Full Report
Blaming victims, months of silence, and suing security researchers all featured in cybersecurity in 2024. © 2024 TechCrunch. All rights reserved.
Analysis Summary
This summary focuses on the incidents detailed in the provided text (23andMe, Change Healthcare, Synnovis, and MoneyGram).
# Incident Report: Review of High-Profile Data Breaches and Poor Incident Handling
## Executive Summary
The past year saw multiple severe security incidents across the genetics, healthcare technology, and retail sectors, characterized by critical failures in basic security practices like Multi-Factor Authentication (MFA). Incidents at 23andMe, Change Healthcare, and Synnovis demonstrated massive operational impacts, ranging from healthcare system paralysis to millions of compromised genetic and health records. Response efficacy was frequently criticized, marked by delayed disclosures, blaming victims, and high-profile ransom payments, leading to subsequent regulatory scrutiny and severe long-term financial and operational consequences.
## Incident Details
- **Discovery Date:** Varies by incident (e.g., Change Healthcare in February, Synnovis in June, MoneyGram in September; 23andMe was reported on an ongoing basis).
- **Incident Date:** Varies by incident (e.g., the 23andMe breach unfolded over the past year, beginning when the data scraping started).
- **Affected Organization:** 23andMe, Change Healthcare (UnitedHealth Group), Synnovis, MoneyGram, Hot Topic.
- **Sector:** Genetic Testing, Healthcare Technology, Pathology Services, Financial Services/Money Transfer, Retail.
- **Geography:** Primarily US and UK.
## Timeline of Events
### Initial Access
- **Date/Time:** Varies.
- **Vector:** **Brute-force attacks** against user accounts lacking MFA (**23andMe, Change Healthcare**); **Ransomware attack** (**Synnovis**); Unspecified "cybersecurity issue" (**MoneyGram**).
- **Details:** Attackers used valid credentials on accounts that lacked MFA to gain entry, leading to mass data scraping or a network-wide shutdown.
### Lateral Movement
- Not explicitly stated for any incident, but implied by the scale of the data theft and network takeover in the Change Healthcare and Synnovis incidents.
### Data Exfiltration/Impact
- **23andMe:** Genetic and ancestry data on close to 7 million customers scraped.
- **Change Healthcare:** Private health information (PHI) for over 100 million Americans stolen; massive, prolonged shutdowns of U.S. healthcare billing and insurance systems.
- **Synnovis:** Qilin ransomware group exfiltrated 400 GB of data; caused months-long disruption to UK (NHS) pathology services, leading to canceled appointments and procedures.
- **MoneyGram:** Attackers stole customer data including SSNs, government IDs, and transaction data.
- **Hot Topic:** Attackers stole PII (email, address, phone, DOB) and partial payment card data for 57 million customers.
### Detection & Response
- **Detection:** Detection varied; Change Healthcare shut down its network proactively; MoneyGram's confirmation came more than a week after the outage began; the Hot Topic incident only became known through third-party breach notification sites.
- **Response actions taken:**
  - **23andMe:** Belatedly rolled out MFA; publicly deflected blame onto users.
  - **Change Healthcare:** Paid a **$22 million ransom** initially, then paid a second group to delete data; faced congressional grilling; took seven months to fully confirm the scope of the data theft.
  - **Synnovis:** Experienced prolonged operational paralysis, resulting in UX/staffing disputes and potential strikes.
  - **Hot Topic:** Failed to publicly confirm the breach, alert customers, or notify state AGs despite its massive scale.
## Attack Methodology
- **Initial Access:** Credential stuffing/Brute-force login attempts (23andMe); Compromised basic user account credentials lacking MFA (Change Healthcare); Ransomware deployment (Synnovis).
- **Persistence:** (Not detailed)
- **Privilege Escalation:** (Not detailed)
- **Defense Evasion:** (Not detailed; the absence of MFA meant no additional control stood in the way of credential-based access)
- **Credential Access:** Exploitation of weak authentication practices.
- **Discovery:** (Not detailed)
- **Lateral Movement:** (Implied in Change Healthcare/Synnovis due to widespread operational shutdown)
- **Collection:** Bulk scraping of user profiles (23andMe); Theft of massive datasets including PHI (Change Healthcare).
- **Exfiltration:** Data theft is confirmed by the subsequent ransom negotiations and payments; the transfer mechanism itself is not detailed.
- **Impact:** Severe operational disruption across entire sectors (healthcare, pathology); Massive loss of highly sensitive personal and genetic data.
## Impact Assessment
- **Financial:** Change Healthcare paid two ransoms ($22M+); 23andMe laid off 40% of its staff in the fallout; all parties incurred significant costs from operational downtime and regulatory fines.
- **Data Breach:** Millions of records lost, including sensitive genetic data (23andMe), PHI (Change Healthcare), SSNs/Gov IDs (MoneyGram), and PII/partial payment data (Hot Topic).
- **Operational:** Change Healthcare halted vast portions of U.S. healthcare transactions for months; Synnovis led to canceled medical procedures for months in London.
- **Reputational:** Significant public outcry; Regulatory investigations launched (UK/Canada privacy authorities into 23andMe); Companies faced public shaming and executive grilling by lawmakers.
## Indicators of Compromise
- *Note: No specific technical IoCs are provided in the source text; this section lists behavioral indicators only.*
- **Network indicators:** (Not specified)
- **File indicators:** (Not specified)
- **Behavioral indicators:** Mass account takeover via password spraying/brute-force; prolonged network shutdowns requiring manual operations; failure to disclose breaches in a timely manner.
## Response Actions
- **Containment:** Internal network shutdown (Change Healthcare); investigation with delayed disclosure (Hot Topic).
- **Eradication:** (Not detailed; implied by the subsequent ransom payments and system recovery.)
- **Recovery:** Belated implementation of MFA (23andMe); System restoration following ransom payments (Change Healthcare, Synnovis).
## Lessons Learned
- The absence of basic security controls like **Multi-Factor Authentication (MFA)** remains a primary, preventable cause of catastrophic breaches.
- Companies are demonstrating poor incident handling by delaying disclosures, downplaying impact, or blaming customers for security failures.
- Ransomware payments do not guarantee data deletion and may encourage further criminal activity.
- Large-scale data breaches can lead to massive staff layoffs and severe, long-term uncertainty regarding data security viability (23andMe).
## Recommendations
- Mandate and strictly enforce MFA across all user accounts, especially for sensitive services dealing with PII, PHI, or genetic data.
- Establish clear, rapid, and transparent communication protocols for data breach disclosure, ensuring immediate notification to affected individuals and relevant regulatory bodies.
- Develop robust Business Continuity Plans (BCPs) that do not depend on the availability of IT systems, mitigating the operational paralysis seen at Change Healthcare and Synnovis.
- Review vendor security requirements rigorously, as a compromise at a third-party provider (Synnovis, for NHS pathology services) can cause widespread downstream impact.