Friday, December 16, 2016


Yahoo Says 1 Billion User Accounts Were Hacked

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password.

View the original article from The New York Times here.


SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts.

The two attacks are the largest known security breaches of one company’s computer network.

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.

It is unclear how many Yahoo users were affected by both attacks. The internet company has more than 1 billion active users, but it is not clear how many inactive accounts were hacked.

Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.

Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.

And critics say the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and a series of spam attacks — a mass mailing of unwanted messages — the following year.

“What’s most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward,” said Jay Kaplan, the chief executive of Synack, a security company. “Yahoo has a long way to go to catch up to these threats.”

Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log into some users’ accounts without a password.

Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims. The company has not disclosed who it believes was behind the attack.

In July, Yahoo agreed to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate the terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.

After the latest disclosure Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” he said. “We will review the impact of this new development before reaching any final conclusions.”

Mr. Lord said Yahoo had taken steps to strengthen Yahoo’s systems after the attacks. The company encouraged its users to change passwords associated with their Yahoo account and any other digital accounts tied to their Yahoo email and account.

In the hacking disclosed Wednesday, Mr. Lord said Yahoo believed an “unauthorized third party” managed to steal data from one billion Yahoo user accounts. Mr. Lord said that Yahoo had not been able to identify how the hackers breached Yahoo’s systems, but that the company believed the attack occurred in August 2013.
Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as email, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

Yahoo recommended that its customers use Yahoo Account Key, an authentication tool that verifies a user’s identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.
Security experts say the latest discovery of a breach that happened so long ago is another black mark for the company. “It’s not just one sophisticated adversary that gets in,” said Ben Johnson, co-founder and chief security strategist at Carbon Black, a security company. “Typically companies get compromised multiple times due to the same vulnerability or employee culture.”

Mr. Johnson added that the scale of the breaches is only increasing as companies store more and more troves of information in similar databases. “When you have these huge databases of information, it’s millions — and now billions — of accounts lost,” he said.

Correction: December 14, 2016
An earlier version of this article misstated the day Yahoo announced 1 billion user accounts had been compromised. It was Wednesday, not Thursday.

Monday, November 28, 2016

Passengers Ride Free on San Francisco Subway after Ransomware Attack

Hard-drive-scrambling ransomware menaced more than 2,000 systems at San Francisco's public transit agency on Friday and demanded 100 bitcoins to unlock data.

San Francisco Subway Car in Station

View the original article from The Register here.


Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT workers scrambled to clean up the mess.


A variant of the HDDCryptor malware infected 2,112 computers within the San Francisco Municipal Transportation Agency, the ransomware's masters claimed in email correspondence seen by El Reg.


These systems appear to include office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs. We're told that the worm-like malware automatically attacked the agency's network, and was able to reach the organization's domain controller and compromise network-attached Windows systems. There are roughly 8,500 PCs, Macs and other boxes on the agency's network.


After the vulnerable computers were infected and their storage scrambled, they were rebooted by the malware and, rather than start their operating system, they instead displayed the message: "You Hacked, ALL Data Encrypted, Contact For Key (cryptom27@yandex.com) ID:601."


HDDCryptor and its cousins encrypt local hard drives and network-shared files using randomly generated keys and then overwrite the hard disks' MBRs, where possible, to prevent systems from booting up properly. A machine is typically infected by an employee accidentally opening a booby-trapped executable in an email or download, and then the infection spreads out across the network.


When the 100-bitcoin ransom – right now about $73k – is paid, the crooks supposedly hand over a master decryption key to restore the ciphered drives and files. A bitcoin wallet into which the transit agency is expected to pay remains empty.


The extortionists behind the malware have complained that no one at the agency has so far spoken to them, let alone offered to pay. The crooks said they will give Muni officials another day or so to get in touch before walking away. They also offered to decrypt one machine for one bitcoin to prove restoration is possible.


"Our software [is] working completely automatically and we don't [launch] targeted attacks ... SFMTA's network was very open and 2,000 server/PCs [were] infected by software," the ransomware's masterminds claimed in a statement in broken English on Sunday via email. "So we are waiting for contact [from] any responsible person in SFMTA but I think they don't want a deal. So we close this email [account] tomorrow."

You've been hacked ... Message left on a PC screen at a San Francisco Muni kiosk on Saturday (Photo by Colin Heilbut)

Buses and the underground-overground Muni rail system continue to run. The Muni's turnstiles were left open from Friday night, though, allowing people to travel for free. Ticketing systems were halted with "out of service" messages in the wake of the infection.


"There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact," the transit agency's spokesman Paul Rose said on Saturday. "Because this is an ongoing investigation it would not be appropriate to provide additional details at this point."


San Francisco's public transit system joins the ranks of hospitals, businesses, police stations and other organizations hit by ransomware. Some cough up cash to the extortionists who spread the file-encrypting software nasties, some don't. Meanwhile, Cisco-owned Talos has an open-source tool for protecting MBRs from ransomware and other malware. ®

Friday, November 4, 2016

Computer Virus Forces Hospitals to Cancel Operations

A computer virus has forced three hospitals offline and caused the cancellation of all routine operations and outpatient appointments.
The hospital says the "major incident" means patients should avoid visiting if possible.
Image: ZDNet


View the original article from ZDNet here.


The Northern Lincolnshire and Goole NHS Foundation Trust says a "major incident" has been caused by a "computer virus" which infected its electronic systems on Sunday. As a result of the attack, the hospital has taken the decision to shut down the majority of its computer networks in order to combat the virus.


"A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," said Dr Karen Dunderdale, the trust's deputy chief executive, according to the BBC.


The use of a shared IT system also means the United Lincolnshire Hospitals Trust has been taken offline as staff attempt to combat the attack.

As a result of the attack, all outpatient appointments and diagnostic procedures that were set to take place at the infected hospitals on Monday and Tuesday have been cancelled, while medical emergencies involving major trauma and women in high-risk labor are being diverted to neighboring hospitals.


The NHS Trust hasn't provided specific information about the sort of virus or malware which has infected its systems -- or how it managed to breach any defenses.


The hospital says that from Wednesday appointments in some areas -- audiology physiological measurement, antenatal, community and therapy, chemotherapy, pediatrics, and gynecology -- will be going ahead and it will be contacting patients who are able to be seen.


Northern Lincolnshire and Goole NHS Foundation Trust says it is reviewing the situation on an hourly basis and offers its apologies to patients who are being affected.

Monday, October 3, 2016

October 2016 Security Awareness


Throughout October, Technology Services will offer interactive educational activities to help you achieve those goals—for each activity you complete, you will be entered into a drawing at the end of the month for an Apple TV. As well, participation in each week’s activity will gain you access to the weekly drawing for a $25 Amazon gift card!
Watch CougarTrack for the weekly activity announcement!

Monday, August 1, 2016

Who's on the other end of that line? An imposter


In an imposter scam, fraudsters take on the identity of someone else -- a government agency, a sweepstakes company, or even a relative desperate for help -- to pressure victims into paying money for taxes, a prize, or a quick personal loan. Regardless of the ruse, these scams are designed to do one thing: quickly separate victims from their money.

Imagine the scenario: Your phone rings and the voice on the other end congratulates you for winning a sweepstakes. Great news, right?

Now imagine another scenario: You receive a call from someone claiming to be tech support for your computer. They say they’ve received reports that your machine may be infected with a virus and they need you to give them access so they can look into it.

Here’s an even worse thought: Your phone rings, but the caller says that they’re with the IRS, that you owe the government money, and that you will go to jail if you do not pay up immediately.

Depending on which scenario plays out on your phone line, you could be overjoyed or afraid. The odds are, however, that regardless of whether the caller says you’re a sweepstakes winner or that you owe the government money, you have just become a victim of one of the most popular scams around: the imposter scam.

In imposter scams, con artists pose as someone else -- the IRS, a sweepstakes company, or a long-lost relative in need. The caller might say they need money for unpaid “taxes” owed to the IRS, or “processing fees” to claim a prize, or “lawyers fees” to get a loved one out of a jam. The set-ups vary, but these high-pressure con artists are good at what they do -- convincing victims they need to pay up -- or hand over personal information -- in order to quickly resolve an issue.

If the victim agrees to pay, scammers typically ask for payment via a hard-to-track method such as a wire transfer, reloadable debit card, or iTunes gift card.

Unfortunately, these high pressure and often intimidating tactics appear to be working. Last year, these scams were the third most common complaint that the Federal Trade Commission (FTC) received, with more than 350,000 consumers reporting they’d fallen victim. They’re also one of the top scams that we hear about at Fraud.org year in and year out.

A consumer complaint we received at Fraud.org recently is typical of this scam. A grandfather in Florida received a phone call from a girl in tears pretending to be his granddaughter. His “granddaughter” said that she was arrested after an auto accident and that drugs were found in her car. The girl was supposedly overseas at the time and said that the American Embassy needed $1,150 to be wire transferred to her attorney overseas so that her lawyer could pay her bond, and then get her on an evening flight back home.

In this case and many others, the consumer fell victim to the imposter scam and lost the money he was tricked into sending the scam artist.

With the imposter scam coming in so many different variations, how can you and your loved ones learn to spot it and avoid becoming its next victim? Here are some basic tips you can use to help identify and protect yourself from a potential imposter scammer:
  1. You can’t trust Caller ID. Scammers are pros at tricking Caller ID systems into showing the caller information they want it to show. Just because the Caller ID says “IRS,” “police,” or “National Consumers League,” that does not guarantee that the person on the other end is with that organization.
  2. Don’t engage. Hang up. If you receive a call from someone urgently requesting money, don’t try and figure out whether they’re legitimate or not while they’re on the phone with you. Scammers are professionals who know exactly what buttons to push to get you to make a quick decision. The best thing you can do is simply hang up.
  3. Be careful of emails, too. Scammers also run the imposter scam over email. If you receive an email from someone demanding money right away, it’s probably a scam. Instead of replying, simply delete the email. Don’t click on any links or attachments that come with the email. They could contain malware that will infect your computer and steal your personal information.
  4. Look up the information on your own. If you’re concerned that the caller or email sender was for real, look up the phone number for the individual or agency in your phonebook or on the agency’s or company’s official website. Call that number yourself and check to see if what you were told by the caller is accurate.
  5. Never pay for a prize. If someone informs you that you won a prize, you should not have to pay any taxes, delivery fees, or insurance payments to collect it. If they tell you otherwise, it’s a scam.
  6. If asked for payment with a wire transfer, cash-reload card, or gift card, it’s a scam. These are all ways that scammers love to be paid because they are practically impossible to track.
  7. Report suspected fraud. If you become a victim of an imposter scam or you suspect you have spotted one, report it! You can file a complaint at Fraud.org via our secure online complaint form. We’ll share your complaint with our network of more than 90 law enforcement and consumer protection agency partners who can and do put fraudsters behind bars. The Federal Trade Commission also has many great resources on imposter scams available at www.ftc.gov/imposters.
  8. Print our Avoid Imposter Scams graphic and leave it by your phone to help loved ones know what to do in case they receive a call.

Thursday, July 28, 2016

HHS Office of Civil Rights and $15 Million in HIPAA Settlement Payments in 2016



For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but only after a period of “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months of 2016, OCR has announced nearly $15,000,000 in settlement payments to the agency relating to a wide range of compliance failures alleged against covered entities and business associates. At the same time, OCR is conducting audits of covered entities around the country, and plans similar audits of business associates later this year. If you have been waiting to tackle HIPAA compliance, it is probably a good time to get it done.

Below is a summary of the circumstances that led to some of the settlements and civil monetary penalties:
  • Stolen laptop, vulnerable wireless access. Following notification to OCR of a breach involving a stolen laptop (not an uncommon occurrence!), OCR investigated and reported discovering that electronic protected health information (ePHI) on the covered entity’s network drive was vulnerable to unauthorized access via its wireless network – users could access 67,000 files after entering a generic username and password. OCR also cited, among other things, failures to implement policies and procedures to prevent, detect, contain, and correct security violations, and to implement certain physical safeguards. Settlement: $2.75M.
  • Vulnerabilities identified must be timely addressed. In another case, a covered entity had conducted a number of risk analyses since 2003, but the OCR claimed these analyses did not cover all ePHI at the entity. OCR also reported that the covered entity did not act timely to implement measures to address documented risks and vulnerabilities, nor did it implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure, despite having identified this lack of encryption as a risk. Settlement $2.7M.
  • Not-for-profits serving underserved communities not immune. A data breach affecting just over 400 persons caused by the theft of a company-issued iPhone triggered an OCR investigation. The iPhone was unencrypted and was not password protected, and contained extensive ePHI including SSNs, medical diagnoses, and names of family members and legal guardians. According to OCR, among other things, the covered entity had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. In its public announcement, OCR acknowledged that the $650,000 settlement was reached after considering that the covered entity provides unique and much-needed services to elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
  • No business associate agreement. When a covered entity’s business associate experienced a breach affecting over 17,000 patients, OCR again investigated. It claimed no business associate agreement was in place, leaving PHI without safeguards and vulnerable to misuse or improper disclosure. Settlement $750,000.
  • Civil monetary penalties against home care provider. In only the second time OCR has sought civil penalties under HIPAA, a judge awarded $239,800 in penalties due to privacy and security compliance failures. In this case, a patient complaint led to an OCR investigation – the patient complained that an employee of the covered entity left PHI in places where unauthorized persons had access and in some cases abandoned the information altogether. Other compliance issues included the covered entity’s maintaining inadequate policies and procedures to safeguard PHI taken offsite, and storing PHI in employee vehicles for extended periods of time.
It is true that these are only a handful of cases with large settlement amounts. But the agency does seem to be sending a message – that is, it wants to see compliance and it is not afraid to seek significant settlement amounts from covered entities or business associates, large or small. In some cases, relatively simple steps, such as making sure business associate agreements are in place, can help avoid these kinds of enforcement actions.

Tuesday, July 12, 2016

Incidents of Ransomware on the Rise

Incidents of Ransomware on the Rise: Protect Yourself and Your Organization


Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.

Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

The FBI doesn’t support paying a ransom in response to a ransomware attack. Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

So what does the FBI recommend? As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations in particular should focus on two main areas:
  • Prevention efforts—both in terms of awareness training for employees and robust technical prevention controls; and
  • The creation of a solid business continuity plan in the event of a ransomware attack. (See sidebar for more information.) 
“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.
If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.
Thursday, July 7, 2016

Your Smart Watch Can Steal Your ATM PIN
Mobile systems and cyber security expert Yan Wang doesn’t wear a smart watch.

“It knows too much,” says Wang, an assistant professor of computer science at Binghamton University in Upstate New York. “If you are using a smart watch, you need to be cautious.”

He would know. Wearable devices can give away your PIN number, according to research he and colleagues presented in June at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS) in Xi’an, China. By combining smart watch sensor data with an algorithm to infer key entry sequences from even the smallest of hand movements, the team was able to crack private ATM PINs with 80 percent accuracy on the first try and more than 90 percent accuracy after three tries.

“I have to admit, at the beginning, I thought this would be science fiction,” says Wang. “But it can actually be done. There are just so many sensors on these wearable devices. It provides sufficient information of your hand movements.”

There has long been concern over the security of smart watches, fitness trackers, and other internet-connected wearables that gather sensitive information, such as what time of day a user leaves their home. To infer user inputs on keyboards, past cyber security studies have used cameras to observe how a hand moves over a keypad or machine learning techniques to train a program to detect user movements.

Now, spying on a PIN just got way easier, thanks to sensors that measure acceleration, orientation and direction in our wrist devices. Led by Chen Wang and Yingying Chen at the Stevens Institute of Technology in Hoboken, New Jersey, the researchers conducted 5,000 key-entry tests on three different keypads—a detachable ATM pad, a keypad on an ATM machine, and a QWERTY keyboard. Twenty adults performed the tests wearing one of three different devices: the LG W150 or Moto360 smart watches or the Invensense MPU-9150, a nine-axis motion tracking device.

The team downloaded sensor data from the tests, which recorded hand movements down to the millimeter. Using an algorithm they called the “Backward PIN-sequence Inference Algorithm,” the team was able to break the codes with alarming accuracy.

The most challenging part of the process was eliminating errors that emerge when trying to calculate distance moved based on acceleration, says Wang. The team found the best way to minimize those errors was to work backwards: Most people end a PIN entry by pressing ‘Enter’, so the team started with the Enter key, then traced backwards to each preceding key—a hacker’s version of connect-the-dots.

The method does not require an attacker to be anywhere near an ATM or other key-entry pad (such as an electronic door lock or computer keyboard). Instead, data can be stolen by either a wireless sniffer placed close to a keypad to capture Bluetooth packets sent by the wearable to a smartphone, or by installing malware on the wearable or smartphone to eavesdrop on the data and send it to the attacker’s server.

Wang is unaware of anyone currently stealing PIN numbers in this way, but he says it would not be a stretch. To eliminate this security breach, wearable manufacturers could better secure the data, or even just add noise so it is not so easily translated into physical hand movements.

Until then, you can mask your own data by moving your hand randomly between key clicks when entering a PIN number. “It may look weird, but it helps,” says Wang. “If you’re just moving from key to key, we can track that.”

Tuesday, June 28, 2016

4 Stolen Health Databases Reportedly for Sale on Dark Web

View original article from Data Breach here.

A hacker is reportedly selling on the dark web copies of databases stolen from three unidentified U.S. healthcare organizations and one unnamed health insurer containing data on nearly 10 million individuals for prices ranging from about $96,000 to $490,000 in bitcoin for each database.

The hacker taking credit, who calls himself "thedarkoverlord," is operating on the TheRealDeal dark web marketplace and is offering to sell "a unique one-off copy" of each of the databases, according to dark net news reporting website DeepDotWeb and other news sites. Some of the data being offered for sale appears to be old, according to news reports.

The hacked data being sold, according to DeepDotWeb, Databreaches.net and other media sites, includes:
  • A database containing plaintext data of 9.3 million individuals from a large, unidentified U.S. health insurer, which the apparent hacker told Databreaches.net was "retrieved using a zero day within the RDP protocol that gave direct access to this sensitive information;"
  • A database containing plaintext data of 397,000 patients of a healthcare organization based in Georgia, which was "retrieved from an accessible internal network using readily available plaintext usernames and passwords," the hacker told DeepDotWeb;
  • A database containing plaintext data of 210,000 patients from a healthcare provider operating in the central and Midwestern region of the U.S., which the hacker claims "was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords;"
  • A database containing data of 48,000 patients of a Farmington, Mo.-based healthcare organization, which the hacker claims "was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords."
Media website The Daily Dot, which says it examined TheRealDeal listings for the three healthcare organization databases, reports that among the data being sold are patients' names, dates of birth, addresses, phone numbers and Social Security numbers. Databreaches.net reports the insurance database includes similar information.

DeepDotWeb reports that the self-proclaimed hacker, over an encrypted Jabber conversation, told the news site he used "an exploit in how companies use RDP [remote desktop protocol]. So it is a very particular bug. The conditions have to be very precise for it."

The hacker is selling each of the databases for prices ranging from 151 to 750 bitcoins, according to various news reports. DeepDotWeb says the hacker provided it with images of the three hacked databases from healthcare organizations, with all the identifiable information redacted "so the target company can remain anonymous for now."

The hacker also left a note on the dark web that appears to indicate that the attacker attempted to extort payments from the healthcare entities before putting the data up for sale on the dark web, according to DeepDotWeb.

"Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come," the hacker warns, according to the DeepDotWeb report.

Monetizing a security breach by asking for "hush money" is a classic ploy, says researcher Stephen Cobb of security services firm ESET. "If the attacker gains access to a sensitive database, his top three options to make money are to ransom it, sell it on the black market or simply ask for money to keep quiet," he says. "In this case it looks like the hush money request did not work out, hence the offer for sale."

The sale of health information on the dark web is commonplace, research organizations and law enforcement agencies have confirmed in numerous reports, notes Mac McMillan, CEO of the security consultancy CynergisTek.

"Once information has been stolen, it can be resold over and over again, which is why healthcare information is so valuable and at the same time so dangerous - it's not perishable."

So, if an entity is breached and data stolen, "there is a good chance it will be sold," McMillan says.

Organizations that get a warning from hackers or other third parties about their stolen data purportedly being for sale on the dark web should immediately conduct a forensics examination to determine whether the report is accurate and the data is authentic, and contact law enforcement authorities, McMillan says.

To prevent this kind of data theft, McMillan advises healthcare entities to "eliminate passwords as a single factor for authentication, encrypt your data and employ data loss protection [technology] to identify other instances of the information, like the Access database, and stop the exfiltration of the information."

But it's not only breaches involving hacker attacks that can result in health data being sold on the dark web, warns Ann Paterson, senior vice president and program director of the non-profit coalition Medical Identity Fraud Alliance.

"While MIFA doesn't delve into the dark web, we don't take for granted that lost data, whether through malicious hacking or inadvertent loss such as a lost laptop, is immune to being sold on the dark web. Such cases are not surprising, since those who work in this area understand that selling protected health information is lucrative - it's one of the drivers why this type of crime is growing."

Paterson advises healthcare entities that experience PHI data loss to work with law enforcement and cyber investigators to try to determine if the data has made its way to the dark web. "However, this is often difficult to determine, since data may not be advertised immediately after the loss happens. Fraudsters often 'sit' on the data for a while before attempting to sell it."

Consumers also need to become more educated about the details of medical identity theft and fraud to understand how they might be affected when their PHI is compromised, she says.

"As a society, many of us are experiencing 'data breach fatigue' and may not be paying as close attention to the potential fraud threats when we've been part of a breach. This is dangerous, since there are plenty of indications that PHI is being bought and sold for fraudulent purposes."

And although the owners of the three healthcare databases reportedly being sold on the dark web haven't yet been publicly identified, affected healthcare organizations can often recognize if any of their stolen data is showing up on the dark web, McMillan says. "These records should be an exact match for ones in someone's system," he says. "They should be able to search their system and match them."

But Cobb says confirming the source of stolen data appearing for sale on the dark web can be complicated.

"This can be quite difficult, given that records for one patient may be in dozens of databases belonging to different participants in the highly complex U.S. healthcare delivery and reimbursement system," he says. "Sometimes the seller will reveal the data structure or the database software in which the records were stored, but again, this is not necessarily conclusive, since many institutions use the same software. If a seller has logs of the breach activity, this would be more conclusive, but the seller might not have these and may not be the original breach [source]."

And the same data may be breached numerous times, by multiple attackers, using either the same or different attack vectors, Cobb notes, "particularly if the target organization is not closely monitoring for attacks."
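McMillan's point that an organization can check whether records in a dump are "an exact match for ones in someone's system," and Cobb's caveat that demographic fields for one patient sit in dozens of databases across the healthcare system, together describe a simple attribution check. The following is an added example (not code from the article or from any of the firms quoted in it) showing how an incident responder might run that check against a sample of leaked rows: records are normalized and hashed, a match on widely shared fields (name, date of birth, last four SSN digits) is treated as weak evidence, and only a match that also includes an identifier this organization alone issues (here an assumed internal medical record number, `mrn`) is treated as consistent with the dump having come from this system. All records are constructed sample data.

```python
"""Attribution check for a sample of records offered for sale.

Added illustration, not code from the article. Field names, the notion of an
organization-only identifier ("mrn"), and all sample records are assumptions.
"""
import hashlib

# Fields that appear in many healthcare databases (insurers, providers,
# clearinghouses). Matching on these alone is weak evidence of the source.
SHARED_FIELDS = ("name", "dob", "ssn_last4")
# Fields whose values only this organization issues (assumption: an internal
# medical record number). Matching on these as well is strong evidence.
ORG_FIELDS = ("mrn",)

VERDICT_CONSISTENT = "consistent with this organization's records"
VERDICT_INCONCLUSIVE = "inconclusive: shared fields match, no organization-specific identifiers"
VERDICT_NO_MATCH = "no match"


def normalize(value):
    """Case-fold and collapse whitespace so trivial formatting differences do not hide a match."""
    return " ".join(str(value).strip().lower().split())


def fingerprint(record, fields):
    """Hash the named fields of a record; None if the record carries none of them.

    Hashing lets a sample be compared without copying raw patient data around.
    """
    parts = [normalize(record.get(f, "")) for f in fields]
    if all(p == "" for p in parts):
        return None
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def index_records(records, fields):
    """Map fingerprint -> count of internal records with that fingerprint."""
    index = {}
    for rec in records:
        fp = fingerprint(rec, fields)
        if fp is not None:
            index[fp] = index.get(fp, 0) + 1
    return index


def assess_leak_sample(leaked, internal):
    """Compare a leaked sample against internal records and return a summary dict."""
    shared_index = index_records(internal, SHARED_FIELDS)
    strong_index = index_records(internal, SHARED_FIELDS + ORG_FIELDS)

    demographic_hits = sum(1 for row in leaked if fingerprint(row, SHARED_FIELDS) in shared_index)
    strong_hits = sum(1 for row in leaked if fingerprint(row, SHARED_FIELDS + ORG_FIELDS) in strong_index)

    # A matching column layout is a hint, not proof: many institutions run the same software.
    leaked_cols = set().union(*(r.keys() for r in leaked)) if leaked else set()
    internal_cols = set().union(*(r.keys() for r in internal)) if internal else set()

    if leaked and strong_hits == len(leaked):
        verdict = VERDICT_CONSISTENT
    elif demographic_hits > 0:
        verdict = VERDICT_INCONCLUSIVE
    else:
        verdict = VERDICT_NO_MATCH

    return {
        "sample_size": len(leaked),
        "schema_match": leaked_cols == internal_cols,
        "demographic_matches": demographic_hits,
        "strong_matches": strong_hits,
        "verdict": verdict,
    }


# Constructed sample data: the organization's own records.
INTERNAL = [
    {"mrn": "MRN-0001", "name": "Jane Q. Public", "dob": "1980-02-14", "ssn_last4": "1234"},
    {"mrn": "MRN-0002", "name": "John Doe", "dob": "1975-07-30", "ssn_last4": "5678"},
    {"mrn": "MRN-0003", "name": "Ana Lopez", "dob": "1990-11-02", "ssn_last4": "9012"},
]

# Constructed leaked samples: one carries our own identifiers, one only shared
# demographics under another system's member id, one is unrelated.
LEAK_SAMPLE_OURS = [
    {"mrn": "mrn-0001", "name": "JANE Q. PUBLIC", "dob": "1980-02-14", "ssn_last4": "1234"},
    {"mrn": "MRN-0003", "name": "Ana  Lopez", "dob": "1990-11-02", "ssn_last4": "9012"},
]
LEAK_SAMPLE_SHARED = [
    {"member_id": "X-77", "name": "Jane Q. Public", "dob": "1980-02-14", "ssn_last4": "1234"},
    {"member_id": "X-78", "name": "John Doe", "dob": "1975-07-30", "ssn_last4": "5678"},
]
LEAK_SAMPLE_OTHER = [
    {"name": "Someone Else", "dob": "2000-01-01", "ssn_last4": "0000"},
]

if __name__ == "__main__":
    for label, sample in (("ours", LEAK_SAMPLE_OURS), ("shared", LEAK_SAMPLE_SHARED), ("other", LEAK_SAMPLE_OTHER)):
        print(label, assess_leak_sample(sample, INTERNAL))
```

The "shared" sample shows why a demographic match by itself should not drive disclosure decisions: both rows correspond to real patients of this organization, yet the same rows would match equally well at the insurer or clearinghouse that also holds them, which is the situation Cobb describes. Breach logs or organization-specific identifiers in the dump are what move the verdict from inconclusive to consistent.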