A Third of Americans' Healthcare Data Breached, Amid Other Threats
A Very Busy Cybersecurity Week In Review
A breach at UnitedHealthcare compromised the records of roughly “a third [of Americans],” the company’s C.E.O. admitted under duress to the House on Wednesday. The breach, the C.E.O. admitted in a separate Senate hearing earlier the same day, was facilitated by stolen credentials and the lack of multi-factor authentication on a sensitive system. The revelations indicate that the custodian of one of the largest collections of protected U.S. healthcare data lacked effective security auditing, which would have caught the vulnerability.
Kaiser Permanente was also in the news for all the wrong reasons this week. The insurance giant reported that it inadvertently shared the personal information of 13.4 million of its policyholders with advertisers. The shared information reportedly included names, I.P. addresses and searches that policyholders entered in Kaiser’s online health encyclopedia.
But perhaps the worst of this week’s compromises is a GitLab flaw now being exploited to hijack code repositories. Once hijacked, adversaries may covertly plant backdoors and trojan code into existing codebases, potentially to be leveraged long after the GitLab flaw itself is fixed. GitLab users are encouraged to install a patch, available since January.
Also last week, Biden signed legislation intended to force China’s ByteDance Ltd. to sell TikTok to a U.S. owner. Reuters reported this week that ByteDance intends to file a constitutional challenge and would rather shut down TikTok’s U.S. operations than divest it. Reading between the lines, ByteDance seems willing to wager that U.S. users will work around a U.S. app-store ban, just as, the world learned this week, “tens of millions” of Chinese and other nationals are skirting their countries’ bans of U.S. apps like WhatsApp.
In what may be the first instance of spyware changing a national election’s outcome, U.S. cybersecurity researchers and journalists found long-running uses of Pegasus spyware against Polish citizens and government and opposition officials under the country’s last administration. The controversial software suite was allegedly used to steal politically sensitive text messages and swing the nation’s last presidential race. Pegasus is produced by NSO Group, an Israeli company recently blacklisted in the U.S.
Security experts also believe, but cannot yet prove, that North Korea is behind a social-engineering campaign that lures software developers into installing a remote-access trojan (RAT) on their systems. Software developers are advised to exercise caution if they receive a job solicitation asking them to install Python libraries from a GitHub repository.
Surprising few, Microsoft, too, had a bad cybersecurity week. For four years, according to Ars Technica, Microsoft failed to disclose that Russian-state hackers were exploiting a security flaw in the Windows print spooler. A separate issue also arose from Microsoft’s April security updates, which reportedly break various virtual private network (V.P.N.) clients. Microsoft has yet to address the V.P.N. issue, leaving users to choose between living without their V.P.N.s and uninstalling the April security updates to restore them.
Last weekend Apple also had security issues. Users reported being locked out of their Apple I.D.s and thus their devices. “The outage comes at a time when Apple is currently grappling with Active Theft issues that have allowed bad actors to compromise Apple IDs and lock victims out of their devices,” noted The Times of India. “However, it's unclear if Friday's events were related to those previous attacks.”
Not to be left out, Amazon recently paid $5.6 million in refunds to Ring doorbell customers for privacy violations, and Google is working to address an issue with some Android T.V.s that exposes users' Gmail accounts to anyone with physical access.
In stranger news, a Baltimore public-school athletic director was arrested for circulating a fake, A.I.-generated audio recording of the school’s principal. The audio purported to contain the principal’s racist and anti-Semitic comments to a colleague. But the principal told police that he had warned the athletic director that poor job performance would prove problematic to renewing his contract, and denied ever making the remarks. Multiple experts concluded the audio was computer-generated.
Across the pond, again, the United Kingdom became the first nation to ban default usernames and passwords on Internet-of-Things (I.O.T.) devices, which have long been a security issue. Separately, Britain’s domestic intelligence agency warned British universities that they have become targets of state-sponsored espionage, especially concerning defense research.
Washington would be smart to follow Britain’s lead. Last week Bloomberg revealed that the controversial Chinese telecom manufacturer Huawei is “secretly funding cutting-edge research at American universities, including Harvard.”