
14 posts from December 2015

Those Quizzes On Facebook. How Accurate Are They?

If you use Facebook, then you've probably seen the quizzes. There are dozens of them, and they are popular. You can easily spot them because they have similar titles: "What [blank] are you?" or "Analyze Your [blank]." Invariably, the quizzes collect your personal information, and often that of people you are connected with.

How accurate are these quizzes? Below is a clue: the result returned after a user submitted their own (unique) profile photo for analysis:

[Image: quiz result returned after a user submitted their profile photo]

How To Recognize Bogus OPM Breach Letters From Scammers

Earlier this year, a data breach at the Office of Personnel Management (OPM), a federal government agency, exposed the sensitive personal information of government employees, former government employees, and their families. Identity criminals and fraudsters are taking advantage of the breach by sending bogus breach letters that appear to come from the OPM.

The Better Business Bureau (BBB) advised consumers how to recognize valid letters from the OPM:

"Real Letters Contain: a) A 25 digit PIN to register for credit and identity monitoring services. Make sure your PIN is real by entering it at; b) Instructions to visit the website to get more information and sign up for monitoring"

How to spot bogus OPM solicitations from scammers:

  1. The OPM will not ask you to confirm your personal information, so do not share it with anyone who asks for it.
  2. The OPM is not contacting affected people by e-mail; it is using postal mail.

If you lost your PIN or didn't receive a breach notice from the OPM and think that you are affected, you can confirm your status at the OPM security site. If you receive a bogus letter from scammers about this or any other breach, report it to the BBB.

Data Breach: Unprotected Online Database Exposed The Sensitive Information Of About 3.3 Million Hello Kitty Users

A security researcher found online a database containing the sensitive information of customers of the Hello Kitty gaming site. Just before the Christmas holiday, CNET reported:

"Personal information for fans who connect through has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required..., designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online."

C|Net also reported that the security researcher:

"... showed CNET a sample of the records he saw, which includes a list of usernames, scrambled up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database. Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud."

Reportedly, the database sat open and exposed for about a month. The breach was found by the same security researcher who, earlier in December, found an unprotected database belonging to the makers of the MacKeeper security software, exposing the sensitive information of about 13 million MacKeeper users. SanrioTown is still investigating its breach; its users must change both their passwords and their security-question answers.

The Washington Times reported:

"Sanrio Digital, a subsidiary of the Japanese owner of “Hello Kitty,” a popular children’s brand, told Reuters on Tuesday that it patched a security glitch that had affected one of its databases after being tipped off by Chris Vickery, a U.S.-based researcher who helps identify and fix vulnerable computer systems... Sanrio has insisted that evidence has so far failed to suggest that anyone other than Mr. Vickery had accessed the database with authorization..."

Reportedly, the breach exposed the following data elements: full names, birthdays, genders, email addresses and related information about 3.3 million account holders. That included information about 186,261 persons under the age of 18. Payment information (e.g., credit cards) was not exposed, according to the SanrioTown security statement.

Two items about this breach need to be highlighted:

  1. The operative phrase in the company's statement is, "that evidence so far..." More evidence may surface later; and
  2. The company did not discover its own database sitting open, unprotected in the wild. An external security researcher found it. That fact does not bode well for the company's security team and data security processes.

What are your opinions of this data breach?

Blocking The Ad Blockers

The digital advertising arms race is well underway. Since many consumers have installed ad blocking software on their computing devices for privacy and a better online experience, some publishers have responded by blocking those online users... or at least those users' web browsers.

While attempting to stream the latest episode of a popular television show, I encountered the message below, which is an extremely poor implementation: it asked me to disable all ad blocking software. A better, more responsible implementation would explain the specific advertising mechanism the site needs to work:

[Image: ad-blocker notice displayed at the CBS website]

Have you encountered any similar messages at other sites?

Attorney General Invites New York State Residents To Check Their Internet Speed

The Attorney General for the State of New York has started a program to help residents check the speed of their high-speed Internet service. The program is part of an investigation to determine whether Internet service providers deliver the broadband speeds promised in their advertisements.

Everyone expects to receive the services they paid for. Attorney General Schneiderman said in a statement:

"New Yorkers should get the Internet speeds they pay for. Too many of us may be paying for one thing, and getting another... By conducting these tests, consumers can uncover whether they are receiving the Internet speeds they have paid for."

After completing the online broadband speed test at the site, New York residents are encouraged to submit their test results to the Attorney General using the form provided. (If you want to take the speed test, read the instructions first. It takes a couple of minutes.) In October, the Attorney General sent a letter to several Internet service providers inquiring about their broadband speed claims.

Chuck Bell, Programs Director for Consumers Union, said:

“As Consumer Reports has pointed out, internet speeds can vary considerably, and consumers do not always get the ‘blazingly fast’ internet speeds they are paying for,” said Chuck Bell, Programs Director for Consumers Union. “We have heard from dozens of customers in New York who are concerned that they are not getting the internet speeds promised by internet providers. We therefore welcome and applaud Attorney General Schneiderman’s statewide investigation to ensure consumers are getting the full benefit of what they are paying for.”

This makes one wonder why attorneys general in other states aren't doing the same for their residents. Did you complete the Internet speed test? If so, are you getting the download speed advertised?

iFit Data Breach Exposes The Sensitive Information of More Than Half A Million Users

Plenty of stationary, mobile, and wearable devices -- including their apps -- collect and store consumers' sensitive personal data, including health information. The Data Breaches blog reported a breach involving the popular mobile fitness app, iFit, affecting as many as 576,274 users. A researcher discovered the breach on December 10.

The iFit app includes customizable workouts designed by fitness trainers. It is incorporated into wristbands, smart watches, and stationary exercise equipment such as NordicTrack. The stationary equipment includes treadmills, elliptical machines, strength-training machines, and exercise bikes used in homes and gyms. iFit also operates a wellness program with corporate partners for their employees.

The iFit Privacy policy provides a clear indication of the massive amount of data collected, archived, and reportedly exposed or stolen during this breach:

"... two types of information from users of our Site: "Personally Identifiable Information" which is information that can be used to locate you, contact you, or determine your specific identity (such as name, e-mail address, mailing address, phone number, user name, credit card information, etc.) and "Aggregate Information" which is information about your activities on the Site or in connection with the services that cannot be used to identify, locate, or contact you (such as frequency of visits to the Site, data entered when using the Site, gender, age, weight, height, food intake, activity level, interests, workout history and results, exercise equipment, Site pages most frequently accessed, browser type, links a User clicks, IP address, and other similar information)... When you register for an account (free or paid), we collect your name, a user name, a password, date of birth, current weight, target weight, height, gender, measurement system, activity level, fitness goal, intensity level, and the retail location where you purchased your iFit® equipment. When you use a credit card to pay for any of our services or products, we ask for your name, address, credit card and credit card-related information."

Besides archiving customers' exercise types, dates, times, geo-locations, and exercise durations, the app often calculates calories burned. All of this data would be immensely valuable to insurance firms, health care organizations, and others. The data elements exposed or stolen open the breach victims to financial fraud, medical fraud, stalking, and spam.

For consumers who either want to keep their exercise activity private or expect fitness app developers to secure and protect sensitive information the way health care organizations must, the data breach is a very troubling event. It is unclear whether breach victims are limited to the United States.

ICON Health and Fitness makes a lot of the exercise bikes, ellipticals, and strength-training equipment that use the iFit app.

At press time, a check of the iFit site and blog did not find any announcements of the breach. What are your opinions of the breach? Of the data collected? Of the company's post-breach response so far?

13,000 Complaints Submitted By Consumers About Comcast's Usage Based Internet Pricing

Nobody wants to pay more than they have to. Earlier this week, Cut Cable Today reported that consumers have filed 13,000 complaints with the U.S. Federal Communications Commission (FCC) about Comcast's Internet charges. Many consumers objected because the pricing change resulted in higher monthly Internet bills.

First, some background. Comcast announced in 2012 its plan to move from data caps to usage based pricing. Usage based pricing means if you use or download more, you pay more. CNN Money reported in 2012:

"Comcast on Thursday decided to get rid of its controversial 250 gigabyte-per-month cap for its broadband customers, replacing it with a usage-based billing system. The company put its current cap in place in 2008. The decision was aimed at a small number of Internet users who Comcast felt were abusing their all-you-can-eat privileges by downloading a steady stream of HD movies... Video drove the majority of consumer Internet traffic for the first time in 2010, making up 53% of all uploads and downloads... Comcast said it would lift its cap and instead put in place a tiered system like the ones Verizon and AT&T use for their wireless data services..."

Comcast Internet customers would get 300 Gigabytes (GB) per month and pay $10.00 for every 50 GB of additional data. The broadband provider ran regional tests in several locations: Savannah and Atlanta, Georgia; Jackson, Mississippi; Charleston, South Carolina; Huntsville and Mobile, Alabama; and central Kentucky. Comcast's plan is to roll out the new pricing wherever possible nationwide after trials are completed.

In its report, Cut Cable Today said:

"We were told that more than 13,000 complaints had already been filed with the Federal Communications Commission that fit our search criteria about Comcast’s unethical practice of imposing data caps. Due to the time it would take to process all 13,000+ of these complaints, we weren’t able to get our hands on all of these complaints, but we did obtain just under 2,000 complaints filed since Comcast started rolling out the caps."

Some of the complaints are about Comcast's data usage meter:

"... they offer a ‘data usage meter’ online that simply tells you how much data you have used every month with no detailed statement as to the accuracy of it with no way to view where the data every month is being allocated, an example would be how much data is being used on Netflix or other streaming services. At the moment it simply says you’ve gone over without any real feedback to tell you exactly where the data was used and could potentially be used to fraud people into paying more for services as there is no way to dispute the data usage."

Not good. Feedback is useful only when it is relevant. Another similar complaint highlights both the problem and the need for independent verification:

"... For every 50GB we consume over the 300GB allotment we pay a fee of $10. However, every month they grossly overestimate the usage on our account... they currently place us at 271GB of 300GB (according to their online meter) used for the month of September. However, our FreeBSD router tracks the total data used (outgoing or incoming) on WAN and only reports a total of ~147.054GB consumed in the same time period. There appears to be a huge discrepancy between what Comcast reports and what is actually being consumed... the difference is too large to be considered normal and it has been consistently overestimated in the past year..."

Not good. Feedback is useful only when it is accurate. One complaint from Nashville, Tennessee indicated how much higher monthly overage charges could be:

"Comcast just surprised me with a bill that shows that I owed $180 for over cap surcharges. I called the same day I got the bill, and they also let me know that I owe another $220 for over cap surcharges. (That’s right, a surprise $400)."

Unreliable or inaccurate usage meters place the burden on consumers to track their broadband usage independently and then apply for credits. See Lifehacker, CNET, and PC Magazine for suggestions about how to monitor your usage. The situation is intensified by websites that automatically play multiple video advertisements, which consumers often can't stop. Usage-based Internet pricing may push more consumers to install ad blocking software on their computers.
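One way to do that independent tracking, as an added example that is not part of the original post or of the articles it links to: sample the byte counters on your router's WAN interface on a schedule (from /proc/net/dev on Linux or `netstat -ib` on FreeBSD, for instance), log them as timestamp,rx_bytes,tx_bytes, and let a script total the traffic and compare it with the figure on the ISP's meter. Two details cause most self-inflicted discrepancies. Many consumer routers expose 32-bit counters, which wrap every 4.29 GB (under six minutes of sustained 100 Mbps), so you must sample often and handle the wrap rather than subtracting blindly. And ISPs bill in decimal gigabytes while many tools report binary gibibytes, a difference of about 7.4 percent, so compare like with like before disputing a bill. The log format, the 10 percent tolerance, the sample log and the function names are all assumptions of this example.

```python
"""Independent broadband usage tally from router interface-counter snapshots.

Added example, not from the original post. Assumes the WAN interface's
rx/tx byte counters are logged periodically as "timestamp,rx_bytes,tx_bytes"
(for example from /proc/net/dev on Linux or `netstat -ib` on FreeBSD).
The log below is constructed for illustration; the counter width,
tolerance and function names are assumptions of this example.
"""

COUNTER_WIDTH = 32   # bits; many consumer routers expose 32-bit counters that wrap
GB = 10 ** 9         # ISPs bill in decimal gigabytes
GIB = 2 ** 30        # many tools report binary gibibytes (a ~7.4% smaller number)

# Constructed sample: four daily samples; rx wraps between samples 2 and 3.
SAMPLE_LOG = """\
# timestamp,rx_bytes,tx_bytes
1441065600,4000000000,100000000
1441152000,4290000000,150000000
1441238400,200000000,160000000
1441324800,1500000000,300000000
"""


def parse_log(text):
    """Return [(timestamp, rx_bytes, tx_bytes), ...] in the order logged."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, rx, tx = line.split(",")
        rows.append((int(ts), int(rx), int(tx)))
    return rows


def counter_delta(prev, cur, width=COUNTER_WIDTH):
    """Bytes moved between two samples, treating cur < prev as one wraparound.

    A naive cur - prev would go negative and silently shrink the total.
    Sampling must be frequent enough that at most one wrap occurs per interval.
    """
    if cur >= prev:
        return cur - prev
    return (1 << width) - prev + cur


def total_bytes(rows):
    """Sum rx and tx bytes across consecutive samples."""
    rx = tx = 0
    for (_, prev_rx, prev_tx), (_, cur_rx, cur_tx) in zip(rows, rows[1:]):
        rx += counter_delta(prev_rx, cur_rx)
        tx += counter_delta(prev_tx, cur_tx)
    return rx, tx


def compare_with_isp(rows, isp_reported_gb, tolerance=0.10):
    """Compare the measured total with the ISP meter's figure (decimal GB).

    Returns the measured total in both units plus a flag set when the ISP
    figure differs from the measurement by more than `tolerance` (a fraction).
    """
    rx, tx = total_bytes(rows)
    total = rx + tx
    measured_gb = total / GB
    discrepancy_gb = isp_reported_gb - measured_gb
    relative = abs(discrepancy_gb) / measured_gb if measured_gb else float("inf")
    return {
        "measured_gb": measured_gb,
        "measured_gib": total / GIB,
        "isp_gb": isp_reported_gb,
        "discrepancy_gb": discrepancy_gb,
        "flag": relative > tolerance,
    }


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for isp_figure in (2.0, 3.7):   # constructed ISP-meter readings
        r = compare_with_isp(rows, isp_figure)
        print(f"measured {r['measured_gb']:.3f} GB ({r['measured_gib']:.3f} GiB), "
              f"ISP says {r['isp_gb']:.1f} GB, diff {r['discrepancy_gb']:+.3f} GB, "
              f"{'DISPUTE' if r['flag'] else 'within tolerance'}")
```

The constructed log deliberately crosses a counter wrap on the third sample; without `counter_delta` the month's total would come out about four gigabytes short and you would be the one under-reporting. Keep the raw snapshots, not just the running total, since that is the evidence you would hand the ISP when asking for a credit.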

The Internet has continued to evolve since 2012. It has become indispensable for entertainment, shopping, telecommuting, small business start-ups, education, online classes, and a lot more. Add in video advertisements, and today's Internet can easily increase consumers' usage. A consumer from Georgia concluded:

"There is no way that [Comcast] can justify this as being fair or right: it’s price gouging, pure and simple."

I've been around business long enough to know that any skilled executive can hide a price increase with a usage-based pricing plan. It's all about where the triggers are inserted.

A complaint by a consumer in Loganville, Georgia highlighted two key problems: the inherent conflict of interest and lack of competition:

"This practice is anti-competitive because Comcast is a content provider. There is no reduction of your data limit if you have one of their TV packages and watch OnDemand content. However, OnDemand programming provided by other providers like DirecTv or internet services like Netflix will result in a reduction in your allotted data limit. This practice steers consumers into Comcast TV packages. Modern internet content is shown in [high definition] or even 4K and the allotted data mandated by Comcast is not sufficient to enjoy the content from the provider of my choice. This practice is also deceptive. I have all data usage alerts provided by Comcast turned on. This month, September 2015, I received my first notice that I had reached my data allotment by phone call. The phone call stated that I was reaching my data limit. When I logged into my account I was already 64GB over my 300GB allotment. There was no notice that I had reached my included data allotment. I believe Comcast practices price gouging because they know that there is not a competitive broadband provider in my market. AT&T does service this market but only offer DSL at 6Mbps [download] maximum. The only significant provider of broadband is Comcast. This leaves me with no option but to pay whatever Comcast wants to charge for service..."

That DSL download speed is far below the broadband benchmark of 25 megabits per second download and 3 megabits per second upload set by the FCC. This worldwide study found that municipal or community broadband networks provide consumers with the best value (e.g., the highest speeds at the lowest prices via wired lines). Regular readers of this blog are aware that 19 states have laws that prevent local towns and cities from forming their own municipal broadband networks. These laws contribute to the lack of competition, and keep your monthly Internet prices higher than they would otherwise be.

Several politicians and Presidential candidates support these states' laws that limit competition, under the guise of "states rights" freedoms. This subterfuge helps their corporate donors, and limits (and ignores) both the freedoms and rights of people in local cities and towns to get and develop their own faster, more affordable high-speed Internet services.

What are your opinions of Comcast's usage-based pricing? If you are a Comcast Internet customer, has your monthly Internet bill gone up? Did you file a complaint with the FCC?

University of Rochester Medical Center Settles With New York State Attorney General For Data Breach

Earlier this month, the New York State Attorney General announced a settlement agreement with the University of Rochester Medical Center (URMC) about a data breach earlier this year. URMC will pay a $15,000 fine and is required to train its staff on proper data security procedures for protected health information.

The settlement agreement was dated November 20, 2015. It describes the April 2015 events surrounding the data breach:

"... a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients. On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN. URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients... GRN has attested that all health information transmitted by URMC has been returned or deleted."

State attorneys general were empowered by law in 2009 to enforce Health Insurance Portability and Accountability Act (HIPAA) violations. Hospitals are required by law to provide patients with a Notice of Privacy Practices document, which patients and their families should read. Read the URMC NPP (Adobe PDF).

This is not the first data breach at URMC. There were three prior data breaches with the latest in 2013. HIPAA requires health care organizations to report data breaches affecting 500 or more persons. The URMC settlement agreement (Adobe PDF) contains more stringent reporting requirements for URMC to the New York State Office of Attorney General (OAG):

"For a period of three (3) years, commencing from the execution of this Agreement, if URMC determines that a member of the workforce has breached unsecured protected health information, consistent with the HIPAA Breach Notification Rule, URMC is to notify the OAG of the breach within sixty (60) days of the breach if the number of individuals affected by the breach is fifteen (15) or more (for breaches of fourteen (14) or fewer URMC to notify the OAG annually), in addition to the existing notification responsibilities."

A survey earlier this year found that 45 percent of patients were “very” or “moderately concerned” about the security of their medical records, including access by unauthorized persons which would lead to identity theft and fraud. A breach earlier this year at electronic records vendor Medical Informatics Engineering highlighted the fact that data breaches at health care organizations expose patients to both medical and financial fraud.

While the fine in this case is tiny compared to the multi-billion-dollar fines paid recently by several big banks, it is still important because people expect health care organizations to properly secure and protect sensitive patient information. Experts have warned that resolving medical identity fraud can be costly and time-consuming, and can require plenty of effort and expertise, since the victim's medical records have often been corrupted with the thief's medical and health information.

If URMC experiences more data breaches, steeper fines and a longer period of more stringent breach reporting would seem applicable, given URMC's breach history. What are your opinions of the settlement agreement?

[Editor's note: In the interest of full disclosure, I have no relationship with URMC except that I am a graduate and alum of the University of Rochester.]

Survey: 40 Percent Of Companies Expect Data Breaches Caused By Employees

eSecurity Planet reported the results of a recent survey of information technology managers and employees. The survey included workers in the United States, United Kingdom, Germany, and Australia. The key findings:

"... 40 percent of companies expect to experience a data breach resulting from employee behavior in the next 12 months... 75 percent of employees believe their company doesn't give them enough information about data policies... 58 percent don't understand what would actually constitute a security breach... 50 percent of respondents admitted that they disregard their companies' data protection policies in order to get their jobs done."

The phrase "insider data breach" refers to data breaches caused by employees. Companies seem focused on external threats from hackers while neglecting insider threats. Lax or untrained employees and poor internal processes are often the root causes.

These survey results are not good. The results indicate that companies are not doing everything they can (and should) to protect the sensitive customer, client, employee, and retiree information they have collected.

Experian Has Paid $20 Million (So Far) In Post Breach Costs

Just before the Thanksgiving holiday, The National Law Review reported:

"Experian’s most recent earnings report shows that it has spent $20 million to date on its response to the September 2015 data breach that exposed the personal information of nearly 15 million wireless carrier customers. The exposed information included names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers – all information Experian uses to process credit checks as part of the customer registration process. The $20 million spent so far on notification and credit monitoring for affected individuals may only be just the beginning of Experian’s financial woes – the credit monitoring firm still has several pending class action lawsuits to manage as well as cooperating with the government’s investigations into the matter."

Details about the September breach are available here.

Not good. As I wrote in October, Experian CEO Brian Cassin should resign. The credit reporting agency's track record of breaches is troubling. Paying post-breach costs (again) is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better: the company is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

If they can't protect it, don't collect it; and go do something else.

Target Settles With Banks And Credit Unions. Retailer To Pay More Than $39 Million

After a settlement with Visa earlier this year, Target has finalized settlement agreements with several banks and credit unions concerning its 2013 data breach. The retailer has agreed to pay a total of $39.4 million: $20.25 million to banks and credit unions, plus $19.11 million to reimburse MasterCard Inc. card issuers.

The banks include Umpqua Holdings Corporation (Oregon), Mutual Bank in Whitman (Massachusetts), Village Bank (Minnesota), CSE Federal Credit Union (Louisiana), and First Federal Savings of Lorain (Ohio). Reportedly, the retailer has spent $290 million in post-breach related costs, with insurance companies expected to cover about $90 million. Several lawsuits are still outstanding.

Learning Apps Company Confirms Data Breach Affecting 11.6 Million Persons

Earlier today, educational toy maker VTech confirmed a data breach affecting 11.6 million persons. On November 27, Motherboard first reported the breach as affecting 5 million parents and 200,000 children. The data breach is larger than many news organizations first reported.

In its FAQ page, VTech confirmed that on November 14 hackers accessed its customer database:

"... on our Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.  Kid Connect allows parents using a smartphone app to chat with their kids using a VTech tablet."

The company learned of the data breach on November 24, when a journalist inquired. During its breach investigation, VTech has temporarily suspended operations at Learning Lodge, the Kid Connect network, and a dozen websites, including the PlanetVTech and VSmileLink sites in the US, France, Germany, United Kingdom, and Spain. VTech's customer data covers the USA, Canada, United Kingdom, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

The number of persons affected by the breach:

"In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts.  In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate."

The VTech FAQ page also listed the number of breach victims by country. Parent accounts include the following data elements: name, e-mail address, security question and answer for password retrieval, IP address, mailing address, download history, and encrypted password. VTech's customer database does not contain credit card payment information, nor Social Security and similar identification information.

VTech describes itself as a global leader in electronic learning products for children and the world's largest manufacturer of cordless phones. Founded in 1976, VTech is headquartered in Hong Kong and has operations in 11 countries including manufacturing facilities in China. It employs about 30,000 employees, with 1,500 research and development professionals in Canada, Germany, Hong Kong, and China.

Even though customers' passwords were encrypted, VTech advised breach victims to change their passwords anyway, since attackers may still recover the original passwords from the stored form (weak passwords fall quickly to offline guessing if the storage used a fast or unsalted hash). This is critical if breach victims used the same passwords, security questions, and security answers at other online sites, where the recovered credentials can simply be replayed.
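The Sanrio item above ("scrambled up passwords") and this VTech item ("encrypted password") turn on the same point: a stored password that is not plaintext is not necessarily safe, and a password reused at other sites is the real exposure. As an added example, not code from the original post or from either company, the script below assumes, purely for illustration, that a dump holds unsalted MD5 digests (the posts say only "encrypted" or "scrambled"), recovers the weak ones offline with a tiny constructed wordlist, and then runs the same wordlist against salted PBKDF2 verifiers to show how salting plus a slow derivation changes the attacker's cost from one hash per candidate for the whole dump to one derivation per candidate per user. Account names, passwords, the wordlist and the iteration count are constructed for this example; PBKDF2 is used only because it ships in Python's standard library, and a production system should prefer bcrypt, scrypt or Argon2.

```python
"""Why breach victims must change passwords even when the dump is 'encrypted'.

Added example, not from the original post, VTech or Sanrio. The page only
says the stored passwords were "encrypted" / "scrambled"; this example
ASSUMES, for illustration, that they were unsalted MD5 digests, and contrasts
that with a salted, slow KDF (PBKDF2-HMAC-SHA256, chosen because it is in the
standard library). Every account, password and wordlist entry is constructed.
"""
import hashlib
import os

ITERATIONS = 100_000  # PBKDF2 work factor; production should use bcrypt/scrypt/Argon2

# Constructed leak: (username, unsalted MD5 hex digest), as an attacker would see it.
LEAKED_UNSALTED = [
    ("parent01", hashlib.md5(b"hellokitty").hexdigest()),
    ("parent02", hashlib.md5(b"password1").hexdigest()),
    ("parent03", hashlib.md5(b"Xq7!vR2#mL9z").hexdigest()),
]

# Constructed attacker wordlist (real ones hold hundreds of millions of entries).
WORDLIST = ["123456", "password", "hellokitty", "password1", "qwerty"]


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted hashes: hash each candidate once, look up every user.

    Cost is len(wordlist) hash operations no matter how many accounts leaked,
    which is why unsalted fast hashes fall almost immediately.
    Returns (cracked_users, hash_operations_performed).
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: lookup[digest] for user, digest in leaked if digest in lookup}
    return cracked, len(wordlist)


def derive(password, salt, iterations=ITERATIONS):
    """Salted, deliberately slow derivation of a password verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password):
    """What a site should keep: a random per-user salt and the derived verifier."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


# The same constructed users, stored the better way.
STORED_SALTED = {
    "parent01": store("hellokitty"),
    "parent03": store("Xq7!vR2#mL9z"),
}


def crack_salted(records, wordlist):
    """Same wordlist against salted verifiers.

    No shared lookup table is possible: each user's salt forces the attacker
    to re-derive every candidate, so cost scales with users * candidates,
    and each derivation is ITERATIONS times slower than a bare hash.
    Returns (cracked_users, derivations_performed).
    """
    cracked = {}
    work = 0
    for user, (salt, verifier) in records.items():
        for candidate in wordlist:
            work += 1
            if derive(candidate, salt) == verifier:
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted MD5: recovered {found} with {work} hash computations")
    found, work = crack_salted(STORED_SALTED, WORDLIST)
    print(f"salted PBKDF2: recovered {found} with {work} derivations "
          f"of {ITERATIONS} iterations each")
```

Note that the weak password still falls in the salted case; salting and a slow KDF only remove the one-table-for-everyone shortcut and buy time, they do not rescue "hellokitty". That is why the advice to change the password, and to stop reusing it and its security answers across sites, holds regardless of how the breached site stored it.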

This is not good. Whatever security detection software VTech used needs to be upgraded or replaced. A company should not learn about a breach from a journalist. The data elements stolen are sufficient for criminals to impersonate data breach victims, attempt to break into victims' other online accounts (e.g., banking), and send spam e-mail messages.

Do you or your children use VTech apps, games, or e-books? If so, what breach notifications have you received?