As many people are going online to register for their COVID-19 vaccinations with healthcare organizations such as doctors’ groups, hospitals, and pharmacies, one such provider announced that it has suffered a data breach. Kroger announced that on January 23rd, data in their pharmacy and money order systems were stolen as a result of using Accellion file transfer software.
As we reported in our February 19th Be Cyber Safe newsletter, the Washington State Auditor’s Office experienced a similar data breach in December from using the same file transfer software that Kroger used, resulting in 1.4 million Washingtonians’ personal information being stolen while it was transferred from the unemployment office to the auditor’s office during a fraud investigation.
Could The Kroger Company have prevented this breach after learning what happened to Washington State a month earlier using the same software? Yes, had they been aware of the breach. But more disgraceful is that Accellion, the software developer, had been encouraging its clients to upgrade to a newer version of the software. The legacy system was nearly 20 years old.
Upon learning of the Washington State breach on December 16th, Accellion developed and released a patch by December 20th and claims to have notified its customers within 72 hours. Several factors could have contributed to customers’ failure to patch their systems. First, it occurred during the Christmas holidays. Second, it occurred around the same time as the SolarWinds hack, which dominated the headlines for several days.
So maybe it happened because IT personnel were not paying attention to their emails over the holidays or because the media was covering a bigger cyber security story. Unfortunately, there will always be a holiday, vacation, or sick day and there will always be big headlines.
The better solution is to have processes in place to monitor updates to the software an organization uses, to ensure the most up-to-date, safest version is being run. This requires personnel dedicated to cyber security, not just an IT person or team.
Secondly, there must be accountability. How often have each of us received a letter from a commercial organization, healthcare provider, or even a government agency (like the Washington State Auditor’s Office, OPM, or even the Kentucky Office of Unemployment Insurance – three times!) telling us that they will pay for one or two years of credit monitoring? Does this really fix the problem? It may mitigate our personal damage.
The most important thing is change. Improve. Learn from the incident. Put processes in place so that it does not happen again.
To that end, be sure to read our story in “Cyber News” about the continued impacts of the Microsoft Exchange Server exploits. Even if you, or your ISP, patched the Microsoft Exchange Server, you must also ensure that cyber criminals are not already in your system waiting to attack from within.
Contact Commonwealth Sentinel for assistance today at (502) 320-9885.