Year of the data breach

LITTLE ROCK (KATV) -

Recent credit card security scares at Home Depot and Target follow other hack attacks against Neiman Marcus, PF Chang, Michaels and Goodwill.

2014 has become the year of the data breach.

If every time you swipe your card it could one day compromise your account, you may be tempted to go back to paying with cash. But that creates some problems as well.

So here are a few things you can do…as well as what lawmakers might be able to do…to protect your money from hackers.

In the two weeks since the Home Depot data breach came to light, Arkansas banks have seen two steady streams of people coming in: those canceling cards before their account is compromised and those filling out paperwork after unauthorized withdrawals have been made.

While the customers may be inconvenienced, the banks will cover the losses.

Why?

“Because we’re the stewards of everybody’s financial background,” says Bill Holmes, President and CEO of the Arkansas Bankers Association. “Without a payment system the checks, credit cards, debit cards…it all flows through the banks.”

Because of data breaches at Target, Home Depot and elsewhere

Holmes will be going to Washington D.C. this week to lobby Arkansas’ congressional representatives to pass Senate Bill 1927, which will require retailers to raise security and share the costs that follow data breaches.

“We hope in the future we have a better field where we get it back from the merchant that was responsible for the breach,” says Holmes. “That we have some recourse back and there is some fee sharing on that. Right now the bank eats all of that and it’s the cost of doing business on the payment side.”

If you used a card at Home Depot since April, canceling that card and getting a new one is advised.

Short of that, keep a very close eye on your account or statements. Report any suspected fraud immediately. And request a free copy of your credit report at least once a year.

Air date: September 15th, 2014

Article source: http://www.katv.com/story/26539143/year-of-the-data-breach

No action over data breach at South Central Ambulance Service

No action is to be taken against South Central Ambulance Service (SCAS) after the personal data of staff was accidentally published online.

The ethnicity, sexuality, religion and age of 2,826 staff members were posted on the service’s website in October.

The Information Commissioner’s Office (ICO) said it was satisfied at measures taken by SCAS to redress the errors.

Following the breach, SCAS said it took “information governance responsibilities very seriously”.

The ICO said its decision may be revisited if any similar problems occur in the future.

The breach affected staff who were employed by the organisation, which covers Berkshire, Buckinghamshire, Hampshire and Oxfordshire, and related to data attached to a report on its website.

After the breach was discovered, SCAS said it was cooperating fully with the ICO.

It said it had drafted an action plan to mitigate the risk of such an event happening again and the data released had not been patient or clinically related.

Article source: http://www.bbc.co.uk/news/uk-england-29217810

Chase Bank Security Breach May Not Be That Bad

New details are emerging about the security breach in the internal computer networks of JPMorgan Chase Bank this past June. And it’s good news for Chase customers. The hackers responsible for the breach did not access customers’ financial data.

A source close to the JPMorgan investigation told The New York Times’ Nicole Pelroth that the criminals may have only gained access to customers’ names, addresses and phone numbers. So far, Chase Bank has still seen no evidence of fraudulent activity due to the breach.

But it’s not all good news: According to Pelroth’s sources, the hackers also broke into several JPMorgan servers and got a look at the software JPMorgan uses internally. If the criminals can find security flaws in this software, it may give them an opening to stage another attack on JPMorgan’s systems in the future. 

However, JPMorgan spokeswoman Kristin Lemkau told Pelroth that the cybercriminals don’t seem to have stolen any proprietary software, nor accessed a map of JPMorgan’s networks. 

The approximately 1 million Chase Bank customers affected in the data breach will still have to keep on the lookout for phishing emails: official-looking messages that are actually designed to trick users into handing over their sensitive data.

In addition to this breach, charity JPMorgan Chase Corporate Challenge may also have been breached, resulting in the exposure and possible theft of members’ names, addresses and physical addresses. JPMorgan said in a letter to members that it learned of this breach on August 7.

“We’re sorry that other content on this website isn’t available now. We’re working on it,” reads a message on the JPMorgan Chase Corporate Challenge website. The site is maintained by a third party, not JPMorgan itself, and it’s unclear if the two breaches are related.

What we know about the Chase Bank hack

Attackers breached the internal networks of JPMorgan Chase some time this June. The company detected the intrusion in July, and Bloomberg News broke the story on August 27.

Earlier that August, security experts discovered a phishing campaign targeting Chase Bank customers.

Investigators from the FBI, the United States Secret Service and the National Security Agency (NSA) are all on the case. They believe four other U.S. banks were also hit in the same attack, and that the criminals responsible may be politically motivated (which would explain the lack of fraudulent activity).

If you’re a Chase Bank customer and you haven’t yet changed your account password, do so now. You should also keep an eye on your accounts for any signs of suspicious activity.

And be skeptical of any emails you receive from Chase or about Chase. Don’t click on any links in these emails; rather, if the email claims to have news regarding your Chase Bank account, go straight to your Web browser and type Chase’s URL in yourself. This will help you avoid phishing websites disguised as Chase’s site.

Jill Scharr is a staff writer for Tom’s Guide, where she regularly covers security, 3D printing and video games.

Article source: http://www.tomsguide.com/us/chase-bank-breach-update,news-19545.html

7 On your side: Medical Data Breach – KPLC

Data breaches seem to happen more routinely. One of the latest happened to medical facilities that use a company called Community Health Systems Professional Services Corporation. The company, in Tennessee, confirmed its computer network was the target of an external criminal cyber-attack in April and June. Carmen Million with the Better Business Bureau says the attacker was what they call an “advanced persistent threat” from overseas.

“The perpetrator in this particular scam is somebody in China, so it’s somebody in a foreign country, obviously they’re very savvy. They know how to get into somebody’s data base. And unfortunately we’re seeing that more often,” said Million.

Consumers whose medical provider uses the health systems company are now receiving letters to notify them that a company called Kroll will provide ID theft protection services free of charge.

“They’re giving you a year of free credit protection. Basically they’re going to monitor your credit, and if anything happens they will notify you immediately. So, that’s free. We would recommend that consumers take advantage of that. If they are still concerned after that year or they choose not to do business with this Kroll company, we would recommend they maybe hire their own protection, credit protection agency, or they can do what we call a credit freeze,” said Million.

Million says many businesses are working to stay a step ahead of the scammers. Local business representatives attended this workshop put on by law enforcement, including the U.S. Secret Service, where they discussed protecting consumers by using the latest state of the art technology.

“I think that they are doing the best they can to try to protect their customers’ information. If you’re not sure you need to ask that company, what are you doing, if you’re asking for my credit card information, if you’re asking for my bank information, if you’re asking for my social security number, whether it’s a local store or a doctor’s office, what are you doing to protect my information,” said Million.

Again, a reminder to make sure you know to whom you are providing personal information and whether they can be trusted.

Copyright 2014 KPLC All rights reserved

Article source: http://www.kplctv.com/story/26539004/7-on-your-side-medical-data-breach

Data breach losses not adding up at Goodwill

MANATEE, FLA. — Fourteen Sarasota and Manatee Goodwill stores were targeted in a data security breach. According to a Goodwill spokeswoman, thus far, there have not been any local customers that have reported a compromised credit or debit card.

This breach was announced by Goodwill Industries in July and updated on Monday.

After gathering more information, a forensic expert hired by Goodwill discovered that the breach was caused when a third-party vendor system was under attack by malware, which gave thieves access to payment information from numerous vendor customers, Goodwill being one of them.

Each Goodwill store that was affected immediately took action to ensure that malware from the third-party vendor systems was no longer a threat.

No fraudulent charges have been reported from shopping at Goodwill stores.

“Our advice to local shoppers who used their credit or debit cards is to monitor them closely. In fact, during these times, it is always important to check your statements and pay close attention to what is happening with your cards,” said Dave Bristow, a Manatee County Sheriff’s Office spokesman.

Jim Gibbons, president and CEO of Goodwill Industries International, stated: “We continue to take this matter very seriously. We took immediate steps to address this issue and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future.”

Manatee and Sarasota county Goodwill stores affected by the security breach from Feb. 2, 2013, to Aug. 14 include:

• 5138 Cortez Road W., Bradenton;

• 5512 Manatee Ave. W., Bradenton;

• 7200 55th Ave. E., Bradenton;

• 2210 N. Tamiami Trail, Nokomis;

• 14879 Tamiami Trail, North Port;

• 1210 10th St. E., Palmetto;

• 7241 S. Tamiami Trail, Sarasota;

• 7501 15th St. E., Sarasota;

• 1752 Tamiami Trail S., Venice;

• 676 Tamiami Trail S., Venice;

• 1704 N. Honore Ave., Sarasota, breached from March 20 to Aug. 14;

• 5150 N. Tamiami Trail, Sarasota, breached from Feb. 19, 2013, to Aug. 14;

• 5831 Derek Ave., Sarasota, breached from May 8 to Aug. 14; and

• 2715 51st Ave. E., Bradenton, breached from July 17 to Aug. 14.

Article source: http://www.wtsp.com/story/news/local/2014/09/15/data-breach-losses-not-adding-up-at-14-goodwill-stores/15700235/

House Democrat Seeks Hearing To Examine CHS’ Data Breach

A House Democrat has sent a letter to the House Oversight and Government Reform Committee chair asking for a hearing to investigate the recent data breach at Community Health Systems, FierceHealthIT reports (Bowman, FierceHealthIT, 9/15).

Background

Last month, Community Health Systems announced that an external group of hackers attacked its computer network and stole the non-medical data of 4.5 million patients.

Five Alabama residents have filed a class-action lawsuit against the health system alleging that the provider did not inform those potentially affected by a data breach in a timely manner (iHealthBeat, 9/3).

Letter Details

In the letter, Rep. Elijah Cummings (Md.), the top Democrat on the House Oversight and Government Reform Committee, urged committee Chair Darrell Issa (R-Calif.) to investigate the breach in an effort to identify ways to better protect patient data (Gold, “Morning eHealth,” Politico, 9/10).

Cummings wrote, “Cybersecurity threats are an ongoing challenge for both the federal government and the private sector.” He added, “I believe an investigation of the data security breach at [CHS] will help the committee learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets” (Cummings’ letter, 9/9).

For example, Cummings noted that such an investigation could help lawmakers as they work to examine potential security vulnerabilities in the federal health insurance exchange (FierceHealthIT, 9/15).

Issa has not publicly commented on the CHS data breach, according to Politico’s “Morning eHealth” (“Morning eHealth,” Politico, 9/10).

Article source: http://www.ihealthbeat.org/articles/2014/9/15/house-democrat-seeks-hearing-to-examine-chs-data-breach

Six hospitals sued for patient data breach

Six plaintiffs are suing six Mississippi hospitals and their parent company, alleging the facilities did not properly secure sensitive patient information.

The complaint, filed Sept. 11 in federal court in the Southern District of Mississippi, says the plaintiffs were patients at the hospitals, and are at increased risk of identity theft because identifying information was made available to “thieves and hackers.”

The hospitals listed as defendants are Central Mississippi Medical Center in Jackson, River Region Medical Center in Vicksburg, Madison River Oaks Hospital in Canton, Crossgates River Oaks Hospital in Brandon, River Oaks Hospital in Flowood and Natchez Community Hospital.

Each of the plaintiffs, who were patients at the hospitals between 2012 and 2014, claims the breach has caused them emotional distress and economic harm, including future expenses to monitor their individual credit reports.

The complaint demands a jury trial. It claims that, between April and June, a group of hackers in China acquired the information from a database operated by Community Health Systems. Tennessee-based CHS owns the six hospitals listed as defendants. A company spokesperson did not return a message.

The company, according to the complaint, said the breach did not include medical or financial information. But, the complaint counters that hackers did obtain information protected by the Health Information and Patient Privacy law.

In August, CHS notified the Securities and Exchange Commission that it had detected the breach. In the filing with the agency, CHS said the breach affected patients its hospitals had treated in the last five years.

The complaint asks for the litigation to be designated a class action, a status a judge would have to grant. Bradley Clanton, the Jackson attorney representing the plaintiffs, said that designation has not been granted yet. The individual claims will move forward even if it is not, he said.

The hospitals were owned by Florida-based Health Management Associates until early this year. Community Health Systems acquired HMA in a $7.6 billion deal that closed in January. Community Health Systems owns, leases or operates a total of 206 hospitals in 29 states. Twelve of those are in Mississippi.

Contact Clay Chandler at (601) 961-7264 or [email protected]. Follow @claychand on Twitter.

Article source: http://www.clarionledger.com/story/business/2014/09/15/hospitals-sued-data-breach/15666399/

Attorneys General Launch Multistate Home Depot Data Breach Investigation

By Martha Kessler

Sept. 11 — A group of attorneys general have opened a multistate investigation into the recently confirmed data breach at Home Depot Inc., officials from the offices of the attorneys general in several states told Bloomberg BNA Sept. 10.

The investigation seeks to identify the circumstances and the causes of the breach as well as the manner in which the home improvement retailer has dealt with affected shoppers, they said.

A spokeswoman for Connecticut Attorney General George Jepsen (D) said that Jepsen will be leading the multistate investigation in coordination with attorneys general Lisa Madigan (D) of Illinois and Kamala D. Harris (D) of California.

Officials in the offices of Harris and Madigan confirmed to Bloomberg BNA that they are engaged in investigating the breach and will work to evaluate the matter and take appropriate action as needed.

Jaclyn M. Falkowski, a spokeswoman for Jepsen, said the attorneys general have had initial contact with the Atlanta-based retailer but declined to offer any further information.

In a breach involving payment cards, there often arises an issue of whether the retailer or the credit card issuer has the duty to report to attorneys general if a relevant state data breach notification law requires it.

Retailer Confirmed Breach

Home Depot, the world’s largest home improvement retailer, confirmed Sept. 8 that its payment data systems had been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores.

The company said in a statement it began its investigation Sept. 2, immediately after it received reports from its banking partners and law enforcement that criminals may have hacked its payment data systems. Home Depot said while it continues to determine the full scope, scale and impact of the breach, there is no evidence that debit personal identification numbers were compromised.

Spokeswomen for attorneys general in Rhode Island and Massachusetts told Bloomberg BNA their offices had received communication from Home Depot alerting them of the breach and the steps the company is taking to investigate the breach and to support customers possibly affected by any data theft.

Rhode Island Attorney General Peter Kilmartin (D) said in a Sept. 10 statement that his office has learned that the cyberattack may have involved transactions as far back as April 2014 and might affect all of the retailer’s 2,200 U.S. stores.

Jillian Fennimore, spokeswoman for Massachusetts Attorney General Martha Coakley (D), told Bloomberg BNA that her state is also involved in the multistate investigation.

“We have been in contact with Home Depot, and will be working with attorneys general across the country to review the circumstances and cause of this data breach, whether Home Depot had sufficient safeguards in place to protect consumer information, and to confirm that Home Depot will take appropriate steps to protect its customers,” Fennimore said.

Retailers Should be Aware

Home Depot joins a growing list of major U.S. retailers that have reported data breaches.

“At this point, all retailers should be aware of the gaps in security that are being exploited and they should immediately implement” improvements, Tom Kellermann, chief cybersecurity officer of Internet and cloud security firm Trend Micro Inc., told Bloomberg BNA Sept. 10.

“Everyone should have learned” from what happened to Target Corp., he said. In December 2013, Target revealed a massive hacking breach of its payment card databases. “And the fact they haven’t should be quite damning,” he said.

The lack of improvements by businesses may mean government regulators, such as the Federal Trade Commission, should act, Kellermann added.

Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.)—who previously served as Connecticut’s attorney general—have called on the FTC to determine whether Home Depot’s data security procedures meet a “reasonable standard”.

Who Must Notify Attorneys General?

One question that has come up in investigations of data breaches is which party is responsible under various state statutes for notifying the appropriate state authorities.

In referencing the Massachusetts data security law, Cynthia Larose, a member of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC in Boston, told Bloomberg BNA Sept. 11 that the notification requirements depend on the type of breach. In these kinds of situations, where the payment system is breached and the information is actually grabbed before it enters the retailer’s payment system, Larose said, one can argue that the information isn’t “owned” by the retailer but instead belongs to the credit card issuer because this information was never actually transferred to the retailer.

The credit card issuers typically don’t notify the attorneys general because they say it isn’t their breach, Larose said. “The attorneys general have not forced that issue with the credit card companies because it is true that they are owners of the information but they are not the processors of the information,” she said.

There are multiple levels of people in between, which is why public notice is really the only way to go.

“I think in a situation like this, where there has been public notice anyway, sending a letter to the attorney general’s office is just closing the loop for retailers like Home Depot that have been involved in a mass breach,” Larose said.

“I think it is always recommended to communicate with the regulators when something like this happens. You only do yourself harm by not communicating with the regulators,” she said.

“Just looking at the situation and saying it’s not really our problem, or we don’t fit under the statute is probably not the best idea,” Larose added.

With assistance from Joyce Cutler in San Francisco

To contact the reporter on this story: Martha Kessler in Boston at [email protected]

To contact the editor responsible for this story: Donald G. Aplin at [email protected]

Article source: http://www.bna.com/attorneys-general-launch-n17179894898/

Flaw in Android Browser Allows Same Origin Policy Bypass

Article source: http://threatpost.com/flaw-in-android-browser-allows-same-origina-policy-bypass/108265

Comcast Pushes Back Against Allegations it Will Cut Off Tor Users

Comcast’s damage-control processes continue to get a workout.

Weeks after an infamously exasperating exchange went public between a customer service person and a customer wishing to disconnect their service, the mega ISP spent most of the weekend defending itself from charges it was discouraging customers from using the Tor browser.

Reports surfaced from a website called DeepDotWeb citing anecdotes allegedly from Comcast customers who were being told they must stop using Tor and quoted customer service reps who said Tor was an “illegal service.”

Comcast fired back this morning, refuting the report and reassuring Tor users they would not be disconnected for using the anonymity service.

“Comcast is not asking customers to stop using Tor, or any other browser for that matter. We have no policy against Tor, or any other browser or software,” said Jason Livingood, VP Internet and Communications Engineering in Technology at Comcast. “Customers are free to use their Xfinity Internet service to visit any website, use any app, and so forth.”

Tor promises its users a level of anonymity online by routing traffic through layers of proxies on the network until packets reach their final destination. The network is used by journalists, activists and other privacy-conscious individuals to keep communication secret.

Tor executive director Andrew Lewman told Threatpost that its Open Observatory of Network Interference (OONI) project investigates instances where Internet access might be restricted, and that this may be a good research topic for OONI.

“People with uncensored connections to the Internet can use Tor to share their access with human rights defenders and journalists behind national firewalls,” Lewman said. “We tend to have good relationships with Internet Service Providers in free societies for this reason.”

The DeepDotWeb report is shy on confirmed facts, citing anonymous Comcast reps by their first name, who allegedly accused Tor users of illegalities and added that Comcast could terminate or suspend a Tor user’s account, and fine them. The report also intimates that Comcast monitors its users’ browser choices. In its first Transparency Report, released in March, Comcast said it received fewer than 20,000 subpoenas for customer information, 253 content warrants and even relatively fewer (93) pen register and trap-and-trace orders.

Livingood said Comcast doesn’t monitor its customers’ choice of browser, nor does it monitor surfing history.

“The anecdotal chat room evidence described in these reports is not accurate,” he said, adding that for example, the company does not terminate customers for repeated violations of copyright infringements. Comcast’s Copyright Alert System, also known as Six Strikes, is meant to be an educational tool and is non-punitive, Livingood said.

“We respect customer privacy and security and only investigate and disclose certain information about a customer’s account with a valid court order or other appropriate legal process, just like other ISPs,” Livingood said. “Our customers can use Tor at any time, as I have myself. I’m sure many of them are using it right now.”

Article source: http://threatpost.com/comcast-pushes-back-against-allegations-it-will-cut-off-tor-users/108268
