Exploit: Unauthorized database access
Thinkful: E-learning website for developers
By leveraging an employee’s stolen credentials, an unauthorized third party was able to access the company’s database. While sensitive data, such as social security information, was not exposed, it’s possible that other personal information was accessed. In response, Thinkful has notified its users of the data breach, and is requiring password resets on all accounts. While the company wrote to its users that it is taking additional steps to enhance security, these efforts will not help those whose credentials were already compromised in the breach. This incident follows on the heels of the company being acquired by Chegg.
Users’ Social Security numbers were not compromised in the breach, but other personal information could have been accessed by hackers. Users should create unique passwords, enroll in multi-factor authentication, and monitor their accounts for suspicious activity in the wake of the attack.
Thinkful’s data breach announcement is especially problematic since it immediately followed news that the company was being acquired by Chegg. It’s unclear how this cyber-security incident will impact the deal, but cyber-criminals often target small companies before an acquisition, hoping to infiltrate their IT infrastructure before coming under the protection of the larger, more robust system of their new parent company. Therefore, businesses must consider cyber-security as both a moral imperative and a financial necessity, especially in the realm of mergers and acquisitions.
Campbell County Memorial Hospital: Healthcare provider operating as part of the Campbell County Health Department
A ransomware attack on Campbell County Memorial Hospital forced the healthcare provider to divert ambulance services, cancel surgeries, and stop admitting patients. The hospital’s emergency room remains operational, but many services are curtailed. Hackers did not send a ransom demand, leaving hospital IT administrators grappling for a solution. Campbell County Memorial Hospital reports that no patients were harmed because of the outage. However, with no solution in sight, patient care remains dubious and the long-term financial ramifications of the incident could be extensive.
Exploit: Malware attack
Southeastern Pennsylvania Transport Authority: American transport authority
The online store for the Southeastern Pennsylvania Transport Authority was victimized by Magecart malware, a data skimming attack that steals customer data at checkout. In response, the department permanently closed their online store. The malware was spotted on July 16th, but it took the agency more than two months to gather relevant data and notify customers. The lengthy delay could have compromised additional users while also exacerbating the inevitable PR nightmare that always accompanies a breach.
Hackers gained access to the most sensitive form of e-commerce data, including names, credit card numbers, and addresses. Since this information can quickly spread on the Dark Web and then used to perpetuate additional financial or identity fraud, those impacted by the breach should notify their financial institutions and enroll in identity and credit monitoring services as soon as possible.