Comments

Zsolt September 21, 2021 7:26 AM


In response, the state of Alaska is offering free credit monitoring to “any concerned Alaskan.”

What’s up with all these free credit monitorings? It sounds like all major corporations (and apparently states) think that a user’s personal information is worth approximately the costs of a free credit monitoring. 😮

I’ve read about this kind of compensation for a breach so many times, I stopped counting. 🙁

anonymous September 21, 2021 7:36 AM

UC San Diego Health had a huge data breach a few months ago as well, thanks to some employee who clicked on a link in a phishing email, apparently. Lots and lots of medical records full of sensitive PII were stolen. Their response? Offer of one year of identity theft protection! Not very meaningful protection against nation states.

Do employees who handle our data get NO security training?

Clive Robinson September 21, 2021 7:38 AM

@ Bruce, ALL,

Apparently, a nation-state hacked Alaska’s Department of Health and Social Services.

In the UK we have solved this problem entirely.

Our current political encumbrants have “outsourced it” by giving all UK citizens’ medical records to Google and Palantir… So that they can haemorrhage the data to foreign nation states and interested others for the knock down price of a couple of cents a record, or just wander down to the all you can eat data buffet.

Jon September 21, 2021 7:55 AM

What nation-state wouldn’t want the complete confidential records on the next Sarah Palin and her family? A little ‘kompromat’ can go a long way. J.

Steve September 21, 2021 8:53 AM

@anonymous

Do employees who handle our data get NO security training?

All the training in the world does not guard against simple human fallibility.

People forget, they make errors, even the most competent, well trained individual messes up every once in a while.

Until the “singularity” and the emergence of our AI overlords, people are always going to be the weak link.

Of course, once people are eliminated, there will be no more personal information to leak.

CarpetCat September 21, 2021 8:54 AM

How do they know you’re you signing up for the free year? Isn’t it possible you could be the thieves with your stolen information signing up?

Jokes aside, an interesting point: How do thieves and criminals handle identity theft?

JonKnowsNothing September 21, 2021 9:15 AM

@anonymous

re: thanks to some employee who clicked on a link…

If you are in any aspect of computing: design, software, marketing then ask yourself:

Who taught people to click on links in the first place?

Everyone ever attached to the computing industry did. And we continue to promote, and expand the uses of all “click, scan, swipe” technologies.

A fair few folks are employed to streamline, improve and MakeCleaner interface UIs and reduce the number of interactions people take in order for them to Buy-Stuff-Clickbait.

That includes BuyStuff-Clickbait that looks like it comes from a SuperBoss that you MUST respond to ASAP (btdt). Hey, how was I supposed to know he was into weirdo shyte…

The fix isn’t that hard but no one will do it and no one will tolerate it.

Peter A. September 21, 2021 9:59 AM

@Bruce: As for ‘why’ I have a few ideas:

  1. Just because they can.
  2. As a field exercise.
  3. To ridicule their opponent government further.
  4. To target one (or a few) individual(s) known to use Alaskan health services without hinting who exactly they are after.

Aaron September 21, 2021 12:27 PM

“In response, the state of Alaska is offering free credit monitoring to any concerned Alaskan.”

That’s like offering a homeowner a security camera to watch the thief break into the house and still steal all their stuff. But hey, you got a free camera… too bad your jewelry, safe and 55″ TV are gone.

This kind of hack highlights two things:

1) nation state cyber attacks against the US are acceptable (from the stance of the US Government) so long as the data compromised isn’t about the government itself; meaning no data of government protection was compromised (classified data security was maintained). Citizens are collateral damage, so long as the overarching entity is not harmed. However, the citizens comprise the overarching government and are now MORE vulnerable to blackmail, extortion, etc., which in turn makes for MORE weak points within the overarching government.

You don’t die from most poisonous snake bites; you die from failing to treat the poison which eventually destroys the entire entity, not just the limb that was bitten.

2) less security-centric agencies, like state based agencies (DHSS), FCC, CDC, etc., CAN’T prioritize proper security postures because their budget won’t allow it; effective network engineers are expensive. Meanwhile agencies like NSA, FBI, CIA, etc., exist BECAUSE their primary purpose is security-centric processes. One government, incapable of doing the same things across hundreds of agencies, because of budgets and priorities.

You bought a motorcycle but you spent all your money on the motorcycle and didn’t have enough left over to buy a helmet and safety gear. Who will weep for you when you have an accident and die because you didn’t prioritize and budget properly for operational safety FIRST rather than with your leftovers?

anonymous September 22, 2021 10:19 AM

Re the UCSD Health data theft, the San Diego Union Tribune lists (as exfiltrated information):

“Full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information, treatment information, Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames and passwords”

So, it’s easy to understand why a nation state would target health care records…especially once they collate it with data from, say, the OPM and Equifax breaches.

@Everybody, thanks for the replies above.

unbob September 22, 2021 2:14 PM

@Zsolt

What’s up with all these free credit monitorings? It sounds like all major corporations (and apparently states) think that a user’s personal information is worth approximately the costs of a free credit monitoring.

Lawyers are what’s up. Lawyers decided that the cost of identity loss was purely potential damage to your credit score and that the compensation was credit monitoring. Personally, I’d like to see someone sued into oblivion for other damages.

Feel sorry for those poor DoE folks whose identities, including fingerprints, were lost to the Chinese in the OPM breach. Hey, free credit monitoring though! 😉

Steve September 22, 2021 4:25 PM

@unbob:

Lawyers are what’s up.

Lawyers and marketing.

The credit agencies see things of this sort as marketing opportunities. One year of “free” credit reporting gets the punters hooked and then after that, it’s a yearly fee.

Cha-ching.

Sort of like those class action suits where the “recompense” is a coupon to buy more stuff from the company that ripped you off in the first place.

Everybody wins.

If, by everybody you mean the lawyers and the marketers. Consumers not so much.

Axel F September 30, 2021 3:47 PM

Just because the hack is done by some advanced group in Russia does not necessarily mean it is the Russian government. Just because it is some group in Hong Kong does not mean it is the Chinese government. And so on.

Although, if they implanted some APT on the network just for gathering data then maybe. AK Department of Health and Social Services probably has some trusted connections to some other US gov’t network(s).

Clive Robinson September 30, 2021 4:10 PM

@ Axel F,

And so on.

Which is why one or two of us around here say,

1, Attribution is very hard.
2, False flag is not that hard.

It’s why we are sceptical of many of the US issued “It was XXX wot dun it” statements. Especially when XXX is only one at a time of China, Iran, North Korea, Russia.

It’s got so bad even George Orwell is getting embarrassed by it as a tactic.

But hey that’s politics for you…

And it does amuse six months or a year or two down the line when you get a very small story saying “It was not North Korea, but Russia” (Korean Olympics) or “Yes North Korea was the real target not Iran” (Stuxnet) and so on.

But when you get a fairly solid attribution on US Agency “False Flag tools” software, and people still just accept “It was XXX wot dun it” as though it was gospel, you have to start wondering what it would take to make them say “Hey show us real evidence” or similar…
