Data breach at local firm results in fraudulent tax returns

We learned from the IRS that some of the 2016 tax returns we electronically filed were rejected because someone, other than the taxpayer or us, had fraudulently filed the return. After a preliminary investigation, we discovered that perpetrators had illegally hacked into our system, and accessed 2015 tax return information for a number of our individual tax clients. Using this information, we believe they fraudulently filed some 2016 returns for the purpose of obtaining tax refunds.

We are deeply sorry that this data breach occurred, and for the worry and inconvenience this may cause those affected. We come to work every day looking forward to helping our clients who trust us. We are extraordinarily concerned and doing the best we can to protect our clients from any harm this data breach may cause.

We have alerted the IRS and are working with the agency’s Criminal Enforcement Division, and are reaching out to other law enforcement as appropriate, including the FBI. We are working with these agencies to assist in their investigation and interruption of the cyber criminals.

We are currently working with our local IT consultant and have engaged an IT firm specializing in forensic investigation and analysis. Our IT consultants are assisting us to ensure any malware has been removed, and to confirm that our network firewalls, computers and security protections are properly functioning.

We will keep our affected clients informed of action steps as we continue to consult with our experts, which will include instructions for credit monitoring services we plan to make available. In the meantime, we ask our clients to contact us if you have received any information from the IRS concerning your tax filings.

We ask our clients to remain vigilant in reviewing your bank account and brokerage statements, as well as free credit reports. Consider changing bank account numbers and bank account passwords. You can place a 90-day fraud alert on your accounts by contacting one of the credit agencies: Equifax, Experian, or TransUnion.

 

Article source: http://sanjuanislander.com/news-articles/business-and-economy/24192/data-breach-at-local-firm-results-in-fraudulent-tax-returns

,

No Comments

Here’s What You Need to Know About the Massive ‘Cloudbleed’ Data Breach

A huge data breach that may have exposed users’ private information and log-in details for thousands of websites was uncovered last week, in what looks to be the most significant internet leak of 2017 so far.

Dubbed ‘Cloudbleed’ in reference to the notorious ‘Heartbleed’ breach in 2014, the leak stems from a bug found in code operated by web infrastructure company Cloudflare, which provides security and hosting services for thousands of major internet sites.

Some of these clients are big-name web companies – including Uber, Yelp, Fitbit, and OkCupid – and due to a tiny but significant error in some of Cloudflare’s code, sensitive user information from some of these sites was being randomly inserted into web pages when visited by other people.

“For example, you could have visited a page on uber.com, and a chunk of memory from a previous request/response to okcupid.com would be returned,” security consultant Andrew Tierney from UK-based Pen Test Partners told Forbes.

“This sensitive data could have been returned to anyone. There was no need to carry out an active attack to obtain the data – my mum may have someone else’s passwords stored in her browser cache just by visiting another Cloudflare-fronted site.”

The leak was discovered on February 17 by security researcher Tavis Ormandy from Google’s Project Zero bug-hunting team, who was sifting through publicly available website data to look for any errors in the code.

“It’s not unusual to find garbage, corrupt data, mislabeled data, or just crazy non-conforming data… but the format of the data this time was confusing,” Ormandy explained in a blog post detailing the issue.

“In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.”

What they found was evidence of snippets from user sessions on Cloudflare-hosted sites being randomly grabbed and replicated on other Cloudflare sites, including things like encryption keys, cookies, passwords, and other potentially sensitive information.

“I didn’t realise how much of the internet was sitting behind a Cloudflare CDN [content delivery network] until this incident,” Ormandy said on February 19.

“The examples we’re finding are so bad… I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.”

Ormandy reached out to Cloudflare, which assembled an international team of engineers to fix the problem, and who were able to stop the bug in less than 7 hours.

It’s great that the parsing error is no more, but that’s not the end of the problem.

The leakage may have actually been active from as far back as 22 September 2016 – almost five months before Ormandy found it – and there’s no way of knowing how many people’s sensitive information was exposed in that time.

In a blog post last week, Cloudflare CTO John Graham-Cumming explained that they hadn’t detected any malicious activity resulting from the bug, but with nearly five months of exposed data in the wild, it’s difficult to say how many user credentials may have been leaked.

Adding to the problem, any exposed data could have been cached by search engine bots that index website code, meaning sensitive information could have been replicated far and wide, opening up even greater access to it.

According to Cloudflare, the peak of the bug occurred between February 13 and February 18, with around one in every 3,300,000 HTTP Cloudflare requests potentially resulting in data leakage.

That might sound like pretty good odds, but given the potential length of the leak – and that private data may have been cached elsewhere on the internet – now might not be a bad time to change some passwords if you think you may have been compromised.

While there isn’t an official list of affected services, a huge number of notable sites were exposed, including Uber, Yelp, Fitbit, OkCupid, the Pirate Bay, Change.org, Feedly, 4chan, and many more.

You can search here to see if sites and services you use are on Cloudflare, and there’s also an unofficial listing of the more than 4 million sites that could be affected here.

While the overall level risk to any particular user is probably very low, a lot of personal data could have been leaked here, so it’s a good idea to change your passwords for any potentially compromised sites.

“Cloudflare has said the actual impact is relatively minor, so I believe only limited amounts of information were actually disseminated,” security researcher and former Cloudflare employee Ryan Lackey wrote in a blog post.

“Regardless, unless it can be shown conclusively that your data was NOT compromised, it would be prudent to consider the possibility it has been compromised.”

Of course, to minimise the potential risk of similar breaches (inevitably) happening in the future, make sure you don’t use the same password across multiple sites.

Since it’s impossible to remember a huge number of passwords – given how many digital services we all uses these days – consider a password manager like LastPass or 1Password.

Another good idea is to make sure you enable two-factor authentication on services that support it, which can protect your accounts even if your passwords do get out.

Article source: http://www.sciencealert.com/here-s-what-you-need-to-know-about-the-massive-cloudbleed-data-breach

,

No Comments

Resort, tour company warn customers after data breach – Phys.org

Battery-operated medical devices implanted in human bodies have saved countless lives. A common implant, the cardioverter defibrillator, sends a jolt of electricity to the heart when needed, preventing a heart attack or heart …

Article source: https://phys.org/news/2017-02-resort-company-customers-breach.html

,

No Comments

Healthcare Data Breaches Up 40% Since 2015

When a U.S. Attorney called South Florida “an epicenter of identity theft” last month, it was in the context of announcing federal charges against more than 100 suspected fraudsters.

One of them was a former Jackson Health System employee accused of accessing the health system’s computer databases to steal patient data. The rogue employee, a former secretary, was accused of pilfering the Social Security numbers of more than 24,000 people over the course of five years. She was placed on administrative leave in 2016.

But the Miami-based safety net health system is certainly not alone in experiencing data breaches. According to a report from the Identity Theft Resource Center, the healthcare/medical industry experienced 377 reported data breach incidents in 2016, behind only the business sector in the number of incidents.

The healthcare industry represented 34.5% of the overall total number of breaches among the five industries tracked in the report.

The total number of breaches among the five industries included in the report is now at an all-time high. But ITRC experts said in a statement that it’s hard to tell whether there are actually more breaches each year or simply more reporting of breaches. In total, there were 1,093 reported data breaches in 2016. In 2015 there were 780 — a 40% increase.

More than a decade of ITRC data shows that there were significantly more healthcare data breaches in 2016 than there were in 2005, when the data showed only 16. That number has grown steadily in the years since.

Laws are “always behind,” with the latest techniques used to steal data, said Karen A. Barney, director of research and publications at the Identity Theft Resource Center. “In general, privacy laws typically seem to not necessarily keep pace.”

But some industries are better than others at deterring theft. The banking and financial sectors are better than the medical industry, Barney noted.

The proof is in the numbers. In 2005, the banking/credit/financial industry had more data breaches than the medical/health industry. But by 2016, it had 52 breaches, compared to the health industry’s 377, and accounted for just 4.8% of total breaches.

“There’s a great need for corporate protocols and best practices to be in place,” Barney said.

There have also been changes in how the breaches are occurring. Among the five industries in 2016, hacking/skimming/phishing accounted for 55.5% of total data breaches, compared to 14.1% in 2007.

Hacking, Physical Theft Dominate Healthcare Breaches

Broken down by industry, hacking was the most common data breach source for the healthcare sector, according to data provided to HealthLeaders Media by the Identity Theft Resource Center. Physical theft was the biggest breach category for healthcare in 2015 and 2014.

Insider theft and employee error/negligence tied for the second most common data breach sources in 2016 in the health industry. In addition, insider theft was a bigger problem in the healthcare sector than in other industries, and has been for the past five years.

Insider theft is alleged to have been at play in the Jackson Health System incident. Former employee Evelina Sophia Reid was charged in a fourteen-count indictment with conspiracy to commit access device fraud, possessing fifteen or more unauthorized access devices, aggravated identity theft, and computer fraud, the Department of Justice said. Prosecutors say that her co-conspirators used the stolen information to file fraudulent tax returns in the patients’ names.

What’s the next data breach tactic for the healthcare industry to be aware of? According to Barney, it’s “spear phishing,” a scheme involving email that purports to be from company executives and requests personal information on employees.

The IRS noted a “400% surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community” in a March 2016 warning to payroll and human resource professionals, she said.

“They pretend to be someone in authority,” Barney said, and trick employees into giving things like Social Security numbers and W2 forms. “It’s providing the thief with anything and everything they need to commit tax fraud.”

This report is brought to you by HealthLeaders Media.

Article source: http://www.medpagetoday.com/practicemanagement/informationtechnology/63410

,

No Comments

Resort, tour company warn customers after data breach

Battery-operated medical devices implanted in human bodies have saved countless lives. A common implant, the cardioverter defibrillator, sends a jolt of electricity to the heart when needed, preventing a heart attack or heart …

Article source: https://phys.org/news/2017-02-resort-company-customers-breach.html

,

No Comments

Aadhaar biometric data breach triggers privacy concerns

New Delhi: A case of Aadhaar data breach has caused privacy concerns and raised questions over the security of biometric data in possession of the Unique Identification Authority of India (UIDAI).

This comes at a time when the government is pushing for Aadhaar-based transactions to promote its digital mission and the apex court is poised to debate concerns on privacy.

The UIDAI filed a police complaint on 15 February against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics.

A UIDAI official, who requested anonymity, said that the three had been given time till 27 February to explain their action.

The breach was detected after UIDAI found multiple transactions done with the same fingerprint. The official quoted above said that this would not have been possible without the core biometrics being stored and used without authorization.

“This shows that the confidence with which the government said that Aadhaar is invulnerable is misplaced. If UIDAI is admitting the breach, that is certainly to its credit. However, it needs to be much more forthcoming and proactive to secure this sensitive data,” said Chinmayi Arun, director at the Centre for Communication Governance at National Law University, Delhi.

The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. Of these, 194 transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, intentionally copying Aadhaar data is a criminal offence and entails a three-year sentence and a fine.

Another expert said that he did not see the alleged breach of data as a systemic flaw in Aadhaar. “You’ve got the law that says you cannot go beyond authentication, and someone does it. Human being breaks the law and you have to go after them,” said Rahul Matthan, partner in the technology, media and telecom group at law firm Trilegal and a Mint columnist.

According to an Axis Bank spokesperson, a developer from Suvidhaa carried out four live Aadhaar-based authentications even when the testing phase for them was going on. One can only do live authentications after no errors are found out in this phase.

“If something goes wrong in the testing phase, it has to be reported to us by Suvidhaa, they are accountable for it,” added the spokesperson.

UIDAI is not convinced. “Even testing is not permissible under the Aadhaar law and if such an experiment was being conducted, UIDAI should have been informed about it earlier. The authentication operation of the firms concerned has been suspended till the matter is resolved,” the official added.

The three agencies have been served a “notice for action” under Aadhaar regulations.

“The testing was done by our in-house team but there has been no financial loss as of now. We will submit our report to UIDAI on Monday,” said Paresh Rajde, chief executive officer of Suvidhaa.

eMudhra denied storing biometrics.

On 22 February, UIDAI had submitted a proposal to the IT ministry on introducing registration of biometric public devices to ensure the security of transactions and end-to-end traceability of the authentication process.

[email protected]

Article source: http://www.livemint.com/Industry/IKgrYL5pg3eTgfaP253XKI/Aadhaar-data-breach-triggers-privacy-concerns.html

,

No Comments

Resort, tour company warn customers after data breach

HONOLULU (AP) – A resort and a tour company are warning customers that their credit card information and other data may have been stolen.

KHON-TV reports Turtle Bay Resort and Roberts Hawaii both found a code in their websites that copies information at checkout.

Customers could be impacted if they placed orders with the tour company from July 30, 2015 to Dec. 14, 2016.

The resort is warning customers who used cards for purchases from Oct. 23 to Dec. 22 of last year.

Any unauthorized charges should be reported.

Hawaii News Now reported Roberts Hawaii discovered the malware after customers who’d recently made online purchases complained about subsequent fraudulent charges.

Copyright © 2017 The Washington Times, LLC.

Please enable JavaScript to view the comments powered by Disqus.blog comments powered by Disqus

 

Article source: http://www.washingtontimes.com/news/2017/feb/25/resort-tour-company-warn-customers-after-data-brea/

,

No Comments

Resort, tour company warn customers after data breach

A resort and a tour company are warning customers that their credit card information and other data may have been stolen.

KHON-TV reports Turtle Bay Resort and Roberts Hawaii both found a code in their websites that copies information at checkout.

Customers could be impacted if they placed orders with the tour company from July 30, 2015 to Dec. 14, 2016.

The resort is warning customers who used cards for purchases from Oct. 23 to Dec. 22 of last year.

Any unauthorized charges should be reported.

Hawaii News Now reported Roberts Hawaii discovered the malware after customers who’d recently made online purchases complained about subsequent fraudulent charges.

Article source: http://www.miamiherald.com/news/business/article134986944.html

,

No Comments

Uber, FitBit, OkCupid info exposed by massive data breach

SAN FRANCISCO, CA (WFLA) — A serious data breach impacting nearly 3,400 websites and apps including Uber and FitBit may have leaked sensitive data across the internet for months.

CloudFare, a cybersecurity company warned customers of a critical bug that could have exposed a range of sensitive information including usernames, passwords and other information onto the open internet.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” CloudFare stated in a blog post.

The flaw was identified late last week by Google’s security researcher Tavis Ormandy who said he found said he found “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.”

Uber said passwords were not exposed and that “only a handful of session tokens” needed to be fixed. Fitbit said it was still assessing the bug’s impact.

OkCupid is investigating the matter and said in a statement they will take the necessary steps to protect its users.

Related Posts

quest



arbysweb



FILE - This Jan. 14, 2015 file photo shows Yahoo's headquarters in Sunnyvale, Calif. (AP Photo/Marcio Jose Sanchez, File)



FILE - This Oct. 24, 2008 file photo shows covered voting machines in Philadelphia. Pennsylvania is one of 10 states that rely on antiquated voting machines that store votes electronically, without printed ballots or other paper-based backups that could be used to double-check the balloting. Theres almost no way to know if theyve accurately recorded individual votes _ or if anyone tampered with the count. (AP Photo/Matt Rourke)


Article source: http://nbc4i.com/2017/02/25/uber-fitbit-okcupid-info-exposed-by-massive-data-breach/

,

No Comments

13 recent data breaches, hacks that you should know about

New Jersey’s largest insurance carrier has had to deal with at least two breaches within the last three years.

The company will pay a $1.1 million fine for not protecting the personal information of 690,000 policy holders. Two laptops were stolen from Horizon’s Newark office in 2013. An investigation discovered that the company did not encrypt names, addresses, birth dates, identification numbers, social security numbers and some customers’ medical information.

In November, the company said about 170,000 customers received letters with the personal information of other people including policy numbers and doctor information.


Article source: http://www.nj.com/news/index.ssf/2017/02/emails_credit_cards_biggest_data_breaches_affect_nj_residents.html

,

No Comments