A BEC scam leads to a healthcare data breach

February 17, 2020
BEC (Business Email Compromise) scams are an ever-present problem in the business world. This scam consists of impersonating someone important within an organisation’s structure in order to trick an employee into making a fraudulent bank transfer. According to the Financial Crimes Enforcement Network (FinCEN), these scams generate around £232 million every month, or £2.7 billion every year.

While this kind of scam generally aims to steal money, we have also seen cases where cyber criminals have other ends in mind. The latest such case was in New York.

A medical center in New York: victim of a BEC scam

On December 30, 2019, a medical center in New York City reported that it had suffered a BEC attack. The victim, who works at the VillageCare Rehabilitation and Nursing Center (VCRN), received an email that seemed to come from a senior staff member at the institution requesting information about VCRN patients.

According to the Notice of Data Privacy Incident statement published on the center’s website, “The unauthorised actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information.”

Thanks to this ruse, the attacker exfiltrated information on 674 patients, including names and surnames; dates of birth; and medical insurance information, including the name of the provider and ID number.

VCRN explains that, “Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event.”

The medical center has stated that it is unaware of any of the patient information having been used in any malicious activity since the incident. VCRN has said that it intends to carry out a review of its cyber security.

The center has taken measures to inform the patients that have potentially been affected, and has advised them “to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”

Healthcare: a sector vulnerable to data breaches

Healthcare is one of the sectors that suffers most when dealing with the consequences of a data breach. According to the Ponemon Cost of a Data Breach Report, healthcare is the sector with the highest data breach costs: an average of £4.95 million per breach. What’s more, the cost per file in a healthcare sector breach is also the highest: £330 per file, 60% higher than the average cost.

In the sector, the consequences of a data breach also go beyond the financial aspect: abnormal customer turnover in healthcare after an incident of this kind is also the highest of any sector: 7% of customers are lost.

It is possible to protect yourself against BEC scams

As we’ve seen, BEC scams can have serious repercussions for a company that falls victim to one, even if no money is stolen. As well as financial loss or information theft, a cyber attack of this type can have a negative impact on an organisation’s reputation.

The most important thing to protect against BEC scams is to have a zero-trust stance. This means not trusting any emails that seem out of the ordinary. If you have even the slightest doubt about the legitimacy of anything, don’t open it, don’t reply, and don’t open any attachments.

Even though the final phase of a BEC scam is an act of social engineering, malware is often employed in the attack as well. The messages must seem to come from trusted email addresses; for this reason, cyber attackers use spyware to steal credentials. This information is then used to create emails that are believable both in form and content, which can convince the victims that the request is legitimate.

This use of spyware or other kinds of malware means that it is vital to use an advanced cyber security solution. Adaptive Defense constantly monitors all activity on the network. This way, you can be sure that neither spyware nor any other kind of advanced threat will endanger your organisation.

BEC scams are a trend that is showing no signs of slowing down. What’s more, cyber criminals are finding ever more innovative ways to keep compromising the systems of organisations all over the world. Make sure your company isn’t the next victim.

It is important to test your systems

Even if you have the most advanced cyber security solutions in place, hackers will always find a way to get in. We can stay on top of this by regularly testing your systems to ensure vulnerabilities are discovered and patched. We can also perform BEC attacks against your business to see if your staff can spot unwanted emails.

Book a Free Cyber Clinic today to see how we can test your systems and Defend Your Business.
