Flair Data Systems Cybersecurity News Update 5-1-2024

Good evening! 

Today’s update brought back a wave of memories. I am reflecting on stories like the one about UnitedHealth, particularly regarding a significant turning point in my perspective on security. It's disheartening to see parallels between UnitedHealth's ordeal and an experience I had during a pen test years ago. The scenario of compromised credentials leading to unauthorized access via a non-MFA system, such as Citrix, feels all too familiar. 

For me, that incident occurred over a decade ago during a sanctioned and paid engagement. However, for UnitedHealth, it unfolded as an unauthorized and paid engagement, resulting in widespread distress for countless individuals. It serves as a poignant reminder of the real-world consequences of security vulnerabilities and the importance of proactive measures to safeguard sensitive information. 

With that, let’s get into today’s cybersecurity news update.... 

UnitedHealth Group CEO faces congress & cause of hack revealed 

It has been publicly confirmed that UnitedHealth paid the $22 million ransom 

• The method of access was through compromised credentials that were used to access UnitedHealth's Citrix platform that lacked MFA 
• Not being a part of their Infrastructure or Security teams, I will not try to understand how that was allowed to occur in 2024 

Link (1): https://therecord.media/unitedhealth-ceo-testifies-senate-hearing 

ByteDance on the clock to divest TikTok 

ByteDance, the parent company of TikTok, has been given 9 months to sort out a deal to divest TikTok with the ability to extend for another 3 months if necessary 

• TikTok is planning to challenge this in court, stating it is unconstitutional to ban 

Link (1): https://www.theverge.com/2024/4/24/24139036/biden-signs-tiktok-ban-bill-divest-foreign-aid-package 

Kaiser Permanente website tracking tools may have compromised customer data 



Kaiser Permanente, a healthcare giant, has been notifying more than 13 million customers of their personal information had been potentially shared with third-party vendors 

• Information would have included: IP Addresses, names, information on how a member/patient was signed into their account, information showing how a member/patient interacted with and navigated through the website/mobile application, and search terms used in the health encyclopedia 
• Financial information or Social Security Numbers were not included 
• Third-party vendors included Google, Microsoft Bing, and X 

Link (1): https://therecord.media/kaiser-permanente-potential-third-party-data-exposure 

Avast gets GDPR fine:  

Avast, a Czech endpoint protection company, was fined by GDRP for $14.9 million for processing customers' data illegally per GDPR rules 

• NGO Facua (Spanish not-for-profit) focuses on consumer rights brought it to the attention of Spain's Agency for Data Protection where Avast had collected and sold private browsing data, including identifying data, with the knowledge or authorization from its customers 
• The type of data being collected included Google Maps location searches and GPS coordinates, videos viewed on YouTube, profiles on LinkedIn, and Google Searches 
• Per Avast, this was shut down in January of 2020 

Link (1): https://www.techradar.com/news/avast-hit-with-multimillion-euro-fine-for-gdpr-failure 

Major U.S. wireless carriers face $200M FCC fine 

AT&T, Sprint, T-Mobile, and Verizon are all being levied fines totaling nearly $200 million for illegally sharing access to customer's location information without consent 

• The investigation started over four-years ago (Feb 2020) 
• Each of the four above sold access to its customers' location information to 'aggregators' who then resold access to the information to third-party location-based service providers 

Link (1): https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/ 

Marriott backtracks claims of encryption protection 

Over the past 5 years, Marriot has defended its 2018 data breach by arguing that its encryption (AES-128) was strong enough and that it should be dismissed 

• However, this past April (the 10th) the attorneys for Marriot admitted that it never used AES-128 during the time of the breach 
• It had been using hashing (SHA-1) and not encryption but claimed it had been doing so 
• Interesting though, how did third-party forensic firms (Accenture, Verizon, and Crowdstrike) did not notice that there were in no encryptions put in place 
• Another valid question is around, if the above teams DID notice it why then did Marriot stick behind the original story (AES-128) 
• Lastly, when and how did Marriot discover the truth after the past 5 years 

Link (1): https://www.csoonline.com/article/2096365/marriott-admits-it-falsely-claimed-for-five-years-it-was-using-encryption-during-2018-breach.html 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!