Future Tech

Nearly 3M people hit in Harvard Pilgrim healthcare data theft

Tan KW
Publish date: Mon, 01 Apr 2024, 11:29 PM

Infosec in brief: Nearly a year on from the discovery of a massive data theft at healthcare biz Harvard Pilgrim, and the number of victims has now risen to nearly 2.9 million people in all US states.

Pilgrim's problems were first admitted last year after a March ransomware infection that affected systems tied to the health services firm's commercial and Medicare Advantage plans. While the intrusion occurred on March 28, 2023, it wasn't discovered until April 17. Pilgrim says it believed customer data was extracted in the interim period.

"After detecting the unauthorized party, we proactively took our systems offline to contain the threat," Harvard Pilgrim said in its latest notification letter sent out this month. "We notified law enforcement and regulators and are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation."

Names, physical addresses, phone numbers, birth dates, clinical information including lab results, and social security ID numbers were all compromised, Harvard Pilgrim said. 

The latest notification letters mark the fourth time Harvard Pilgrim has updated the total number of victims. An update in February put the total number at 2,632,275 individual records exposed; now it is reporting a total of 2,860,795 people. 

As is usually the case in these sorts of dramas, credit monitoring and identity protection services are being offered, and the business doesn't believe any of the stolen data has been misused as a result of the theft - that it knows about at least. 

It's not uncommon for victim numbers to increase during the course of an investigation, though 2.8 million is a lot of people and may not be the final tally yet.

"Our investigation is still underway and we will continue to provide notification in the event we identify additional individuals whose information may have been impacted," a spokesperson told The Register.

That's no moon - it's a compromised EoL SOHO router!

It's been a decade since we reported on a worm dubbed TheMoon that was taking over Linksys routers, and wouldn't you know it - it's back in a new campaign that's targeting end-of-life small home/small office routers and IoT devices.

TheMoon's waxing cycle was spotted by researchers at Lumen Technologies' Black Lotus Labs, who found it infecting outdated routers to be used as part of a crime-focused proxy network known as Faceless, in what they say is likely a long-term campaign. 

According to Black Lotus Labs, TheMoon's botnet has grown to include more than 40,000 systems in 88 countries, and it's picking up speed. In one campaign in early March it added more than 6,000 ASUS routers in less than 72 hours. 

Since it's targeting end-of-life routers and IoT devices (which weren't specified in the Black Lotus report), don't rely on vendors to deploy patches. As is often the case when a nightmare like this is discovered, it's time to spend some cash on new kit.

Sellafield Ltd to be prosecuted for cybersecurity failures

The UK Office for Nuclear Regulation announced this month it plans to prosecute Sellafield Ltd, which runs the eponymous nuclear decommissioning site in Cumbria, for "alleged information technology security offences during a four-year period between 2019 and early 2023." 

The ONR didn't give many details in its statement, other than to say it isn't suggesting public safety was compromised due to the issue. The decision to prosecute the firm followed a probe by the ONR. 

It was alleged at the end of last year that Sellafield had been hit with malware by Russia and China. The UK government and ONR both denied those claims, and it isn't immediately clear if last year's kerfuffle is related to the prosecution. Neither Sellafield Ltd nor the ONR will comment further. ®

 

https://www.theregister.com//2024/04/01/in_brief_security/
