Cybercriminals Are Always Evolving Their Techniques; Your Cyber Team Should Too

Cybercriminals are persistent and determined. These are great qualities to have in a technical field, but for your organization, it means risk and threats are never static. They are always changing, evolving their techniques to exploit weaknesses and vulnerabilities. As a result, your cyber team must evolve as well. You can’t use the same methods against new challenges.

While some of this upskilling is technical, much of it involves soft skills and developing the attributes that enable flexibility, proactiveness, and perseverance. In this post, we’ll review trends related to cybercriminals and their approaches and discuss ways to arm your technical folks with the right skills to win the cyber war.

Cybercriminal Trends

Cybercriminals diversify their attacks and find new avenues to pursue all the time. The trends in cybersecurity relating to their approaches offer some insights for cybersecurity professionals.

Vulnerable Entry Points Are Attractive Targets

The proliferation of IoT (Internet of Things) devices has been a monumental implementation for many industries. They collect data for various applications that deliver intelligence to organizations, including health care, manufacturing, and retail.

For all the benefits they bring, they are also the most vulnerable endpoints. Cybercriminals are becoming IoT experts: they have infiltrated these devices and been able to move from one to another. It’s familiar ground for hackers to look for a way to endanger security through the very technology that helps businesses make data-driven decisions.

The QR Code Comeback

Cybercriminals look for ways to use technology trends to plan attacks. QR codes have been around for some time and had a resurgence during the pandemic, including scanning them for menus. Advertisers use them in CTV (connected TV) and broadcast TV ads, prompting users to scan them while watching. A Super Bowl commercial in 2022 for Coinbase featured a QR code (and not much else). It was so popular that the site crashed.

Hackers follow consumer preferences and create malicious QR codes that direct people to fake sites.

Ransomware Keeps Adapting

Cybercriminals invested lots of time and energy into ransomware attacks in 2022. According to data, ransomware increased by 13% in 2022. The cybersecurity community has great concerns about ransomware, as many organizations experience it regularly, some with dire consequences, such as disrupted healthcare delivery.

The attraction to this method is the money. Many businesses have paid the ransom to regain access to their data. Even organizations with backups and mature cybersecurity defenses can fall victim. Ransomware keeps adapting as hackers look for new ways to breach networks.

Hackers Expose Multifactor Authentication Shortcomings

Multifactor authentication (MFA) has been a tenet of cybersecurity and access control. The premise is to require more than a password, but hackers have found ways around this. One example is an attack used by the Lapsus$ and Yanluowang threat actors. It bypasses MFA by spamming the legitimate account holder with authentication requests until one is approved, a technique referred to as MFA bombing, MFA spamming, or MFA fatigue. It has worked successfully in incidents involving Microsoft and T-Mobile.
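The defensive counterpart to MFA fatigue is noticing the burst of unapproved prompts before the victim gives in. The following is an added example, not code from the original post: a small detector that reads authentication events, counts push prompts per user that were denied or timed out inside a sliding window, and flags users who then approved a prompt right after such a burst. The JSON-lines log format and the sample entries are constructed for illustration; a real identity provider emits its own schema, so `parse_events` is the part to adapt.

```python
"""Detect MFA-fatigue ("MFA bombing") patterns in authentication logs.

Added example, not code from the original post. The log format below is
constructed: one JSON object per line with fields ts, user, event, result.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one normal login (alice), a burst of push prompts
# against bob that are denied or ignored and finally approved, and an
# unrelated password failure (carol) that the detector must ignore.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:02Z", "user": "alice", "event": "mfa_push", "result": "approved"}
{"ts": "2024-03-01T23:14:01Z", "user": "bob", "event": "mfa_push", "result": "denied"}
{"ts": "2024-03-01T23:14:31Z", "user": "bob", "event": "mfa_push", "result": "timeout"}
{"ts": "2024-03-01T23:15:02Z", "user": "bob", "event": "mfa_push", "result": "denied"}
{"ts": "2024-03-01T23:15:40Z", "user": "bob", "event": "mfa_push", "result": "timeout"}
{"ts": "2024-03-01T23:16:15Z", "user": "bob", "event": "mfa_push", "result": "approved"}
{"ts": "2024-03-01T23:20:00Z", "user": "carol", "event": "password", "result": "failed"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse JSON lines into event dicts with a datetime ts; skip malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue  # malformed record: ignore rather than crash the detector
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: alert} for users with >= threshold unapproved push prompts
    inside `window`. The alert records how many unapproved prompts were seen
    and whether an approval followed the burst (the outcome that matters)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerts = {}
    for ev in events:
        if ev.get("event") != "mfa_push":
            continue
        user = ev["user"]
        q = recent[user]
        while q and ev["ts"] - q[0] > window:  # expire prompts outside the window
            q.popleft()
        if ev["result"] != "approved":
            q.append(ev["ts"])
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"unapproved_prompts": 0, "approved_after_burst": False, "first_seen": q[0]}
                )
                alert["unapproved_prompts"] = len(q)
        elif len(q) >= threshold:
            # Approval arriving right after a burst of unapproved prompts.
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)).items():
        print(user, alert)
```

The threshold and window are tuning knobs: a handful of denied prompts in a few minutes is rare for a real user, so even a low threshold stays quiet on normal traffic. An alert with `approved_after_burst` set should be treated as a probable account compromise and trigger a session revocation and password reset; an alert without it is still a signal that the user’s password is already in an attacker’s hands.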

Phishing and Social Engineering Are So Sophisticated

The earliest days of phishing were almost comical in delivery. The misspellings and awkward phrases were easy to spot. That was long ago, and hackers are more advanced and sophisticated in social engineering efforts.

It hinges on manipulation and the receiver believing the hacker is truly someone else. More of this is happening at the business level, with employees receiving communications from leadership asking for help. This email spoofing to impersonate others has become very effective. Hackers also use multiple channels, including email, SMS, SIM jacking, and piggybacking.

There has also been an increase in the use of Google properties for phishing. Millions of people use Google Drive and Google Ads for business. Hackers are attempting to “share” documents, “tagging” in the comments of documents, or inviting you to access a Google Ad account. For many, it would seem a logical email to receive and click, and that’s what hackers are counting on them doing.

Cybercriminals Focus More on Smaller Fish

Most of the headlines about cyberattacks involve well-known companies. It’s more newsworthy since these can cause outages and downtime and impact millions. However, most hackers don’t put a target on these whales. Smaller fish are easier to penetrate, and many have valuable data. Small- and medium-sized businesses (SMBs) often have less robust cybersecurity protocols and may be dealing with being understaffed as well.

It’s an ideal scenario for hackers eager to infiltrate a network and take control. The result can be a data breach with the aim of selling these assets on the dark web, or ransomware. SMBs are highly aware that they are a target but in many cases lack the resources to combat these threats.

Cybercrime as a Service Lowers the Barrier to Entry

A new phenomenon, cybercrime as a service, is another troubling hacking trend. Hackers are for hire, so bad actors no longer need technical aptitude. Rather, they can find a cybercriminal on the dark web to do their bidding. These groups operate like legitimate businesses in many ways, with developers and engineers.

Seeing the commoditization of cybercrime is a concern for tech teams. It’s increasing the number of attacks, and their sophistication is improving daily.

As you can see, hackers never rest on their laurels. They evolve their methods consistently to reach their goals. It’s the same approach the good guys should also take. Here’s how to keep pace with cybercriminals.

Keeping Pace with Cybercriminals; Cyber Professionals Must Adapt Too

Developing your team’s capabilities and expanding them should be a priority for you as a leader. Such a strategy involves both technical and people skills. Focusing on continuous improvement is a requirement to outperform today’s hackers. Here are some critical steps you can take.

Being Proactive versus Reactive

A lot of cybersecurity is reactive. It’s how you’ll respond to a threat or attack. All of that is necessary: you have to have a cyber resilience and contingency plan in place. But it can often overshadow being proactive, which is something organizations find difficult.

The barrier to being proactive is not so much technical failures. Much of the time, it’s the people and the way they communicate, collaborate, and operate. Cyber professionals tend to think in black and white and crave certainty. There’s much fear around what they perceive as new territory, so they stay set in their ways. As a result, you incur more risk because there’s limited exchange of information or ideas.

To be more proactive, you’ve got to break down those silos and create an environment where communication and collaboration are a priority. You must be an example and find ways to hone these people skills through exercises and other activities. If everyone’s not on the same page, you’ll be stuck in reactive mode, which gives hackers an edge.

Creating a Cybersecurity Culture

Cybersecurity culture, in this respect, refers to the principles and values of your technical team. Building a team that can swiftly adapt requires healthy people skills, including communication, awareness of self and others, trust, a growth mindset, and empathy. It may seem daunting to pursue this, but it’s critical in the cyber war.

When these things are absent, your company increases risk. The environment may be toxic, with bullying, posturing, and disengagement. Any hacker would love to attack such an organization, so it’s critical not to be one of these!

Constructing and maintaining this culture requires several key elements:

  • Letting employees know that their contributions matter and how they align with the company’s goals and wins.
  • Encouraging the growth of each individual and acknowledging their improvements.
  • Continuously developing strong communication skills, including what people say, how they say it, and how they listen.
  • Removing self-centered thinking patterns and embracing cognitive empathy.

Emphasizing Innovation

Cyber professionals understand innovation, often more from a technical lens. That’s crucial, but a culture of innovation is where new ideas thrive. If you open up your team to operate this way, many great things can happen regarding security. One way to make it front and center is to define what innovation means to your team and discuss ways to sustain it over time.

There is a common misconception that security is the downfall of innovation. That’s not true; the two can work in tandem, as in the framework of DevSecOps. There should be a constant link between security and innovation. It’s a continuous cycle of improvement that enables better results, which is easy for technical folks to understand.

Cybercriminals vs. Cyber Professionals: Winning the War

On the battlefield, cybercriminals and cyber professionals are at war. Cybercriminals have had many advantages, much of which are due to their constant evolution and adaptability. Keeping up with hackers involves cyber professionals doing the same thing.

With these tips, your team can forge ahead. You can find more advice and resources for this in my book, The Smartest Person in the Room, which features the Secure Methodology™, a seven-step guide to transforming technical people into better communicators and collaborators. Get your copy today.

Top 10 Organized Cybercrime Syndicates

Cybercrime has become so widespread and lucrative that well-organized groups of cybercriminals collaborate to carry out large-scale online heists. These cybercrime gangs consist of hackers, developers, and other tech outlaws who pool their expertise and resources to perform massive crimes that would otherwise be impossible to carry out.

In this article, we’ll be discussing ten of the most notorious organized cybercrime syndicates and how they operate.

Traditional Organized Crime vs. Cybercriminal Hacking Groups

Traditional organized crime and cybercrime have historically been two separate divisions. However, one overarching message emerges from Europol’s Serious and Organized Crime Threat Assessment 2017: organized crime has gone digital, erasing the distinction between the two.

Hackers infiltrating computer networks for the sake of amusement or glory are no longer the norm in the present era of cybercrime. The digital economy’s growth and expansion have radically altered the criminal landscape.

Cybercriminals seek to join with criminal bosses who have the vision, power, and connections to carry out complicated, far-reaching schemes and hacks, much like traditional organized crime does. These cybercriminal kingpins are only becoming better at what they’re doing.

The activities and business models of these global cybercrime syndicates are patterned after legitimate businesses. Security analysts believe they are educating new recruits, using collaborative programs, and even employing service agreements amongst the experts they hire.

Organized Cybercrime Activities

Hacking, fraud, creation and distribution of malware, DDoS attacks, extortion, and intellectual property theft are just a few of the cybercrimes that organized cybercriminals have committed. Cybercrime of this nature results in financial, psychological, social, and sometimes bodily harm, and it has also been used to support other major crimes like terrorism.

Criminal organizations that participate in cybercrime also offer services that aid in the commission of crimes and cybercrime (crime as a service), such as:

  • Stolen data and identity documents (including but not limited to voter registration identifications, health and financial data, and passports)
  • Malware
  • Botnet services
  • Distributed denial of service (DDoS) attacks
  • Keyloggers
  • Phishing or spear-phishing tools
  • Hacking tutorials
  • Information on flaws and vulnerabilities, as well as directions on how to abuse them

According to Europol, ransomware remains a high-value focus for criminal groups, with crypto mining malware entering the fray as a less risky alternative. Card skimming is still a popular way for gangs to make money, and many old scams, including advanced-fee fraud, technical support, and romance scams, continue to victimize a substantial number of people. Europol also reports that computer hackers that previously attacked conventional financial institutions are now eyeing businesses and cryptocurrency users.

10 Most Notorious Organized Cybercrime Syndicates

Here are some of the most infamous organized cybercrime groups in history.

1. Cobalt Cybercrime Gang

The Carbanak and Cobalt malware attacks, which attacked 100 financial firms in more than 40 countries around the globe, were carried out by this cybercrime organization. These thieves were able to plunder over $11 million in every heist thanks to their sophisticated cybercrime campaigns targeting multiple banks. It cost the banking sector more than a billion dollars in total losses.

A typical Cobalt assault compromised financial firms by targeting bank personnel using spear-phishing emails with malware attachments. After the malware was downloaded, hackers acquired access to the compromised computer and breached the internal network system. They examined the bank’s processes and routines for months inside the infiltrated networks.

When they began hacking the systems that controlled the ATMs, things became much more horrific. During the final robbery, ATMs were programmed to remotely disburse cash at scheduled intervals at designated points, where a money mule awaited to collect the funds, a technique known as “jackpotting.”

The suspected ringleader was apprehended in 2018, but authorities now believe the surviving members have carried on from where he had left off after witnessing similar attacks on several other institutions immediately after his capture.

2. Lazarus Gang

The Lazarus group, which some suspect is tied to North Korea, is responsible for many heinous cyberattacks on organizations and institutions. The most well-known of them was the Sony Pictures hack in 2014, as well as the insidious WannaCry cyber-attack that crippled England’s NHS (National Health Service).

Sony Pictures Leak

Employees were surprised to learn that their company’s network had been compromised during the notorious Sony Pictures incident. Hackers seized terabytes of sensitive information, destroyed specific files, and threatened to release the data if Sony did not comply with their demands.

For days, systems were offline, and whiteboards had to be used by staff. After a few days, the hackers began exposing classified info that they had stolen to the media.

WannaCry Ransomware Attack

The Lazarus organization is also suspected of being responsible for the WannaCry ransomware assault in 2017, which infected over a quarter-million systems in 150 countries. It devastated several businesses and institutions, such as the NHS in the United Kingdom. It was the worst attack on the NHS in its history.

WannaCry paralyzed the NHS for days, canceling over 6,000 appointments and costing them approximately $100 million.

3. MageCart Syndicate

This large e-commerce hacking ring, which was made up of various gangs operating under a single umbrella, became known for collecting consumer and credit card information. This was accomplished by malware used for software skimming, which intercepted payment services on e-commerce websites and recorded credit card information. Scores of e-commerce platforms, and other sites where customers regularly provide their credit card information, have been attacked by MageCart gangs over the years.

A MageCart group, for example, breached British Airways’ data in 2018. Customers’ financial and personal information was compromised in the incident, which affected 380,000 people. The assault on the airline, however, was only the beginning.

A few days following the British Airways hack, MageCart launched a large credit card skimming operation against hardware vendor Newegg. MageCart is also suspected of being behind the Ticketmaster data breach, which exposed the personal information of 40,000 customers.

4. Evil Corp

The name of the organization alone suggests that they are looking to initiate chaos. This global cybercrime organization, located in Russia, utilizes various viruses to attack a variety of entities, such as a Pennsylvania school system.

Many of their victims are European and American institutions, and they have eluded capture for years. The sophisticated Dridex banking Trojan, which allowed Evil Corp to steal login details from numerous banks and other financial institutions spanning 40 countries, has made the cybercriminal gang famous. Evil Corp was able to steal approximately $100 million at the peak of the Dridex operation.

They’re so brazen that videos of the suspected leaders parading their sportscars and extravagant lifestyles have gone viral. While U.S. authorities legally charged them in December 2019, numerous analysts believe that bringing their leaders to trial in the U.S. will be tough.

The group was unaffected by the charges. Evil Corp has been associated with a series of new assaults against small and medium-sized businesses in the United States in 2020. This involves Symantec’s discovery of a plot to target hundreds of U.S. firms in June 2020. WastedLocker, a new type of ransomware, was used to target eight Fortune 500 firms.

5. GozNym Gang

The terrifying GozNym malware, a potent Trojan hybrid designed to elude discovery by security software, is the work of this worldwide cybercrime network.

GozNym is a two-headed beast that combines Nymaim with Gozi malware. Thanks to the nefarious union, the malware could infiltrate a customer’s PC via malicious email attachments or URLs. The malware then remained practically undetected, lying in wait for a person to log into a bank account.

Login credentials were taken, funds were swiped and routed away to U.S. and overseas accounts, and then money mules laundered it all clean. Over 41,000 machines were hacked, and account holders were defrauded of more than $100 million.

Europol has reported that the perpetrators behind GozNym malware have since been dismantled.

6. DarkSide

The Colonial Pipeline ransomware operation last May, which halted the U.S. Colonial Pipeline’s fuel distribution system, causing gasoline supply issues, was carried out by DarkSide.

The gang initially appeared in August of last year. It primarily targets large corporations that will be damaged if their services are disrupted, a crucial factor because such companies are more inclined to pay a ransom. Cyber insurance is also more common in such businesses, which implies easy money for crooks.

DarkSide’s business strategy is to provide ransomware services. To put it another way, it executes ransomware assaults in place of other unknown culprits to reduce their culpability. The loot is subsequently split between the executor and the mastermind.

Cybercrime-as-a-service providers also offer online forums for anyone who wants to enhance their hacking capabilities. This might include instructing someone on how to mix DDoS and ransomware assaults to increase the pressure on a negotiation. A ransomware assault would keep a company from acting on previous and present orders, whereas a DDoS attack will prevent any new orders from being placed.

7. REvil

Because of the ongoing Kaseya issue and another recent attack on international meat processing giant JBS, the ransomware-as-a-service outfit REvil has made headlines. This organization has been quite aggressive in 2020 and 2021.

REvil hacked Quanta Computer, a Taiwan business that assembles Apple computers, in April and obtained technical data about upcoming Apple devices. A sum of $50 million has been demanded to stop the public dissemination of the stolen information. It is unknown whether this payment was made.

8. Clop

Clop ransomware was launched in 2019 by a profit-driven gang accountable for stealing half a billion dollars. The Clop group specializes in “double extortion”: the victim pays a ransom in return for a decryption key that allows the company to regain access to its data, and then has to pay an additional ransom to prevent the stolen data from being made public.

According to historical evidence, companies that have previously paid a ransom are more willing to do so again in the future. As a result, hackers will repeatedly attack the same firms, requesting a larger amount each time.

9. Syrian Electronic Army

The Syrian Electronic Army, unlike most cybercrime gangs, has been waging online attacks to spread political propaganda since 2011. They’ve been labeled a hacktivist organization because of their motivation.

While the organization has ties to Bashar al-Assad’s dictatorship, it’s most probably composed of online vigilantes attempting to act as a media wing for the Syrian army.

Their strategy is to disseminate fake news via credible outlets. In 2013, they published a single tweet from the official handle of the Associated Press, the world’s largest news organization, that caused the stock market to plummet by billions of dollars.

The Syrian Electronic Army takes advantage of the fact that most online users interpret and respond to information with an inherent trust. They’re also a prime illustration of how the lines between criminal and terrorist organizations online are less clear than in the real world.

10. FIN7

FIN7, a Russian-based organization, is possibly the most successful organized cybercrime syndicate in history. It has been in operation since 2012 and primarily serves as a business.

For years, most of its activities went unnoticed. Its security breaches have made use of cross-attack events, in which a cyber-attack is used for several objectives. For instance, it may facilitate ransomware extortion while also enabling the perpetrator to exploit victims’ data by selling it to another party.

In 2017, FIN7 was accused of being behind a cyberattack on corporations that filed documents with the Securities and Exchange Commission in the United States. This private data was exploited and utilized to extort a ransom, which was subsequently invested in the stock market.

As a result, the group profited handsomely from trading on classified material. Because the hacking-enabled insider trading scheme lasted so long, it’s impossible to calculate the exact measure of financial damage. However, it is believed to be in the billions of dollars.

Takeaway Points

One of the most critical measures in the battle against organized cybercrime syndicates is understanding how they work. Experts hope that by analyzing them, they will be able to prevent attacks before they occur.

Professionals in the field of cybersecurity can also help. Organizations can gain from cybersecurity experts who can assist them in evaluating their security protocols regularly, recognize potential weaknesses, and devise new ways to protect mission-critical data. Furthermore, cybersecurity consultants can aid in employee education by updating them with the latest hacker avoidance techniques and secure online behaviors.

Need help with cybersecurity? Connect with me.

Check Out The Smartest Person in The Room

Top 10 Largest Healthcare Data Breaches by Number of Records Stolen

Data breaches impact millions and millions, if not billions, of individuals in today’s data-driven society. The amount of circulating data has increased because of digitalization, and security breaches have risen in tandem as cybercriminals prey on people’s daily data reliance.

Healthcare data breaches have increased in both scale and regularity during the last decade, with the worst breaches affecting up to 80 million people. These breaches frequently leak incredibly sensitive data, ranging from personally identifiable information like names, addresses, and Social Security numbers to personal health information like health insurance information, patients’ past medical history, and Medicaid ID numbers. In this article, we have compiled 10 of the largest data breaches by the number of stolen records.

Top 10 Largest Data Breaches by Number of Stolen Records

10. Newkirk Products

  • Number of Stolen Records: 3.47 million
  • Date Discovered: July 6, 2016

Newkirk Products, a provider of healthcare ID cards, revealed a data breach in mid-2016 involving approximately 3.47 million individuals. Multiple branches of Blue Cross Blue Shield, one of the major health insurance companies in the United States by enrollment, were among those affected.

The attacker was able to gain unauthorized access to information by exploiting a vulnerability in the administrative portal of third-party software on a single isolated server. Hackers acquired access to sensitive personal information such as names, birthdates, Medicaid ID numbers, group ID numbers, and premium invoice information, as well as primary care provider information. There was no financial information, medical records, insurance claim data, or Social Security numbers on the server.

To date, Newkirk has found no evidence that such information has been misused. Those affected by the data breach were sent letters that included an explanation of the occurrence, an offer of free identity protection services for two years, and advice on other ways to safeguard themselves.

9. Banner Health

  • Number of Stolen Records: 3.62 Million
  • Date Discovered: late June 2016

Banner Health, a healthcare company based in Arizona, revealed in mid-2016 that 3.62 million patients’ data had been exposed due to a cyber-attack. Banner contracted a cybersecurity expert to investigate after staff saw strange activity on its private servers. The firm identified two intrusions in which hackers acquired patient information and payment system data. Names, birth dates, addresses, Social Security numbers, credit card numbers, internal verification codes, expiration dates, as well as doctors’ names, and medical records, may have been compromised.

A class-action lawsuit was launched by the victims of the data breach shortly after. The judge dismissed several of the first allegations, but the parties negotiated a provisional settlement in December 2020. According to court records, victims of data breaches will be entitled to file claims for reimbursement of expenses spent because of the violation.

The maximum amount that can be compensated per breach victim is $500 for regular expenses and $10,000 for exceptional costs, including out-of-pocket expenses and missed time due to identity theft or fraud. All breach victims will also receive two years of free credit monitoring from Banner Health, which will not duplicate what was supplied at the health system’s original breach notification.

8. Medical Informatics Engineering

  • Number of Stolen Records: 3.9 million
  • Date Discovered: June 10, 2015

Medical Informatics Engineering (MIE), an electronic medical records software company, reported a data breach in mid-2015 that compromised at least 3.9 million patients. Patients who were affected received notices in the mail informing them of their stolen PII, including their names, birthdates, mailing addresses, phone numbers, diagnoses, Social Security numbers, and other sensitive data.

According to news outlets, cyber hackers accessed the company’s network remotely by using credentials that were not consistently secure. According to an investigation, the organization did not do a thorough risk analysis to analyze the possible threats and hazards to the security, integrity, and accessibility of an individual’s electronic protected health information before the breach occurred. This is a HIPAA-required activity, and MIE’s violation led them to pay $100,000 as settlement.

7. Advocate Health Care

  • Number of Stolen Records: 4.03 million
  • Date Discovered: August 2013

Advocate Health Care confirmed three different data breaches affecting Advocate Medical Group (AMG), a doctors’ organization with over 1,000 physicians, from July to November 2013. The initial breach happened on July 15 when AMG’s administrative headquarters in Park Ridge, Illinois, was robbed of four desktop computers carrying the records of roughly 4 million patients.

The second breach occurred between June 30 and August 15, 2013, when an unauthorized third party gained unauthorized network access to AMG’s billing service provider, potentially exposing the health records of over 2,000 AMG patients. Then, the last case of stolen PHI involved the theft of a laptop holding the health records of over 2,230 patients from an AMG employee’s car on November 1, 2013.

Advocate settled a lawsuit over the breach in August 2016 for $5.55 million.

6. University of California, Los Angeles Health

  • Number of Stolen Records: 4.5 million
  • Date Discovered: May 5, 2015

In mid-2015, the UCLA Health System revealed that hackers gained access to patient records of approximately 4.5 million individuals. Worse yet, UCLA announced that its patient data was not secured, which brought immediate and scathing criticism from security specialists.

In 2019, UCLA Health negotiated a settlement with the 4.5 million present and past patients affected by the patient data leak in a class-action lawsuit. UCLA Health consented to several resolutions as part of the agreement. All class action participants are eligible to sign up for free two-year identity protection services. The health organization also committed to compensating patients for costs paid in attempting to safeguard themselves from identity theft and expenses incurred because of identity theft or fraud. UCLA Health has also committed to revising its cybersecurity policies and practices.

5. Science Applications International Corporation (SAIC)

  • Number of Stolen Records: 4.9 million
  • Date Discovered: September 2011

Science Applications International Corporation (SAIC) reported a data breach in late 2011 that affected about 4.9 million military clinic and hospital patients participating in TRICARE, the military healthcare provider for the federal government. This transpired when backup tapes holding the records were taken from a SAIC employee’s car.

According to TRICARE authorities, the tapes contain phone numbers, addresses, Social Security numbers, and other sensitive information, including prescriptions, laboratory tests, and clinical notes. They also stated that the records did not contain any financial information, such as bank accounts or credit card numbers.

A federal district judge dismissed most of the combined class action lawsuits brought against TRICARE in 2014.

4. Community Health Systems

  • Number of Stolen Records: 6.1 million
  • Date Discovered: June 2014

Community Health Systems (CHS), which manages 200+ hospitals across the United States, disclosed a serious healthcare breach affecting 6.1 million patients in mid-2014. Attackers took advantage of a software flaw to gain access to personal information such as phone numbers, physical addresses, birthdates, and Social Security numbers. The breach impacted anybody who had received care from an affiliate hospital in the previous five years and anybody who had been referred to CHS by a physician outside of CHS during that time.

CHS enlisted the help of cybersecurity professionals to investigate the breach. They discovered that the hackers were from China and that the attacks took place between April and June of 2014. The cybercriminals utilized high-end, complex malware to carry out their operations.

Federal authorities and cybersecurity consultants informed the hospital network that the attackers had previously focused on industrial espionage, stealing valuable medical device information. This time, however, the intruders stole patient information. They were unable to obtain information about patients’ past medical history, clinical procedures, or credit card details.

The breach cost CHS and its partners $10.4 million in compensation.

3. Excellus BlueCross BlueShield

  • Number of Stolen Records: 10+ million
  • Date Discovered: September 2015

Excellus uncovered a cyber-attack in August 2015 that exposed the personal information of around 10 million members. Following a wave of cyber-attacks in early 2015 that targeted healthcare data, Excellus had its own systems forensically reviewed. What they found ended up being the world’s third-largest healthcare data breach.

Names, phone numbers, mailing addresses, birth dates, Social Security numbers, and various account information, such as claims and payment details, were all exposed in the breach, which dated back to December 2013.

Excellus will pay a $5.1 million fine for violating HIPAA’s privacy and security standards as part of the settlement.

2. Premera Blue Cross

  • Number of Stolen Records: 11+ million
  • Date Discovered: January 29, 2015

Premera Blue Cross revealed in early 2015 that 11 million customers’ medical information had been compromised in a cyberattack. Using a phishing email, hackers were able to place malware on Premera’s servers, giving them access to member data. The hack exposed bank account data, birthdates, claims information, and Social Security numbers, among other things. After working with cybersecurity specialists and the FBI to examine the attack, the company found that the initial intrusion took place on May 5, 2014. To resolve suspected HIPAA violations related to the breach, Premera Blue Cross was required to pay $6.85 million and submit a corrective action plan in 2020.

1. Anthem Blue Cross

  • Number of Stolen Records: 78.8 million
  • Date Discovered: January 29, 2015

Anthem revealed in 2015 that the records of 78.8 million people had been stolen in the largest healthcare data breach in history. An unidentified attacker gained access to a database holding personal information such as names, birthdates, addresses, Social Security numbers, email addresses, and employment and income information. According to the company, the hack did not expose credit card or medical information.

Anthem agreed to pay $39.5 million in 2020 to resolve a probe by a consortium of state attorneys general. The corporation also consented to pay $115 million to settle the lawsuit, making it the largest data breach settlement ever.

Interested in preventing a data breach? Contact me.

Ransomware – Should You Pay?

Last night I watched an episode of Chicago Med (Season 2, Episode 19). It happened to be about ransomware. Chicago Med was infected with ransomware, rendering all computer systems (doctors’ tablets, MRI machines, patient history systems, diagnostic systems, etc.) useless. The staff of Chicago Med had to resort to doing everything “manually” – filling out paper lab requests, using a whiteboard for patient status, using old-school methods to diagnose patients, etc.

A debate ensued about whether Chicago Med should just pay the ransom, which was around $30k. The staff had differing opinions in the episode.

This is a debate worth discussing, as I do not see a clear answer to the question “should I pay the ransom”, other than “it depends”.

Ransomware Attack - Manual method

The reliance on medical technology makes manual processes like this prone to mistakes

I tend to look at everything from a risk perspective. Sure, it’s easy to say “our policy is we do not pay the ransom”, but at what cost? Many people have polarizing opinions on just about everything, including this topic. It’s easy to make recommendations from afar. What if your spouse was in a hospital and needed immediate emergency treatment, but treatment was delayed because of ransomware? Every second in this delay increased the risk that your spouse might die. Would you still support the policy “we do not pay the ransom”, even if it meant your spouse may die? Is $30k worth more than your spouse?

Also, the rationale for the “we do not pay the ransom” policy goes something like this – “if the hackers know we do not pay the ransom, they won’t attack us”. This is flawed logic because many cybercriminals release ransomware into the “wild”, non-directed, to spread to as many systems as possible, so they can maximize the odds of success and returns.

The Chicago Med hospital administrator was adamant about not paying the ransom, but one of the doctors paid the ransom himself. After the ransom was paid, all the systems came back online and everything went back to “normal”. The doctor who paid the ransom simply stated that the risk was too great and that he had calculated the ROI and it was an easy decision.

But wait… what if you pay the ransom and the hackers just take your money and don’t decrypt your systems?

This is certainly a possibility, although it is almost never the case. Most cybercriminals are in the business of making money, so their business models support this objective. Cybercriminals probably analyze risk in greater depth than most IT staff or cybersecurity staff.

Risk is a real issue that is almost always overlooked. Sure, screw paying the ransom if:

  • Your IT/Cybersecurity Staff has an up-to-date and rehearsed Incident Response Plan
  • Your IT/Cybersecurity Staff has current, up-to-date backups that can be restored quickly
  • Your IT/Cybersecurity Staff can source the ransomware infection and prevent it from occurring again after the backup restoration
  • Your IT/Cybersecurity Staff knows which vulnerability the ransomware exploited
  • Your IT/Cybersecurity Staff knows the extent of the infection – did the infection hit the backup systems?

In the Chicago Med episode, they ended up having to divert patients to other hospitals because of the ransomware. The Chicago Med IT staff seemingly did not have a plan, at least not a timely one, to restore the hospital systems.

I’m certainly not advocating people pay the ransom, but blindly making blanket policies without understanding risk is a huge problem, especially at places where time is of the essence, such as hospitals.

So, what can you do to help with RANSOMWARE? I recommend 3 things to start:

  1. Perform a risk assessment against your environment – identify your critical assets (data and systems). Not everything is critical. Narrowing your focus to what is critical, then prioritizing accordingly allows you to better protect these systems and restore them in a prioritized manner. Too many organizations try to equally protect everything. This is a huge mistake, as everything is half-ass protected, which doesn’t cut it. It’s better to protect your 10 critical assets 100% and leave the 90 noncritical assets at 50%. This is better than all 100 assets being protected at 60%, which is a common mistake.

  2. Once you know your critical systems, make sure those systems (and the applications installed on them) are patched routinely and that they are backed up (the system itself as well as the data on the system) as frequently as needed.

  3. Secure and test critical system backups. Make sure the backup system itself is secure. If the ransomware hits the backup system, the backups are no good. Also, make sure you know how to restore from backups. This seems simple, yet it is often overlooked. I’ve seen many organizations back up their data routinely and religiously and never once test the restoration procedures. During an incident, they found out that the restoration procedures did not work at all or only partially worked.
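The readiness checklist above (current backups that restore quickly, knowing whether the infection reached the backup system) and step 3 both come down to the same drill: back up, restore somewhere else, and prove the restored data matches what was protected. The following is an added example of that drill, not Alpine Security’s tooling or anything from the original post. It assumes a plain directory copy as the backup mechanism and stores a SHA-256 manifest alongside the backup; the sample files it creates are constructed for the demonstration.

```python
"""Backup-and-restore drill with integrity verification.
Example code added to this post; it is not Alpine Security's tooling.
Assumption: the backup is a plain directory copy with a SHA-256 manifest."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(src: Path, backup_dir: Path) -> Path:
    """Copy src into backup_dir/data and record a manifest of the source.
    In production the manifest belongs somewhere the backup host cannot
    rewrite (write-once or offline storage), so a compromised backup
    system cannot also rewrite its own checksums."""
    shutil.copytree(src, backup_dir / "data")
    manifest = build_manifest(src)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def restore(backup_dir: Path, restore_dir: Path) -> Path:
    """Restore the backed-up data into restore_dir (the actual drill step)."""
    shutil.copytree(backup_dir / "data", restore_dir)
    return restore_dir


def verify_restore(backup_dir: Path, restore_dir: Path) -> list:
    """Compare the restored tree against the manifest taken at backup time.
    Returns the relative paths that are missing, altered, or unexpected;
    an empty list means the restore reproduced the protected data exactly."""
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restore_dir)
    problems = [name for name, digest in expected.items() if actual.get(name) != digest]
    problems += [name for name in actual if name not in expected]
    return sorted(problems)


def run_drill() -> dict:
    """Run the drill twice on constructed sample data: once against an intact
    backup, once after the backup copy has been altered, which is the
    failure mode the post warns about (ransomware reaching the backup system)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "critical_system"
        (src / "records").mkdir(parents=True)
        # Constructed sample data standing in for a critical system's files.
        (src / "records" / "patients.csv").write_text("id,name\n1,sample\n")
        (src / "notes.txt").write_text("clinical notes placeholder\n")

        backup_dir = backup(src, tmp / "backup")
        clean = verify_restore(backup_dir, restore(backup_dir, tmp / "restore_clean"))

        # Simulate the backup copy being overwritten after it was taken.
        (backup_dir / "data" / "notes.txt").write_bytes(b"\x00unreadable\x00" * 4)
        tampered = verify_restore(backup_dir, restore(backup_dir, tmp / "restore_tampered"))

        return {"clean_restore_problems": clean, "tampered_restore_problems": tampered}


if __name__ == "__main__":
    print(run_drill())
```

The point of running the drill to a separate restore location is that it exercises the restoration procedure itself, not just the existence of a backup; the manifest comparison then tells you whether what came back is the data you protected or something that was altered after the backup was taken.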

If you’re unclear on how to perform the risk assessment or need help with a cybersecurity plan, Alpine Security can help you with our CISO-as-a-Service.

70% of Cyber Attacks Will Be Against Small Businesses in 2020

In 2020 it is estimated the percentage of cyber attacks against small businesses will be close to 70%. It’s also estimated that in 2020 the cost of cyber attacks is going to be around $5 trillion. That’s trillion with a T. And if 70% of the attacks are against small businesses, then obviously the small businesses are going to be paying for a lot of that $5 trillion. Cyber attacks affect small businesses in a few ways. This post discusses how cyber attacks affect small businesses and what can be done about it.

The Effect of Ransomware and Stolen Data on Small Business

One way a cyberattack affects a small business is when it is hit with something such as ransomware. The ransomware can render systems useless for a week or two, during which the business can’t provide the service or produce the product it needs to generate revenue. They’re basically dead in the water for one or two weeks, producing nothing. That alone can put a small business out of business.

The other primary way small businesses pay for a cyber attack is when client data is stolen. Typically, for every record stolen, the business has to pay for credit monitoring. A clinic in Missouri was put out of business this way: an attacker stole 20,000 patient records, and the clinic had to pay for credit monitoring for all 20,000 patients. I’m not exactly sure of the price, but I think it was around $20 per person. So if 20,000 records are stolen and you have to pay $20 per record, that’s $400,000 per year in credit monitoring fees. Most small businesses do not have a cash reserve of $400,000, so that put the clinic out of business.

Why Do Cybercriminals Attack Small Businesses?

You may ask yourself, “Why do attackers go after small businesses? Why is the percentage so high towards small businesses?” There are two main reasons. The first reason is most small businesses do not have a very mature cybersecurity program. They don’t have a dedicated staff to solely work on cybersecurity, it’s typically somebody’s additional duty. The attackers know this and they know that they can more easily get into a small business than a larger business because most large organizations have a dedicated cybersecurity staff and a mature cybersecurity program.

The second reason is attackers will attack a small business and use that business as a foothold to attack a larger business. Small businesses typically have relationships with larger businesses. If the large business is fairly secure but the small business is not, the attacker’s going to go after the small business and then leverage that relationship from the small business to attack the larger business.

An example of this is Target. Target is a large retailer with stores all over the place, but Target wasn’t attacked directly because it has a fairly mature cybersecurity program. Instead, its HVAC (heating, ventilation, and air conditioning) vendor, a small business, was attacked. From there, the attackers leveraged the HVAC vendor’s relationship with Target, riding the trusted connection from the vendor into Target’s network to compromise Target’s point-of-sale machines and steal customers’ credit card numbers.

As a recap, the two reasons small businesses are attacked:

  1. They are typically not very mature in the cybersecurity maturity process
  2. They are often leveraged to attack the larger business

What Can You Do?

My company, Alpine Security, believes small businesses are vital to the economy. We’re a small business and we want to support other small businesses. So we’ve come up with our fractional virtual CISO service, which offers an affordable means for small businesses to develop cybersecurity capabilities in alignment with their risk tolerance, industry, and business objectives. To learn more about our CISO service, you can call us at (844) 925-7463, email us at [email protected], or visit: https://alpinesecurity.com/services/ciso-as-a-service/

It is in our interest to help small business owners protect their environments from being attacked.