BlueLeaks Exposed Some COVID-19 Patients’ IDs – Cybersecurity Experts Perspective

A South Dakota news site reports that the June 2020 “BlueLeaks” data breach exposed the identities of the state’s citizens who tested positive for COVID-19 (Massive data breach affects SD COVID-19 patients). In response, cybersecurity experts offer their thoughts below.

Dan Piazza, Technical Product Manager
August 24, 2020 3:08 pm

Protecting personal information is more important than ever as attackers become more sophisticated and data privacy regulations are enacted. Given the current pandemic, an individual’s COVID-19 status is likely to be one of the hottest personal information topics. This data breach was originally due to failure to properly secure the affected websites, as attackers used methods that are decades old to break in. This was compounded in South Dakota when Texas-based web hosting company Netsentinel didn’t properly secure personal records, which gave attackers access to each individual’s COVID-19 status on top of other personal data.

As we continue to see, overprovisioned access to sensitive information can have devastating results. When access to data in a network is properly provisioned with a least privilege model, then the risk of data being stolen is drastically reduced even in the event of a breach. Users should only have access to the minimum amount of data required to perform their functions as an employee, otherwise even a single compromised user can give an attacker the keys to your data kingdom.
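The least-privilege point above can be made concrete with a small access-control model. The following Python is an added example, not code from the article or from any of the quoted experts: it defines a few assumed roles, projects constructed patient records down to the fields each role is entitled to read, and reports what a single compromised account of each role would expose. All roles, field names and records are constructed for illustration.

```python
"""
Added example (not from the article or any quoted expert): a minimal
least-privilege view over patient records, showing how field-level
entitlements bound what one compromised account can reveal.
Roles, field names and records below are constructed for this example.
"""
from typing import Dict, FrozenSet, List, Set

# Constructed patient records; "covid_status" is the sensitive field.
RECORDS: List[Dict[str, str]] = [
    {"id": "p-001", "name": "A. Example", "dob": "1980-01-02",
     "address": "1 Main St", "covid_status": "positive"},
    {"id": "p-002", "name": "B. Example", "dob": "1975-06-30",
     "address": "2 Elm Ave", "covid_status": "negative"},
]

# Role -> fields that role may read. Each role gets only what its job needs.
# These roles are assumed for the example; a real deployment derives them
# from its own policy.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"id", "name", "dob", "covid_status"}),
    "scheduler": frozenset({"id", "name", "address"}),
    "reporting": frozenset({"id", "covid_status"}),  # no direct identifiers
}


class AccessDenied(Exception):
    """Raised when a role has no read entitlements at all."""


def visible_fields(role: str) -> FrozenSet[str]:
    """Deny by default: an unknown role sees nothing."""
    return ROLE_FIELDS.get(role, frozenset())


def view_records(role: str, records: List[Dict[str, str]] = RECORDS) -> List[Dict[str, str]]:
    """Return records projected down to the fields the role may read.

    Raises AccessDenied for a role with no entitlements rather than
    silently returning empty rows, so a misconfiguration is noticed.
    """
    allowed = visible_fields(role)
    if not allowed:
        raise AccessDenied(f"role {role!r} has no read entitlements")
    return [{k: v for k, v in r.items() if k in allowed} for r in records]


def exposure_if_compromised(role: str, records: List[Dict[str, str]] = RECORDS) -> Set[str]:
    """Fields an attacker learns by taking over one account of this role.

    Useful when reviewing whether a role is overprovisioned.
    """
    try:
        rows = view_records(role, records)
    except AccessDenied:
        return set()
    return set().union(*(r.keys() for r in rows))


def can_link_identity_to_status(role: str) -> bool:
    """True if one account of this role can pair a person's identity
    (name, address or date of birth) with their COVID status, the
    combination the article treats as most harmful."""
    exposed = exposure_if_compromised(role)
    return "covid_status" in exposed and bool({"name", "address", "dob"} & exposed)


if __name__ == "__main__":
    for role in ("clinician", "scheduler", "reporting", "contractor"):
        print(role, sorted(exposure_if_compromised(role)),
              "links identity to status:", can_link_identity_to_status(role))
```

Run as a script, it prints the exposure of each role; the "contractor" role is deliberately absent from the policy to show the deny-by-default path. The useful review question is the last column: only accounts whose role genuinely needs both an identifier and the status field should be able to link the two.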

Chloé Messdaghi, VP of Strategy
August 24, 2020 2:56 pm

We don’t know how the attacker or group of attackers got into the data or what vulnerability was exploited, but it appears that resources and information that were easy to find online and that could’ve been tagged by anti virus software as malicious were used, so at least some of the websites were possibly out of date. This serves as yet another reminder that local and state websites – even if maintained by third parties – are often out of date and their software isn’t patched on time. Out of date software puts both data and people at risk. Never use the oldest versions of anything, whether it’s Windows Operating Systems or website infrastructure, because the majority of times that a technology vendor releases an update, it has patches to vulnerabilities intended to protect us and our sensitive data. When a full name, personal address, and birthdate are out there, it creates a risk to identity theft.

Patient status data is particularly sensitive. Some of those afflicted with COVID-19 have reported that when they tell others of their status, friends, neighbors and family don’t know how to react. There are good reasons why public health records are sealed shut and even family members can’t access them without permission. In these times of heightened tensions due to the pandemic, the last thing we want is for anyone to shun vulnerable members of the community.

Also, there’s plenty of blame to go around – the problem doesn’t sit solely with the third party vendor. It’s up to every organization to regularly get assurances from their vendors about the security and currency of their technologies.

It’s a reminder that those who patch & update software – which can be among the more mundane of IT tasks – are everyday heroes doing necessary and important work.

Saryu Nayyar, CEO
August 24, 2020 2:54 pm

Security breaches are the “Gift that keeps on giving” in the worst possible way. It should come as no surprise that there have been ongoing repercussions from the BlueLeaks breach in June. The revelation of some people’s COVID-19 status in the database has only come to light now, but shows the depth of data revealed and the potential consequences that may not have been realized at the start.

The only bright spot to this revelation is the revealed information is largely time-sensitive, which somewhat reduces the impact. Unfortunately, it doesn’t eliminate it, or in any way excuse the breach.

