Symantec Fights Subpoena in Target Data Breach Case


Phila.’s $1.43M Gun Permit Data-Breach Accord Approved


Credit unions hit by data breach

Home Depot incident cost branches $1.3M

A large data security breach this year at Home Depot Inc. cost Ohio’s 330 credit unions a combined $1.3 million in fraud losses and other costs associated with replacing compromised credit and debit cards.

“Anecdotally, every credit union CEO I’ve talked to from the relatively medium-sized ones to the large ones all seem to have been impacted by the Home Depot breach in some way,” said Patrick Harris, director of legislative affairs for the Ohio Credit Union League in Columbus.

“With the Home Depot breach and the Target breach last year, it really leads to the question of what’s next?” he said.

The five-month cyberattack on Home Depot’s data, which was revealed in September, compromised nearly 56 million credit cards and debit cards. Criminals stole the home improvement chain’s data by hacking self-serve pay terminals.

Mr. Harris said 165,000 compromised cards belonged to Ohio credit union members. Nationwide, credit unions lost $60 million and had 7.2 million cards breached, according to the Credit Union National Association.

While the nation’s banks suffered larger losses, Mr. Harris said the impact on credit unions may hurt more because they are nonprofit. Fraud losses and costs of reissuing cards — about $8 each when all expenses are combined — come out of a credit union’s funds, which essentially are members’ savings, he said.

Barry Shaner, president and CEO of Directions Credit Union of Sylvania, said 3,000 of its 70,000 members were directly affected by the Home Depot breach.

“That’s not an insubstantial amount. To reissue a card costs us $5, so that’s $15,000 right there,” said Mr. Shaner, whose credit union has nine Toledo area branches.

“I don’t know what the fraud number is yet and we won’t know that for a while, but there will be fraud losses associated with this. And that is money out of members’ pockets and it’s money we can’t use for services for them or for better rates for them. It’s real people’s money,” Mr. Shaner said.

Dave Wilde, vice president of marketing and business development for the 30,000-member Sun Federal Credit Union, which has four Toledo-area locations and six in eastern Pennsylvania, said about 750 Sun members in northwest Ohio had their cards compromised.

Overall, 1,500 members at Sun were affected. So far, fraud losses have totaled $10,000, he said. “Our systems are 100 percent secure and we had nothing to do with this breach. But our members rely on us to keep them safe, so it’s our reputation that’s taken a hit,” Mr. Wilde said.

Mark Slates, president and CEO of the 25,000-member Glass City Federal Credit Union of Maumee, said his institution did have members’ cards breached but so far no patterns of fraud have been seen. The credit union, which has five locations, took steps immediately to deactivate and replace at-risk cards.

“We’ve been fortunate that with most of these breaches we have not seen the fraud. Our fraud losses are very low,” Mr. Slates said.

Mr. Shaner, of Directions, said a big frustration for credit unions is that they are unlikely to be compensated for the costs caused by data breaches. “The problem is it’s very difficult to go back and say that card number was obtained from that Home Depot breach. So it’s the financial institution that ends up bearing the cost of that,” he said.

“It’s a big deal and it’s a lot of work and it’s happening more frequently. When the Target breach occurred, about half our members were affected,” he said. “It’s a huge frustration to our members.”

Contact Jon Chavez at: [email protected] or 419-724-6128.


Luck Played Role in Discovery of Data Breach at JPMorgan Affecting Millions


Data Breaches: Don’t Blame Security Teams, Blame Lack of Context

Post written by
Lior Div, CEO and cofounder, Cybereason

Lior Div is cofounder and CEO of Cybereason and an expert in hacking operations, forensics, cryptography and evasion.

Cyber security teams are now, more than ever, under great pressure due to an increased likelihood that their organization will be breached. It is not surprising that 57% of security experts expect their organizations to be compromised within the next year. As the news about cyber-attacks becomes the sad “who’s next?” water cooler discussion, it has become a well-known reality that even the most extensively protected organizations will be victims of complex hacking operations.

Even though enterprises spend millions of dollars on cybersecurity protection and detection solutions, the average breach goes undetected for 229 days. Moreover, once an incident is discovered, it usually takes another month for security to investigate the overall damage and magnitude of the cyber-attack. This significantly prolongs response time and has led to a devastating 3.5 million average breach cost for businesses in 2014.

The main reason why security fails to successfully battle complex hacking operations is not due to a lack of competency or negligence, as some may think. In reality, it is because security teams desperately lack context. The truth is, security teams are blinded by thousands of security alerts on a daily basis from their various security tools. Even the most sophisticated security teams are unable to comprehend an attack because most security solutions lack the capabilities to produce cohesive alerts.

When the Human Factor Fails

Because security tools produce a large number of unwarranted alerts, security teams must manually investigate them: meticulously weed out false alerts and connect isolated malicious activities in order to reveal an attack. In an ideal world, where there is an abundance of highly skilled security experts, the need for manual investigation would be less detrimental. However, this security paradigm significantly weakens your defence for several reasons:

Isolated Alerting = Limited Remediation

Because traditional security systems alert on individual events, security teams will also remediate isolated issues, without taking historical evidence into consideration. For instance, IT will be alerted about a virus on a single endpoint and they will then clean that endpoint. However, they cannot tell if an employee accidentally brought the virus in from working at home or someone downloaded the virus from an email. Traditional tools cannot reveal if the alert was a localized event or a part of a far more dangerous hacking operation. The inability to see individual events as part of something larger will make it very difficult for security teams to detect and remediate a cyber attack, giving hackers a serious time advantage.

Alert Blindness

Commonly, security solutions rely on indicators of compromise (IOCs) as triggers of an alert. These IOCs are based on very rigid predefined rules. For example, an alert will be produced when there are multiple failed login attempts, but because security solutions do not have the capability to automatically judge alerts by examining other evidence, a large number of alerts are produced, many of them false. 56% of organizations reveal their concern and say that their security tools produce too many false positives. This challenge leaves security feeling rightfully uneasy, always unsure if they have fixed the problem, or if they have missed something along the way.


Alabama credit unions report Home Depot data breach cost them nearly $1M


Antrenise Cole
Reporter, Birmingham Business Journal


Alabama’s credit unions say they have incurred costs estimated at nearly $1 million as a result of the recent data breach at Home Depot, according to the League of Southeastern Credit Unions Affiliates.

LSCU, which cited a survey conducted by the Credit Union National Association, said credit unions in the state have seen 107,105 debit and 14,845 credit cards affected by the Home Depot breach, which was announced in September. And with the costs per affected card at $8.02, local credit unions have spent an estimated $978,039, so far, for reissuing new cards, fraud and all other costs, such as additional staffing, member notification and account monitoring.

“The costs to credit unions by data breaches – which seem to be occurring with increasing regularity – are rising, as the CUNA survey clearly demonstrates,” said LSCU Affiliates President and CEO Patrick La Pine. “The bottom line is that credit union member owners end up paying the costs despite the fact that the credit unions are not at fault in causing the breaches in the first place.”

Nationwide, the recent data breach at Home Depot has cost credit unions more than $57 million with 7.2 million debit and credit cards affected.

Earlier this year, Alabama’s credit unions reported that the impact of the data breach at Target Corp. was more than $400,000.

Antrenise Cole covers banking, finance, small business lending, venture capital, accounting and law for the Birmingham Business Journal.


California Attorney General Reports Data Breaches Up 600% in 2013

Attorney General Kamala Harris released her second annual California Data Breach Report on October 28, which revealed hacking penetration is up 600% since 2012. This year, the Attorney General issued 12 recommendations to companies in various industries, and to the legislature, on ways to improve data security practices and strengthen California consumer protection.

The California Legislature has required (S.B. 24) that, beginning in 2012, all online businesses and government organizations submit copies of their breach notifications to the State Attorney General for all cases where a data breach affected more than 500 California residents. The Attorney General is then required to analyze the hacking incidents, publish statistics and make recommendations each year.

The 2013 report states that the Attorney General’s office received 167 data breach notifications in 2013, a 28% increase over the prior year. The reported data breaches involved 18.5 million records of California residents. Two large breaches of Target and LivingSocial each exposed about 7.5 million Californians’ personal data.

But separating out the two mega-hacks of retailers, “the number of records affected would have been 3.5 million, a 35 percent increase over 2012.” The average number of affected records in a breach would have been only about 2,600 in each hack. The report noted on average that the types of data breaches and the data breaches by industry have remained “fairly consistent” over the past two years.

Data breaches in 2013 were classified into four categories: (1) malware and hacking, (2) physical theft and loss, (3) errors, and (4) misuse. More than half of all computer penetrations in 2013 were caused by hacks classified as malware and hacking. Physical theft and loss accounted for about a quarter; unintentional errors accounted for 18 percent of breaches; and misuse by insiders accounted for the balance. 

Almost half of all breaches in 2013 involved Social Security numbers, making it “the most frequently compromised data type.” According to the report, the average financial loss “to a consumer who falls victim to the fraudulent use of a credit card account is $63, debit card $170, checking account $222 and Social Security number $289.”

A quarter of the breaches were in retail and involved 15.4 million records, or 84% of the 2013 total. Healthcare accounted for a similar number of breaches, but just 1.1 million records were involved.

The Attorney General made twelve recommendations for upgrading systems to improve resistance to data exposure. The annual report seems to be an excellent example of non-partisan good government. The fact that a behemoth like Target with huge resources did not know that 70 million of its customers’ data had been vacuumed up for months by an organized crime ring is frightening to most consumers. Having California businesses and the Attorney General cooperating to improve consumer records security should be bad news for the growing number of digitally sophisticated criminal cartels. 

Chriss Street suggests that if you are interested in California, please click on Covered California Website Outage Hides Huge Premium Increases.


Home Depot breach costs doubled Target’s

Credit unions spent $60 million following the data security breach at Home Depot in September — twice as much as the recent Target data breach, according to a survey published Thursday.

Credit unions and banks had to reissue consumer cards that were breached, with current laws stipulating that they’re responsible to pick up the costs.

The Home Depot data breach impacted 7.2 million consumer cards at credit unions, according to the survey, released by the Credit Union National Association (CUNA).

On average, it costs $8.02 to reissue a consumer card, according to the survey.

Last year’s Target data breach cost credit unions $30 million, according to CUNA.

But credit union officials say the risk to reputations following a data breach is even more burdensome.

“The bottom line is that credit union members end up paying the costs – despite the fact that the credit unions they own had nothing to do with causing the breach in the first place,” said CUNA President and CEO Jim Nussle.

Consumers often are notified by their bank or credit union that they need to have their cards reissued following a breach at a retailer, which bankers say puts them at a disadvantage with consumers who might blame them and not the retailer.

The retail industry pressed back against the credit unions’ criticisms.

In a letter to CUNA and the National Association of Federal Credit Unions (NAFCU) sent later Thursday, leaders of the top retail industry groups said that retailers do have to shoulder some of the costs from data breaches.

“Even after absorbing substantial fraud losses, merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches,” they wrote in a letter signed by the Retail Industry Leaders Association (RILA) and the National Retail Federation (NRF).

Other groups signing the letter included the Food Marketing Institute, the National Association of Convenience Stores, the National Grocers Association, and the Merchant Advisory Group. 

The retailers noted that many in the financial services industry have formed a partnership, led by RILA and the Financial Services Roundtable, to establish a private-public partnership with businesses to share data threat information.

“Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the Partnership, one constituency has still not seen fit to participate: credit unions,” they wrote in the letter. “It is past time we started working together for the greater good of America’s consumers.”

Other top retailers and financial firms — including Neiman Marcus and JPMorgan Chase — have also reported major data security breaches.

President Obama and the administration have called for more stringent security technology to be used in credit and consumer cards. The financial services industry has also been working closely with the administration to encourage threat information sharing to protect consumers.

However, Congress has been slow to take up cyber security legislation. Most Republicans and Democrats support implementing a national data notification standard that would require retailers to notify consumers when their information had been breached.

Republicans want a standard that would allow for the industry to evolve with rapidly changing consumer technology. Democrats want a more stringent standard that they say would better protect consumers from the patchwork of lenient standards in the states.

This story was updated at 4:14 p.m.


Data breach suspected at Sheriff’s Office

Was investigation disseminated?

Freeborn County administration is investigating a suspected data breach within law enforcement, according to Administrator John Kluever.

He said he and other information technology staff are looking into the possibility that someone was unnecessarily viewing open investigation files and disseminating parts of those files to the public.

He declined to comment on how the suspected breach was discovered and whether it has any connection to the upcoming election in the Freeborn County Sheriff’s Office.

“If you access something for a nongovernmental purpose, that would be a data breach,” Kluever said.

He hopes to have more answers by the end of next week.

Kluever said if a data breach is found, state statute requires officials to contact anyone who might have been affected.

The Freeborn County Sheriff’s Office has been rife with controversy and even an anonymously defamatory website, which also is under investigation. It’s unclear whether the data breach is related.

Look to the Tribune for more information as it becomes available.


Google Working on Tool to Gather Stats While Preserving Privacy

Google is working on a new system that enables the company to collect randomized information about the way that users are affected by unwanted software on their machines, without gathering identifying data about the users.

The system is known as RAPPOR (Randomized Aggregatable Privacy-Preserving Ordinal Response) and Google currently is testing it in Chrome. The company’s engineers are hoping to use RAPPOR to aggregate data on the problems affecting users while still preserving the privacy of each individual.

“To understand RAPPOR, consider the following example. Let’s say you wanted to count how many of your online friends were dogs, while respecting the maxim that, on the Internet, nobody should know you’re a dog. To do this, you could ask each friend to answer the question ‘Are you a dog?’ in the following way. Each friend should flip a coin in secret, and answer the question truthfully if the coin came up heads; but, if the coin came up tails, that friend should always say ‘Yes’ regardless,” Úlfar Erlingsson, tech lead manager in security research at Google, wrote in a blog post explaining the new system.

“Then you could get a good estimate of the true count from the greater-than-half fraction of your friends that answered ‘Yes’. However, you still wouldn’t know which of your friends was a dog: each answer ‘Yes’ would most likely be due to that friend’s coin flip coming up tails.”

Software vendors routinely collect data from users’ machines, typically in the form of crash reports or telemetry from things such as security products or browsers. Users typically need to opt into sending that kind of information, and there are some privacy concerns around sending it. Google’s system is designed to address some of these issues.

“In short, RAPPORs allow the forest of client data to be studied, without permitting the possibility of looking at individual trees. By applying randomized response in a novel manner, RAPPOR provides the mechanisms for such collection as well as for efficient, high-utility analysis of the collected data. In particular, RAPPOR permits statistics to be collected on the population of client-side strings with strong privacy guarantees for each client, and without linkability of their reports,” the Google authors wrote in an abstract for a paper submitted to the ACM Conference on Computer and Communications Security. 

Google has made RAPPOR available on GitHub as an open source project.

“Building on the concept of randomized response, RAPPOR enables learning statistics about the behavior of users’ software while guaranteeing client privacy. The guarantees of differential privacy, which are widely accepted as being the strongest form of privacy, have almost never been used in practice despite intense research in academia. RAPPOR introduces a practical method to achieve those guarantees,” Erlingsson wrote.
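
The coin-flip survey in the quoted "Are you a dog?" example can be simulated to see how the aggregate is recovered while single answers stay deniable. This is an added example, not code from Google's RAPPOR project or from the article; the function names, the `p_tails` parameter (a generalization to a biased coin) and the simulated population are assumptions made for illustration.

```python
import random

P_TAILS = 0.5  # fair coin, as in the quoted example


def respond(is_dog, rng, p_tails=P_TAILS):
    """One friend's answer: tails -> always 'Yes'; heads -> the truth."""
    if rng.random() < p_tails:
        return True
    return is_dog


def estimate_true_fraction(yes_count, n, p_tails=P_TAILS):
    """Invert E[yes fraction] = p_tails + (1 - p_tails) * p to recover p."""
    if n <= 0:
        raise ValueError("need at least one response")
    yes_frac = yes_count / n
    p = (yes_frac - p_tails) / (1.0 - p_tails)
    # Sampling noise can push the raw estimate outside [0, 1]; clamp it.
    return min(1.0, max(0.0, p))


def std_error(yes_count, n, p_tails=P_TAILS):
    """Standard error of the estimate; the coin inflates it by 1/(1 - p_tails)."""
    yes_frac = yes_count / n
    return (yes_frac * (1.0 - yes_frac) / n) ** 0.5 / (1.0 - p_tails)


def prob_dog_given_yes(true_fraction, p_tails=P_TAILS):
    """Bayes' rule: what a single 'Yes' reveals (dogs always answer 'Yes')."""
    p_yes = p_tails + (1.0 - p_tails) * true_fraction
    return true_fraction / p_yes


def simulate(n, true_fraction, seed=0, p_tails=P_TAILS):
    """Constructed population: the first round(n * true_fraction) friends are dogs."""
    rng = random.Random(seed)
    n_dogs = round(n * true_fraction)
    population = [True] * n_dogs + [False] * (n - n_dogs)
    yes = sum(respond(is_dog, rng, p_tails) for is_dog in population)
    return yes, estimate_true_fraction(yes, n, p_tails)


if __name__ == "__main__":
    n, truth = 100_000, 0.10
    yes, est = simulate(n, truth)
    print(f"answered Yes: {yes / n:.3f} (more than half, as the quote says)")
    print(f"estimated dog fraction: {est:.3f} +/- {std_error(yes, n):.3f}")
    print(f"P(dog | answered Yes): {prob_dog_given_yes(truth):.3f}")
```

In this one-sided scheme only a "Yes" is deniable: a "No" can only come from a non-dog whose coin came up heads.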
