Breach at DocuSign Led to Targeted Email Malware Campaign – Krebs

Krebs on Security

DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign.

San Francisco-based DocuSign warned on May 9 that it was tracking a malicious email campaign where the subject line reads, "Completed: docusign.com Wire Transfer Instructions for recipient-name Document Ready for Signature." The missives contained a link to a downloadable Microsoft Word document that harbored malware.

A typical DocuSign email. Image: DocuSign.

The company said at the time that the messages were "not associated with DocuSign," and that they were sent from "a malicious third-party using DocuSign branding in the headers and body of the email." But in an update late Monday, DocuSign confirmed that this malicious third party was able to send the messages to customers and users because it had broken in and stolen DocuSign's list of customers and users.

"As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email," DocuSign wrote in an alert posted to its site. "A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign's eSignature system was accessed; and DocuSign's core eSignature service, envelopes and customer documents and data remain secure."

The company is asking people to forward any suspicious emails related to DocuSign to [email protected], and then to delete the missives.

"They may appear suspicious because you don't recognize the sender, weren't expecting a document to sign, contain misspellings (like 'docusgn.com' without an 'i' or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net," reads the advisory.

If you have reason to expect a DocuSign document via email, don't respond to an email that looks like it's from DocuSign by clicking a link in the message. When in doubt, access your documents directly by visiting docusign.com and entering the unique security code included at the bottom of every legitimate DocuSign email. DocuSign says it will never ask recipients to open a PDF, Office document or ZIP file in an email.
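As an added example (not code from Krebs or DocuSign), the advisory's link rule applied in Python to a constructed message: a link passes only when it starts with one of the two advisory prefixes and its parsed host is exactly www.docusign.com or www.docusign.net, while hosts that merely resemble those (the advisory's docusgn.com and docus.com misspellings) are flagged as lookalikes. The substring-based lookalike heuristic and the sample URLs are my assumptions, not part of the advisory.

```python
import re
from urllib.parse import urlparse

# The advisory's rule: legitimate DocuSign links start with one of these.
ALLOWED_PREFIXES = ("https://www.docusign.com", "https://www.docusign.net")
ALLOWED_HOSTS = ("www.docusign.com", "www.docusign.net")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Return 'ok', 'lookalike' or 'reject' for one URL, per the advisory."""
    host = (urlparse(url).hostname or "").lower()
    # A bare prefix match would accept https://www.docusign.com.evil.example/...,
    # so also require the parsed hostname to be exactly one of the real hosts.
    if url.lower().startswith(ALLOWED_PREFIXES) and host in ALLOWED_HOSTS:
        return "ok"
    # Lookalike heuristic (assumption, not from the advisory): a host that
    # resembles "docusign" but is not one of the real hosts, e.g. docusgn.com.
    if "docus" in host:
        return "lookalike"
    return "reject"


def check_email(body: str) -> list[tuple[str, str]]:
    """Extract every URL from an email body and classify it."""
    return [(u, classify_link(u)) for u in URL_RE.findall(body)]


# Constructed sample message, modelled on the indicators the advisory lists.
SAMPLE = """Completed: Wire Transfer Instructions - Document Ready for Signature
Review here: https://www.docusign.net/Signing/?ti=abc123
Or download: http://docusgn.com/files/WireInstructions.doc
Backup link: https://www.docusign.com.example-cdn.net/doc
Invoice: http://198.51.100.7/invoice.zip
Security code lookup: https://www.docusign.com/
"""

if __name__ == "__main__":
    for url, verdict in check_email(SAMPLE):
        print(f"{verdict:9s} {url}")
```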

DocuSign was already a perennial target for phishers and malware writers, but this incident is likely to intensify attacks against its users and customers. DocuSign says it has more than 100 million users, and it seems all but certain that the criminals who stole the company's customer email list are going to be putting it to nefarious use for some time to come.

This entry was posted on Monday, May 15th, 2017 at 11:34 pm and is filed under Other. You can follow any comments to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.


23/09/2017

Posted In: NEWS


Data Centers and HIPAA Compliance


There have been questions about what role a data center plays when it comes to HIPAA. We want to address what requirements and obligations data centers have when working with clients in the healthcare industry.

First of all, what is HIPAA? The acronym stands for the Health Insurance Portability and Accountability Act of 1996, enacted to protect the health information of patients. When you visit a doctor's office or the emergency room at your local hospital, all the people seeing your medical history have signed some sheet of paper promising to keep your information private. This means that to disclose healthcare information, they must have your permission (or authorization from the proper authorities in cases of child abuse, etc.). HIPAA also covers how physical and electronic data is handled and secured. Healthcare entities must back up their data and have a disaster recovery plan in place. This is where data centers come in.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009. This Act requires covered entities to disclose breaches of Protected Health Information (PHI). The covered entities and their business associates that "access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI" are required to notify the Department of Health and Human Services of any breaches. A business associate must notify the covered entity of a breach, and the covered entity in turn notifies the individuals involved (patients) and the HHS if more than 500 individuals were affected. From the statement above, data centers like Data Cave would be considered a business associate.

The problem is that there is much speculation about what this actually means. Some data centers use HIPAA compliance as a marketing tool. Let me make something clear: there is no certification for HIPAA. A data center can be HIPAA compliant, which is what we at Data Cave consider ourselves. Some pay an outside source to come in, look around, and put their stamp of approval on the facility. For Data Cave, meeting HIPAA compliance means limiting the people with access to equipment, including our own staff. This also means notifying the proper channels when someone has been near a healthcare entity's equipment. Most healthcare companies are going to want to manage their own equipment, which means our staff wouldn't need to touch it anyway. However, for a data center doing managed services, facility staff would be responsible. In that case the facility would enter into an agreement with the customer to maintain confidentiality. In the event of a breach, whether virtual or physical, a data center would notify the customer (the covered entity), which would in turn notify the HHS if applicable.

In other words, no one can claim HIPAA certification. To take it a step further, the essence of a data center is to be secure; so in that case, aren’t we all HIPAA compliant?

To find out more about Data Cave and HIPAA compliance, call us at 866-514-2283 or Contact Us via our website.


03/08/2017

Posted In: NEWS
