In May of 2019, medical testing company, Quest Diagnostics had their second data breach in three years, where 11.9 million customer’s personal information was compromised. The breach likely came through their third-party billing system, the American Medical Collection Agency (AMCA). The data compromise included customer’s medical and financial information, which contains social security numbers, credit card numbers, and bank information. The breach surfaced on May 19, when researchers found payment card details for 200,000 of Quest Diagnostics patients for sale on the dark web.
Then, on June 6th, LabCorp, a competitor of Quest Diagnostics, announced its own breach of nearly 7.7 million records and noted it was related to the same AMCA website that Quest reported. That’s a total of 19.6 million financial and medical records suspected breached.
What may have happened…
The data breach likely came through the third-party vendor, the American Medical Collection Agency. The AMCA provides services to Optum360, a Quest billing contractor. Quest reported that they believe that the unauthorized activity took place on the “ACMA’s web payment page”, which may suggest that the intrusion came through skimming. Skimming on the Internet happens by someone maliciously injecting malware onto a website’s payment pages. This has happened many times in the past by a group that goes by the name of Magecart. Magecart is a group of hackers who are known for having stealthy and creative ways to inject malware onto webpages that is difficult to detect. Magecart was behind many high-profile breaches in the past including British Airways and TicketMaster.
There are three ways skimming typically occurs on a website: Keylogging, sniffing form submissions, and form jacking. All three steal information in different ways, but they all produce the same result. They all convince your browser to send your critical data (Credit Card for example) entered into the payment web page back to hackers without your knowledge.
Mitigating Controls for Web Applications:
There are a few ways companies can prevent something like this from happening to them. First, they could implement data encryption; encrypted data is useless to hackers as this data is unreadable without the decryption key. Secondly, they could perform regular risk web application assessments and scan for vulnerabilities, identify risk sources, and remediate them in a timely fashion. Thirdly, they could add another layer of protection by running different parts of the website under separate accounts and/or in front of a Web Application Protection solution that might identify data exfiltration as was reported here. Finally, businesses can implement fraud indicators (also known as red flags to some) which perform regular scans to identify when and if there has been a data breach of some kind.
Tips for Businesses with Web-facing Applications:
Businesses have never been under more sophisticated and frequent attacks. Cybersecurity spending on defenses is set to top 1 Trillion dollars in aggregate by the end of 2021. Web applications are one of the weak links hackers are exploiting. You must consider implementing some of the mitigating controls above to protect you and your clients from Internet attacks and to discover attacks as quickly as possible when hackers exploit some error in your web application.
Tips for Businesses who Grant Critical Data Access to 3rd Parties:
In this case, neither Quest nor Lab Corp themselves were compromised. It doesn’t really matter though does it? The damage to their brand has been done. Their names will forever come up in Google searches of major security breaches and stolen data. If you outsource your critical data processing to a 3rd party, you need to examine them for cybersecurity preparedness. Do not assume they know what they’re doing. Directly inspect them with a site visit or audit. Really review their auditor reports if they have them. At a minimum, send them a 3rd Party Cybersecurity Awareness Questionnaire which is available to clients of CyberHoot.com.
Tips for Individuals whose data was potentially Breached:
Individuals whose personal medical and financial data was breached including social security numbers should follow the same advice provided for the Experion and Anthem breaches. Freeze your Credit until you need to use it for your own purposes. I have frozen my credit at ALL FOUR credit agencies and twice lifted the freeze for myself – once to buy a car and once to change Credit Cards at my bank. Both times it was easy and painless… but I sleep better knowing I’ve made it as hard as possible for hackers to breach my personal credit with my compromised Social Security number, medical, and financial records. Freeze yours as well. Here’s how.
Author, Ty Mezquita, Blogger/Social Media – CyberHoot
Editor, Craig, Co-Founder – CyberHoot