Avantia Threat Update
AMEX CARD HOLDERS - BEWARE

This past week: AMEX users have been targeted with a new type of virus that evades antivirus software; NAB discloses a 13,000-customer data breach; Equifax coughs up US$ 700 million to consumers over its 2017 breach; Huawei is in the news again for all the wrong reasons; hackers plant Trojan viruses in Microsoft Outlook; Apple disables its Walkie-Talkie Watch app; a data breach at Lancaster University nets 12,000 students' details; and major data breaches hit Bulgaria, the USA & Australia.
This Past Week’s Top Dark Web Exploits:
Top Source Hits: ID Theft Forums
Top Compromise Type: Domain
Top Industry: Education & Research
Top Employee Count: 1 - 10 Employees
This Past Week’s Top Targeted Industries:
Finance Hits: 595 | Targets: Equifax Inc, PayPal, QuickBit Ltd., Desjardins Group, Westpac Banking Corp
Software Hits: 191 | Targets: Cambridge Analytica, Microsoft, Yahoo, Sytech (Moscow company), Citrix Systems
Manufacturing Hits: 174 | Targets: BASF, Siemens, Bayer, Sony Corp, Lenovo Group Ltd
Chemicals Hits: 147 | Targets: BASF, Henkel, Bayer, Dow Chemical, Covestro AG
Chemicals Hits: 137 | Targets: BASF, Henkel, Covestro AG, Dow Chemical, Shin-Etsu Chemical
This Week’s Top Threat Actors:
Axiom Hacking Group Hits: 24 | Targets: Germany, Google, China, South Korea, Anthem
FIN8 Hits: 23 | Targets: POS devices, US Hotel, United States, Point of Sale, Credit Cards
GCHQ (UK) Hits: 17 | Targets: Proximus Group, United Kingdom, Belgium, Israel, Germany
APT17 Deputy Dog Hits: 13 | Targets: United States, Carbon Black, Inc., Japan, Bryce Boland, Google
APT15 Vixen Panda Hits: 12 | Targets: India, United Kingdom, Government of the United Kingdom, U.S. Defense Industrial Base, Ministry of Foreign Affairs
This Past Week’s TOP Malware Exploits:
Monokle Hits: 58 | Targets: Android, Apple, Syria, Skype, Domain Name System
Triada Hits: 42 | Targets: Android, Smartphone, Telecommunications network, Web, Google
Winnti Hits: 25 | Targets: Germany, Siemens, BASF, Henkel, Switzerland
Sodinokibi Hits: 23 | Targets: Oracle WebLogic Server, Microsoft Windows, Germany, InfoSec, Oracle Corp
Stuxnet Hits: 22 | Targets: Iran, North Korea, Industrial Control Systems, SCADA and ICS Products and Technologies, United States
IN OTHER NEWS
NEW PHISHING SCHEME TARGETS AMEX USERS:
Researchers have uncovered a new type of phishing campaign that is targeting American Express card users. In these incidents, attackers are sending a hyperlink as part of a phony account update to access the victim’s credentials and other account details, Virginia-based security firm Cofense disclosed this week. Researchers stumbled across one phishing email held in an inbox using Microsoft’s Office 365 Advanced Threat Protection, according to Cofense. What makes this phishing attack different is that instead of using a hyperlink to send victims to a malicious landing page, this scheme deploys an embedded “base href” URL to help hide the true intent from anti-virus and other security tools, Cofense says. The attackers behind this phishing campaign also sought out as many American Express users as possible and did not discriminate between corporate users or consumers, according to Milo Salvia, a researcher at Cofense, who wrote about the issue this week. The attack targeted users of four types of American Express accounts: actual credit cards, membership reward accounts, merchant accounts and American Express @Work accounts, Salvia notes. The number of affected customers, the date of the attack and whether any data has appeared on dark net forums remain unknown. But Salvia says this type of scheme is an efficient way to target customers in bulk, especially when the emails are sent in such high volumes. "The broad stroke attack would be very efficient when sent en masse, especially with its clever technique for bypassing URL filters and email gateways," Salvia wrote in a blog. In 2018, American Express added about 12 million card members, and card activity increased about 9 percent last year compared to the previous year, according to the company's 2018 revenue report. A spokesperson for American Express did not reply to a request for comment.
As part of this new phishing campaign, attackers used the base HTML links to split the phishing URL into two pieces, which allowed the malicious URL to evade filters. Current scanning devices do not have the ability to detect it as one malicious entity, according to Cofense. At the same time, the base URL acted as the building block for other URLs within the phishing message, Cofense reports. "This tactic helps the attacker evade URL filters and gateways that have active URL scanning services, which currently do not have the capability to combine these inert pieces into a scannable malicious URL," Salvia says. Cofense researchers found that the attackers in this campaign targeted cardholders with a phishing email requesting they update their card details for system maintenance or face a temporary shutdown of their account. Despite many grammatical and spelling mistakes, the message created a sense of urgency, Cofense says. The campaign is just one example of how attackers are blurring the lines between consumers and business users. Amazon Prime users also were recently targeted in a similar way by a phishing kit called 16Shop (see: Phishing Campaign Tied to Amazon Prime Day). The phishing kit sent an email requesting Amazon Prime account holders update their information ahead of the Amazon Prime Day. In 2018, 16Shop had targeted Apple users in the same way. In the 2019 Internet Security Threat Report, researchers from Symantec found that spear-phishing emails remained the most popular mechanism for attack, used by 65 percent of cybercriminal groups during 2018. The study also noted that for almost 96 percent of these groups, intelligence gathering was the main focus. David Finn, a former healthcare CIO who is now executive vice president of security consulting firm CynergisTek, previously told Information Security Media Group that phishing is one of the top causes for data breaches. 
"We will certainly need the [security] technology, but the phishers or spammers are actually relying on the human frailties of trust," Finn said (see: Phishing: Mitigating Risk, Minimizing Damage). On Thursday, Barracuda Networks published a report that found so-called lateral phishing, where attackers use hijacked accounts they've recently compromised to send phishing emails to an array of recipients, is a problem for one in seven organizations in the U.S.
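For mail filtering, the "base href" split that Cofense describes means a link has to be joined with the message's `<base>` element before its destination is checked. The following is an added example, not code from Cofense or the original report: it models a filter that checks each link value in isolation next to one that resolves links first, using a constructed message body and the placeholder hosts `phish.example` and `www.brand.example`.

```python
"""Resolve links in an HTML e-mail body the way a mail client does, honouring <base href>."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry a URL the recipient can be sent to.
URL_ATTRS = {"a": "href", "area": "href", "form": "action", "img": "src"}


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every raw link attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base_href = None
        self.raw_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            # HTML uses only the first <base> element that has an href.
            if self.base_href is None and attrs.get("href"):
                self.base_href = attrs["href"].strip()
            return
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.raw_links.append(attrs[attr].strip())


def collect(html_body):
    """Return (base_href or None, list of raw link values) for one HTML body."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return parser.base_href, parser.raw_links


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def naive_scan(html_body, blocked_hosts):
    """Simplified model of a filter that checks each link value in isolation."""
    _, raw_links = collect(html_body)
    return [u for u in raw_links if host_of(u) in blocked_hosts]


def base_aware_scan(html_body, blocked_hosts):
    """Join each link with <base href> first, then check the effective URL."""
    base, raw_links = collect(html_body)
    effective = [urljoin(base, u) if base else u for u in raw_links]
    return [u for u in effective if host_of(u) in blocked_hosts]


def links_relying_on_base(html_body):
    """Relative links whose destination is decided by <base href>.

    Relative links are unusual in e-mail, so these pairs are worth flagging
    for review even when the resolved host is not on any blocklist yet.
    """
    base, raw_links = collect(html_body)
    if not base:
        return []
    pairs = []
    for raw in raw_links:
        parts = urlsplit(raw)
        if not parts.scheme and not parts.netloc:
            pairs.append((raw, urljoin(base, raw)))
    return pairs


# Constructed sample body (not taken from the campaign); hosts are placeholders.
SAMPLE_HTML = """
<html><head><base href="https://phish.example/amex/"></head>
<body>
  <p>Please update your card details to avoid suspension.</p>
  <a href="login/update.html">Verify account</a>
  <a href="https://www.brand.example/">Home</a>
</body></html>
"""
BLOCKED_HOSTS = {"phish.example"}  # constructed blocklist entry

if __name__ == "__main__":
    print("naive filter hits:     ", naive_scan(SAMPLE_HTML, BLOCKED_HOSTS))
    print("base-aware filter hits:", base_aware_scan(SAMPLE_HTML, BLOCKED_HOSTS))
    for raw, resolved in links_relying_on_base(SAMPLE_HTML):
        print(f"relative link {raw!r} resolves to {resolved}")
```
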
NATIONAL AUSTRALIA BANK (NAB) REVEALS 13,000 PERSON DATA BREACH:
NAB disclosed a data breach late Friday after a dataset containing the personal details of approximately 13,000 customers was uploaded to the servers of “two data service companies”. It was announced just-after-6PM late on Friday – a time often used to take-out-the-trash in the hope that bad news disappears amid the weekend’s sport and other frippery. The bank notified the Office of the Australian Information Commissioner (OAIC) earlier on Friday afternoon, then started to contact customers, and then made news of the breach public with an online statement. Chief data officer, Glenda Crisp, said the compromised data “included customer name, date of birth, contact details and in some cases, a government-issued identification number, such as a driver’s licence number.” Crisp attributed the issue to “human error”. She said the uploads to the data service providers were done “in breach of NAB’s data security policies.” Crisp said it “was not a cyber-security issue”. While she did not detail the exact reason the dataset was uploaded, it would appear the bank was performing some form of data analytics work on the dataset using third-party tools or services. NAB said its security teams had contacted the two companies, “who advise that all information provided to them [was] deleted within two hours”. NAB said it would call, email or write “to each impacted customer individually.” “A dedicated, specialist support team is in place, available to them 24/7,” she said. “If government identification documents need to be reissued, NAB will cover the cost. “NAB will also cover the cost of independent, enhanced fraud detection identification services for affected customers.” The bank said there was “no evidence to indicate that any of the information has been copied or further disclosed.”
MAN ARRESTED OVER UK's LANCASTER UNIVERSITY DATA BREACH HACK:
Police in the UK have cuffed a 25-year-old man from Bradford on suspicion of committing ‘Computer Misuse Act’ crimes after Lancaster University suffered a data breach affecting more than 12,000 students and applicants. In a statement the National Crime Agency said: "Officers from the NCA's National Cyber Crime Unit arrested the man on Monday (22 July) and he has since been released under investigation while enquiries are ongoing." As reported yesterday, Lancaster University admitted that a phishing attack had resulted in person or persons unknown accessing the personal data of people applying for undergraduate degree courses starting this year and in 2020. Students paid fraudulent invoices. Names, addresses, email addresses and phone numbers were among the categories of data visible to the hackers. Fraudulent invoices were sent to some, the university admitted. With overseas applicants (of which Lancaster had 575 last year from non-EU countries and 375 from other EU countries) paying fees measured in the tens of thousands of pounds per year, the potential for high returns is great. The highest undergraduate fee for overseas (non-EU) students is for Lancaster's Bachelor of Medicine, Bachelor of Surgery (MBChB) course, at UK £31,540. Sources with knowledge of the situation said that the breach could potentially have affected 20,000 people all told. Some estimates of UK applicants affected by the breach stand at 12,500 people based on public UCAS data. We are further informed that the attackers' route in was through the compromise of a staff account with administrator credentials, handing the attackers a golden ticket with which to rampage through the university's systems. Lancaster University declined to comment. Back in April JISC, the authority formerly known as the UK Academic Joint Information Systems Committee, warned that they had a 100 per cent success rate when researchers phished universities as part of a red-teaming exercise. Evidently someone wasn't listening.
EQUIFAX TO PAY UP TO $700 MILLION TO CUSTOMERS & AUTHORITIES OVER 2017 BREACH:
Equifax and U.S. government agencies announced on Monday that the credit reporting agency is prepared to pay up to $700 million to settle charges related to the massive 2017 data breach that impacted roughly 147 million people. According to the U.S. Federal Trade Commission (FTC), Equifax has agreed to pay at least $575 million, but the amount could be increased to $700 million if necessary. The money will be used to compensate consumers and settle charges brought by the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 states. Equifax will set up a $300 million fund to provide credit monitoring services to affected customers and compensate them for credit and identity monitoring services and other expenses for which they paid themselves in response to the data breach. In addition, $175 million will be paid to 48 states, the District of Columbia and Puerto Rico, and $100 million represents civil penalties paid to the CFPB. On a website set up by Equifax for the consumer class action settlement, the company has pointed out that a federal court will need to approve the deal. If the settlement is approved, customers can receive free credit monitoring or $125 in cash if they already benefit from credit monitoring services for at least another 6 months. Impacted customers are also eligible for up to $20,000 in cash for the time spent dealing with the breach, including for losses resulting from the incident, and dealing with fraud, identity theft or other misuse of personal information. “Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made,” the company said on the consumer settlement website. As part of the settlement with authorities, Equifax has also agreed to implement a comprehensive cybersecurity program, which will be assessed every two years by a third party.
“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” said Mark W. Begor, CEO of Equifax. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data - and reflects the seriousness with which we take this matter. We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.” Hackers gained access to a database associated with Equifax’s Automated Consumer Interview System (ACIS) after the company failed to address a critical vulnerability it learned of a couple months earlier. The attackers gained access to the database in mid-May 2017 and made roughly 9,000 unauthorized database queries before Equifax detected suspicious activity in July 2017. The hackers gained access to names, social security numbers, dates of birth and other information belonging to over 145 million individuals. Roughly 209,000 payment card numbers and associated expiration dates were also compromised. Following the disclosure of the incident, Equifax was accused of failing to implement a policy for efficiently patching vulnerabilities, failing to segment its network to prevent attackers from moving laterally, failing to install robust intrusion detection systems, and storing sensitive information in plain text. “I’m far from an Equifax apologist, but the truth is it could have been anyone. It’s not an excuse, but rather the reality we live in,” Adam Laub, CMO of STEALTHbits Technologies, told SecurityWeek.
“The best outcome isn’t Equifax making the situation right - although that is important for all of those affected - it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it’s got to be from the ground up too. There’s no silver bullet. There’s no one thing that mitigates the exposure. A multi-layered, multi-faceted approach is critical to making the juice not worth the squeeze for bad actors looking to score quickly and easily,” Laub added.
HUAWEI'S CZECH UNIT SECRETLY COLLECTED DATA: REPORT
The Czech unit of telecoms giant Huawei secretly collected personal data of customers, officials and business partners, Czech public radio reported Monday, fanning concerns about security risks linked to the Chinese group. Two former Huawei managers who spoke on condition of anonymity told the radio that Huawei required them to enter the data into computer systems that could be accessed from China. "Managers who worked for the company for many years told our reporters that they had been forced to enter people's personal data into a system that was separate from commercial data," the report said. The information included the number of children, hobbies and financial situation of designated subjects. "Access to this information in the Customer Relationship Management (CRM) system is only managed by Huawei headquarters in China," one of the former managers told Czech radio. In reaction to the report, Huawei's Czech unit said in a statement that it was in compliance with the EU's General Data Protection Regulation (GDPR) rules designed to protect the privacy of EU citizens. The Czech National Cyber and Information Security Agency said in December 2018 that Huawei's software and hardware posed a threat to state security. "Chinese laws require private companies headquartered in China to cooperate with intelligence services," warned the Czech agency at the time. The United States has banned government agencies from buying equipment from Huawei over fears Beijing could spy on communications and gain access to critical infrastructure if the firm is allowed to develop foreign 5G networks offering instantaneous mobile data transfer. Europeans are divided on the issue, with Germany having in principle accepted Huawei's participation in the construction of its 5G network.
US CYBER COMMAND WARNS OF 'OUTLOOK' VULNERABILITY:
U.S. Cyber Command has issued a warning via Twitter that attackers are attempting to exploit an older vulnerability in Microsoft Outlook to plant remote access Trojans or other types of malware within government networks. It recommends immediate patching of the vulnerability. This particular vulnerability in Outlook was first discovered in 2017, and Microsoft issued a patch for it in October of that year. Since then, however, security researchers have warned that attackers are still taking advantage of this flaw and can execute arbitrary commands on infected systems to spread malware or cause other types of damage to unpatched Windows-based devices. While the warning from Cyber Command did not offer many details, some security researchers, including analysts with Chronicle - the cybersecurity arm of Alphabet - suspect that this latest attack is related to the activity of an advanced persistent threat group known as APT33, which also goes by the name Shamoon. In research that FireEye published in 2017, analysts found that APT33 has possible ties to Iranian intelligence and has previously targeted aerospace and energy firms in the Middle East. Over the last two weeks, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Agency has warned about an increase in Iranian espionage and cyber activity, including increasing use of so-called "wiper" attacks that render computers unusable. One of the largest wiper attacks ever recorded targeted the oil giant Saudi Aramco in 2012. In that case, the attackers used malware also called Shamoon, which has appeared in other attacks over the course of the last several years. Despite researchers investigating the connections between APT33 and the deployment of the Shamoon wiper malware over the years, an exact link between the two has never been established.
After the latest warning from the U.S. Government, however, Brandon Levene, the head of applied intelligence at Chronicle, downloaded the samples published by Cyber Command and determined that some of the malicious code bears similarities to the Shamoon malware found by other researchers in 2017. The code shared by Cyber Command consists of downloaders dating back to Shamoon campaigns from 2016. These downloaders use PowerShell to download and execute Pupy - an open-source, Python-based, multi-platform Remote Access Trojan (RAT), according to Levene. In addition, the malicious code published by Cyber Command shows that the attack uploads three malicious tools that are likely used for the manipulation of an exploited web server, according to Levene. Each tool has a slightly different purpose, but there is a capability for the attacker to interact with servers they may have compromised, which can then allow for the spreading of malware and other malicious activity, Levene says. Levene and his team believe that there are ties between APT33 and the other Iranian-backed group called MagicHound, which uses similar techniques, including the Pupy RAT. "Assuming the timing is not coincidental, this would indicate a more concrete linkage between what was previously classified as a separate Iranian nexus of state actors in MagicHound, which is the label for this threat group from Palo Alto Networks Researchers, and what is classified as APT33," Levene tells Information Security Media Group. The latest warnings come at a time when several other security firms have taken notice of an increasing amount of APT33 activity. In March, for instance, Symantec researchers published their own analysis, noting that APT33 had started targeting more businesses and organizations in the Middle East and elsewhere, including the U.S. Symantec noted the group attempted to take advantage of a vulnerability in WinRAR - a widely used file archiving and compression utility capable of creating self-extracting archive files.
Symantec also noted the similarities between Shamoon attacks and APT33 attacks, but stressed that researchers could not specifically tie the group to the wiper attacks. In the last month, the New York Times and other publications have reported that the U.S. Cyber Command, which issued the warning, has stepped up its offensive cyber capabilities against Iran's intelligence agencies as tensions between the two countries simmer.
APPLE DISABLES ITS WALKIE-TALKIE WATCH APP - VULNERABILITY
Apple has disabled the Walkie-Talkie app on the Apple Watch after learning of a serious vulnerability that can be exploited to spy on users. The Walkie-Talkie app installed on the Apple Watch allows users to communicate with other users with a compatible Watch just as they would through a traditional walkie-talkie: you press a button to talk and release it when you’re ready for the other party to talk. According to TechCrunch, Apple has temporarily disabled the app after someone informed the company of a security hole through its vulnerability disclosure program. Until Apple releases a patch, the application will continue to be installed on watches, but it will not work. The vulnerability reportedly allows an attacker to use another user’s iPhone as a listening device, but no other details have been made public. “Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” Apple stated. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent.” The news comes a few months after Apple disabled the Group feature in FaceTime due to a vulnerability that could have been exploited to spy on users through their device’s microphone and camera. Lawmakers and state authorities raised concerns about how Apple handled the flaw.
THREAT FOCUS: National Revenue Agency – BULGARIA
Exploit: Unauthorized database access
National Revenue Agency: Government agency responsible for tax collection and social security contributions
Risk to Small Business: 1.555 = Severe: When a hacker gained access to the government agency’s network, the personal information for virtually every Bulgarian adult was compromised. The data theft, the largest ever reported in the Balkans, prompted emergency meetings at the country’s national security agencies. While government agencies have worked hard to secure critical IT infrastructure, they have paid less attention to protecting information databases, a shortcoming that is exposed in the breach. Now, the agency faces the financial costs of repairing the damage and the heightened media scrutiny that accompanies such an expansive data breach.
Individual Risk: 2.428 = Severe: While there is some evidence that people’s personal data was stolen in a messaging attempt directed at the Bulgarian government, this information can be quickly sold on the Dark Web where bad actors use it to perpetrate identity and financial fraud. The data includes names, addresses, incomes, and social security information. Those impacted by the breach need to closely monitor their accounts, and they should acquire the monitoring services necessary to secure their personal information.
Customers Impacted: 5,000,000
Effect on Customers: In an email to journalists, the hacker described the agency’s cybersecurity standards as “parody,” intimating that he was motivated, in part, to expose the lax security standards guarding people’s most sensitive personal information. Especially for government agencies storing personally identifiable information, data security standards are of paramount importance. When these initiatives fail, there is an inherent responsibility not only to improve security standards but to help victims sufficiently recover by providing the credit or identity monitoring services necessary to help them attain peace of mind about their data’s security.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: Henry County Georgia – UNITED STATES
Exploit: Unauthorized network access
Henry County, Georgia: Local government serving residents in Henry County, Georgia
Risk to Small Business: 1.888 = Severe Risk: A cyberattack forced government agencies to take their network infrastructure offline, which prevented employees from accessing servers for email and daily operations, including tax collections, business licenses, building permits, and phone services. In addition, court records were not available, and department heads are considering temporarily adopting paper records to keep business moving. Public safety infrastructure was not impacted by the attack and some offices, like the motor vehicle department, were operational. Officials did not present a timetable for full system restoration, a process that likely won’t be quick and certainly won’t be cheap.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
Effect On Customers: A cyberattack that diminishes working capacity has serious repercussions for any organization. Not only is there often an incredible cost to restore normal business operations, but the unquantifiable opportunity and reputational cost can be even more damaging. Comparatively, cybersecurity services are a bargain, and they can help ensure that your organization isn’t brought offline by cybercriminals.
THREAT FOCUS: Town of Collierville, Tennessee – UNITED STATES
Exploit: Ransomware
The Town of Collierville: Town in Shelby County, Tennessee
Risk to Small Business: 1.777 = Severe Risk: In an extensive attack that cut off computer access for more than 550 government employees, attackers infected the Town of Collierville’s computer network with Ryuk ransomware. The malware made some computer systems unusable and encrypted other files, restricting the government’s access to the information. Consequently, government employees are unable to complete many tasks, including permit requests, public record requisitions, and business services. Fortunately, the town’s emergency services were not impacted by the attack. The city is enacting its response plan, but it has a long road to fully restoring operations.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
Effect On Customers: Ransomware attacks are a top cybersecurity threat for local governments, making a holistic response plan a must-have element to any government’s IT strategy. Fortunately, the Town of Collierville prepared for this scenario, which allowed them to avoid paying the ransom. Regardless, full recovery is still an arduous process, which means that any measures that can help prevent a ransomware attack should be a top priority for local governments looking to avoid being the next victim of a ransomware attack.
THREAT FOCUS: Wise Health System – UNITED STATES
Exploit: Phishing attack
Wise Health System: Medical provider serving patients in Decatur, Texas
Risk to Small Business: 2 = Severe Risk: On March 14th, several employees fell for a phishing scam and entered their usernames and passwords on a false form. Hackers used this information to access an employee kiosk where they attempted to divert payroll deposits. IT administrators don’t believe that the hackers pursued patient data, but this information was included in the compromised accounts. Now, Wise Health System is responsible for providing a year of identity theft protection services to thousands of victims while also facing increased regulatory scrutiny because of their failure to report the incident within 60 days.
Individual Risk: 2.428 = Severe Risk: In addition to the employee account details compromised in the breach, patient data was available to hackers. This includes patients’ medical record numbers, diagnosis, treatment information, and insurance data. Therefore, patients should monitor their accounts for unusual activity while also taking advantage of the identity theft monitoring services offered by Wise Health System.
Customers Impacted: 35,899
Effect On Customers: Phishing attacks are entirely preventable because they rely on employee ignorance and indifference to perpetrate data theft. With the right training, however, employees can learn to spot phishing scams, effectively rendering them useless. It’s a cost-effective way to mitigate a serious risk to any company’s data security initiatives.
THREAT FOCUS: Radio Station WMNF 88.5FM - UNITED STATES
Risk to Small Business: 1.777 = Severe: A ransomware attack on WMNF 88.5 FM forced the station to stop its live broadcasts, leaving listeners with pre-recorded shows instead. The attack also impacted their AudioVault system that includes much of the station’s programming, including advertising material that constitutes a significant share of their revenue. In addition, ransomware restricted access to office files and forms. However, rather than paying the ransom, the station reported the incident to authorities and brought in a cybersecurity contractor to restore their files. Of course, these services alongside the opportunity cost incurred when the station’s material wasn’t accessible will still be an expensive solution for the local radio station.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
Effect On Customers: Even without paying a ransom demand, recovering from a ransomware attack is extremely expensive. Therefore, every organization needs to take every precaution possible to prevent these attacks in the first place. This certainly includes analyzing IT infrastructure for vulnerabilities, but it should also mean attaining the services necessary to know if your employees’ credentials are for sale on the Dark Web where they can be used to facilitate a ransomware attack.
THREAT FOCUS: Adirondack Health – UNITED STATES
Exploit: Unauthorized email account access
Adirondack Health: Full-service healthcare provider serving patients in the Adirondack region of New York
Risk to Small Business: 1.555 = Severe: In March 2019, a remote hacker gained access to an employee’s email account that contained copious amounts of personal data. Although only one email contained patients’ personally identifiable information, it included an attachment for a “gap-in-care” analysis spreadsheet that provided hackers with access to a deluge of patient data. HIPAA guidelines mandate that companies report a data breach within 60 days, so it’s unclear why the company waited longer to notify the agency. In addition to the PR disaster that always accompanies a data breach, Adirondack Health could face fines and penalties because of their slow response time.
Individual Risk: 2.142 = Severe: A significant amount of personal information was compromised in this breach, including names, treatment data, health insurance information, and dates of birth. Because this information is frequently sold on the Dark Web, those impacted by the breach should carefully monitor their accounts for suspicious activity. Moreover, identity and credit monitoring services can help ensure that credentials remain secure.
Customers Impacted: 25,000
Effect On Customers: Small mistakes can have catastrophic consequences for personal data. In this case, brief access to a single email account provided hackers with just one document that compromised data integrity for thousands of people. While companies should take every measure possible to protect their data before a breach, understanding what happens to people’s information after it’s compromised is an important step in the recovery process.
THREAT FOCUS: Syracuse City School District, New York – UNITED STATES
Exploit: Ransomware
Syracuse City School District: Public school district based in Syracuse, New York
Risk to Small Business: 2 = Severe: Ransomware brought services to a stop at the Syracuse City School District. The attack prevented the district from accessing their systems, and the malware spread to the city’s library system, which is now similarly hamstrung. While the district used backups to restore some services, including payroll, human relations, and student management, much of its online infrastructure remains inaccessible. What’s more, the district is embroiled in a debate about the best approach to recover their network as their insurance provider encourages them to pay the ransom and law enforcement agencies suggest that they refrain from making a payment. Regardless of the eventual approach, the district expects to incur six-figure losses from the incident.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
Effect On Customers: The incident at Syracuse City School District illuminates a fierce debate about the most advantageous response to a ransomware attack. Many see paying the ransom as the fastest and most affordable way to recover crucial IT infrastructure. However, responding to ransom demands can incentivize bad behavior, making it more likely that these attacks will continue to wreak havoc on organizations and municipalities around the world. Therefore, it’s important to remember that the best response plan is based around a robust defense that includes identifying network vulnerabilities before an attack occurs.
THREAT FOCUS: Northwood Inc – UNITED STATES
Exploit: Unauthorized email account access
Northwood, Inc.: Provider of medical equipment, prosthetics, and supplies
Risk to Small Business: 1.555 = Severe: On May 6th, hackers gained access to an employee’s email account that contained patients’ personally identifiable information. A forensics investigation determined that hackers accessed company data for three days, and it’s unclear why Northwood waited more than two months to notify the public. In response, all employee passwords were reset, and Northwood encouraged employees to be vigilant about identifying suspicious emails. In addition, the company is upgrading its email security to try and prevent suspicious emails from reaching employees’ inboxes.
Individual Risk: 2 = Severe: The hacked email account contained sensitive client data and personally identifiable information. This includes names, dates of birth, dates of service, provider names, medical record numbers, patient identification numbers, and other health-related information. In addition, some clients had their Social Security numbers, driver’s license numbers, and health insurance information exposed. Northwood cannot confirm if this information was viewed or accessed by hackers, so those impacted by the breach need to be especially vigilant about monitoring their accounts for suspicious activity. Moreover, they should acquire identity and credit monitoring services to ensure the long-term integrity of their data.
Customers Impacted: Unknown
Effect On Customers: In today’s interconnected digital environment, small mistakes can have catastrophic consequences. In this case, a single email gave bad actors expansive access to people’s sensitive data. While Northwood is taking all the right steps to recover from the breach, companies that truly prioritize data security will take these actions before a breach occurs, which will not only help protect critical information but also save companies the incredible expense and reputational cost associated with a data breach.
POSTSCRIPT:
Trust is a must for wary Australian consumers: new study reveals data security influences purchasing habits:
Three out of four (74 per cent) Australian consumers claim their confidence in a brand’s data security influences how they spend money with that brand, according to new global research conducted by payment security specialists PCI Pal together with cloud telephony platform provider Natterbox. More than 2,000 consumers participated in the ‘This is Australia’ research which investigated the sentiment towards data security and the impact on consumer behaviour.
The rising rate of credit card fraud, scammer activity and security breaches in Australia is giving consumers pause when they hand over their payment and personal data. The research revealed that more than one in three (34 per cent) consumers have been a victim of a security breach or hack – the statistics are even greater (40 per cent) for baby boomers and high-income earners.
“The way companies safeguard their customers’ personal data is impacting which brands are trusted and how much consumers spend with those brands,” observed James Barham, CEO at PCI Pal. “The combination of high-profile breaches and personal data loss experiences has made data security top-of-mind for Australians when they reach for their wallets,” Barham explained.
Around half (49 per cent) of respondents are not comfortable giving their credit card details over the phone while 56 per cent would opt for an alternative payment method. One third of young consumers (aged 18 – 24 years old) claimed to ‘absolutely refuse’ to share their payment information over the phone. The retail sector was the least trusted industry for protecting the customer’s personal data security. “At a time when Australian retailers are experiencing challenging times, these findings indicate businesses must take data security seriously to ensure, and in some cases win back, consumer confidence and brand loyalty,” said Barham.
With 43 per cent of consumers saying they would never return to a brand post-breach, and a further 43 per cent reporting they would suspend purchasing in the aftermath of a breach, many Australian consumers are unwilling to forgive a company that compromises their personal data. The consequences of a security breach are severe and immediate for businesses. The small business sector in Australia is also perceived to be in the low-trust category. Over half of consumers surveyed trusted large national companies over small local businesses, based largely on the belief that larger organisations invest more in security.
Charles Heunemann, Managing Director, VP Asia Pacific of Natterbox Limited Australia, believes the solution for business is to stay one step ahead of the hackers to protect themselves and their customers. “Contrary to popular belief, pausing call recording during a Cardholder Not Present (CNP) transaction is not PCI DSS compliant. Any consumer-facing business, large or small, should be prepared for the increasing likelihood of an attempted hack and invest in technology that does not require customers verbally give their credit card details over the phone. Consumer confidence has been eroded by increasingly common data breaches, so businesses must intensify their efforts to reassure consumers that their data is safe,” he said.

Disclaimer*: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the content’s accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.