
      Know Your Breach: Christie Clinic

      Apr 14, 2022 3:14:00 PM

      The Target: Christie Business Holdings Company, a major medical firm based out of Illinois in the United States. 

      The Take: Personally Identifiable Data belonging to 500,000 individuals. The data accessed contained names, addresses, medical and insurance information, and Social Security Numbers.

      The Vector: The threat actors gained access through a BEC (Business Email Compromise) attack on an employee’s email account. This let them act with all the permissions of that employee, and they attempted to intercept business transactions as well as view the exposed personal data.

      This breach is a stark reminder of the importance of not only robust employee credential authentication and password hygiene, but also the principle of least privilege. When a firm’s employee account is breached, it’s critical to note that the attackers can access the same data and perform all the same actions as the employee. Locking down permissions and admin access, and ensuring users have only the tools they need to do their jobs, and no more, will reduce the risk of these attacks.
