The attack on Lutheran Social Services of Illinois (LSSI) resulted in hackers accessing medical diagnosis and treatment information, Social Security numbers (SSNs), individual names, and other highly sensitive data.
LSSI disclosed the organization was hit by a ransomware attack on January 27, 2022. The nonprofit is self-described as “one of the largest statewide social service providers.”
The nonprofit said it carried out an “extensive forensic investigation.” Worryingly, it took LSSI eleven months, until December 28, 2022, to determine whether the threat actors had accessed a pool of highly sensitive user data.
“The types of information potentially involved may include: individual names, dates of birth, Social Security numbers, financial account information, driver license numbers, biometric information, medical diagnosis and treatment information, and health insurance information,” reads the data breach notice.
Even though LSSI’s notice does not specify how many people were affected, a data breach notification to the Office of the Maine Attorney General states that the cyberattack affected over 184k people.
LSSI started sending out letters to potentially affected users on January 25, 2023, almost a year after the nonprofit noticed its systems had been breached. LSSI found no evidence that the stolen data has been used for identity theft or financial fraud.
However, threat actors can sit on stolen information for a while before selling it, or they may collate it with data from other breaches into larger sets that sell at a higher margin.
Once stolen, SSNs, individual names, and other sensitive data quickly end up on underground marketplaces, where cybercriminals can buy the data to use in whichever way they like. Medical and treatment information is extremely sensitive, providing attackers with means to hit victims where they hurt the most.
Cybersecurity experts criticize companies for taking months to notify customers that their data has leaked online. While breached companies conduct internal investigations, threat actors may already be using the leaked data to carry out further attacks.
However, it has become a norm to inform affected users months or, as LSSI’s case shows, a year after the breach is discovered.
For example, it took Five Guys, a popular American fast-food chain, close to three months to inform its employees that threat actors might have accessed their sensitive data, such as Social Security numbers (SSNs).
Meanwhile, Nissan North America waited six months before issuing a data breach notification to over 18k users whose names and birth dates had been exposed.