Data Security, Security Management, Incident Response, Ransomware, Supply chain

Cyberattacks Compromise Crypto, College and Healthcare

A computer popup box screen warning of a system being hacked, compromised software environment.

A trio of separate security breaches closed 2023, hitting a crypto trader, a healthcare facility and a community college, as cyberattackers carried out digital burglaries on common targets.

Most recently, a third party service provider for crypto trader INX Digital was struck by a security breach on December 20, 2023 that reverberated to one of its subsidiaries. INX publicly reported the attack on December 29, 2023, which cost the subsidiary roughly $1.6 million.

Supply chain cyberattacks of significance have grown in number and prominence of late. Most recently, discount retailer Dollar Tree was hit by a supply chain attack that put at risk the personal information of some 2 million people after a digital break-in at a third-party service provider.

According to a study by KPMG, 73% of organizations have experienced at least one significant disruption from a third-party attack in the last three years.

No Impact to Customers, INX Assures

INX said that none of its customers were affected by the incident and the security breach had no effect on its platforms or servers. The company said that it holds some $36 million in a reserve account not connected to its operational capital to cover its customers and its own losses from a cyber event. The account also covers losses in which counterparties have participated. Should the third party service provider in this case lack sufficient resources, INX will cover the supplier’s losses from its reserve fund.

No personal information or other data of INX's customers were compromised, the crypto trader said. It has placed additional security measures in place and will continue to actively monitor any suspicious activity, officials said.

Healthcare Patient Information Exposed

In a second event, a healthcare digital break-in at Columbus Aesthetic and Plastic Surgery on September 22, 2023 exposed some patient information. Columbus did not make the attack public until three months later on December 22.

Columbus said that on the date of the attack it had identified suspicious activity within its network environment and hired external cybersecurity experts to investigate. The healthcare operator concluded that an unknown actor had gained unauthorized access to a limited portion of its network and potentially acquired certain files.

At this point, there is no evidence that the attacker(s) have made their way into the company’s electronic medical records system. However, on December 22, 2023, Columbus revealed that some patient information may have been affected.

The information may vary by individual, and could include name, Social Security number, driver's license, state, or government identification number, date of birth, financial account information, medical or health information, health care treatment or diagnostic information, health insurance information, and payment for services. Columbus said it will notify affected individuals.

Community College Endures Ransomware Attack

In a third incident, Bunker Hill Community College reported a ransomware attack on May 23, 2023 that compromised certain individuals’ personal information. The college disclosed the incident publicly on December 29, 2023, but did not indicate a financial demand.

The education market is a favored target of ransomware crews, often for its lack of data lockdown systems. However, Bunker credited its backups for saving it from a much more destructive result, enabling it to continue its academic calendar on schedule.

The Boston, Massachusetts-based college said it “engaged leading security professionals” to help with its investigation and response to the attack.

The investigation concluded that the following personal data had been exposed for some, but not all, individuals: name, date of birth, Social Security Number, driver's license number, state identification number, U.S. alien identification number, passport number, financial account number in combination with routing number or code, credit/debit card number, username and password, medical information, and health insurance information.

Bunker said that it has reset and strengthened passwords, implemented new network security tools and adopted new network access policies to safeguard its systems from subsequent attacks.

To date, there is no indication that the unauthorized actor has misused any information for identity theft or fraud in connection with the event, officials said. The school is offering affected individuals credit monitoring services for the next two years.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.