Wedding planners and medical device security

Sometimes, hackers don’t need to literally breach a company’s systems in order to do damage. In the case of Zola, a wedding planning startup, all the hackers needed was access to user accounts to steal funds or charge thousands of dollars to their credit cards (which is still considered a data breach). Credentials that had already been compromised elsewhere were used in a credential stuffing attack, in which cyber criminals try the same username and password combinations on other sites, looking for accounts that share those credentials. Once attackers are inside, unprotected data is still eminently valuable; encrypting your database helps to protect your company’s assets and keep your website secure.

Unfortunately, in this scenario the credential stuffing just happened to work on Zola’s site. Messages from Zola users have warned against using the site for the time being, recommending the app instead. The hackers have apparently been using the site to order gift cards that are then sent to their own email addresses; most of these orders have since been refunded, according to Zola. TechCrunch reported that fewer than 0.1% of Zola users were affected, although what that equates to in plain numbers is unclear. Zola was also less forthcoming about accounts lacking two-factor authentication, a crucial factor in thwarting attacks like this.

This particular incident didn’t involve a traditional breach of a company’s network, but such security incidents are as prevalent and dangerous as ever. Any vulnerabilities need to be addressed immediately, before they can be discovered and exploited by cyber criminals. Medical devices are especially critical in this regard. Electronic protected health information (ePHI) is PHI that is produced, saved, transferred or received in electronic form. In the United States, the management of ePHI and PHI is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. NetLib Security’s high performance data security software, Encryptionizer, can help you protect your patient data and meet HIPAA compliance in physical, virtual and cloud healthcare environments.

Becton, Dickinson and Company (BD) recently disclosed two vulnerabilities affecting its medical devices, specifically the Pyxis and Synapsys product lines. These vulnerabilities could be exploited to compromise protected health information (PHI). In BD Pyxis products, which are automated medication dispensing systems, “Threat actors could exploit this vulnerability to gain privileged access to the underlying file system and exploit or gain access to ePHI or other sensitive information,” according to the Cybersecurity and Infrastructure Security Agency (CISA). Exploitation of the Synapsys vulnerabilities, meanwhile, could allow modification or deletion of people’s sensitive data.

For both products, BD’s recommendations are a useful standard in many situations: stringent access controls to ensure that only authorized users have access; monitoring and logging of network traffic for suspicious activity; and ensuring that proper security policies and procedures are followed, to name a few.
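The credential stuffing pattern described in the Zola incident above, and the monitoring-and-logging recommendation just listed, can be tied together in a small detection routine. This is an added example, not code from NetLib Security, Zola or BD; the log lines and their layout (timestamp, client IP, account, result) are constructed for illustration.

```python
# Detect the credential-stuffing signature in web authentication logs:
# one source tries MANY DISTINCT accounts with a high failure rate, whereas
# a genuine user retrying a password hits one account. A success amid the
# failures marks an account whose reused password has been compromised.
from collections import defaultdict

# Constructed sample log (assumed layout: timestamp, client IP, account, result).
SAMPLE_LOG = """\
2022-06-01T10:00:01Z 198.51.100.7 alice@example.com FAIL
2022-06-01T10:00:02Z 198.51.100.7 bob@example.com FAIL
2022-06-01T10:00:02Z 198.51.100.7 carol@example.com FAIL
2022-06-01T10:00:03Z 198.51.100.7 dave@example.com SUCCESS
2022-06-01T10:00:04Z 198.51.100.7 erin@example.com FAIL
2022-06-01T10:00:05Z 198.51.100.7 frank@example.com FAIL
2022-06-01T10:01:10Z 203.0.113.5 alice@example.com FAIL
2022-06-01T10:01:20Z 203.0.113.5 alice@example.com FAIL
2022-06-01T10:01:30Z 203.0.113.5 alice@example.com SUCCESS
"""

def parse_line(line):
    _, ip, account, result = line.split()
    return {"ip": ip, "account": account, "ok": result == "SUCCESS"}

def find_stuffing_sources(log_text, min_accounts=5, min_fail_ratio=0.6):
    # Aggregate per source IP: distinct accounts tried, attempts, failures,
    # and the accounts where a guess succeeded (now usable by the attacker).
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "fails": 0, "hits": set()})
    for line in filter(None, log_text.splitlines()):
        ev = parse_line(line)
        s = per_ip[ev["ip"]]
        s["accounts"].add(ev["account"])
        s["attempts"] += 1
        if ev["ok"]:
            s["hits"].add(ev["account"])
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_accounts": len(s["accounts"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)  # 198.51.100.7 is flagged; 203.0.113.5 is not
```

The flagged source's `compromised` list is the set of accounts that should be forced through a password reset and second-factor enrolment, which is the mitigation Zola was asked about.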

No matter how cyber criminals gain access to an organization’s stored data, whether at a wedding planner or through medical devices, remediating the damage afterwards is a major headache for the firm in question. Organizations must watch for weak points in their services and products and be proactive in eliminating them. NetLib Security’s Encryptionizer helps protect stored data through transparent database encryption, providing a simple and effective solution for securing this critical asset.

By: Jonathan Weicher, post on June 9, 2022
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security