New York-Based Debt Collector Company Files for Bankruptcy Due to Data Breach
Retrieval-Masters Creditors Bureau, Inc., a New York-based company that collects debt on behalf of third parties under the name American Medical Collection Agency, has filed for bankruptcy, citing a large-scale data breach as the main cause.
Russell Fuchs, Founder and Chief Executive Officer of Retrieval-Masters Creditors Bureau, Inc., filed a bankruptcy petition last June 17 before the U.S. District Court for the Southern District of New York. Fuchs, who has a total of 40 years of experience working at the company, said that the large-scale data breach that the company had been exposed to and the avalanche of events thereafter resulted in a “severe drop-off” of the company’s business, which ultimately led the company to seek relief in the form of a bankruptcy petition in court.
The Data Breach
A significant portion of the business of Retrieval-Masters Creditors Bureau, Inc. deals with collecting bills on behalf of clinical diagnostic laboratories. Two of the top 4 clients of the company, Quest Diagnostics and Laboratory Corporation of America, are the 2 largest clinical diagnostic laboratories in the U.S.
According to Fuchs, because of the nature of the company’s work of collecting bills for clinical diagnostic laboratories, it collects personally identifiable information transmitted by its clients, including names, home addresses, social security numbers, bank account information, credit card information, as well as dates of birth and certain medical information related to any laboratory tests for which payment is sought. Fuchs said that the company has held personally identifiable information of millions of individuals within its IT system.
Fuchs said the company became aware of the data breach on its network in March 2019 when it received a series of “CPP notices” that suggested that an unusual number of credit cards had interacted with the company’s web portal. To prevent further compromises, the company shut down its web portal and hired outside IT professionals and consultants from 3 different firms who later confirmed that the company’s servers had been hacked as early as August 2018.
A court document showed that the company spent approximately $400,000 on the IT professionals and consultants. These IT professionals and consultants, however, weren’t able to determine what particular data had been hacked, leaving the company under the assumption that all data within its servers had been compromised.
The court document also showed that as a result of the data breach, Retrieval-Masters Creditors Bureau, Inc. spent approximately $3.8 million to meet the legal requirement of notifying by mail 7 million individuals whose information may have been accessed. After the discovery of the data breach, 4 of the company’s largest clients, including Quest Diagnostics and Laboratory Corporation of America, stopped sending new work to the company and terminated their business relationships with the company. In the bankruptcy petition, Fuchs, on behalf of the company, said that as a result of the data breach and its aftermath, the company is no longer “optimistic that it will be able to rehabilitate its business”.
Cybersecurity Best Practices
Companies like Retrieval-Masters Creditors Bureau, Inc. that collect and maintain thousands or millions of records of personally identifiable data have a legal obligation to protect these data from malicious actors. As shown in the case of Retrieval-Masters Creditors Bureau, Inc., the survival of the company may depend on how well the company protects these data.
According to Retrieval-Masters Creditors Bureau, Inc., in 2015, it transitioned from an unconnected IT system to an internet-connected network to meet the ever-increasing market demands for enhanced interconnectivity between the company’s and its clients’ systems. It wasn’t revealed in the bankruptcy petition how the company’s servers were compromised.
Here are some cybersecurity best practices to protect your organization’s servers from malicious actors and to prevent a data breach similar to what Retrieval-Masters Creditors Bureau, Inc. experienced:
1. Use Multi-Factor Authentication
Many servers are easily compromised by attackers through brute force attacks. In a brute force attack, an attacker guesses the username and password used by the server’s system administrator using a tool that automates this guesswork utilizing tens of thousands of commonly used usernames and passwords.
Researchers at Guardicore discovered that 50,000 Microsoft SQL and PHPMyAdmin servers from different parts of the globe and belonging to companies in the healthcare, telecommunications, media and IT sectors had been compromised and infected with cryptocurrency mining malware. Guardicore researchers said that Microsoft SQL servers, in particular, were compromised by the attackers through brute force attacks. The use of multi-factor authentication puts a stop to these brute force attacks, which rely mainly on guessing the username and password.
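Brute force attempts of this kind also leave a recognizable trail in a database server's login audit log. The following is an added example, not part of the original article: a sliding-window detector run over constructed log lines written in the style of SQL Server error-log "Logon" entries. The addresses, the threshold and the window are assumptions, and it assumes auditing records both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of SQL Server error-log "Logon" entries.
FAIL = "Reason: Password did not match that for the login provided."
OK = "Connection made using SQL Server authentication."
SAMPLE_LOG = f"""\
2019-05-29 10:01:02.10 Logon       Login failed for user 'sa'. {FAIL} [CLIENT: 203.0.113.7]
2019-05-29 10:01:03.45 Logon       Login failed for user 'sa'. {FAIL} [CLIENT: 203.0.113.7]
2019-05-29 10:01:04.02 Logon       Login failed for user 'admin'. {FAIL} [CLIENT: 203.0.113.7]
2019-05-29 10:01:05.77 Logon       Login failed for user 'sa'. {FAIL} [CLIENT: 203.0.113.7]
2019-05-29 10:01:06.31 Logon       Login failed for user 'test'. {FAIL} [CLIENT: 203.0.113.7]
2019-05-29 10:01:09.90 Logon       Login succeeded for user 'sa'. {OK} [CLIENT: 203.0.113.7]
2019-05-29 10:05:00.00 Logon       Login failed for user 'billing'. {FAIL} [CLIENT: 198.51.100.20]
2019-05-29 10:30:00.00 Logon       Login failed for user 'billing'. {FAIL} [CLIENT: 198.51.100.20]
2019-05-29 10:30:20.00 Logon       Login succeeded for user 'billing'. {OK} [CLIENT: 198.51.100.20]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside a sliding window,
    and note whether a successful login from that client followed."""
    recent = defaultdict(list)   # client -> failure timestamps still in window
    users = defaultdict(set)     # client -> every account name it tried
    alerts = {}                  # client -> summary of the suspicious activity
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # not a login audit line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client = m["client"]
        if m["result"] == "failed":
            users[client].add(m["user"])
            recent[client] = [t for t in recent[client] if ts - t <= window] + [ts]
            if len(recent[client]) >= threshold:
                alerts.setdefault(client, {"users": users[client], "success_after": False})
        elif client in alerts:
            alerts[client]["success_after"] = True   # a guess may have worked: escalate
    return alerts

if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG).items():
        print(client, sorted(info["users"]), "success_after:", info["success_after"])
```

A flagged client with `success_after` set is the case to investigate first, since a successful login right after a burst of failures suggests a guessed password rather than a mistyped one.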
2. Update Server OS
An outdated server OS (operating system) is often the entry point used to compromise a server. A server OS is categorized as “outdated” when the latest security update hasn’t been installed. Server OS vendors issue security updates from time to time in order to fix known security vulnerabilities. Cyberattackers know that some organizations delay the installation of these security updates, and they are quick to attack those that do.
3. Use VPN
VPN, which stands for virtual private network, is used to create a secure connection with another network over the internet. VPN applications aren’t immune to security vulnerabilities. In April this year, security researchers discovered a similar security vulnerability across many VPN applications. This security vulnerability caused VPN applications to store the authentication and/or session cookies insecurely in memory and/or log files.
Many VPN applications have issued patches fixing this particular security vulnerability. As with all other software, it’s important to keep your organization’s VPN up-to-date.