Data Breaches at Dell, Medical Transcription Firm, and Canadian Provincial Government | MSP Incident Insights #11

Welcome back to MSP Incident Insights, the only identity-centric threat briefing series tailored to MSPs and help desks. This week, we’re looking back at three major breaches in late 2023 and 2024 and the lessons you can take away from them. Let’s get started:

Dell Data Breach Exposes Personal Information for 49 Million Users

On April 28, 2024, a cyber attacker known as Menelik attempted to sell a Dell database via Breach Forums, a cybercrime website.

In their online forum post, the threat actor explained how they had stolen personal data from 49 million Dell users sometime in March. The attacker used a fake company to obtain customer records through a partner portal API.

While the threat actors did not unlawfully leak financial information, they did release personal information, including the full names of customers, their addresses, and Dell hardware order details (warranty information, service tags, and more). Specifically, individuals that fell victim to the breach were Dell customers from 2017 to 2024. While this breach had a global impact, reports from BleepingComputer indicate that a majority of victims were based in the United States, China, India, Australia, and Canada. 

Why This Matters

This data breach reflects the reality of today’s cybersecurity landscape, where millions of victims may have personal information exposed to malicious actors. While threat actors did not exfiltrate customer payment details in this incident, the information they did collect is more than enough for threat actors to launch sophisticated phishing attacks against the 49 million impacted users. 

For example, one report proposed that the cyber criminals responsible (or anyone who buys this stolen data from them) could send millions of phishing emails claiming to be Dell. Moreover, users may be targeted by fraudsters claiming to represent Dell tech support, or posing as debt collectors chasing an unpaid invoice, in order to collect the remaining financial information or gain privileged access to your endpoints.

Key Takeaways and Mitigation Steps

MSPs and help desks that support Dell devices and may be supporting users whose personal information was stolen in this breach should take the following steps to secure their end users:

  • Notify any customers that may have purchased a Dell device in the timeframe above that cyber criminals are targeting Dell customers with sophisticated phishing attacks, and remind them to be vigilant. MSPs should remind end users that the MSP should be the primary point of contact for all technical support for their devices, and that it will never ask for sensitive data, such as financial information or credentials, on a call.
  • Implement identity verification into your support workflows to ensure that end users who call into your help desk are who they claim to be.

Medical Transcription Firm Breach Impacts 9 Million Patients

On October 31st, 2023, Perry Johnson & Associates (PJ&A), a medical transcription company, disclosed a massive data breach in which threat actors exfiltrated personal information from almost 9 million patients.

Key Takeaways

In this instance, the threat actors gained access via an undisclosed initial access vector on March 27th, 2023, and maintained persistent access until May 2nd, 2023. The stolen data included patients’ personally identifiable information (PII), including full names, birthdays, Social Security numbers, insurance information, medical transcripts, record numbers, account numbers, and more. 

At the time of publication, Concentra, a major healthcare provider in Texas; Cook County Health, the largest healthcare provider in Chicago; and Northwell Health, New York’s largest healthcare provider, have disclosed that their patients were affected. Together, they account for 5 million of the compromised patients. According to letters sent to impacted patients, PJ&A served as a vendor to all of these healthcare providers.

Why This Matters

This incident demonstrates the major risks that supply chain attacks pose to organizations of all sizes. Moreover, MSPs and help desks, regardless of whether or not they serve clients in the healthcare sector, continue to face elevated risks because they serve a large number of customers that threat actors could target with a successful compromise.

Guidance

MSPs and help desks serving the healthcare sector should remain vigilant for phishing attacks against their end users that may result from this breach. By implementing security awareness training and sharing information about the risks from this breach, they can help their customers proactively prepare for the fallout of this incident.

British Columbia Government Network Breached by State-Sponsored Threat Actors

On May 8, 2024, the government of British Columbia released a statement that state-sponsored threat actors were responsible for three “sophisticated cyberattacks” launched over the past month (beginning on April 10, 2024) against Canadian government systems.

After working with the Canadian Centre for Cyber Security (CCCS) and other law enforcement authorities, the head of B.C.’s public service concluded that a nation state (or state-sponsored actor) had launched these attempts, based on sophisticated techniques the threat actors used to hide their presence. 

British Columbia’s Public Safety Minister has said the findings do not indicate that threat actors had successfully stolen PII, and that the threat actors had not left a ransom note. However, British Columbia’s CIO did direct government workers to rotate their passwords to “ensure the security of government email systems.”

Why This Matters

The sophistication of these attacks reflects the important role MSPs and help desks play in helping small and medium-sized businesses secure themselves in the face of evolving cyber threats. According to Canadian coverage, the government of British Columbia keeps 76 people on staff to prevent, detect, and respond to cyber attacks. With today’s talent gap in cybersecurity, MSPs, Managed Security Service Providers (MSSPs), and help desks must step in to offer the security that the majority of businesses and organizations cannot, due to the restrictive cost of building an in-house security team.

Thanks for reading MSP Incident Insights. Next time, we’ll be diving into CMMC, FedRAMP, and how these frameworks apply to MSPs. Stay tuned!