Delta Dental of California Data Breach Exposed Info of 7 Million People (bleepingcomputer.com) 20
Delta Dental of California announced that they've suffered a data breach that exposed the personal data of almost seven million patients. BleepingComputer reports: Delta Dental of California is a dental insurance provider that covers 45 million people across 15 states and is part of the Delta Dental Plans Association. According to a Delta Dental of California data breach notification (PDF), the company suffered unauthorized access by threat actors through the MOVEit file transfer software application.
The software was vulnerable to a zero-day SQL injection flaw leading to remote code execution, tracked as CVE-2023-34362, which the Clop ransomware gang leveraged to breach thousands of organizations worldwide. Delta Dental of California learned about the compromise on June 1, 2023, and five days later, following an internal investigation, it confirmed that unauthorized actors had accessed and stolen data from its systems between May 27 and May 30, 2023. The second, more lengthy investigation to determine the exact impact of the security incident was completed on November 27, 2023.
Based on this, the data breach has so far impacted 6,928,932 customers of Delta Dental of California, who had their names, financial account numbers, and credit/debit card numbers, including security codes, exposed. Delta Dental of California provides 24 months of free credit monitoring and identity theft protection services to impacted patients to mitigate the risk of their exposed data. Details on enrolling in the program are enclosed in the personal notices.
The software was vulnerable to a zero-day SQL injection flaw leading to remote code execution, tracked as CVE-2023-34362, which the Clop ransomware gang leveraged to breach thousands of organizations worldwide. Delta Dental of California learned about the compromise on June 1, 2023, and five days later, following an internal investigation, it confirmed that unauthorized actors had accessed and stolen data from its systems between May 27 and May 30, 2023. The second, more lengthy investigation to determine the exact impact of the security incident was completed on November 27, 2023.
Based on this, the data breach has so far impacted 6,928,932 customers of Delta Dental of California, who had their names, financial account numbers, and credit/debit card numbers, including security codes, exposed. Delta Dental of California provides 24 months of free credit monitoring and identity theft protection services to impacted patients to mitigate the risk of their exposed data. Details on enrolling in the program are enclosed in the personal notices.
my teeth (Score:1)
Oh no, they have 3D xrays of my fucked up teeth. When I see my teeth in a horror movie or on a video game villian, I going to sue the pants off of Delta Dental.
Re: (Score:3)
You think you are funny but DD doesn't have any of that. They do have all the info for some jackwagon to take out loans in your name and a whole bunch of other shit.
You aren't as funny as you think you are. /troll
Re: my teeth (Score:3)
You're not familiar with Delta Dental obviously. No one takes them because they are an enormous PITA to deal with. You have to pay yourself and then file for reimbursement. We are switching away from them 1/1 because they are so worthless.
Zero-day SQL injection flaw ? (Score:4, Informative)
Re: (Score:2)
+1 insightful/informative! Very good point especially since there are ways to eliminate SQL injections. It sounds like they were still concatenating user input to a SQL query string filtering everything on a per input basis which is retarded. Hints: named queries, parametrized queries, heck, even stored procs might do it for the ones into them.
Re: (Score:3)
“The SQL injection exploit was first documented in 1998 [malwarebytes.com] by cybersecurity researcher and hacker Jeff Forristal”
To me, this means that the CDC has reason to fine Delta Dental for negligent exposure of PHI.
If this is the case. Delta Dental could be subject to a fine of up to $482 billion. is a reasonable primer on how bad the fines could get. [hipaajournal.com]
credit/debit card numbers, including security code (Score:2)
As I remember, the PCC code for handling CC transactions explicitly states that the security code must not be stored...
Re: (Score:2)
As I remember, the PCC code for handling CC transactions explicitly states that the security code must not be stored...
I haven't looked at the code in years, but the last time I did, storing the codes meant that the merchant was responsible for any fraudulent charges in the event of a data breach. I've mercifully not had to store credit card data for a few years now. Back then it wasn't strictly prohibited, just a really bad idea from a risk management perspective.
Re: (Score:1)
This particular hole isn't that old.
It is a familiar type of vulnerability but they bought a popular software package no doubt specifically so that they could show up in court and say "it's an industry standard and they said it was secure!"
What you can get a judge to believe is more important than actually securing people's data after all, it's the capitalist way.
Time to change my CC# (Score:2)
...customers of Delta Dental of California, who had their names, financial account numbers, and credit/debit card numbers, including security codes, exposed.
Yep. gotta change my CC#.
Delta Dental of California provides 24 months of free credit monitoring and identity theft protection services to impacted patients to mitigate the risk of their exposed data.
Oh Yeah? Fuck You too.
But for-profit healthcare loves you! (Score:3)
Number 3 (Score:3)
This is the 3rd outfit that has my data that got hacked via Moveit. There are probably more to come.