MARTA Data Breach Affects Almost 800 Workers

Almost 800 MARTA employees were offered free credit monitoring after an e-mail malfunction sent their personal information to the wrong people in June.

MARTA said Thursday that the foul-up occurred when roughly 785 employees enrolled for critical care insurance; a “mechanical malfunction” occurred during the mail merge process, causing the information to be sent to incorrect addresses, the Atlanta Business Chronicle reports.

Officials discovered the malfunction on June 12 and informed the affected employees on June 16, MARTA told the Chronicle.

App Wars: Lyft Executive Allegedly Linked To Uber’s Driver Data Breach


Oct 8, 2015 1:46pm

Uber has been doing some digging to find out who was behind the breach of drivers’ login and license plate information last year, but the legal investigation has taken an unexpected turn that hints at the possibility of corporate espionage.

Two IP addresses of Lyft’s chief technology officer Chris Lambert were linked to a security key used to improperly download nearly 50,000 drivers’ personal information in March, Reuters reported.

Uber disclosed the May 2014 breach earlier this year, which has spurred lawsuits against the on-demand driver service. The company filed its own federal suit soon after to help uncover the perpetrator’s identity. However, there is no clear connection between Lambert’s computer and the breach. According to court documents, a different IP address that doesn’t belong to the Lyft executive was used in the hack.

Lyft, which is valued at $2.5 billion or one-twentieth of Uber, has denied any wrongdoing and said an internal investigation didn’t turn up evidence of a Lyft employee tapping into Uber’s driver database. The company however hasn’t commented on the IP addresses Uber linked to Lambert and a stolen security key.

Uber’s lawsuit falls under the Computer Fraud and Abuse Act, a notably broad federal statute that prohibits unauthorized computer access and has been used to convict hackers — malicious and benign. President Barack Obama announced plans to update the law in the State of the Union address earlier this year.

But the law and the White House’s proposed revisions have been criticized for criminalizing any digital behavior done without clear consent, which could lead to harsh convictions for seemingly innocuous behavior such as logging onto a friend’s computer months after you first asked for the password.

The 29-year-old statute is also at the center of the Justice Department’s investigation into allegations that St. Louis Cardinals employees hacked Houston Astros players’ personnel data.

The FBI found evidence in 2014 that Cardinals officials accessed an Astros’ database with internal communications about player trades, scouting reports, and team statistics. Charges are pending against at least one Cardinal employee.

US cybersecurity sprint slows to a stroll following huge data breach

Nearly three months after a fevered Obama administration attempt to bolster security against cyber-hackers who tapped into the private information of some 25 million federal employees, cybersecurity experts say there is still no comprehensive plan to protect the sprawl of 10,000 government and contractor computer systems.

Among the noteworthy gaps: a cybersecurity “strategy and implementation plan,” which the White House said last July would be the work of “a team of over 100 experts from across the government and private industry.” A spokesman for the White House Office of Management and Budget provided no answer to a specific question from Fox News about the timing of the plan’s release.

New comprehensive software defenses that the administration intends as a major security bulwark also appear to be a work in progress: a $1 billion award to the prime contractor for the design, development and maintenance of a so-called National Cybersecurity Protection System (NCPS), also known as EINSTEIN, was only announced at the end of September.

Meanwhile, the experts charge, government agencies apparently still don’t perform routine security tasks that are commonplace in the private sector, there is little evidence that the Obama administration is holding top agency officials accountable for the laxness, and literally hundreds of recommendations to government agencies on how to enhance security remain unaddressed.

Even when it comes to using the steady stream of software update patches that bolster most software systems, “they aren’t that good at it on a consistent basis,” says Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO), the watchdog arm of Congress.

Whatever improvement has occurred is “incremental,” Wilshusen told Fox News, and pointed in particular at the government’s glacial response to recommendations for improvement that largely come from GAO and other watchdogs. In GAO’s case, he noted, “between fiscal 2011 and fiscal 2015 we have made 1,590 recommendations on information security issues, and of those about one-half are still not implemented.”

A GAO report released at the end of September on the administration’s information security practices reinforces Wilshusen’s contentions of glacial improvement at best. Using interviews at six selected agencies and information from inspectors general working at 24 federal agencies and departments, the document finds that virtually all of them have major difficulties in “limiting, preventing, and detecting inappropriate access to computer resources,” ranging from patch installation to much bigger issues of having plans to manage the risks of potential information security breaches.

At the same time, the report notes, cyberattacks involving personal information of federal employees or contractors have risen to 27,624 in 2014 from 10,481 in 2009.

Those numbers likely include a series of mega-attacks whose existence was only revealed this year that involved the personal information and intimate background checks, as well as fingerprints, of millions of current and former federal employees, and that could compromise the entire U.S. national security system.

Along with the biggest attacks at the White House Office of Personnel Management, and its related contractors, the report notes that intrusions compromised the personal information of 800,000 Postal Service workers, 14,000 personal information accounts at the Food and Drug Administration, and about 330,000 IRS tax accounts.

The litany of reported lax security practices includes such areas as:

  • weaknesses in access controls for 22 of the 24 agencies examined, meaning who could get in and out of systems;
  • weaknesses in authorization controls in 18 agencies, meaning who was allowed specific levels of access in the systems — and whether they should have lost those authorizations for such reasons as quitting or being transferred (the good news was that in 2013, 20 agencies had problems);
  • on the issue of installing patches and software updates, 17 agencies had reported weaknesses in 2014, down from 23 the previous fiscal year, but still more than 70 percent of those surveyed;
  • at the same time, 22 agencies had weaknesses in so-called configuration management, which the report describes as controls that “limit and monitor access to powerful programs and sensitive files associated with computer operations, [and] are important in providing reasonable assurance that access controls and the operations of systems and networks are not compromised”;
  • seven agencies did not have so-called risk management plans, which address what the report describes as the “harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.” Wilshusen called that a “basic, fundamental principle” of information security that is, moreover, “required by law.”

“It’s almost as if the different departments and agencies feel someone else has their job,” observed Theresa Payton, who served as White House chief information officer from 2006 to 2008, and now runs her own cyber-security consulting firm, Fortalice Solutions.

Payton described herself as “floored” at the notion of access control lapses at any agency, which she described as “vitally important,” and said failure to “lock down” security contractor-operated networks entwined with federal agencies — the report says there are some 1,500 of them — was “borderline negligence.”

Even day-to-day activities like patching systems when required, she points out, are vital to security, since “if it’s updateable, it’s breachable.”

The administration’s response to the GAO report and related criticisms is that it is outdated, according to Jamal Brown, a spokesman for the White House Office of Management and Budget (OMB), one of the overseers of federal cybersecurity. Data for the report, he notes, largely came from “previous years and did not fully reflect the most recent efforts by federal agencies” under the goad of the cyber-sprint.

Earlier this year, Brown noted, “Federal civilian agencies increased their use of strong authentication for privileged and unprivileged users by 30 percent,” and he hailed an update of federal information security management laws at the end of 2014 for “better delineating the roles and responsibilities of the OMB and the Department of Homeland Security in securing federal networks and our ability to provide clearer guidance to federal agencies.”

The attainments that Brown cited are also mentioned in greater detail in a July 21 blog post by White House Chief Information Officer Tony Scott that hailed the results of the cyber-sprint — and also revealed how much catch-up was required, and still remains.

The increase in “strong authentication” for network access — meaning swipe card IDs or other tools — brought federal civilian agencies, on average, up from 42 to 72 percent of users — meaning that more than a quarter of users still did not have that required status.

The same went for “privileged” users, meaning those with greater access and ability to change systems. Previously, only one-third of such users had strongly protected credentials; a quarter still need them, according to the blog.

Scott added that 13 of 24 agencies had gotten the tally up to 95 percent of privileged users — implying that for the remaining agencies, the proportion must therefore be significantly lower than the three-quarters average.

Other results of the sprint ostensibly included the “immediate” patching of “critical vulnerabilities” and tight limits on the number of “privileged users with access to authorized systems,” but Scott did not report detailed progress in those areas — which means that the “outdated” criticism of federal sclerosis may not be all that outdated.

As the GAO’s Wilshusen puts it, “we need more of a marathon, not a sprint. What is required is continuity in day-in and day-out basics,” which the GAO report found lacking. He also said “the jury is still out” on the latest changes in information security law, which require individual federal agencies to identify risks and correct them “in a timely manner.”

“We don’t need one 30-day sprint,” adds Payton. “We need another and another and another.” Much of what was accomplished during that fast-track period, she notes, “was stuff they were supposed to do anyway.”

“At the end of the day, if the administration doesn’t hold the departments and agencies accountable,” not much will change, she said.

And if that is true, whoever is stealing America’s most sensitive information will likely continue to have a field day.

George Russell is editor-at-large of Fox News and can be found on Twitter:  @GeorgeRussell or on


Article source:


No Comments

Report Says a Data Breach Could Cost US Biz $15 Million

The fact is cybercrime is costly. Now, the 2015 Cost of Cyber Crime Study from HP Enterprise Security and the Ponemon Institute has revealed just how costly it really is to U.S. organizations. The average annual cost of cybercrime is a whopping $15 million. That’s about a 20 percent year-over-year increase — and an 82 percent increase since HP and Ponemon started doing these studies six years ago.

The report also noted it takes, on average, 46 days to resolve a cyberattack. That percentage has increased by 30 points over the past six years. And the average cost to resolve a single attack is over $1.9 million.

“As organizations increasingly invest in new technologies like mobile, cloud, and the Internet of Things, the attack surface for more sophisticated adversaries continues to expand,” said Sue Barsamian, senior vice president and general manager, enterprise security products, HP, in a statement. “To address this challenging dynamic, we must first understand the threats that pose the most risk and then prioritize the security strategies that can make a difference in minimizing the impact.”

The Costliest Cybercrimes

Based on the study’s findings, HP pointed to the need to shift security strategies from traditional network control and perimeter management to an advanced focus on protecting interactions among users, applications and data. Organizations are committing 20 percent of their security budgets to the application layer, up 33 percent in just two years, according to the study.

Denial of service, malicious insiders and malicious code lead to the most costly cybercrimes. These accounted for more than 50 percent of all cybercrime costs per organization on an annual basis, according to the study. HP also reported that malicious insider attacks can take longer to address, taking an average of approximately 63 days to contain.

Meanwhile, information theft is the highest external cost, followed by the costs associated with business disruption. Information theft accounted for 42 percent of total external costs annually, while costs associated with disruption to business or lost productivity accounted for 36 percent of external costs, up 4 percent from the six-year average.

On the other hand, the most costly internal activities were recovery and detection, which accounted for 55 percent of the total annual internal activity cost. Cash outlays and direct labor made up most of these costs.

The Right Solution

“With cyber attacks growing in both frequency and severity, understanding of the financial impact can help organizations determine the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in the statement. “As seen in this year’s study, the return on investment for organizations deploying security intelligence systems, such as SIEM, realized an average annual cost savings of nearly $4 million — showcasing the ability to minimize impact by more efficiently detecting and containing cyber attacks.”

We asked Tim Erlin, director of IT security and risk strategy for advanced threat protection firm Tripwire, for his thoughts on the cybercrime report. He told us when these kinds of reports come out, the headlines are all about the escalating costs of a breach, but they should be about the mounting evidence that well-understood actions can materially decrease those costs.

“The probability that you will experience a breach is steadily increasing, and so the return on investment for an appropriate security budget and leadership has continuously become more favorable,” Erlin said. “There’s no doubt that avoiding a breach altogether is the best way to reduce its cost. Investing in tools that prevent, detect and shorten time to resolution is not only intuitively right, it’s proven out by reports like this one.”

Uber checks connections between hacker and competitor ‘Lyft’ following data …

Uber’s logo on a smartphone. Reuters/Kai Pfaffenbach

Eight months after disclosing a major data breach, ride service Uber [UBER.UL] is focusing its legal efforts on learning more about an internet address that it has persuaded a court could lead to identifying the hacker. That address, two sources familiar with the matter say, can be traced to the chief of technology at its main U.S. rival, Lyft.

In February, Uber revealed that as many as 50,000 of its drivers’ names and license numbers had been improperly downloaded, and the company filed a lawsuit in San Francisco federal court in an attempt to unmask the perpetrator.

Uber’s court papers claim that an unidentified person using a Comcast IP address had access to a security key used in the breach. The two sources said the address was assigned to Lyft’s technology chief, Chris Lambert.

The court papers draw no direct connection between the Comcast IP address and the hacker. In fact, the IP address was not the one from which the data breach was launched.

However, U.S. Magistrate Judge Laurel Beeler ruled that the information sought by Uber in a subpoena of Comcast records was “reasonably likely” to help reveal the “bad actor” responsible for the hack.

On Monday, Lyft spokesman Brandon McCormick said the company had investigated the matter “long ago” and concluded “there is no evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”

McCormick declined to comment on whether the Comcast IP address belongs to Lambert. He also declined to describe the scope of Lyft’s internal investigation or say who directed it.

Lambert declined to comment in person or over email.

Attorneys for the Comcast subscriber, who is not named in court documents, did not respond to an interview request on Monday.

In an email on Monday, an Uber spokeswoman declined to comment on any aspect of the case beyond what is in court filings, including what led the company to believe that more information about the Comcast subscriber might lead them to the hacker.

Uber’s lawsuit alleges the hacker violated civil provisions of the federal Computer Fraud and Abuse Act, as well as a similar California law. It is unclear if the leaked driver information was ever used by the hacker or anyone else.

According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.

After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that “the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated” from suspicion, court papers say.
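The review described in the two preceding paragraphs, scoping who fetched a page carrying an exposed key during the window between its posting and the breach, is a routine incident-response task. The following is an added Python example written for this page; it is not Uber’s tooling and is not drawn from the court filings. The log lines, the repository path, the window dates and the crawler markers are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample access-log lines (combined log format). The IPs are documentation
# ranges and the path is a placeholder; none of this is real Uber or GitHub data.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2014:10:15:02 +0000] "GET /example-org/repo/blob/master/config.yml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2014:08:01:44 +0000] "GET /example-org/repo/blob/master/config.yml HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.44 - - [05/Mar/2014:22:40:10 +0000] "GET /example-org/repo/blob/master/config.yml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Mar/2014:01:12:33 +0000] "GET /example-org/repo/README.md HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2014:09:00:00 +0000] "GET /example-org/repo/blob/master/config.yml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

EXPOSED_PATH = "/example-org/repo/blob/master/config.yml"   # assumed location of the leaked key
POSTED_AT = datetime(2014, 3, 1, tzinfo=timezone.utc)       # assumed: when the key went public
BREACH_AT = datetime(2014, 5, 13, tzinfo=timezone.utc)      # assumed: when the download happened

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Self-reported user-agent substrings treated as search-engine crawlers (assumption).
KNOWN_CRAWLER_MARKERS = ("googlebot", "bingbot")


def visitors_in_window(log_text, path, start, end):
    """Map each client IP to the set of user agents it used for successful fetches of `path`
    between `start` and `end` (inclusive). Lines that do not parse are skipped."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != path or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= end:
            seen.setdefault(m["ip"], set()).add(m["ua"])
    return seen


def unexplained_visitors(log_text, path, start, end, eliminated=frozenset()):
    """IPs that fetched the exposed page inside the window and are neither already
    explained (the `eliminated` set) nor consistently presenting as a known crawler."""
    remaining = set()
    for ip, agents in visitors_in_window(log_text, path, start, end).items():
        if ip in eliminated:
            continue
        if all(any(mark in ua.lower() for mark in KNOWN_CRAWLER_MARKERS) for ua in agents):
            continue  # every hit from this IP identified itself as a crawler
        remaining.add(ip)
    return remaining


if __name__ == "__main__":
    suspects = unexplained_visitors(SAMPLE_LOG, EXPOSED_PATH, POSTED_AT, BREACH_AT)
    print(sorted(suspects))   # the IPs still needing an explanation
```

Two caveats matter in practice. The user agent is self-reported, so an IP should only be eliminated as a crawler after confirming it against the search engine’s published address ranges or reverse DNS; and, as the subscriber’s lawyers argue further down, a crawler visit means the page may have been cached elsewhere, so the server’s own log cannot prove the key was never seen outside that window.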

The numeric Comcast IP address and some other details have been redacted from court filings, so Reuters was unable to independently assess whether there was a connection between Lambert and the Comcast IP address. The two sources, however, said Uber researched the address and discovered that it showed up elsewhere in Internet postings associated with Lambert, and that the address was assigned to his name.

Lawyers for the unnamed Comcast subscriber have pointed out in court that the web page containing the key was publicly available and that anyone could have visited the site without violating any laws. They also stressed that the data breach stemmed from a different IP address.

In his statement on Monday, Lyft spokesman McCormick noted that “Uber allowed login credentials for their driver database to be publicly accessible for months before and after the breach.”

The two sources said that the address from which the hack was launched is associated with a virtual private network service. One of them added that the service is based in a Scandinavian country and is known for vigorously protecting the privacy of its users. The hacker’s numeric IP address is redacted from court papers.

In July, the federal magistrate judge in San Francisco approved Uber’s request for a subpoena granting the company access to the Comcast subscriber’s identity, source of payment and other subscription details. The subpoena also requires Comcast to disclose information connecting the subscriber to certain other IP addresses and to the GitHub web pages.

Attorneys for the unnamed Comcast subscriber appealed to the 9th U.S. Circuit Court of Appeals, and Beeler put her ruling on hold pending the outcome.

In fighting the subpoena, the subscriber’s attorneys asserted in court that Uber has improperly focused on their client instead of other possible perpetrators of the breach.

They noted that automated web crawlers also visited the site with the security key. Google and other search engines use such crawlers to visit and gather information from web pages for indexing and caching. One of those crawlers could have saved the key somewhere else, the subscriber’s attorneys argued in court filings, where it could have been accessed by the hacker.

The attorneys also suggested that a disgruntled Uber engineer could have taken the driver data to a new job, as it would be valuable for a competitor.

In her ruling, Beeler concluded there was “no evidence” that the key was available anywhere else online other than the place Uber inadvertently posted it.

Lyft, with a valuation of $2.5 billion, is much smaller than rival Uber, valued at $51 billion, based on previous funding rounds. The companies compete fiercely for drivers and customers.

Lambert has been Lyft’s CTO since 2012, according to his LinkedIn page. Prior to that, he was a software engineer at Google for 5 years, working on mobile maps and Google location.

(Reporting By Dan Levine and Joseph Menn; Editing by Sue Horton and Amy Stevens)

American Bankers Association Reveals Data Breach

The American Bankers Association recently disclosed details about a data breach that compromised roughly 6,400 usernames and passwords on the association’s website. The group confirmed the computer systems were compromised last Thursday, but they do not believe that any financial data was leaked in the breach.

“We have seen no evidence that the hacker has also accessed credit card information or other personal financial information,” Frank Keating, CEO and president of the ABA, said in a statement.

Nevertheless, the data that was taken was posted online, so the organization is encouraging users to change their passwords at this time for their own protection.

The breach did impact the shopping cart on, which users utilize for purchases made on the website, or to register for services on the site. Even though the personal financial details were not released–or not knowingly released–at this time, hackers may still use the stolen data to spend money fraudulently on a user’s account.

The irony of this data breach lies in the criticism that the ABA has recently levied at Congress to instill stricter security standards on the financial sector. The group goes so far as to provide security tips for consumers to read on their website.

The ABA is working closely with a cyber forensics team to find the source of the problem, but this shows that any organization could be vulnerable to a breach.

Guard your business against data breaches — and liability

Q: I have a few questions about liability for data breaches. I know that ARC’s position is that we are liable to pay for tickets issued by our GDS under our ARC number after a thief uses an agent’s login. Are we also liable if a hacker steals our clients’ credit card numbers and runs up huge credit cards bills? I know that the card company will reverse the charges and absorb the loss, but what if the fraud results in the cardholder being turned down for a home mortgage for his dream house or he suffers another unreimbursable loss? Finally, what steps can we take to prevent being victimized by a cyber thief?

A: Contrary to popular belief, there is no federal or state statute, regulation or court precedent that holds that a travel business is automatically liable for data breaches. As one court put it, “The fact that a company has suffered a data breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.”

Even ARC agrees that you are not necessarily always liable when a cyber thief obtains an agent’s GDS login and issues tickets. ARC will blame you only if you failed to “exercise reasonable care” to prevent unauthorized issuance of electronic tickets.

Under the ARC Agent Reporting Agreement, ARC can relieve your agency of liability if ARC determines that your agency was exercising “reasonable care” at the time of the theft. One of the ways in which agencies must exercise reasonable care is to safeguard GDS login credentials.

If a cyber thief steals your client’s credit card information and other personal data and your client suffers an unreimbursed loss, the courts have generally applied the same reasonable-care standard. The cardholder cannot successfully sue your agency unless he proves that your lack of reasonable care (i.e., negligence) caused the loss.

To prove negligence, the cardholder (or a group suing you in a class action) would have to prove that you had a recognized duty, which you failed to observe, and that your failure directly caused the unreimbursed loss. As far as I know, very few consumers have ever succeeded in such a claim.

Nevertheless, just because it is difficult to successfully sue a credit card merchant for a data breach, it does not necessarily follow that you should not bother to guard against breaches. Many states require you to disclose the breach to your clients, and your reputation could be ruined if clients cannot trust you with their credit cards.

The three simplest methods to guard against data breaches are to safeguard logins, use complicated passwords and encrypt credit card numbers. Train all employees never to disclose their computer or GDS logins in response to any email, a pop-up window or a phone call purporting to be from the GDS vendor. Outlaw passwords that are easily guessed by trained thieves and password-cracking programs, such as pet names and favorite vacation spots.

Do not keep paper copies of credit card numbers, and do not enter them into your computer unless they are entered into software or a website that makes most of the number unreadable.
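Two of the column’s three simple steps can be enforced in software: rejecting easily guessed passwords and never holding a card number in readable form. The following is an added Python example, not part of the column or of any agency’s or GDS vendor’s system. The denylist, the minimum length and the Luhn sanity check are assumptions made here; the column names no numbers and the check exists only to refuse inputs that cannot be card numbers.

```python
import re

# Constructed denylist of the kind of guessable terms the column warns about (pet names,
# favourite vacation spots). An agency would seed this with its own staff's obvious choices.
WEAK_TERMS = {"fluffy", "rover", "cancun", "paris", "password", "travel", "agency"}
MIN_LENGTH = 12  # assumed policy minimum; not a figure from the column


def password_is_acceptable(candidate):
    """Reject short passwords and any that contain a denylisted word, whatever the
    capitalisation or digits bolted on around it."""
    if len(candidate) < MIN_LENGTH:
        return False
    lowered = candidate.lower()
    return not any(term in lowered for term in WEAK_TERMS)


def luhn_valid(pan):
    """Standard Luhn checksum over a string of digits (assumed as a plausibility check)."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw):
    """Return the card number with everything but the last four digits hidden, which is the
    only form the agency should ever display or write down. Raises on implausible input."""
    pan = re.sub(r"[\s-]", "", raw)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a plausible card number")
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))          # a well-known test number, not a real card
    print(password_is_acceptable("Fluffy2015!!!"))  # False: pet name with digits appended
    print(password_is_acceptable("correct-horse-battery-staple"))
```

The masking function deliberately gives callers no way to get the full number back; if the number must be kept at all for later charges, that copy belongs in the encrypting payment software or website the column refers to, not in the agency’s own files.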

Beyond these simple steps, the Federal Trade Commission has published an understandable and practical guide.

Verizon 2015 Data Breach Report: Phishing Still Dominates

In its 2015 Data Breach Investigations report, Verizon found that phishing remains one of the most effective means of instigating a data breach today. Furthermore, the exact phishing attacks are nearly carbon copies of the attacks perpetrated as far back as 2009.

Verizon Principal Client Partner Bhavesh Chauhan presented the report’s findings at the Massachusetts State House this week. He emphasized the continued effectiveness of phishing attacks.

“We confirmed that by the time the threat actor sent out three phishing emails, they’d hacked into 50 percent of the audience,” Chauhan said.

Chauhan said that despite the training people go through to prevent cybersecurity victimization, phishing preys on predictable “human behavior.” According to the report, phishing is on the rise in the ranks of the top 20 security threat actions.

“You can see the top 20 threat actions are staying the same. They’re still using the same techniques, the same actions. And you can see how it’s going up and down in terms of how they’re being successful in a specific group. So the lesson for us is, let’s look at the policies we have in place and say, ‘How effective, how comprehensive are they on a continuous basis?’” Chauhan said.

Strike Suit Offers Conjectures, And Little More, About Scottrade Data Breach

Kevin concentrates in complex corporate and class action litigation. He chairs the firm’s Class Action Working Group and has extensive experience defending consumer, antitrust, unfair trade practice, contract, mass tort, and employment class actions.

He has also represented corporations, professionals, and individuals in business acquisition disputes. Kevin’s clients have included health care–related entities (including pharmacies, PBMs, and managed care organizations), insurers (including life, auto, and casualty companies), retailers, manufacturers, and accounting firms. Several…

What Are Your Rights: Data Breach

Updated: Wednesday, October 7 2015, 01:59 PM EDT
Recently, the credit reporting giant Experian was the subject of a data breach that may have left as many as 15 million people at increased risk for identity theft.

The exposed data included names, birth dates, and even Social Security numbers.

Paul Harding from the law firm of Martin, Harding, and Mazzotti discusses the ways we can better protect ourselves.