Kentucky Employees' Health Plan Is Blaming the Latest Data Breach on Password Reuse

The Kentucky Employees' Health Plan (KEHP), an organization that offers health insurance to more than a quarter of a million members, has partnered with StayWell, an easy-to-follow online program that is supposed to inspire people to have a healthier lifestyle. KEHP members are given specific tips on how to improve their physical well-being, and if they follow them closely, they can even get financial rewards in the form of gift cards. If only there was a similar program designed to improve their password management skills.

Last week, the Kentucky Personnel Cabinet announced that KEHP members have been targeted by not one, but two cyberattacks. We should point out from the outset that we're not talking about the biggest cybersecurity incident we've ever seen. In total, fewer than 1,000 of KEHP's 265 thousand members were affected, and although the attackers did manage to access some health assessment data, they couldn't get their hands on too much personal or financial information. That being said, criminals managed to make off with a total of $107 thousand in gift cards, which is not insignificant, especially when you consider how easy it was to organize the attack.

KEHP members fell victim to a credential stuffing attack

The cybercriminals first hit on April 21, and their operations continued for the next six days. During that period, the hackers compromised the accounts of 971 KEHP members at the StayWell program. Once they were inside, they managed to redeem a total of $100 thousand worth of gift cards.

An investigation revealed that the accounts were accessed using valid login credentials, and apparently, the attackers got the usernames and passwords from an unrelated data breach. The cybercriminals organized a credential stuffing attack and bet that KEHP members would be reusing the same password across multiple services. Sure enough, their gamble paid off handsomely. They weren't done, though.

If it's reused once, it will be reused twice

On May 12, the attackers decided to see just how bad KEHP members' password reuse habits are. They mounted a second credential stuffing attack, but this time, they aimed it at the Commonwealth email accounts of the members affected by April's breach. The attack worked on 42 of the 971 targeted accounts, which may not seem like a lot, but it still resulted in the fraudulent redemption of a further $7,700 worth of gift cards.
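The two waves described above (a stuffing run against the StayWell accounts, then the same accounts tried against Commonwealth email) are exactly what a defender wants to pick out of authentication logs. The following Python is an added example, not code from the article, KEHP or StayWell; the log format, IP addresses and usernames are constructed, and the thresholds are assumptions to be tuned per service. It flags a source that touches many distinct accounts with a high failure rate (which distinguishes stuffing from single-account brute force and from a busy NAT gateway), collects the accounts that source logged into successfully, and then uses them as a watchlist on a second service, where a follow-on wave like the 42-of-971 one is too small to trip a volume detector on its own.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse constructed 'ISO-timestamp source-ip username RESULT' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), src, user, result == "SUCCESS"))
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts the source got into


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.7):
    """Flag sources that, within any `window`, try >= min_users distinct
    accounts with a failure ratio >= min_fail_ratio. One account hammered
    many times (brute force) fails the distinct-user test; a NAT gateway
    with many users but normal success rates fails the ratio test."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        j = 0
        for i in range(len(evs)):
            # advance j so that evs[i:j] is the window starting at evs[i]
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            seg = evs[i:j]
            users = {e.user for e in seg}
            fails = sum(not e.ok for e in seg)
            if len(users) >= min_users and fails / len(seg) >= min_fail_ratio:
                flagged[src] = SourceStats(len(evs), {e.user for e in evs},
                                           {e.user for e in evs if e.ok})
                break
    return flagged


def compromised_accounts(flagged) -> set[str]:
    """Accounts a flagged source logged into: lock and force-reset these, and
    watch them on every other service that shares the same user population."""
    return set().union(*(s.successes for s in flagged.values())) if flagged else set()


def watchlist_hits(events, watchlist) -> list[LoginEvent]:
    """Second-service check: any attempt against an account already known to be
    compromised elsewhere is an alert, regardless of volume or outcome."""
    return [e for e in events if e.user in watchlist]


# Constructed StayWell-style log: normal users, one brute-force source (carol),
# one NAT gateway (198.51.100.20), one credential-stuffing source (203.0.113.5).
STAYWELL_LOG = """\
2020-04-21T09:00:01 198.51.100.7 alice SUCCESS
2020-04-21T09:02:40 198.51.100.8 bob SUCCESS
2020-04-21T09:03:00 192.0.2.9 carol FAIL
2020-04-21T09:03:05 192.0.2.9 carol FAIL
2020-04-21T09:03:10 192.0.2.9 carol FAIL
2020-04-21T09:05:00 198.51.100.20 dave SUCCESS
2020-04-21T09:05:10 198.51.100.20 erin SUCCESS
2020-04-21T09:05:20 198.51.100.20 frank SUCCESS
2020-04-21T09:05:30 198.51.100.20 grace SUCCESS
2020-04-21T09:05:40 198.51.100.20 heidi SUCCESS
2020-04-21T09:10:00 203.0.113.5 user001 FAIL
2020-04-21T09:10:01 203.0.113.5 user002 FAIL
2020-04-21T09:10:02 203.0.113.5 user003 SUCCESS
2020-04-21T09:10:03 203.0.113.5 user004 FAIL
2020-04-21T09:10:04 203.0.113.5 user005 FAIL
2020-04-21T09:10:05 203.0.113.5 user006 SUCCESS
2020-04-21T09:10:06 203.0.113.5 user007 FAIL
2020-04-21T09:10:07 203.0.113.5 user008 FAIL
"""

# Constructed mail-service log for the second wave: too few accounts to be
# flagged by volume, but two of them are on the watchlist from the first wave.
EMAIL_LOG = """\
2020-05-12T14:00:00 203.0.113.77 user003 FAIL
2020-05-12T14:00:01 203.0.113.77 user006 SUCCESS
2020-05-12T14:00:02 203.0.113.77 alice FAIL
2020-05-12T14:30:00 198.51.100.7 alice SUCCESS
"""

if __name__ == "__main__":
    flagged = detect_stuffing(parse_log(STAYWELL_LOG))
    print("stuffing sources:", sorted(flagged))
    watch = compromised_accounts(flagged)
    print("accounts to reset and watch:", sorted(watch))
    for e in watchlist_hits(parse_log(EMAIL_LOG), watch):
        print(f"ALERT second service: {e.user} from {e.src} ok={e.ok}")
```

Run stand-alone, it flags only 203.0.113.5 on the first log, names user003 and user006 as the accounts to reset, and raises two watchlist alerts on the mail log even though 203.0.113.77 never reaches the volume threshold by itself.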

According to the Lexington Herald-Leader, after the first attack, StayWell pulled down the website in order to improve its security, and the Kentucky Personnel Cabinet said on Twitter that it won't be back until June 30. We've yet to see what sort of features it plans to introduce, but it's fair to say that unless people learn how dangerous it is to reuse the same password across multiple services, protecting them against credential stuffing attacks will be extremely hard.

June 10, 2020