 2.7TB of data was stolen so it remains to be seen exactly how many people have been caught up in this breach.
Are “ransomware days” the new “snow days?”
A high school in Chester, UK, had to shut its doors to students this week following a ransomware attack on January 17. Initially, the closure at Blacon High School was expected to last only Monday and Tuesday, but after remaining closed on Wednesday it reopened to students in Years 10 and 11 on Thursday.
Sadly, downtime due to ransomware attacks isn’t uncommon. Our recent study found that, on average, educational institutions lose 10.7 days to downtime when they’re hit with one of these attacks.
If it's a day ending in "Y," a healthcare organization got hacked
Unfortunately, this was no less true for these four US healthcare companies this week.
- CODAC Behavioral Health - Rhode Island’s largest non-profit opioid treatment provider started issuing data breach notifications following a cyber attack in July 2024. This attack was claimed by ransomware gang Qilin in August with 9GB of data allegedly stolen.
- HCF Management, Inc. - Continued to issue data breach notifications following an attack in October 2024. Over 20 of its senior care facilities and 57,900 people are now confirmed to have been involved in the breach. Claimed by RansomHub.
- Pacific Pulmonary Medical Group - Confirmed the number of people caught up in its October 2024 data breach was 12,723. This was claimed by Everest.
- Regional Obstetrical Consultants - Began notifying individuals of a data breach following a cyber attack in May 2024. INC claimed this one.
How Frequently Should Employees Get Data Security Training?
This is a question that plagues every company's leadership team. To avoid what feels like a burdensome task and a time sink, most companies make data security training and courses an annual affair.
That's probably too infrequent, for two key reasons:
1. Average employees are not IT and security experts. They will easily forget what they've learned in these security trainings. Combine that with how overworked people are these days, and you have tired employees mindlessly clicking on phishing emails. Yikes.
2. Average employees skip right through these trainings. Look, people hate what they perceive as a waste of time, and most employees are overconfident in their ability to spot security risks. They will skip through these, and forget everything they saw within a week.
So how frequently should you run training? More frequently than once a year. KnowBe4 confirmed this in a study that found that "In 84% of cases, security awareness training increased employees’ understanding of security instructions."
Take note: Security training costs money, but it's not a cost center. Better-informed employees reduce the heavy financial losses that result from data breaches.
Until next week. Let’s keep that zero-day count at zero!