Health insurance exchange exposed client data. Mattress company suffers Magecart attack. Mailchimp breach leads to phishing. – The CyberWire

Chp April 5, 2022
the cyberwire

At a glance.

Audit reveals health insurance exchange failed to protect client data.Mattress company loses sleep over Magecart attack. Mailchimp breach leads to phishing operation targeting crypto and financial sectors.

Audit reveals health insurance exchange failed to protect client data.

A recent state audit conducted by the Auditors of Public Accounts has found that Access Health CT, a health exchange that facilitates the purchase of Obamacare plans for Connecticut residents, does not do enough to protect personal client data and neglected to properly report forty-four breaches that occurred between July 2017 and March 2021. “Internal controls were not adequate to prevent the breaches of client data,” stated State Auditor John Geragosian. The Hour notes that a review of data from the state Attorney General’s Office shows that Access Health CT has reported experiencing the most breaches of any private or public organization in Connecticut since 2013. Of the forty-four breaches in question, the exchange’s call center vendor Faneuil Inc. was found to be responsible for thirty-four (and three additional breaches have already been reported this year), usually the result of a call center representative adding the wrong clients to customer accounts. Access Health CT spokesperson Kathleen Tallarita noted that most of the incidents impacted only one client at a time, and the exchange has acquired the support of cybersecurity firm JANUS Associates to improve the organization’s data handling processes. 

See also  The Big Squeeze: More Enrollees and Smaller Networks Plague Some ACA Plans

Mattress company loses sleep over Magecart attack. 

German mattress maker Emma Sleep Company has begun notifying customers that a Magecart attack that occurred between January 27 and March 22 resulted in the theft of customer data. The notification explains, “This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not.” The company uses the popular Adobe Magento e-commerce platform, which was found earlier this year to have critical security vulnerabilities that were being actively exploited. (Adobe issued two patches to mitigate the issues.) Emma Sleep Company’s CEO Dennis Schmoltzi told the Register that upon detection of the attack, the company immediately secured the data, launched an investigation, and reported the incident to the relevant authorities.

Kunal Modasiya, senior director of product management at PerimeterX, sees a cautionary tale about supply chains:

“Magecart attackers continue to seek out creative ways to steal customers’ PII, in this case credit card information specifically. In this scenario, the bad actors created copycat URLs tailored to the company’s environment in order to avoid detection. Though the Magento platform was kept up to date, this is a primary example of the need to have continuous visibility into the JavaScript that powers a website and to get real-time alerts when risky behavior changes are observed. Given the risks of supply chain attacks in general, it is important that e-commerce companies look beyond static code analysis, external scanners and the limitations of CSP to solutions that provide real time visibility and control into their attack surface to identify vulnerabilities and anomalous behavior, and proactively mitigate the risk of stolen customer data.”

See also  Under New Illinois Law, Illinois Employers With Insured Group Health Plans Must Provide New Benefit Comparison Notice To Covered Illinois Employees - JD Supra

Mailchimp breach leads to phishing operation targeting crypto and financial sectors.

Popular US email marketing firm Mailchimp has confirmed that intruders gained access to internal customer support and account management tools in order to steal audience data and launch phishing attacks. The confirmation came after owners of Trezor hardware cryptocurrency wallets began tweeting that they’d received phishing notifications claiming the company had suffered a data breach. The scam emails directed the recipients to reset their hardware wallet PINs, but in fact tricked them into downloading malicious software that gave the hackers access to the cryptocurrency. Mailchimp told Bleeping Computer that the attack goes beyond Trezor customers, as Mailchimp employees were also targeted with a social engineering attack that resulted in an intruder accessing one of the company’s customer support and account administration tools. The attackers accessed approximately three hundred Mailchimp accounts and exported audience data from about one hundred, focusing on customers in the cryptocurrency and finance sectors. The hackers also gained access to API keys for an undisclosed number of customers, which gave the threat actors the ability to send spoofed emails. Mailchimp CISO Siobhan Smyth told TechCrunch, “When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access. We also recommend two-factor authentication and other account security measures for our users as added measures to keep accounts and passwords secure.”

Related posts:

  1. Insurers Excluding Coverage for Motorcycle Crash Injuries – The National Law Review
  2. House panel OK's bill mandating HMOs, insurers provide hearing aid coverage for children – Florida Politics
  3. Democratizing Indian health insurance – ETHealthWorld
  4. How to Enroll in an Independence Blue Cross Health Insurance Plan
See also  Michigan Medicine data breach may have exposed some patients' health information - Detroit Free Press

More Stories

Harris Correct That Trump Fell Short on Promise To Negotiate Medicare Drug Prices

Harris Correct That Trump Fell Short on Promise To Negotiate Medicare Drug Prices

Chp October 3, 2024
Wyden Demands Penalties for Obamacare Enrollment Fraud

Amid Medicaid ‘Unwinding,’ Many States Wind Up Expanding

Chp October 2, 2024
A photo of JD Vance and Tim Walz standing at podiums in a TV studio.

Vance-Walz Debate Highlighted Clear Health Policy Differences

Chp October 2, 2024

You may have missed

How generative AI raises cyber risks for SMBs – and what they can do about it

How generative AI raises cyber risks for SMBs – and what they can do about it

Chp October 3, 2024
NDIS overhaul begins with new rules to streamline support, boost outcomes

NDIS overhaul begins with new rules to streamline support, boost outcomes

Chp October 3, 2024
CCR Re appoints Vaibhavi Mehta as director of life underwriting

CCR Re appoints Vaibhavi Mehta as director of life underwriting

Chp October 3, 2024
Artemis Live webinar - ILS Market Outlook 2025

ILS Market Outlook 2025 webinar. Reminder, register to watch

Chp October 3, 2024
How to support insurance clients through a "very analytical renewal"

How to support insurance clients through a "very analytical renewal"

Chp October 3, 2024