Orrick, Herrington & Sutcliffe, the San Francisco-based company, revealed last week that during an attack in March 2023, threat actors stole personal information and critical health data of more than 637,000 data breach victims.
In a series of letters notifying those impacted of the data breach, Orrick said that the hackers had taken massive amounts of data from its systems relating to security incidents at other organizations for which it had provided legal assistance.
Orrick says that the data involved in the breach included its customers' data, among them people with dental policies from Delta Dental, a major healthcare insurance network that covers millions of Americans' dental needs, and people with vision plans from the insurance company EyeMed Vision Care.
The company further added that it had notified the U.S. Small Business Administration, the behavioral health giant Beacon Health Options (now Carelon), and the health insurance provider MultiPlan that their data was also exposed in Orrick's data breach.
Apparently, the stolen data includes victims' names, dates of birth, postal and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver's license numbers, and tax identification numbers. Information about patients' medical treatment and diagnosis details, insurance claim details such as dates and service charges, and healthcare insurance numbers and provider details has also been compromised.
Orrick further says that credit or debit card details as well as online account credentials were also involved in the breach.
Since the initial announcement of the breach, the number of affected individuals has been rising. In its recent breach notice, Orrick states that it "does not anticipate providing notifications on behalf of additional businesses"; however, the company did not specify how it came to this conclusion.
Orrick told a federal court in San Francisco in December that it had reached a preliminary settlement to end four class action lawsuits that claimed Orrick failed to disclose the breach to victims for months after it had occurred.
“We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm,” added Orrick’s spokesperson.
While the name of the threat actors is indeed new to the list, the tactic remains conventional. Ransomware gangs use malware to infect computers within an organization, making the contents unreadable. They then demand payment, usually in Bitcoin, to unlock the files.
In recent years, however, 'double extortion' has become the prevailing tactic, in which the majority of ransomware groups also steal the data and threaten to leak it online.
This week, the threat actor in question, Rhysida, uploaded low-quality pictures of the personal data obtained during the attack to the internet. On its leak site, Rhysida threatened to sell the stolen information for a starting price of 20 bitcoin, or almost £590,000.
According to Rafe Pilling, director of threat research at cybersecurity firm Secureworks, this is “a classic example of a double extortion ransomware attack and they are using the threat of leaking or selling stolen data as leverage to extort a payment.”
While the British Library is the current high-profile victim of the ransomware gang, Rhysida has also notably attacked government institutions in Portugal, Chile and Kuwait. In August, the group also claimed responsibility for attacking the US hospital group Prospect Medical Holdings.
In response to these emerging cases, US government agencies have released an advisory on Rhysida, stating that "threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors."
The advisory noted that the Rhysida gang has been running a "ransomware as a service" (RaaS) operation, in which it provides malware to other threat actors and shares in any ransom proceeds.
Although Rhysida’s name is relatively new to the public, according to US cybersecurity firm Secureworks, the group first came to light in 2021. Secureworks refers to the group as Gold Victor, noting that it runs a ransomware scheme called Vice Society.
While the Rhysida gang's precise identity is unknown, Pilling assumes that it follows the pattern of comparable operators, who are typically from Russia or the Commonwealth of Independent States, which is made up of Kazakhstan, Belarus, and Russia.
“I would assume that they are probably Russian-speaking but we don’t have any hard evidence,” said Pilling.
The US agencies state that groups using the Rhysida ransomware have gained access to systems through virtual private networks (VPNs), generally used by staff to access their employers' systems from remote locations. They have also used the well-known tactic of phishing, in which victims are duped, typically through email, into clicking on a link that downloads malicious software or into divulging personal information such as passwords.
After gaining access, the gang lurks in the system for a while in order to evade detection. According to Secureworks, compared with 2022, this dwell time for cybercrime groups has now been significantly reduced, to less than 24 hours.
The US agencies further note that, like other members of the criminal hacking community, Rhysida attackers frequently seek cryptocurrencies as payment for their extortion. Ransomware gangs are drawn to digital assets like Bitcoin because they are decentralized, meaning they operate outside of traditional financial systems and avoid routine checks. Additionally, transactions can be hidden, making them more challenging to follow.
While the company has acknowledged this as a "cyber-security issue" and addressed the problem by taking down certain systems, it confirms that the facilities remain "operational."
Customers have also been facing issues owing to the security breach. In one instance, a customer staying at the MGM Grand in Las Vegas reported that she ended up in the wrong room because the hotel's digital keys were malfunctioning. Following this, the staff had to substitute physical keys. The customer was also offered a complimentary stay as compensation.
The same customer posted a TikTok video showing that the slot machines and gambling games at the resort were not operating at the time.
Moreover, many complaints surfaced on social media from users whose reservations had been canceled, or who were unable to check in, pay by card, or log in. One customer claimed that he had to leave the MGM Grand premises in order to find cash to buy food.
In response, MGM Resorts stated in a post on X (formerly known as Twitter) that it had started an investigation "with assistance from leading external cybersecurity experts."
"We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems," the company stated. The company further noted that the investigation was ongoing and that the "nature and scope" of the cyber-attack had yet to be determined.
In another statement, the company noted in its post that its "resorts including dining, entertainment and gaming are still operational." "Our guests continue to be able to access their hotel rooms and our Front Desk is ready to assist our guests as needed," it added.
However, MGM's official website is still not working. On its homepage, a notice informs users that the website is "currently unavailable" and offers phone numbers or links to external websites for getting in touch with the business. A similar message was displayed on the websites of the company's resorts.
This is the second time that MGM Resorts has experienced a cyber-security incident.
2019 saw a breach in one of the company's cloud services, and more than 10 million client records were taken by hackers. Names, addresses, and passport numbers of individuals were stolen.
It is unknown at this time if this most recent cyber-attack resulted in the theft of similar data.
The MGM Resorts attack is worth noting, since casinos are not common targets for hackers. Moreover, MGM is not just another casino operator but a giant corporate empire, with hotels and casinos across the US, including some of the best-known locations in Las Vegas.
A local news outlet in Las Vegas broke the news on Monday, following numerous complaints from MGM customers. According to the reports, some complaints concerned ATMs at affiliated hotels and casinos that did not appear to be functioning. Others claimed that their hotel room keys failed to work, while some noted that bars and restaurants inside MGM complexes had abruptly closed. Meanwhile, MGM's official website is clearly not functioning as it should.
To put a halt to further speculations, MGM published a short statement mentioning that the organization has in fact been a victim of an undisclosed “cybersecurity issue.” According to The Associated Press, computer failures related to this problem appear to be affecting MGM properties all across the country, including in Vegas and far-flung locations like Mississippi, Ohio, Michigan, and significant portions of the northeast.
The statement posted by MGM to X (previously Twitter) reads: “MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”
Later, in a statement shared with Bloomberg, the company acknowledged being the victim of a "cyberattack" and said the attack was disrupting some of its computer systems. However, it is still unclear exactly what kind of attack has disrupted their functioning. Ransomware appears to be the most likely suspect in this situation.
While casinos are not frequent targets of cyberattacks, such exceptional cases have certainly been known to occur.
It is worth mentioning that a ransomware attack would undoubtedly have a significant impact on MGM's business operations, given that the company is not just some casino supplier but a giant corporate empire with many interconnected enterprises. Further information about the issue is awaited, and, as is customary in situations involving "cyber incidents," it will take time to determine the exact details of the MGM issues.
The AP Stylebook is a widely popular guide for grammar enthusiasts, used by journalists, magazines and newsrooms for guidance on punctuation and writing style.
The Associated Press issued a warning this week, informing AP Stylebook customers that its old third-party-managed site (no longer in use) had apparently been under hackers' control between July 16 and July 22, 2023. The breach led to the compromise of 224 customers' data.
According to their report, the compromised data included customers’ personal information such as:
As stated by the AP, initial information regarding the possible breach reached them on July 20, 2023, when AP Stylebook users reported receiving phishing emails requesting that they update their credit card information.
After learning of the phishing attack, the AP disabled the outdated site in order to stop any further attacks.
By the end of July, the company began warning AP Stylebook customers about the phishing attacks, informing them that the fraudulent emails were sent from 'support@getscore.my[.]id' with a subject line similar to "Regarding AP Stylebook Order no. 07/20/2023 06:48:20 am."
The Associated Press further advised AP Stylebook customers to reset their passwords upon their next login.
With only 224 customers affected, this was hardly a significant data breach; however, the fact that hackers are always on the lookout for journalists' and media businesses' login information makes the breach noteworthy.
Acquiring illicit access to the networks of a media organization could result in a variety of cyberattacks, such as extortion and ransomware attacks, data theft, or even cyber espionage.
Other examples of local or global media organizations that have suffered a ransomware or cyberespionage attack include News Corp, the Philadelphia Inquirer and the German newspaper Heilbronn Stimme.