» A major breach hitting Tennessee-based Community Health Systems (CHS) started with the exploit of a VPN device, which was vulnerable to the Heartbleed bug. In late August, David Kennedy, principal security consultant and CEO at Ohio-based TrustedSec, cited three sources close to the CHS investigation who tipped him off to the initial attack vector – a VPN concentrator device manufactured by Juniper Networks. After leveraging the OpenSSL flaw, Heartbleed attackers were able to obtain VPN credentials stored in memory on the Juniper device. The CHS breach reportedly impacted four million patients, whose names, addresses, birthdates, phone numbers and Social Security numbers may have been compromised. Following news of the breach, a lawsuit was filed against CHS accusing the hospital operator of failing to meet security standards to protect patients' personal information.
» With CryptoLocker ransomware seemingly out of commission, its less well-known twin CryptoWall has stepped out of the shadows and thrived – in a five-month period infecting 625,000 victims worldwide, encrypting 5.25 billion files, collecting more than $1.1 million in ransoms and effectively surpassing its more famous sibling in infection rates, according to an August threat analysis from Dell SecureWorks Counter Threat Unit. Dell noted that, despite infecting more machines in less time than CryptoLocker, CryptoWall was responsible for less costly ransoms (37 percent of what CryptoLocker made). CryptoWall victims typically paid between $200 to $2,000 in ransom to unlock their files, the company said, though one victim forked over $10,000.
» JPMorgan Chase, as well as at least four other financial institutions, were hacked by what appeared to be Russian state-sponsored attackers. In the incursions, hackers were also thought to have exploited a zero-day flaw in at least one bank's website in order to weave through layers of complex security and gain access to sensitive information. Gigabytes of sensitive data were stolen in the attacks, including information from employee computers and information that could be used to drain funds from accounts, a Bloomberg report revealed.
» The PCI Security Standards Council published its Third-Party Security Assurance Information Supplement in August. The guidance focuses on how entities can better vet third-party service providers (TPSPs) before establishing business relationships with them, and aims to help merchants determine which third-party services fall under the scope of their Payment Card Industry Data Security Standard (PCI DSS) assessments. The document also clarifies which PCI DSS requirements are to be met by third parties or by the contracting entity, and walks businesses through crafting detailed written agreements when outsourcing, so that all parities are aware of their obligations.
