
HC3 Warns Of Mailchimp’s Data Breach To Healthcare Providers


Author: Rich Selvidge, CISSP / Last Updated: 6/06/2022

Reviewed By: Jason Firch, MBA, Josh Allen, & Michael Swanagan, CISSP, CISA, CISM

The Health Sector Cybersecurity Coordination Center (HC3) has warned of a data breach at a reputable email marketing platform, in which the unauthorized access was used to send phishing emails.

While the unlawful access was used to target users in the cryptocurrency and financial sectors, it is feasible that it could also be used to target users in the Healthcare and Public Health (HPH) sector.

Organizations in that sector should be aware of the threat and take the necessary precautions.
What Happened?

Mailchimp, an email marketing platform company, disclosed on April 4, 2022, a compromise of one of the internal tools used by its customer service and account management staff.

Although Mailchimp disabled the compromised employee accounts upon discovering the breach, threat actors were still able to view about 300 Mailchimp user accounts and obtain audience data from 102 of them, according to the company’s CISO.

Additionally, threat actors gained access to an unspecified number of customers’ API keys, which enabled them to build custom email campaigns, such as phishing campaigns, and send them to mailing lists without logging into the Mailchimp client interface.

HC3 is currently aware of only one phishing campaign that exploited this unauthorized access: it sent phony data breach notification emails to users in the cryptocurrency and finance sectors and was reportedly carried out with exceptional sophistication and planning. Even so, the Healthcare and Public Health (HPH) sector should remain vigilant for suspicious emails originating from legitimate email marketing platforms such as Mailchimp.

It’s critical to remember that APT groups have previously used legitimate mass-mailing providers to launch malicious email campaigns against a diverse range of businesses and industry verticals.

Preventing Social Engineering Attacks

There are many ways to prevent social engineering attacks, whether in the office, working remotely, or browsing the web at home, including:

  • User awareness training continues to be one of the most effective defenses against phishing attempts, a form of social engineering, and is particularly relevant to this campaign, which used emails from a reputable source.
  • Additional mitigation measures include deploying antivirus and network intrusion prevention systems, and restricting web-based content that is not required for business operations.
  • A vulnerability management program that keeps workstations continually patched is vital, since it mitigates the vulnerabilities an attacker would use to gain a foothold in your network.
  • Anti-spoofing and email authentication technologies can also be used to filter messages based on the authenticity of the sender domain (through SPF) and the integrity of the message (through DKIM).
  • Enabling these checks within an organization, and publishing a policy such as DMARC that builds on them, lets recipients perform comparable message filtering and validation (both within and across domains).
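As an added illustration of the last two items (example code, not from the article or from PurpleSec), the following Python applies DMARC identifier alignment: it parses a receiving server's Authentication-Results header and checks whether the SPF and DKIM domains align with the visible From: domain. The messages, header values and domains (mx.example.net, bank.example, mail-platform.example) are constructed, and the organizational-domain logic is simplified to the last two labels rather than the Public Suffix List.

```python
import email.utils
from email import message_from_string

# Constructed sample (not from the article): a notice relayed through a
# third-party marketing platform. SPF and DKIM both pass, but for the
# platform's own domain rather than the domain shown in From:.
PLATFORM_MSG = (
    "Authentication-Results: mx.example.net; "
    "spf=pass smtp.mailfrom=bounce.mail-platform.example; "
    "dkim=pass header.d=mail-platform.example\n"
    'From: "Account Security" <alerts@bank.example>\n'
    "Subject: Important notice about your account\n\n"
    "Please review the notice below.\n"
)
# Constructed variant: same From:, but DKIM-signed by a subdomain of it.
SUBDOMAIN_MSG = PLATFORM_MSG.replace("header.d=mail-platform.example",
                                     "header.d=news.bank.example")

def org_domain(domain: str) -> str:
    # Assumption/simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def parse_auth_results(header: str) -> dict:
    # 'authserv; spf=pass smtp.mailfrom=x; dkim=pass header.d=y' ->
    # {'spf': 'pass', 'smtp.mailfrom': 'x', 'dkim': 'pass', 'header.d': 'y'}
    out = {}
    for clause in header.replace("\n", " ").split(";")[1:]:  # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        out[method.lower()] = result.lower()
        for tok in tokens[1:]:  # property=value pairs, e.g. header.d=...
            if "=" in tok:
                key, val = tok.split("=", 1)
                out[key.lower()] = val.lower()
    return out

def dmarc_alignment(raw_msg: str, strict: bool = False) -> dict:
    # DMARC passes only if SPF or DKIM passes AND that identifier's domain aligns
    # with the RFC5322.From domain (relaxed: same org domain; strict: exact match).
    msg = message_from_string(raw_msg)
    from_domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(str(msg["Authentication-Results"] or ""))
    same = (lambda a, b: a == b) if strict else (lambda a, b: org_domain(a) == org_domain(b))
    spf_ok = ar.get("spf") == "pass" and same(ar.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = ar.get("dkim") == "pass" and same(ar.get("header.d", ""), from_domain)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```

In the constructed platform case both SPF and DKIM pass, yet neither aligns with the displayed sender, so the message fails DMARC for bank.example; the subdomain variant passes under relaxed alignment and fails under strict.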

Rich Selvidge, CISSP

Rich is the CISO at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of IT, healthcare, and security risk management experience.