24 hours, 15 breaches: A day in the life of a cyber security observer, and why reporting matters

I only started covering the cyber security beat in December, after a career spent writing about consumer technology. To say that every day on the job since then has been an adventure is, as they say, an understatement.

When I got to put some faces to names at a recent Gartner event, everyone I met looked at me with the same sense of curiosity and mild pity, like I clearly had no idea what I had gotten myself into.

“Welcome to the madhouse” was a common refrain.

But here’s the thing — I’m just reporting on the space. I can knock off, go home, and effectively not think about all the breaches that are happening while I’m not on the clock. If I make an error in my reporting — it’s a fast-moving space, and one I am still getting to grips with — it might look bad for me, but it’s hardly going to cause the kind of angst and actual damage that a breach might cause a company or its security team.

However, even being one remove from the coalface, as it were, I’m still astounded at the sheer pace of events. Reporting on breaches is only a part of what we do at Cyber Security Connect, and honestly, it’s impractical to report on all of them. And if I’m having issues keeping up with cyber security incidents, I cannot imagine how a professional must feel.

So I want to share my perspective on a single day of security incidents and how they are reported, and the sources I and others use to track data breaches and similar hacks.

Threat actor reporting

Monday, 10 April, was a busy day for the BlackByte ransomware group, so let’s start there. The Telegram channel Venari does some very basic reporting, based on announcements and posts made by the threat actors themselves, on various dark web forums and pages.

On Monday, BlackByte reported that it had compromised four targets: the City of Collegedale and Crown Grinding & Machining in the United States, Cement Bio Bio in Chile, and Création Baumann AG in Switzerland.

VIEW ALL

Since Venari only states that an incident has happened, we need to dig a little deeper if we want to learn more.

The City of Collegedale has not reported any incidents or breaches on its own site or socials, which is still up as of the time of writing, but other sites have reported the incident, and security specialist Dominic Alvieri even posted screenshots of BlackByte’s own dark web post. So though we don’t know much about the incident, we can assume it’s real.

Crown Grinding & Machining’s website is currently down, however, but other security accounts and sites back up Venari’s reporting. The same goes for BlackByte’s other two victims, though, again, neither has posted any information regarding the possible incidents on their own sites.

Either they are unaware of the possible breach or are just being circumspect about their reporting. Many organisations will likely not know they have been hacked until they are contacted by a threat actor, and even then they may not know how to proceed.

On the same day, according to Venari, the LockBit group claimed two scalps as well — a company called AEK in Macedonia and the Mundo Cuervo tequila company in Mexico. Again, AEK’s website is down, and while Mundo Cuervo’s site is up, it’s not made any notice of compromise. Other sites do, however, confirm the hacks.

Venari reported two other hacks on Monday. The Medusa group claimed to have compromised Scantibodies Laboratory, and the Royal ransomware group hacked flooring company Tom Duffy, both in the US. Again, both hacks are confirmed by other sources, and — sadly, again — neither company has any reporting on their own sites.

One thing we do know about the Tom Duffy hack is that it comprised 10 gigabytes of data — not a small incident.

So from one Telegram channel, that’s eight discrete cyber incidents, all ransomware attacks. And remember, this isn’t based on reporting by the victims, but rather the threat actors themselves. The nature of the victims also reveals that ransomware operators will target any industry they can. A tequila company may not think it needs to worry about cyber security, but that’s just not how the bad guys work.

If you have data, and it is unsecured, it will be compromised. One phrase I have heard repeated over the last six months is, “it’s not if you get hacked; it’s when”.

Mandatory reporting

Thankfully, some jurisdictions have very clear guidelines for how companies should report cyber incidents themselves, and arguably the best of them is the state of Maine in the US. The Office of the Maine Attorney General requires any breach of a Maine resident’s personal information to be fully reported, which it then shares online, along with any correspondence the affected company has shared with its customers.

It’s one of the most thorough reporting regimes we’ve seen and is another essential source — so long as the incident being investigated affects a Maine resident.

So, again, Monday, 10 April, was a busy day, with Maine’s data breach notification page listing seven separate incidents. And with the nature of the reporting, we know a lot more about each breach.

Upper Thompson Sanitation District, Colorado
57 people affected, including one Maine resident
Breach occurred: 20 January 2023
Breach discovered: 24 February 2023
Personal information, including social security number affected.

Kline and Specter, Pennsylvania
3,334 people affected, including nine Maine residents
Breach occurred: 13 March 2023
Breach discovered 13 March 2023
Personal information, including social security number affected.

Webster Bank, Connecticut
191,563 people affected, including 240 Maine residents
Breach occurred: between 27 November 2022 and January 2022
Breach discovered: 27 January 2023
Personal information, including social security number affected.

Harrington Raceway, Delaware
12,723 people affected, including four Maine residents
Breach occurred: between 12 December 2022 and 27 December 2022
Breach discovered: 10 March 2023
Personal information, including driver’s licence affected.

Woodward Communications, Iowa
12,467 people affected, including four Maine residents
Breach occurred: 19 January 2023
Breach discovered: 19 January 2023
Personal information, including social security number affected.

Our Lady of the Lake University, Texas
41,826 people affected, including three Maine residents
Breach occurred: 30 August 2022
Breach discovered: 3 March 2023
Personal information, including social security number affected.

Flatiron Solutions, Colorado
1,528 people affected, including four Maine residents
Breach occurred: between 15 December 2022 and 1 January 2023
Breach discovered: 23 February 2023
Personal information, including bank details and passwords affected.

Each listing also includes who filed the breach notice (which could be the company in question or their lawyers), as well as what identity protection services were offered to affected individuals. It’s the best reporting system in the US, and one that we could learn a lot from here in Australia. It is completely transparent.

But it also shows the scale of these breaches. In a single day, in seven reported incidents, over 250,000 individuals were affected. Of course, the breaches are spread out over time, but the disclosure time means that those individuals were notified around the time the breach notices were posted.

In the last month or so, those 250,000 people would have gotten a rude shock in the mail or in their inboxes.

And these are just the breaches that affected Maine residents. Other states are far less transparent about their reporting, and many don’t report such incidents at all — which makes it very hard to track how a company or organisation is handling a given incident. Monday was a particularly busy day, we admit, but at the same time, it’s a small window into a far wider world. Millions more individuals could easily have been affected in that same time frame, just in the US alone.

In terms of things that security specialists need to be on top of, that’s just the tip of the iceberg. I’ve not even touched on vulnerability reports that need to be monitored, the challenge of keeping up with detailed threat reporting of emerging actors, or even just the global news cycle. Simply knowing that your country is sending arms to Ukraine, for example, could be reason enough to keep a closer-than-usual eye on your security.

These are the events that security teams are facing on a daily basis. They affect businesses, large and small, companies and government agencies at every level. And while the financial and reputational damage to a business can be immense, it’s real people who are at risk of identity theft, fraud, and worse.

Knowing the scale and scope of these events is vitally important to managing response plans and building a robust security framework — no matter the scale of your organisation.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.