Cloudflare Breach: Okta Hack Fallout

CybersecurityHQ News

Welcome, reader, to your CybersecurityHQ report.

Headlines

One of the most shocking cybersecurity events of the new year rolled out this weekend as Lurie Children's Hospital in Chicago grappled with a network outage due to what they are calling a "cybersecurity matter." The incident affected phones, emails, internet service, and medical equipment. The issue lasted for two days, impacting a wide range of their network, from the main hospital to outpatient centers and primary care offices. Lurie Children's is assuring the public that they are investigating the matter alongside law enforcement agencies and working hand-in-hand with cybersecurity experts.

Elective surgeries have had to be canceled, and the hospital started a call center solely to handle non-urgent patient requests. While Lurie scrambles to get things back on track, healthcare professionals are resorting to pen and paper for documentation. This is yet another incident in the rise of cyberattacks on hospitals. That’s likely because these institutions have a treasure trove of valuable data.

Web security company Cloudflare revealed on Thursday a security breach in which a potentially state-sponsored threat actor accessed its internal systems. The threat actor stole credentials from the widely reported Okta hack in October 2023. Those were then used to access Cloudflare's internal wiki and bug database. The stolen credentials included an access token and three service account credentials, none of which were rotated after the Okta breach.

Because of that lapse, the attack was able to begin on November 14. The attacker viewed and downloaded some source code repositories related to Cloudflare's infrastructure, but the company says no exfiltration occurred. Cloudflare responded by terminating unauthorized accounts, implementing firewall rules, and making security improvements.

A major lawsuit was filed against Citibank by the Attorney General of New York, Letitia James, accusing the financial institution of failing to protect customers from hackers and refusing to reimburse victims. According to the lawsuit, Citibank's lax security protocols, ineffective monitoring systems, and slow response to fraud claims have cost New Yorkers millions of dollars due to cybercrime schemes.

The incidents mentioned in the lawsuit primarily involve social engineering tactics — where attackers manipulate people into handing over their credentials — rather than software vulnerabilities or system access. But the AG argues that Citibank should have more robust systems in place to prevent fraud, employing popular strategies like detecting unusual device locations or suspicious transactions. The bank is also accused of exploiting a loophole to deny reimbursement claims under the Electronic Fund Transfer Act. Citibank’s response to the suit includes, “Banks are not required to make customers whole when those customers follow criminals’ instructions and banks can see no indication the customers are being deceived.”

Interesting Read

We are still in early February, which means predictions for 2024 can still hold a certain fascination. This article for Spiceworks gives insights from eight different cybersecurity experts on the trends that might come to shape the headlines for the rest of the year.

Cybersecurity Career Opportunities

For the latest openings in cybersecurity careers, check CybersecurityHQ.

Stay Safe, Stay Secure.

The CybersecurityHQ Team
