Nearly 3M people hit in Harvard Pilgrim healthcare data theft

Infosec in brief Nearly a year on from the discovery of a massive data theft at healthcare biz Harvard Pilgrim, the number of victims has risen to nearly 2.9 million people across all US states.

Pilgrim’s problems were first admitted last year after a March ransomware infection that affected systems tied to the health services firm’s commercial and Medicare Advantage plans. While the intrusion occurred on March 28, 2023, it wasn’t discovered until April 17. Pilgrim says it believed customer data was extracted in the interim period.

“After detecting the unauthorized party, we proactively took our systems offline to contain the threat,” Harvard Pilgrim said in its latest notification letter sent out this month. “We notified law enforcement and regulators and are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.”

Names, physical addresses, phone numbers, birth dates, clinical information including lab results, and social security ID numbers were all compromised, Harvard Pilgrim said. 

The latest notification letters mark the fourth time Harvard Pilgrim has updated the total number of victims. An update in February put the total number at 2,632,275 individual records exposed; now it is reporting a total of 2,860,795 people. 

As is usually the case in these sorts of dramas, credit monitoring and identity protection services are being offered, and the business doesn’t believe any of the stolen data has been misused as a result of the theft – that it knows about at least. 

It’s not uncommon for victim numbers to increase during the course of an investigation, though 2.8 million is a lot of people and may not be the final tally yet.

“Our investigation is still underway and we will continue to provide notification in the event we identify additional individuals whose information may have been impacted,” a spokesperson told The Register.

Critical vulnerabilities: A very Cisco week

There weren’t a ton of critical vulnerabilities to report this week, though Cisco did have a pretty busy few days with a series of updates going out for IOS and other products.

  • CVSS 8.6 – CVE-2024-20271: Cisco access point software is improperly processing IP packets, opening it up to denial of service attacks from unauthenticated remote attackers.
  • CVSS 8.6 – CVE-2024-20307/8: Cisco IOS and IOS XE software contain an internet key exchange vulnerability that could allow an attacker to cause heap overflow or corruption of vulnerable systems.
  • CVSS 8.6 – CVE-2024-20311: Cisco IOS and IOS XE’s locator ID separation protocol contains a vulnerability that could cause devices to restart when exploited.
  • CVSS 8.6 – CVE-2024-20259: Cisco IOS XE’s DHCP snooping feature contains a vulnerability that can be used to reboot affected devices.
  • CVSS 8.6 – CVE-2024-20314: Cisco IOS XE contains a vulnerability in the IPv4 software-defined access fabric edge node that could stop traffic processing if abused. 
  • CVSS 8.7 – Multiple CVEs: Rockwell Automation PowerFlex 587 AC drives are improperly validating input and can uncontrollably consume resources, potentially crashing devices and requiring a manual restart.

A few known critical vulnerabilities have been reported as under exploit this week, too:

  • CVSS 10.0 – CVE-2019-7256: Linear eMerge E3-Series access control systems are vulnerable to command injections, and are being attacked.
  • CVSS 9.8 – CVE-2021-44529: Ivanti EPM Cloud Services Appliances allow unauthenticated users to execute arbitrary code, and this is being exploited in the wild.
  • CVSS 9.8 – CVE-2023-48788: FortiClient Endpoint Management Server contains an SQL injection flaw, and it is under active use by criminals.

That’s no moon – it’s a compromised EoL SOHO router!

It’s been a decade since we reported on a worm dubbed TheMoon that was taking over Linksys routers, and wouldn’t you know it – it’s back in a new campaign that’s targeting end-of-life small office/home office (SOHO) routers and IoT devices.

TheMoon’s waxing cycle was spotted by researchers at Lumen Technologies’ Black Lotus Labs, who found it infecting outdated routers to be used as part of a crime-focused proxy network known as Faceless, in what they say is likely a long-term campaign. 

According to Black Lotus Labs, TheMoon’s botnet has grown to include more than 40,000 systems in 88 countries, and it’s picking up speed. In one campaign in early March it added more than 6,000 ASUS routers in less than 72 hours. 

Since it’s targeting end-of-life routers and IoT devices (which weren’t specified in the Black Lotus report), don’t rely on vendors to deploy patches. As is often the case when a nightmare like this is discovered, it’s time to spend some cash on new kit.

Sellafield Ltd to be prosecuted for cybersecurity failures

The UK Office for Nuclear Regulation announced this month it plans to prosecute Sellafield Ltd, which runs the eponymous nuclear decommissioning site in Cumbria, for “alleged information technology security offences during a four-year period between 2019 and early 2023.” 

The ONR didn’t give many details in its statement, other than to say it isn’t suggesting public safety was compromised due to the issue. The decision to prosecute the firm followed a probe by the ONR. 

It was alleged at the end of last year that Sellafield had been hit with malware by Russia and China. The UK government and ONR both denied those claims, and it isn’t immediately clear if last year’s kerfuffle is related to the prosecution. Neither Sellafield Ltd nor the ONR will comment further. ®