Somewhat unnoticed in the midst of tax-season fraud and other cybersecurity headlines is the fact that the U.S. business sector has seen a 54% jump in the number of total breaches reported so far.

As of April 11, the total number of breaches captured in the 2017 ITRC Breach Report from the San Diego-based Identity Theft Resource Center now totals 431, an increase of 37.3% over last year's record pace (314) for the same time period. The total number of reported records exposed totals almost eight million, with the business category representing more than half of the breaches and more than six million records.

With 21 breaches added in just the last week reported, the five industry sectors are broken down by number of breaches as follows: Business = 54.1%, Medical/Healthcare= 24.1%, Educational = 14.4%, Government = 5.6% and Banking/Credit/Financial = 1.9%. The total number of reported records by category were: Banking/Credit/Financial = 20,000, Business = 6,194,367, Educational = 41,448, Government/Military = 170,683 and Medical/Healthcare = 1,499,258.

The business category encompasses retail services, hospitality and tourism, professional, trade, transportation, utilities, payment processors and other entities not included in the other four sectors. It also includes nonprofit organizations, industry associations and non-government social service providers, as well as life insurance companies and insurance brokers (non-medical).

In other cybersecurity news, McAfee reported attackers are exploiting a previously unidentified vulnerability in Microsoft Word, which security researchers said can install malware, even on fully-patched computers. Because the HTML application is executable, the attacker can run code on the affected computer while evading memory-based mitigations designed to prevent these kinds of attacks.

Activation of the vulnerability takes place when a mark opens a fake Word document, which downloads a malicious HTML application from a server, masked as a rich text document file. The HTML application meanwhile downloads and runs a malicious script that can stealthily install malware. The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim's machine.

“Thus, this is a logical bug and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” McAfee said in a blog post. “At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and zero days. Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.”

The samples detected are organized as Word files (more specially, RTF files with “.doc” extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack McAfee detected dates back to late January.

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).