360 posts categorized "Data Breaches" Feed

Some Android Phones Infected With Surveillance Malware Installed In Firmware

Security analysts recently discovered surveillance malware in some inexpensive smartphones that run the Android operating system (OS) software. The malware secretly transmits information about the device owner and usage to servers in China. The surveillance malware was installed in the phones' firmware. The New York Times reported:

"... you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered pre-installed software in some Android phones... International customers and users of disposable or prepaid phones are the people most affected by the software... The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature."

Shanghai ADUPS Technology Company (ADUPS) is privately owned and based in Shanghai, China. According to Bloomberg, ADUPS:

"... provides professional Firmware Over-The-Air (FOTA) update services. The company offers a cloud-based service, which includes cloud hosts and CDN service, as well as allows manufacturers to update all their device models. It serves smart device manufacturers, mobile operators, and semiconductor vendors worldwide."

Firmware is a special type of software store in read-only memory (ROM) chips that operates a device, including how it controls, monitors, and manipulates data within a device. Kryptowire, a security firm, discovered the malware. The Kryptowire report identified:

"... several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example)... These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information... Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed."

So, the malware was powerful, sophisticated, and impossible for consumers to detect.

This incident provides several reminders. First, there were efforts earlier this year by the U.S. Federal Bureau of Investigation (FBI) to force Apple to build "back doors" into its phones for law enforcement. Reportedly, it is unclear what specific law enforcement or intelligence services utilized the data streams produced by the surveillance malware. It is probably wise to assume that the Ministry of State Security, China's intelligence agency, had or has access to data streams.

Second, the incident highlights supply chain concerns raised in 2015 about computer products manufactured in China. Third, the incident indicates how easily consumers' privacy can be compromised by data breaches during a product's supply chain: manufacturing, assembly, transport, and retail sale.

Fourth, the incident highlights Android phone security issues raised earlier this year. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Fifth, the incident highlights the need for automakers and software developers to ensure the security of both connected cars and driverless cars.

Sixth, the incident raises questions about how and what, if anything, President Elect Donald J. Trump and his incoming administration will do about this trade issue with China. The Trump-Pence campaign site stated about trade with China:

"5. Instruct the Treasury Secretary to label China a currency manipulator.

6. Instruct the U.S. Trade Representative to bring trade cases against China, both in this country and at the WTO. China's unfair subsidy behavior is prohibited by the terms of its entrance to the WTO.

7. Use every lawful presidential power to remedy trade disputes if China does not stop its illegal activities, including its theft of American trade secrets - including the application of tariffs consistent with Section 201 and 301 of the Trade Act of 1974 and Section 232 of the Trade Expansion Act of 1962..."

This incident places consumers in a difficult spot. According to the New York Times:

"Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.” Ms. Lim [an attorney that represents Adups] said she did not know how customers could determine whether they were affected."

Until these supply-chain security issues get resolved it is probably wise for consumers to inquire before purchase where their Android phone was made. There are plenty of customer service sites for existing Android phone owners to determine the country their device was made in. Example: Samsung phone info.

Should consumers avoid buying Android phones made in China or Android phones with firmware made in China? That's a decision only you can make for yourself. Me? When I changed wireless carriers in July, I switched an inexpensive Android phone I'd bought several years ago to an Apple iPhone.

What are your thoughts about the surveillance malware? Would you buy an Android phone?


Adobe Settles With 15 States Regarding 2013 Data Breach

The Indiana Attorney General announced a multi-state $1.0 million settlement agreement with Adobe Systems, Inc. after a data breach in 2013 where the information about 2.9 million customers nationwide was stolen. The data elements stolen included names, addresses, telephone numbers, e-mail addresses, usernames, encrypted payment card numbers and expiration dates.

14 states which joined Indiana in the settlement agreement: Arkansas, Connecticut, Illinois, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont. The states alleged in a lawsuit that Adobe failed to use reasonable security measures to protect its computing systems from hacks or had proper intrusion detection methods installed. The multi-state settlement agreement covers about 552,000 residents from the 15 states.

Indiana's share of the settlement was $53,718.36 for 24,049 Indiana residents affected by the breach. Indiana AG Greg Zoeller said:

"This case is yet another example of the importance of protecting your personal and financial information... I continue to be an advocate for Indiana’s credit freeze protections and encourage all Hoosiers to place credit freezes with the major credit bureaus.”

Connecticut's share was $135,095.71. Connecticut AT George Jepsen  said:

"Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access... Adobe worked in good faith with my office and the states affected by this incident to better protect consumer information going forward, and for that it deserves some credit. My office will continue to be diligent in protecting Connecticut consumers by strictly enforcing our privacy laws."

46,465 Maryland residents were affected by the breach. Maryland AG Brian E. Frosh said:

“Reasonable security measures must be implemented to maintain the safety and security of consumers’ personal information... As a result of this agreement, Adobe has agreed to bolster its security to prevent another similar occurrence.”

More settlement agreements may be forthcoming.


News About The Massive Data Breach At Yahoo Isn't Pretty

Yahoo logo The news about Yahoo's massive data breach seems to be getting worse. The Oregonian reported:

" "Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter. A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous. Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time..."

Apply those success rates to half a billion stolen credentials and criminals have plenty of opportunities to break into consumers' online accounts. And, this list of seven ways the breach has exposed consumers to online banking fraud is definitely accurate.

The tech company's stock has dropped 4 percent since September 22. During an interview, Tim Amstrong, the head of Verizon's AOL would not comment about whether Verizon might renegotiate its $4.8 billion purchase price cash offer for Yahoo's core business. Experts have speculated about whether or not the breach might trigger the "material adverse effect" clause in the purchase transaction.

Tech Week Europe reported:

"Cybersecurity specialist Venafi conducted research into how well Yahoo reacted to the breach, in particular the cryptographic controls Yahoo still has in place, and said the results were “damning.” Researchers said Yahoo had still not “taken the action necessary to ensure they are not still exposed and that the hackers do not still have access to their systems and encrypted communications.” Furthermore Venafi warned that “Yahoo is still using cryptography (MD5) that has been known to be vulnerable for many years now.” "

On Monday, U.S. Senator Mark R. Warner (D-VA) requested that the U.S. Securities and Exchange Commission (SEC) investigate Yahoo and its executives. Senator Warner said in a statement:

"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications," wrote Sen. Warner, a former technology executive. "Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."

Senator Warner called on the SEC:

"... to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,

Also, six U.S. Senators sent a letter on September 27 to Marissa Meyer, the Chief executive Officer at Yahoo, demanding answers about precisely how and why the massive breach went undetected for so long. The letter by Senators Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Edward J. Markey (D-MA), Elizabeth Warren (D-MA), and Ron Wyden read in part:

"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. That is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of Americans in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."

Indeed. Consumers have these reasonable and valid expectations. The letter demands that the tech company provide a briefing to the Senators' staffs with answers to a set of eight questions including a detailed timeline of events, specific systems and services affected, steps being taken to prevent a massive breach from happening again, and how it responded to any communications and warnings by government officials about state-sponsored hacking activity.

Elizabeth Denham, the Information Commissioner of the United Kingdom (UK), released a statement on September 23 demanding answers from Yahoo:

"The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today. We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected..."

Some consumers aren't waiting for lawmakers. The Mercury News reported:

"... a class-action suit accusing the Sunnyvale tech firm of putting their finances at risk and failing to notify them earlier about the breach. “While investigating another potential data breach, Yahoo uncovered this data breach, dating back to 2014,” the lawsuit, filed Thursday in U.S. District Court in San Diego, said. “Two years is unusually long period of time in which to identify a data breach.” On Friday in U.S. District Court in San Jose, a second class-action suit was filed over the hack. Plaintiff Ronald Schwartz, of New York, claims his personal information was stolen. His suit calls Yahoo’s treatment of users’ data “grossly negligent” and alleges that circumstantial evidence indicates “Yahoo insiders” knew of the breach “long before it was disclosed.” "

Reportedly, one of the plaintiffs has already experienced financial fraud as a result of identity theft from the data breach.


Yahoo Confirms Massive Data Breach. Unclear If Users At Its Outsourcing Clients Were Also Affected

Yahoo logo After reports about a rumored announcement, Yahoo confirmed late on Thursday a massive data breach affecting half a billion users -- 500 million persons. Yahoo believes the breach was performed by a "state-sponsored actor."

Data elements exposed and stolen during the breach include full names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers. The breach dated back to 2014. This is very serious, and by far the largest breach ever. The data elements stolen facilitate spam and a variety of scams; plus access to email contacts such as clients, customers, and patients.

Yahoo's breach announcement stated:

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter..."

Yahoo is in the process of notifying affected persons. Affected users should change their passwords, security questions, and answers.

The breach announcement did not state if users at outsourcing clients were affected. Other companies and entities can outsource their e-mail services to Yahoo, or to other e-mail providers offering similar services. One such company appears to be AT&T. The "AT&T Email Basics" page (see image below) references a co-branded AT&T-Yahoo website for AT&T customers to check their e-mail.

AT&T Email Basics page references Yahoo site for email. Click to view larger version I reached out to AT&T for a comment. A reply was not received by press time. If its email users were affected by the breach, then those users will probably want to know who is going to assist them, and what assistance will be offered.

Given the pending acquisition of Yahoo by Verizon, several AT&T customers already discussed in an online forum concerns about what might happen to their e-mail service operated by a competitor. (Verizon said on Thursday it learned about the breach two days ago.) If users at outsourcing clients were also affected by the breach, then this might add to their uncertainty.

If you received a breach notice from Yahoo, what is your opinion of the response?


4 States Strengthen Their Breach Notification Laws

The National Law Review summarized breach notification laws strengthened in four states: Nebraska, Nevada, Rhode Island, and Tennessee. The stronger laws include several changes: expanded definitions, encryption, requirements to notify the state's attorney general, and requirements to notify affected persons within forty-five (45) days.

Several states expanded their definitions of "personal information" to better protect consumers:

"Nevada now includes in its definition of “personal information” a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account. Similarly, Rhode Island now counts as “personal information” any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual’s personal, medical, insurance or financial account..."

Some of the expanded definitions made by Tennessee:

"Tennessee broadened its definition of “unauthorized persons” to include an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. Tennessee also removed the word “unencrypted” from its definition of “Breach of the security system” in order to ensure that partial encryption of compromised personal information does not evade the statute."

Read the rest of the changes in the National Law Review article.


Data Breaches At HEI Hotels & Resorts Affects 20 Properties In At Least 10 States

HEI Hotels and Resorts logo On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.

The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:

State City & Property
California La Jolla: San Diego Marriott La Jolla
Pasadena: The Westin Pasadena
San Diego: Renaissance San Diego Downtown Hotel
San Francisco: Le Meridien San Francisco
Santa Barbara: Hyatt Centri Santa Barbara
Colorado Snowmass Village: The Westin Snowmass Resort
District of Columbia Washington: The Westin Washington DC City Center
Florida Boca Raton: Boca Raton Marriott at Boca Center
Fort Lauderdale: The Westin Fort Lauderdale
Miami: Royal Palm South Beach Miami
Tampa: InterContinental Tampa Bay
Illinois Chicago: Hotel Chicago Downtown
Minnesota Minneapolis: The Hotel Minneapolis Autograph Collection
Minneapolis: The Westin Minneapolis
Pennsylvania Philadelphia: The Westin Philadelphia
Tennessee Nashville: Sheraton Music City Hotel
Texas Fort Worth: Dallas Fort Worth Marriott Hotel & Golf Club
Vermont Manchester Village; Equinox Resort Golf Resort & Spa
Virginia Arlington: Le Meridien Arlington
Arlington: Sheraton Pentagon City

The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."

HEI is notifying affected customers and consumers that may have been affected:

"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."

The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.

HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.

If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?


Retailer's Data Breach Exposes Military And Government Workers To Terrorism Risk

McClatchyDc news service reported a chilling story about the intersection of cyber-crime and terrorism. After inserting malware into an Illinois-based retailer's computer systems, the hacker demanded payment in Bitcoins to remove the malware. This type of hacking is commonly called "ransomware" and isn't especially noteworthy. What is notable: the hacker's motivation was driven by money, but devolved into terrorism. Reportedly, the hacker:

"... had ties to the Islamic State Hacking Division, a terrorist cyber unit, and before it was over he’d put together a “kill list” for the Islamic State with the identities of 1,351 U.S. government and military personnel from the 100,000 names, credit card records and Social Security numbers he’d extracted from the host server."

The hacker, currently in prison in the USA, was identified as Ardit Ferizi, also known as the "Albanian hacker." McClatchyDC also reported:

"Ferizi’s case is also notable because his handiwork generated one of the first “kill lists” issued by the Islamic State designed to generate fear and publicity. FBI agents used the early list of U.S. military and government employees to notify the targeted individuals. More recent lists have included thousands of ordinary civilians and even U.S. Muslims the terrorist group considers apostates."

McClatchyDC did not disclose the name of the retailer, who reportedly learned of the breach only when the hacker demanded payment. That suggested poor data security and intrusion detection.

There are plenty of implications. First, no longer can company (and government) executives claim that it was just a breach, or it happens to every business. It is no longer acceptable for corporate executives to downplay the breach and hope it quietly goes away. There are real-world risks and threats to customers and prospective customers from corporate data breaches. Second, this breach reinforces the fact that we live in an inter-connected world. Criminals are smart, persistent, and have learned how take advantage of those online connections.

Third, these online connections and cyber-crime make politicians' goals to limit immigration futile and pointless. Similarly, physical border walls may deter poor and unskilled migrants, but do nothing to stop cyber-crime and terrorism. Government and business need to work together to build better, stronger online and digital defenses.

What do you think?


Data Breach Of Online Database Affects 154 Million U.S. Voters

An online database of voter profiles about 154 million Americans suffered a data breach. A security researcher discovered the unprotected online database. HelpNetSecurity reported:

"It was a CouchDB database that required no authentication to be accessed, hosted on Google’s Cloud services. Luckily, an ID associated with each record pointed [the security researcher] in the right direction regarding the owner of the data... the data was originally collected by a data brokerage company named L2... The client told us that they were hacked, the firewall was taken down and then the probing began..."

The voter profiles include full names, addresses, phone numbers, age, gender, marital status, estimated income, political party, congressional district affiliation, state senate district affiliation, and more:

"Some of the records also contained information about the voters’ marital status, whether they had children or owned a gun, their stance on gay marriage, the language(s) they speak, and their email address."

This is the type of information a political party would collect. The report did not state which political organization. The security researcher also discovered that the unprotected online database was accessed by others, including a user in Europe. The database is no longer online.

The report did not state who would notify affected persons, or when this might happen.


Data Breaches At Maryland Parking Garages Affect Thousands

Data breaches at three parking garages in downtown Annapolis, Maryland habe put the sensitive personal and payment data of thousands of consumers at risk. WJZ, the CBS affiliate in Annapolis, reported a:

"... preliminary investigation shows that the breach took place from December 23, 2015 to June 11, 2016 — nearly six months — at the Noah Hill, Gott’s Court and Knighton garages... The breach affects drivers who used the daily parking option, not those who have monthly plans or residents."

After learning about the breach, the city switched to cash-only payments. While the city responded quickly, questions remain. The news report did not mention when and how affected persons would be notified of the breach. A brief scan on Monday of the Annapolis Parking website didn't not find any breach notices. Consumers need to be notified promptly.

Also, the nature of the breach suggests that the payment terminals were compromised. Many consumers are probably thinking: I don't live in nor visit Annapolis, so no problem.

Well, big problem. We all visit and park our vehicles at downtown city locations. Some people visit more often than others. You don't have to look far to find breaches at parking garages in Chicago, Cleveland, and at this parking vendor which serves several cities.

This Annapolis parking-garage breach is a reminder of the vulnerability of payment terminals at all parking garages. Like the pumps at gas stations, parking garages have free-standing payment terminals that are unattended for long periods of time. This creates an opportunity for criminals to tamper with the terminals, and install skimming devices either inside or on the exterior of terminals. It is a popular tactic by criminals on both ATM machines and gas stations.

So, when you pay using a debit- or credit card at a parking garage, you are betting that the garage operator regularly inspects their payment terminals for skimming devices, and adequately protects their computer systems from hacks and malware.


Emails And Passwords For Sale From The Massive Tumblr Data Breach

Tumblr logo Things seem to be getting worse as Tumbler, a blogging platform Yahoo acquired in 2013. First, Tumblr announced on May 12 a possible data breach, which stated:

"We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."

That early May announcement directed users to reset their passwords, and use secure https connections. It didn't state the number of affected accounts. Well, now we know more.

Softpedia reported on May 30 that valid Tumblr passwords are available online for sale:

"Independent security researcher Troy Hunt revealed today that he received a data dump that contains 65,469,298 emails and hashed passwords, which the anonymous donor said belonged to Tumblr users. The researcher tracked the data dump to The Real Deal Dark Web marketplace, where a hacker by the name of Peace (also known as Peace_of_mind) is selling it for 0.4255 Bitcoin ($225)..."

That's 65.4 million passwords compromised. A massive breach affecting about one out of every eight Tumblr users. The good news: Tumblr had encyrpted its users' passwords. The bad news: the hackers have broken the encryption. That means Tumblr users probably should, a) change their passwords again, and b) inquire what Tumblr is doing to better protect sensitive information so this doesn't happen again.

It seems that Tumblr's breach detection and security processes are both lacking. Softpedia also reported:

"Peace, the hacker that's selling the data, is the same person that put up for sale the MySpace and LinkedIn data dumps, but also other online services such as Fling.com and the Linux Mint forum."

Hmmm. It seems that several social networking sites need to improve their defenses.


LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

LinkedIn.com logo The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and the one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 records affecting as many persons, not 6.5 million. And, 117 million people are at risk now. To make matters worse, hackers have already cracked the encryption method LinkedIn.com used to protect users' passwords:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store password in an insecure way..."

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach​ that haven’t update​d​ their password since that breach. We will let individual members know​ ​if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field, and find jobs. If you use the site, experts advise consumers to change your password immediately and don't reuse the same password at multiple websites.


Breach Notifications Rise More Than 40 Percent In New York

Breach notifications involving New York State residents have risen more than 40 percent compared to a year ago. Attorney General Eric T. Schneiderman announced on Wednesday that his office:

"... has received 459 data breach notices from the first of the year through May 2, 2016, as compared with 327 through the same time last year. In the year 2015 alone, the office received 809 data breach notices. The office is expecting to receive well over 1000 notices for the year, a new record."

The New York State Information Security Breach & Notification Act requires companies to provide notice to the Attorney General office and to affected consumers. Companies use an online submission form. Previously, notifications were submitted via postal mail, fax, or email.

The Attorney General's office released a data breach report in July 2014 which found:

"... the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, which cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches."

If you receive a breach notification letter, the Identity Theft Resource Center advises consumers to (links added):

"1. Call the three credit bureaus (Experian, Equifax, and Transunion) and request a 90-day fraud alert be placed on your credit reports.

2. Request your annual free credit report from each of the aforementioned credit bureaus and review them for any inaccuracies...

3. If you do find any inaccuracies, call the three credit bureaus and request a security freeze be placed on your credit reports. This may cost a nominal fee depending on the state that you are in and does not allow new credit lines to be processed until you personally unfreeze your credit. Even if you do not find any inaccuracies, you may want to consider putting a security freeze on your credit as a precautionary measure.

4. File your tax returns as early as possible to avoid an identity thief filing a tax return under your name in order to receive fraudulent tax refunds.

5. Contact the Social Security Administration and request your wage report to ensure that an identity thief has not reported fraudulent wages which you may have to pay taxes on if not resolved.

6. For more details on what to do if you have received a data breach notification letter, please read our ITRC Fact Sheet FS 129."

Learn how to spot fake breach notices from scammers. To help residents confirm breach notifications, A few states (Maryland, New Hampshire, Vermont, Wisconsin) post online breach notices they have received.

Comments? Opinions? If you know of any states that post breach notices online, please tell us below.


Report: Lawsuits Resulting From Corporate Data Breaches

Chart 1: Bryan Cave LLP: 2016 Breach Litigation Report. Click to view larger version

This week, the law firm of Bryan Cave LLP released its annual review of litigation related to data breaches. 83 cases were filed, representing a 25 percent decline compared to the prior year. Other Key findings from the 2016 report:

"Approximately 5% of publicly reported data breaches led to class action litigation. The conversion rate has remained relatively consistent as compared to prior years... When multiple filings against single defendants are removed, there were only 21 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in the 2015 Report, wherein plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches..."

Slightly more than half (51 percent) of all cases were national. The most popular locations were lawsuits were filed included the Northern District of Georgia, the Central District of California, the Northern District of California, and the Northern District of Illinois. However:

"Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based."

Charges of negligence were cited in 75 percent of lawsuits. Which industry were frequently sued and which weren't:

"... the medical industry was disproportionately targeted by the plaintiffs’ bar. While only 24% of publicly reported breaches related to the medical industry, nearly 33% of data breach class actions targeted medical or insurance providers. The overweighting of the medical industry was due, however, to multiple lawsuits filed in connection with two large scale breaches... There was a 76% decline in the percentage of class actions involving the breach of credit cards... The decline most likely reflects a reduction in the quantity of high profile credit card breaches, difficulties by plaintiffs’ attorneys to prove economic harm following such breaches, and relatively small awards and settlements.."

57 percent of cases included sensitive personal information (e.g., Social Security numbers), 23 percent of cases included debit/credit card information, and 18 percent of cases included credit reports. The law firm reviewed lawsuits occurring during a 15-month period ending in December, 2015. Data sources included Westlaw Pleadings, Westlaw Dockets, and PACER databases.

Historically, some lawsuits by consumers haven't succeeded when courts have dismissed cases because plaintiffs weren't able to prove injuries. According to the Financial Times:

"However, decisions from a number of high-profile cases are likely to make it easier for consumers to bring suits against companies in the event of a data breach... For example, in July 2015, the Seventh US Circuit Court of Appeals, overturning a previous judgment, ruled that customers of Neiman marcus could potentially sue the retailer because they were at substantial risk of identity theft or becoming victims of fraud..."

Learn more about the Neiman Marcus class-action. Criminals hack corporate databases specifically to reuse (or resell) victims' stolen sensitive personal and payment information to obtain fraudulent credit, drain bank accounts, and/or hack online accounts -- injuries which often don't happen immediately after the breach. That's what identity thieves do. Hopefully, courts will take a broader, more enlightened view.

I look forward to reading future reports which discuss drivers' licenses data and children's online privacy, and the Internet of Things (ioT). View the "2016 Data Breach Litigation Report" by Bryan Cave LLP. Below is another chart from the report.

Chart 2: Bryan Cave LLP: 2016 Breach Litigation Report. Click to view larger version


New Federal Agency For Stronger Protections Of Background Investigations

Office of Personnel Management logo Fallout continues from the massive data breach at the Office of Personnel Management (OPM) in 2015. The U.S. Federal government announced a reorganization to provide stronger protections of sensitive information collected during background investigations for federal employees and contractors. The reorganization features several changes including a new agency, the National Background Investigations Bureau (NBIB). The WhiteHouse.gov site announced:

"... the establishment of the National Background Investigations Bureau (NBIB), which will absorb the U.S. Office of Personnel Management’s (OPM) existing Federal Investigative Services (FIS), and be headquartered in Washington, D.C.  This new government-wide service provider for background investigations will be housed within the OPM. Its mission will be to provide effective, efficient, and secure background investigations for the Federal Government. Unlike the previous structure, the Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB."

After the massive data breach at OPM, several federal agencies conducted a joint 90-Day Suitability and Security review. The agencies involved included the Performance Accountability Council (PAC), the Office of Management and Budget (OMB), the Director of National Intelligence (DNI), the Director of the U.S. OPM, the Departments of Defense (DOD), the Treasury, Homeland Security, State, Justice, Energy, the Federal Bureau of Investigation, and others.

According to its Fact Sheet, the OPM’s Federal Investigative Services (FIS) unit currently conducts investigations for more than 100 Federal agencies. The FIS conducts more than 600,000 security clearance investigations and 400,000 suitability investigations annually. An NBIB Transition Team will oversee the migration to the new information technology systems and procedures. Transition project goals include:

  1. Establish a five-year re-investigation requirement for all personnel with security clearances, regardless of the level of access,
  2. Reduce the number of personnel with active security clearances by 17 percent
  3. Introduce programs to continuously evaluate personnel with security clearances to determine whether ongoing security clearances are necessary, and
  4. Develop recommendations to enhance information sharing between State, local, and Federal Law Enforcement agencies regarding background investigations.

The changes were announced jointly on January 22, 2016 by James R. Clapper (the Director of National Intelligence), Beth Cobert (Acting Director of the OPM), Marcel Lettre (Under Secretary of Defense for Intelligence, Department of Defense), Tony Scott (U.S. Chief Information Officer), and J. Michael Daniel (Special Assistant to the President and Cybersecurity Coordinator, National Security Council, The White House).


How To Recognize Bogus OPM Breach Letters From Scammers

Earlier this year, a data breach at the Office of Personnel management (OPM) federal government agency exposed the sensitive personal information of government employees, former government employees, and their families. Identity criminals and fraudsters are taking advantage of the breach by sending bogus breach letters supposedly from the OPM.

The Better Business Bureau (BBB) advised consumers how to recognize valid letters from the OPM:

"Real Letters Contain>: a) A 25 digit PIN to register for credit and identity monitoring services. Make sure your PIN is real by entering it at opm.gov/cybersecurity; b) Instructions to visit the website opm.gov/cybersecurityto get more information and sign up for monitoring"

How to spot bogus OPM solicitations from scammers:

  1. The OPM will not ask you to confirm your personal information. So, do not share it with anyone asking
  2. The OPM is not using e-mail. They are using surface postal mail.

If you lost your PIN number or didn't receive a breach notice from the OPM and think that you are affected, then you can confirm your status at the OPM security site. If you receive a bogus letter from scammers about this or other breaches, report it to the BBB.


Data Breach: Unprotected Online Database Exposed The Sensitive Information Of About 3.3 Million Hello Kitty Users

Hello Kitty logo A security researcher found online a database containing the sensitive information of customers of the Hello Kitty gaming site. Just before the Christmas holiday, C|Net reported:

"Personal information for fans who connect through SanrioTown.com has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required... SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online."

C|Net also reported that the security researcher:

"... showed CNET a sample of the records he saw, which includes a list of usernames, scrambled up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database. Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud."

Reportedly, the database sat open and exposed for about a month. This breach was found by the same security researcher that found earlier in December a flaw in the Mackeeper security software, which exposed the sensitive information of 13 million Apple users. SanrioTown is still investigating its breach, and its users must change both their passwords and security questions.

The Washington Times reported:

"Sanrio Digital, a subsidiary of the Japanese owner of “Hello Kitty,” a popular children’s brand, told Reuters on Tuesday that it patched a security glitch that had affected one of its databases being tipped off by Chris Vickery, a U.S.-based researcher who helps identify and fix vulnerable computer systems... Sanrio has insisted that evidence has so far failed to suggest that anyone other than Mr. Vickery had accessed the database with authorization..."

Reportedly, the breach exposed the following data elements: full names, birthdays, genders, email addresses and related information about 3.3 million account holders. That included information about 186,261 persons under the age of 18. Payment information (e.g., credit cards) was not exposed, according to the SanrioTown security statement.

Two items about this breach need to be highlighted:

  1. The operative phrase in the company's statement is, "that evidence so far..." More evidence may surface later; and
  2. The company did not discover its own database sitting open, unprotected in the wild. An external security researcher found it. That fact does not bode well for the company's security team and data security processes.

What are your opinions of this data breach?


iFit Data Breach Exposes The Sensitive Information of More Than Half A Million Users

Plenty of stationary, mobile, and wearable devices -- including their apps -- collect and store consumers' sensitive personal data, including health information. The Data Breaches blog reported a breach involving the popular mobile fitness app, iFit, affecting as many as 576,274 users. A researcher discovered the breach on December 10.

The iFit app includes customize-able workouts designed by fitness trainers. It is incorporated into wristbands, smart watches, and stationary exercise equipment such as NordicTrack. The stationary equipment includes treadmills, elliptical machines, stength-training machines, and exercise bikes used in homes and gyms. iFit also operates a wellness program with corporate partners for their employees.

The iFit Privacy policy provides a clear indication of the massive amount of data collected, archived, and reportedly exposed or stolen during this breach:

"... two types of information from users of our Site: "Personally Identifiable Information" which is information that can be used to locate you,contact you, or determine your specific identity (such as name, e-mail address, mailing address, phone number, user name, credit card information, etc.) and "Aggregate Information" which is information about your activities on the Site or in connection with the services that cannot be used to identify, locate, or contact you (such as frequency of visits to the Site, data entered when using the Site, gender, age, weight, height, food intake, activity level, interests, workout history and results, exercise equipment, Site pages most frequently accessed, browser type, links a User clicks, IP address, and other similar information)... When you register for an account (free or paid), we collect your name, a user name, a password, date of birth, current weight, target weight, height, gender, measurement system, activity level, fitness goal, intensity level, and the retail location where you purchased your iFit® equipment. When you use a credit card to pay for any of our services or products, we ask for your name, address, credit card and credit card-related information."

Besides archiving customers exercise types, date, time, geo-location, and exercise duration the app foten calculates calories burned. All of this data would be immensely valuable to insurance firms, health care organizations, and others. The data elements exposed or stolen open the breach victims to financial fraud, medical fraud, stalking, and spam.

For consumers the either want to keep their exercise activity private or expect fitness app developers to secure and protect sensitive information like health care organizations, the data breach presents a very troubling event. It is unclear if breach victims are limited to only the United States.

ICON Health and Fitness makes a lot of the exercise bikes, ellipticals, and strength-training equipment that use the iFit app.

At press time, a check of the iFit site and blog did not find any announcements of the breach. What are your opinions of the breach? Of the data collected? Of the company's post-breach response so far?


University of Rochester Medical Center Settles With New York State Attorney General For Data Breach

University of Rochester Medical Center logo Earlier this month, the New York State Attorney General announced a settlement agreement with the University of Rochester Medical Center (URMC) about a data breach earlier this year. URMC will pay a $15,000 find and is required to train its staff on proper data security procedures for protected health information.

The settlement agreement was dated November 20, 2015. The April 2015 events surrounding the data breach:

"... a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients.  On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN. URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients... GRN has attested that all health information transmitted by URMC has been returned or deleted."

State attorney generals were empowered by law in 2009 to enforce Health Insurance Portability and Accountability Act (HIPAA) violations. Hospitals are required by law to provide patients with a Notice of Privacy Practices document, which patients and their families should read. Read the URMC NPP (Adobe PDF).

This is not the first data breach at URMC. There were three prior data breaches with the latest in 2013. HIPAA requires health care organizations to report data breaches affecting 500 or more persons. The URMC settlement agreement (Adobe PDF) contains more stringent reporting requirements for URMC to the New York State Office of Attorney General (OAG):

"For a period of three (3) years, commencing from the execution of this Agreement, if URMC determines that a member of the workforce has breached unsecured protected health information, consistent with the HIPAA Breach Notification Rule, URMC is to notify the OAG of the breach within sixty (60) days of the breach if the number of individuals affected by the breach is fifteen (15) or more (for beaches of fourteen (14) or fewer URMC to notify the OAG annually), in addition to the existing notification responsibilities."

A survey earlier this year found that 45 percent of patients were “very” or “moderately concerned” about the security of their medical records, including access by unauthorized persons which would lead to identity theft and fraud. A breach earlier this year at electronic records vendor Medical Informatics Engineering highlighted the fact that data breaches at health care organizations expose patients to both medical and financial fraud.

While the fine in this case is tiny compared to the multi-billion fines paid recently by several big banks, it is still important because people expect health care organizations to properly secure and protect sensitive patient information. Experts have warned resolving medical identity fraud can be costly, time, consuming and require plenty of effort and expertise since the victim's medical records have often been corrupted with the thief's medical and health information.

If URMC experiences more data breaches, steeper fines and a longer period of more stringent breach reporting would seem applicable, given URMC's breach history. What are your opinions of the settlement agreement?

[Editor's note: In the interest of full disclosure, I have no relationship with URMC except that I am a graduate and alum of the University of Rochester.]


Experian Has Paid $20 Million (So Far) In Post Breach Costs

Experian logo Just before the Thanksgiving holiday, The National Law Review reported:

"Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may only be just the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage as well as cooperating with the government’s investigations in to the matter."

Details about the September breach area available here.

Not good.As I wrote in October,Experian CEO Brian Cassin should resign. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (again) is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better. It is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

If they can't protect it, don't collect it; and go do something else.


Target Settles With Banks And Credit Unions. Retailer To Pay More Than $39 Million

Target Bullseye logo After a settlement with Visa earlier this year, Target has finalized settlement agreements with several banks and credit unions concerning its 2013 data breach. The retailer has agreed to pay $39.4 million to affected banks and credit unions. It will pay $20.25 million to banks and credit unions, plus $19.11 million to reimburse MasterCard Inc card issuers.

The banks include Umpqua Holdings Corporation (Oregon), Mutual Bank in Whitman (Massachusetts), Village Bank (Minnesota), CSE Federal Credit Union (Louisiana), and First Federal Savings of Lorain (Ohio). Reportedly, the retailer has spent $290 million in post-breach related costs with insurance companies expect to cover about $90 million. Several lawsuits are still outstanding.