Guess how many stories include third-party breaches in this week's newsletter?
In this week's Cyber Weekly:
Thanks to all 13,614 subscribers. It really takes a community to fight against cyberattacks. By sharing these newsletters, we can reach more people and help others avoid becoming a statistic. Share this post using the button in the top right corner of the article. Also, follow me on LinkedIn for daily cyber security discussions >> Luigi Tiano.
The National Basketball Association (NBA) notified fans of a data breach after one of its third-party email service providers was attacked. Fan information held by this third party was stolen. The NBA emailed an undisclosed number of fans to tell them that their name and email address had been taken, and clarified that the NBA's own systems were not breached. It also encouraged fans to watch out for phishing scams that may use the stolen data.
"We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA," the NBA says.
NBA programming and games are broadcast worldwide, in over 215 countries and territories, in over 50 languages. (bleepingcomputer)
My thoughts: Once again vendor management comes into play. Be sure to complete your due diligence. You are only as strong as your weakest vendor. Third-party breaches will continue to plague the cyber security industry.
QIMR Berghofer is a medical research institute based in Brisbane, Australia. It hired Datatime to review the data collected for a specific study investigating how skin cancers and melanomas develop. Datatime intended to delete the information after 12 months, but it was hacked before then: last November, attackers locked Datatime out of its own systems.
Only when approached did QIMR Berghofer reveal that 1,128 people were affected by the breach. Worst of all, the data subjects feel neglected. Those affected by the breach tried to reach out to the research institute but were ignored.
This is just what one man had to say about it:
"It just makes you a little bit crazy because you can't see the end of it … I don't know what's out there and I don't know how it's going to end and nobody seems to want to help me."
Mr. Woodbridge said the last time he heard from QIMR Berghofer was two weeks ago when the medical institute tried to recruit him into another study on Parkinson's disease.
"I felt outraged," he said.
"I'm probably not the only person like this, they probably sent emails to everybody else who participated in the QSKIN surveys and other surveys without telling them what's happening, and just say, 'Oh look trust us again with your data, she'll be right, she'll be right.'
"That doesn't make me feel good at all. They don't respond and then they invite me back again." (abc)
My thoughts: It is shocking that this is another third-party vendor breach. (sarcasm). I want to reiterate that companies need to involve their marketing organization when there is a breach. We discussed this last week. A breach means stopping ads and emails until things have settled. Or else, you could tarnish your brand and just look silly. Respect your clients!
Hitachi Energy is a division of the Japanese engineering and technology giant Hitachi. It focuses on energy solutions and power systems and has an annual revenue of $10 billion.
Hitachi Energy confirmed that it suffered a data breach after its third-party software provider's product, Fortra's GoAnywhere MFT (Managed File Transfer), was the victim of an attack by the Clop ransomware group.
Unauthorized parties accessed employee data in some countries. Upon discovery, Hitachi Energy disconnected the impacted system and initiated an internal investigation.
“On February 6, 2023, an exploit for CVE-2023-0669 was publicly released, and on February 10, 2023, Clop declared that it had already breached 130 organizations leveraging the vulnerability in GoAnywhere MFT.” (bleepingcomputer)
My thoughts: I had no intention of writing only about third-party attacks, but this Cyber Weekly is proof that vendor and supplier management is 100% necessary for cyber security.
Latitude Financial, a non-bank financial lender, admitted it was the victim of a cyber attack in which customer data belonging to 330,000 customers was stolen. The stolen data included driver's licenses, passports and Medicare numbers. The company is treating this as an active investigation, as it still does not know whether the threat actors remain in its environment, and it is warning that more customers may be affected. (securityweek)
My thoughts: Last year, 33% of Australia's population were the victims of cyber attacks. That number keeps rising. It's shocking there aren't stricter policies in place yet. On the other hand, they are one of the only companies that actually warned that more customers might be affected. All too often, companies diminish the severity of an attack and claim "it's only X number of customers affected" before their investigation is over. Latitude Financial is setting expectations. I can applaud them for that.
I started Assurance IT with my childhood friend Ernesto Pellegrino in 2011. Our mission is to help 100,000 companies become cyber resilient through our services and free content. We focus on helping mid-sized organizations with data protection and data privacy. Our primary services include: endpoint management, cloud backup, DRaaS, and Microsoft 365 backup.
Access monthly conversations with IT & Tech Leaders about the hottest cyber security topics in the industry.