Staff Writer - Dallas Business Journal
Goodwill Industries International Inc. is the latest North Texas company that could have fallen victim to cyber thieves.
The Maryland-based nonprofit, which has 165 regional headquarters, one of which is in Dallas, said it was contacted July 18 by a payment card industry fraud investigative unit and federal authorities about the breach that could’ve affected select stores. No breach has been confirmed and an investigation is underway, the company said in a released statement.
If its systems were breached, the nonprofit joins the likes of North Texas retailers Neiman Marcus, Michaels Stores and Sally Beauty, which all reported possible data breaches.
“We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered,” the statement said.
Last year, Target was one of the first retailers to report a data breach, which could’ve affected 110 million shoppers. In January, about a month later, Neiman Marcus reported a data breach that could’ve affected 1.1 million shoppers. Sally Beauty was next in line, reporting a breach in March. Then, Michaels released a statement in April, reporting that its breach could’ve affected up to 3 million.
The retailers have all taken steps to rectify the breaches, upgrading their security and software and providing affected shoppers with fraud monitoring services. Sally incurred a $1.1 million expense related to its data breach, and Neiman Marcus spent $4.1 million on its breach. Neiman Marcus has also created a new position, chief information security officer, since its breach. Target announced a plan to quickly roll out chip-and-PIN cards, payment cards that create a more secure transaction for customers.
Danielle covers technology, retail, restaurants and hospitality for the Dallas Business Journal.
Senior Staff Writer - Sacramento Business Journal
The Third District Court of Appeals dismissed 13 coordinated lawsuits against Sutter Health filed after a computer holding personal data on 4.24 million patients was stolen from a local office in October 2011. The reason: there is no proof that anybody actually looked at the stolen information following the theft.
Whether it was viewed or not, Sutter has a duty under California law to protect confidential patient information, plaintiffs’ attorneys allege.
“We’re disappointed with the decision and plan to appeal to the state Supreme Court,” said John Parker Jr., a Sacramento attorney and one of several lead counsel for the plaintiffs. The appeals court did not correctly interpret the law, he added. “In fact, they rewrote it in such a way that it violates the intent of the Legislature, legal history and long-standing protections of the privacy and confidentiality of medical records in California,” he said.
In a statement, Sutter spokesman Bill Gleeson applauded the ruling and fact that it ends litigation “which, if it had continued would have diverted resources better spent on patient health care.”
Plaintiffs’ attorneys are seeking damages of up to $4.25 billion, not counting attorneys’ fees and court costs.
The computer was protected with a password, but the stolen records were not encrypted. No patient financial records, Social Security numbers or health plan identification numbers were included, but there was personal and medical information on about four million patients, including nearly a million in the Sacramento area.
Kathy Robertson covers health care, law and lobbying, labor, workplace issues and immigration for the Sacramento Business Journal.
Article source: http://www.bizjournals.com/sacramento/news/2014/07/22/sutter-health-data-case-appeal-attorneys.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A%20bizj_sacramento%20(Sacramento%20Business%20Journal)
Goodwill Industries International is investigating a series of apparent data breaches at its stores across the country, KrebsOnSecurity reports. If confirmed, it would be the latest in a slew of credit-card data breaches at major U.S. companies in the last several months, including P.F. Chang’s, Michaels, Sally Beauty Supply, Neiman Marcus and Target.
What We Know So Far
Goodwill, which has 2,900 retail locations across the U.S., hasn’t confirmed the breach but is working with the U.S. Secret Service to look into financial institutions’ reports of suspicious activity on credit and debit cards used at Goodwill locations. The stores collect and sell clothing and household-item donations, using the proceeds to support training and services for people seeking stronger finances and jobs, credentials or degrees.
The company first learned of a possible breach on July 18, Goodwill said in a statement to security blogger Brian Krebs, but his sources at financial institutions say the incidents may go back to mid-2013. The number of stores and cards potentially affected remains unknown, but Krebs’ sources have reported fraudulent activity on cards used at Goodwill stores in at least 21 states.
How You Should Respond
As the investigation continues, consumers should check their financial statements for signs of suspicious activity. If someone has acquired your credit- or debit-card data, you may see fraudulent transactions on your account statements, and you should report them to your card issuer immediately. Consumers are generally not held liable for such purchases, but the protections on credit and debit cards differ, as do the protections for business credit cards.
Given the prevalence of data breaches, consumers would be smart to make a habit of checking their card activity regularly and frequently, because the more often you look, the less likely it is you’ll overlook an unauthorized charge. Gone unaddressed, thieves can rack up serious debt on your credit cards, which can wreck your credit, at least temporarily. Here’s an explainer on how to monitor your credit after a data breach.
In addition to transactional monitoring, you can use your credit score as a fraud detector — by checking your credit score regularly, you’ll notice sudden changes, which could indicate fraud or identity theft. Using the free tools on Credit.com, you can get two credit scores every month and other insights into your credit standing.
DENVER — Goodwill Industries Denver said Tuesday that stores in Denver and northern Colorado are not part of an investigation involving federal officials into theft of customers credit card numbers.
The Associated Press reported that the national nonprofit was working with federal officials to investigate the possibility that credit card numbers were stolen from some U.S. stores.
Goodwill Industries of Denver released a statement saying Denver retail stores are not part of the investigation.
“A breach has not been confirmed at any Goodwill locations nationwide, however, an investigation is under way at certain locations,” said spokeswoman Vanessa Clark.
The company’s stores are operated by about 165 regional headquarters around the country, so there is no centralized database of all of its customers’ credit card information.
Goodwill operates more than 2,900 stores and takes in annual retail sales of $3.79 billion. It sells donated merchandise to fund job programs.
NEW YORK – It’s an almost weekly occurrence: On Tuesday, Goodwill said its computer systems may have been hacked, leading to the possible theft of customers’ credit and debit card information. The nonprofit agency, which operates 2,900 stores in the U.S., said it is working with federal investigators to look into a possible breach.
That follows news over the weekend that Vendini, an event ticketing service, had settled a class-action suit related to a data breach in 2013. For many people who had ordered tickets through the service, an e-mail about the settlement was their first notification that their information had been compromised. In the last year, major companies like Target, LinkedIn, eBay and Neiman Marcus have also been hacked.
The incidents are especially troubling to consumers as online and mobile shopping continues to grow. People aren’t likely to stop using their credit and debit cards any time soon, and as data breaches become increasingly common, consumers don’t often know what to do when a company they’ve done business with experiences a breach.
Here are five ways you can avoid becoming a victim of identity theft, even if your data has been compromised.
1. Monitor your bank statements. The easiest and most effective way to make sure someone hasn’t made fraudulent charges to your account is to keep a close tab on your bank statements. Gartner analyst Avivah Litan recommends checking at least once a month, if not more, for any suspicious activity. If you find something that doesn’t seem right, call your bank right away.
2. Use a credit card, not a debit card. Government regulations protect you from liability for fraudulent charges over $50 when you use a credit card or a debit card with a signature, not a PIN. But if you use a debit card with a PIN, the regulations are murkier, and you may end up being liable for some charges.
“The best tip to avoid problems on your existing accounts is not to use debit cards, because not only is the credit card law better, but your own money is not at risk with a credit card,” says Ed Mierzwinski, consumer program director at the U.S. Public Interest Research Group.
3. Get free credit monitoring. Concerned consumers can pay an organization for credit monitoring, but the government offers three free credit checks a year, something consumers should take advantage of, says Litan. The reports will show if any loans or new credit cards have been taken out in your name. Here’s where to find free credit reports: https://www.annualcreditreport.com/index.action
Also, companies that have had a data breach often offer to pay for customers’ credit monitoring. Target, for example, offered one year of free credit monitoring, including identity theft insurance, to Target shoppers after its data breach last year.
4. Bank smarter. Many banks offer a service that sends an email alert when any major changes — or charges — are made to a customer’s account. The alerts can be very helpful in detecting identity theft. If you want to be extra cautious, don’t make money transfers online or pay bills electronically — use a check. “Paper is much more secure,” says Litan. Also, experts recommend changing your passwords often. And never use the same password for banking that you use for lower-security websites. Non-banking sites tend to be easier to hack.
5. Don’t rely on companies. Vendini, the latest company to report a data breach, on Friday scored a rare settlement for a class-action lawsuit about compromised data. The company, which offers ticketing services for theaters and event venues, will pay out up to $3,000 per customer for identity theft losses, but it will be difficult for people to collect their money, because it is necessary to prove that the information that was used for identity theft came from Vendini. The lesson: don’t depend on companies to let you know if your data has been stolen. If you want to protect yourself, it’s best to take matters into your own hands.
ROCKVILLE, Md. — If you used a credit card at a Goodwill outlet recently, your information may be in the hands of someone you don’t know.
Security blogger Brian Krebs reports he received confirmation from Goodwill Industries International Inc. that it is working with the U.S. Secret Service on “a series of credit card breaches involving Goodwill locations nationwide.” Goodwill is based in Rockville, Md.
Goodwill first learned about the breach July 18, says Krebs, but the breach has yet to be confirmed. What’s more, Krebs quotes sources as telling him that a pattern of credit card fraud can be traced in 21 states. But Michigan is not on Krebs’ list of states involved in that pattern of fraud.
Nonprofit organization Goodwill Industries Inc. is working with federal officials to investigate a possible security breach.
The Rockville, Maryland-based organization said late Monday that it was contacted Friday by a payment card industry fraud investigative unit and federal authorities who said payment card numbers may have been stolen from some U.S. stores. Goodwill said it is working with credit card makers, the Secret Service and fraud investigators to figure out if a breach occurred, but so far none has been discovered.
Goodwill operates more than 2,900 stores and takes in annual retail sales of $3.79 billion. It sells donated merchandise to fund job programs.
Since the company’s stores are operated by about 165 regional headquarters around the country, there is no centralized database of all of its customers’ credit card information. That could limit a breach, if one occurred, to certain Goodwill locations.
The investigation follows a spate of high-profile data breaches at Target, Neiman Marcus and other retailers.
Researchers have identified several remotely exploitable vulnerabilities in a wireless remote monitoring product from OleumTech that is used in energy, water and other critical infrastructure sectors. Two of the three flaws are related to the encryption implementation in the affected products, including the use of a weak random number generator.
The vulnerabilities, discovered by a pair of researchers at IOActive, are present in the OleumTech WIO DH2 Wireless Gateway and in all versions of the OleumTech Sensor Wireless I/O Modules. OleumTech is a California company that provides wireless remote monitoring devices for industrial environments. The IOActive researchers discovered three separate vulnerabilities in the company’s products: an input-validation flaw, key management errors and the use of a weak pseudo-random number generator.
“When connecting any of the devices to BreeZ, it is possible to read the site security key of the device without authentication. This could allow someone who has stolen a node or has physical access to the device to obtain the site security key to communicate freely with other network devices. However, this key cannot be read remotely when the data system is up and running, only in the manual setup mode. The data flows one way from sensor to gateway collector, and there is no control channel back to the sensor. To reset the key, the device must be taken offline and updated manually,” the advisory from ICS-CERT says.
BreeZ is OleumTech’s software for configuring and managing the company’s WIO system devices.
OleumTech does not plan to fix this issue or the key management errors, because it does not consider them to be vulnerabilities.
“The vendor states the key in the DH2 is for site-specific RF Network Authentication only, not encryption, and has no plans to change the DH2. The replacement DH3 platform will handle key management differently,” the advisory says.
The company and the researchers worked with ICS-CERT to understand and address the vulnerabilities, but couldn’t come to an agreement on the severity and validity of the flaws.
“Security researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive have identified multiple vulnerabilities in OleumTech’s WIO family including the sensors and the DH2 data collector. The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus on vulnerability details and positive product developments to resolve identified vulnerabilities,” the advisory from ICS-CERT says.
The input-validation vulnerability would allow an attacker to execute arbitrary code on a vulnerable system.
“If a specially crafted packet is received by the DH2 Gateway with a high value on the battery voltage field, the DH2 Gateway radio receiver crashes. If this scenario is repeated multiple times, a DoS condition could occur. This could allow the attacker to execute arbitrary code,” the advisory says.
The rise of sophisticated new online tracking mechanisms, including one known as ‘canvas fingerprinting’ that has been spreading across the Internet, could soon raise the ire of privacy-conscious users.
A recent study, a collaborative effort between researchers at Princeton University and researchers from KU Leuven in Belgium, warns of the relatively new and mostly unblockable mechanism, pointing out that, although it had not been observed in the wild before, over five percent of the top 100,000 websites now use it.
The researchers unveiled their work in a paper “The Web Never Forgets: Persistent Tracking Mechanisms in the Wild” (.PDF) that made its way online this week.
The method – first theorized back in 2012 (.PDF) by researchers at the University of California, San Diego – uses browsers’ Canvas API to draw invisible images and pulls what the paper calls a “long-term fingerprint” of the user. At the time, researchers warned that an attacker could use it to “exploit the subtle difference in the rendering of the same text to extract a consistent fingerprint that can easily be obtained in a fraction of a second without user’s awareness.”
While the concept has been established for two years now, this is the first time examples of it have been discovered being used on websites.
Technically, the mechanism works by having the script ask the Canvas API to render a string of letters and numbers. The exact pixels produced depend on several variables: the computer’s operating system, its font library, its graphics card and so on. The pixel data is then read back and turned into a hash; this hash is the fingerprint.
The site then uses that fingerprint to recognize users on their return visit, similar to how cookies work. Unlike cookies and other tracking mechanisms however, the researchers caution that canvas fingerprinting can directly subvert users’ wishes not to be tracked as it inherently resists removal.
In their study the researchers found that the lion’s share of sites running canvas fingerprinting scripts are using technology from a single web-tracking company, AddThis. Ninety-five percent of the sites the researchers found running “canvas fingerprinting,” or 1 in every 18 sites examined, were running code by the Virginia-based company, which specializes in social media sharing tools.
In combing the sites, the researchers found a slew of popular ones, including CBS, cheezburger.com, Starbucks.com, barstoolsports.com and even whitehouse.gov, running canvas fingerprinting scripts on their homepages.
Other sites running the fingerprinting code include ones using technology from the German digital marketer Ligatus and the Canada-based dating site PlentyofFish.
A complete list of the nearly 6,000 sites the researchers dug up can be found here.
Rich Harris, AddThis’ Chief Executive, acknowledged in interviews with both ProPublica and Mashable this week that the company first began using the mechanism as a way to get away from cookies, previously considered to be industry standard when it comes to tracking users online.
“We’re looking for a cookie alternative,” Harris said, adding that the company only deployed the mechanism in a small handful of the 13 million websites it comes rolled up in.
Harris admits that the company to date has only used the data it’s gathered so far for research and development and that for what it’s worth it’s considering ending the test soon.
Defending the company’s choice to use canvas fingerprinting, Harris claims its activity is “well within the rules and regulations and laws and policies that we have.”
Legal nitpicking aside, concerned users can always opt out of having the information AddThis tracks sent to advertisers but that hasn’t stopped researchers from stressing the clear leg up the company could have when it comes to tracking its users.
“By collecting fingerprints from millions of users and correlating this with cookie based identification, the popular third party trackers such as AddThis are in the best position to both measure how identifying browser features are and develop methods for monitoring and matching changing fingerprints,” the researchers warned.
As far as canvas fingerprinting is concerned, on the whole, it looks like there is little users can do to thwart the new technology. Save for a recent campaign by Mozilla to enumerate plugins, most browser manufacturers do not have a built-in defense against the mechanism.
Chameleon, a Tor-like Chrome browser extension, is working on protecting against canvas fingerprinting, but since it’s still in pre-alpha, developer-only mode, its creators can’t yet promise complete defense.
Meanwhile, plugins like AdBlock Plus and Ghostery can block third-party content but can’t stop fingerprints from being extracted.
The researchers claim the only way to successfully protect against canvas fingerprinting would be to use the Tor Browser, which as of June, returns an empty image from the API when it’s asked to read the fingerprint.
The discovery should no doubt make another hurdle for those truly concerned about their privacy online.
But on the other side of the coin, there continues to be no shortage of new privacy tools flooding the internet. The Electronic Frontier Foundation, following the one-year anniversary of the Edward Snowden revelations last month, circulated a handful of such tools, including the aforementioned Tor, HTTPS Everywhere, TextSecure and others.
“Privacy Badger is an algorithmic program,” Opsahl said, “[on AddThis sites] it will show the cookie from AddThis.com and block the tracker, which has the effect of the canvas being drawn.”