350 posts categorized "Data Breaches"

LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 million records affecting as many persons, not 6.5 million. And, 117 million people are at risk now. To make matters worse, hackers have already cracked most of the passwords, because of the weak way LinkedIn.com stored them:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."
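To show why unsalted SHA1 is the problem the quote describes, here is an added illustration (not LinkedIn's code, and not from the Motherboard article): two constructed sample users who chose the same password get the same SHA1 digest, so one cracked hash or one precomputed table entry exposes every account sharing that password, whereas a per-user random salt with a slow key-derivation function (PBKDF2 here; the iteration count is an assumed illustrative value) gives every account a unique stored record and verifies with a constant-time compare.

```python
"""Unsalted SHA1 password storage versus a salted, slow alternative.

Added illustration for the LinkedIn breach discussion; the accounts and
passwords below are constructed sample data, not breach data.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Constructed sample accounts: alice and bob picked the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "Summer2012!",
    "carol@example.com": "correct horse battery staple",
}

# Assumed parameters for the salted scheme; production deployments should
# tune the iteration count to their own hardware budget.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def unsalted_sha1(password: str) -> str:
    """The weak scheme from the article: SHA1 of the bare password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Returns 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn per call unless one is supplied (tests only).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record never verifies
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def group_by_stored_value(
    users: Dict[str, str], hasher: Callable[[str], str]
) -> Dict[str, List[str]]:
    """Map each stored value to the users that share it.

    With unsalted SHA1 every user who picked the same password lands in the
    same group; with per-user salts each group has exactly one member.
    """
    groups: Dict[str, List[str]] = {}
    for user, password in users.items():
        groups.setdefault(hasher(password), []).append(user)
    return groups


if __name__ == "__main__":
    weak = group_by_stored_value(SAMPLE_USERS, unsalted_sha1)
    strong = group_by_stored_value(SAMPLE_USERS, hash_password)
    print("unsalted SHA1: largest group of users sharing one hash =",
          max(len(v) for v in weak.values()))
    print("salted PBKDF2: largest group of users sharing one record =",
          max(len(v) for v in strong.values()))
```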

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store passwords in an insecure way..."

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We will let individual members know if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field and to find jobs. If you use the site, experts advise changing your password immediately and not reusing the same password at multiple websites.


Breach Notifications Rise More Than 40 Percent In New York

Breach notifications involving New York State residents have risen more than 40 percent compared to a year ago. Attorney General Eric T. Schneiderman announced on Wednesday that his office:

"... has received 459 data breach notices from the first of the year through May 2, 2016, as compared with 327 through the same time last year. In the year 2015 alone, the office received 809 data breach notices. The office is expecting to receive well over 1000 notices for the year, a new record."

The New York State Information Security Breach & Notification Act requires companies to provide notice to the Attorney General's office and to affected consumers. Companies now use an online submission form. Previously, notifications were submitted via postal mail, fax, or email.

The Attorney General's office released a data breach report in July 2014 which found:

"... the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, which cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches."

If you receive a breach notification letter, the Identity Theft Resource Center advises consumers to (links added):

"1. Call the three credit bureaus (Experian, Equifax, and Transunion) and request a 90-day fraud alert be placed on your credit reports.

2. Request your annual free credit report from each of the aforementioned credit bureaus and review them for any inaccuracies...

3. If you do find any inaccuracies, call the three credit bureaus and request a security freeze be placed on your credit reports. This may cost a nominal fee depending on the state that you are in and does not allow new credit lines to be processed until you personally unfreeze your credit. Even if you do not find any inaccuracies, you may want to consider putting a security freeze on your credit as a precautionary measure.

4. File your tax returns as early as possible to avoid an identity thief filing a tax return under your name in order to receive fraudulent tax refunds.

5. Contact the Social Security Administration and request your wage report to ensure that an identity thief has not reported fraudulent wages which you may have to pay taxes on if not resolved.

6. For more details on what to do if you have received a data breach notification letter, please read our ITRC Fact Sheet FS 129."

Learn how to spot fake breach notices from scammers. To help residents confirm breach notifications, a few states (Maryland, New Hampshire, Vermont, Wisconsin) post online the breach notices they have received.

Comments? Opinions? If you know of any states that post breach notices online, please tell us below.


Report: Lawsuits Resulting From Corporate Data Breaches

Chart 1: Bryan Cave LLP: 2016 Breach Litigation Report.

This week, the law firm of Bryan Cave LLP released its annual review of litigation related to data breaches. 83 cases were filed, representing a 25 percent decline compared to the prior year. Other key findings from the 2016 report:

"Approximately 5% of publicly reported data breaches led to class action litigation. The conversion rate has remained relatively consistent as compared to prior years... When multiple filings against single defendants are removed, there were only 21 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in the 2015 Report, wherein plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches..."

Slightly more than half (51 percent) of all cases were national. The most popular venues where lawsuits were filed included the Northern District of Georgia, the Central District of California, the Northern District of California, and the Northern District of Illinois. However:

"Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based."

Charges of negligence were cited in 75 percent of lawsuits. Which industries were frequently sued and which weren't:

"... the medical industry was disproportionately targeted by the plaintiffs’ bar. While only 24% of publicly reported breaches related to the medical industry, nearly 33% of data breach class actions targeted medical or insurance providers. The overweighting of the medical industry was due, however, to multiple lawsuits filed in connection with two large scale breaches... There was a 76% decline in the percentage of class actions involving the breach of credit cards... The decline most likely reflects a reduction in the quantity of high profile credit card breaches, difficulties by plaintiffs’ attorneys to prove economic harm following such breaches, and relatively small awards and settlements..."

57 percent of cases involved sensitive personal information (e.g., Social Security numbers), 23 percent involved debit/credit card information, and 18 percent involved credit reports. The law firm reviewed lawsuits filed during a 15-month period ending in December 2015. Data sources included the Westlaw Pleadings, Westlaw Dockets, and PACER databases.

Historically, some lawsuits by consumers haven't succeeded because courts dismissed cases in which plaintiffs weren't able to prove injuries. According to the Financial Times:

"However, decisions from a number of high-profile cases are likely to make it easier for consumers to bring suits against companies in the event of a data breach... For example, in July 2015, the Seventh US Circuit Court of Appeals, overturning a previous judgment, ruled that customers of Neiman Marcus could potentially sue the retailer because they were at substantial risk of identity theft or becoming victims of fraud..."

Learn more about the Neiman Marcus class action. Criminals hack corporate databases specifically to reuse (or resell) victims' stolen sensitive personal and payment information to obtain fraudulent credit, drain bank accounts, and/or break into online accounts -- injuries which often don't happen immediately after the breach. That's what identity thieves do. Hopefully, courts will take a broader, more enlightened view.

I look forward to reading future reports which discuss drivers' license data, children's online privacy, and the Internet of Things (IoT). View the "2016 Data Breach Litigation Report" by Bryan Cave LLP. Below is another chart from the report.

Chart 2: Bryan Cave LLP: 2016 Breach Litigation Report.


New Federal Agency For Stronger Protections Of Background Investigations

Fallout continues from the massive data breach at the Office of Personnel Management (OPM) in 2015. The U.S. Federal government announced a reorganization to provide stronger protections of sensitive information collected during background investigations for federal employees and contractors. The reorganization features several changes including a new agency, the National Background Investigations Bureau (NBIB). The WhiteHouse.gov site announced:

"... the establishment of the National Background Investigations Bureau (NBIB), which will absorb the U.S. Office of Personnel Management’s (OPM) existing Federal Investigative Services (FIS), and be headquartered in Washington, D.C. This new government-wide service provider for background investigations will be housed within the OPM. Its mission will be to provide effective, efficient, and secure background investigations for the Federal Government. Unlike the previous structure, the Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB."

After the massive data breach at OPM, several federal agencies conducted a joint 90-Day Suitability and Security review. The agencies involved included the Performance Accountability Council (PAC), the Office of Management and Budget (OMB), the Director of National Intelligence (DNI), the Director of the U.S. OPM, the Departments of Defense (DOD), the Treasury, Homeland Security, State, Justice, Energy, the Federal Bureau of Investigation, and others.

According to its Fact Sheet, the OPM’s Federal Investigative Services (FIS) unit currently conducts investigations for more than 100 Federal agencies. The FIS conducts more than 600,000 security clearance investigations and 400,000 suitability investigations annually. An NBIB Transition Team will oversee the migration to the new information technology systems and procedures. Transition project goals include:

  1. Establish a five-year re-investigation requirement for all personnel with security clearances, regardless of the level of access;
  2. Reduce the number of personnel with active security clearances by 17 percent;
  3. Introduce programs to continuously evaluate personnel with security clearances to determine whether ongoing security clearances are necessary; and
  4. Develop recommendations to enhance information sharing between State, local, and Federal law enforcement agencies regarding background investigations.

The changes were announced jointly on January 22, 2016 by James R. Clapper (the Director of National Intelligence), Beth Cobert (Acting Director of the OPM), Marcel Lettre (Under Secretary of Defense for Intelligence, Department of Defense), Tony Scott (U.S. Chief Information Officer), and J. Michael Daniel (Special Assistant to the President and Cybersecurity Coordinator, National Security Council, The White House).


How To Recognize Bogus OPM Breach Letters From Scammers

Earlier this year, a data breach at the Office of Personnel Management (OPM), a federal government agency, exposed the sensitive personal information of government employees, former government employees, and their families. Identity criminals and fraudsters are taking advantage of the breach by sending bogus breach letters supposedly from the OPM.

The Better Business Bureau (BBB) advised consumers how to recognize valid letters from the OPM:

"Real Letters Contain: a) A 25 digit PIN to register for credit and identity monitoring services. Make sure your PIN is real by entering it at opm.gov/cybersecurity; b) Instructions to visit the website opm.gov/cybersecurity to get more information and sign up for monitoring"

How to spot bogus OPM solicitations from scammers:

  1. The OPM will not ask you to confirm your personal information. So, do not share it with anyone asking.
  2. The OPM is not using e-mail. They are using surface postal mail.

If you lost your PIN or didn't receive a breach notice from the OPM and think that you are affected, then you can confirm your status at the OPM security site. If you receive a bogus letter from scammers about this or other breaches, report it to the BBB.


Data Breach: Unprotected Online Database Exposed The Sensitive Information Of About 3.3 Million Hello Kitty Users

A security researcher found online a database containing the sensitive information of customers of the Hello Kitty gaming site. Just before the Christmas holiday, C|Net reported:

"Personal information for fans who connect through SanrioTown.com has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required... SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online."

C|Net also reported that the security researcher:

"... showed CNET a sample of the records he saw, which includes a list of usernames, scrambled up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database. Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud."

Reportedly, the database sat open and exposed for about a month. This breach was found by the same security researcher who, earlier in December, found a flaw in the MacKeeper security software which exposed the sensitive information of 13 million Apple users. SanrioTown is still investigating its breach, and its users must change both their passwords and security questions.

The Washington Times reported:

"Sanrio Digital, a subsidiary of the Japanese owner of “Hello Kitty,” a popular children’s brand, told Reuters on Tuesday that it patched a security glitch that had affected one of its databases being tipped off by Chris Vickery, a U.S.-based researcher who helps identify and fix vulnerable computer systems... Sanrio has insisted that evidence has so far failed to suggest that anyone other than Mr. Vickery had accessed the database with authorization..."

Reportedly, the breach exposed the following data elements: full names, birthdays, genders, email addresses and related information about 3.3 million account holders. That included information about 186,261 persons under the age of 18. Payment information (e.g., credit cards) was not exposed, according to the SanrioTown security statement.

Two items about this breach need to be highlighted:

  1. The operative phrase in the company's statement is, "that evidence so far..." More evidence may surface later; and
  2. The company did not discover its own database sitting open, unprotected in the wild. An external security researcher found it. That fact does not bode well for the company's security team and data security processes.

What are your opinions of this data breach?


iFit Data Breach Exposes The Sensitive Information of More Than Half A Million Users

Plenty of stationary, mobile, and wearable devices -- including their apps -- collect and store consumers' sensitive personal data, including health information. The Data Breaches blog reported a breach involving the popular mobile fitness app, iFit, affecting as many as 576,274 users. A researcher discovered the breach on December 10.

The iFit app includes customizable workouts designed by fitness trainers. It is incorporated into wristbands, smart watches, and stationary exercise equipment such as NordicTrack. The stationary equipment includes treadmills, elliptical machines, strength-training machines, and exercise bikes used in homes and gyms. iFit also operates a wellness program with corporate partners for their employees.

The iFit Privacy policy provides a clear indication of the massive amount of data collected, archived, and reportedly exposed or stolen during this breach:

"... two types of information from users of our Site: "Personally Identifiable Information" which is information that can be used to locate you, contact you, or determine your specific identity (such as name, e-mail address, mailing address, phone number, user name, credit card information, etc.) and "Aggregate Information" which is information about your activities on the Site or in connection with the services that cannot be used to identify, locate, or contact you (such as frequency of visits to the Site, data entered when using the Site, gender, age, weight, height, food intake, activity level, interests, workout history and results, exercise equipment, Site pages most frequently accessed, browser type, links a User clicks, IP address, and other similar information)... When you register for an account (free or paid), we collect your name, a user name, a password, date of birth, current weight, target weight, height, gender, measurement system, activity level, fitness goal, intensity level, and the retail location where you purchased your iFit® equipment. When you use a credit card to pay for any of our services or products, we ask for your name, address, credit card and credit card-related information."

Besides archiving customers' exercise types, dates, times, geo-locations, and exercise durations, the app often calculates calories burned. All of this data would be immensely valuable to insurance firms, health care organizations, and others. The data elements exposed or stolen open the breach victims to financial fraud, medical fraud, stalking, and spam.

For consumers who either want to keep their exercise activity private or expect fitness app developers to secure and protect sensitive information the way health care organizations must, the data breach is a very troubling event. It is unclear whether breach victims are limited to the United States.

ICON Health and Fitness makes a lot of the exercise bikes, ellipticals, and strength-training equipment that use the iFit app.

At press time, a check of the iFit site and blog did not find any announcements of the breach. What are your opinions of the breach? Of the data collected? Of the company's post-breach response so far?


University of Rochester Medical Center Settles With New York State Attorney General For Data Breach

Earlier this month, the New York State Attorney General announced a settlement agreement with the University of Rochester Medical Center (URMC) about a data breach earlier this year. URMC will pay a $15,000 fine and is required to train its staff on proper data security procedures for protected health information.

The settlement agreement was dated November 20, 2015. The April 2015 events surrounding the data breach:

"... a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients. On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN. URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients... GRN has attested that all health information transmitted by URMC has been returned or deleted."

State attorneys general were empowered by law in 2009 to enforce Health Insurance Portability and Accountability Act (HIPAA) violations. Hospitals are required by law to provide patients with a Notice of Privacy Practices (NPP) document, which patients and their families should read. Read the URMC NPP (Adobe PDF).

This is not the first data breach at URMC. There were three prior data breaches with the latest in 2013. HIPAA requires health care organizations to report data breaches affecting 500 or more persons. The URMC settlement agreement (Adobe PDF) contains more stringent reporting requirements for URMC to the New York State Office of Attorney General (OAG):

"For a period of three (3) years, commencing from the execution of this Agreement, if URMC determines that a member of the workforce has breached unsecured protected health information, consistent with the HIPAA Breach Notification Rule, URMC is to notify the OAG of the breach within sixty (60) days of the breach if the number of individuals affected by the breach is fifteen (15) or more (for breaches of fourteen (14) or fewer URMC to notify the OAG annually), in addition to the existing notification responsibilities."

A survey earlier this year found that 45 percent of patients were “very” or “moderately concerned” about the security of their medical records, including access by unauthorized persons which would lead to identity theft and fraud. A breach earlier this year at electronic records vendor Medical Informatics Engineering highlighted the fact that data breaches at health care organizations expose patients to both medical and financial fraud.

While the fine in this case is tiny compared to the multi-billion dollar fines paid recently by several big banks, it is still important because people expect health care organizations to properly secure and protect sensitive patient information. Experts have warned that resolving medical identity fraud can be costly, time-consuming, and require plenty of effort and expertise, since the victim's medical records have often been corrupted with the thief's medical and health information.

If URMC experiences more data breaches, steeper fines and a longer period of more stringent breach reporting would seem applicable, given URMC's breach history. What are your opinions of the settlement agreement?

[Editor's note: In the interest of full disclosure, I have no relationship with URMC except that I am a graduate and alum of the University of Rochester.]


Experian Has Paid $20 Million (So Far) In Post Breach Costs

Just before the Thanksgiving holiday, The National Law Review reported:

"Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may only be just the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage as well as cooperating with the government’s investigations into the matter."

Details about the September breach are available here.

Not good. As I wrote in October, Experian CEO Brian Cassin should resign. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (again) is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better. The company is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

If they can't protect it, don't collect it; and go do something else.


Target Settles With Banks And Credit Unions. Retailer To Pay More Than $39 Million

After a settlement with Visa earlier this year, Target has finalized settlement agreements with several banks and credit unions concerning its 2013 data breach. The retailer has agreed to pay $39.4 million to affected banks and credit unions: $20.25 million to banks and credit unions, plus $19.11 million to reimburse MasterCard Inc card issuers.

The banks include Umpqua Holdings Corporation (Oregon), Mutual Bank in Whitman (Massachusetts), Village Bank (Minnesota), CSE Federal Credit Union (Louisiana), and First Federal Savings of Lorain (Ohio). Reportedly, the retailer has spent $290 million in post-breach related costs, with insurance companies expected to cover about $90 million. Several lawsuits are still outstanding.


Learning Apps Company Confirms Data Breach Affecting 11.6 Million Persons

Earlier today, educational toy maker VTech confirmed a data breach affecting 11.6 million persons. On November 27, Motherboard first reported the breach as affecting 5 million parents and 200,000 children. The data breach is larger than first reported by many news organizations.

In its FAQ page, VTech confirmed that on November 14 hackers accessed its customer database:

"... on our Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products. Kid Connect allows parents using a smartphone app to chat with their kids using a VTech tablet."

The company learned of the data breach on November 24 when a journalist inquired. During its breach investigation, VTech has temporarily suspended operations at Learning Lodge, the Kid Connect network, and a dozen websites including both the PlanetVTech and VSmileLink sites in the US, France, Germany, United Kingdom, and Spain. VTech's customer data covers the USA, Canada, United Kingdom, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

The number of persons affected by the breach:

"In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate."

The VTech FAQ page also listed the number of breach victims by country. Parent accounts include the following data elements: name, e-mail address, security question and answer for password retrieval, IP address, mailing address, download history, and encrypted password. VTech's customer database does not contain credit card payment information, nor Social Security and similar identification information.

VTech describes itself as a global leader in electronic learning products for children and the world's largest manufacturer of cordless phones. Founded in 1976, VTech is headquartered in Hong Kong and has operations in 11 countries including manufacturing facilities in China. It employs about 30,000 employees, with 1,500 research and development professionals in Canada, Germany, Hong Kong, and China.

Even though customers' passwords were encrypted, VTech advised breach victims to change their passwords anyway, as skilled hackers may break the encryption. This is critical if breach victims used the same passwords, security questions, and security answers at other online sites.

This is not good. Whatever security detection software VTech used needs to be upgraded or replaced. A company should not learn about a breach from a journalist. The data elements stolen are sufficient for criminals to impersonate data breach victims, attempt to break into victims' other online accounts (e.g., banking), and send spam e-mail messages.

Do you or your children use VTech apps, games, or e-books? If so, what breach notifications have you received?


How The Teenager Hacked The CIA Director's Email Account

You've probably heard about it, or read some of the initial news reports. The New York Post broke the story about a teenager hacking into the e-mail account of John Brennan, Director of the Central Intelligence Agency (CIA). The methods the hacker used are a good example of pretexting: when a criminal pretends to be somebody they aren't in order to acquire sensitive information about the target(s).

Wired provided a detailed report about the incident, which I've distilled into seven steps:

  1. The hacker did a reverse number lookup of Brennan's mobile phone number. Several websites provide this feature. From that, the hacker learned that Verizon was Brennan's provider of phone services.
  2. Pretending to be a Verizon technician, the teenage hacker and his accomplices called Verizon asking for details about Brennan's account. The Verizon phone rep asked for their Vcode, a unique number assigned to each Verizon technician. The hacker provided a fake Vcode which somehow passed Verizon's security. From that, the hacker learned Brennan’s account number, four-digit PIN, the backup mobile number on Brennan's account, Brennan’s AOL email address, and the last four digits on Brennan's bank card.
  3. The hacker accessed Brennan's AOL e-mail account on October 12, and read several e-mail messages including messages forwarded from his work e-mail account. From that, the hacker learned Brennan's secure White House e-mail address, his security clearance application, topics discussed by Brennan and other intelligence officials, and work-related documents attached to several e-mail messages. One attachment included a spreadsheet with names and Social Security numbers of several persons, including intelligence officials.
  4. The hackers posted photos of several documents online via a Twitter account they had set up. The hackers accessed Brennan's account for at least three days.
  5. On October 16, the hacker posted via Twitter that Brennan had deleted his AOL e-mail account supposedly because the hackers had accessed it.
  6. Brennan reset the password on his AOL account, which the hackers accessed again. This suggests that they called AOL customer service pretending to be Brennan and reset the password on his account so they could access it. Reportedly, the dueling password resets happened three times.
  7. The hackers called Brennan's mobile phone number and told him his account had been hacked. After asking them what they wanted, the hackers reportedly answered, "We just want Palestine to be free and for you to stop killing innocent people."

What should consumers make of this incident? First, the incident provides a window into the hassles and inconveniences when your e-mail account is hacked and taken over by a criminal. The hackers could have sent out spam messages from Brennan's account to his friends, family, and coworkers. Second, the incident highlights the necessity of not using the same password on multiple accounts. When consumers reuse passwords, it becomes easy for criminals to access several of their online and financial accounts: hackers will try the same stolen password at other online accounts to see where else it works.

Third, the incident is a reminder for consumers never to disclose sensitive personal and financial information over the phone. Why? Simply, the caller's identity is unknown and unverified. We consumers frequently receive calls from identity thieves posing as computer support vendors or cardholder services.

Fourth, Verizon should improve its security processes. A fake Vcode should not allow access to customers' sensitive information. There should be consequences for Verizon for this breach. Fifth, the hackers' techniques provide a tiny view of the activities spies and counter-intelligence agencies perform, and why these entities want to hack into government agencies' systems, as in the Office of Personnel Management breach earlier this year.

Sixth, adding your mobile phone number to your social networking and e-mail accounts is not a data security cure-all. Smart hackers will target your mobile phone number so that they receive any notifications you've set up about changes to your account.

Seventh and perhaps most troubling, the Brennan and Clinton e-mail incidents suggest that many government officials highly value convenience (just as consumers do), forwarding work-related e-mails and documents from secure work systems to less secure commercial systems. You could argue that this desire for convenience is a security weakness. Eighth, you can bet that spies will try to take advantage of this weakness by replicating pretexting attacks on other high-value executive targets, in both the public and private sectors. If a teenager can do it, then so can an experienced spy.

What are your opinions of the hacking incident? Of Verizon's role?


Update: Target Breach Settlements And Pending Court Action

Tying up some loose ends: Target settled with Visa in August to resolve claims from the retailer's massive 2013 data breach in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. The value of that settlement was up to $67 million, depending upon how many card issuers worldwide accept that deal. A $19 million settlement with MasterCard fell through.

In March, the retailer agreed to pay $10 million to settle lawsuits by consumers. While the July 31, 2015 deadline has passed for affected shoppers to submit claims, the Target Settlement website lists the next important date as a November 10, 2015 hearing for the Court to approve the settlement. Payments to consumers will happen after the Court approves the settlement.


Experian Data Breach Affects 15 Million T-Mobile Customers, And Highlights Privacy Concerns

Experian, one of the three major credit-reporting agencies in the United States, announced last week a data breach that affected at least 15 million T-Mobile customers. Unauthorized persons accessed an Experian server which contained personal information about consumers who had applied for T-Mobile USA services between September 1 and September 16, 2015.

Experian discovered the breach on September 15, 2015. The information accessed and stolen included names, addresses, Social Security Numbers, birth dates, identification numbers (e.g., driver's license, military ID, passport number, etc.), and additional data related to T-Mobile's credit-check process. The credit reporting agency also said:

"Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained."

Thank heavens for little favors. At least one Experian employee had the good sense to segregate its database of T-Mobile customers from its database of everyone else. Otherwise, the hackers would have accessed and stolen sensitive personal information for 250 million persons. And, the "no payment card or banking information was obtained" statement is like saying bank thieves stole everything except the one-, five-, and ten-dollar bills. This is bad, folks, and Experian should not issue statements in a failed attempt to perfume a pig. The pig still stinks.

Experian has notified and is working with both federal and international law enforcement agencies. The post-breach investigation is ongoing. The company is notifying affected persons and will offer two years of free credit monitoring and identity resolution services. Some security experts are skeptical, and questioned whether Experian deployed the data-breach-detection services of 41st Parameter, a wholly owned subsidiary.

John Legere, the T-Mobile Chief Executive, said in a statement:

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian..."

Understandable and justified anger. No doubt, lawsuits will result.

This is not good. The data elements stolen are sufficient for criminals to apply for fraudulent loans, create fraudulent identification cards, and approach the family, friends, coworkers, and classmates of breach victims while impersonating them.

This is not the first data breach at Experian. In February 2014, hackers used a client's login credentials to access an undisclosed number of consumers' records. The data stolen included consumer credit reports, names, addresses, Social Security Numbers, birth dates, and additional information commonly found in credit reports. In May 2012, Experian announced a breach where hackers accessed an undisclosed number of consumers' records between October 19, 2011 and February 13, 2012. A breach in 2009 affected Maryland residents, and a lawsuit was filed in July 2015 against Experian for allegedly selling consumer information to a criminal posing as a data broker. That criminal allegedly resold data to other identity thieves.

Some critics demand stronger consequences. Fight for the Future's Jeff Lyon said:

"Experian CEO Brian Cassin has put the profits of his company above the well-being of his customers and our nation's cybersecurity. Why should Experian bother fixing their security when they can just lobby their way out of the messes they make?... This type of thinking is putting millions of people at risk. Cassin should resign..."

I agree. Cassin should resign. Lyon's comments allude to the Cybersecurity Information Sharing Act (CISA) of 2013, which is making its way through Congress. Privacy advocates argue that the bill fails to provide adequate data security protections and instead promotes data sharing of consumers' information with the federal government to facilitate surveillance. Some argue that the bill will actually hurt privacy.

I agree. It's poor legislation. Now, back to Experian. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (e.g., free credit monitoring), again, is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better. Experian is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

What are your opinions?


Luxury Trump Hotel In Las Vegas Begins Notification Of Consumers About Data Breach

The law firm representing the luxury Trump International Hotel and Tower property in Las Vegas announced a data breach affecting its client. To comply with breach notification laws in many states, corporations (or their agents) typically submit breach notices (e.g., sample or final) to the attorney general or applicable legal agency in each state where there are affected residents.

The breach notice at the California Attorney General website (Adobe PDF) read, in part:

"... we are providing notice of a security incident possibly affecting certain individuals who made payment card purchases at Trump International Hotel & Tower Las Vegas, located at 2000 Fashion Show Drive, Las Vegas, NV... Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the Hotel’s payment card system or misused as a result of the incident, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident... it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems... including payment card account number, card expiration date, security code, and cardholder name) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected..."

It seems that payment information was stolen by malware installed within infected terminals. The breach notice also mentioned that the hotel is working with law enforcement, banks, and an independent forensic investigation vendor. All pretty standard stuff. The notice did not disclose the total number of records or consumers affected.

The breach notice includes instructions for affected customers to sign up for one year of free fraud resolution and identity protection services with Experian ProtectMyID. The offer is only for U.S. residents who used a payment card at the Hotel between May 19, 2014, and June 2, 2015. (Since the hotel's website includes content in several languages besides English, I guess that deep-pocketed customers from other countries are simply screwed.) That duration seems skimpy, since many other corporations have offered two years. The breach notice lists a hotel toll-free number for affected customers to get assistance and ask questions.

A check this morning of the hotel's home page did not find a link to a breach notice. Typically, a well-organized post-breach response also includes a website providing affected customers with more information (or dedicated pages at the company's main site).

So, there seem to be two massive failures in this data breach. The first was a failure to promptly detect the unauthorized access. The second was a lengthy delay of more than a year to notify affected consumers. And, the investigation is still underway, so things could be even worse.

Note: the Krebs On Security blog first broke news in July about data breaches at several hotels, including the Trump hotel in Las Vegas. One wonders why the hotel didn't announce the breach then.


Medical Informatics Engineering, Concentra, Employers, Data Sharing, And Privacy

After receiving the breach notice from Medical Informatics Engineering (MIE) via postal mail, my wife and I wondered how MIE acquired her information. MIE's breach notice mentioned Concentra, a health care company we have never done business with. Today's blog post describes what we learned during our search for answers, and how consumers aren't in control of our sensitive personal information.

Background

The breach was massive. The Journal Gazette reported 3.1 million breach notices sent to affected consumers nationwide. The U.S. Department of Health & Human Services listed 3.9 million consumers affected. Readers of this blog have reported breach notices received via postal mail in Alabama, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Maryland, Massachusetts, New Hampshire, Tennessee, Texas, and the District of Columbia. Concentra was one of many health care providers involved.

During our search for answers, my wife contacted her employer and a local clinic. Neither does business with No More Clipboard (MIE's cloud-based service) or with Concentra. On her behalf I contacted Concentra's nearest office in Wilmington, Massachusetts. The office's administrative person searched for information about my wife in Concentra's database. No record. The administrator referred me to a regional human resources representative, who confirmed the breach and suggested that Concentra may have obtained my wife's information from data-sharing during a sales pitch with employers. We continued to look for firmer answers.

The HR representative referred me to Edwin Bodensiek, the Vice President of Public Relations at Select Medical, the corporation that acquired Concentra in May 2015. Select Medical's First Quarter 2015 10-Q Filing (Adobe PDF) explained:

"[Select Medical Holdings] announced on March 23, 2015 that MJ Acquisition Corporation, a joint venture that the Company has created with Welsh, Carson, Anderson & Stowe XII, L.P. (“WCAS”), has entered into a stock purchase agreement, dated as of March 22, 2015 (the “Purchase Agreement”), as buyer with Concentra Inc. (“Concentra”) and Humana Inc. (“Humana”) to acquire all of the issued and outstanding equity securities of Concentra from Humana. Concentra, a subsidiary of Humana, is a national health care company that delivers a wide range of medical services to employers and patients, including urgent care, occupational medicine, physical therapy, primary care, and wellness programs... For all of the outstanding stock of Concentra, MJ Acquisition Corporation has agreed to pay a purchase price of $1.055 billion..."

Humana had acquired Concentra in 2010. Now, Concentra is part of Select Medical. I contacted Mr. Bodensiek asking when, why, and how Concentra obtained my wife's sensitive personal information. My wife and I weren't sure we'd get any answers, and if so, how long it would take.

What We Learned

After about a month, Mr. Bodensiek called with some answers. My wife had taken a temporary part-time job in February 2014, and that second employer used the Humana Wellness (i.e., Concentra) health care services. Mr. Bodensiek explained that the second employer sent an "eligibility file" to Concentra with data about its employees who were eligible for the employer-sponsored health care plan. That's when my wife's name, address, phone, and Social Security Number were transmitted to Concentra, and then to MIE, the electronic medical records vendor for Humana Wellness. Mr. Bodensiek described this as standard business practice.

My wife and I have health care coverage elsewhere, so she never intended to register, and did not register, for health care through this second employer. My wife's situation is not unique, since five percent of the U.S. workforce works two or more jobs. (Vermont, South Dakota, Nebraska, Kansas, and Maine lead the nation in people working two or more jobs.) It's great that this second employer offered health care to its employees, but not so great that employees' sensitive information was shared regardless of whether or not the employees expressed an interest in coverage.

I'd like to publicly thank Mr. Bodensiek for his hard work and diligence. He didn't have to help, but he did. It gave us a good first impression of Select Medical. Hopefully, other breach victims have had success getting answers.

Implications And Consequences

Our experience highlights a business practice consumers should know: your employer may share your information with their health care provider whether you subscribe or not, and maybe without your knowledge. Maybe this sharing was for employees' convenience (e.g., faster, easier sign-up for health care), or for the employer's convenience (e.g., minimize processing effort and expense) by sending one, massive eligibility file. Regardless, the business practice has implications and consequences.

First, when an employer's administrative process sends their health care vendor data about all employees (without an opt-out mechanism), then more data is shared than otherwise, and the process is arguably less private. Why? The health care provider receives and archives information about both subscribers and non-subscribers; patients and non-patients. A process based upon opt-in would be better and more private, since the data shared would include only employees who want to sign up for their employer's health care plan. Simply, fewer employee records with sensitive data (e.g., name, address, phone, Social Security Number) are shared, and there is less data for the health care provider to archive and protect (and further share with a cloud vendor).

Regarding the MIE breach, eligibility-file-sourced data about my wife was archived by MIE. That means MIE archived eligibility-file data about many other employees. So, MIE's database includes data about health-care subscribers and non-subscribers; patients and non-patients. When data breaches happen, the stolen archived data about non-subscribers exposes those non-subscribers to identity theft and fraud risks. How long will this data about non-subscribers be archived? When will data about non-subscribers be deleted? Select Medical didn't say. I can only assume the archiving will continue as long as they decide, either solely or in combination with their employer clients.

Second, costs matter. The more data shared, the more records the health care provider and electronic records vendor must archive and protect. When data breaches happen, more data is lost and data breach costs (e.g., investigation, breach notification, identity protection services) are greater. A 2015 study by IBM found that the average total cost of a data breach was $3.8 million, up 23 percent from 2013. Given this high cost, you'd think that employers and health care providers would work together to minimize data sharing. Probably not as long as consumers bear the risks.

Third, if my wife had signed up for health care services with Concentra, then much more sensitive information would have been stolen in the MIE breach. One may argue who is to blame for the data security failure (e.g., breach), but at the end of the day: the employer hired Concentra, and Concentra hired MIE. There is enough blame to go around.

Fourth, the MIE breach highlights some of the places employees' sensitive information can be shared without their knowledge (or consent). If the MIE breach hadn't happened, would employees know their medical records were stored in the cloud? Would employees know about the eligibility-file sharing? One wonders. Employees deserve to know upfront.

Your sensitive personal information also moves when companies (e.g., health care providers, employers, cloud vendors) buy, sell, and merge with other companies. That includes your medical records. Since eligibility-file-sourced data is archived, you don't have to be a health care plan subscriber or patient for your information to move with it.

Fifth, for information to be private there must be control. The eligibility-file sharing suggests that employers have the control, not employees. Consumers like my wife have taken steps to protect themselves and their sensitive information by locking down their credit reports with Security Freezes. That data protection is largely undone by eligibility-file sharing with health care providers. Not good.

Consumers need a comparable mechanism to lock down their medical records and prevent eligibility-file sharing. Without such a mechanism, consumers have no control over either their medical or their personal information. Without control, consumers lack privacy. You lack privacy.

It will be interesting to watch how Select Medical manages its new acquisition. The Select Medical website lists these core values:

"We deliver superior quality in all that we do. At Select Medical, we set high standards of performance for ourselves and for others. We provide superior services to our patients. We continually strive to uphold and improve our reputation for excellence.

We treat others as they would like to be treated. At Select Medical, we treat each other with respect and promote a positive environment where people feel valued. We are honest and open in our relationships and straightforward in our communications.

We are results-oriented and achieve our objectives. At Select Medical, we are focused and decisive in achieving our objectives and helping others achieve theirs. We accept responsibility for our decisions and actions. We are accountable for using our time, talents and resources effectively."

My wife and I know how we want to be treated. We want to be treated with respect. We know how we want our sensitive personal and health information treated:

  • Don't collect it unless we're patients,
  • Don't archive it unless we're patients,
  • Don't share it without notice and consent. Consent must be explicit, specific, for a stated duration, and for specific purposes,
  • Don't collect and archive it if you can't protect it,
  • Be transparent. Provide clear, honest answers about breach investigations and data-sharing practices,
  • Don't try to trick us with promises of convenience,
  • Hold your outsourcing vendors to the same standards,
  • Don't make consumers assume the risk. You benefited from data sharing, so you pay the costs, and
  • Two years of credit monitoring is insufficient since the risk is far longer.

What are your opinions? Does the data sharing by employers bother you?


OPM And DOD Hire ID Experts For Credit Monitoring And Post-Breach Services

Just before the long holiday weekend, the Office of Personnel Management (OPM) and the Department of Defense (DOD) announced a contract with Identity Theft Guard Solutions LLC (a/k/a ID Experts) to assist the 21.5 million persons affected by the massive breach first reported in June. The contract provides three years of free services for persons whose sensitive information, such as Social Security numbers, was stolen.

Breach victims will be notified during September. The contract includes coverage for breach victims and their dependent children under the age of 18. ID Experts will provide credit monitoring, identity monitoring, identity theft insurance, and identity restoration services. Beth Cobert, the Acting Director at OPM, said:

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future... Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

To learn more, the OPM suggested that breach victims sign up for email alerts and visit https://www.opm.gov/cybersecurity. The OPM announcement included advice for all breach victims to protect themselves and their sensitive information, plus additional information for residents of California, Kentucky, Maryland, and North Carolina.

Read the OPM announcement about its contract with ID Experts.