Health insurance exchange exposed client data. Mattress company suffers Magecart attack. Mailchimp breach leads to phishing. – The CyberWire
At a glance.
Audit reveals health insurance exchange failed to protect client data. Mattress company loses sleep over Magecart attack. Mailchimp breach leads to phishing operation targeting crypto and financial sectors.
Audit reveals health insurance exchange failed to protect client data.
A recent state audit conducted by the Auditors of Public Accounts has found that Access Health CT, a health exchange that facilitates the purchase of Obamacare plans for Connecticut residents, does not do enough to protect personal client data and neglected to properly report forty-four breaches that occurred between July 2017 and March 2021. “Internal controls were not adequate to prevent the breaches of client data,” stated State Auditor John Geragosian. The Hour notes that a review of data from the state Attorney General’s Office shows that Access Health CT has reported experiencing the most breaches of any private or public organization in Connecticut since 2013. Of the forty-four breaches in question, the exchange’s call center vendor Faneuil Inc. was found to be responsible for thirty-four (and three additional breaches have already been reported this year), usually the result of a call center representative adding the wrong clients to customer accounts. Access Health CT spokesperson Kathleen Tallarita noted that most of the incidents impacted only one client at a time, and the exchange has acquired the support of cybersecurity firm JANUS Associates to improve the organization’s data handling processes.
Mattress company loses sleep over Magecart attack.
German mattress maker Emma Sleep Company has begun notifying customers that a Magecart attack that occurred between January 27 and March 22 resulted in the theft of customer data. The notification explains, “This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not.” The company uses the popular Adobe Magento e-commerce platform, which was found earlier this year to have critical security vulnerabilities that were being actively exploited. (Adobe issued two patches to mitigate the issues.) Emma Sleep Company’s CEO Dennis Schmoltzi told the Register that upon detection of the attack, the company immediately secured the data, launched an investigation, and reported the incident to the relevant authorities.
Kunal Modasiya, senior director of product management at PerimeterX, sees a cautionary tale about supply chains:
“Magecart attackers continue to seek out creative ways to steal customers’ PII, in this case credit card information specifically. In this scenario, the bad actors created copycat URLs tailored to the company’s environment in order to avoid detection. Though the Magento platform was kept up to date, this is a primary example of the need to have continuous visibility into the JavaScript that powers a website and to get real-time alerts when risky behavior changes are observed. Given the risks of supply chain attacks in general, it is important that e-commerce companies look beyond static code analysis, external scanners and the limitations of CSP to solutions that provide real time visibility and control into their attack surface to identify vulnerabilities and anomalous behavior, and proactively mitigate the risk of stolen customer data.”
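The comment above points at two defensive controls: an inventory of the JavaScript a checkout page actually loads, and alerts when a script comes from a host that merely resembles the merchant's own ("copycat URLs"). The following is an added example, not code from The CyberWire, Emma Sleep, Adobe Magento or PerimeterX. It assumes a merchant-maintained allowlist of trusted script hosts (`TRUSTED_SCRIPT_HOSTS`) and uses constructed sample URLs; in a browser the same functions would be fed `Array.from(document.scripts, s => s.src)`.

```javascript
// Added example (not from the original article or any vendor named in it):
// inventory the script sources on a checkout page and flag any host that is
// not on the merchant's allowlist, singling out look-alike hostnames that sit
// within a small edit distance of a trusted host.

// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Hosts within this edit distance of a trusted host are reported as look-alikes.
const LOOKALIKE_MAX_DISTANCE = 2;

// Classify one script src against the allowlist. Inline scripts (empty src)
// are reported separately so they can be reviewed by hash, not ignored.
function classifyScript(src, trustedHosts) {
  if (!src) return { src, verdict: 'inline' };
  let host;
  try {
    host = new URL(src).hostname.toLowerCase();
  } catch (e) {
    return { src, verdict: 'unparseable' };
  }
  if (trustedHosts.includes(host)) return { src, host, verdict: 'trusted' };

  // Find the nearest trusted host; a near miss is the copycat pattern.
  let closest = null;
  let best = Infinity;
  for (const t of trustedHosts) {
    const d = levenshtein(host, t);
    if (d < best) { best = d; closest = t; }
  }
  if (best <= LOOKALIKE_MAX_DISTANCE) {
    return { src, host, verdict: 'lookalike', closest, distance: best };
  }
  return { src, host, verdict: 'unknown' };
}

// Audit a whole list of script sources; returns one finding per script.
function auditScripts(scriptSrcs, trustedHosts) {
  return scriptSrcs.map((src) => classifyScript(src, trustedHosts));
}

// Only the findings that should raise an alert on a checkout page.
function suspiciousScripts(scriptSrcs, trustedHosts) {
  return auditScripts(scriptSrcs, trustedHosts)
    .filter((f) => f.verdict !== 'trusted' && f.verdict !== 'inline');
}

// Constructed allowlist (assumption: the merchant maintains this list).
const TRUSTED_SCRIPT_HOSTS = [
  'www.example-shop.com',
  'checkout.example-shop.com',
  'cdn.example-shop.com',
];

// Constructed sample of what document.scripts might contain on a checkout page:
// a first-party script, an inline block, a copycat host ("examp1e"), and an
// unrelated third-party host.
const SAMPLE_SCRIPT_SRCS = [
  'https://checkout.example-shop.com/js/cart.js',
  '',
  'https://checkout.examp1e-shop.com/js/cart.js',
  'https://static.unrelated-cdn.net/analytics.js',
];

// Stand-alone run: print the alerts a monitor would raise for the sample page.
for (const f of suspiciousScripts(SAMPLE_SCRIPT_SRCS, TRUSTED_SCRIPT_HOSTS)) {
  console.log(`[${f.verdict}] ${f.src}` + (f.closest ? ` (near ${f.closest})` : ''));
}
```

The allowlist comparison is the part a CSP would also do; the edit-distance pass is what catches a registered copycat domain that a static policy written before the attack never mentions. Running the check periodically from a monitoring browser, rather than once at deployment, is what gives the "continuous visibility" the comment asks for.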
Mailchimp breach leads to phishing operation targeting crypto and financial sectors.
Popular US email marketing firm Mailchimp has confirmed that intruders gained access to internal customer support and account management tools in order to steal audience data and launch phishing attacks. The confirmation came after owners of Trezor hardware cryptocurrency wallets began tweeting that they’d received phishing notifications claiming the company had suffered a data breach. The scam emails directed the recipients to reset their hardware wallet PINs, but in fact tricked them into downloading malicious software that gave the hackers access to the cryptocurrency. Mailchimp told Bleeping Computer that the attack goes beyond Trezor customers, as Mailchimp employees were also targeted with a social engineering attack that resulted in an intruder accessing one of the company’s customer support and account administration tools. The attackers accessed approximately three hundred Mailchimp accounts and exported audience data from about one hundred, focusing on customers in the cryptocurrency and finance sectors. The hackers also gained access to API keys for an undisclosed number of customers, which gave the threat actors the ability to send spoofed emails. Mailchimp CISO Siobhan Smyth told TechCrunch, “When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access. We also recommend two-factor authentication and other account security measures for our users as added measures to keep accounts and passwords secure.”