Hey, Rhysida! Leave those teachers alone…
Pennsylvania State Education Association started notifying nearly 520,000 people of a data breach this week. This was due to a cyber attack in July 2024 which was later claimed by Rhysida with a $1.14 million ransom demand.
Data affected includes Social Security Numbers, passport numbers, credit/debit card numbers, PINs, and expiration dates, medical information, and more.
A frightful diagnosis, but one we should have seen coming…
Fog claimed responsibility for a November 2024 data breach at University Diagnostic Medical Imaging which compromised 138,080 patients’ names, addresses, dates of birth, referring physicians, medical treatments, and diagnoses.
This becomes Fog’s biggest confirmed data breach via ransomware to date.
Don’t bank on a third party keeping you safe…
Western Alliance Bank started notifying 21,899 people about an October 2024 data breach that compromised various data, including Social Security Numbers, tax ID numbers, passports, and financial account numbers.
Ransomware gang Clop claimed the breach as part of its exploitation of vulnerabilities in the Cleo file transfer software, which is used by many organizations. In total, over 300 victims were listed as part of this exploitation campaign.
Here we go again: Third-party software is a threat you can't ignore
Look, we get it. Building every solution in-house is practically impossible for most companies. It requires hiring a team of developers, spending a lot of time and money on development, and then even more time and money on maintenance. The reason SaaS software is the go-to solution for so many B2B companies is because it tends to solve a unique problem at a fraction of the cost of building and maintaining that type of solution in-house.
But you, unfortunately, can't control the security posture of the companies you partner with. Even if everything looks good on paper, they are just as prone as you are to the simple human errors responsible for most data breaches.
Just take PowerSchool, for example. As NBC reported recently:
"An interim report prepared by CrowdStrike and disseminated to some school officials, the contents of which had not previously been public and which was acquired by NBC News, found no evidence that the hackers used malware or found a backdoor into PowerSchool’s systems. Instead, the hacker simply obtained a single employee’s password. That granted access to a “Maintenance Access” function that let them download millions of children’s personal information."
In this case, one of two things likely happened:
1. The employee in question clicked on a phishing link in an email.
2. The employee was using a weak password shared across multiple accounts, at least one of which was already breached.
This is also an indication that PowerSchool was either not using multi-factor authentication for account access, or that it was not strictly requiring all account users to establish it.
This is the exact problem that account takeover prevention tools were designed to solve. Okta is one of my personal favorites, particularly in the way it creates a distinct MFA-focused barrier between the user and company account access. Okta and tools like it add an extra step that some employees might find annoying, but that annoyance can save your company millions of dollars.
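The two failure modes above, a reused password that already sits in a breach dump and an account that was never made to enroll in MFA, are both things an access gate can refuse before any data is served. The following Python is an added illustration written for this newsletter, not PowerSchool's or Okta's code. The breach corpus, salt, usernames and the function names (including "Maintenance Access", borrowed from the NBC quote only as a label) are constructed for the example, and `range_lookup` is a local stand-in for a k-anonymity breached-password service, so nothing here contacts the network.

```python
import hashlib
import hmac
from dataclasses import dataclass

# --- Constructed sample data (not real credentials) ---
# SHA-1 hex digests of passwords known from public credential dumps. A real
# deployment would query a breach-notification service; these are made up.
_KNOWN_BREACHED_PLAINTEXT = {"password123", "Summer2024!", "letmein"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in _KNOWN_BREACHED_PLAINTEXT
}

# Functions that expose bulk personal data; these always demand a verified
# second factor for the current session. Names are hypothetical.
SENSITIVE_FUNCTIONS = {"Maintenance Access", "Bulk Export"}


def range_lookup(prefix5: str) -> set[str]:
    """Simulated k-anonymity range query: the caller sends only the first five
    hex characters of the SHA-1 and receives every matching suffix, so the
    password itself never leaves the client."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def hash_password(password: str, salt: bytes) -> str:
    """Salted, iterated hash for credential storage (a production system would
    use argon2 or bcrypt; PBKDF2 is used here because it is in the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: str
    mfa_enrolled: bool


def authorize(user: User, password: str, mfa_verified: bool, function: str) -> tuple[bool, str]:
    """Decide whether `user` may invoke `function`. Returns (allowed, reason).

    Policy, checked in order:
      1. the password must match the stored hash;
      2. a correct password that is in the breach corpus is still refused and
         must be reset, because it is shared with a compromised account;
      3. every account must have MFA enrolled before any access is granted,
         so "optional MFA" cannot leave a gap;
      4. sensitive functions additionally require the factor to have been
         verified in this session.
    """
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return False, "bad_password"
    if is_breached(password):
        return False, "password_breached_reset_required"
    if not user.mfa_enrolled:
        return False, "mfa_enrollment_required"
    if function in SENSITIVE_FUNCTIONS and not mfa_verified:
        return False, "mfa_verification_required"
    return True, "ok"


def make_user(username: str, password: str, mfa_enrolled: bool,
              salt: bytes = b"constructed-salt") -> User:
    """Helper to build a user record with a hashed password (constructed salt)."""
    return User(username, salt, hash_password(password, salt), mfa_enrolled)


if __name__ == "__main__":
    # Constructed scenario: one employee reused a password that is in the dump
    # and never enrolled in MFA; the gate stops them before the sensitive function.
    reused = make_user("support_1", "Summer2024!", mfa_enrolled=False)
    print(authorize(reused, "Summer2024!", False, "Maintenance Access"))
    # A user with a unique password and a verified factor gets through.
    good = make_user("support_2", "correct horse battery staple", mfa_enrolled=True)
    print(authorize(good, "correct horse battery staple", True, "Maintenance Access"))
```

The ordering matters: the breach check runs even when the password is correct, which is the case that a plain login form never catches, and MFA enrollment is a precondition for any access rather than an opt-in, which is the gap the PowerSchool account illustrates.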
Okta's not paying us for the accolades (but if you're reading this Okta, we'll happily take a donation!). It's just a legitimately good solution to strengthen your security posture.
Until next week. Let’s keep that zero-day count hardened at zero!