
Data Breaches At Maryland Parking Garages Affect Thousands

Data breaches at three parking garages in downtown Annapolis, Maryland have put the sensitive personal and payment data of thousands of consumers at risk. WJZ, the CBS affiliate in Annapolis, reported that a:

"... preliminary investigation shows that the breach took place from December 23, 2015 to June 11, 2016 — nearly six months — at the Noah Hill, Gott’s Court and Knighton garages... The breach affects drivers who used the daily parking option, not those who have monthly plans or residents."

After learning about the breach, the city switched to cash-only payments. While the city responded quickly, questions remain. The news report did not mention when and how affected persons would be notified of the breach. A brief scan on Monday of the Annapolis Parking website did not find any breach notices. Consumers need to be notified promptly.

Also, the nature of the breach suggests that the payment terminals were compromised. Many consumers are probably thinking: I don't live in nor visit Annapolis, so no problem.

Well, big problem. We all visit and park our vehicles at downtown city locations. Some people visit more often than others. You don't have to look far to find breaches at parking garages in Chicago, Cleveland, and at this parking vendor which serves several cities.

This Annapolis parking-garage breach is a reminder of the vulnerability of payment terminals at all parking garages. Like the pumps at gas stations, parking garages have free-standing payment terminals that are unattended for long periods of time. This creates an opportunity for criminals to tamper with the terminals and install skimming devices either inside or on the exterior of the terminals. It is a popular tactic used by criminals at both ATMs and gas stations.

So, when you pay using a debit or credit card at a parking garage, you are betting that the garage operator regularly inspects its payment terminals for skimming devices, and adequately protects its computer systems from hacks and malware.


Emails And Passwords For Sale From The Massive Tumblr Data Breach

Things seem to be getting worse at Tumblr, a blogging platform Yahoo acquired in 2013. First, Tumblr announced on May 12 a possible data breach, which stated:

"We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."

That early May announcement directed users to reset their passwords, and use secure https connections. It didn't state the number of affected accounts. Well, now we know more.

Softpedia reported on May 30 that valid Tumblr passwords are available online for sale:

"Independent security researcher Troy Hunt revealed today that he received a data dump that contains 65,469,298 emails and hashed passwords, which the anonymous donor said belonged to Tumblr users. The researcher tracked the data dump to The Real Deal Dark Web marketplace, where a hacker by the name of Peace (also known as Peace_of_mind) is selling it for 0.4255 Bitcoin ($225)..."

That's 65.4 million passwords compromised. A massive breach affecting about one out of every eight Tumblr users. The good news: Tumblr had encrypted its users' passwords. The bad news: the hackers have broken the encryption. That means Tumblr users probably should, a) change their passwords again, and b) inquire what Tumblr is doing to better protect sensitive information so this doesn't happen again.

It seems that Tumblr's breach detection and security processes are both lacking. Softpedia also reported:

"Peace, the hacker that's selling the data, is the same person that put up for sale the MySpace and LinkedIn data dumps, but also other online services such as Fling.com and the Linux Mint forum."

Hmmm. It seems that several social networking sites need to improve their defenses.


LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 million records affecting as many persons, not 6.5 million. And, 117 million people are at risk now. To make matters worse, hackers have already cracked the encryption method LinkedIn.com used to protect users' passwords:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store passwords in an insecure way..."

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We will let individual members know if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field, and to find jobs. If you use the site, experts advise changing your password immediately and not reusing the same password at multiple websites.
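The Tumblr and LinkedIn items above turn on one detail: Tumblr's passwords were salted and hashed, while LinkedIn's 2012 hashes were unsalted SHA1. The following Python example, added here and not taken from either company or from the news reports, shows in working code why that matters from a defender's side: with unsalted hashes a leaked table immediately reveals which users share a password (and one precomputed table covers every user), while per-user random salts and a slow KDF remove that property. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for illustration only (not real breach data).
# Two users deliberately share the same password.
SAMPLE_USERS = {
    "alice": "summer2012",
    "bob": "summer2012",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the LinkedIn quote: SHA1 over the bare password.

    The same password always produces the same hash, for every user and every site,
    so one precomputed lookup table covers all 167 million accounts at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened form: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The salt is stored alongside the digest as 'salt$iterations$digest' so the
    server can re-derive the digest at login time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def store_unsalted(users: dict) -> dict:
    """Build a {user: hash} table the way an unsalted-SHA1 site would."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Build a {user: stored} table with a fresh 16-byte random salt per user."""
    return {user: salted_hash(pw, os.urandom(16)) for user, pw in users.items()}


def duplicate_hash_groups(table: dict) -> list:
    """Given a leaked {user: hash} table, list groups of users whose stored values
    are identical. This is a cheap check a defender can run on their own table:
    any non-empty result means identical passwords are visible at a glance, which
    only happens when hashing is unsalted."""
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    strong = store_salted(SAMPLE_USERS)
    print("unsalted duplicate groups:", duplicate_hash_groups(weak))   # [['alice', 'bob']]
    print("salted duplicate groups:  ", duplicate_hash_groups(strong))  # []
    print("login check:", verify_salted("summer2012", strong["alice"]))  # True
```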


Breach Notifications Rise More Than 40 Percent In New York

Breach notifications involving New York State residents have risen more than 40 percent compared to a year ago. Attorney General Eric T. Schneiderman announced on Wednesday that his office:

"... has received 459 data breach notices from the first of the year through May 2, 2016, as compared with 327 through the same time last year. In the year 2015 alone, the office received 809 data breach notices. The office is expecting to receive well over 1000 notices for the year, a new record."

The New York State Information Security Breach & Notification Act requires companies to provide notice to the Attorney General's office and to affected consumers. Companies use an online submission form. Previously, notifications were submitted via postal mail, fax, or email.

The Attorney General's office released a data breach report in July 2014 which found:

"... the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, which cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches."

If you receive a breach notification letter, the Identity Theft Resource Center advises consumers to (links added):

"1. Call the three credit bureaus (Experian, Equifax, and Transunion) and request a 90-day fraud alert be placed on your credit reports.

2. Request your annual free credit report from each of the aforementioned credit bureaus and review them for any inaccuracies...

3. If you do find any inaccuracies, call the three credit bureaus and request a security freeze be placed on your credit reports. This may cost a nominal fee depending on the state that you are in and does not allow new credit lines to be processed until you personally unfreeze your credit. Even if you do not find any inaccuracies, you may want to consider putting a security freeze on your credit as a precautionary measure.

4. File your tax returns as early as possible to avoid an identity thief filing a tax return under your name in order to receive fraudulent tax refunds.

5. Contact the Social Security Administration and request your wage report to ensure that an identity thief has not reported fraudulent wages which you may have to pay taxes on if not resolved.

6. For more details on what to do if you have received a data breach notification letter, please read our ITRC Fact Sheet FS 129."

Learn how to spot fake breach notices from scammers. To help residents confirm breach notifications, a few states (Maryland, New Hampshire, Vermont, Wisconsin) post online the breach notices they have received.

Comments? Opinions? If you know of any states that post breach notices online, please tell us below.


Report: Lawsuits Resulting From Corporate Data Breaches

Chart 1: Bryan Cave LLP: 2016 Breach Litigation Report.

This week, the law firm of Bryan Cave LLP released its annual review of litigation related to data breaches. 83 cases were filed, representing a 25 percent decline compared to the prior year. Other key findings from the 2016 report:

"Approximately 5% of publicly reported data breaches led to class action litigation. The conversion rate has remained relatively consistent as compared to prior years... When multiple filings against single defendants are removed, there were only 21 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in the 2015 Report, wherein plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches..."

Slightly more than half (51 percent) of all cases were national. The most common venues where lawsuits were filed included the Northern District of Georgia, the Central District of California, the Northern District of California, and the Northern District of Illinois. However:

"Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based."

Charges of negligence were cited in 75 percent of lawsuits. Which industries were frequently sued and which weren't:

"... the medical industry was disproportionately targeted by the plaintiffs’ bar. While only 24% of publicly reported breaches related to the medical industry, nearly 33% of data breach class actions targeted medical or insurance providers. The overweighting of the medical industry was due, however, to multiple lawsuits filed in connection with two large scale breaches... There was a 76% decline in the percentage of class actions involving the breach of credit cards... The decline most likely reflects a reduction in the quantity of high profile credit card breaches, difficulties by plaintiffs’ attorneys to prove economic harm following such breaches, and relatively small awards and settlements.."

57 percent of cases included sensitive personal information (e.g., Social Security numbers), 23 percent of cases included debit/credit card information, and 18 percent of cases included credit reports. The law firm reviewed lawsuits occurring during a 15-month period ending in December, 2015. Data sources included Westlaw Pleadings, Westlaw Dockets, and PACER databases.

Historically, some lawsuits by consumers haven't succeeded when courts have dismissed cases because plaintiffs weren't able to prove injuries. According to the Financial Times:

"However, decisions from a number of high-profile cases are likely to make it easier for consumers to bring suits against companies in the event of a data breach... For example, in July 2015, the Seventh US Circuit Court of Appeals, overturning a previous judgment, ruled that customers of Neiman Marcus could potentially sue the retailer because they were at substantial risk of identity theft or becoming victims of fraud..."

Learn more about the Neiman Marcus class-action. Criminals hack corporate databases specifically to reuse (or resell) victims' stolen sensitive personal and payment information to obtain fraudulent credit, drain bank accounts, and/or hack online accounts -- injuries which often don't happen immediately after the breach. That's what identity thieves do. Hopefully, courts will take a broader, more enlightened view.

I look forward to reading future reports which discuss drivers' license data, children's online privacy, and the Internet of Things (IoT). View the "2016 Data Breach Litigation Report" by Bryan Cave LLP. Below is another chart from the report.

Chart 2: Bryan Cave LLP: 2016 Breach Litigation Report.


New Federal Agency For Stronger Protections Of Background Investigations

Fallout continues from the massive data breach at the Office of Personnel Management (OPM) in 2015. The U.S. Federal government announced a reorganization to provide stronger protections of sensitive information collected during background investigations for federal employees and contractors. The reorganization features several changes including a new agency, the National Background Investigations Bureau (NBIB). The WhiteHouse.gov site announced:

"... the establishment of the National Background Investigations Bureau (NBIB), which will absorb the U.S. Office of Personnel Management’s (OPM) existing Federal Investigative Services (FIS), and be headquartered in Washington, D.C.  This new government-wide service provider for background investigations will be housed within the OPM. Its mission will be to provide effective, efficient, and secure background investigations for the Federal Government. Unlike the previous structure, the Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB."

After the massive data breach at OPM, several federal agencies conducted a joint 90-Day Suitability and Security review. The agencies involved included the Performance Accountability Council (PAC), the Office of Management and Budget (OMB), the Director of National Intelligence (DNI), the Director of the U.S. OPM, the Departments of Defense (DOD), the Treasury, Homeland Security, State, Justice, Energy, the Federal Bureau of Investigation, and others.

According to its Fact Sheet, the OPM’s Federal Investigative Services (FIS) unit currently conducts investigations for more than 100 Federal agencies. The FIS conducts more than 600,000 security clearance investigations and 400,000 suitability investigations annually. An NBIB Transition Team will oversee the migration to the new information technology systems and procedures. Transition project goals include:

  1. Establish a five-year re-investigation requirement for all personnel with security clearances, regardless of the level of access,
  2. Reduce the number of personnel with active security clearances by 17 percent
  3. Introduce programs to continuously evaluate personnel with security clearances to determine whether ongoing security clearances are necessary, and
  4. Develop recommendations to enhance information sharing between State, local, and Federal Law Enforcement agencies regarding background investigations.

The changes were announced jointly on January 22, 2016 by James R. Clapper (the Director of National Intelligence), Beth Cobert (Acting Director of the OPM), Marcel Lettre (Under Secretary of Defense for Intelligence, Department of Defense), Tony Scott (U.S. Chief Information Officer), and J. Michael Daniel (Special Assistant to the President and Cybersecurity Coordinator, National Security Council, The White House).


How To Recognize Bogus OPM Breach Letters From Scammers

Earlier this year, a data breach at the Office of Personnel Management (OPM), a federal government agency, exposed the sensitive personal information of government employees, former government employees, and their families. Identity criminals and fraudsters are taking advantage of the breach by sending bogus breach letters supposedly from the OPM.

The Better Business Bureau (BBB) advised consumers how to recognize valid letters from the OPM:

"Real Letters Contain: a) A 25 digit PIN to register for credit and identity monitoring services. Make sure your PIN is real by entering it at opm.gov/cybersecurity; b) Instructions to visit the website opm.gov/cybersecurity to get more information and sign up for monitoring"

How to spot bogus OPM solicitations from scammers:

  1. The OPM will not ask you to confirm your personal information. So, do not share it with anyone asking.
  2. The OPM is not using e-mail. They are using surface postal mail.

If you lost your PIN number or didn't receive a breach notice from the OPM and think that you are affected, then you can confirm your status at the OPM security site. If you receive a bogus letter from scammers about this or other breaches, report it to the BBB.


Data Breach: Unprotected Online Database Exposed The Sensitive Information Of About 3.3 Million Hello Kitty Users

A security researcher found online a database containing the sensitive information of customers of the Hello Kitty gaming site. Just before the Christmas holiday, C|Net reported:

"Personal information for fans who connect through SanrioTown.com has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required... SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online."

C|Net also reported that the security researcher:

"... showed CNET a sample of the records he saw, which includes a list of usernames, scrambled up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database. Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud."

Reportedly, the database sat open and exposed for about a month. This breach was found by the same security researcher who found earlier in December a flaw in the MacKeeper security software, which exposed the sensitive information of 13 million Apple users. SanrioTown is still investigating its breach, and its users must change both their passwords and security questions.

The Washington Times reported:

"Sanrio Digital, a subsidiary of the Japanese owner of “Hello Kitty,” a popular children’s brand, told Reuters on Tuesday that it patched a security glitch that had affected one of its databases after being tipped off by Chris Vickery, a U.S.-based researcher who helps identify and fix vulnerable computer systems... Sanrio has insisted that evidence has so far failed to suggest that anyone other than Mr. Vickery had accessed the database with authorization..."

Reportedly, the breach exposed the following data elements: full names, birthdays, genders, email addresses and related information about 3.3 million account holders. That included information about 186,261 persons under the age of 18. Payment information (e.g., credit cards) was not exposed, according to the SanrioTown security statement.

Two items about this breach need to be highlighted:

  1. The operative phrase in the company's statement is, "that evidence so far..." More evidence may surface later; and
  2. The company did not discover its own database sitting open, unprotected in the wild. An external security researcher found it. That fact does not bode well for the company's security team and data security processes.

What are your opinions of this data breach?


iFit Data Breach Exposes The Sensitive Information of More Than Half A Million Users

Plenty of stationary, mobile, and wearable devices -- including their apps -- collect and store consumers' sensitive personal data, including health information. The Data Breaches blog reported a breach involving the popular mobile fitness app, iFit, affecting as many as 576,274 users. A researcher discovered the breach on December 10.

The iFit app includes customizable workouts designed by fitness trainers. It is incorporated into wristbands, smart watches, and stationary exercise equipment such as NordicTrack. The stationary equipment includes treadmills, elliptical machines, strength-training machines, and exercise bikes used in homes and gyms. iFit also operates a wellness program with corporate partners for their employees.

The iFit Privacy policy provides a clear indication of the massive amount of data collected, archived, and reportedly exposed or stolen during this breach:

"... two types of information from users of our Site: "Personally Identifiable Information" which is information that can be used to locate you, contact you, or determine your specific identity (such as name, e-mail address, mailing address, phone number, user name, credit card information, etc.) and "Aggregate Information" which is information about your activities on the Site or in connection with the services that cannot be used to identify, locate, or contact you (such as frequency of visits to the Site, data entered when using the Site, gender, age, weight, height, food intake, activity level, interests, workout history and results, exercise equipment, Site pages most frequently accessed, browser type, links a User clicks, IP address, and other similar information)... When you register for an account (free or paid), we collect your name, a user name, a password, date of birth, current weight, target weight, height, gender, measurement system, activity level, fitness goal, intensity level, and the retail location where you purchased your iFit® equipment. When you use a credit card to pay for any of our services or products, we ask for your name, address, credit card and credit card-related information."

Besides archiving customers' exercise types, dates, times, geo-locations, and exercise durations, the app often calculates calories burned. All of this data would be immensely valuable to insurance firms, health care organizations, and others. The data elements exposed or stolen open the breach victims to financial fraud, medical fraud, stalking, and spam.

For consumers who either want to keep their exercise activity private or expect fitness app developers to secure and protect sensitive information the way health care organizations must, the data breach is a very troubling event. It is unclear whether breach victims are limited to the United States.

ICON Health and Fitness makes a lot of the exercise bikes, ellipticals, and strength-training equipment that use the iFit app.

At press time, a check of the iFit site and blog did not find any announcements of the breach. What are your opinions of the breach? Of the data collected? Of the company's post-breach response so far?


University of Rochester Medical Center Settles With New York State Attorney General For Data Breach

Earlier this month, the New York State Attorney General announced a settlement agreement with the University of Rochester Medical Center (URMC) about a data breach earlier this year. URMC will pay a $15,000 fine and is required to train its staff on proper data security procedures for protected health information.

The settlement agreement was dated November 20, 2015. The April 2015 events surrounding the data breach:

"... a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients.  On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN. URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients... GRN has attested that all health information transmitted by URMC has been returned or deleted."

State attorneys general were empowered by law in 2009 to enforce Health Insurance Portability and Accountability Act (HIPAA) violations. Hospitals are required by law to provide patients with a Notice of Privacy Practices document, which patients and their families should read. Read the URMC NPP (Adobe PDF).

This is not the first data breach at URMC. There were three prior data breaches with the latest in 2013. HIPAA requires health care organizations to report data breaches affecting 500 or more persons. The URMC settlement agreement (Adobe PDF) contains more stringent reporting requirements for URMC to the New York State Office of Attorney General (OAG):

"For a period of three (3) years, commencing from the execution of this Agreement, if URMC determines that a member of the workforce has breached unsecured protected health information, consistent with the HIPAA Breach Notification Rule, URMC is to notify the OAG of the breach within sixty (60) days of the breach if the number of individuals affected by the breach is fifteen (15) or more (for breaches of fourteen (14) or fewer URMC to notify the OAG annually), in addition to the existing notification responsibilities."

A survey earlier this year found that 45 percent of patients were “very” or “moderately concerned” about the security of their medical records, including access by unauthorized persons which would lead to identity theft and fraud. A breach earlier this year at electronic records vendor Medical Informatics Engineering highlighted the fact that data breaches at health care organizations expose patients to both medical and financial fraud.

While the fine in this case is tiny compared to the multi-billion-dollar fines paid recently by several big banks, it is still important because people expect health care organizations to properly secure and protect sensitive patient information. Experts have warned that resolving medical identity fraud can be costly and time-consuming, and can require plenty of effort and expertise, since the victim's medical records have often been corrupted with the thief's medical and health information.

If URMC experiences more data breaches, steeper fines and a longer period of more stringent breach reporting would seem applicable, given URMC's breach history. What are your opinions of the settlement agreement?

[Editor's note: In the interest of full disclosure, I have no relationship with URMC except that I am a graduate and alum of the University of Rochester.]


Experian Has Paid $20 Million (So Far) In Post Breach Costs

Just before the Thanksgiving holiday, The National Law Review reported:

"Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may only be just the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage as well as cooperating with the government’s investigations in to the matter."

Details about the September breach are available here.

Not good. As I wrote in October, Experian CEO Brian Cassin should resign. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (again) is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better. The company is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

If they can't protect it, don't collect it; and go do something else.


Target Settles With Banks And Credit Unions. Retailer To Pay More Than $39 Million

After a settlement with Visa earlier this year, Target has finalized settlement agreements with several banks and credit unions concerning its 2013 data breach. The retailer has agreed to pay $39.4 million to affected banks and credit unions. It will pay $20.25 million to banks and credit unions, plus $19.11 million to reimburse MasterCard Inc card issuers.

The banks include Umpqua Holdings Corporation (Oregon), Mutual Bank in Whitman (Massachusetts), Village Bank (Minnesota), CSE Federal Credit Union (Louisiana), and First Federal Savings of Lorain (Ohio). Reportedly, the retailer has spent $290 million in post-breach related costs, with insurance companies expected to cover about $90 million. Several lawsuits are still outstanding.


Learning Apps Company Confirms Data Breach Affecting 11.6 Million Persons

Earlier today, educational toy maker VTech confirmed a data breach affecting 11.6 million persons. On November 27, Motherboard first reported the breach affecting 5 million parents and 200,000 children. The data breach is larger than first reported by many news organizations.

In its FAQ page, VTech confirmed that on November 14 hackers accessed its customer database:

"... on our Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.  Kid Connect allows parents using a smartphone app to chat with their kids using a VTech tablet."

The company learned of the data breach on November 24 when a journalist inquired. During its current breach investigation, VTech has temporarily suspended operations at Learning Lodge, the Kid Connect network, and a dozen websites including both PlanetVtech and VSmileLink sites in the US, France, Germany, United Kingdom, and Spain. VTech's customers are located in the USA, Canada, United Kingdom, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

The number of persons affected by the breach:

"In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts.  In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate."

The VTech FAQ page also listed the number of breach victims by country. Parent accounts include the following data elements: name, e-mail address, security question and answer for password retrieval, IP address, mailing address, download history, and encrypted password. VTech's customer database does not contain credit card payment information, nor Social Security and similar identification information.

VTech describes itself as a global leader in electronic learning products for children and the world's largest manufacturer of cordless phones. Founded in 1976, VTech is headquartered in Hong Kong and has operations in 11 countries including manufacturing facilities in China. It has about 30,000 employees, with 1,500 research and development professionals in Canada, Germany, Hong Kong, and China.

Even though customers' passwords were encrypted, VTech advised breach victims to change their passwords anyway, as skilled hackers may break the encryption. This is critical if breach victims used the same passwords, security questions, and security answers at other online sites.

This is not good. Whatever security detection software VTech used needs to be upgraded or replaced. A company should not learn about a breach from a journalist. The data elements stolen are sufficient for criminals to impersonate data breach victims, attempt to break into victims' other online accounts (e.g., banking), and send spam e-mail messages.

Do you or your children use VTech apps, games, or e-books? If so, what breach notifications have you received?


How The Teenager Hacked The CIA Director's Email Account

You've probably heard about it, or read some of the initial news reports. The New York Post broke the story about a teenager hacking into the e-mail account of John Brennan, Director of the Central Intelligence Agency (CIA). The methods the hacker used are a good example of pretexting: when a criminal pretends to be somebody they aren't in order to acquire sensitive information about the target(s).

Wired provided a detailed report about the incident, which I've distilled into seven steps:

  1. The hacker did a reverse number lookup of Brennan's mobile phone number. Several websites provide this feature. From that, the hacker learned that Verizon was Brennan's provider of phone services.
  2. Pretending to be a Verizon technician, the teenage hacker and his accomplices called Verizon asking for details about Brennan's account. The Verizon phone rep asked for their Vcode, a unique number assigned to each Verizon technician. The hacker provided a fake Vcode which somehow passed Verizon's security. From that, the hacker learned Brennan’s account number, four-digit PIN, the backup mobile number on Brennan's account, Brennan’s AOL email address, and the last four digits on Brennan's bank card.
  3. The hacker accessed Brennan's AOL e-mail account on October 12, and read several e-mail messages including messages forwarded from his work e-mail account. From that, the hacker learned Brennan's secure White House e-mail address, his security clearance application, topics discussed by Brennan and other intelligence officials, and work-related documents attached to several e-mail messages. One attachment included a spreadsheet with names and Social Security numbers of several persons, including intelligence officials.
  4. The hackers posted photos of several documents online via a Twitter account they had set up. The hackers accessed Brennan's account for at least three days.
  5. On October 16, the hacker posted via Twitter that Brennan had deleted his AOL e-mail account supposedly because the hackers had accessed it.
  6. Brennan reset the password on his AOL account, which the hackers accessed again. This suggests that they called AOL customer service pretending to be Brennan and reset the password on his account so they could access it. Reportedly, the dueling password resets happened three times.
  7. The hackers called Brennan's mobile phone number and told him his account had been hacked. After asking them what they wanted, the hackers reportedly answered, "We just want Palestine to be free and for you to stop killing innocent people."

What should consumers make of this incident? First, the incident provides a window into the hassles and inconveniences when your e-mail account is hacked and taken over by a criminal. The hackers could have sent out spam messages from Brennan's account to his friends, family, and coworkers. Second, the incident highlights the necessity of not using the same password on multiple accounts. When consumers do this, it makes it easy for criminals to access several of their online and financial accounts. Hackers will try the same stolen password at other online accounts to see where else it works.

Third, the incident is a reminder for consumers never to disclose sensitive personal and financial information over the phone. Why? Simply, the caller's identity is unknown and unverified. We consumers frequently receive calls from identity thieves posing as computer support vendors or bogus cardholder services.

Fourth, Verizon should improve its security processes. A fake Vcode should not allow access to customers' sensitive information. There should be consequences for Verizon for this breach. Fifth, the hackers' techniques provide a tiny view of the activities spies and counter-intelligence agencies perform, and why these entities want to hack into government agencies' websites, such as the Office of Personnel Management breach earlier this year.

Sixth, adding your mobile phone number to your social networking and e-mail accounts is not a data security cure-all. Smart hackers will target your mobile phone number so that they receive any notifications you've set up about changes to your account.

Seventh and perhaps most troubling, the Brennan and Clinton e-mail incidents suggest that many government officials highly value convenience (just as consumers do), by forwarding work-related e-mails and documents from secure work systems to less secure commercial systems. You could argue that this desire for convenience is a security weakness. Eighth, you can bet that spies will try to take advantage of this weakness by replicating pretexting attacks on other high-value executive targets, in both the public and private sectors. If a teenager can do it, then so can an experienced spy.

What are your opinions of the hacking incident? Of Verizon's role?


Update: Target Breach Settlements And Pending Court Action

Tying some loose ends: Target settled with Visa in August to resolve claims from the retailer's massive 2013 data breach in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. The value of that settlement was up to $67 million, depending upon how many card issuers worldwide accept that deal. A $19 million settlement with MasterCard fell through.

In March, the retailer agreed to pay $10 million to settle lawsuits by consumers. While the July 31, 2015 deadline has passed for affected shoppers to submit claims, the Target Settlement website listed the next important date as a November 10, 2015 hearing for the Court to approve the settlement. Payments to consumers will happen after the Court approves the settlement.


Experian Data Breach Affects 15 Million T-Mobile Customers, And Highlights Privacy Concerns

Experian, one of the three major credit-reporting agencies in the United States, announced last week a data breach that affected at least 15 million T-Mobile customers. Unauthorized persons accessed an Experian server which contained personal information about consumers who had applied for T-Mobile USA services between September 1 and September 16, 2015.

Experian discovered the breach on September 15, 2015. The information accessed and stolen included names, addresses, Social Security Numbers, birth dates, identification numbers (e.g., driver's license, military ID, passport number, etc.), and additional data related to T-Mobile's credit-check process. The credit reporting agency also said:

"Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained."

Thank heavens for little favors. Thankfully, at least one Experian employee had the good sense to segregate its database of T-Mobile customers from its database of everyone else. Otherwise, the hackers would have accessed and stolen sensitive personal information for 250 million persons. And, the "no payment card or banking information was obtained," is like saying bank thieves stole everything but not the one-, five-, and ten-dollar bills. This is bad folks, and Experian should not issue statements in a failed attempt to perfume-a-pig. The pig still stinks.

Experian has notified and is working with both federal and international law enforcement agencies. The post-breach investigation is ongoing. The company is notifying affected persons and will offer two years of free credit monitoring and identity resolution services. Some security experts are skeptical, and questioned whether Experian deployed the data-breach-detection services of 41st Parameter, a wholly owned subsidiary.

John Legere, the T-Mobile Chief Executive, said in a statement:

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian..."

Understandable and justified anger. No doubt, lawsuits will result.

This is not good. The data elements stolen are sufficient for criminals to apply for fraudulent loans, create fraudulent identification cards, and effectively approach the family, friends, coworkers, and classmates by impersonating breach victims.

This is not the first data breach at Experian. In February 2014, hackers used a client's login credentials to access an undisclosed number of consumers' records. The data stolen included consumer credit reports, names, addresses, Social Security Numbers, birth dates, and additional information commonly found in credit reports. In May 2012, Experian announced a breach where hackers accessed an undisclosed number of consumers' records between October 19, 2011 and February 13, 2012. A breach in 2009 affected Maryland residents, and a lawsuit was filed in July 2015 against Experian for allegedly selling consumer information to a criminal posing as a data broker. That criminal allegedly resold data to other identity thieves.

Some critics demand stronger consequences. Fight for the Future's Jeff Lyon said:

"Experian CEO Brian Cassin has put the profits of his company above the well-being of his customers and our nation's cybersecurity. Why should Experian bother fixing their security when they can just lobby their way out of the messes they make? ... This type of thinking is putting millions of people at risk. Cassin should resign..."

I agree. Cassin should resign. Lyon's comments allude to the Cybersecurity Information Sharing Act (CISA) of 2013, which is making its way through Congress. Privacy advocates argue that the bill fails to provide adequate data security protections and instead promotes data sharing of consumers' information with the federal government to facilitate surveillance. Some argue that the bill will actually hurt privacy.

I agree. It's poor legislation. Now, back to Experian. The credit reporting agency's track record of breaches is troubling. Paying post-breach related costs (e.g., free credit monitoring), again, is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better. It is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

What are your opinions?


Luxury Trump Hotel In Las Vegas Begins Notification Of Consumers About Data Breach

The law firm representing the luxury Trump International Hotel and Tower property in Las Vegas announced a data breach affecting its client. To comply with breach notification laws in many states, corporations (or their agents) typically submit breach notices (e.g., sample or final) to the attorney general or applicable legal agency in each state where there are affected residents.

The breach notice at the California Attorney General website (Adobe PDF) read, in part:

"... we are providing notice of a security incident possibly affecting certain individuals who made payment card purchases at Trump International Hotel & Tower Las Vegas, located at 2000 Fashion Show Drive, Las Vegas, NV... Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the Hotel’s payment card system or misused as a result of the incident, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident... it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems... including payment card account number, card expiration date, security code, and cardholder name) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected..."

It seems that payment information was stolen by malware installed within infected terminals. The breach notice also mentioned that the hotel is working with law enforcement, banks, and an independent forensic investigation vendor. All pretty standard stuff. The notice did not disclose the total number of records or consumers affected.

The breach notice includes instructions for affected customers to sign up for one year of free fraud resolution and identity protection services with Experian ProtectMyID. The offer is only for U.S. residents who used a payment card at the Hotel between May 19, 2014, and June 2, 2015. (Since the hotel's website includes content in several languages besides English, I guess that deep-pocketed customers from other countries are simply screwed.) That duration seems skimpy, since many other corporations have offered two years. The breach notice lists a hotel toll-free number for affected customers to get assistance and ask questions.

A check this morning of the hotel's home page did not find a link to a breach notice. Typically, a well-organized post-breach response also includes a website providing affected customers with more information (or dedicated pages at their main site).

So, there seem to be two massive failures in this data breach. The first was a failure to promptly detect the unauthorized access. The second was a lengthy delay of more than a year to notify affected consumers. And, the investigation is still underway, so things could be even worse.

Note: the Krebs On Security blog first broke news in July about data breaches at several hotels, including the Trump hotel in Las Vegas. One wonders why the hotel didn't announce the breach then.