About half a million patients have been notified so far, but the number of affected individuals is likely far higher.
© 2024 TechCrunch. All rights reserved. For personal use only.
U.S. realty trust giant Brandywine Realty Trust has confirmed a cyberattack that resulted in the theft of data from its network.
In a filing with regulators on Tuesday, the Philadelphia-based Brandywine described the cybersecurity incident as unauthorized access and the “deployment of encryption” on its internal corporate IT systems, consistent with a ransomware attack.
Brandywine said the cyberattack caused disruption to the company’s business applications that support its operations and corporate functions, including its financial reporting systems.
The company said it shut down some of its systems and believes it has contained the activity. The company confirmed that hackers took files from its systems, but it was still investigating whether any sensitive or personal information was taken.
Brandywine is one of the largest real estate trusts (REIT) in the United States, with a portfolio of about 70 properties across Austin, Philadelphia, and Washington DC as of its last earnings report in April.
Some of the company’s biggest tenants reportedly include IBM, Spark Therapeutics, and Comcast.
Since the introduction of new rules in December, U.S. publicly traded companies are obliged to disclose to investors cybersecurity events that may have a material impact on the business. As of the filing, Brandywine said it does not believe the incident is “reasonably likely to materially impact” its operations.
The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multi-factor authentication, according to the chief executive of its parent company, UnitedHealth.
UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system.
This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare’s systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a “substantial proportion of people in America.”
Change Healthcare processes health insurance and billing claims for around half of all U.S. residents.
According to Witty’s testimony, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen.
However, Witty did say the portal “did not have multi-factor authentication,” which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee’s trusted device, such as their phone. It’s not known why Change did not set up multi-factor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer’s systems.
“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data,” said Witty.
Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach.
UnitedHealth confirmed last week that the company paid a ransom to the hackers who claimed responsibility for the cyberattack and the subsequent theft of terabytes of stolen data. The hackers, known as RansomHub, are the second gang to lay claim to the data theft after posting a portion of the stolen data to the dark web and demanding a ransom to not sell the information.
UnitedHealth earlier this month said the ransomware attack cost it more than $870 million in the first quarter, in which the company made close to $100 billion in revenue.
A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime.
The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.
World-Check is a screening database used for “know your customer” checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions.The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm.
A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.
Simon Henrick, a spokesperson for the London Stock Exchange Group, which maintains the database, told TechCrunch: “This was not a security breach of LSEG/our systems. The incident involves a third party’s data set, which includes a copy of the World-Check data file. This was illegally obtained from the third party’s system. We are liaising with the affected third party, to ensure our data is protected and ensuring that any appropriate authorities are notified.”
LSEG did not name the third-party company, but did not dispute the amount of data stolen.
The portion of stolen data seen by TechCrunch contains records on thousands of people, including current and former government officials, diplomats, and private companies whose leaders are considered “politically exposed people,” who are at a higher risk of involvement in corruption or bribery. The list also contains individuals accused of involvement in organized crime, suspected terrorists, intelligence operatives, and a European spyware vendor.
The data varies by record. The database contains names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers, and more.
World-Check is currently owned by the London Stock Exchange Group following a $27 billion deal to buy financial data provider Refinitiv in 2021. LSEG collects information from public sources, including sanctions lists, government sources, and news outlets, then provides the database as a subscription to companies for conducting customer due diligence.
But privately run databases, like World-Check, are known to contain errors that can affect entirely innocent people with no nexus or connection to crime but whose information is stored in these databases.
In 2016, an older copy of the World-Check database leaked online following a security lapse at a third-party company with access to the data, including a former advisor to the U.K. government that World-Check had applied a “terrorism” label to his name. Banking giant HSBC shut down bank accounts belonging to several prominent British Muslims after the World-Check database branded them with “terrorism” tags.
A spokesperson for the U.K.’s data protection authority, the Information Commissioner’s Office, did not immediately comment on the breach.
To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
Hotel chain giant Omni Hotels & Resorts has confirmed cybercriminals stole the personal information of its customers in an apparent ransomware attack last month.
In an update on its website posted on Sunday, Omni said the stolen data includes customer names, email addresses, and postal addresses, as well as guest loyalty program information. The company said the stolen data does not include financial information or Social Security numbers.
Omni said it shut down its systems on March 29 after identifying intruders in its systems. Guests reported widespread outages across Omni’s properties, including phone and Wi-Fi issues. Some customers said that their room keys stopped working. The hotel chain restored its systems a week later on April 8.
Omni operates dozens of properties across the United States and Canada, and employs more than 14,000 staff, per its website.
A ransomware gang called Daixin has taken credit for the breach.
The Daixin gang said in a post on its dark web site that it would soon leak reams of customer records dating back to 2017. Ransomware gangs typically use such dark web sites to publish stolen information to extort a ransom from their victims.
The gang did not post evidence of their claims, but shared portions of the allegedly stolen files with veteran data breach watcher DataBreaches.net. Per the publication, the gang claimed to steal 3.5 million Omni customer records. A sample of the stolen data shared with DataBreaches.net matched the types of customers’ personal information that Omni said was taken.
A spokesperson for Omni did not immediately respond to a request for comment.
Daixin was the subject of a public advisory by U.S. cybersecurity agency CISA in October after the ransomware crew began targeting businesses across the U.S., including healthcare organizations. The Daixin gang previously took credit for several cyberattacks targeting U.S. hospitals and medical facilities.
Do you know more about the Omni Hotels breach? To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
An extortion group has published a portion of what it says are the private and sensitive patient records on millions of Americans stolen during the ransomware attack on Change Healthcare in February.
On Monday, a new ransomware and extortion gang that calls itself RansomHub published several files on its dark web leak site containing personal information about patients across different documents, including billing files, insurance records and medical information.
Some of the files, which TechCrunch has seen, also contain contracts and agreements between Change Healthcare and its partners.
RansomHub threatened to sell the data to the highest bidder unless Change Healthcare pays a ransom.
It’s the first time that cybercriminals have published evidence that they have in their possession medical and patient records from the cyberattack.
For Change Healthcare, there’s another complication: This is the second group to demand a ransom payment to prevent the release of stolen patient data in as many months.
UnitedHealth Group, the parent company of Change Healthcare, said there was no evidence of a new cyber incident. “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data. Our investigation remains active and ongoing,” said Tyler Mason, a spokesperson for UnitedHealth Group.
What’s more likely is that a dispute between members and affiliates of the ransomware gang left the stolen data in limbo and Change Healthcare exposed to further extortion.
A Russia-based ransomware gang called ALPHV took credit for the Change Healthcare data theft. Then, in early March, ALPHV suddenly disappeared along with a $22 million ransom payment that Change Healthcare allegedly paid to prevent the public release of patient data.
An ALPHV affiliate — essentially a contractor who earns a commission on the cyberattacks they launch using the gang’s malware — went public claiming to have carried out the data theft at Change Healthcare, but that the main ALPHV/BlackCat crew stiffed them out of their portion of the ransom payment and vanished with the lot. The contractor said the millions of patients’ data was “still with us.”
Now, RansomHub says “we have the data and not ALPHV.” Wired, which first reported the second group’s extortion effort on Friday, cited RansomHub as saying it was associated with the affiliate that still had the data.
UnitedHealth previously declined to say whether it paid the hackers’ ransom, nor did it say how much data was stolen in the cyberattack.
The healthcare giant said in a statement on March 27 that it obtained a dataset “safe for us to access and analyze,” which the company obtained in exchange for the ransom payment, TechCrunch learned from a source with knowledge of the ongoing incident. UHG said it was “prioritizing the review of data that we believe would likely have health information, personally identifiable information, claims and eligibility or financial information.”
An extortion group has published a portion of what it says are the private and sensitive patient records on millions of Americans stolen during the ransomware attack on Change Healthcare in February.
On Monday, a new ransomware and extortion gang that calls itself RansomHub published several files on its dark web leak site containing personal information about patients across different documents, including billing files, insurance records and medical information.
Some of the files, which TechCrunch has seen, also contain contracts and agreements between Change Healthcare and its partners.
RansomHub threatened to sell the data to the highest bidder unless Change Healthcare pays a ransom.
It’s the first time that cybercriminals have published evidence that they have in their possession medical and patient records from the cyberattack.
For Change Healthcare, there’s another complication: This is the second group to demand a ransom payment to prevent the release of stolen patient data in as many months.
UnitedHealth Group, the parent company of Change Healthcare, said there was no evidence of a new cyber incident. “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data. Our investigation remains active and ongoing,” said Tyler Mason, a spokesperson for UnitedHealth Group.
What’s more likely is that a dispute between members and affiliates of the ransomware gang left the stolen data in limbo and Change Healthcare exposed to further extortion.
A Russia-based ransomware gang called ALPHV took credit for the Change Healthcare data theft. Then, in early March, ALPHV suddenly disappeared along with a $22 million ransom payment that Change Healthcare allegedly paid to prevent the public release of patient data.
An ALPHV affiliate — essentially a contractor who earns a commission on the cyberattacks they launch using the gang’s malware — went public claiming to have carried out the data theft at Change Healthcare, but that the main ALPHV/BlackCat crew stiffed them out of their portion of the ransom payment and vanished with the lot. The contractor said the millions of patients’ data was “still with us.”
Now, RansomHub says “we have the data and not ALPHV.” Wired, which first reported the second group’s extortion effort on Friday, cited RansomHub as saying it was associated with the affiliate that still had the data.
UnitedHealth previously declined to say whether it paid the hackers’ ransom, nor did it say how much data was stolen in the cyberattack.
The healthcare giant said in a statement on March 27 that it obtained a dataset “safe for us to access and analyze,” which the company obtained in exchange for the ransom payment, TechCrunch learned from a source with knowledge of the ongoing incident. UHG said it was “prioritizing the review of data that we believe would likely have health information, personally identifiable information, claims and eligibility or financial information.”
Founded in 2017, Atoms Lanka Solutions is a provider of IT consulting and software development services. Throughout the company’s history, we have worked with over 160 customers from 5+ countries..
