Apple Pay fraud stems from retailer data breaches, Apple Store purchases …

According to a report on Thursday, fraudsters are using credit card information gleaned from recent high-profile retail chain data breaches to create Apple Pay accounts, while Apple Stores themselves account for 80 percent of unauthorized transactions.

Citing sources familiar with the matter, The Wall Street Journal reports criminals are purchasing big-ticket items at Apple Stores using fraudulent Apple Pay accounts created in part with credit card data stolen from Home Depot and Target. With the iPhone 6's NFC capabilities, the physical card may not be required for such purchases.

Apple Pay itself has not been breached, meaning customers who have provisioned cards with Apple’s service are safe. The bank-side systems on which Apple Pay security partially relies, however, are apparently being gamed.

When Apple Pay users first opt to add a credit or debit card, the issuing bank can use a “green path,” which immediately provisions the card, or a “yellow path” that requires additional steps to verify a user’s identity. A study found the yellow path to be somewhat lenient, with banks asking for information that in some cases is relatively easy to obtain, such as the last four digits of a user’s Social Security number.

Methods of authentication vary from bank to bank, but some institutions require cardholders to verify account details, log into online accounts or speak to a customer service representative. The publication said some banks send a confirmation text message to a customer’s phone, a technique often used by Web-based two-step authentication services.

The report echoes previous claims that Apple Pay bank partners are “scrambling” to stem the tide of fraudulent activity related to supposedly lax cardholder verification procedures. It is unclear what changes are being made on the backend, but it can be assumed that cardholders will soon see more stringent authentication protocols.

Article source: http://appleinsider.com/articles/15/03/05/apple-pay-fraud-stems-from-retailer-breaches-80-of-unauthorized-buys-are-at-apple-stores


69000 Oregonians Hit by Health Data Breaches

Friday, March 06, 2015

Over 69,000 Oregonians have been affected by health data security breaches since 2010, according to data maintained by the U.S. Department of Health and Human Services’ Office for Civil Rights.  

Fifteen businesses, including Oregon Health and Science University, Portland Veteran Affairs Medical Center, and Lower Umpqua Hospital, each compromised private information for over 500 of their clients. However, some breaches affected as many as 17,000 people.

SLIDES:  See the Security Breaches BELOW

Health data breaches can lead to medical identity theft, a growing problem with serious consequences for victims, according to Bob Gregg, CEO of ID Experts, a company specializing in data breach prevention and response. 

“It’s not an overstatement to say medical identity theft could kill you,” said Gregg. “It’s the fastest growing identity crime in the country.”  

When records gathered by health organizations are breached, information on medical history and insurance is compromised. Gregg said this information is used to purchase medical supplies and services, or harvested by health providers who use it to bill Medicare or Medicaid for services never rendered.

However, Gregg said the consequences for medical identity theft victims are more serious than having to cancel a credit card. 

“If you get to the ER and you’re unconscious, you can’t talk to the doctors when they pull up your record and your drug allergies or even blood type has been changed,” Gregg said.

In 2014, 2.3 million Americans were victims of some form of medical identity theft, a 23 percent increase from the previous year, according to a study by the Ponemon Institute.
Gregg attributed the growth to the monetary value of medical information, which he said is 10 to 50 times that of Social Security numbers.

Protecting your information
If personal information is compromised in a data breach, it is important to act quickly. Paul Stephens is the Director of Policy and Advocacy at Privacy Rights Clearinghouse, a nonprofit consumer rights and privacy advocate.  

“If it involves your Social Security number, you need to look into a credit report freeze and Social Security freeze. If it’s medical information, you want to monitor the explanation of benefits from your insurance carrier,” Stephens said. 

Of the sixteen health data breaches in Oregon since 2010, 11 resulted from thefts of papers or laptops. Stephens said these cases are generally carelessness on the company or employer’s part. 
“They’ll lose a laptop and it won’t be encrypted,” Stephens said.  

The Government’s Role
Under the federal HITECH Act, health security breaches that affect 500 people or more must be reported to the Secretary of Health and Human Services. 

In Oregon, businesses are required to notify anyone whose information may have been compromised in a breach. However, they do not have to report it to any state regulators, such as the Oregon Attorney General. 
Last December, Oregon Attorney General Ellen Rosenblum urged the Oregon Senate and House Judiciary Committee to expand the state’s data breach law and require breaches be reported to her office, giving her enforcement power.

“As technology changes, so must the legal infrastructure which protects that technology. Oregonians want—and should—know who is collecting their personal information and data, how it is being used and protected, as well as to whom it is being sold,” Rosenblum said in her testimony.

Only fifteen states have laws that require data breaches be reported to state police. 

Gregg said he has been lobbying this year in Salem, urging legislators to require medical identity monitoring in the case of a breach, along with financial monitoring.  

“90 percent of the public has no clue what medical identity theft is,” Gregg said. “They have to start understanding the biggest risk for citizens of Oregon in breaches of this kind.”


The following are health data breach reports from Oregon as listed on the Department of Health and Human Services Office for Civil Rights website.

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.

#   | Entity                                                                  | Individuals Affected | Breach Submission Date | Type of Breach                                             | Location of Breached Information
#16 | Oregon Health Authority                                                 | 550                  | 4/26/2012              | Theft                                                      | Paper/Films
#15 | Kaiser Foundation Health Plan of the Northwest                          | 647                  | 9/3/2013               | Unauthorized Access/Disclosure                             | Unauthorized Access/Disclosure
#14 | Oregon Health Science University                                        | 702                  | 7/31/2012              | Theft                                                      | Other
#13 | Lincoln County Health and Human Services/Lincoln Community Health Center | 959                 | 6/14/2013              | Unauthorized Access/Disclosure                             | Paper/Films
#12 | Oregon Health Science University                                        | 1,076                | 4/11/2013              | Theft                                                      | Laptop
#11 | Treatment Services Northwest                                            | 1,200                | 7/29/2011              | Theft                                                      | Desktop Computer
#10 | Albertina Kerr Centers                                                  | 1,320                | 10/6/2014              | Theft                                                      | Laptop
#9  | Oregon Health Science University                                        | 1,361                | 7/28/2013              | Unauthorized Access/Disclosure                             | Other
#8  | Portland VA Medical Center                                              | 1,740                | 10/29/2014             | Theft                                                      | Paper/Films
#7  | Dr. Trandinh                                                            | 2,300                | 2/20/2012              | Theft, Unauthorized Access/Disclosure                      | Laptop
#6  | Thomas L. Davis, Jr. DDS                                                | 3,269                | 3/15/2013              | Theft                                                      | Desktop computer, electronic medical record
#5  | Eastmoreland Surgical Clinic, William Graham, DO                        | 4,328                | 8/20/2010              | Theft                                                      | Desktop computer, laptop, other
#4  | Molalla Family Dental                                                   | 4,354                | 7/16/2012              | Hacking/IT Incident, Other, Unauthorized Access/Disclosure | Network Server
#3  | Robert Witham, MD, FACP                                                 | 11,136               | 6/6/2012               | Theft                                                      | Desktop computer
#2  | Lower Umpqua Hospital                                                   | 17,000               | 6/8/2011               | Theft                                                      | Other, other portable electronic device
#1  | Central City Concern                                                    | 17,914               | 5/19/2014              | Unauthorized Access/Disclosure                             | Other


Article source: http://www.golocalpdx.com/news/69000-oregonians-hit-by-health-data-breaches


AAFES Confirms Data Breach of US Military Customers’ Info in Germany

Names, addresses, emails and technical information belonging to 98,000 U.S. military personnel stationed in Europe held by an on-base cell phone concessionaire have potentially been compromised, according to the Army and Air Force Exchange.

“The Exchange learned on February 11 of a data breach of customer information held by concessionaire SIGA Telecom,” AAFES spokesman Chris Ward said in an email Friday.

AAFES referred questions about the nature of the data breach to SIGA.

SIGA officials did not immediately provide a comment on Friday.

“There was no financial information released,” Ward said. “To date, there is no evidence of fraudulent use of the information.”

After the data breach was discovered SIGA immediately took systems offline, began an investigation and informed German authorities in an effort to find and prosecute the person responsible, Ward said. “The investigation is ongoing.”

SIGA notified the holders of 27,500 active accounts of the data breach on March 5, he said.

Exchange representatives have met with SIGA executives to review details of the breach and confer on remedial actions, Ward said.

AAFES has ordered SIGA to notify its customers, set up a telephone information line, develop a remediation plan and re-evaluate its security within 90 days, he said.

Article source: http://www.military.com/daily-news/2015/03/06/aafes-confirms-data-breach-of-us-military-customers-info-germany.html


Anthem Refusing OIG Security Audit Following Breach

Article source: https://threatpost.com/anthem-refusing-oig-security-audit-following-breach/111476


Data breach hits food chain Natural Grocers

A health food chain has reported that payment card numbers may have been compromised in a cyber data breach.

Lakewood, Colorado-based Natural Grocers by Vitamin Cottage Inc., which does business as Natural Grocers, said in a statement Wednesday that the “unauthorized intrusion” targeted limited customer payment card data.

The company said the card numbers that may have been compromised have been provided to the company’s payment processor and the major credit card brands, which have been asked to take appropriate measures to monitor activity on those cards and, if necessary, notify customers of any suspicious activity.

The company, which operates 93 stores in 15 states, also said the incident has been contained and that there is no indication that PINs or personally identifiable information, such as names, addresses or Social Security numbers, were involved.

The company said it has accelerated the updating of its point-of-sale system in all of its store locations.

A company spokesman could not immediately be reached for comment.

Article source: http://www.businessinsurance.com/article/20150305/NEWS06/150309907/data-breach-hits-health-food-chain-natural-grocers?tags=%7C338%7C83%7C329%7C302%7C299


Attorney General’s data breach notification bill approved in House … – Bonney Lake and Sumner Courier

Today, Washington Attorney General Bob Ferguson’s legislation strengthening the state’s data breach notification law passed the House of Representatives, 97 to 0, with strong bipartisan support.

“Nearly every day, we hear of another troubling compromise of sensitive personal information,” Ferguson said. “Repairing the damage caused by identity theft costs consumers billions of dollars every year. Protecting consumers is one of my top priorities, and the sooner they know their data has been compromised, the more they can do to minimize that damage.”

The House version of the Attorney General’s agency-request legislation, House Bill 1078, is sponsored by Rep. Zack Hudgins, D-Tukwila.

“Cybercrime gets more sophisticated every day, but it’s been nearly a decade since our data breach notification law had any update,” Hudgins said. “I’m glad my colleagues joined me in taking the first step in giving consumers the tools they need to protect themselves when data breaches occur, and I hope this robust discussion of cybersecurity continues.”

The Senate version, Senate Bill 5047, is sponsored by Sen. John Braun, R-Centralia.

“Identity theft is becoming more common and can have serious impacts on people’s lives,” said Braun. “This legislation would empower consumers with access to timely information to understand what they can do if their sensitive data have been compromised. We need to improve awareness and education so that people can recover from data breaches.”

Every year, data breaches imperil the personal and financial information of millions of consumers across the nation. Sophisticated hackers attack businesses, non-profits, and public agencies of all sizes, accessing vast troves of consumer information with each breach.

In 2012 alone, the most recent year that federal Bureau of Justice Statistics data are available, 16.6 million Americans — some 7 percent of those age 16 or older — were victims of identity theft. According to the Online Trust Alliance, in 2013 there were 2,164 data breaches in which over 830 million records were exposed, including credit card numbers, email addresses, login credentials, Social Security numbers and other personal information.

Current state law regarding data breaches does not adequately protect consumers in this new age of massive database theft. It does not require notifications concerning the release of “encrypted” data, even when the encryption is easy to break or there is reason to believe that the encryption “key” has been stolen. Current law does not specify a deadline by which consumers must be notified nor does it require entities to provide consumers with information on how to protect themselves in the wake of a breach.

Finally, unlike other states, Washington state law does not require any centralized reporting to the state when a data breach occurs, resulting in a lack of robust information for law enforcement and consumers.

The legislation passed by the House strengthens Washington’s data breach notification law by:

- Eliminating the blanket exemption for encrypted data;

- Requiring consumer notification as immediately as possible and no later than 45 days whenever personal information is likely compromised;

- Requiring that the Attorney General be notified within 45 days when a data breach occurs at a business, non-profit or public agency, enabling the Attorney General to compile centralized information about data breaches for law enforcement and consumers; and

- Requiring businesses, non-profits and agencies, when reporting a breach, to provide consumers with basic information they can use to help secure or recover their identities.


Article source: http://www.blscourierherald.com/news/295203061.html


Mandarin Oriental Investigates Data Breach Incident

The data breach tidal wave continues: the Mandarin Oriental Hotel Group has confirmed that its hotels have been affected by a credit-card breach.

Banks told independent researcher Brian Krebs that they had noticed a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels. To boot, it appears that the attack happened just before Christmas, and that it likely affected most if not all of the company’s two-dozen locations.

When Krebs reached out to the luxury chain, the company confirmed it is investigating a breach caused by malware used to infect its point-of-sale systems in the US and in Europe.

“We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company told Krebs.

“Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law,” it continued. “The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.”

It’s a pretty rote statement. Ulf Mattsson, CTO at Stamford, CT-based data security company Protegrity, noted that rote answers are not enough. He added that while it’s important to follow PCI and privacy guidelines, it’s also necessary to go beyond them.

“I have no doubt that officials at the luxury hotel chain will say their credit card systems were PCI compliant,” he noted in an emailed comment. “Unfortunately, they have just learned the hard way that compliance does not equal security.”

Rather, there are critical questions that need to be asked. “This is no time for corporate security officers to tell themselves, ‘my company is PCI-compliant. We haven’t had any breaches. We should be OK,’” he said. “What they should really be asking themselves is, ‘Are we really good at protecting our most critical data or were we just lucky? What else can we do to make sure criminals don’t steal our sensitive data, not to mention our reputation, our customers’ loyalty, our employees’ job satisfaction or even our profits?’”

Krebs said that given the Mandarin’s type of clientele—rooms go for upwards of $600 per night—the cards could be worth a lot on the underground market. But, it’s not clear if the theft is from stores and restaurants inside the hotels or the front desk systems themselves.

“This was the case with hotels managed by White Lodging Services Corp., which last year disclosed a breach that impacted only restaurants and gift shops within the affected hotels,” he said.

Article source: http://www.infosecurity-magazine.com/news/mandarin-oriental-data-breach/


Despite high-profile data breaches, fraud is down

Home Depot, Staples, Neiman Marcus — 2014 was a blockbuster year for the high-profile data breaches, with at least $16 billion stolen from a reported 12.7 million fraud victims.

But those numbers are actually an improvement, according to a new study by Javelin Strategy Research. Last year, the amount of money lost to fraud dropped 11 percent, down from $18 billion in 2013. And in 2012, the amount was even higher, at $21 billion.

The number of victims is down too, dipping 3 percent in 2014.

Though hacks appear to be growing in size and targeting larger retailers, financial institutions have also gotten better at performing triage after such an attack occurs.

“The combined efforts of industry, consumers, and monitoring and protection systems that are catching fraud more quickly helped reduce the incidence of fraud and the amount stolen over the past year,” said Al Pascual, director of fraud and security at Javelin, a consulting firm that analyzes consumer transactions. “When detected, fraud is being resolved quicker than ever before.”

After 110 million credit card numbers were stolen in the December 2013 Target breach, for example, banks went on the offensive, spending more than $200 million to replace consumer credit and debit cards.

In 2014, 1 in 4 consumers received data breach notifications, but a smaller proportion of those people became fraud victims than in 2013. Last year, fraud incidents among notified breach victims dropped 17 percentage points to 13.7 percent, the lowest rate since Javelin began conducting its annual study in 2004.

The report hypothesized that the huge number of data breaches in 2014 may have spurred banks and retailers to take such attacks more seriously, driving down the incidence of fraud. Improvements in technology that can help detect fraud also contributed to the decline, the report said.

Pascual warned that despite dropping reports of fraud, consumers should still be wary of identity theft.

“We have seen declines in the past, but they have reversed as fraudsters try new approaches or when new technologies make it easier for fraudsters to get consumer information,” he said.

For instance, while new-account fraud (in which a fraudster uses stolen information to open an account in a victim’s name) reached record lows in 2014 according to the Javelin report, this year such incidents have increased due to security weaknesses in Apple’s new mobile payments system, Apple Pay.

In the Javelin report, 13 percent of victims of new-account fraud did not detect the identity theft for more than a year.

Though 2014’s number of victims was down, 2013 had the second-highest number of identity theft victims since Javelin began its annual study.

In the end, said Pascual, more breaches will result in more victims of identity theft. In 2014, two-thirds of identity fraud victims had previously received a data breach notification that year.

“This is a long, drawn-out battle against identity thieves,” he said. “While there have been some victories this year, there have also been some discouraging setbacks. It really reinforces why we need the combined efforts of industry, consumers, and monitoring and protection systems working together to continue the downward trend.”

Javelin’s report was based on a sample of 5,000 U.S. adults, including 790 fraud victims.

Kristen V. Brown is a San Francisco Chronicle staff writer. E-mail: [email protected] Twitter: @kristenvbrown

Article source: http://www.sfgate.com/business/article/Despite-high-profile-data-breaches-fraud-is-down-6117588.php


AAFES confirms SIGA data breach of US military customers’ information in …


TOKYO – Names, addresses, emails and technical information belonging to 98,000 U.S. military personnel stationed in Europe have been stolen from an on-base cellphone concessionaire, according to the Army and Air Force Exchange.

“The Exchange learned on February 11 of a data breach of customer information held by concessionaire SIGA Telecom,” AAFES spokesman Chris Ward said in an email Friday.

AAFES referred questions about the nature of the data breach to SIGA.

SIGA did not immediately answer telephone calls or emails on Friday.

“There was no financial information released,” Ward said. “To date, there is no evidence of fraudulent use of the information.”

After the data breach was discovered SIGA immediately took systems offline, began an investigation and informed German authorities in an effort to find and prosecute the person responsible, Ward said. “The investigation is ongoing.”

SIGA notified the holders of 27,500 active accounts of the data breach on March 5, he said.

Exchange representatives have met with SIGA executives to review details of the breach and confer on remedial actions, Ward said.

AAFES has ordered SIGA to notify its customers, set up a telephone information line, develop a remediation plan and reevaluate its security within 90 days, he said.


Article source: http://www.stripes.com/news/europe/aafes-confirms-siga-data-breach-of-us-military-customers-information-in-germany-1.332993


Anthem data breach leaves personal information vulnerable

Scammers have been targeting some of the 80 million people who may have had patient information hacked during the Anthem data breach in an attempt to gather personal information. There are several things that consumers can do after any data breach to help protect themselves.

Here are some tips from the Better Business Bureau:

Visit Anthem’s website at www.anthemfacts.com for the latest information on the data breach. They are offering free credit monitoring for 24 months through All Clear ID. This is being offered to current and former customers dating back to 2004.

Set up a yearly credit report plan. Visit www.annualcreditreport.com to request a free credit report from Equifax, Experian and TransUnion. You are eligible to receive this free credit report annually. A good rule of thumb is to space those out and request one every four months from a different reporting agency.

Consider a credit freeze. This is when a credit report is taken out of circulation and only existing creditors are allowed access to it. There may be a fee involved, and the freeze must be placed with all three major credit bureaus. It stays in place indefinitely until you remove it.

Protect your child’s information. Children’s records tied to a parent’s account may have been compromised in the Anthem data breach. A child’s Social Security profile is “clean” and valuable to identity thieves.

Be on the lookout for credit card offers, jury duty notices, collection attempts, etc., addressed to your child, which are a good indication that your child’s information was compromised. Request a free credit report from the three major credit bureaus to check your child’s credit profile.

Look out for phone scams and emails from fake companies claiming to offer credit monitoring services. They want you to sign up for their services so they can steal your credit card information and Social Security number. Hang up the phone or delete unsolicited emails, as they may contain a virus.

The BBB is trained to recognize and investigate instances of ID theft fraud and can advise you on these types of data breaches. Please contact the Mid Missouri BBB at [email protected] or 573-886-8965 with any questions. 

Article source: http://www.abc17news.com/news/anthem-data-breach-leaves-personal-information-vulnerable/31638942
