183 posts categorized "Breach Notification"

Luxury Trump Hotel In Las Vegas Begins Notification Of Consumers About Data Breach

The law firm representing the luxury Trump International Hotel and Tower property in Las Vegas announced a data breach affecting its client. To comply with breach notification laws in many states, corporations (or their agents) typically submit breach notices (e.g., sample or final) to the attorney general or applicable legal agency in each state where there are affected residents.

The breach notice at the California Attorney General website (Adobe PDF) read, in part:

"... we are providing notice of a security incident possibly affecting certain individuals who made payment card purchases at Trump International Hotel & Tower Las Vegas, located at 2000 Fashion Show Drive, Las Vegas, NV... Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the Hotel’s payment card system or misused as a result of the incident, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident... it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems... including payment card account number, card expiration date, security code, and cardholder name) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected..."

It seems that payment information was stolen by malware installed within infected terminals. The breach notice also mentioned that the hotel is working with law enforcement, banks, and an independent forensic investigation vendor. All, pretty standard stuff. The notice did not disclose the total number of records or consumers affected.

The breach notice includes instructions for affected customers to sign up for one year of free fraud resolution and identity protection services with Experian ProtectMyID. The offer is only for U.S. residents who used a payment card at the Hotel between May 19, 2014, and June 2, 2015. (Since the hotel's website includes content in several languages besides English, I guess that deep-pocketed customers from other countries are simply screwed.) That duration seems skimpy, since many other corporations have offered two years. The breach notice lists a hotel toll-free number for affected customers to get assistance and ask questions.

A check this morning of the hotel's home page did not find a link to a breach notice. Typically, a well-organized post-breach response also includes a website providing affected customers with more information (or dedicated pages at the company's main site).

So, there seem to be two massive failures in this data breach. The first was a failure to promptly detect the unauthorized access. The second was a lengthy delay of more than a year to notify affected consumers. And, the investigation is still underway, so things could be even worse.

Note: the Krebs On Security blog first broke news in July about data breaches at several hotels, including the Trump hotel in Las Vegas. One wonders why the hotel didn't announce the breach then.

Apple Removes Apps Infected During Malware Attack

Mashable reported on Monday:

"Dozens of iOS apps in Apple's App Store were infected with malware in recent days, including hugely popular Chinese social networking apps, in what appears to be the first major case of hackers breaching Apple's highly controlled mobile software ecosystem."

Some of the popular apps affected:

"WeChat, which has more than 500 million users in all, said its app was affected by the issue but that it had already fixed the problem earlier this month. It said its version 6.2.5, released on Sept. 10, was infected, but version 6.2.6, released Sept. 12, was not..."

How the breach happened:

"Both the app developers and Apple were apparently unaware that the apps had been infected. Hackers succeeded by tricking the app developers into downloading a modified version of Xcode, the software that developers use to create iOS apps. This fake version of Xcode included the malware, which then made its way into the apps, which were then uploaded to the App Store."

OPM And DOD Hire ID Experts For Credit Monitoring And Post-Breach Services

Just before the long holiday weekend, the Office of Personnel Management (OPM) and the Department of Defense (DOD) announced a contract with Identity Theft Guard Solutions LLC (a/k/a ID Experts) to assist the 21.5 million persons affected by the massive breach first reported in June. The contract provides three years of free services for persons whose sensitive information, such as Social Security numbers, was stolen.

Breach victims will be notified during September. The contract includes coverage for breach victims and their dependent children under the age of 18. ID Experts will provide credit monitoring, identity monitoring, identity theft insurance, and identity restoration services. Beth Cobert, the Acting Director at OPM, said:

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future. Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

To learn more, the OPM suggested that breach victims sign up for email alerts and visit https://www.opm.gov/cybersecurity. The OPM announcement included advice for all breach victims to protect themselves and their sensitive information, plus additional information for residents of California, Kentucky, Maryland, and North Carolina.

Read the OPM announcement about its contract with ID Experts.

Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues

In early June, Medical Informatics Engineering (MIE) announced a data breach in which unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began notifying its corporate clients during June, and began notifying affected patients on July 17.

The July 24, 2015 MIE press release about the breach stated:

"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."

NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records and making the records easily accessible from a variety of devices: desktops, laptops, tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.

According to its breach FAQ page, MIE's client list includes:

  • Concentra,
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
  • Franciscan St. Francis Health Indianapolis,
  • Gynecology Center, Inc. Fort Wayne,
  • Rochester Medical Group,
  • RediMed, and
  • Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)

NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more:

NoMoreClipboard.com Clients Affected By Data Breach:

  • Advanced Cardiac Care
  • Advanced Foot Specialists
  • All About Childrens Pediatric Partners, PC
  • Allen County Dept of Health
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
  • Altagracia Medical Center
  • Anderson Family Medicine
  • Arkansas Otolaryngology, P.A.
  • Auburn Cardiology Associates
  • Basedow Family Clinic Inc.
  • Bastrop Medical Clinic
  • Batish Family Medicine
  • Beaver Medical
  • Boston Podiatry Services PC
  • Brian Griner M.D.
  • Brightstarts Pediatrics
  • Burnsville Medical Center
  • Capital Rehabilitation
  • Cardiovascular Consultants of Kansas
  • Carl Gustafson OD
  • Carolina Gastroenterology
  • Carolina Kidney & Hypertension Center
  • Carolinas Psychiatric Associates
  • Center for Advanced Spinal Surgery
  • Chang Neurosurgery & Spine Care
  • Cheyenne County Hospital
  • Children's Clinic of Owasso, P.C.
  • Clara A. Lennox MD
  • Claude E. Younes M.D., Inc.
  • Coalville Health Center
  • Cornerstone Medical and Wellness, LLC
  • Cumberland Heart
  • David A. Wassil, D.O.
  • David M Mayer MD
  • Dr. Alicia Guice
  • Dr. Anne Hughes
  • Dr. Buchele
  • Dr. Clark
  • Dr. Harvey
  • Dr. John Labban
  • Dr. John Suen
  • Dr. Puleo
  • Dr. Rajesh Rana
  • Dr. Rustagi
  • Dr. Schermerhorn
  • Dr. Shah
  • Ear, Nose & Throat Associates, P.C.
  • East Carolina Medical Associates
  • Eastern Washington Dermatology Associates
  • Ellinwood District Hospital
  • Family Care Chiropractic Center
  • Family Practice Associates of Macomb
  • Family Practice of Macomb
  • Floyd Trillis Jr., M.D.
  • Fredonia Regional Hospital
  • Fremont Family Medicine
  • Generations Primary Care
  • Grace Community Health Center, Inc.
  • Grisell Memorial Hospital
  • Harding Pediatrics LLP
  • Harlan County Health System
  • Health Access Program
  • Heart Institute of Venice
  • Henderson Minor Outpatient Medicine
  • Henry County Hospital myhealth portal
  • Highgate Clinic
  • Hobart Family Medical Clinic
  • Howard Stierwalt, M.D.
  • Howard University Hospital
  • Hudson Essex Nephrology
  • Huntington Medical Associates
  • Huntington Medical Group
  • Hutchinson Regional Medical Center
  • Idaho Sports Medicine Institute
  • In Step Foot & Ankle Specialists
  • Independence Rehabilitation Inc
  • Indiana Endocrine Specialists
  • Indiana Internal Medicine Consultants
  • Indiana Ohio Heart Indiana Surgical Specialists
  • Indiana University
  • Indiana University Health Center
  • Indianapolis Gastroenterology and Hepatology
  • Internal Medicine Associates
  • IU — Northwest
  • Jackson Neurosurgery Clinic
  • James E. Hunt, MD
  • Jasmine K. Leong MD
  • Jewell County Hospital
  • John Hiestand, M.D.
  • Jonathan F. Diller, M.D.
  • Jubilee Community Health
  • Kardous Primary Care
  • Keith A. Harvey, M.D.
  • Kenneth Cesa DPM
  • Kings Clinic and Urgent Care
  • Kiowa County Memorial Hospital
  • Kristin Egan MD
  • Lakeshore Family Practice
  • Lane County Hospital
  • Logan County Hospital
  • Margaret Mary Health
  • Masonboro Urgent Care
  • McDonough Medical Group Psychiatry
  • Medical Care, Inc.
  • Medical Center of East Houston
  • Medicine Lodge Memorial Hospital
  • MHP Cardiology
  • Michael Mann, MD, PC
  • Michelle Barnes Marshall, P.C.
  • Michiana Gastroenterology, Inc.
  • Minneola District Hospital
  • Mora Surgical Clinic
  • Moundridge Mercy Hospital Inc
  • Nancy L. Carteron M.D.
  • Naples Heart Rhythm Specialists
  • Nate Delisi DO
  • Neighborhood Health Clinic
  • Neosho Memorial Regional Medical Center
  • Neuro Spine Pain Surgery Center
  • Norman G. McKoy, M.D. & Ass., P.A.
  • North Corridor Internal Medicine
  • Nova Pain Management
  • Novapex Franklin
  • Oakland Family Practice
  • Oakland Medical Group
  • Ohio Physical Medicine & Rehabilitation Inc.
  • On Track For Life
  • Ottawa County Health Center
  • Pareshchandra C. Patel MD
  • Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
  • Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
  • Parrott Medical Clinic
  • Partners In Family Care
  • Personalized Health Care Of Tucson
  • Phillips County Hospital
  • Physical Medicine Consultants
  • Physicians of North Worchester County
  • Precision Weight Loss Center
  • Primary & Alternative Medical Center
  • Prince George's County Health Dept.
  • Rebecca J. Kurth M.D.
  • Relief Center Republic County Hospital
  • Ricardo S. Lemos MD
  • Richard A. Stone M.D.
  • Richard Ganz MD
  • River Primary Care
  • Rolando P. Oro MD, PA
  • Ronald Chochinov
  • Sabetha Community Hospital
  • Santa Cruz Pulmonary Medical Group
  • Santone Chiropractic
  • Sarasota Cardiovascular Group
  • Sarasota Center for Family Health Wellness
  • Sarasota Heart Center
  • Satanta District Hospital
  • Saul & Cutarelli MD's Inc.
  • Shaver Medical Clinic, P. A.
  • Skiatook Osteopathic Clinic Inc.
  • Sleep Centers of Fort Wayne
  • Smith County Hospital
  • Smith Family Chiropractic
  • Somers Eye Center
  • South Forsyth Family Medicine & Pediatrics
  • Southeast Rehabilitation Associates PC
  • Southgate Radiology
  • Southwest Internal Medicine & Pain Management
  • Southwest Orthopaedic Surgery Specialists, PLC
  • Stafford County Hospital
  • Stephen Helvie MD
  • Stephen T. Child MD
  • Susan A. Kubica MD
  • Texas Childrens Hospital
  • The Children's Health Place
  • The Heart & Vascular Specialists
  • The Heart and Vascular Center of Sarasota
  • The Imaging Center
  • The Johnson Center for Pelvic Health
  • The Medical Foundation, My Lab Results Portal
  • Thompson Family Chiropractic
  • Trego County Hospital
  • Union Square Dermatology
  • Volunteers in Medicine
  • Wells Chiropractic Clinic
  • Wichita County Health Center
  • William Klope MD
  • Wyoming Total Health Record Patient Portal
  • Yovanni Tineo M.D.
  • Zack Hall M.D.

The MIE press release included few details about exactly how hackers accessed its systems:

"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."

The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?

The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.

MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online breach notices they receive. (They should, since it helps consumers verify breach notices.) HIPAA federal law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.

The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few new details. It began:

"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."

My wife didn't recognize either Concentra or No More Clipboard by name. The notice she received listed the following patient information as exposed or stolen:

"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"

This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.

Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:

"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individual’s name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."

This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.

I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.

Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.

The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.

What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items were repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess have happened with electronic medical records? I hope not.

I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:

"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."

"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."

"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."

Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement on the site about whether ProtectMyID monitors credit reports at all three credit reporting agencies (e.g., Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.

So, what to make of this breach? I see several issues:

  1. Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. They were acquired for [insert reasons]."
  2. Update online policies: health care providers' websites should identify their EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify the vendor's breach notice they received. When policies don't mention vendors by name, verification is harder.
  3. Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not one.
  4. Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).

In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post-breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.

During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.

Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?

Update: Massive Data Breach At OPM Federal Agency

Update on the massive data breach at the Office of Personnel Management (OPM). After discovering in April 2015 that the sensitive personal information of 4.2 million persons was compromised, on July 9 the OPM announced that the number of affected persons was far larger:

"... OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen."

Additionally, the OPM has not yet notified all affected persons. It has promised to provide free credit monitoring services to persons whose Social Security numbers have been compromised or stolen.

As a result of the massive breach, OPM Director Katherine Archuleta resigned on Friday, July 10. Reportedly, the hacking began before Archuleta assumed the director position.

Some news organizations characterized the OPM breach as "epic." While the sensitive data stolen in the OPM breach is very troubling, there have been several larger data breaches, as defined by the number of records compromised or stolen. The TJX Companies / TJ Maxx breach affected about 94 million persons. The Heartland Payment Systems data breach affected 130 million persons, affected both retail stores and banks, and resulted in numerous lawsuits. The Sony Playstation Network data breach affected 77 million persons, and totaled more than 100 million persons after adding the 25 million persons affected by the breach at Sony Online Entertainment (SOE). Earlier this year, the Anthem, Inc. breach affected 80 million persons, including patients and staff.

Many politicians had called for the OPM Director's resignation. If this is the expectation, then CEOs at corporations with massive data breaches should also lose their jobs, unless shareholders find these massive breaches acceptable.

Massive Data Breach At Federal Government Agency Exposes Sensitive Data of Government Workers

Numerous media outlets have reported about the massive data breach at the Office of Personnel Management (OPM) in which the personnel records of 14 million current and former federal employees were accessed. The original breach notification mentioned 4 million personnel records, but several news reports mentioned the higher 14 million figure. Several facts highlight the extreme seriousness of this data breach.

First, the OPM announced in its FAQ page that the data elements accessed and/or stolen included full names, Social Security Numbers, date of birth, place of birth, current residential address, and former residential addresses. The personnel records also included items:

"... such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies..."

The OPM began in early June to notify breach victims. The OPM announced on June 4, 2015 several resources and tips for breach victims to protect themselves. These resources and tips were standard items, such as check credit reports for fraud, online FTC resources to combat identity theft and fraud, be suspicious of phone spam, place Fraud Alerts on credit reports, and don't disclose personal information over the phone nor on the Internet. Also, the OPM has arranged complimentary credit monitoring services via CSID for breach victims.

Second, the breach occurred in December 2014, and the OPM discovered it in April 2015. The OPM has been working with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation (FBI) to determine the full impact of the breach.

Third, the OPM announced on June 15 that the breach was wider than first thought:

"Through the course of the ongoing investigation into the cyber intrusion that compromised personnel records of current and former Federal employees announced on June 4, OPM has recently discovered that additional systems were compromised. These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a Federal background investigation was conducted."

Fourth, the data stolen was more extensive than first thought. Federal Times reported on June 16 that the data breach:

"... might have led to the loss of all personnel data for federal employee and retirees, according to the American Federation of Government Employees. Union President J. David Cox said that the data breach – which took place in 2014 but was only discovered in April – means that hackers now have federal employee and retiree social security numbers, military records, insurance information, addresses and a wealth of other personal details."

While the data was not encrypted, officials stated that encryption would not have stopped the hackers. Clearly, more information about the breach will continue to surface. Fifth, many news reports have focused upon the alleged hackers and international espionage:

"Hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, U.S. officials said Thursday... It was the second major intrusion of the same agency by China in less than a year and the second significant foreign breach into U.S. government networks in recent months... One private security firm, iSight Partners, says it has linked the OPM intrusion to the same cyberespionage group that hacked the health insurance giant Anthem. The FBI suspects that that intrusion, announced in February, was also the work of Chinese hackers, people close to the investigation have said."

Many news reports have focused upon the alleged hackers' interest in gaining background information on government officials and covert operatives (e.g., spies):

"In the current incident, the hackers targeted an OPM data center housed at the Interior Department. The database did not contain information on background investigations or employees applying for security clear­ances, officials said... in March 2014, OPM officials discovered that hackers had breached an OPM system that manages sensitive data on federal employees applying for clearances. That often includes financial data, information about family and other sensitive details. That breach, too, was attributed to China, other officials said."

Interestingly, the actual breach notices by the OPM never mentioned China.

Sixth, the June 4 announcement by the OPM was intentionally vague about exactly how hackers breached the agency's systems:

"Because cyber threats are evolving and pervasive, OPM is continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible, across all networks where OPM data resides—including those managed by government partners and contractors."

Based upon what we know so far, it seems that several senior executives at OPM need to be replaced. Ars Technica reported:

"House Oversight Chairman Jason Chaffetz (R-Utah) told [OPM Director Katherine Archuleta] and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the eleven major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems."

It is a tricky balance between disclosing too much (which could aid hackers) and disclosing too little (which fails to reassure the public). More needs to be disclosed so that the public can be confident that adequate fixes have been implemented and a breach like this does not happen again. And executives must be held accountable for the security failures.

Massive Data Breach At Anthem Affects 80 Million People. Latest In A Series Of Incidents

On Friday, Anthem, Inc. announced that identity thieves had gained unauthorized access to its computer network and stolen the sensitive personal information of patients and staff. Joseph R. Swedish, the President and CEO, stated in a letter to members that the compromised data elements included personal information about:

"... current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data... Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."

Affected patients included members of the following health care plans: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and Unicare. BlueCard members were also affected. While the Anthem breach notice did not mention 80 million affected patients, several news sources cited that statistic, including the Los Angeles Times and Forbes.

Anthem said it took steps to fix and close the data breach. It contacted the Federal Bureau of Investigation (FBI), and hired Mandiant, a reputable computer security firm, to evaluate its computer systems, networks, and data security processes. The health care provider launched the Anthem Facts website to keep members informed about the data breach and answer many questions. The site includes Mr. Swedish's breach notification letter. Members with questions can call the health care provider at 1-877-263-7995.

This is a massive data breach, and the news gets worse for several reasons. First, the data elements stolen are sufficient to allow criminals to commit financial fraud using the victims' identities. On the positive side, Anthem stated it will contact affected members and provide free credit monitoring services. However, the announcement did not state how many years of complimentary credit monitoring will be provided. Many companies provide one or two years, even though stolen Social Security numbers and birth dates do not expire and retain value to criminals for far longer than that.

Second, since e-mail addresses and names were stolen, it means that breach victims are at risk of receiving e-mail spam and phishing attacks as the hackers resell the stolen data to other criminals worldwide. The FAQ page in the Anthem Facts site acknowledged this risk and advised members to:

"... be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as "phishing") are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem. DO NOT click on any links in email. DO NOT reply to the email or reach out to the senders in any way. DO NOT supply any information on the website that may open if you have clicked on a link in email. DO NOT open any attachments that arrive with email."

Anthem also confirmed this in several tweets:

Anthem tweets about phishing.

Opening e-mail attachments from unknown senders can install viruses and malware on your desktop, laptop, tablet, or smartphone. So, it is wise to learn how to spot phishing e-mails. There is plenty of information in this blog.
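Anthem's warning describes the tell-tale signs of a phishing lure: a message that appears to come from Anthem with a "click here" link for credit monitoring. The checks below, as an added example that is not Anthem's code or anything from the original page, turn those signs into code: the sender's domain is compared against a list of domains the genuine sender would use, every link in the HTML body is checked for an untrusted or raw-IP destination, and link text that looks like a web address is compared with where the href really points. The TRUSTED_DOMAINS set and both sample messages are assumptions constructed for the demonstration (anthemfacts.com is assumed to be the domain of the Anthem Facts site mentioned above).

```python
"""Heuristics for spotting the kind of phishing e-mail Anthem warned about.

Added example (not Anthem's code). TRUSTED_DOMAINS and the sample messages
are assumptions constructed for the demonstration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the genuine sender would link to. Assumption for this example.
TRUSTED_DOMAINS = {"anthem.com", "anthemfacts.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL ('' if there is none)."""
    return urlsplit(url).hostname or ""


def registrable_domain(host):
    """Last two labels of a host name. Crude: no public-suffix list (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    return host.replace(".", "").isdigit()


def host_in_text(text):
    """If the visible link text itself looks like a URL or host name, return that host."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return ""
    return host_of(t if "://" in t else "http://" + t)


def analyze_email(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1]
    sender_dom = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if sender_dom and sender_dom not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_dom!r} is not a trusted domain")

    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            host = host_of(href)
            if not host:
                continue
            if is_ip_literal(host):
                findings.append(f"link to a raw IP address {host!r} (text: {text!r})")
            elif registrable_domain(host) not in TRUSTED_DOMAINS:
                findings.append(f"link to untrusted host {host!r} (text: {text!r})")
            shown = host_in_text(text)
            if shown and registrable_domain(shown) != registrable_domain(host):
                findings.append(f"link text shows {shown!r} but the href goes to {host!r}")
    return findings


# Constructed sample: a lure of the kind described in Anthem's FAQ.
SAMPLE_PHISH = """\
From: Anthem Member Services <security@anthem-alerts.com>
To: member@example.com
Subject: Your free credit monitoring is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear member, because of the recent incident we are offering you credit monitoring.</p>
<p><a href="http://anthem.com.secure-login.example.net/enroll">click here</a> to enroll, or
visit <a href="http://198.51.100.7/enroll">www.anthemfacts.com</a>.</p>
</body></html>
"""

# Constructed sample: what a genuine notice could look like.
SAMPLE_LEGIT = """\
From: Anthem <notice@anthem.com>
To: member@example.com
Subject: Information about the security incident
Content-Type: text/html; charset="utf-8"

<html><body><p>Details are posted at
<a href="https://www.anthemfacts.com/">www.anthemfacts.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_email(sample) or ["no findings"])
```

Run stand-alone, the phishing sample produces four findings (untrusted sender domain, a link whose host merely begins with "anthem.com", a link to a raw IP address, and link text that names one site while the href goes to another) and the genuine-looking sample produces none. The registrable-domain check is deliberately crude; a production filter would use a public-suffix list and would also inspect the Received and authentication-results headers.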

Third, security experts are concerned that Anthem encrypted data only while it was in transit and not while it was "at rest" in its databases. Forbes reported:

"Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information... The Health Insurance Portability and Accountability Act, known more commonly under its acronym “HIPAA,” doesn’t require health care companies to encrypt such data."

Fourth, it is good that Anthem has hired a reputable, skilled computer security firm to help it understand exactly how the breach occurred and then apply the necessary fixes. After studying several breaches and companies' post-breach actions during the 7+ years I've written this blog, I've noticed that post-breach fixes don't happen quickly. The breach investigation takes time. Hence, you see in the announcement cautious words, such as "Based upon what we know now." The fixes often include a mixture of technical solutions and staff training. During the coming months we will see how transparent Anthem will be with sharing data about the breach and the fixes it applies to its networks, computers, and staff training.

The fact is: nothing stops criminals from repeatedly attacking the company's networks. Hopefully, Anthem will implement fixes quickly enough, and thoroughly enough, to both detect and thwart future attacks.

Fifth and perhaps more troubling is the history of data breaches at Anthem. Anthem, Inc. was formed in 2004 with the merger of Anthem and WellPoint Health Networks. The company changed its name from WellPoint to Anthem in 2014. A March 2008 WellPoint breach affected 130,000 patients and a 2006 breach affected about 200,000 patients when backup computer tapes were stolen from a vendor.

In 2011, Wellpoint settled data security allegations with the State of Indiana Attorney General after a data breach during 2009-10 affected 32,000 Indiana residents. A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide. Wellpoint made a $100,000 payment to the state.

In 2013, WellPoint paid $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules:

"The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by WellPoint as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule."

Sixth, in its breach notice, Mr. Swedish said:

"Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data... I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem."

The health care company's history suggests otherwise. Safeguarding patients' data may not be a top priority. An apology is nice, but actions speak louder than words. In 2012, Anthem settled a lawsuit with the Office of the California Attorney General. Terms of the settlement included a $150,000 payment, technical fixes to its computer networks, restricting access to certain employees only, and data-security training for all employees. Anthem allegedly printed Social Security numbers on letters it mailed to more than 33,000 persons between April 2011 and March 2012, a clear privacy and data security no-no. The lawsuit claimed that this practice violated state law prohibiting the disclosure of Social Security numbers. After that 2012 breach, Anthem offered affected members one year of free credit monitoring services.

The latest data security lapse at Anthem/WellPoint causes one to wonder if data security is truly a top priority, if the state-of-the-art systems Mr. Swedish described have truly kept pace with Internet and software developments, and if adequate employee training about data security stopped after terms of the 2012 settlement were fulfilled.

While writing this blog, I have learned that identity criminals are both creative and persistent. The "bad guys" possess the same computer skills and equipment as the "good guys." In my opinion, repeated security lapses will stop only when company executives go to prison. Fines are not enough.

What are your opinions of the Anthem breach? Of the company's statements and actions so far? If you receive a breach notice from Anthem, please share details (but exclude any information that would further compromise the security of your personal information).

A Fight Brews After Retailers Demand From Congress Better, Stronger, And Consistent Data Breach Laws

The National Retail Federation and 43 other retail associations sent a letter dated November 6, 2014 to Congressional leaders in the House and Senate demanding laws that promote stronger data security, eliminate exemptions of certain industries from data breach notification laws, and provide consistent data breach notification rules.

There are currently 47 different breach notification laws across the states. This makes for a complicated patchwork of state laws that retailers must navigate when informing affected shoppers about data breaches. The laws vary in how they define the data elements to be protected, the data formats covered, the permitted methods of notification, and the deadline by which affected consumers must be notified.

The retail associations' letter to Congress (Adobe PDF) stated:

"Organized groups of criminals, often based in Eastern Europe, have focused on U.S. businesses, including financial institutions, technology companies, manufacturing, retail, utilities and others. These criminals devote substantial resources and expertise to breaching data protection systems... Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information. Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

The letter cited current banking practices:

"... the recently reported data breaches have taught us, it is that any security gaps left unaddressed will quickly be exploited by criminals. For example, the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse. Better security at the source of the problem is needed. The protection of American’s sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all."

The letter also described breaches at banks and other non-retail entities:

"... some recent examples are instructive. This summer, it was reported that JPMorgan Chase had suffered a data security breach... affecting 83 million accounts that had been accessed online or through mobile devices. The criminals involved reportedly took over computers around the world... Given the sophistication of the attack, even months after initial disclosure, it is not clear whether the bank’s system is free of the hackers involved. It has also been reported that nine other banks suffered similar data breaches and there is evidence that there is a focused effort to breach financial institutions by these criminals... Despite all that reporters have uncovered to date, however, financial regulators have not required financial institutions to provide the same detailed notice to their customers as is required of other businesses under law... it was revealed in September that over 100 account subscribers to Apple’s widely-used iCloud service had suffered a series of targeted attacks that ultimately led to the unlawful acquisition of sensitive photographs stored on the iCloud servers. Merchants have also been attacked by criminals employing sophisticated and previously unseen tools to steal payment card numbers. Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data – from financial institutions to retailers, card processors, and telecommunications providers."

The letter also cited a key industry study about where data breaches occurred:

"The Verizon Data Breach Investigations Report is the most comprehensive summary of these types of threats. The 2014 report (examining 2013 data) determined that there were 63,437 data security incidents reported by industry, educational institutions and governmental entities last year and that 1,367 of those had confirmed data losses. Of those, the financial industry suffered 34%, public institutions (including governmental entities) had 12.8%, the retail industry had 10.8%, and hotels and restaurants combined had 10%."

The Online Trust Alliance supports the retailer associations' letter with calls for better, stronger, consistent data breach laws. The American Bankers Association and several financial services groups responded with their own letter (Adobe PDF) to Congress dated November 12, 2014. The banking groups' letter said the retail associations' letter was:

"... inaccurate and misleading, and recommends solutions that leave consumers vulnerable to enhanced risk of data breaches... As evidenced by the massive breaches at Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen and others, retailers are being targeted by cyber criminals. While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."

Given the frequency and large size of data breaches, in my opinion, both groups have failed at adequately protecting consumers' sensitive personal and financial information. Neither is in a position to criticize the other.

The financial groups' letter cited "Strong Federal Oversight and Examination" and:

"Financial institutions on their own are aggressively implementing new systems and leading the development of new technologies like tokenization to combat the ever-changing criminal threat."

Banks may lead the way in defending against external threats, but they seem to have failed miserably against internal threats. Several examples illustrate my point. Banks have settled lawsuits about data breaches, settled lawsuits about residential mortgage-backed securities abuses, paid massive amounts ($128 billion and counting) in settlement payments and fines whose terms are often kept secret and whose payments are tax deductible, and failed to solve their growing ethics problem, in which young bankers feel they must break the law to get ahead. Nobody forced banks to violate the laws that resulted in these lawsuits, settlements, and fines.

Rather than fight, both groups should stay focused on their shoppers and account holders: collaborate on better data security. Otherwise, they both look silly; like children at the dinner table arguing over who gets the last slice of chocolate cake.

View the full text of the retail associations' letter to Congress (Adobe PDF). Download the 2014 Verizon Data Breach Investigations Report. Learn more about hacking attacks against Apple iCloud services.

Home Depot Discloses More Details About Its Data Breach Affecting 53 Million Shoppers

If you shop at Home Depot, then today's blog post is for you. On November 6, 2014, Home Depot disclosed more details about its data breach investigation. Criminals gained access to the retailer's computer network by using a third-party vendor's credentials (e.g., user name and password), and:

"These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada...  separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information."

The announcement did not explain how the criminals gained "elevated rights" with the stolen credentials. Home Depot did not disclose the name of the third-party vendor.
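Home Depot's disclosure describes a chain: a third-party vendor's credentials, then elevated rights, then malware on the self-checkout systems. Whatever the escalation mechanism was (the announcement does not say), the first two steps leave traces in authentication and directory logs. The following added example, which is not Home Depot's code or anything from the original page, shows detection logic that flags a vendor account logging on to hosts outside its approved scope and a privileged group membership granted to a vendor account (or granted by an account to itself), then correlates the two per account. The log format, account names, host names, scope table and group names are constructed assumptions.

```python
"""Detection logic for the pattern in Home Depot's disclosure: a third-party
vendor account that logs on where it has no business, then acquires privileges.

Added example, not Home Depot's code. The log format, account names, host
names, scopes and group names below are constructed assumptions.
"""
import shlex

# Assumption: the hosts each third-party account is permitted to log on to.
VENDOR_SCOPE = {
    "vendor_hvac": {"hvac-gw01", "hvac-gw02"},
}
# Assumption: groups whose membership confers administrative rights.
PRIVILEGED_GROUPS = {"domain admins", "pos-admins"}

# Constructed sample log: one event per line, '<timestamp> key=value ...'.
SAMPLE_LOG = """\
2014-04-11T02:13:04Z event=logon user=vendor_hvac host=hvac-gw01 src=203.0.113.9
2014-04-11T02:21:47Z event=logon user=vendor_hvac host=fileshare-03 src=203.0.113.9
2014-04-11T02:25:10Z event=group_add user=vendor_hvac group="pos-admins" actor=vendor_hvac host=dc01
2014-04-11T02:40:52Z event=logon user=vendor_hvac host=pos-selfcheck-117 src=10.20.30.5
2014-04-11T09:00:00Z event=logon user=jsmith host=ws-4411 src=10.1.1.20
2014-04-11T09:05:13Z event=group_add user=jsmith group="helpdesk" actor=admin_kw host=dc01
"""


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict; None for a blank line."""
    tokens = shlex.split(line)  # honours quoted values such as group="pos-admins"
    if not tokens:
        return None
    rec = {"ts": tokens[0]}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rec[key] = value.lower()
    return rec


def detect(log_text):
    """Return alerts as (timestamp, rule, detail) tuples, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, event = rec.get("user", ""), rec.get("event", "")

        # Rule 1: a vendor account authenticating outside its approved hosts.
        if event == "logon" and user in VENDOR_SCOPE and rec.get("host") not in VENDOR_SCOPE[user]:
            alerts.append((rec["ts"], "vendor_out_of_scope_logon",
                           f"{user} logged on to {rec.get('host')} from {rec.get('src')}"))

        # Rule 2: a privileged group granted to a vendor account, or self-granted by anyone.
        if event == "group_add" and rec.get("group") in PRIVILEGED_GROUPS:
            if user in VENDOR_SCOPE or rec.get("actor") == user:
                alerts.append((rec["ts"], "privilege_grant",
                               f"{user} added to {rec.get('group')} by {rec.get('actor')}"))
    return alerts


def escalate(alerts):
    """Accounts with both an out-of-scope logon and a privilege grant: probable escalation."""
    rules_by_account = {}
    for _ts, rule, detail in alerts:
        account = detail.split(" ", 1)[0]  # each detail string starts with the account name
        rules_by_account.setdefault(account, set()).add(rule)
    wanted = {"vendor_out_of_scope_logon", "privilege_grant"}
    return sorted(acct for acct, rules in rules_by_account.items() if wanted <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print("probable privilege escalation by:", escalate(found))
```

On the constructed log this raises three alerts (two out-of-scope logons, including one to a self-checkout host, and one self-granted membership in pos-admins) and correlates them to a single account. The scope table is the point: a vendor account that exists only to service one class of equipment should never authenticate anywhere else, and that rule is cheap to enforce and to alert on regardless of which escalation trick was used.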

In a prior September 8, 2014 press release (Adobe PDF, 188.4K), the retailer confirmed the breach affecting shoppers who used credit cards in its stores from April to September 2014. The retailer began its breach investigation on September 2 after several banks and law enforcement agencies notified it of a possible breach. Also on September 8, the retailer offered affected shoppers free credit monitoring services. To learn more about these services, interested shoppers should visit the Home Depot website or, in the USA, call 1-800-HOMEDEPOT (800-466-3337). Shoppers in Canada should call 800-668-2266.

In its latest announcement, Home Depot said it is notifying affected shoppers in the United States and Canada. The stolen e-mail data means that affected shoppers should also be on alert for phishing e-mail scams designed to trick consumers to reveal their sensitive personal and financial information.

How should consumers view the Home Depot's breach?

53 million affected shoppers is a massive breach. If your credit card payment information was stolen, the hackers will likely sell it to other criminals, who will then try to use it to make fraudulent purchases and/or take out loans in your name. This is what identity criminals do. So, it's wise to seriously consider the retailer's offer of free credit monitoring services.

As things progress, we will probably hear more details about the breach investigation. In its latest announcement, Home Depot did not disclose how many shoppers had both their e-mail addresses and their credit card payment information stolen. This overlap matters. If the overlap was 100 percent, that says something very different than an overlap of 5 percent. If the overlap was concentrated in certain stores or states, that says something else. To feel comfortable about shopping at Home Depot, shoppers deserve an explanation of both the overlap and how the related security holes are being fixed.

Back in September, Home Depot took the opportunity in its breach announcement to also announce the upcoming rollout of EMV chip-and-PIN payment technology in its U.S. stores. It seems that the retailer hopes that chip cards will help make shoppers feel comfortable. So, we'll probably hear more about chip cards during the coming weeks. However, chip cards alone do not make a secure computer network or secure purchase transactions: EMV makes counterfeit cards harder to produce, but it does not stop malware on a compromised point-of-sale system from reading card numbers that can then be used for card-not-present fraud.

While consumers may not focus upon the "elevated rights" statement in Home Depot's latest announcement, you can bet that data security experts, banks, and other retailers are watching closely. Why? eWeek provided an interesting analysis:

"That's the real root cause, in my view—a privilege escalation flaw. Getting into the network itself is interesting, but without the right privileges, which the third-party vendor did not have, the attacker could not do any damage... Home Depot has also reiterated that the malware that was deployed by the attackers, once they had executed their privilege escalation attack, was malware that had previously been unknown. That means it was not the Backoff malware that has impacted 1,000 retailers. What the new Home Depot breach details clearly show is that the breach was a multistage attack that wasn't just about any one failure but rather several defensive inadequacies. Third-party access was breached by an attacker, so that's one point of failure. The privilege escalation issue is the second. The undetected malware itself is the third point of failure. Finally, the fact that the data was taken out from the network without detection is the icing on the cake."

EMV chips won't fix these four failures. Free credit monitoring services won't fix these four failures. The retailer needs to improve its computer systems end-to-end, as the eWeek analysis suggested. What are your opinions of the breach? Of Home Depot's breach investigation? Of the eWeek analysis?

Breach At Community Health Systems Affects 4.5 Million Patients Nationwide

Community Health Systems, Inc. (CHS) announced a data breach that affected 4.5 million patients nationwide. Breach victims are patients who have done business with any CHS hospital, or whose physicians are associated with CHS hospitals. CHS said on its website that it has 206 affiliated hospitals in 29 states, with 135,000 employees and 22,000 physicians.

CHS believes the attack, by hackers from China, occurred between April and June of 2014. Sensitive personal data elements stolen included patient names, addresses, birth dates, telephone numbers and social security numbers. This means that breach victims are vulnerable to identity theft and fraud, since the data elements stolen are sufficient for thieves to apply for and/or open fraudulent credit accounts and loans. The only good news was that the breach did not include patients' medical records and payment information (e.g., credit/debit cards).

CHS has notified federal law enforcement agencies and (links added):

"... engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data."

CHS is notifying breach victims, and will offer identity theft protection services. The announcement did not specify which, if any, data elements were encrypted. Usually, breach announcements state which items were encrypted. Hopefully, future announcements will provide the necessary details.

I browsed the CHS site Monday afternoon expecting to see a notice on the site about the breach. I didn't see one. Maybe it is there but hidden. For context: after its massive breach, Target provided a notice and link on its home page so affected breach victims could easily access important information. CHS needs to do the same.

What's even more troubling is that the Social Security numbers apparently weren't encrypted by CHS. How do I know this? The HIPAA Breach Notification Rule governs when hospitals must disclose data breaches. It says in part (links and bold text added):

"Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance... The guidance... specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information."

In other words, if CHS had encrypted the information stolen, it probably would not have had to issue a breach notification (and incur the related costs). Since it did issue a breach notification, I conclude the data elements stolen -- especially Social Security numbers -- were not encrypted. Even though credit card data wasn't stolen in the breach, this makes one wonder if this payment information is encrypted. Hopefully, CHS will say more soon about what data is encrypted; and why or why not.

While browsing its website, I learned that CHS confirmed in an August 4 press release that it had:

"... resolved the investigation by the U.S. Department of Justice into short stay admissions through emergency departments at certain affiliated hospitals. The parties have entered into a settlement agreement, which concludes the government’s review into whether these 119 hospitals billed Medicare, Medicaid and TRICARE for certain inpatient admissions from January 2005 to December 2010 that the government believed should have been billed as outpatient or observation cases... Under the terms of the agreement, there is no finding of improper conduct by Community Health Systems or its affiliated hospitals, and the Company has denied any wrongdoing. The Company has agreed to pay $88,257,500 in resolution of all federal government claims, including Medicare, TRICARE and the federal share of the Medicaid claims, and an additional $892,500 to the states for their portions of the Medicaid claims."

To see if your hospital was affected, browse the list of CHS locations by state. Have you received a breach notice from CHS? What are your opinions of the notice? Of the identity theft protection services offered?

Florida Enacts Stronger Security And Data Breach Notification Law

On June 20, 2014, Florida Governor Rick Scott signed into law the “Florida Information Protection Act of 2014" (FIPA). FIPA went into effect on July 1, 2014. The positive elements:

  1. The entity must notify both affected customers and the Florida Department of Legal Affairs (DLA) when a breach occurs.
  2. Notice must be given within thirty (30) days after the breach is discovered or occurred, unless law enforcement warrants a delay. The previous law specified 45 days.
  3. The DLA now has the authority, under the Florida Deceptive and Unfair Trade Practices Act, to civilly prosecute violations.
  4. Failure to provide timely notice can result in civil penalties applied to violators.
  5. Covered entities include both commercial entities (e.g., corporations, sole proprietors, partnerships, associations, trusts, estates) and state government agencies. However, state agencies are exempted from civil penalties for failing to provide timely notice.
  6. Notice must be given for a breach affecting 500 or more persons in the State of Florida.
  7. The law requires outsourcing companies (e.g., "third-party agents") to notify their hiring entity within ten (10) days after the breach is discovered or occurred.
  8. The law requires outsourcing companies, contracted by covered entities to maintain, process, and store personal information, to take "reasonable measures to protect and secure data in electronic format" containing personal information.
  9. The new law expanded the definition of personal information to include a user name or e-mail address in combination with a password or security question used to access an online account.
  10. Covered entities are exempted from notifying affected persons individually, and can instead provide notice via ads online or in print, if one of these conditions applies: the cost of notifying persons individually would exceed $250,000, more than 500,000 persons are affected, or the covered entity lacks both e-mail and postal addresses.
  11. By February 1st of each year, the DLA must submit an annual report of breach notices received.

The not-so-good elements of FIPA:

  1. The law defines a "data breach" in terms of files in electronic format, and seems to ignore breaches involving paper files.
  2. The law seems vague on whether notice is required for a breach affecting fewer than 500 persons in Florida but more persons in other states. A better law would have stated 500 persons regardless of their location.
  3. While the law requires both physical and electronic customer records to be disposed of in a way that prevents personal information from being disclosed, government entities are exempted from this provision.
  4. The law seems vague on what constitutes "reasonable measures to protect and secure data in electronic format" for personal information. Some states' security and breach notification laws have specified encryption.
  5. The law does not create a private right of action.
  6. The law provides an exemption if there is a determination of no fraud or financial harm:

"... notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination."

47 states now have passed, amended or proposed data breach notification laws. Shame on the three laggards. I applaud Florida officials for strengthening their state's privacy and data breach notification law, but wish they'd gone further and addressed the above not-so-good items.

View the full text of FIPA (Adobe PDF). Read the summary of FIPA by Martindale.

What are your opinions of FIPA?

AOL Issued Statement About A Data Breach And Criminal Activity Affecting Its Customers

Earlier today, AOL released a security statement about a data breach and criminal activity affecting its users. The statement read in part:

"We are writing to notify you that AOL is investigating a security incident that involved unauthorized access to AOL's network and systems... AOL's investigation began immediately following a significant increase in the amount of spam appearing as "spoofed emails" from AOL Mail addresses... AOL's investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts."

The statement said that 2 percent of its 3 million subscribers had been affected already by spam. The statement provided few details, maybe because it is still early in the breach investigation. The data elements hackers had unauthorized access to included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions.

It is wise for AOL users to pay close attention to all upcoming security statements. In today's statement, AOL advised its members to change their passwords and:

"1. If you receive a suspicious email, do not respond or click on any links or attachments in the email.

2. When in doubt about the authenticity of an email you have received, contact the sender to confirm that he or she actually sent it.

3. Never provide personal or financial information in an email to someone you do not know. AOL will never ask you for your password or any other sensitive personal information over email.

4. If you believe you are a victim of spoofing, consider letting your friends know that your emails may have been spoofed and to avoid clicking the links in suspicious emails."

If you have questions, AOL suggested that its users visit FAQ.aol.com.

Michaels Stores Confirmed 3 Million Debit And Credit Card Customers Affected By Breach

Michaels Stores confirmed on Thursday that 3 million credit card and debit card users were affected by its recent data breach. The retailer's statement read in part:

"After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware... we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers... the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014."

In some Michaels stores, the attack lasted for a short duration. Michaels announced its data breach in January. The attack lasted about the same duration, eight months, at Aaron Brothers stores:

"Regarding Aaron Brothers, the Company has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware. The Company estimates that approximately 400,000 cards were potentially impacted during this period."

The retailer's statement did not explain what security steps were taken so that a breach like this does not happen again. In its statement, Michaels seemed to try to minimize the breach impacts by emphasizing the portion of customers affected:

"Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period."

If you were one of the affected customers, there is no minimizing the hassles and disruption you experienced to get a replacement card from your card issuer, reset online billing and automatic payments for your new card account, and report fraudulent charges and/or money stolen to your card issuer for reimbursement.

Affected Michaels stores (Adobe PDF) are in 49 states, excluding Hawaii. Affected Aaron Brothers stores (Adobe PDF) are in Arizona, California, Colorado, Nevada, Oregon, Texas, and Washington.

Neiman Marcus Discloses Some Details About Its Data Breach

The Neiman Marcus Group disclosed some details about its recent data breach. In a letter to its customers, Karen Katz, the President and CEO, stated that malware had been secretly installed in its systems and stole shoppers' payment information from July 16, 2013 to October 30, 2013. As many as 1.1 million shoppers were affected. The letter also said:

"... Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."

The retailer notified these 2,400 breach victims on January 10. So far, only shoppers' debit/credit card payment information has been stolen: card numbers, expiration dates, and cardholders' names:

"Social security numbers and birth dates were not compromised. Our Neiman Marcus and Bergdorf Goodman cards have not seen any fraudulent activity. Customers that shopped online do not appear to have been impacted. PINs were never at risk because we do not use PIN pads in our stores."

Several state governments require companies to notify them about data breaches affecting their residents. In a breach notification letter (Adobe PDF) to the New Hampshire Department of Justice, the retailer provided more details about the breach:

"As a result of the investigation we initiated, using two of the leading computer forensic investigative firms, we learned for the first time on January 1, 2014 (preliminarily), and then more concretely on January 2 and 3, that sophisticated, self-concealing malware that can "scrape" (copy from temporary memory during execution of payment) payment card information ("the scraping malware") had been clandestinely inserted into our system. We later learned that this malware had been inserted in our system as early as July 2013... it appears that the scraping malware was active between July 16, 2013 and October 30, 2013... it appears that the scraping malware was not operating at all Neiman Marcus Group stores..."

So, the malware affected shoppers in several of the retailer's store chains. The usage of the term "system" seems to suggest that the retailer's network was infected with malware, not just point-of-sale (PoS) computers. It seems that multiple types of malware were involved in the breach:

"Separate, related malware that allows this scraping malware to function appears to have been clandestinely inserted earlier in 2013. Neiman Marcus was not aware of any of this hidden malware until it was discovered this month by our investigative experts..."

The retailer said it has postal (street) address information for only 31% of the 1.1 million shoppers, and it has identified 822 New Hampshire residents (with street addresses) affected by the breach. The Neiman Marcus Web site contains the breach letter and frequently asked questions: basic content for shoppers who have never experienced a data breach before.

Michaels Stores Says It Experienced a Potential Data Breach

On Saturday, Chuck Rubin, the CEO of Michaels Stores, released a statement to its customers that the retailer probably experienced a data breach:

"... We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack. We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it is appropriate to notify our customers that a potential issue may have occurred..."

The "recently learned" portion of the statement probably refers to a Krebs On Security blog post. Sources from four different banks reported fraudulent charges, affecting hundreds of customers, that traced back to Michaels stores.

Similar to the massive Target stores data breach, the U.S. Secret Service is also involved. Michaels is the third retailer to have experienced a data breach during the past two months or so. While Neiman Marcus confirmed earlier this month that it had experienced a data breach, the retailer announced few details.

In May 2011, criminals hacked the point-of-sale registers at Michaels stores in Chicago. A subsequent investigation found hacked terminals in stores in at least 20 states. In 2011, the retailer replaced 7,200 PIN pads in its stores. In March 2013, this blog reported about a questionable and restrictive return policy by Michaels stores.

Michaels customers should read the full January 25 statement (Adobe PDF). It advises shoppers to be vigilant (e.g., check your bank accounts and credit/debit-card bills for fraudulent charges). Michaels will provide updates at its Web site. Shoppers with questions about the data breach can also call the retailer toll-free at 1-877-412-7145 from Monday through Saturday from 8:00 am to 11:00 pm CST, and Sundays from 8:00 am to 8:00 pm CST.

Obviously, there will be a lot more news coming about this data breach.

Target Increases Number of Shoppers Affected By Data Breach. BBB Warns Shoppers To Expect More Spam

On Friday, Target updated details about the retailer's recent data breach. More people were affected and more data was stolen than first announced. The updated total is 70 million persons affected, up from 40 million. More data was stolen, including names, mailing addresses, phone numbers, and e-mail addresses:

"As part of Target’s ongoing forensic investigation, it has been determined that certain guest information—separate from the payment card data previously disclosed—was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals."

The retailer also announced the closing of eight stores in the United States. The following stores will close on May 3, 2014:

  • West Dundee, Illinois
  • Las Vegas
  • North Las Vegas
  • Duluth, Georgia
  • Memphis, Tennessee
  • Orange Park, Florida
  • Middletown, Ohio
  • Trotwood, Ohio

The additional data stolen makes the information stolen during the breach more valuable. The stolen data is simply more useful to identity thieves, spammers, and fraudsters. It also means that breach victims will probably experience spam and phishing attacks via e-mail and/or telephone. I've reported in this blog about many types of phishing attacks, including the fake Microsoft affiliate phone scam.

Also on Friday, the Better Business Bureau (BBB) warned consumers and Target breach victims to be alert for scams:

"Be on the lookout for scammers pretending to be Target or your banking institution. Prepare to get fake phone calls, emails and letters in the mail. They may ask for your personal information and direct you to click on links. The correspondence may look official, but do not respond. If you receive a phone call from someone claiming to be from your bank stating you've been affected by the Target hack, hang up. Then call the bank number on your credit card to confirm if you are actually a victim. If you receive an email claiming to be from Target, do not reply back. Instead go to Target.com/databreach. You can also contact Target’s victim hotline at 866-852-8680."

A fake Target data breach notification is already circulating on the Internet.

The New York State Attorney General, Eric T. Schneiderman, offered several tips for shoppers affected by the Target breach. Those tips include advice for shoppers considering Target's free credit monitoring offer, and how breach victims can protect themselves and their personal information.

In related news, several banks in Alaska are scrambling to reissue credit and debit cards to cardholders affected by the Target breach:

"Denali Alaskan Federal Credit Union said more than 2,200 debit and credit cards it issued were affected by the breach. About 2,000 cardholders were affected at First National Bank Alaska, and almost 1,100 customers of Alaska-based Northrim Bank were affected."

I expect we'll hear a lot more news in the coming weeks about banks reissuing cards for their cardholders. Somebody will pay for this, as T.J. Maxx learned.

As I warned in a prior blog post, no retailer or company can know the scope and extent of a data breach until after its breach investigation is completed. I am not surprised at all that the retailer increased both the number of shoppers affected and the data elements stolen. With this latest breach update and with Target offering free credit monitoring to breach victims, the retailer's tagline applies in several ways: "Expect more. Pay less."

This story is far from over.

Target Confirms Debit Card PIN Payment Information Stolen During Breach. Lawsuits Filed

Almost immediately after its data breach, Target said that debit card PIN numbers were not stolen. You may remember this December 20, 2013 statement by Target CEO Gregg Steinhafel:

"There is no indication that PIN numbers have been compromised on affected bank issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash."

In an updated December 27, 2013 breach notice (Adobe PDF), the retailer admitted that debit card PIN numbers had indeed been stolen during the data breach:

"... our ongoing investigation determined that strongly encrypted PIN data was removed from our system during the data breach incident..."

Then, its latest statement attempted to reassure shoppers:

"... These [PIN data] files are protected by triple DES encryption, the most secure standard... We never had access to the encryption key required to open or read the PIN files..."

Shoppers are supposed to be comforted by the disclosure that even though PIN payment data was stolen, the encryption was strong and the encryption keys were stored in a different place than the encrypted debit payment information. This assumes that the hackers didn't also breach the location with the stored encryption keys during the breach or previously. C/Net reported:

"However, one major U.S. bank is worried that the hackers might be able to crack the encryption code, giving [thieves] the ability to withdraw money from bank accounts..."

While writing this blog for the past 6+ years (including posts about the massive TJX Companies/T.J. Maxx data breach), I have learned that hackers are smart, persistent, and study their targets (no pun intended) before an attack. All of that seems to apply to the Target breach. Hackers use computers just like you do. And that includes software to break or decode encrypted data. It may take time, but hackers have time. That's one reason for long-term credit monitoring services for breach victims.
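Target's notice says the stolen PIN data was "triple DES" encrypted and that Target never held the key. The Go program below is an added example written for this page (not Target's code, nor any payment network's) that shows what that claim means mechanically. It assumes the common ISO 9564-1 format 0 PIN block layout and two-key Triple DES in ECB mode, neither of which the notice specifies; the PAN, PIN and both keys are constructed values. The holder of the PIN encryption key recovers the PIN; a party holding the ciphertext and any other key gets bytes that do not even parse as a PIN block. The guarantee is therefore only as good as the place the key is stored, which is exactly the assumption the paragraph above questions.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// xorPAN XORs an 8-byte value with the ISO 9564-1 format 0 PAN field: four
// zero digits followed by the 12 rightmost PAN digits, excluding the Luhn
// check digit. Applying it twice undoes it, so it serves both directions.
func xorPAN(b []byte, pan string) ([]byte, error) {
	if len(pan) < 13 || len(b) != 8 {
		return nil, errors.New("need a 13+ digit PAN and an 8-byte block")
	}
	pa, err := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	for i := range out {
		out[i] = b[i] ^ pa[i]
	}
	return out, nil
}

// FormatPINBlock builds the clear format 0 block: the PIN field
// ("0", PIN length as a hex digit, PIN digits, padded with F) XORed with the PAN field.
func FormatPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pf, err := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	if err != nil {
		return nil, err
	}
	return xorPAN(pf, pan)
}

// RecoverPIN reverses FormatPINBlock. It fails unless the block is a
// well-formed format 0 block for this PAN, which a wrong-key decrypt is not.
func RecoverPIN(block []byte, pan string) (string, error) {
	pf, err := xorPAN(block, pan)
	if err != nil {
		return "", err
	}
	h := strings.ToUpper(hex.EncodeToString(pf))
	n64, perr := strconv.ParseInt(h[1:2], 16, 0)
	if h[0] != '0' || perr != nil || n64 < 4 || n64 > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	n := int(n64)
	pin, pad := h[2:2+n], h[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("not a format 0 PIN block")
	}
	return pin, nil
}

// tdesECB runs one 8-byte block through two-key Triple DES. crypto/des wants
// the 24-byte K1|K2|K1 form of the 16-byte double-length key.
func tdesECB(k16, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
	if err != nil {
		panic(err) // keys in this example are fixed 16-byte constants
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// Constructed values: a well-known test PAN, a sample PIN, the PIN encryption
// key the issuer holds, and an unrelated key standing in for a party that has
// the ciphertext but never had the real key.
var (
	demoPAN  = "4111111111111111"
	demoPIN  = "1234"
	demoKey  = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}
	wrongKey = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}
)

// RoundTrip encrypts the demo PIN block under demoKey and returns whatever PIN
// a holder of key k16 can recover from the ciphertext.
func RoundTrip(k16 []byte) (string, error) {
	clear, err := FormatPINBlock(demoPIN, demoPAN)
	if err != nil {
		return "", err
	}
	ct := tdesECB(demoKey, clear, false)
	return RecoverPIN(tdesECB(k16, ct, true), demoPAN)
}

func main() {
	fmt.Println(RoundTrip(demoKey))  // the issuer, holding the key, recovers 1234
	fmt.Println(RoundTrip(wrongKey)) // without the key: an error, not a PIN
}
```

The ECB mode and the fixed test vectors are there to keep the example short; a production PIN pad derives a fresh key per transaction (DUKPT) and never exposes the clear block outside tamper-resistant hardware, which is the property the notice is appealing to when it says the key was never in Target's hands.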

Breach victims are angry, and some are not buying the company's assurances. Some consumers have filed lawsuits against Target. ABC News reported:

"Angry shoppers are lashing out at Target, filing lawsuits in California and Oregon against the retailer, alleging the store "failed to implement and maintain reasonable security procedures" when credit and debit card data for about 40 million customers... On Thursday, Target customer Jennifer Kirk filed a lawsuit in San Francisco in the hopes of being certified as part of a class action..."

These lawsuits are not a surprise given the huge size of the breach, and that the U.S. banking system uses obsolete technology for debit/credit cards. The rest of the planet uses newer technology in their debit and credit cards.

That Target first denied PIN payment data was stolen, and then reversed itself by admitting that PIN data was stolen demonstrates the risk of executives making hasty statements before a forensic breach investigation is completed. A company can't really know until after the investigation is completed:

  1. Exactly what data elements (e.g., name, address, card numbers, PIN numbers, 3-digit security codes, etc.) were accessed and stolen,
  2. The specific computer server(s) and/or networks hacked,
  3. The technology(ies) the thieves used, and
  4. The duration of the attack and breach

While I am not a computer systems security expert, I have seen many data breaches since I started writing this blog over six years ago. History has taught me that a company can't reliably claim what was (or wasn't) stolen and that a breach is fixed until the investigation is completed, the extent of the attack and the damage are known, and then the appropriate technical solutions are implemented on the affected servers and networks -- and ideally, are hardened. Often, that fix also includes training employees to avoid risky behaviors that introduce malware and computer viruses.

At least 2,000 shoppers visiting from Europe were affected by the breach, and the U.S. Secret Service is also investigating the Target breach. The findings from that agency's investigation may also affect the retailer's fixes.

The company's early statements, before all the facts were in, are why I have very little faith in what Target says. Shop at its stores, but use cash or credit cards. Breach victims should change their debit card PINs and, ideally, replace affected bank accounts with new ones. Like other breach incidents, Target will likely pay for the costs banks incur to switch bank accounts for breach victims.

The whole incident is a reminder for consumers of the risks of shopping with their debit cards. Despite what the banking industry and retailers claim, the U.S. banking system uses obsolete technology for debit/credit cards. Plus, when you shop with your debit card, you are betting that criminals have not hacked:

  • The point-of-sale terminals (e.g., payment terminals) in the stores,
  • The wireless transmissions between the retail stores, and/or
  • The retail company's centralized databases and networks.

Plus, stolen debit card payment information provides thieves direct access to your checking accounts. Stay tuned. We will hear a lot more about the Target data breach during the coming weeks and months.

Data Breach At Target Stores In USA. How Affected Shoppers Can Protect Themselves

Yesterday, Target stores announced a data breach affecting customers who purchased items in stores with their credit or debit cards from November 27 to December 15, 2013. The specific payment information stolen included customers' names, card numbers, expiration dates, and the three-digit CVV security numbers.

While the Target breach announcement did not disclose the total number of shoppers affected, Mashable and TechCrunch reported that 40 million consumers were affected by the breach. That is a massive breach. Target has 1,797 stores in the USA and 124 in Canada. Shoppers at stores in Canada were not affected. DNB, Norway's largest bank, confirmed that at least 2,000 shoppers visiting from Europe were also affected.

Several media sources have reported that the Target breach is the second biggest in the USA to the TJX/TJ Maxx breach, but it is probably third biggest if you consider the Heartland breach. These size comparisons are useless because many companies don't disclose the number of breach victims affected.

TechCrunch also reported:

"The company moved quite slowly on this breach. On December 12 Brian Krebs reported the first rumors of the attack, suggesting it consisted of a wholesale scraping of “track data,” the data found on each credit card magnetic track. Krebs suggests that the thieves may have broken into the stores’ wireless networks and grabbed the card information as it was transferred from the cash registers."

The New York Times reported:

"By breaching point-of-sale systems, cybercriminals can create counterfeit cards. If they were able to intercept the PIN information, as well, it is also possible that thieves could withdraw money from a customer’s account through an A.T.M. A similar breach affected Barnes & Noble stores last year. In that case, customers at 63 Barnes & Noble stores across the country, including New York City, San Diego, Miami and Chicago, were affected."

The Target breach announcement did not disclose details about how the retailer's systems were hacked. The retailer's announcement included the usual comments: a forensics firm is helping it investigate the breach incident, it is working with local law enforcement, and it has notified banks and financial institutions. The U.S. Secret Service is also investigating the Target breach.
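The Neiman Marcus letter earlier on this page describes malware that copies card data out of memory while a payment executes, and the TechCrunch quote above describes wholesale scraping of "track data". The defender's counterpart to that is a scan for cleartext track records in whatever the investigation has captured (a process memory sample, a packet capture, a log). The Go program below is an added example written for this page, not code from Target, Neiman Marcus or any vendor they name; the sample buffer, the cardholder name and the test PAN 4111111111111111 are constructed. It matches the track 1 and track 2 layouts, drops candidates whose PAN fails the Luhn check, and masks the PAN in its own output so the detector does not itself copy card numbers around.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one cleartext card-data hit. The PAN is masked so that the
// detector never writes a full card number into its own output.
type Finding struct {
	Track     int    // 1 or 2
	MaskedPAN string // first six and last four digits only
	Expiry    string // YYMM as encoded on the stripe
	Offset    int    // byte offset of the record in the scanned buffer
}

// Track 1 starts with "%B", then PAN, "^", cardholder name, "^", YYMM expiry.
// Track 2 starts with ";", then PAN, "=", YYMM expiry.
var (
	track1 = regexp.MustCompile(`%B(\d{13,19})\^[^^]{2,26}\^(\d{4})`)
	track2 = regexp.MustCompile(`;(\d{13,19})=(\d{4})`)
)

// luhnValid reports whether a digit string passes the Luhn check that every
// real PAN satisfies; it filters out digit runs that merely look like one.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the BIN and the last four digits, the usual PCI-style mask.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanForTrackData reports every Luhn-valid track 1 or track 2 record in buf,
// track 1 hits first, each in buffer order.
func ScanForTrackData(buf []byte) []Finding {
	patterns := []struct {
		track int
		re    *regexp.Regexp
	}{{1, track1}, {2, track2}}
	var out []Finding
	for _, p := range patterns {
		for _, m := range p.re.FindAllSubmatchIndex(buf, -1) {
			pan := string(buf[m[2]:m[3]])
			if !luhnValid(pan) {
				continue
			}
			out = append(out, Finding{
				Track:     p.track,
				MaskedPAN: maskPAN(pan),
				Expiry:    string(buf[m[4]:m[5]]),
				Offset:    m[0],
			})
		}
	}
	return out
}

// sampleBuffer is constructed for this example: it imitates a slice of process
// memory holding a transaction with both tracks of a Luhn-valid test PAN,
// plus a decoy that has the track 2 shape but fails the Luhn check.
var sampleBuffer = []byte("POS-TXN 0001 OK\x00\x00" +
	"%B4111111111111111^DOE/JANE^2512101000000000000?\x00" +
	";4111111111111111=25121010000000000?\x00" +
	";4111111111111112=2512000?\x00ENDTXN")

func main() {
	for _, f := range ScanForTrackData(sampleBuffer) {
		fmt.Printf("track %d at offset %d: PAN %s expiry %s\n", f.Track, f.Offset, f.MaskedPAN, f.Expiry)
	}
}
```

The Luhn filter is what keeps the decoy out of the results. In practice this is the kind of check a DLP agent or an incident-response triage script runs over a POS host's memory and its outbound traffic: a hit means card data is sitting in the clear where the scraping malware described above would find it, which is the condition to alert on and fix before the exfiltration stage.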

Target listed several questions in its breach announcement. One claimed that the breach has been resolved:

"Has the issue been resolved?
Yes, Target moved swiftly to address this issue so guests can shop with confidence. We have identified and resolved the issue of unauthorized access to payment card data..."

I find this claim about resolution premature and difficult to believe, since the breach investigation is still ongoing. The hackers may have accessed Target's systems through several methods, not just the first method identified and closed.

The Target breach announcement advised affected shoppers to do the following to protect themselves and their payment information:

  • Read the breach notice closely,
  • Monitor your bank accounts and card statements for fraudulent transactions,
  • Watch your credit reports for fraudulent transactions,
  • Visit the official Annual Credit Report website to obtain your free credit reports,
  • Contact the major credit reporting agencies to learn more about credit reports and how to place a fraud alert on your credit files,
  • Contact the U.S. Federal Trade Commission (FTC) to learn more about identity theft and how to protect yourself

The Target breach announcement included additional information for consumers to contact the FTC, plus specific instructions for shoppers who live in Iowa, Maryland, Massachusetts, or North Carolina.

After writing this blog for over six years, I have learned a fair amount about data breaches. Affected shoppers should proactively monitor their financial accounts for the next couple years, because identity thieves usually resell stolen payment information to other thieves. So, the thieves that hacked Target's systems won't necessarily be the ones to attempt fraud with shoppers' stolen payment information. While thieves are in no hurry to use the stolen payment information, payment information stolen from the Target breach is already being sold online.

Usually, companies provide free credit monitoring services to breach victims, but Target has not offered that. After its data breach, IBM provided me and other affected breach victims with one year of free credit monitoring.

Consumers that shopped at Target during the above period with a debit card PIN number should change their PIN number, so thieves cannot drain their bank accounts through ATM withdrawals. Wise shoppers will also change the passwords on their bank accounts. Shoppers that experience actual fraud (e.g., stolen money from their financial accounts, new accounts opened in their names) will probably want to request a fraud alert (or a security freeze for more protection) on their credit reports and have their banks issue replacement accounts (and cards).

Do I use a debit card to pay for purchases in retail stores? No. It is simply too risky. There have been many breaches at retail stores. When you use your debit card to pay for purchases, you are betting that identity thieves have not hacked:

  • The point-of-sale terminals (e.g., payment terminals) in the stores, and/or
  • The wireless transmissions between the retail stores, any centralized databases the store operates, and the banks.

Plus, stolen debit card payment information provides thieves direct access to your checking accounts.

And, it is especially risky at gas station pumps, which are also point-of-sale terminals due to pay-at-the-pump payment options. The problem: the gas pumps are unattended and accessible by the public for long hours when gas stations are closed. That makes it easy for identity thieves to tamper with gas pumps and insert skimming devices. And many have.

I expect much more news during the coming days or weeks as Target and the U.S. Secret Service share the results of their investigations. If the banks issue replacement debit cards and checking accounts to breach victims, then somebody will have to pay for the replacement cards: the banks or Target.

[Update Dec. 21: In a letter to its shoppers published on its website, Target CEO Gregg Steinhafel mentioned that the retailer will offer, in a future correspondence to affected shoppers, free credit monitoring services.]

JPMorgan Chase Bank: Data Breach Affects 500,000 Prepaid Card Holders, And The Bank's Sordid History

The bad news (and behavior) at JPMorgan Chase bank never seems to end. On Friday, NBC News reported that a data breach at the bank affected almost 500,000 prepaid card holders. Hackers gained unauthorized access to the bank's networks during July 2013. The bank's prepaid cards:

"... were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits. JPMorgan said Wednesday it had detected that the web servers used by its site www.ucard.chase.com had been breached in the middle of September..."

Unencrypted data was accessed. The bank is notifying the affected prepaid card holders, who comprise about two percent of 25 million UCard users. Network World reported that the bank will not issue replacement prepaid cards, and the card-holder notification focused on users who registered their cards between July and September of 2013.

In November, JPMorgan signed several settlement agreements with both federal and state agencies to resolve charges that the bank misrepresented residential mortgage-backed securities (RMBS) it sold to investors, including several banks that later failed. The bank paid about $13 billion in reimbursements and fines.

In September, the Consumer Financial Protection Bureau (CFPB) and the Office of the Comptroller of the Currency (OCC) ordered JPMorgan Chase bank to pay $309 million in refunds to more than 2.1 million customers for:

"... illegal credit card practices. This enforcement action is the result of work started by the Office of the Comptroller of the Currency (OCC), which the CFPB joined last year. The agencies found that Chase engaged in unfair billing practices for certain credit card “add-on products” by charging consumers for credit monitoring services that they did not receive."

In August, the New York Times first reported about an investigation of the bank for allegedly bribing officials in China to gain lucrative contracts:

"Federal authorities have opened a bribery investigation into whether JPMorgan Chase hired the children of powerful Chinese officials to help the bank win lucrative business... In one instance, the bank hired the son of a former Chinese banking regulator who is now the chairman of the China Everbright Group, a state-controlled financial conglomerate... After the chairman’s son came on board, JPMorgan secured multiple coveted assignments from the Chinese conglomerate... The Hong Kong office of JPMorgan also hired the daughter of a Chinese railway official..."

This would appear to be a violation of the Foreign Corrupt Practices Act (FCPA), a federal law that prohibits United States companies from making:

"... payments to foreign government officials to assist in obtaining or retaining business. Specifically, the anti-bribery provisions of the FCPA prohibit the willful use of the mails or any means of instrumentality of interstate commerce corruptly in furtherance of any offer, payment, promise to pay, or authorization of the payment of money or anything of value to any person, while knowing that all or a portion of such money or thing of value will be offered, given or promised, directly or indirectly, to a foreign official to influence the foreign official in his or her official capacity, induce the foreign official to do or omit to do an act in violation of his or her lawful duty, or to secure any improper advantage in order to assist in obtaining or retaining business...."

The investigation is still ongoing. This past weekend, several news sources reported about emails by the bank with hiring children of prominent Chinese families. Violations of the FCPA are fraud, folks. This is rare but not a first in the banking industry. As the New York Times reported:

"Only a handful of Wall Street employees have ever faced bribery accusations, including a former Morgan Stanley executive in China who pleaded guilty to criminal charges in 2012..."

The above instances are the tip of the proverbial iceberg. Read more about the bank's sordid history. To me, it seems rotten to the core, and needs to be dissolved with jail-time for all senior executives.

Adobe Data Breach Affects 2.9 Million Customers

On Thursday, Adobe announced a data breach that affected 2.9 million of its customers. The types of data elements accessed and stolen included customer names, ID numbers, encrypted passwords, encrypted credit- and debit card numbers, expiration dates, and information related to customers' software orders. At the time of the breach announcement, Adobe does not believe that unencrypted credit- and debit card numbers were stolen.

Adobe is working with its partners and law enforcement to investigate the breach and resolve the situation. Besides notifying affected customers' banks, Adobe is:

"... resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password... notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you..."

Adobe will offer affected customers one year of free credit-monitoring services. Perhaps most troubling is that during the Adobe breach, hackers modified and/or stole the company's source code for several of its products. Reportedly, products with stolen source code included Adobe Acrobat and ColdFusion. Adobe produces several other products including Photoshop, which is available through the company's Creative Cloud service.

The Krebs On Security blog announced the breach before Adobe confirmed it:

"... hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers... affected customers — which include many Revel and Creative Cloud account users... Adobe is still in the process of determining what source code for other products may have been accessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys touched..."

Krebs On Security reported that the hackers behind the Adobe breach are the same group behind the NW3C breach:

"...the attackers appear to have initiated the intrusion into the NW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application server..."

The modified and/or stolen source code for Adobe software products is particularly alarming and troublesome because it becomes very easy for hackers and thieves to insert malware inside the product software and cause far more damage, identity theft, and data breaches. It totally undermines the security of the software.