
In a recent podcast interview with Cybercrime Magazine's host, David Braue, cyber expert, author of "Hacked Again," and CEO of Berkeley Varitronics Systems, Scott Schober discusses the potential repercussions of the HealthEquity data breach. The podcast can be listened to in its entirety below.


David: Joining us today is Scott Schober, cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books Hacked Again and Senior Cyber. Scott, thanks for joining me today.

Scott: Yeah. Wonderful to be here with you, David.

David: So, very interested in hearing your thoughts about one of the big breaches that's been happening recently. This is the data breach of HealthEquity, which is an interesting company. What's HealthEquity about? What's happened in this breach?

Scott: This breach is a little bit different because we hear about many traditional breaches, and the healthcare sector is certainly a target. But HealthEquity is considered one of the largest HSA (health savings account) custodians in the United States. So they're not only just holding people's money tied to their healthcare, but also flexible spending accounts tied to health reimbursements, even 401(k)s. So it's kind of interesting. It's a mix of our financial data, our personal financial information that they hold, as well as our health information about us. A lot of personal information combined, all under one roof that they guard and protect.

David: That seems like a cornucopia for hackers, I mean. Not only do they get healthcare information, but there's probably a fairly large amount of financial information there as well. So two birds with one stone, really.

Scott: Exactly.

David: The breach has reportedly affected 4.3 million people in the U.S. What kind of data are we talking about here?

Scott: Yeah, a significant number of people. And then, as they dug into this, more and more unfolds. It's the typical: the full name, the address, the telephone number, employee IDs, but also Social Security number, information about dependents, and what scared me is payment card information. It's not the full information per se, the actual card number. But enough that somebody could use these bits and pieces as a puzzle, putting it all together to perform identity theft or other types of breaches. And that's really scary. When you combine breach information, it becomes very powerful and a lot more valuable to hackers.

David: Well, it is scary on so many levels, and particularly in something like this, where you're talking about dependent information. That would provide someone with not only the information that they need to assume your identity, but also the information they need to know who to target. For example, extortion attempts, or the "Hey Mom" scams, or whatever it is. It's really, basically, a playbook for cybercriminals, isn't it?

Scott: Absolutely, you make a great point. I was even thinking about it. Say you have a child as a dependent. They may not actively have accounts out there, credit cards, or be taking out loans, or this or that, but getting their information as a dependent, it's a prime opportunity for a cybercriminal now to say, "Hey, let me use this information to go take out credit in their name, or take over their identity," whatever else the case may be, and it may not be monitored actively because they're younger. I mean, I have two kids, and I think about that all the time. What if somebody goes after their identity or tries to take out credit in their name? They're just getting established because they're in high school or starting in college. It just makes you think of the what-ifs. And that's what's so scary about a breach like this, having that degree and wide swath of personal information about not just these individuals, but even their dependents. That is a spooky path to go down and think about what could possibly happen.

David: It really is a concern, and people often wouldn't be aware of how much information these companies have and really how it can be used in many different ways for quite nefarious purposes. Now, the company filed an 8-K form, which is the breach disclosure form, in which it described "anomalous behavior by a personal use device belonging to a business partner." Can you translate this to English for our listeners?

Scott: Yeah, what that sounds like to me is one of their third-party vendor accounts. Somebody accessed it, and this is very common. Every company and their network has third parties that they have agreements with, and that they partner with, that allow them to have access to the network. And oftentimes, if it's done properly, they have the proper login credentials. They're using multi-factor authentication. It's in the right hands, and they regularly will do audits to make sure. You know, in case somebody leaves, or a disgruntled employee in that third party, that they change the data for the login credentials, the password, so on and so forth. Maybe those types of things didn't happen, and it was used for malicious purposes, unfortunately. So it's basically an easy way for somebody on the outside to get into a company's network and then start exploiting those vulnerabilities. That's probably what happened, very similar to other breaches when we reflect back on JPMorgan Chase, or I think back years ago, 10-plus years ago, to the Target data breach through a third-party HVAC vendor, where there was access there to get into the system. So that's very, very common, and that's probably the biggest weakness in most companies that allow outside access to a network. They really need to be vigilant and make sure they shore that up so it's properly secured, and then regularly monitored, too. Oftentimes they'll set it up thinking it's secure, but they don't maintain it. They don't monitor. They don't do the audits and checks to make sure things are secure. That's another very big weakness.

David: Yeah, that's so very important. In the subsequent disclosures, the company has fingered Microsoft SharePoint, specifically partners' access to its SharePoint site. So this was a setup where the partner was being given access to an internal site within the company, using something that probably most companies are using. SharePoint's very, very common. How common is it for cybercriminals to target something like SharePoint?

Scott: I think it's very common, unfortunately, and Microsoft's been kind of the brunt of a lot of these jokes lately of not having adequate security, and they partner with everybody, even with the recent IT data outage and Microsoft, in conjunction with CrowdStrike. They keep getting black eyes, unfortunately, but part of the reason is because Microsoft is everywhere, and they've got good packages, and they do have good security. But the problem is, it's hard to keep up with that. It's ever-changing. And it's not always the current package that's out there that has the vulnerabilities. Oftentimes, it's the older software, and companies are not patching the software. They're not updating to the latest and greatest that has the fixes, and cybercriminals know this. So all they gotta do is get it right one time, and they want to find somebody that has older legacy software. I was joking here, even in our company yesterday. We were trying to dig up something for a customer that has a product that's about 6, 7 years old. And back then, the software that happened to be used with it was Microsoft 7. So right away, we're like, well, let's find an older machine with an older operating system with older software. And then we stop and say, "Wait a minute. What are the potential security implications here?" But we're not alone. I mean, we're in the cybersecurity business, but other companies, I hear this all the time. So sometimes, to support things that are a little bit older, you have to go back in time, so you're not using the latest and greatest operating system or apps or whatever else that has those security patches in there to keep you safe, and that very well could happen here as well.

We'll be right back after a quick word from our sponsor.

Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. That's C-I-M-C-O-R.com slash C-I-M-T-R-A-K.


And now back to the podcast.

David: Now, HealthEquity has implemented a global password reset for the third-party vendor. Isn't this really closing the barn door after the horse has already bolted?

Scott: Yeah, too little, too late. I think it does need to be done. Is that a proactive step? Probably not proactive, but it is a step that is necessary, so this doesn't keep happening. It doesn't get worse, because sometimes we think about it like, well, it happened. It's over. That's it. Keep in mind, though, this particular company, HealthEquity, they've got 14 million members across 120,000 organizations, and they do other things, too. They're involved with COBRA and different types of benefits, and, as I mentioned, flexible spending accounts. So there is a much wider potential to take this breach to the next level and garnish yet even more personal information from far more, you know, 10 million more members, if they really keep pursuing it. So sometimes, once they get into the network, they will place malware and different things so they can lie dormant for a while. So, depending upon how much they can actually garnish and get out of here, and extorting people and ransomware attacks and phishing emails, they take this to the next level and use the data that they have taken to sell. They might now say, "Okay, let's go hit these other 10 million members as well, and see what other rich trove of information we can use to our advantage."

David: Well, this is the thing, isn't it? So you say, "Oh, 4.3 million." Well, that sounds like a very precise number, which means that they've decided that 10 million people weren't affected. But, as you're saying, who knows? The best, or, as the case may be, the worst, could still be yet to come.

Scott: Yeah, we really don't know. They also reacted relatively quickly, which I always appreciate. They didn't drag this out. Sometimes we hear about these breaches a year or two later, which is way, way too late, obviously. And, of course, they're offering the two-year credit monitoring and identity theft protection through Equifax. So you get a letter. If you want to enroll in that, you can personally do so. I think it's that valuable, medium. The damage is done. The information's out there.

What you're gonna do now is just get an alert quicker that your information is being compromised and being used for malicious purposes somewhere else, so it might help. It allows you, as an end user, to be at least vigilant to respond if something happens. I typically like to recommend to people, if you haven't done so already, consider having your credit frozen. That's one step that you, as an individual, a consumer, can take to prevent somebody from trying to steal your identity or take credit out in your name, or a loan, or so on and so forth. It's a little bit of a pain. I've done it. It takes about an hour. You make a few phone calls. You authenticate to provide just about all your personal information, which you entrust them to not have compromised, and hopefully, they'll protect it and keep it frozen. And the second you need to take out a car loan or something else, then you have to unfreeze it to dethaw your credit. But that's a good step you can take, and then, obviously, safety tips, I think, are important. Monitor any health accounts that you have. Just be extra vigilant. Look at those accounts regularly. Make sure that you already have a long, strong password in place. Probably update that after the breach. Multi-factor authentication: just about all these have it now. Do you have it enabled? Are you using it? And then just be extra careful about all these phishing attempts. Anything tied to any of these healthcare accounts that you have that looks suspicious, a phishing attempt, don't click on any of those attachments. Don't click on the pop-ups. Just really be careful. You know, as I mentioned, having credit monitoring, they're going to offer that for free. Follow through on that, and just make sure you respond if you get an alert or something that you question, and be very careful.

David: Definitely. That's all very sage advice for people that want to protect their information. A breach like this is particularly interesting as well because this company actually has access to a lot of money. It's the gatekeeper for retirement funds, as you said, for these health funds, which can be accessed after age 65. Seems like there would be potentially the risk of cybercriminals using the details that they've stolen to actually try and scam HealthEquity as well and try and take that money and say, "Oh, I've got a new account here, can you, please? And, you know, I want to take my retirement fund, and I'll do that as cash. Thank you very much." This sort of thing potentially could be the triple whammy, as it were.

Scott: Definitely. And you make a really good point of just thinking about that, building on your point. Sometimes we're told, and we had a recent 401(k) meeting, put money into your account. Sometimes you're better off, don't even look at it. Sometimes we're encouraged not to monitor our account. Put the money in there, pretend you don't even have it, so you build up your nest egg, so on and so forth. Now here's an opportunity where somebody's innocently saving money or putting away some funds in case they need it for the future. They may not be actively monitoring it for any fraudulent use or problems that may pop up. So here we're telling you: don't just put your money under the mattress and hope that it's safe. Regularly look at your accounts, because it could be stolen or taken out there or misused. So it's really important to be vigilant for any fraudulent activity.

David: Yeah, that's a very good point, because this is a very long-tail investment, typically, and people may not even notice if you're not checking this regularly, and you're not using it like you would a bank account as a transactional account. It's not like you're going to go to buy something with your credit card and it's going to get rejected because some cybercriminal has maxed out your card. This money will sit there just kind of accumulating over time, generally, and if people aren't vigilant about it, they may not even know that something's happened to it until well after it's happened.

Scott: Yeah, absolutely. So, this breach has got legs, I think. And we're going to learn a lot more, probably in the months to come, where some of this information ends up. Unfortunately.

David: Very, very true. I mean, there's so much stolen data on the dark web already. Is it still profitable for hackers to sell this data, given that, basically, everybody seems to have had their personal details leaked online somewhere by now?

Scott: In general, our general information, our name, home address, telephone number, and all that, doesn't have that much value. But when you start adding in additional layers, your Social Security's got some value, but again, it's very easy to swipe someone's Social Security number nowadays. Add in that payment card information. Now add in the healthcare aspects and coding and dependent information. So it really does become more valuable. And that could be why companies like this are actually targeted. You're gonna get away with a lot more return on your investment for your hacking dollars when you're going after a big fish like this than a bunch of small businesses or things where it's got minimal value. Because, like you said, our information has been hacked and part of a data breach 10 times over now. You could find it in so many. In fact, a lot of the hackers are now taking multiple breaches and merging that data, filtering out the things that are older, you know. That's an old address. Let me update the address and stuff. So they're doing their due diligence to keep the database as modern as possible, and that way they can get the top dollar when they sell them on the dark web.

David: Well, look at the bright side. At least, if you ever forget one of your key passwords, all you have to do is just look it up online, and it'll be right there waiting for you.

Scott: That's right. Makes one think, "Oh, why don't I just reuse the same password all the time, so I never forget," and I still hear that all the time, people telling me, "I can't remember these passwords. It's easier just to have one password, and I'm hoping I don't get compromised." And I'm like, oh.

David: Hope is not exactly a good cybersecurity strategy, that's for sure.

Scott: Not at all.

David: Scott, thanks so much for your time today. It was a pleasure chatting as always.

Scott: Yeah, wonderful to catch up with you. Thank you again, David.


Post by Lauren Yacono
August 6, 2024
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.
