France's Largest ever data breach | Bank of America breached through Infosys
CyberInsights #129 - Healthcare data of 33 Mn French citizens breached | Third party risks and the Friday Evening Cybersecurity Phenomenon
1 in 2 French citizens affected by data breach
Viamedis and Almerys, the affected companies, together handled 33 million data points.
33 million French citizens' data breached. Just for comparison, the population of France is 64 million. It's a breach of epic proportions. [LINK]
The two breached companies were service providers for medical insurance. The data stolen was “the marital status, date of birth and social security number, the name of the health insurer and the cover provided by the policy” [LINK]
The website of Viamedis was still down at the time of writing. You can check if it is still down. This is the [LINK]. They had to put up the breach notification on their LinkedIn page. [LINK].
The news articles allude to a 'one click' phishing breach. That's scary. If one click by a slightly distracted employee can lead to a massive data breach, it calls into question the security architecture as well as the tools used.
Take Action:
Does your environment have an exposure where one click on a phishing link can lead to a large-scale data breach? Red teaming exercises will help you answer this question.
Identify key users who have access to large-scale data environments (high-risk users) and run additional focused training sessions for these users.
If you are French, urge your government to run an awareness campaign to watch out for insurance frauds based on the data leak. Such frauds will be an outcome of the massive data breach.
If you are a cyber insurer - first, be very careful about underwriting the healthcare sector. If you decide to do it, check for regular red teaming exercises and phishing simulations as controls.
Data of 57k BofA customers breached
The leak occurred at the third-party tech service provider Infosys.
This piece of news is not sensational. Neither is it massive. A 57k-user data breach barely raises an eyebrow. The attack vector is banal - a third party. The malicious code is boring - LockBit. And yet, it matters.
Urban legend says that 80% of all jobs are boring. It's definitely true for cybersecurity. Days are a blur. If you are a cybersecurity professional responsible for the acronym VSA (short for Vendor Security Assessment), you know what I mean. Poring over responses from vendors who believe they have been smart enough to sidestep the core question and provide six attachments to confuse you is not anyone's idea of fun.
Add to that what I call the ‘Friday Evening Cybersecurity Phenomenon’. You guessed it. Vendor security questions come in at 5 pm on a Friday and need to be responded to before Monday morning. It’s a life and death situation for the business. Going by the number of Friday evening life and death requests, cybersecurity professionals would have saved more businesses than CFOs and General Counsels together.
Coming back to the breach: Infosys, a vendor for BofA, was breached. [LINK]. Everything was dutifully filed. Affected customers were provided with the customary two years of credit monitoring and identity theft protection. All's well that ends well.
Take Action:
Cyber insurers - use a rule of thumb. The more vendors a business has, the higher the chance of a breach.
If you are a cybersecurity professional handling VSA, remember that your work has a huge impact on the business. Don't succumb to deadline pressures. Do a risk-based assessment of the vendors. For vendors above a particular risk level by your criteria, do a deep dive.