Posted on January 18, 2021 at 10:49 AM
A recent report has revealed that a suspected ransomware attack has left the data of a UPS and Norfolk Southern employee exposed.
The two companies pointed out that they have inquired into the incident that led to the compromise f employee health data after threat actors exposed medical records of rail workers and truck drivers online.
The data exposure was from occupational health provider Taylor Made Diagnostics on January 8, but it’s unclear how many Norfolk Southern and UPS employees’ data were actually affected by the breach.
However, the exposed data include multiple health records from both companies as well as several other smaller firms, U.S. defense contractors, and U.S. government agencies as recently December last.
Hacking incidences have increased in the healthcare sector
The exposed data include alcohol and drug testing reports for rail workers and truckers at multiple companies. It also includes completed U.S. Department of Transportation (DOT)-mandated medical exams.
There are also many documents containing personal information such as scans of the employees’ driver’s license, their full names, social security numbers, as well as their addresses.
Since last year, Ransomware groups have intensified their efforts in the health care sector, especially on logistics and transportation.
However, the data breach from Taylor Made shows that transport and logistics companies face serious security issues that can transcend beyond their systems. As a result, the need for these companies to secure their employees’ data has not been more important than now when the threat levels are high.
Both firms are looking into the issue
Parcel Delivery Company UPS has commented on the issue. The firm’s spokesperson Mathew O’Connor said UPS was looking into the breach but refuses to discuss how many of the company’s drivers are affected by the breach.
“The security of employees’ personal information is of the utmost importance,” he said.
Norfolk Southern spokesperson Jeff DeGraff also commented on the incident and reiterated that the security of its employees’ data is still the company’s priority.
“The security of our employees’ data is a priority for Norfolk Southern and a requirement for our vendors,” he stated.
DeGraff further stated that the company has no additional information about the breach, but says the company is looking into the issue.
The railway company presently operates in 22 states in the U.S. and currently has about 25,000 employees on its payroll.
Third parties increase the risk of a data breach
Also, these companies face the risk o vulnerability exposures from third parties. They usually contract the random alcoholic and drug testing of their employees to third parties. As a result, the employees’ data is needed by these third parties, which increases the risk of a data breach.
Chief Executive Officer and President of Scopelitis Transportation Consulting Dave Osiecki opined that trucking firms have the responsibility of ensuring their data is safe in the hands of third parties.
He pointed out that as an employer, it’s the responsibility of the firm to make sure employee data is handled with ultimate care. Since they are the ones that tender the data to the third parties, the employers are also responsible for the data. So, in his opinion, the employer of a CDL driver has to take measures to secure employees’ data, including those sent to third parties.
Same hackers also breached OmniTRAX
The Chief Executive Officer of Taylor Made Diagnostics Caroline Taylor didn’t reply when an email was sent to her for comment about the incident.
The hackers who are probably responsible for the hacking incident were also involved in a recent ransomware attack on short-line rail operator OmniTRAX. The gang has also attacked some other health care providers since the beginning of the year.
Norfolk Southern has its headquarters in the Hampton Roads region of Virginia, where Taylor Made Diagnostics has two clinics.
Taylor Made Diagnostics has customers and clients in a wide range of U.S. organizations. These include the Special Naval Warfare Development Group and the U.S. Secret Service. The former is also widely called the SEAL Team Six, which was responsible for the search, capture, and executive of Osama Bin Laden.