The Ohio History Connection (OHC) has posted a breach notification in which it discloses that a ransomware attack successfully encrypted internal data servers. During the attack, the cybercriminals may have had access to names, addresses, and Social Security Numbers (SSNs) of current and former OHC employees (from 2009 to 2023). Additionally, they may have gained access to W-9 reports and other records revealing the names and personal SSNs of vendors who contracted to provide services to OHC. They also may have gained access to images of checks provided to OHC by some members and donors beginning in 2020.
OHC is a statewide history nonprofit chartered in 1885 that manages more than 50 sites and museums across the state. As the State Archives for the state, OHC preserves the historical records of Ohio's legislative, executive, and judicial branches.
The ransomware attack took place in early July of 2023, after which OHC notified the FBI and retained forensic IT consulting firms to help it determine the extent of the data breach and to assist in reconstructing its systems and restoring its data.
In total, the information of 7,600 individuals was potentially exposed. Notification letters were mailed on August 23, 2023, to all individuals impacted by this data breach.
While OHC hasn't said which ransomware group was behind the attack, we have information that it was LockBit, although I was unable to locate the OHC data on LockBit’s leak site at the time of writing (it was there earlier this month).
[Screenshot of the leak site listing, taken early August 2023]
OHC said that it made an offer to the cybercriminals to prevent the release of the data, but the offer was rejected on August 7, 2023. OHC hasn't disclosed how the attackers got in.
Those impacted may sign up for free credit monitoring for one year and take advantage of their rights to the free fraud alert services offered by the three major credit bureaus. At the time of writing, there is no evidence that there has been any use or attempted use of the information exposed in this incident.
What to do if you've been caught in a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or generated by an app, can be phished just as easily as a password; 2FA that relies on a FIDO2 device can't be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access such as RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.