RISKS
What happened
In November 2021, lead-generation company Astoria informed the Maine Attorney General’s Office that it was notifying 940,000 consumers about a breach that was discovered in January 2021, when the threat intelligence team at a security company found several databases offered for sale on the Dark0de (Darknet Market) by the popular hacking group Shiny Hunters.
It was previously reported that Social Security numbers for as many 40 million Astoria users were exposed, among other personally identifiable information (PII). That data was reportedly exposed by a malicious insider, which Astoria Company officials identified as a developer based in India, who took advantage of a previously reported file disclosure vulnerability that allows hackers to populate the connection window with their remote MySQL server.
Astoria originally disputed the reported extent of the breach, claiming that only a little of the data was theirs. On April 27, they notified 70 consumers nationwide, based on the sample of data that they had received and that they had confirmed came from their system. The November notification of 940K consumers identified impacted information as including name, mailing address, email address, phone number, DOB, SSN, and/or driver’s license number.
Why is this important?
Handling the response to a data breach is almost as important as avoiding one in the first place. Taking nearly ten months to notify 940,000 customers that their data may have been compromised has put Astoria in an awkward position, with several law firms reaching out to notified customers about the possibility of joining a class action lawsuit.
What does this mean to me?
It’s important to know what the data breach notification laws are in your jurisdiction. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have Security Breach Notification Laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information.
APPROACHES
A governance program that includes a robust incident response readiness program can help organizations to reduce dwell time, assist forensic investigators, and reduce overall liability. Breach notifications that linger show weak governance and increases liability to the company.
Helpful Controls
- Includes all known security and privacy requirements
- Based on Duty of Care Risk Analysis standard
Incident Response Readiness (IRR)
- Incident Response Plan (IRP)
- Tabletop exercises
- First Responder Training
- Technology review of monitoring, alerting, and logging solutions – SIEM, EDR, MDR, IPS, Log aggregation, Threat monitoring
Commonality of attack
High
Article on story
Update: Astoria notifying 940,000 consumers after breach earlier this year
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.
SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING