Pages

Wednesday, June 28, 2023

Cyber Insecurity

Siemens and UCLA say data compromised in MOVEit data breach

Reuters, June 27, 2023

Siemens Energy (ENR1n.DE) and the University of California, Los Angeles (UCLA) said on Tuesday they were among victims of the MOVEit hack that has affected scores of corporations, governments and other institutions in recent weeks. The hackers behind the wide-ranging breach, Cl0p, had earlier boasted on their website about stealing data from UCLA and Siemens. Cl0p also claimed to have stolen data from biopharmaceutical company Abbvie Inc (ABBV.N) and French industrial group Schneider Electric (SCHN.PA).

Schneider said in a statement that it was "currently investigating this claim." Abbvie did not immediately comment. Cl0p did not immediately return a message. The FBI said in a statement it was "aware of and investigating the recent exploitation of a MOVEit vulnerability by malicious ransomware actors".

Siemens and UCLA provided few additional details about the scope or consequences of the breaches. Siemens said none of its critical data had been compromised and its operations remained unaffected. UCLA said its campus systems were unaffected and that "all of those who have been impacted have been notified".

The MOVEit software is used by organizations around the world to share sensitive data. Last week, U.S. pension fund Calpers and insurer Genworth Financial (GNW.N) said personal information of their members and customers had been compromised as part of the hack.

Source: https://www.reuters.com/technology/siemens-energy-no-critical-data-was-compromised-after-moveit-data-breach-2023-06-27/.

===

UC Regents seeks millions in reimbursement from insurer over cyber breach

City News Service, June 26, 2023, ABC-7

The UC Regents allege in a new lawsuit that an insurer is wrongfully denying payment for millions of dollars in losses incurred after cyber attackers obtained access to parts of UCLA Health's computer network in 2014. The regents filed the lawsuit Friday in Los Angeles Superior Court against Certain Underwriters at Lloyd's, London, alleging breach of contract and seeking unspecified compensatory damages. Lloyd's has not honored its obligations under the cyber insurance policy signed with the regents in July 2014, repeatedly denying coverage for any losses related to the UCLA Health cyber breach based on its reading of a condition in the coverage that is contrary to California rules of policy interpretation, the suit states. A Lloyd's representative did not immediately reply to a request for comment.

According to the complaint, the regents determined in May 2015 that the attackers may have accessed parts of the network that contain personal identifying information of UCLA Health patients, including names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan identification numbers and some medical information.

As part of its investigation, UC paid certain third parties to conduct forensic analyses of the UCLA Health network, in part to identify whether the incident had potentially exposed any personal identifying information, according to the suit, which also states that the regents hired a law firm to inform the regents regarding their notification obligations as well as another third party to provide those notices.

The regents notified the insurer of the breach in June 2015, the suit states. After UCLA Health announced the breach a month later, the regents were sued in 17 class-action lawsuits in Los Angeles Superior Court by then-current or former patients whose personal information was stored on the parts of the UCLA Health computer network potentially accessed by the cyber attackers, the suit states.

The patients said the regents failed to properly protect their personal data. The parties signed a settlement in February 2019 that required the regents to pay $2 million into a claims fund for class members affected by the incident and $5 million into a cybersecurity enhancement fund to address vulnerabilities that allegedly contributed to the breach, the suit states.

The settlement also obligated the regents to fund identity theft monitoring services for two years for interested class members, pay all settlement administration costs and class notification costs and pay the class plaintiffs' attorneys' fee award, according to the suit, which further states that preliminary approval was given to the accord in February 2019 and final approval in June of that year.

The regents have incurred substantial investigation and defense costs since the first case and continue to pay money because the settlement administration process is ongoing, the suit states. The regents also have been spending money to investigate and issue notifications to various federal and state regulators about the cyber breach and to respond to inquiries from some of the state regulatory agencies that received those notifications, according to the suit.

In a June 2017 letter, Lloyd's denied coverage under the policy for all losses incurred by UC to date in connection with the UCLA Health cyber breach, including the response costs and defense costs for the patient lawsuits, the suit states.

Source: https://abc7.com/uc-regents-lawsuit-cyber-attack-ucla-health-computer-network/13429090/.

===

And, of course, there was the Accellion breach a few years back that affected UC and other organizations. Remember that one? If not, you can use the search engine for this blog.

No comments:

Post a Comment