Riverside warns of data breach; ex-employee charged – The Virginian

CHESAPEAKE

Riverside Health System announced a possible data breach this week after a former employee was charged with stealing credit card information from cancer patients.

T’sha Riddick, a 33-year-old convicted felon who worked for nearly two years at one of the company’s medical practices in South Hampton Roads, was arrested last month. She is scheduled to appear on Aug. 25 in Chesapeake General District Court on 13 identity-theft and fraud charges related to her time with Cancer Specialists of Tidewater, which has offices in Chesapeake, Virginia Beach and Suffolk.

Peter Glagola, a Riverside spokesman, said the hospital system was unaware the Elizabeth City resident had been convicted nine years ago in North Carolina of two felonies, including credit card fraud.

Glagola explained that Riddick was hired as an unlicensed medical assistant, and that the company requires background checks only for licensed employees. Others are screened randomly, he said.

“This is bringing a lot of things to light,” Glagola said.

The company is now considering whether to conduct background checks on all employees.

As a precaution, Riverside is offering free credit monitoring to over 2,000 patients and all staff. Glagola explained that the number represents everyone who has gone to the practice since Riddick was hired in June 2012.

Riverside Health System oversees five hospitals, including its flagship in Newport News, Riverside Regional Medical Center. The system also has three specialty hospitals, a medical group, surgery centers, retirement communities and home-care services.

“Keeping patient information protected is vital at Riverside,” Glagola said in a news release. “We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”

Court records indicate that Riddick – a single mother of three children – also worked at Waterbrooke Assisted Living in Elizabeth City around the time of her June 6 arrest. Officials with that facility said Wednesday that she no longer worked there and did not have access to patient information when she did. They declined to give their names or elaborate.

The charges against Riddick – who was released earlier this month on a $13,000 surety bond – stem from four different dates in January, March, April and June while she worked at Cancer Specialists of Tidewater, according to court documents.

Glagola said Riddick improperly accessed patient information at the practice, including credit card and Social Security numbers. It is unclear how she obtained the information, but Glagola said Riverside does not believe she accessed it through the company’s computer systems.

Andrew Sacks, Riddick’s attorney, declined to comment on the charges.

In 2005, Riddick pleaded guilty to credit card fraud and obtaining property by false pretense in North Carolina, according to Pasquotank County court documents. The credit card conviction stemmed from Riddick’s use of another woman’s card to pay electricity and telephone bills, court documents said. She worked for Albemarle Hospital at the time, the court documents said.

In 2008, Riddick was convicted of misdemeanor theft in North Carolina, according to court records.

And, last year, she was convicted of misdemeanor possession of stolen property and three counts of misdemeanor worthless checks.

She was on unsupervised probation at the time of her most recent arrest.

Riverside patients who believe they may have been victims of the data breach should call the hospital at 1-877-753-6854.

Pilot writers Elizabeth Simpson, Amy Jeter and Jeff Hampton contributed to this report.

Scott Daugherty, 757-222-5221, [email protected]

<!–

–>

Posted to: Chesapeake Crime Health News

Article source: http://hamptonroads.com/2014/07/riverside-warns-data-breach-exemployee-charged

,

No Comments

Director, Product Marketing, Proofpoint

As device proliferation, data privacy regulations, and enterprise data volumes continue to trend upward, enterprise risks around data compromise continue to be a growing concern. And these breaches are expensive, with fines and penalties for mishandling data privacy steeper than ever, as well as other intrinsic costs like brand damage.

Article source: http://www.infosecurity-magazine.com/webinar/471/byoe-bring-your-own-encryption-prevent-a-data-breach-and-stay-out-of-the-headlines/

,

No Comments

Data Breaches: On the Rise and Chasing Away Customers

Slide Show

Five Ways Encryption Has (or Hasn’t) Changed Since Snowden

More than 175 million records were compromised between April and June due to 237 data breaches, bringing the 2014 total to 375 million records affected and 559 data breaches. That’s a lot of records illegally accessed for less than 1,000 breaches worldwide. What this tells me is that even SMBs store a lot more records than they may realize, and a single data breach can result in a huge payoff for a hacker.

These numbers are from SafeNet’s Breach Level Index second quarter report. The report found that retail was the hardest hit industry, with more than 145 million records stolen, or 83 percent of all data records breached, according to a release.

Here is an important finding in the report: Less than 1 percent of all of the data breaches in the second quarter happened to networks that used encryption or strong security platforms to protect the data. So, no, not every security system is foolproof, but you greatly improve your chances of avoiding a breach if you put strong security practices in place. At the same time, it is a little scary to think how many businesses are still lacking when it comes to network security. Good security is vital to any company’s success, and a second report from SafeNet shows why. Once a customer discovers a company has been breached, he or she is not likely returning. As Yahoo Finance reported:

The global research surveyed over 4,500 adults across five of the world’s largest economies – US, UK, Germany, Japan, and Australia. It found that nearly two-thirds (65 percent) of respondents would never or were very unlikely to, shop or do business again with a company that had experienced a data breach where financial data (credit card information, bank account number, or associated login details) was stolen.

In its conclusion, the SafeNet report ponders why companies aren’t stepping up to the security challenge and doing more to protect their customers. It’s a good question, one I’ve certainly asked here and one that security experts often discuss. The report also makes a very good observation:

While many companies focus on the perimeter to keep the bad guys out, they often do not have a comprehensive plan to limit the damage once they get in.

SafeNet adds that there’s an easy fix here: Add stronger encryption and improve user access to the network. Based on the results of who gets breached and who doesn’t because of strong encryption, that’s pretty good advice. But I don’t think it is an easy fix.

First you have to get everyone in the company, from leadership on down to the stock room, on board with the need to practice better security. Perhaps the way to approach this is to make them understand that their jobs are on the line. After all, if customers walk away because your company suffered a breach, would your business be able to survive?

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba

Article source: http://www.itbusinessedge.com/blogs/data-security/data-breaches-on-the-rise-and-chasing-away-customers.html

,

No Comments

Study shows link between data breach and fraud victims

New research released by the National Consumers League (NCL), Washington, and Javelin Strategy and Research, Pleasanton, California, reveals trends affecting Chicago residents who have been affected by data breaches. The study finds that 72 percent of fraud victims also were victims of data breaches, suggesting a strong link between breaches and fraud.

The study also showed that consumers are losing faith in business to protect their identities and want more government action on fraud prevention measures.

Illinois Attorney General Lisa Madigan and representatives from NCL and Javelin met Wednesday, July 16, 2014, to discuss the research findings and to present resources that are designed to help Illinois residents protect themselves from ID theft.

 “The latest data breaches have served as a wake-up call signaling that government and the private sector need to take serious, meaningful action to curb this growing threat to our financial security,” Madigan said.

“Data insecurity is leading to real consumer harm and this report confirms consumers are at a loss for where to turn in the face of this national problem,” said NCL’s John Breyault. “As consumers share vast amounts of personal data with businesses, government and other entities, they expect their information to be protected from malicious hackers.”

The Chicago event was the third in NCL’s #DataInsecurity Project and followed similar events in Miami and Los Angeles that featured United States Attorney for the Southern District of Florida Wifredo Ferrer, Federal Trade Commission Commissioner Terrell McSweeny and Joanne McNabb, director of privacy education and policy for the California office of the Attorney General.

“In this polarized political climate, it’s rare for Americans to express such agreement on any issue,” said Al Pascual, Javelin senior analyst of fraud and security. “But when it comes to the security of their personally identifiable information, the respondents said with one voice that the government must do more.”

The NCL recently released new research examining the impact of data breaches and identity fraud on consumer victims in four key regions nationwide, including the Chicago metropolitan area. According to the study, Americans are urgently calling out for government action on the growing threat posed by data breach and identity theft.

The study, conducted in partnership with Javelin Strategy Research, shows that the impact of data breaches on consumers is severe: 61 percent of data breach victims who also experienced identity theft reported that the breached information was used to commit the fraud against them. What’s more, nearly half of all fraud victims—49 percent—do not know where the information used to defraud them was compromised.

The NCL/Javelin study, which includes surveys of fraud victims from Chicago, Los Angeles, Miami and Minneapolis, along with additional Javelin research on national fraud trends, found that consumers are calling for government to take action. A mere 28 percent of victims surveyed said the government’s requirements for protecting healthcare and financial data were “sufficient.”

In Chicago, 43 percent of fraud victims said their data were used to make online purchases, and 28 percent said their information was used to make purchases in person. Among fraud victims in Chicago, 72 percent had previously received a data breach notification, which is higher than reporting by victims in Minneapolis (66 percent) but is comparatively worse than in Los Angeles (82 percent) and Miami (80 percent), where the rates of data breach notification among fraud victims were significantly higher.

According to the new study, the consequences of consumer fraud have a serious ripple effect: fraud victims report losing trust in the businesses where their data was compromised. For example, 59 percent of respondents whose data were breached at a retailer expressed “significantly decreased” trust in retailers who failed to protect their information.

“When consumer trust drops, so do sales,” added Breyault, “This study is only the latest evidence for why the business community should be one of the most vocal advocates for protecting consumer data.”

Article source: http://www.sdbmagazine.com/study-links-data-breach-fraud.aspx

,

No Comments

Class action lawsuit filed against eBay over data breach

Collin Green claims eBay did not notify its customers of the security breach until May 21, but only after the security breach had been reported by independent Internet sources, according to a complaint filed July 23 in the U.S. District Court for the Eastern District of Louisiana.

Green claims the security breach was the result of eBay’s inadequate security in regard to protecting identity information of its millions of customers.

EBay’s failure to properly secure this information has caused, and is continuing to cause, damage to its customers, according to the suit.

“EBay was aware of the value of the personal information it held, and the threat to the security of that information long before the 2014 security breach,” the complaint states.

Green claims eBay stated in its first quarter 2014 10-Q SEC filing that security breaches were a constant threat.

After the data breach, eBay asked its customers to reset their passwords, according to the suit.

“Industry security experts have lambasted eBay for its failure to properly secure the data in its possession,” the complaint states.

Green claims eBay claims it encrypted passwords, but only in the least safe method.

“According to industry reports, eBay chose to use the cheaper security method of encryption as opposed to hashing, with full knowledge that hashing was much more secure and preferred by security experts,” the complaint states. “Once a hacker steals the encryption key, the complex nature of a ‘strong’ encrypted password is irrelevant as the hacker can simply reveal the password with the encryption key.”

With hashing, the hacker still cannot access the password, according to the suit.

Green claims eBay breached its implied contract, breached its fiduciary duty, violated the Gramm-Leach-Bliley Act, violated multi-state privacy laws and violated the federal Fair Credit Reporting Act.

Green is seeking class certification and compensatory and consequential damages with pre- and post-judgment interest. He is represented by Charles F. Zimmer II, Eric H. O’Bell and Bradley T. Oster of O’Bell Law Firm LLC.

The case has been assigned to District Judge Susie Morgan.

U.S. District Court for the Eastern District of Louisiana case number: 2:14-cv-01688

From Legal Newsline: Kyla Asbury can be reached at [email protected]

Article source: http://washingtonexaminer.com/class-action-lawsuit-filed-against-ebay-over-data-breach/article/feed/2153056

,

No Comments

Data breach is everybody’s business

For businesses, technology has greatly expanded opportunity … and risk. Purchases can be made online from across the globe. Vital personal information is stored digitally by virtually every enterprise. Medical information can be exchanged by just pressing send.

And all of it can be exposed in a data breach. There isn’t a business, non-profit, institution or civic organization today that can avoid the reality that they are in the data management business and all the risks that come with it. 

The threat of data becoming compromised is such that a whole new market has been created for the insurance industry. “Cyber policies” can afford some protection against losses; however, companies should always be aware that not all cyber policies cover the risks a company faces. Cyber insurance policies should cover the costs associated with the data breach, including engaging legal counsel, hiring investigators, providing credit monitoring for customers, and enlisting public relations experts to facilitate communications with all parties served by the company.

Companies can also proactively protect themselves in other ways. First and foremost, they should develop policies and educate employees on those policies. This includes establishing, publicizing and encouraging internal reporting mechanisms. Companies can institute electronic security policies that identify who should receive the report of a breach and establish the levels of discipline up to and including termination if an employee misuses data or takes part in a data breach.

Firms should consider creating a data management team with clear responsibilities and a thorough understanding of the types of data collected, processed and developed. They should also understand legal responsibilities and regulatory requirements. There are now 46 states with data breach laws and none of them are uniform. A university discovering its students’ data compromised can face scrutiny from every state in which its students reside. Meanwhile, the federal government offers protections in the Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act.

Businesses should also develop a risk assessment and mitigation plan. This includes reviewing vendor contracts to find weak links that could expose data. Even if a company shuns the exchange of data online, they can be held liable for data shared with vendors who do expose that data, however unintentionally, in a breach. A company that couriers its billing records to a bank needs assurances that the courier and the bank have policies in place to protect the data.

Companies should review the policies of their vendors. If the vendors do not have an electronic security policy that addresses employee background screening and data management, then your company should write one for them.

In addition, companies should also consider engaging a third party audit to review policies, compliance efforts and technical infrastructure. This is often done after a breach. It’s best to find any holes before they are compromised. 

If a data breach does occur, businesses must not only discover its source, mitigate impact and comply with appropriate state and federal regulations, but also take immediate action to recover from the breach. That means engaging legal counsel to provide protection from potential civil litigation and the discovery process through the attorney-client privilege. 

This is especially important because third party reports from IT forensic, accounting or crisis communications firms, as well as internal company communications, may be discoverable in civil litigation. If outside counsel is engaged, these communications may be protected under the attorney-client privilege.  

Obviously, technology is part of data breach avoidance including data encryption, security and monitoring software, password protection and the like. But the human element and lack of meaningful policies and preparation can create gaping holes that put data at risk. The best advice is thoroughly evaluating your data management risks and considering a cyber policy, developing the right team and policies to manage your data, ensuring vendors are sufficiently protecting information you share with them and educating all employees about risks and responsibilities. 

Technology is a wonderful business tool, but it carries evolving risks that can’t be relegated to a back burner of inaction.

Vanessa Robinson Keith is a member of the data breach practice group and the litigation practice group of Greensfelder, Hemker Gale, P.C.

Article source: http://www.stlamerican.com/news/columnists/guest_columnists/article_1effd20c-180a-11e4-b1bb-001a4bcf887a.html

,

No Comments

Riverside Health warns 2000 of possible data breach – The Virginian

CHESAPEAKE

Riverside Health System announced this week more than 2,000 patients may have been affected by a former employee accused of identity theft.

The employee, who was fired last month and is now under investigation by Chesapeake Police, worked for Cancer Specialists of Tidewater, a medical practice owned by Riverside with offices in Virginia Beach, Suffolk and Chesapeake.

Peter Glagola, a Riverside spokesman, said she improperly accessed patient information. He added Riverside does not believe the employee accessed credit card information through the company’s electronic systems.

As a precaution, however, Riverside is offering free credit monitoring to over 2,000 patients and all staff.

“Keeping patient information protected is vital at Riverside,” Glagola said in a prepared statement. “We have a robust compliance program and ongoing monitoring in place. We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”

If you are a Riverside patient and believe that you may be a victim of this data breach, please call the hospital at 1-877-753-6854.

<!–

–>

Posted to: Chesapeake Crime News

Article source: http://hamptonroads.com/2014/07/riverside-health-warns-2000-possible-data-breach

,

No Comments

Canada’s National Research Council Hit by Apparent Chinese Cyber Attack

One of Canada’s premier research and technology organizations was hit with a cyber-attack recently that forced the cooperative offline; the attack – which appears to be Chinese in origin – was so serious the organization is being forced to rebuild its entire system.

The National Research Council of Canada (NRC), a science and technology research group based in Ottawa, claimed Tuesday that it was able to detect the cyber-intrusion with the help of the Canada’s cryptologic agency, the Communications Security Establishment (CSE).

The country is only divulging so much about the attack –  it didn’t specify when it took place, what may have been taken or exactly how the attack was executed – but claims it will give an update on Thursday.

The organization stresses it is taking the necessary measures to contain the breach however.

“Following assessments by NRC and its security partners, action has been taken to contain and address this security breach, including protecting its information holdings and notifying the Privacy Commissioner,” the organization wrote in Tuesday’s statement.

While the NRC statement doesn’t acknowledge it, according to a separate announcement from Canada’s chief information officer, Corinne Charette, a “highly sophisticated Chinese state-sponsored actor” is to blame for the attack.

Canada’s Foreign Affairs Minister John Baird was in Beijing when the attack was announced and was set to give a press conference that was later shelved. According to his spokesman Adam Hodge, Baird had a “full and frank exchange” with his Chinese counterpart, Wang Yi.

“The government takes this issue very seriously and we are addressing it at the highest levels in both Beijing and Ottawa,” according to the statement.

It’s not entirely clear what kind of documents the NRC may have had on its systems but the organization works in tandem with a handful of sectors and has done work advancing aerospace, automotive, construction, energy, telecommunications, and medical device technology in the past.

When reached Wednesday, the NRC and CSE refused to share any further details regarding further the attack citing “security and confidentiality reasons.”

While the NRC falls under the Canadian government’s umbrella, Charette’s statement acknowledges that its system is not directly connected to the government’s network but that hasn’t stopped IT administrators from isolating it from the larger network as a precaution.

The organization has reportedly been in contact with its clients and claiming that it will take about a year to rebuild its information technology infrastructure, a figure that may suggest the attack was quite serious.

The People’s Republic is no stranger to hacking accusations, it just usually denounces such claims.

After the U.S. indicted five Chinese People’s Liberation Army officers with cybertheft earlier this year, China blamed the U.S. for “hypocrisy and double standards.” In 2013, after the initial report detailing the cybertheft emerged, China issued a strong denial and cautioned the report was flawed.

It’s the second alleged altercation between China and Canada in the last few years.

In 2011, the Canadian Broadcasting Company claimed that hackers using IP addresses from China were responsible for attacks on another Canadian government organization, the Defence Research and Development Canada along with Canada’s Finance Department and Treasury Board. China denied involvement in those attacks as well, stating that the nation’s government opposes hacking and that any allegations it supports it are groundless.

Article source: http://threatpost.com/canadas-national-research-council-hit-by-apparent-chinese-cyber-attack/107524

No Comments

Facebook Plans to Fix Instagram Mobile Session Hijack-Eventually

Two unrelated researchers this week disclosed a similar session hijack bug in the Instagram mobile applications for Android and iOS. Facebook has reportedly acknowledged the problem, which arose from a failure to fully encrypt all data traffic on the service, but the world’s largest social network is in no rush to fully encrypt the mobile variety of its popular photo-sharing service.

In order to exploit this lack of encryption, an attacker would have to be on the same network as the victim. Given that, an attacker could potentially monitor the pictures users are viewing, watch session cookies, and determine usernames and IDs through man-in-the-middle attacks that lead to account takeovers.

Mazin Ahmed, an information security specialist at Defensive-Sec, reported the issue last weekend after sniffing packets passing through a router from the Instagram application on his Android device.

One day later, Steve Graham posted an iOS version of the same hack on Github. Graham’s writeup includes an exploit proof-of-concept.

Graham and Ahmed said they have reported the issue to Facebook. In each case, Facebook reportedly responded that they were aware of the problem and plan on resolving it at some undetermined point in the future.

“We’re doing the technical work that’s necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance,” an Instagram spokesperson told Threatpost via email. “We’ll keep the Instagram community updated on our progress.”

Graham claims that the Instagram application on iOS makes application programming interface calls to unencrypted endpoints.

While performing the exploit (for which the proof-of-concept can be found here) from his Mac while a friend surfed his Instagram account on an iOS device, Graham managed to perform the following actions: take the cookie sniffed from the iOS app, go to instagram.com as an unlogged in user, set document.cookie = $COOKIE, navigate to a profile, and see himself logged in as that user.

“I think this attack is extremely severe because it allows full session hijack and is easily automated,” Graham explains. “I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.”

In an email interview earlier this week, Ahmed noted that he tested this on the Android Instagram application, but believed the attack could target iOS devices as well, because both rely on the same server which does not appear to uniformly enforce SSL.

Instagram co-founder Mike Krieger posted the following on Hacker News:

“We’ve been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”

Article source: http://threatpost.com/facebook-plans-to-fix-instagram-mobile-session-hijack-eventually/107518

No Comments

ICS-CERT Warns of Flaw in Innominate mGuard Secure Cloud Product

The ICS-CERT is warning users about a vulnerability in a secure public cloud product from Innominate that enables an attacker to gain valuable configuration data about a target system, information that could be used in future attacks.

The vulnerability is an information disclosure bug in the Innominate mGuard product, which is meant to connect operators to machines in remote plants and industrial facilities via a VPN system. The company, based in Germany, says that mGuard “offers both operators and machine and plant engineering companies a turnkey VPN ecosystem for industrial remote services.” The mGuard product is an IPsec-based VPN and the basic version of it is free.

In its advisory, ICS-CERT says that the vulnerability, while minor in and of itself, could be used as part of a reconnaissance mission for a future, more serious attack.

“Exploitation of this vulnerability could allow a remote unauthenticated user access to release configuration information. While this is a minor vulnerability, it represents a method for further network reconnaissance,” the advisory says.

“An attacker using a carefully crafted URL may download a configuration snapshot without prior authorization using the HTTPS CGI interface. The configuration snapshot contains configuration data, current system information and log files, but no confidential data such as RSA private keys, Pre-Shared keys or passwords. An attacker might gather information about network topology, traffic flows, and other connected systems from this data.”

The kind of network reconnaissance that this vulnerability could facilitate often is a preliminary step in a planned attack on a target. Attackers will spend time gathering practical and technical information on a target network, looking for data on the kind of software the organization uses, who its partners, customers and suppliers are, and looking for soft spots in the infrastructure. Even though the snapshot that the Innominate mGuard vulnerability allows an attacker to get doesn’t include sensitive security information, the configuration and log files can be valuable in a targeted attack.

Users of the vulnerable products, which include firmware versions 4.0.0 through 8.0.2, can upgrade to versions 7.6.4, 8.0.3, 8.1.0 or 8.1.1 to patch the vulnerability.

 

Article source: http://threatpost.com/ics-cert-warns-of-flaw-in-innominate-mguard-secure-cloud-product/107532

No Comments