2021: Breaches and Ransomware Off to Scary Start
Despite daily reminders from every tech news source, businesses at every level remain hesitant to invest in information security. Whether it is reluctance to retain an outside security firm or to fund the necessary equipment, personnel, or software, refusing to invest in cybersecurity and information assurance produces long-term deficits. For any reader who needs fodder to persuade a board, supervisor, Chief Financial Officer, or other bean counter that security investments should be mandatory, not discretionary, review these fresh 2021 attacks:
1. Jones Day is a mega law firm; according to Am Law, it is the 10th largest law firm in the USA. Its clients include "blue chips" such as Google, Walmart, and McDonald's, and it also represents former President Donald J. Trump. On February 3, 2021, the Clop ransomware group claimed that it had notified Jones Day that it stole privileged client information directly from Jones Day's servers. Jones Day says the data was taken in a third-party vendor breach, namely of the Accellion file sharing service, which also affected Goodwin Procter LLP (another mega law firm). Whatever the true entry point (why would Clop lie?), Clop posted snippets of Jones Day data on the dark web to back up its claim. Jones Day is investigating the breach and will undoubtedly end up in litigation. If Accellion is determined to be the source and this is ultimately a supply-chain vulnerability, Jones Day and other Accellion customers will have to answer questions about whether they properly vetted Accellion as a vendor, especially given its history of security vulnerabilities.
2. On February 13, 2021, Kia Motors received a $20 Million ransom demand from the DoppelPaymer ransomware gang, with the threat that delayed payment would raise the price to $30 Million. In exchange for that sum, Kia would receive the decryption key that unlocks its IT and information infrastructure, which the ransomware otherwise leaves encrypted and unusable. Beyond halting critical IT operations, DoppelPaymer practices what is known as "double extortion": it also threatens to publish Kia's most sensitive stolen data on the dark web as additional leverage, so that restoring from backups alone does not end the crisis. Kia has not yet disclosed how the ransomware entered its network. Such attacks most often begin with an email phishing campaign, in which an untrained user with sufficient network privileges clicks a malicious link or opens a malicious attachment.
3. On February 9, 2021, T-Mobile sent data breach notices to customers affected by "SIM swapping," in which cyber criminals use social engineering, typically against carrier staff, to have a victim's phone number moved to a SIM card the criminal controls. Control of the number lets the criminal receive the victim's calls and text messages, including SMS one-time passcodes, so any multi-factor authentication that relies on SMS or voice can be bypassed and accounts protected only that way, such as banking and social media accounts, can be taken over. The FBI recently released guidance on SIM swap defenses. According to T-Mobile, which counts this event as its fifth data breach in four years, "T-Mobile identified this activity—terminated the unauthorized access and implemented measures to protect against reoccurrence."
In addition to the major targets above, California's Department of Motor Vehicles announced on February 18, 2021 that it was likely breached through a supply-chain vulnerability. For the last 20 months the DMV had used Seattle-based Automatic Funds Transfer Services (AFTS) to verify certain record changes against the national database; AFTS was hit by an unspecified strain of ransomware earlier in February 2021. The supermarket chain Kroger was also a victim of the Clop ransomware gang's Accellion hack: it learned of the breach on January 23, 2021 and immediately discontinued its use of Accellion. Kroger confirmed that human resources data and pharmacy records were affected. Because pharmacy records are protected health information, Kroger will likely now have to self-report the breach to the Department of Health and Human Services (DHHS) under the HIPAA breach notification rule.