The Washington Post: Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The Planned Parenthood hack compromised intensely personal information

Welcome to The Cybersecurity 202! What was on your Spotify Wrapped? Apparently Aaron listened to way too much Phoebe Bridgers (if that's even possible). 

Below: The FBI never examined Jeff Bezos's phone after Saudi hacking allegations, and Facebook took down disinformation campaigns tied to state-backed groups.

Massive Planned Parenthood hack illustrates the cyberspace battle

Ransomware hackers hit the Los Angeles branch of Planned Parenthood in October, scooping up the personal and clinical information of roughly 400,000 patients, a spokesman told us.

The breach is staggering both for the number of victims and for the highly personal information hackers stole, which could identify people who’ve had abortions and other procedures. 

And it highlights how individuals and their most private experiences are increasingly part of the battlespace between companies that hold data and financially motivated hackers who want to shake them down. 

The damage

The stolen information included patients’ diagnoses, procedures and prescriptions as well as their names, addresses and other personal information, the organization told California’s attorney general. 

There’s no evidence any of the data has been used for fraud at this point, Planned Parenthood Los Angeles spokesman John Erickson said. Erickson did not respond to a question about whether the chapter paid a ransom. 

The fallout

The hackers’ prime motivation appears to have been to extort a ransom, but they could also release information to put pressure on Planned Parenthood to pay up. They could even use that information to try to extort individual patients by revealing to friends and employers that they’ve had abortions. 

“Ransomware actors are evil. … Anything they can do to get money, they will absolutely do it,” Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, told us. 

In previous cases, hackers have tried to extort money directly from a hacked hospital’s patients

  • The hackers that breached a Dutch mental health clinic in 2020 reached out to patients directly, threatening to reveal information from their treatments if they didn’t pay ransoms that topped 600 euros. 
  • Ransomware attackers that compromised a Texas school district this year emailed parents threatening to release their children’s personal information if the district didn’t pay up.  

Any information that’s released publicly from the Los Angeles Planned Parenthood breach could also be used by groups that oppose abortion to target and harass the organization’s patients. 

“People who are doxed — either as abortion providers or recipients — face stalking, harassment and the potential for physical violence,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, told us, using a term for publicly revealing a person’s name and address. 

Planned Parenthood is no stranger to hacking

  • The Washington D.C. chapter was hit with a data breach last year that compromised both patient and donor information. So far, none of the information from that breach has landed on the extortion sites that ransomware gangs typically use to bully victims into paying, Liska said.
  • Another attack in 2015 linked to anti-abortion activists may have compromised the names and email addresses of Planned Parenthood employees.
  • Abortion providers routinely face digital threats from activist groups that oppose the practice along with physical threats.

“Abortion and abortion providers face very real and sophisticated threats by people who absolutely understand technology and are willing to use it against them,” Galperin said. 

From Planned Parenthood: “PPLA takes the safeguarding of patients’ information extremely seriously, and deeply regrets that this incident occurred and for any concern this may cause,” the organization said in a news release. The group said it notified law enforcement and hired a cybersecurity firm to investigate. 

U.S. organizations have been buckling under a wave of ransomware attacks this year

Victims range from high-profile targets, such as Colonial Pipeline and software provider Kaseya, to thousands of schools and small businesses. 

Those hackers are usually searching for organizations that haven’t patched their software or have other vulnerabilities rather than victims that are especially high profile or controversial. But they’ll make as much hay as possible when they breach high-profile organizations that hold sensitive data that they don’t want released. 

The intense political focus on abortion in recent months could have made Planned Parenthood more vulnerable to hacking

Organizations often let their cyber guard down when they’re in the political spotlight or embroiled in controversy, Liska said. Employees filled with panic or anxiety, for example, may be more likely to open up phishing emails that appear to be urgent without questioning them. 

The long-contentious debate over legal abortion has been superheated in recent months because of a Texas law that effectively banned abortion in the state and a Mississippi law that bans abortions after 15 weeks of pregnancy. The Supreme Court heard a challenge to the Mississippi case yesterday and appears likely to uphold the ban, my colleague Robert Barnes reports.

While the Planned Parenthood breach is eye-catching, it’s just one of dozens of hacks that compromised patients’ medical information this year. 

For Americans whose highly personal medical information is held by an array of hospitals and other organizations, there’s little cause for optimism things will change — and effectively no way to opt out. 

“The public has very little control over these types of data,” Hannah Quay-de la Vallee, a senior technologist at the Center for Democracy and Technology, told us. “You can’t just not go to the doctor. You can’t just not use the Internet.”

The keys

The FBI never examined Bezos’s phone to investigate Saudi hacking claims

A security consultant working for Jeff Bezos accused Saudi Arabia of hacking the Amazon founder's phone in 2019. Bezos suggested that the nation targeted him because of The Washington Post’s coverage of the Saudi role in the killing of columnist Jamal Khashoggi. (Bezos owns The Washington Post.) 

FBI investigators met with Bezos but never looked at his phone to verify those claims, and the investigation wasn’t a major priority at the bureau, the Wall Street Journal’s Corinne Ramey, Dustin Volz and Aruna Viswanatha report.

“The FBI was never full throttle” on the investigation into the possible hack, a person familiar with the matter told Ramey, Volz and Viswanatha. The FBI didn’t see the hacking of Bezos, one of the world’s richest people, as an urgent national security threat because he’s not a member of Congress or a top government official, a person familiar with the matter told them.

Saudi Arabia has denied hacking Bezos’s phone. A Bezos spokesman declined to comment to the Journal.

Facebook took down disinformation networks tied to numerous state-sponsored groups

The company took down disinformation networks related to the Palestinian militant group Hamas, Chinese state groups and groups that focused on the immigration crisis taking place on the border of Belarus and Poland, Elizabeth Dwoskin reports. The company also took down accounts that anti-vaccine groups were using to attack European doctors.

“Together, the cat-and-mouse game described in the company’s latest threat report continues to demonstrate how social media is an active battlefield where governments and motivated parties attempt to manipulate public opinion,” Elizabeth writes. “It also shows the might of the global platform, which has recently come under renewed fire for its role in spreading societal harms.”

Here’s more on the disinformation campaign tied to the Belarus border crisis from Isabelle Khurshudyan.

At least three U.S. government agencies bought banned Chinese technology

The Drug Enforcement Administration, Department of the Army, and Defense Finance and Accounting Service spent thousands of dollars on technology from the company Lorex, TechCrunch’s Zack Whittaker reports. Lorex is a subsidiary of Dahua, a Chinese firm that the U.S. government blacklisted in 2019 for allegedly being used in “China’s campaign of repression, mass arbitrary detention and high-technology surveillance” against Uyghurs and other minority groups in China’s Xinjiang region. Dahua denies the allegations. 

“Contractors that supply banned equipment to the government can lose their contracts,” Zack writes. “But industry groups have argued that federal contractors were given little time to comply with the ban before it took effect.”

Government scan

CISA announces members of advisory committee

The Cybersecurity and Infrastructure Security Agency described the list as the initial 23 members of its cybersecurity advisory committee. The list includes:

  • Suzanne Spaulding, a senior adviser for homeland security at the Center for Strategic and International Studies and former top Department of Homeland Security cyber official
  • Mandiant chief executive Kevin Mandia
  • Jeff Moss, the founder and president of DEF CON Communications
  • Former New York Times cybersecurity reporter Nicole Perlroth
  • Stanford Internet Observatory Director Alex Stamos

Check out the full list of members here. They’ll meet for the first time Dec. 10.

Biden expected to nominate first woman as Army Cyber chief (The Record)

CrowdStrike chosen by CISA for government endpoint security initiative (ZDNet)

Hill happenings

House passes bipartisan bills to strengthen networks security, cyber literacy (The Hill)

Industry report

Former Ubiquiti employee charged with hacking, extorting company (Reuters)

Cyber insecurity

Those cute cats online? They help spread misinformation. (The New York Times)

Mentions

  • Former CIA director and secretary of defense Leon Panetta is joining the Center for Tech Diplomacy at Purdue’s global advisory board.

Daybook

  • The House Transportation Committee holds a cybersecurity hearing today at 10 a.m.
  • The House Science Committee holds a hearing on microelectronics today at 10 a.m.
  • Michele Markoff, the State Department's deputy coordinator for cyber issues, and Amb. Andrey Krutskikh, who leads the Russian foreign ministry’s international information security department, speak at a United Nations Institute for Disarmament Research conference on Friday at 11 a.m.
  • Robert Cardillo, the former director of the National Geospatial-Intelligence Agency, speaks at a Center for Strategic and International Studies event on open-source intelligence on Friday at 2 p.m.
  • NATO Assistant Secretary General for Emerging Security Challenges David van Weel discusses artificial intelligence cooperation at an American Enterprise Institute event on Dec. 7 at 9:30 a.m.
  • The House Energy and Commerce Committee holds a hearing on pipeline security and reliability on Dec. 7 at 10:30 a.m.

Secure log off

Thanks for reading. See you tomorrow.
