ReportWire

Tag: cyberattack

  • CDK Global calls cyberattack that crippled its software platform a

    CDK Global is now calling the cyberattack that took down its software platform for its auto dealership clients “a ransom event.” 

    In a note to clients Saturday, CDK for the first time acknowledged that the hackers who made its dealer management system, or DMS, unavailable to clients for days are demanding a ransom to restore its systems.

    “Thank you for your patience as we recover from the cyber ransom event that occurred on June 19th,” CDK said in a memo to clients on Saturday, according to a copy of the email obtained by CBS MoneyWatch.

    CDK added in the note that it has started restoring its systems and expects the process of bringing major applications back online “to take several days and not weeks.”

    Beware of phishing

    In its memo, the company also warned car dealerships to be alert to phishing scams, or entities posing as CDK but who are in fact bad actors trying to obtain proprietary information like customers’ passwords. 

    A CDK spokesperson told CBS MoneyWatch that it is providing customers “with alternate ways to conduct business” while its systems remain inoperative. 

    The cybercriminals behind the CDK attack are linked to a group called BlackSuit, Bloomberg reported on Monday, citing Allan Liska of computer security firm Recorded Future. In a June 21 story, the media outlet also said the hackers were demanding tens of millions of dollars and that CDK planned to pay the ransom. 

    Liska didn’t immediately respond to a request for comment. CDK itself hasn’t pointed to any group behind the attack on its system that has disrupted car dealerships across the U.S. since last week. Companies targeted in ransomware schemes are often reluctant to disclose information in the midst of negotiations with hackers on a payment.

    “When you see an attack of this kind, it almost always ends up being a ransomware attack,” Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told the Associated Press. “We see it time and time again unfortunately, [particularly in] the last couple of years. No industry and no organization or software company is immune.”

    “Doing everything manually”

    The hack has left some car dealers unable to do business altogether, while others report using pen and paper, and even “sticky notes” to record transactions. 

    Tom Maoli, owner of Celebrity Motor Car Company, which operates five luxury car dealerships across New York and New Jersey, on Monday told CBS MoneyWatch his employees “are doing everything manually.”

    “We are trying to keep our customers happy and the biggest issue is the banking side of things, which is completely backed up. We can’t fund deals,” he said. 


    Asbury Automotive Group, a Fortune 500 company operating more than 150 new car dealerships across the U.S., in a statement on Monday said the attack has “adversely impacted” its operations and has hindered its ability to do business. Its Koons Automotive dealerships in Maryland and Virginia, however, which don’t rely on CDK’s software, have been able to operate without interruption, the company said.  

    Ransomware attacks are on the rise. In 2023, more than 2,200 entities, including U.S. hospitals, schools and governments, were directly impacted by ransomware, according to Emsisoft, an anti-malware software company. Additionally, thousands of private sector companies were targeted. Some experts believe that the only way to stop such attacks is to ban the payment of ransoms, which Emsisoft said would lead bad actors to “quickly pivot and move from high impact encryption-based attacks to other less disruptive forms of cybercrime.”

    Earlier this year, the U.S. Department of State offered $10 million in exchange for the identities of leaders of the Hive ransomware gang, which since 2021 has been responsible for attacks on more than 1,500 institutions in over 80 countries, resulting in the theft of more than $100 million. 

  • CDK Global cyberattack leaves thousands of car dealers spinning their wheels

    Car dealers across the U.S. are floundering after cyberattacks this week on CDK Global, a maker of software used to operate their businesses, made it all but impossible to sell vehicles. 

    Tom Maoli, who owns Celebrity Motor Car Company, which operates five luxury car dealerships across New York and New Jersey, told CBS MoneyWatch his business is “completely shut down.”

    “We cannot process paperwork. Everything is frozen, everything is tied up — we cannot move money back and forth to pay off cars, to finance our customers’ transactions,” he said. 

    Such disruptions are particularly damaging to sales-driven businesses like auto dealerships, where car shoppers who are primed to lay down their cash on a vehicle may walk away when faced with frustrating delays. Maoli said that while he’s trying to keep customers engaged, he has no sense of when his sales systems will be fully functional again, leaving the business in limbo.

    The company’s dealer management system, which is used by some 15,000 dealerships, remained unavailable Thursday and Friday, causing headaches for dealers and would-be car buyers.

    For one family in New Jersey, the outage meant they couldn’t drive away with their new Audi Q5. Daniel Lanni told Bloomberg his family was expecting the vehicle to be delivered on June 19, but that it now remains unclear when they’ll take possession.

    “The kids were really excited,” Lanni, a 41-year-old commercial real estate broker, told Bloomberg. “They’re upset and now they’re just regularly asking about it.”

    On Wednesday, CDK Global took down its services as a precaution, effectively bringing sales to a halt for its customers. A second cyberattack this week has compounded the problem. 

    CDK has indicated that the outage could last several days and has not publicly announced when it expects its services to be fully restored. The financial repercussions of the tech failure are expected to be substantial given that CDK powers sales for roughly half of the car dealerships in the U.S.

    “Royal pain in the rear”

    Geoff Pohanka, chairman of Pohanka Automotive Group, told CBS MoneyWatch that 20 of the company’s dealerships rely on CDK’s dealer management system, or DMS, to operate.

    “We are very dependent upon the DMS, and it affects all parts of our business,” he said. “It generates all of our forms. If you come in, we enter you in the system, it builds a file in terms of paperwork and finance papers, and right now none of that is functioning.”

    Pohanka, who said the dealership still has phone and internet service, said the business is doing its best to keep sales rolling. “We may not be able to have all the documents signed and will need to bring the customer back in to complete them, but we still can function,” he said, while conceding that “everything takes longer [and] is more complicated.” 

    The DMS outage also affects the company’s service and parts department. Typically, the dealership uses CDK software to generate electronic contracts and print out work orders. Now, they’re operating manually, which is slower.

    “We will certainly lose business because it takes longer to complete transactions, and some things will fall through the cracks. There will be losses,” Pohanka said. “It’s debilitating, and the longer it goes on the harder it will be for dealers. I know we will lose revenue. It really is a royal pain in the rear.” 

    Sport Honda, a Honda dealer and CDK customer in Silver Spring, Md., is also scrambling to continue serving customers.

    “It’s a difficult task, but there was paper before there were computers so we have to go about it that way,” a dealership manager told CBS MoneyWatch. “You can move around the computer software and go back and do things like you did back in the day.” 

    Employees at other dealerships took to social media forums to say they were tracking orders on “sticky notes” or using Excel spreadsheets to log transactions. 

    For CDK, the fallout may not only be technological. Maoli, the car dealership owner, said he’s retained legal counsel and is mulling a class-action lawsuit against the company.

  • Nissan data breach exposed Social Security numbers of thousands of employees

    Nissan suffered a data breach last November in a ransomware attack that exposed the Social Security numbers of thousands of former and current employees, the Japanese automaker said Wednesday. 

    Nissan’s U.S.-based subsidiary, Nissan North America, detailed the cyberattack in a May 15 letter to affected individuals. In the letter, Nissan North America said a bad actor attacked a company virtual private network and demanded payment. Nissan did not indicate whether it paid the ransom. 

    “[U]pon learning of the attack, Nissan promptly notified law enforcement and began taking immediate actions to investigate, contain and successfully terminate the threat,” the car maker said in the letter, adding that “Nissan worked very closely with external cybersecurity professionals experienced in handling these types of complex security incidents.”

    Nissan told employees about the incident during a town hall meeting in December 2023, a month after the attack. The company also told staffers that it was launching an investigation and would notify employees privately if their personal information had been compromised. Nissan said it’s providing free identity theft protection services to impacted individuals for two years. 

    Nissan North America also notified state officials across the U.S. of the attack, noting that data belonging to more than 53,000 current and former workers was compromised. But the company said its investigation found that affected individuals did not have their financial information exposed. 

    Nissan North America “has no indication that any information has been misused or was the attack’s intended target,” the automaker said in its letter.


    Ransomware attacks, in which cybercriminals disable a target’s computer systems or steal data and then demand payment to restore service, have become increasingly common. One cybersecurity expert said someone likely got a password or multi-factor authentication code from an existing Nissan employee, enabling the hacker to enter through the company’s VPN. 

    “It is unfortunate that the breach ended up involving personal information, however Nissan has done the right thing by continuing to investigate the incident and reporting the update,” Erich Kron, a cybersecurity awareness advocate at KnowBe4, told CBS MoneyWatch in an emailed statement. “In this case, targeting the VPN will often help bad actors avoid detection and bypass many of the organizational security controls that are in place.”

  • UnitedHealth Group CEO reports cyberattack could impact a third of Americans

    UnitedHealth Group CEO Andrew Witty disclosed that a cyberattack on one of its subsidiaries earlier this year might affect up to a third of all Americans.

  • Russians team up with young, English-speaking hackers for cyberattacks | 60 Minutes

    Cybersecurity investigators worry ransomware attacks may worsen as young, native-English speaking hackers in the U.S., U.K. and Canada team up with Russian hackers.

  • Cybersecurity investigators worry ransomware attacks may worsen as young, Western hackers work with Russians

    In the past year — hospitals, pharmacies, tech companies, Las Vegas’ biggest hotels and casinos have been paralyzed by “ransomware” attacks, in which hackers break into a corporate network, encrypt, or lock up critical files and hold them hostage until a ransom is paid. It’s a crime that has been growing more costly and disruptive every year. Now cybersecurity researchers fear it’s about to get worse, with the emergence of an audacious group of young criminal hackers from the U.S., U.K. and Canada the FBI calls Scattered Spider. More troubling, they have teamed up with Russia’s most notorious ransomware gang.

    This past September, one of the most pernicious ransomware attacks in history was unleashed on MGM Resorts – costing the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned gaming palaces on the Las Vegas strip: MGM Grand, Aria, Mandalay Bay, New York-New York, the Bellagio.

    Anthony Curtis is a Las Vegas fixture. He’s so good at counting cards, he’s been banned from card games here. He now publishes the “Las Vegas Advisor,” a monthly newsletter on all things Vegas.

    Anthony Curtis: Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumbling that something was going on. When I went down into the casino, I could see then that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect. 

    Across the Vegas strip… thousands of slot machines suddenly stopped paying out.

    Anthony Curtis: So all of a sudden now people are goin’, “How do I get my money? What’s wrong?” And the people were sitting there waiting and couldn’t get paid.

    Bill Whitaker: Were they angry?

    Anthony Curtis: They were getting angry, yeah. And this was just the tip of the iceberg. 

    Elevators were malfunctioning… parking gates froze… digital door keys wouldn’t work. As computers went down, reservations locked up and lines backed up at the front desks.

    Anthony Curtis: Anything that required technology was not working.

    Bill Whitaker: Sounds like chaos.

    Anthony Curtis: Nobody knew what to do and including the employees. The employees just had to, you know, beg forgiveness and patience.

    Bill Hornbuckle (at October conference): Look, it’s corporate terrorism at its finest. 

    The company declined our interview request, but at a conference a month after the hack, MGM’s CEO admitted the disruptions were devastating.

    Bill Hornbuckle (at October conference): For the next four or five days with 36,000 hotel rooms and some regional properties we were completely in the dark. 

    The hackers demanded $30 million to unlock MGM’s data. The company refused. But they still paid a price – $100 million in lost revenue and millions more to rebuild their servers.

    So how did the intruders get in? Through a technique of deception and manipulation called social engineering. First hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn. Next, a smooth-talking hacker, impersonating the employee, called the MGM Tech Help Desk and convinced them to reset his password. 

    With that, the hacker was inside MGM’s computers and unleashed the destructive malware. Anthony Curtis says it was the cybercriminal’s version of an Ocean’s Eleven heist. 

    Anthony Curtis: They’re doing it the old-fashioned way. I mean, they’re doin’ it the new way but with the old-fashioned goal. They wanna get the money. 

    Bill Whitaker: What do you make of that?

    Anthony Curtis: I don’t wanna be too glowing like I– like I like these guys ’cause they’re– they’re just crooks, right? But these hackers were able to turn the tables. The casinos have their– they have their systems. They have their protections. They have their experts. They have their security. These guys are better.

    Later, MGM’s biggest competitor, Caesars, admitted it also suffered a social engineering attack around the same time, suspected to be by the same group. But Caesars paid a ransom, reportedly $15 million, and suffered no disruptions.

    Bryan Vorndran: From an FBI perspective, our position is we recommend a ransom not be paid. But we understand it’s a business decision during a time of crisis.

    Bryan Vorndran is head of the FBI’s Cyber Division. He told us ransomware attacks have grown increasingly brazen.

    Bryan Vorndran: Any way you look at the numbers it’s a problem for the global economy, and for the U.S. economy, and for the security of the United States. There’s estimates that global losses exceed $1 billion U.S. per year. 

    Bill Whitaker: Have you made any arrests in the Las Vegas cases? 

    Bryan Vorndran: We’re not gonna talk about specific cases or specific companies.

    But he did point us toward the prime suspect. 

    Bryan Vorndran: When we talk about the actors behind some of the more recent ransomware attacks, the name that’s generally raised is Scattered Spider. And that’s a criminal group that we have a lot of attention on because of the havoc they’re wreaking across the United States.

    Scattered Spider is what the FBI calls a loose-knit web of predominantly native English-speaking hackers responsible for the casino hacks – and dozens more. Their specialty is social engineering.

    Allison Nixon: Part of their success is because they are fluent in Western culture. They know how our society works. They know what to say to get someone to do something. 

    Allison Nixon is chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals. She says Scattered Spider is just one of many illicit hacking groups — all part of a sprawling collection of online criminals calling themselves “the Community,” or “the Com.”

    Allison Nixon: The Com is a subculture. It is specifically an English-speaking youth subculture that has arisen in the past few years. It’s very new, but it’s surprisingly disruptive.

    Members of the Com have hacked into companies like Microsoft, Nvidia, and Electronic Arts.

    Bill Whitaker: How many people are involved? 

    Allison Nixon: Years ago, it was maybe a few hundred people. But since 2018 the population has exploded because of the money coming into these groups. And there’s thousands of people involved at this point.

    Bill Whitaker: How are they connected? 

    Allison Nixon: They connect over the internet. Social spaces where people hang out. Gaming servers. It’s almost analogous to like maybe the back alley where the bad kids hang out but on the internet.

    Bill Whitaker: How old are we talking about? 

    Allison Nixon: Males under the age of 25. 

    Bill Whitaker: Under 25 down to how young?

    Allison Nixon: Like 13, 14.

    Bill Whitaker: Involved in pulling off major crimes?

    Allison Nixon: Yeah. 

    Members communicate and post pictures on messaging apps like Telegram – their chatter, a toxic stew of racism, sexism… boasting about the money they’ve scammed, and how menacing they are. 

    Allison Nixon: There are these toxic online spaces where young people can socialize and mingle with criminals and gang members. And the end result of all of this is this online subculture has formed that glorifies crime, that measures one’s personal worth by how much harm they can cause the world. 

    Scattered Spider is one of the most sophisticated offshoots of “the Com.” Their criminal exploits caught the attention of cybersecurity companies… and other hackers… including the most notorious Russian ransomware gang, BlackCat. They saw the young native English-speaking Westerners as a force multiplier. Both claimed credit for the MGM attack.

    Allison Nixon: Historically speaking, Russian cyber criminals did not like working with Western cyber criminals. There was not only a language barrier, but also they kinda looked down on them and viewed them as unprofessional. 

    The Russian and Western hackers met in the shadowy corners of the dark web and now are powerful partners in crime. Scattered Spider uses its English and social engineering skills to break into Western companies’ networks. BlackCat provides its experience and its malware – used in some of the most shocking ransomware attacks. 

    …. including the 2021 attack on Colonial Pipeline, which caused gas shortages up and down the East Coast…  and this year’s attack on UnitedHealth Group, which disrupted pharmacies nationwide. The State Department is offering a $15 million reward for information on Russia’s BlackCat.

    Jon DiMaggio, a former analyst at the National Security Agency, now investigates ransomware as chief security strategist for the cybersecurity company Analyst1. 

    Jon DiMaggio: So there’s a term. It’s called “ransomware as a service,” that’s been given to the structure and the format of these gangs. 

    DiMaggio says “ransomware as a service” has taken the crime to a new level. The long-established Russian gangs, like BlackCat, offer their services – malware, experience negotiating ransoms and laundering money – to what they call “affiliates,” like Scattered Spider. 

    Jon DiMaggio: So in return, when a victim pays an extortion, the profit that comes from it is now shared amongst those criminals. 

    The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms… 24-hour service desks … even human resources to hire software developers. 

    Jon DiMaggio: There are people that specialize in developing malware and ransomware, and they’re in very high demand. 

    Bill Whitaker: You said you’ve gotten to know some of these people.

    Jon DiMaggio: Yes.

    Bill Whitaker: Are they mostly young men?

    Jon DiMaggio: The leadership are– are, you know, people in their 40s, late 30s. They’re people who’ve got experience. They’re people that have a financial background.

    DiMaggio says the Russian government provides a safe haven for ransomware gangs.

    Jon DiMaggio: As long as they don’t target, you know, an organization that falls within Russia or the former Soviet state, they don’t get prosecuted. It’s not considered a crime.

    Bill Whitaker: It’s not considered a crime to attack American businesses?

    Jon DiMaggio: It’s crazy, right? That’s– that’s how it works though.

    Bill Whitaker: So it’s like they operate with impunity.

    Jon DiMaggio: 100%. That’s the whole reason why this is such a popular crime.

    Russian ransomware has become such a threat…the elite cyber warriors at the National Security Agency have joined the fight. 

    Before retiring last month, Rob Joyce was NSA’s director of cybersecurity. He told us the Colonial Pipeline attack was a wake-up call.  

    Rob Joyce: It caused us to step back and decide that we had to put more resources into this foreign threat. So one of the things NSA has, we have hackers. And it really, at times, takes a hacker to defeat a hacker. That’s the value NSA can bring is, we can identify people, specific people involved in some of these activities.

    The NSA helped identify the Russian hacker responsible for the Colonial Pipeline attack. And in January 2022 – after months of negotiations – Russia arrested him and other accomplices. But five weeks later – it all came undone.

    Rob Joyce: Following the Ukraine invasion, those people were let outta jail.

    Bill Whitaker: So they’re back in business?

    Rob Joyce: Yes, sir.

    And now, they’ve teamed up with the young native English speakers of Scattered Spider. The FBI’s Bryan Vorndran calls it an evolution of cybercrime. 

    Bryan Vorndran: In the case of Scattered Spider, is it powerful that they are with BlackCat? Of course. I think that it’s important to know that we are against a very capable set of adversaries, they’re very good at their work. We’re also very good at our work. 

    In January, the Bureau arrested a 19-year-old from Florida, Noah Urban, charged with stealing cryptocurrency. He’s pleaded not guilty. Cyber investigators have tied him to Scattered Spider, but so far not to the casino heists. The Scattered Spider hackers who did pull off the attack are still online – hiding in plain sight – in unholy alliance with Russians. Allison Nixon calls Las Vegas a harbinger.  

    Allison Nixon: The level of cybercrime has risen to the point where it feels overwhelming. And every year it gets worse. And it feels like as defenders we’re– it’s almost like we’re winning every battle and losing the war.

    Produced by Graham Messick. Associate producer, Jack Weingart. Field associate producer, Eliza Costas. Broadcast associate, Mariah B. Campbell. Edited by Matthew Lev.

  • Minnesota National Guard goes global with cyber attack defense training

    ARDEN HILLS, Minn. — Minnesota’s National Guard is capitalizing on one of its longest-standing partnerships in an entirely new way this weekend.

    As the guard goes through bi-annual cyber defense training, it’s welcoming in members of the Norwegian Armed Forces – expanding on a relationship that’s lasted for more than a half-century.

    “These exercises are incredibly important for us to keep our skills technically sharp, but the other part is being the first time the Norwegians have come to train with us, is the communication and the intractability,” said Lt. Kai Pederson of the Minnesota National Guard. “If we’re going to respond to something with our allies, especially our NATO allies, we need to know how each other operate.”

    The weekend’s training focused on analyzing and solving a hypothetical scenario stemming from a cyber attack.

    “We’re playing the role of a team that has been called in to help defend a network that’s under attack,” said Major Peter Kapelanski of the Minnesota National Guard. “It’s been very interesting working with the Norwegians. Some of the things we do are very similar.”

    “We’re really eager to learn the Americans,” said Markus Holmby of Norway. “(To see) how they work and what they can do.”

    Holmby says his group, three in total, plans to try a jucy lucy during their first ever trip to Minnesota. He says they also paid a visit to the Mall of America.

    “We came here and everyone was like, ‘You’re a big deal,’ and we were like, ‘Oh wow,’” he said.

    In 2023, Minnesota’s National Guard signed a state partnership agreement with Norway, paving the path to expand military relationships with the NATO partner.

    Adam Duxter

  • Health care providers may be losing up to $100 million a day from cyberattack. A doctor shares the latest

    Last month’s suspected ransomware attack on a major health technology company has sent the health care system reeling — costing providers an estimated $100 million daily as payment disruptions continue, according to an estimate from First Health Advisory, a digital health risk assurance firm.

    “This is by far the biggest ever cybersecurity attack on the American healthcare system ever,” Dr. Céline Gounder, a CBS News medical contributor and editor-at-large for public health at KFF Health News, said Tuesday. “This is a system, Change Healthcare, that processes medical payments and touches one out of every three patients in this country. So the magnitude of the scope of this attack is really quite large.”

    Change Healthcare is a Tennessee-based company, part of the health services provider Optum, Inc. and owned by the massive conglomerate UnitedHealth Group. It first reported experiencing company-wide connectivity problems in February. 

    Here’s what else to know: 

    What is the attack impacting? 

    Gounder says providers are facing numerous challenges due to the cyberattack, including impacts to a provider’s ability to bill and process things like prior authorizations.

    “Can you get those medications? Can you get an estimate, say, on a surgery that you want to schedule? What is that going to look like in terms of your insurance coverage, and so on. All of those kinds of things are being affected,” she said.

    It’s also affecting patients’ ability to fill their prescriptions at some hospitals.

    “Here, for example, we’re only able to give some patients only two weeks of refill,” Gounder said. “So it means that they may need to come back over and over again. And some patients are even having to pay out of pocket for their refills.”

    Is the government doing anything to help?

    On March 5, almost two weeks after Change Healthcare first reported what it initially called a cybersecurity “issue,” the U.S. Department of Health and Human Services announced several assistance programs for health providers affected.

    “The government is trying to create some supports for health care systems — not directly supporting patients, but the systems,” Gounder explains. “This is because without revenue coming in through the billing process, you don’t have money to make payroll to be able to pay your doctors and your nurses and your janitors and all the staff that you need to run a health care system.”

    It’s also interfering with the ability to order needed medications and supplies, she adds.

    “So the idea is to try to help support health care systems through this, but especially Medicaid providers, those who have less of a buffer, so to speak, financially — they’re really in deep trouble here,” Gounder said.

    HHS Secretary Xavier Becerra, White House domestic policy chief Neera Tanden and other administration officials met Tuesday with UnitedHealth CEO Andrew Witty and urged him to take more steps to stabilize the U.S. health system amid the payment crisis, two sources briefed on the meeting told CBS News.

    Officials encouraged UnitedHealth and other insurers in attendance to account for premiums that they’re collecting from patients but not paying out to health care providers, as unpaid bills pile up for hospitals, medical practices and pharmacies nationwide. 

    Doesn’t HIPAA protect health information?

    While there are tight controls around patient records, Gounder says there are potential loopholes hackers could exploit. For example, a medical device connected to the hospital’s internet or an HVAC system could be vulnerable.

    “Those provide backdoors to enter and hack the internet system of a health care system,” Gounder explains. 

    –Nicole Sganga contributed reporting.


  • Biden team, UnitedHealth struggle to restore paralyzed billing systems after cyberattack


    Margaret Parsons, one of three dermatologists at a 20-person practice in Sacramento, California, is in a bind.

    Since a Feb. 21 cyberattack on a previously obscure medical payment processing company, Change Healthcare, Parsons said, she and her colleagues haven’t been able to electronically bill for their services.

    She heard Noridian Healthcare Solutions, California’s Medicare payment processor, was not accepting paper claims as of earlier this week, she said. And paper claims can take three to six months to result in payment anyway, she estimated.

    “We will be in trouble in very short order, and are very stressed,” she said in an interview with KFF Health News.

    A California Medical Association spokesperson said March 7 that the Centers for Medicare and Medicaid Services had agreed in a meeting to encourage payment processors like Noridian to accept paper claims. A Noridian spokesperson referred questions to CMS.

    The American Hospital Association calls the suspected ransomware attack on Change Healthcare, a unit of insurance giant UnitedHealth Group’s Optum division, “the most significant and consequential incident of its kind against the U.S. health care system in history.” While doctors’ practices, hospital systems and pharmacies struggle to find workarounds, the attack is exposing the health system’s broad vulnerability to hackers, as well as shortcomings in the Biden administration’s response.

    To date, government has relied on more voluntary standards to protect the health care system’s networks, Beau Woods, a co-founder of the cyber advocacy group I Am The Cavalry, said. But “the purely optional, do-this-out-of-the-goodness-of-your-heart model clearly is not working,” he said. The federal government needs to devote greater funding, and more focus, to the problem, he said.

    The crisis will take time to resolve. Comparing the Change attack to others against parts of the health care system, “we have seen it generally takes a minimum of 30 days to restore core systems,” said John Riggi, the hospital association’s national adviser on cybersecurity.

    In a March 7 statement, UnitedHealth Group said two services — related to electronic payments and medical claims — would be restored later in the month. “While we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established,” the company said.

    “We’re determined to make this right as fast as possible,” said company CEO Andrew Witty.

    Providers and patients are meanwhile paying the price. Reports of people paying out-of-pocket to fill vital prescriptions have been common. Independent physician practices are particularly vulnerable.

    “How can you pay staff, supplies, malpractice insurance — all this — without revenue?” said Stephen Sisselman, an independent primary care physician on Long Island in New York. “It’s impossible.”

    Jackson Health System, in Miami-Dade County, Florida, may miss out on as much as $30 million in payments if the outage lasts a month, said Myriam Torres, its chief revenue officer. Some insurers have offered to mail paper checks.

    Relief programs announced by both UnitedHealth and the federal government have been criticized by health providers, especially hospitals. Sisselman said Optum offered his practice, which he said has revenue of hundreds of thousands of dollars a month, a loan of $540 a week. Other providers and hospitals interviewed by KFF Health News said their offers from the insurer were similarly paltry.

    In its March 7 statement, the company said it would offer new financing options to providers.

    Providers pressure government to act

    On March 5, almost two weeks after Change first reported what it initially called a cybersecurity “issue,” the Health and Human Services Department announced several assistance programs for health providers.

    One recommendation is for insurers to advance payments for Medicare claims — similar to a program that aided health systems early in the pandemic. But physicians and others are worried that would help only hospitals, not independent practices or providers.

    Anders Gilberg, a lobbyist with the Medical Group Management Association, which represents physician practices, posted on X, formerly known as Twitter, that the government “must require its contractors to extend the availability of accelerated payments to physician practices in a similar manner to which they are being offered to hospitals.”

    HHS spokesperson Jeff Nesbit said the administration “recognizes the impact” of the attack and is “actively looking at their authority to help support these critical providers at this time and working with states to do the same.” He said Medicare is pressing UnitedHealth Group to “offer better options for interim payments to providers.”

    Another idea from the federal government is to encourage providers to switch vendors away from Change. Sisselman said he hoped to start submitting claims through a new vendor within 24 to 48 hours. But it’s not a practicable solution for everyone.

    Torres said suggestions from UnitedHealth and regulators that providers change clearinghouses, file paper claims, or expedite payments are not helping.

    “It’s highly unrealistic,” she said of the advice. “If you’ve got their claims processing tool, there’s nothing you can do.”

    Mary Mayhew, president of the Florida Hospital Association, said her members have built up sophisticated systems reliant on Change Healthcare. Switching processes could take 90 days — during which they’ll be without cash flow, she said. “It’s not like flipping a switch.”

    Nesbit acknowledged switching clearinghouses is difficult, “but the first priority should be resuming full claims flow,” he said. Medicare has directed its contractors and advised insurers to ease such changes, he added.

    Health care leaders including state Medicaid directors have called on the Biden administration to treat the Change attack similarly to the pandemic — a threat to the health system so severe that it demands extraordinary flexibility on the part of government insurance programs and regulators.

    Beyond the money matters — critical as they are — providers and others say they lack basic information about the attack. UnitedHealth Group and the American Hospital Association have held calls and published releases about the incident; nevertheless, many still feel they’re in the dark.

    Riggi of the AHA wants more information from UnitedHealth Group. He said it’s reasonable for the conglomerate to keep some information closely held, for example if it’s not verified or to assist law enforcement. But hospitals would like to know how the breach was perpetrated so they can reinforce their own defenses.

    “The sector is clamoring for more information, ultimately to protect their own organizations,” he said.

    Rumors have proliferated.

    “It gets a little rough: Any given day you’re going to have to pick and choose who to believe,” Saad Chaudhry, an executive at Maryland hospital system Luminis Health, told KFF Health News. “Do you believe these thieves? Do you believe the organization itself, that has everything riding on their public image, who have incentives to minimize this kind of thing?”

    What happens next?

    Wired Magazine reported that someone paid the ransomware gang believed to be behind the attack $22 million in bitcoin. If that was indeed a ransom intended to resolve some aspect of the breach, it’s a bonanza for hackers.

    Cybersecurity experts say some hospitals that have suffered attacks have faced ransom demands for as little as $10,000 and as much as $10 million. A large payment to the Change hackers could incentivize more attacks.

    “When there’s gold in the hills, there’s a gold rush,” said Josh Corman, another co-founder of I Am The Cavalry and a former federal cybersecurity official.

    Longer-term, the attack intensifies questions about how the private companies that comprise the U.S. health system and the government that regulates them are defending against cyberthreats. Attacks have been common: Thieves and hackers, often believed to be sponsored or harbored by countries like Russia and North Korea, have knocked down systems in the United Kingdom’s National Health Service, pharma giants like Merck and numerous hospitals.

    The FBI reported 249 ransomware attacks against health care and public health organizations in 2023, but Corman believes the number is higher.

    But federal efforts to protect the health system are a patchwork, according to cybersecurity experts. While it’s not yet clear how Change was hacked, experts have warned a breach can occur through a phishing link in an email or more exotic pathways. That means regulators need to consider hardening all kinds of products.

    One example of the slow-at-best efforts to mend these defenses concerns medical devices. Devices with outdated software could provide a pathway for hackers to get into a hospital network or simply degrade its functioning.

    The FDA recently gained more authority to assess medical devices’ digital defenses and issue safety communications about them. But that doesn’t mean vulnerable machines will be removed from hospitals. Products often linger because they’re expensive to take out of service or replace.

    Senator Mark Warner (D-Va.) has previously proposed a “Cash for Clunkers”-type program to pay hospitals to update the cybersecurity of their old medical devices, but it was “never seriously pursued,” Warner spokesperson Rachel Cohen said. Riggi said such a program might make sense, depending on how it’s implemented.

    Weaknesses in the system are widespread and often don’t occur to policymakers immediately. Even something as prosaic as a heating and air conditioning system can, if connected to a hospital’s internet network, be hacked and allow the institution to be breached.

    But erecting more defenses requires more people and resources — which often aren’t available. In 2017, Woods and Corman assisted on an HHS report surveying the digital readiness of the health care sector. As part of their research, they found a slice of wealthier hospitals had the information technology staff and resources to defend their systems — but the vast majority had no dedicated security staff. Corman calls them “target-rich but cyber-poor.”

    “The desire is there. They understand the importance,” Riggi said. “The issue is the resources.”

    HHS has proposed requiring minimum cyberdefenses for hospitals to participate in Medicare, a vital source of revenue for the entire industry. But Riggi says the AHA won’t support it.

    “We oppose unfunded mandates and oppose the use of such a harsh penalty,” he said.

    This article was produced by KFF Health News, formerly known as Kaiser Health News (KHN), a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF — the independent source for health policy research, polling, and journalism. KFF Health News is the publisher of California Healthline, an editorially independent service of the California Health Care Foundation.


  • Cyberattack on UnitedHealth still impacting prescription access:


    Washington — A cyberattack on the health technology provider Change Healthcare is wreaking havoc nationwide, as some hospitals and pharmacies cannot get paid, and many patients are unable to get prescriptions.

    Change Healthcare is a subsidiary of the UnitedHealth Group, one of the nation’s largest healthcare companies. In a federal filing this week, UnitedHealth said that Change Healthcare first discovered the hack on Feb. 21, disconnecting impacted systems “immediately.”

    “So I mean we’ve seen a lot of claims coming through as a rejected claim, where obviously the insurance provider are not able to pay because of this attack,” said Amrish Patel, a pharmacist in Dallas, Texas. “Elderly patients that have a fixed income, and they’re trying to get their medicine…unfortunately there’s no way around it at this point.”

    Change Healthcare says it processes 15 billion transactions annually, touching one in three U.S. patient records.

    “I can tell you that this cyberattack has affected every hospital in the country one way or another,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.

    “It’s not a data crime, it’s not a white-collar crime, these are threats to life,” Riggi added.
     
    In a since-deleted post on the dark web, a Russian-speaking ransomware group known as Blackcat claimed responsibility, alleging they stole more than six terabytes of data, including “sensitive” medical records.

    “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” UnitedHealth told CBS News in a statement Thursday of Blackcat’s claim. “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems.” 

    UnitedHealth added that its investigation has so far provided “no indication” that the systems of its other subsidiaries — Optum, UnitedHealthcare and UnitedHealth Group — “have been affected by this issue.” 
     
    Change Healthcare says it has established workarounds for payment, but more than one week after the hack was first detected, systems remain down, creating billing headaches for hospitals and pharmacies. Smaller hospitals are particularly vulnerable.

    “The smaller, less resourced hospitals, our safety net critical access rural hospitals, certainly do not operate with months of cash reserves,” Riggi said. “Could be just a matter of days, or a couple of weeks.”

    In a previous statement Wednesday, UnitedHealth estimated that more than 90% of the nation’s pharmacies “have modified electronic claim processing to mitigate impacts” of the cyberattack, and “the remainder have offline processing workarounds.”

    UnitedHealth has not provided an estimate on when it believes its systems will return to normal. The FBI is also investigating. 


  • Oakley, Pleasant Hill targeted by cyberattacks on same day


    Two cities in Contra Costa County were on the receiving end of cyberattacks on the same day.

    As city officials in Oakley and Pleasant Hill investigate what took place, cybersecurity experts say it’s a threat that cities must prepare for.

    Professor Levant Artul, the department chair of computer sciences at Cal State East Bay, expressed his concerns following Thursday’s ransomware attack on the city of Oakley.

    “Local governments are pretty small and they lack of resources and they lack of security planning for these systems,” he said.

    There is a local state of emergency in place for Oakley. While the attack did not impact emergency services, the city said people should expect delays for non-emergency services while services are restored.

    Danielle Navarro, assistant manager for the city of Oakley, released the following statement on Friday:

    “The city of Oakley team continues to perform an extensive analysis of the ransomware attack that began yesterday. The city’s network remains offline at this time as city departments develop plans to continue to provide services safely to the public. We are committed to being as transparent as we can without compromising the investigation.”

    Meanwhile in Pleasant Hill, they were also dealing with a cyberattack on Thursday.

    It’s not clear if the two incidents are related, but police said the one in Pleasant Hill also targeted the city’s infrastructure. They added that it was spotted quickly and isolated and didn’t cause any damage or delay to city services or public safety.

    As for the future of cyberattacks, Artul believes the time is now for cities to get prepared.

    “They have to train people but most importantly before anything else, they have to back up their data. They don’t have to keep data in one place,” he said.

    Pete Suratos

  • UnitedHealth says Change Healthcare hacked by nation state, as pharmacy outages drag on | TechCrunch


    U.S. health insurance giant UnitedHealth Group said Thursday in a filing with government regulators that its subsidiary Change Healthcare was compromised likely by government-backed hackers.

    In a filing Thursday, UHG blamed the ongoing cybersecurity incident affecting Change Healthcare on suspected nation state hackers but said it had no timeframe for when its systems would be back online.

    UHG did not attribute the cyberattack to a specific nation or government, or cite what evidence it had to support its claim.

    A company spokesperson did not respond to a request for comment at the time of writing.

    Change Healthcare provides patient billing across the U.S. healthcare system. The company processes billions of healthcare transactions annually and claims it handles around one-in-three U.S. patient records, amounting to around a hundred million Americans.

    The cyberattack began early Wednesday, according to the company’s incident tracker.

    Change Healthcare has not yet disclosed the specific nature of its cyberattack.

    Pharmacies across the U.S. are reporting that they are unable to fulfill prescriptions through patients’ insurance due to the ongoing outage at Change Healthcare, which handles much of the billing process.

    Several people who work in the healthcare space and whose work is affected by the outage tell TechCrunch that they are experiencing downtime because of the ongoing cyberattack.

    UHG said in its filing that it has “retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies.”

    Zack Whittaker

  • Notorious ransomware provider LockBit taken over by law enforcement


    Washington — A ransomware service provider that has targeted over 2,000 systems across the globe, including hospitals in the U.S., with demands for hundreds of millions of dollars was taken down Monday, and Russian nationals were charged as part of an international plot to deploy the malicious software, the Justice Department announced Tuesday. 

    Known as LockBit, the network of cybercriminals targets critical components of manufacturing, healthcare and logistics across the globe, offering its services to hackers who deploy its malware into vulnerable systems and hold them hostage until a ransom is paid. The attackers have so far extorted more than $120 million from their victims, officials said, and their program has evolved into one of the most notorious and active.

    As part of this week’s operation, the FBI and its law enforcement partners in the United Kingdom seized numerous public-facing platforms where cybercriminals could initiate contact with and join LockBit. Investigators also seized two servers in the U.S. that were used to transfer stolen victim data. 

    The front page of LockBit’s site has been replaced with the words “this site is now under control of law enforcement,” alongside the flags of the U.K., the U.S. and several other nations, the Associated Press noted.

    A screenshot from Feb. 19, 2024 shows a take down notice that a group of global intelligence agencies issued to a dark web site called Lockbit.

    Handout via Reuters


    According to Attorney General Merrick Garland, the U.S. and its allies went “a step further” by obtaining the “keys” that can unlock attacked computer systems to help victims “regain access to their data,” releasing them from having to pay a ransom. The move could help hundreds of victims worldwide. 

    Two Russian nationals who allegedly used LockBit’s ransomware against companies across the U.S. — in Oregon, New York, Florida and Puerto Rico — were also indicted in New Jersey as part of the Justice Department’s latest play against the group. 

    Artur Sungatov and Ivan Kondratyev joined a growing number of defendants accused by federal prosecutors of attacking American institutions as part of the LockBit scheme. A total of five have now been charged, including an individual who allegedly targeted Washington, D.C.’s police force. 

    LockBit was the most commonly used version of ransomware in 2022, according to a joint cybersecurity advisory published by the FBI and the Cybersecurity and Infrastructure Security Agency last year, and targeted an “array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.” 

    The LockBit network was first seen on Russian-speaking cybercrime platforms in 2020 and continued to evolve and grow, targeting computer platforms and various operating systems. By 2022, 16% of ransomware attacks in the U.S. were deployed by the LockBit group, according to the advisory. 

    Criminals conventionally gain access to vulnerable systems through phishing emails or when users visit an infected site while browsing the internet. And U.S. officials consistently warn users to avoid paying ransoms and instead contact law enforcement.

    Federal investigators have recently developed a new approach to combat ransomware attacks that can be both costly to victims and damaging to the normal functioning of society: arming victims with the tools necessary to counter a malware attack. 

    Similar to the LockBit operation, in July 2022, the FBI toppled an international ransomware group called Hive and collected decryption keys for the computer networks it had breached to conduct what officials called a “21st-century high-tech cyber stakeout.” FBI agents then distributed the keys to the victims whose networks were being ransomed.

    And in August, investigators took down a criminal network known as the Qakbot botnet — a grouping of computers infected by a malware program that was used to carry out cyberattacks. Law enforcement gained access to the QakBot infrastructure and “redirected” the cyber activity to servers controlled by U.S. investigators, who were then able to inject the malware with a program that released the victim computer from the botnet, freeing it of the malicious host. 

    Victims of LockBit attacks are encouraged to contact the FBI for further assistance. 


  • Pennsylvania Courts’ website down due to cyberattack


    PENNSYLVANIA (WPVI) — Portions of the Pennsylvania Courts’ website went down on Sunday night due to a denial of service cyberattack, officials say.

    The courts released a statement saying, “At this time, there is no indication that any court data was compromised, and the courts will remain open and accessible to the public.”

    A denial of service cyberattack occurs when someone floods the network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users, officials say.

    “Our court information technology and executive team is working closely with law enforcement, including the CISA, the U.S. Department of Homeland Security, and the F.B.I to investigate the incident,” Chief Justice of Pennsylvania Debra Todd said in a statement.

    The cyberattack is impacting court web services including PACFile, the use of online docket sheets, PAePay, and the Guardianship Tracking System.

    Copyright © 2024 WPVI-TV. All Rights Reserved.

    6abc Digital Staff

  • FBI Director Chris Wray warns Congress that Chinese hackers targeting U.S. infrastructure as U.S. disrupts foreign botnet


    Washington — Hackers backed by the Chinese government are targeting U.S. water treatment plants and electrical grids, strategically positioning themselves within critical infrastructure systems to “wreak havoc and cause real-world harm to American citizens and communities,” FBI Director Christopher Wray told Congress Wednesday. 

    “There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure,” Wray warned the House Select Committee on the Chinese Communist Party, according to excerpts of his remarks obtained by CBS News. “The risk that poses to every American requires our attention — now.” 

    The head of the FBI and other national security officials — including Jen Easterly, who leads the Cybersecurity and Infrastructure Security Agency — are testifying at a congressional hearing focused on the cybersecurity threat posed by China’s government. 

    Wray told Congress that much of the framework upon which Americans rely for daily tasks, like oil and natural gas pipelines and transportation systems, is vulnerable to a cyberattack by hackers supported by China’s ruling party. 

    FBI Director, Christopher Wray, testifies during a Congressional full committee hearing on the “The CCP [Chinese Communist Party] Cyber Threat to the American Homeland and National Security” in Washington, DC, January 31, 2024.

    JULIA NIKHINSON/AFP via Getty Images


    The Justice Department and FBI announced Wednesday that they’ve disrupted the hacking operation known as “Volt Typhoon,”  a China-backed hacking operation that officials said targeted critical infrastructure in the U.S. and other nations. 

    Researchers at Microsoft previously determined that the operation, active since mid-2021, “could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

    U.S. investigators obtained a court order to delete the botnet malware on infected routers and later took measures to prevent future reinfection. Remotely disabling hackers behind cyberattacks as they did in this case is a new weapon in the U.S. government’s cyber defense arsenal.

    Volt Typhoon utilizes botnets – networks of infected internet-connected devices that can be used to bring down sensitive targets. Typically, initial access is gained through unsecured home routers or modems. 

    “Through the course of an investigation, the FBI determined the best action was to conduct a technical operation to decisively neutralize the botnet in a timely and coordinated manner,” the senior FBI official said, “curtailing the PRC’s ability to further target U.S. entities.” 

    “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people,” Attorney General Merrick Garland said in a statement Wednesday.

    Activity by the China-based hacking group reportedly alarmed U.S. officials, given its proximity to Andersen Air Force Base in Guam. China has ramped up its military activities near the island in recent years in response to what Beijing claims is “collusion” between Taiwan and the U.S.

    The naval port in Guam would play a critically important role in launching any U.S. military response in the event of a Taiwanese invasion. Microsoft noted at the time that Chinese intelligence and military hackers routinely prioritize espionage and the gathering of information.

    Last week, senior officials from the National Security Agency (NSA) warned that part of the PRC’s strategy behind Volt Typhoon could be to distract the U.S. in the event of conflict over Taiwan. 

    “This is unique in that it’s prepositioning on critical infrastructure, on military networks, to be able to deliver effects at the time and place of their choosing so that they can disrupt our ability to support military activities or to distract us, to get us to focus on a domestic incident at a time when something’s flaring up in a different part of the world,” said Rob Joyce, cybersecurity director at NSA, adding that the PRC doesn’t “want us facing the foreign aspects of that.”

    “[T]he reason it’s a whole-of-government effort is because every sector, potentially, is being targeted and impacted and we really have to be all in unison on how we’re doing mitigation,” added Morgan Adamski, chief of the NSA’s Cybersecurity Collaboration Center, which works with private sector companies to detect and prevent cyber threats.

    Joyce said efforts were ongoing across the government to convince China’s leadership that civilian targets should be out of bounds.     

    “We have to get to the point where PRC leadership decides that the embarrassment in the international community of being caught at this, the horror of the international community that somebody would hold civilians at risk with cyber is intolerable,” he said. 

    Earlier this month, the FBI and CISA also pushed out a new alert, warning that Chinese-manufactured drones, or UAS, pose a “significant risk” to critical infrastructure and U.S. national security.

    “The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities, jeopardizing U.S. national security, economic security, and public health and safety,” the bulletin read.

    Other top public officials, like Attorney General Merrick Garland, have also warned of the threat China’s government poses to Americans’ well being, economic prosperity and innovation. In the last year, the Justice Department has announced novel cases calling out Chinese chemical companies for aiding the fentanyl epidemic and secret Chinese police stations working to quiet Chinese dissidents living in the U.S. 

    “Today, and literally every day, they’re actively attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data,” Wray told Congress Wednesday. “They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents.” 

    Last year, the Justice Department launched the Disruptive Technology Strike Force to target rival nations like China that seek to use American high-tech advances to undermine national security and upset the rule of law.  

    U.S. officials are paying more attention to how foreign adversaries try to use investments to gain access to American technology and data. In announcing the department’s new initiative last February, Deputy Attorney General Lisa Monaco said the Biden administration is looking at options to enable federal regulators to monitor the flow of American money into foreign tech sectors, while making sure those funds do not advance the national security interests of other nations, including China. 


  • LoanDepot says 16.6 million customers had 'sensitive personal' information stolen in cyberattack | TechCrunch


    About 16.6 million LoanDepot customers had their “sensitive personal” information stolen in a cyberattack earlier this month, which the loan and mortgage giant has described as ransomware.

    The loan company said in a filing with federal regulators on Monday that it would notify the affected customers of the data breach.

    LoanDepot did not say what kind of sensitive and personal customer data was stolen. When reached by email, LoanDepot spokesperson Jonathan Fine declined to tell TechCrunch what specific types of customer data were taken.

    While LoanDepot says on its cyber incident updates page that it has brought some customer portals back online, many of its online services remain inaccessible into their second week. LoanDepot chief executive Frank Martell said in the filing that the company is making progress in “quickly bringing our systems back online and restoring normal business operations.”

    Customers have said they have been unable to make payments or access their online accounts since the incident, which began around January 8.

    LoanDepot said it has “not yet determined” whether the cybersecurity incident will materially impact the company’s financial condition.



    Zack Whittaker


  • It's not all doom and gloom: When cybersecurity gave us hope in 2023 | TechCrunch


    A funny — but true — joke at TechCrunch is that the security desk might as well be called the Department of Bad News, since, well, have you seen what we’ve covered of late? There is a never-ending supply of devastating breaches, pervasive surveillance and dodgy startups flogging the downright dangerous.

    Sometimes though — albeit rarely — there are glimmers of hope that we want to share. Not least because doing the right thing, even (and especially) in the face of adversity, helps make the cyber-realm that little bit safer.

    Bangladesh thanked a security researcher for citizen data leak discovery

    When a security researcher found that a Bangladeshi government website was leaking the personal information of its citizens, clearly something was amiss. Viktor Markopoulos found the exposed data thanks to an inadvertently cached Google search result, which exposed citizen names, addresses, phone numbers and national identity numbers from the affected website. TechCrunch verified that the Bangladeshi government website was leaking data, but efforts to alert the government department were initially met with silence. The data was so sensitive, TechCrunch could not say which government department was leaking the data, as this might expose the data further.

    That’s when the country’s computer emergency incident response team, also known as CIRT, got in touch and confirmed the leaking database had been fixed. The data was spilling from none other than the country’s birth, death and marriage registrar office. CIRT confirmed in a public notice that it had resolved the data spill and that it left “no stone unturned” to understand how the leak happened. Governments seldom handle their scandals well, but an email from the government to the researcher thanking them for their finding and reporting the bug shows the government’s willingness to engage over cybersecurity where many other countries will not.

    Apple throwing the kitchen sink at its spyware problem

    It’s been more than a decade since Apple dropped its now-infamous claim that Macs don’t get PC viruses (which while technically true, those words have plagued the company for years). These days the most pressing threat to Apple devices is commercial spyware, developed by private companies and sold to governments, which can punch a hole in our phones’ security defenses and steal our data. It takes courage to admit a problem, but Apple did exactly that by rolling out Rapid Security Response fixes to fix security bugs actively exploited by spyware makers.

    Apple rolled out its first emergency “hotfix” earlier this year to iPhones, iPads and Macs. The idea was to roll out critical patches that could be installed without always having to reboot the device (arguably the pain point for the security-minded). Apple also has a setting called Lockdown Mode, which limits certain device features on an Apple device that are typically targeted by spyware. Apple says it’s not aware of anyone using Lockdown Mode who was subsequently hacked. In fact, security researchers say that Lockdown Mode has actively blocked ongoing targeted hacks.

    Taiwan’s government didn’t blink before intervening after corporate data leak

    When a security researcher told TechCrunch that a ridesharing service called iRent — run by Taiwanese automotive giant Hotai Motors — was spilling real-time updating customer data to the internet, it seemed like a simple fix. But after a week of emailing the company to resolve the ongoing data spill — which included customer names, cell phone numbers and email addresses, and scans of customer licenses — TechCrunch never heard back. It wasn’t until we contacted the Taiwanese government for help disclosing the incident that we got a response immediately.

    Within an hour of contacting the government, Taiwan’s minister for digital affairs Audrey Tang told TechCrunch by email that the exposed database had been flagged with Taiwan’s computer emergency incident response team, TWCERT, and was pulled offline. The speed at which the Taiwanese government responded was breathtakingly fast, but that wasn’t the end of it. Taiwan subsequently fined Hotai Motors for failing to protect the data of more than 400,000 customers, and ordered the company to improve its cybersecurity. In its aftermath, Taiwan’s vice premier Cheng Wen-tsan said the fine of about $6,600 was “too light” and proposed a change to the law that would increase data breach fines tenfold.

    Leaky U.S. court record systems sparked the right kind of alarm

    At the heart of any judicial system is its court records system, the tech stack used for submitting and storing sensitive legal documents for court cases. These systems are often online and searchable, while restricting access to files that could otherwise jeopardize an ongoing proceeding. But when security researcher Jason Parker found several court record systems with incredibly simple bugs that were exploitable using only a web browser, Parker knew they had to see that these bugs were fixed.

    Parker found and disclosed eight security vulnerabilities in court records systems used in five U.S. states — and that was just in their first batch disclosure. Some of the flaws were fixed and some remain outstanding, and the responses from states were mixed. Florida’s Lee County took the heavy-handed (and self-owning) position of threatening the security researcher with Florida’s anti-hacking laws. But the disclosures also sent the right kind of alarm. Several state CISOs and officials responsible for court records systems across the U.S. saw the disclosure as an opportunity to inspect their own court record systems for vulnerabilities. Govtech is broken (and is desperately underserved), but having researchers like Parker finding and disclosing must-patch flaws makes the internet safer — and the judicial system fairer — for everyone.

    Google killed geofence warrants, even if it was better late than never

    It was Google’s greed driven by ads and perpetual growth that set the stage for geofence warrants. These so-called “reverse” search warrants allow police and government agencies to dumpster dive into Google’s vast stores of users’ location data to see if anyone was in the vicinity at the time a crime was committed. But the constitutionality (and accuracy) of these reverse warrants has been called into question and critics have called on Google to put an end to the surveillance practice it largely created to begin with. And then, just before the holiday season, the gift of privacy: Google said it would begin storing location data on users’ devices and not centrally, effectively ending the ability for police to obtain real-time location from its servers.

    Google’s move is not a panacea, and doesn’t undo the years of damage (or stop police from raiding historical data stored by Google). But it might nudge other companies also subject to these kinds of reverse-search warrants — hello Microsoft, Snap, Uber and Yahoo (TechCrunch’s parent company) — to follow suit and stop storing users’ sensitive data in a way that makes it accessible to government demands.


    Zack Whittaker


  • 11/29: CBS Evening News


    11/29: CBS Evening News – CBS News





    More Hamas-held hostages released, but cease-fire deadline nears; Frances Sternhagen, actress known for “Cheers” and “ER,” dies at 93


  • Latest hospital cyberattack shows how health care systems’ vulnerability can put patients at risk


    Tulsa, Oklahoma — Annie Wolf’s open-heart surgery was just two days away when the Hillcrest Medical Center in Tulsa, Oklahoma, called, informing her that her procedure had been postponed after a major ransomware attack.

    “I’ve got a hole in my mitral valve, and basically walking around, I can’t breathe,” Wolf told CBS News. “And I get very fatigued, very tired, very quickly. If I go to the store, I’ve got to ride the scooter.”

    Wolf is just one of the patients impacted after Ardent Health Services says it became aware of the cyber breach on Thanksgiving day affecting 30 hospitals and more than 200 health care sites across six states.

    J.D. Bloomer has had an annual cancer check since he was diagnosed in 2008. However, the cyberattack turned his routine visit at the University of Kansas Healthcare System St. Francis campus in Topeka into a scheduling headache.

    “They informed me that my procedure for tomorrow had been canceled,” Bloomer told CBS News. “…I said, ‘OK, when will be rescheduling?’ And she said, ‘When the network returns.’”

    In a statement, Ardent said it immediately began safeguarding confidential patient data, and protectively took its computer network offline, which required some facilities, including two in New Jersey, to divert ambulances to nearby medical centers.

    Ardent said that “in an abundance of caution, our facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals.”

    Ardent has not announced a timeline for when the issue could be resolved.

    According to the Institute for Security and Technology, at least 299 hospitals have suffered ransomware attacks in 2023.

    “Well, I think, there’s always the concern of loss of life,” Kiersten Todt, former chief of staff at the Cybersecurity and Infrastructure Security Agency, said about the impact on the 911 infrastructure when a hospital system is crippled by a cyberattack. 

    Dr. Christian Demef, co-director of the UC San Diego Center for Healthcare Security, is a hacker turned emergency room physician who saw firsthand how a ransomware attack impacted his San Diego hospital after a 2021 hack crippled a nearby facility.  

    “We saw three times the number of ambulances one day than we ever had before because of a ransomware attack in our community,” Demef said. 

    “Life-threatening time-sensitive medical conditions like stroke, trauma, heart attacks, all of these minutes truly matter,” he added. “And when these systems are down, we can’t do our job effectively.”

    “Malicious actors want to make money off of it,” Todt said.

    “It absolutely is” motivated by profit, according to Todt. “It’s an economic model. The tragedy is that it’s an economic model that…happens to capitalize on an infrastructure that is responsible for human lives.”


  • Latest hospital cyberattack shows health care systems’ vulnerability


    Latest hospital cyberattack shows health care systems’ vulnerability – CBS News





    On Thanksgiving Day, Ardent Health Services was forced to put its network offline after a cyber breach affected 30 hospitals and more than 200 health care sites in six states. Nicole Sganga has more.
