Blaming victims, months of silence, and suing security researchers all featured in cybersecurity in 2024.
© 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Incident Report: Compilation of Major 2024 Security Incidents (Focusing on Poor Handling)
## Executive Summary
This summary covers several high-profile security incidents from the past year. Each involved significant data exposure resulting from poor security hygiene (such as the absence of MFA), compounded by an inadequate response such as blaming victims or long disclosure delays. The collective impact spanned healthcare systems, genetic data repositories, and financial services, leading to massive data breaches and severe operational disruptions.
## Incident Details
- Discovery Date: Varied (Incidents spanned the year, e.g., Change Healthcare in February, Synnovis in June)
- Incident Date: Varied (Incidents spanned the year)
- Affected Organization: 23andMe, Change Healthcare (UnitedHealth Group), Synnovis, Evolve Bank, pcTattletale, mSpy (via Brainstack)
- Sector: Genetic Testing, Healthcare Tech, Pathology Services, Banking/Fintech, Spyware/Stalkerware
- Geography: USA, UK (South-East London)
## Timeline of Events
### Initial Access
- **23andMe (Approx. late 2023/early 2024):** Vector: Brute-force access against user accounts.
- **Change Healthcare (February 2024):** Vector: Compromised basic user account lacking Multi-Factor Authentication (MFA).
- **Synnovis (June 2024):** Vector: Ransomware attack (claimed by Qilin group); experts suggest Two-Factor Authentication (2FA) could have prevented entry.
- **pcTattletale (Sometime before May 2024):** Vector: Not detailed; the breach exposed data on the people the spyware was monitoring.
- **Evolve Bank (May 2024):** Vector: Ransomware attack by the LockBit gang.
- **mSpy (Pre-2024 exposure):** Vector: Not detailed; the data breach exposed support emails dating back to 2014 and revealed Brainstack as the operator.
### Lateral Movement
- **23andMe:** Attackers scraped data on millions of customers after gaining initial account access.
- **Change Healthcare:** Internal movement is implied; the company responded by shutting down its entire network, grinding U.S. healthcare transactions to a halt.
### Data Exfiltration/Impact
- **23andMe:** Genetic and ancestry data on close to 7 million customers exposed.
- **Change Healthcare:** Private health information (PHI) of over 100 million people stolen; took 7 months to confirm the scope.
- **Synnovis:** Disrupted pathology services in South-East London for months, leading to cancelled appointments and surgical procedures.
- **Evolve Bank:** Private financial data on approximately 7.6 million people exposed.
- **pcTattletale:** Exposed data on users of spyware applications.
### Detection & Response
- **23andMe:** Belatedly rolled out MFA after the breach. Attempted to deflect blame onto users for weak credential security. Investigated by UK and Canadian authorities.
- **Change Healthcare:** Company shut down the entire network immediately. Paid $22M ransom, then a second ransom to another group for data deletion. Took until October (7 months later) to disclose the full scope of the 100M+ records stolen.
- **Synnovis:** Months of disruption; led to staff strikes over subsequent reorganisation and unsafe working conditions.
- **Evolve Bank:** Opted to send a cease and desist letter to a journalist reporting on their breach, rather than focusing solely on remediation.
- **pcTattletale:** Subsequently shut down following the breach.
## Attack Methodology
| Category | Methods Observed |
| :--- | :--- |
| **Initial Access** | Brute-forcing user accounts (23andMe), Unsecured basic user accounts lacking MFA (Change Healthcare), Ransomware deployment (Evolve Bank/LockBit, Synnovis/Qilin). |
| **Persistence** | Not explicitly detailed, but implied by the prolonged operational outages in healthcare. |
| **Privilege Escalation** | Not detailed; compromise of user-level accounts was enough to trigger company-wide system shutdowns. |
| **Defense Evasion** | Not detailed, but the success of the attacks suggests failures in preventative controls (MFA/2FA). |
| **Credential Access** | Theft of login credentials via brute force or exploitation of weak authentication. |
| **Discovery** | Not detailed. |
| **Lateral Movement** | System-wide network shutdown at Change Healthcare suggests wide internal compromise. |
| **Collection** | Scraping genetic data (23andMe), Mass exfiltration of PHI (Change Healthcare), Theft of private financial data (Evolve Bank). |
| **Exfiltration** | Data stolen by threat actors for ransom or public release (implicit in ransomware attacks). |
| **Impact** | Severe operational disruption (healthcare systems paralyzed, appointments cancelled), Massive PII/PHI exposure (100M+ records), Company financial distress (23andMe layoffs). |
## Impact Assessment
- **Financial:** Change Healthcare paid $22 million to one threat actor, plus a second ransom. 23andMe laid off 40% of its staff due to financial uncertainty following the incident. Legal actions and regulatory fines are likely for all involved.
- **Data Breach:** Up to 7 million customers (genetic data); 100 million+ people (health data); 7.6 million people (financial data).
- **Operational:** The Change Healthcare outage ground U.S. healthcare billing and insurance processing to a halt for months. The Synnovis attack disrupted essential blood testing services in London for over three months.
- **Reputational:** Significant criticism directed at 23andMe for blaming victims, and at Change Healthcare for response delays and dual ransoms.
## Indicators of Compromise
*The source is a retrospective summary of multiple incidents and does not provide specific (defanged) indicators of compromise.*
- **Network indicators:** Not detailed.
- **File indicators:** Not detailed.
- **Behavioral indicators:** Credential stuffing/brute-forcing against customer portals; Network shutdown following ransomware deployment.
## Response Actions
- **Containment:** Change Healthcare shut down its entire network.
- **Eradication:** Not detailed; the ransom payments imply that threat actors were negotiated with rather than eradicated.
- **Recovery:** For Change Healthcare, recovery took months, with full scope confirmation only occurring seven months post-incident. 23andMe belatedly implemented MFA.
## Lessons Learned
- Missing Multi-Factor Authentication (MFA/2FA), a widely available and inexpensive control, left credential-based initial access open across multiple sectors (23andMe, Change Healthcare, Synnovis); this remains a primary, preventable failure.
- Companies must avoid blaming victims for security failures, as this severely damages trust and invites regulatory scrutiny.
- Extreme delays in disclosing the scope and nature of a breach (Change Healthcare taking seven months) compound reputational and operational damage.
- Paying ransoms (Change Healthcare paying twice) is not a guaranteed path to data recovery and incentivizes further criminal activity.
- Attempts to silence reporting journalists (Evolve Bank) are counterproductive and damage the organization’s standing.
## Recommendations
1. **Mandate MFA/2FA:** Immediately enforce Multi-Factor Authentication across all customer-facing accounts and internal privileged access systems.
2. **Improve Breach Transparency:** Establish strict internal guidelines to communicate accurate risk and scope assessment to the public within days of confirmation, not months.
3. **Incident Response Drills:** Conduct frequent, realistic exercises simulating ransomware attacks to test containment and recovery procedures without relying on paying threat actors.
4. **Review Third-Party Security Posture:** Organizations that depend on critical providers such as Synnovis and Change Healthcare should rigorously audit the security posture of every supplier whose failure could cause widespread public disruption.