Welcome to the Identity Theft Resource Center's Weekly Breach Breakdown for September 15th, 2023. I'm Alex Achten. Thanks to Sentilink for supporting this podcast.

Each week, we look at the most recent events and trends related to data security and privacy. Today, we will look at notable data breaches from August, with all of them coming from the MOVEit data event. This week's podcast title – "Breach of Trust" – comes from the Canadian band formed in 1994. While they have since changed their band name, it is an applicable title for this episode.

Show Transcript

Welcome to the Identity Theft Resource Center's (ITRC) Weekly Breach Breakdown for September 15, 2023. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we give you an August data breach summary, with all of the notable compromises coming from the MOVEit data event. This week's podcast title "Breach of Trust" comes from the Canadian band formed in 1994. While they have since changed their band name, it is an applicable title for this episode.

August Data Breach Summary

The ITRC tracked 227 data compromises in August, impacting more than 20 million people. Of the 227 data events, 29 were related to MOVEit. An additional 82 organizations were also affected by MOVEit through a vendor or multiple vendors. The top three breaches in the month by victim counts were IBM Consulting, CareSource and PH TECH, impacting approximately nine million people. All three compromises were affected by MOVEit.

MOVEit Data Event Update

As of September 11, the ITRC has tracked 213 U.S. organizations impacted by MOVEit, either directly or indirectly. (The number of organizations affected around the world is over 1,000.) Seventy-one (71) organizations have been impacted directly, and 142 through a single vendor or multiple vendors. The ITRC estimates the total U.S. victim count to be 48 million.

More companies who are users of MOVEit or who have vendors who use MOVEit software are continuing to issue data breach notices. Sometimes, but not always, the notices include the number of estimated victims. Because the number of impacted companies and people continues to grow, there is currently no highly accurate view of the impact of this attack and the resulting data breaches.

ITRC Continues to See Breaches of Vendors' Vendors

A trend the ITRC continues to see around the MOVEit event is breaches at vendors and vendors' vendors. Two of the top three compromises highlighted in our August data breach summary impacted other organizations. The IBM Consulting data compromise affected the Colorado Department of Health Care Policy & Financing and the Missouri Department of Social Services. PH TECH impacted the Oregon Health Plan.

According to Cybersecurity Dive, the number of organizations hit by the MOVEit attack increased by nearly 40 percent in the second to last week of August, illustrating the scope of impact and challenges organizations are encountering to determine potential exposure. For almost two-thirds of the victims, breaches occurred because their third-party vendor used MOVEit or the vendor's vendors used the file transfer service. 

The data highlighted in the Cybersecurity Dive article aligns directly with what the ITRC continues to see. The MOVEit attack and its impact on vendors' vendors is why the ITRC built our Breach Alert for Business service (currently available for a Proof of Concept) – to ensure companies are alerted to compromises at their vendors' vendors. If you would like to learn more about Breach Alert for Business or are interested in taking part in our Proof of Concept, email notifiedbyITRC@idtheftcenter.org.

What to Do if You Receive a Data Breach Notice

If you receive a data breach notice, follow the advice offered by the impacted company. Freeze your credit to ensure no new credit accounts can be opened in your name. Immediately change your password and switch to a passphrase of 12 or more characters, change the passwords of other accounts that use the same password as the breached account, use multi-factor authentication (MFA) with an app – SMS can be spoofed – and keep an eye out for phishing attempts that claim to be from the breached organization.

Contact the ITRC

For more information on the data compromises mentioned in our August data breach summary, visit the ITRC's data breach tracking tool, notified. Also, next month, we will release our data breach findings for the third quarter of the year, which will highlight additional data breach trends. More information will follow in the coming weeks.

If you want to know more about how to protect your business or personal information or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast.