Being Honest About Security Breaches

posted by Roy Schestowitz on Oct 08, 2023

THE Web (or web) we weaved in nearly 37 years combined (adding the age of this site to its sister site's) is a very large web of nearly 300,000 page, which all reside on the same server now, served in static form without a visitor-accessible (as opposed to user-accessible) back end. Throughout these years there were no known security incidents and now we're extra secure because scripts are not reachable by visitors of the sites or their respective Gemini capsules.

The half dozen [1-6] or so stories below focus on security incidents (via DataBreaches), which are not only very very very costly [2] but involve elaborate cover-ups [1], implicating governments [3] and impacting companies profoundly [4]. They try to blame other nations [5] (not the holes) or downplay the issues [6] (blaming human error) though the net effect is the same.

During my (almost) 12 years at Sirius I witnessed several security breaches. As noted at the time in some videos and articles, those affected were not being notified. Even staff of Sirius was barely made aware at times. Sometimes clients were given a hint, but as far as I can tell, those further down the chain were left in the dark.

A culture of lousy managers in charge (liars without technical skills) is part of the problem. They only care how they're seen, not about people's safety or any sense of integrity. █

Related/contextual items from the news:

1. OrthoAlaska notifies 176,203 patients of breach. When was the breach?

   On October 12, 2022 — almost a full year ago — OrthoAlaska discovered unauthorized activity on their systems. On March 3, 2023, they learned that information on former employees was stored in the system. On April 3, 2023, they notified those affected.

   And that’s where things remained until September 22, 2023, when OrthoAlaska notified HHS that 176,203 patients were affected by a breach.

   Was this the same breach first discovered in October 2022? We do not know because there is no notice on OrthoAlaska’s website at this time.

2. Data breach at MGM Resorts expected to cost casino giant $100 million

   The data breach last month that MGM Resorts is calling a cyberattack is expected to cost the casino giant more than $100 million, the Las Vegas-based company said.

   The incident, which was detected on Sept. 10, led to MGM shutting down some casino and hotel computer systems at properties across the U.S. in efforts to protect data.

3. Citizen data leak: NID wing suspends access for suspected govt, pvt partner organisations

   The national identity registration wing of the Election Commission [of Bangladesh] has suspended data access to a number of its government and private partner organisations over suspicions of leaking citizens’ data online, while putting all of its 174 service recipient organisations under watch.

4. Clorox Expects Double-Digit Sales Drop Following Cyberattack

   Household cleaning product giant Clorox said Wednesday that an August cyberattack had taken a big swipe out of the bleach maker’s sales and profits in the quarter that ended Sept. 30.

   The Oakland, California-based manufacturer maker expects organic sales to drop between 21% and 26% due to widespread disruption, order processing delays and product outages after the August cyberattack.

5. North Korea Suspected in Massive Hack of DeFi Project Mixin (1)

   The massive breach of a decentralized finance project bears the hallmarks of a North Korean attack, according to a senior White House official.

   Mixin Network, which helps blockchains handle transactions more efficiently, said it had lost less than $150 million in a late-September attack. Originally the company estimated it lost $200 million but reduced it after a final inspection.

6. NL Health Services Reveals Pediatrics Privacy Breach

   NL Health Services has another privacy breach on its hands.

   The news came quietly in a news release sent out just after 5:30 Friday evening.

   The breach is related to an email sent to the parents and guardians of 253 pediatric patients with diabetes.

   Officials say “the recipients of that email were inadvertently not blind copied,” allowing everyone on the list to see each other’s email addresses.