While Christians around the globe were celebrating the Easter weekend, news of three separate data breaches surfaced. On Saturday, 20 April 2019, the popular health and fitness platform Bodybuilding.com alerted its customers to a security breach detected during February 2019, the direct result of a phishing email received back in July 2018. Bodybuilding.com is the world's largest fitness website, with a community of over 1,000,000 BodySpace members and more than 17,000,000 forum members, as well as over 32,000,000 orders shipped all over the world since its online shop opened for business. Alongside that announcement, two separate health care companies also disclosed data breaches. Of the two, one illustrated how an organization should deal with a breach and the other how not to.
Returning to the Bodybuilding.com data breach, the company announced that the breach may have affected certain customer information and, after investigating the incident with the help of “external forensic consultants that specialize in cyber-attacks,” said that it “could not rule out that personal information may have been accessed.” The company further confirmed that no full debit or credit card numbers could have been accessed and stolen, as it only stored the last four digits, and only for customers who opted to have their cards stored with their account information. No social security numbers were compromised either. As a precaution the company has reset all user passwords, meaning that users will have to choose a new password the next time they log on to the platform.
The company stressed that while there was no conclusive proof that customers' personal information had been accessed, it did inform customers what information could have been accessed. This information includes name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in the customer's BodySpace profile. One likely ramification of the breach is that attackers may use emails designed to look as though they come from Bodybuilding.com in phishing campaigns.
To that end, the company explained:
“If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by Bodybuilding.com and may be an attempt to steal your personal data. Avoid clicking on links or downloading attachments from such suspicious emails. Any link included in our email to users directs users to insert the Bodybuilding.com FAQs URL into your browser and does not request your personal data.”
The Good and the Bad
As mentioned above, two health care companies also suffered breaches. How these breaches were handled presents the InfoSec community with an example of how to handle a breach and an example of how not to. The data breach involving the substance rehabilitation clinic Steps to Recovery, located in Levittown, Pennsylvania, is the example of how not to handle a breach. In total, approximately 4.9 million documents containing personally identifiable information of substance abuse patients were left exposed by a misconfigured Elasticsearch database that was publicly accessible for more than two years, from 2016 to late 2018. The database contained two indexes totaling 1.45 GB of data and was found by Cloudflare Director of Trust and Safety Justin Paine while searching for exposed internet-enabled devices using Shodan.
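The exposure described above is the classic Elasticsearch failure mode: the node is bound to every network interface and answers unauthenticated requests on its REST port. The following pair of `elasticsearch.yml` fragments is an added illustration, not the clinic's real configuration (which the article does not include) and not code from the article. The cluster name, index contents and certificate path are placeholders; the hardened variant assumes an Elasticsearch release in which basic authentication is available without a paid licence (6.8 and 7.1 or later).

```yaml
# elasticsearch.yml, exposed configuration (illustrative placeholder, not the clinic's file)
cluster.name: patient-records-placeholder
network.host: 0.0.0.0        # binds every interface, so the REST API is reachable from the internet
http.port: 9200              # default port, exactly what internet-wide scanners index
# no authentication configured: anyone who can reach port 9200 can list and read every index

---
# elasticsearch.yml, hardened configuration (illustrative placeholder)
cluster.name: patient-records-placeholder
network.host: 127.0.0.1      # listen on loopback only; reach it through a VPN or an authenticating reverse proxy
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true                             # every request must carry valid credentials
xpack.security.http.ssl.enabled: true                    # TLS, so credentials and records never travel in the clear
xpack.security.http.ssl.keystore.path: certs/http.p12    # placeholder path to the node's HTTP certificate
```

After enabling security the built-in user passwords still have to be set (`bin/elasticsearch-setup-passwords interactive` on the versions assumed above), and network-level filtering should block port 9200 from untrusted ranges regardless of what the node itself binds to. A simple defender-side check is to request `/_cat/indices` against your own host's public address from outside the network: it should be refused, not answer with a list of indices.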
Paine contacted both the rehab center and the hosting provider it used to inform them of the exposed data. Steps to Recovery never responded; however, the hosting provider managed to get in touch with the rehabilitation clinic and “notified their customer who then promptly took action to disable access to the database.” Paine published his findings and stated that,
“Based on a random sample of 5,000 rows of data from the "infcharges" index, I observed 267 unique patients – or roughly 5.34% were unique. Assuming this trend continues, that would suggest the database contained roughly 146,316 unique patients. To reiterate – it's entirely possible this sample of 5,000 rows of data was not representative of the entire index of data though.”
At the time of writing Steps to Recovery has yet to acknowledge the leak. It is also unclear whether it has informed the patients possibly affected by the breach. Given the amount of personal information exposed, which includes the patient's age, birthdate, address, past addresses, the names of the patient's family members, their political affiliation, potential phone numbers, and email addresses, and given the stigma associated with substance abuse, the company has been negligent in dealing with the problem. Ignoring the problem could have unforeseen consequences for the patients whose data was exposed.
The second breach affecting a health care company involved Dallas, Texas-based EmCare Inc., which also announced its breach on April 20, 2019. According to the company, a number of employees' email accounts had been accessed, potentially exposing the personal information of almost 60,000 people, including 31,000 patients. The company admitted that personal information was exposed, including names, dates of birth or ages, and, for some patients, clinical information. In some instances, Social Security and driver's license numbers were exposed as well. The company also spoke to Bloomberg in an effort to minimize the impact of the breach, a step Steps to Recovery never took.
EmCare's response was an example of how companies should treat a breach; however, it was not without criticism. The criticisms center on the timeline the company followed in notifying patients: the breach was discovered in February, but it was not until April that the company began notifying those affected. Another criticism can be leveled at the company for allowing its employees to keep patients' clinical information unencrypted within their email accounts. However, for those employees and patients whose Social Security or driver's license numbers were affected, EmCare has arranged a credit monitoring account with Experian's IdentityWorks. It will be of interest to see whether Steps to Recovery takes any similar measures to help protect the patients whose information was entrusted to the company.