[BreachExchange] Fortune 500 service provider says ransomware attack led to leak of more than 500k SSNs

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Feb 7 11:28:17 EST 2022


https://www.zdnet.com/article/fortune-500-service-provider-says-ransomware-attack-led-to-leak-of-more-than-500k-ssns-more/

Morley Companies, an organization that provides business services to dozens
of Fortune 500 companies, said this week it was hit with a ransomware
attack last year that led to the leak of sensitive information for more
than 500,000 people.

In a press release, the company said the ransomware attack began on August
1 and made their data "unavailable." Despite requests for comment, the
company would not explain why it waited until now to notify the 521,046
people affected, some of whom had their Social Security numbers leaked in
the attack.

The company said the attack affected the information of "current employees,
former employees and various clients." The information leaked includes
names, addresses, Social Security numbers, dates of birth, client
identification numbers, medical diagnostic and treatment information, and
health insurance information.

Morley said it hired cybersecurity experts to respond to the situation but
needed six months to collect the "contact information needed to provide
notice to potentially affected individuals."

Morley does not say it was a ransomware attack in the public notice, but in
the letters sent to victims, they provide more information. In filings with
Maine's Office of the Attorney General, the company explains that
521,046 people were affected.

"That investigation revealed that a ransomware-type malware had prevented
access to some data files on our system beginning August 1, 2021, and there
was an unauthorized access to some files that contained personal
information. We then worked diligently to prevent further access and
identify impacted individuals. Special programming was required, and unique
processes had to be built in order to begin analyzing the data," Morley
said.

"The data complexity also required special processes to search for and
identify key information. This process was lengthy but necessary to ensure
appropriate notification occurred. On January 18, 2022, it was confirmed
that your information was involved."

The company said it would provide credit monitoring and identity theft
protection services to those affected. A call center has been established
to answer questions about the issue.

The company offers back-office processing, meetings and incentives
management as well as exhibits and displays production to its clients.

Cerberus Sentinel's Chris Clements said it is overwhelmingly likely that
the attackers had access to Morley data for weeks or even months before
they ran their ransomware, locking Morley and their customers out of their
data.

"During this timeframe, people exposed to risk of fraud or identity theft
may have been actively targeted while being oblivious to their risk. It's
incumbent upon any organization that stewards potentially sensitive data
provided by their users that they not only defend it as well as possible
but that they also have the capabilities to quickly identify potentially
compromised information and notify those affected should the worst happen.
Those processes should be part of any incident response plan and regularly
tested," Clements said.

"The unfortunate reality is that far too many organizations don't have
effective auditing controls to identify when data is accessed and by whom, or
means to detect unusually high levels of access or exfiltration that can
indicate that an attack is happening. Monitoring or controls to limit speed
and volume of data access is a critical control that is often overlooked
when planning cybersecurity strategy. Actions like alerting if a user's
account is accessing data during unusual or non-work hours or pulling 200
records in an hour when they normally access 20 can be instrumental in
proactively detecting and limiting exposure from a potential breach."
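
The access-volume and off-hours alerting Clements describes, as an added
example that is not part of the original article or any Morley system. The
log format, user names, business hours and 5x spike threshold are all
assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

WORK_HOURS = range(8, 18)   # assumed business hours, 08:00-17:59 local
SPIKE_FACTOR = 5            # assumed threshold: alert at 5x a user's normal hourly volume

def hourly_totals(events):
    """Sum records accessed per (user, hour bucket)."""
    totals = defaultdict(int)
    for user, ts, records in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        totals[(user, hour)] += records
    return totals

def build_baseline(history):
    """Median records per active hour for each user, from a known-good period."""
    per_user = defaultdict(list)
    for (user, _), total in hourly_totals(history).items():
        per_user[user].append(total)
    return {u: median(v) for u, v in per_user.items()}

def detect(events, baseline):
    """Return sorted (user, hour, reason) alerts for volume spikes and off-hours access."""
    alerts = []
    for (user, hour), total in hourly_totals(events).items():
        normal = baseline.get(user)
        if normal is None:
            # An account with no access history is worth a look on its own.
            alerts.append((user, hour.isoformat(), "no-baseline"))
        elif total >= SPIKE_FACTOR * normal:
            alerts.append((user, hour.isoformat(), f"volume {total} vs normal {normal:g}"))
        if hour.hour not in WORK_HOURS or hour.weekday() >= 5:
            alerts.append((user, hour.isoformat(), "off-hours"))
    return sorted(alerts)

# Constructed sample data (not from the incident): (user, timestamp, records accessed)
HISTORY = [("alice", "2021-07-26T09:10:00", 12), ("alice", "2021-07-26T09:40:00", 8),
           ("alice", "2021-07-27T14:05:00", 20), ("alice", "2021-07-28T10:30:00", 22),
           ("bob", "2021-07-26T11:00:00", 5), ("bob", "2021-07-27T11:15:00", 7)]
TODAY = [("alice", "2021-07-30T10:05:00", 90), ("alice", "2021-07-30T10:35:00", 110),
         ("bob", "2021-07-30T11:20:00", 6), ("bob", "2021-07-31T02:45:00", 4),
         ("svc-backup", "2021-07-30T13:00:00", 3)]

if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(HISTORY)):
        print(alert)
```

The baseline is a per-user median of hourly totals, so a single busy hour in
the known-good period does not raise the threshold for that account.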