
Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser-known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for August 2018 is… the insider attack against Adams County, Wisconsin.
What Happened?
The government of Adams County, Wisconsin, announced that it had confirmed a data breach resulting from unauthorized access to its systems over a five-year span from January 2013 to March 2018. The attack is alleged to be the work of an elected County Clerk, who accessed data in numerous departments, including Health and Human Services, the Sheriff’s Office, and the Veteran Service Office. An estimated 258,120 people had their data compromised, including personally identifiable information, private health information, and tax information. Because of the health information involved, HIPAA was notified, and the incident will likely end up on HIPAA’s “wall of shame”.
A news release from Adams County says that the suspect’s account was immediately suspended, the software control measures they manipulated were disabled, and a long-term solution to prevent future breaches is being examined.
How Did It Happen?
According to the news release from Adams County, the breach was discovered during an IT incident investigation by a consultant. A County Clerk—who is named in a statement of charges obtained by a Wisconsin TV station—installed keylogging software to steal usernames and passwords and gained access rights beyond the scope of their role. They were able to move within the Adams County systems for five years before being detected. According to the statement of charges, in addition to accessing and exfiltrating data, they were able to delete records and establish unauthorized chequing accounts.
How to Minimize the Risk of this Type of Breach
No one likes to think that their own people pose a significant risk to their information security, but insider threats are a major problem. Some studies have found insider threats to be the number one cause of data breaches, resulting in some of the highest costs to remediate. From our perspective as a SOAR vendor, there are a few things organizations can do to make it easier to detect and prevent unauthorized activity by insiders.
The unauthorized access behind the Adams County breach went unnoticed for over five years, which shows how insider activity can evade conventional detection methods. To counter this, organizations should avoid the patchwork of security systems that is all too common in government offices: tools acquired piecemeal over time leave an environment of systems that don’t work well together and make it hard to apply consistent rules. With a well-integrated security infrastructure, rules can be defined that highlight unusual activity, such as immediately creating a security incident when a user attempts to access data unrelated to their role or is active in the system outside normal work hours.
Better detection also results from having documented and standardized workflows wherever possible. If normal procedures are universally recognized, and even codified into playbooks, unusual activity will stand out glaringly.
Finally, sensitive assets, such as databases containing private information, should be designated as high-priority, so that security alerts in which they are implicated are immediately escalated to analysts via a SOAR or incident response platform.
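The two rules described above (access outside a user's role, activity outside work hours) and the high-priority escalation of sensitive data stores can be expressed as a small detection pass over access records. The following is an added illustration, not code from the original post or from any SOAR product; the role-to-resource policy, the business-hours window, the high-priority asset list, and the sample access log are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Which data stores each role is expected to touch (constructed example policy).
ROLE_ACCESS = {
    "clerk": {"county_clerk_records"},
    "hhs_caseworker": {"hhs_case_files"},
    "sheriff_deputy": {"sheriff_records"},
}
# Sensitive stores whose alerts go straight to an analyst (constructed list).
HIGH_PRIORITY = {"hhs_case_files", "sheriff_records"}
WORK_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday

@dataclass
class Alert:
    user: str
    resource: str
    reasons: tuple
    escalate: bool

def check_event(event, role_access=ROLE_ACCESS, high_priority=HIGH_PRIORITY):
    """Return an Alert for one access record, or None if it looks routine."""
    ts = datetime.fromisoformat(event["time"])
    reasons = []
    if event["resource"] not in role_access.get(event["role"], set()):
        reasons.append("outside_role")      # data unrelated to the user's role
    if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
        reasons.append("off_hours")         # weekend or outside business hours
    if not reasons:
        return None
    return Alert(event["user"], event["resource"], tuple(reasons),
                 escalate=event["resource"] in high_priority)

def detect_anomalies(events):
    return [a for a in (check_event(e) for e in events) if a]

# Constructed sample access log; not data from the Adams County incident.
SAMPLE_EVENTS = [
    {"user": "jdoe", "role": "clerk", "resource": "county_clerk_records", "time": "2018-03-05T10:15:00"},
    {"user": "jdoe", "role": "clerk", "resource": "hhs_case_files", "time": "2018-03-05T23:40:00"},
    {"user": "asmith", "role": "hhs_caseworker", "resource": "hhs_case_files", "time": "2018-03-06T14:00:00"},
    {"user": "asmith", "role": "hhs_caseworker", "resource": "hhs_case_files", "time": "2018-03-10T09:00:00"},
    {"user": "jdoe", "role": "clerk", "resource": "sheriff_records", "time": "2018-03-07T11:00:00"},
    {"user": "bwong", "role": "clerk", "resource": "tax_records", "time": "2018-03-06T11:30:00"},
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(alert)
```

In practice the role policy and the business-hours window would come from the identity system and HR data rather than being hard-coded, and the `escalate` flag is what a SOAR platform would use to route the alert.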
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.