Why it’s not “weis” to try and keep things under embargo…
On September 4, 2024, Weiser Memorial Hospital noted “network issues” that disrupted systems and caused phone outages for several weeks. Ransomware gang Embargo then claimed the attack (and alleged theft of 200 GB of data) on September 30. This prompted a new statement from Weiser on October 2, which confirmed its “network issues” were in fact a cyber attack.
Fast forward to this week, and Weiser has just started issuing data breach notifications to 34,249 people, with medical data, Social Security numbers, and Medicaid info among the data affected.
ReFrain-ing from issuing a prompt data breach notification…
Andy Frain’s notification letter also came a fair few months after its attack. This week, the security firm for the NFL, NBA, NHL, MLB, and NASCAR started notifying 100,964 people of a data breach following an attack back in October 2024. Names, addresses, and Social Security numbers were among the data affected.
In this case, Black Basta came forward to claim the attack in November 2024 and alleged it had stolen 750 GB of data.
Network issues…connectivity issues…ransomware attack…
On April 22, 2025, Gloucester County notified residents it was struggling with “network issues.” A day later, this continued as “connectivity issues.” Then, radio silence.
That was until BlackSuit came forward to claim the attack yesterday, alleging that company executives were trying to cover up the attack and were aware that personal staff data was going to be made public.
When we contacted Gloucester County, it confirmed it had suffered a cyber attack on April 21 and that investigations into data theft were underway. It also noted that critical operations were never impacted.
Do stolen SSNs even matter anymore?
Hardly a week (sometimes hardly a day!) goes by when we don't hear about another ransomware attack and data breach. And in almost every situation, the list of stolen data reads just about the same:
- Full names
- Email addresses
- Phone numbers
- Social Security numbers
In fact, a class-action lawsuit filed in September 2024 made the bold claim that 2.9 billion records (yes, with a B) from a US database called "National Public Data" were hacked and released on the Dark Web forum "Breached" by a criminal gang called USDoD.
If you're doing the mental math here, yes. The US population is only 340 million, only about 1/8 of the number of records reported stolen. Multiple news headlines at the time went thermonuclear on their interpretation, claiming that "every American's SSN was stolen."
This was...not likely the case. It comes down to understanding that a "record" in a database is not the same as "an individual person." Each person in the database likely had multiple records associated with them. As The Verge later reported in October 2024, only 270 million people's SSNs were likely stolen.
270 million is still no laughing matter. That's more than the total number of people in the US over the age of 18, meaning it's possible that every single American has had their SSN stolen and published on the web for all the underworld to see.
That raises a very serious question: does it even matter if your SSN gets stolen again?
Unfortunately, more volume = more risk
On one hand, with nearly every American adult’s SSN already lurking somewhere on the dark corners of the web, another breach might seem like just another drop in an overflowing bucket. If your SSN has been compromised once, or twice, or 20 times, does another theft really increase your risk?
Surprisingly, yes, it can still matter.
Even if your SSN is already "out there," each new breach increases the visibility and ease of access for identity thieves. More thieves having your information means more opportunities for various types of identity fraud:
- Opening credit accounts
- Filing fake tax returns
- Committing medical identity theft in your name
Each incident potentially multiplies the mess you have to clean up, and the cost (both financially and emotionally) of repairing your identity can escalate with each breach.
However, there's a deeper issue at play: the system itself.
The fact that additional breaches still matter highlights how fundamentally broken our reliance on SSNs as secure identifiers really is. Every new incident underscores the urgent need to move beyond a system that continues to rely on static, easily compromised numbers.
At least in the US, legislation that actually matters is hard to get off the floor. Repeated breaches don't seem to have pushed us toward more secure identification methods. This is why security experts advocate for dynamic, multifactor systems that significantly reduce risks even when breaches inevitably occur.
Businesses are still responsible for breached PII, even if it's been breached before
Businesses shouldn't take this as a "rest easy, that data is already out there" moment. Even if someone's PII has already been released into the wild from a previous data breach, companies that are responsible for holding and protecting that data can still be held liable when a breach does happen.
The expectation and legal obligation to protect personal data remains unchanged, regardless of previous breaches. That means, at a minimum, investing in strong cybersecurity tools, hiring and training enough IT staff to protect networks and data, training staff on proper security procedures, and regularly performing security risk assessments.
None of that is a guaranteed "get out of data breach free" card. Criminal gangs are crafty. If they have their sights on your organization, a breach is likely only a matter of time. But you can delay how long it takes for criminals to finally break through your firewalls.
Until next week! Let's keep that zero day at zero.