3rd Party Risk Management,
Cybercrime,
Fraud Management & Cybercrime
Absolute Dental Reports Data Breach Linked to Third-Party Services
Absolute Dental, a dental practice operating over 50 locations in Nevada, has informed more than 1.2 million individuals about a data breach that compromised sensitive health and personal information. Initial reports filed in May identified a placeholder estimate affecting approximately 501 individuals, but that figure has since been revised significantly upward, according to reports submitted to several state attorneys general.
The breach is characterized by the “unintentional execution of a malicious version of a legitimate software tool,” executed through an account linked to Absolute Dental’s third-party managed services provider. Experts suggest this incident may relate to a series of recent attacks targeting Salesforce applications, known for their susceptibility to exploitation.
Mike Hamilton, Field Chief Information Security Officer at Lumifi Cyber, noted that the breach report implies that the compromised account was used to initiate contact with Absolute Dental employees under the guise of resolving a technical issue, leading to the installation of the malicious software. This aligns with MITRE ATT&CK’s tactics such as initial access and persistence through credential theft.
Data indicates that unauthorized access occurred between February 19 and March 5 of this year, predating many of the notable Salesforce-related incidents reported as of late. A concerning trend has emerged, where hackers impersonate IT support staff in vishing attacks, resulting in the inadvertent installation of harmful applications associated with Salesforce’s Data Loader.
While the exact correlation between Absolute Dental’s breach and these vishing attacks remains undetermined, cybersecurity professionals highlight that many breaches stem from credential theft combined with inadequate vulnerability management practices. As Zach Moore, Senior Manager of Cybersecurity at NWN, points out, maintaining robust account controls and implementing zero trust principles could mitigate the extent of damage from such incidents.
Information compromised in this breach potentially includes names, contact details, Social Security numbers, and comprehensive health data, along with a small subset of financial account details. The practice has notified law enforcement about the incident and is also facing a proposed federal class-action lawsuit, as other law firms are exploring the implications of the breach for legal action.
Overall, the Absolute Dental incident serves as a stark reminder of the vulnerabilities associated with third-party service providers and the critical importance of cybersecurity protocols in safeguarding sensitive data against evolving threats.
