Archive for June, 2014

Alabama DPH sends 500+ patient data breach notices

The Alabama Department of Public Health (ADPH) has notified more than 500 patients who were treated at one of Alabama’s 65 county health departments that their personal information and identities were compromised.

According to the ADPH notice, the U.S. Attorney’s Office for the Middle District of Alabama and the U.S. Department of Justice’s Tax Division alerted ADPH that they were prosecuting the case on June 5. The unknown source being prosecuted stole the data, such as clients’ names, dates of birth, and Social Security numbers from ADPH, as well as several other entities.

Privacy Officer Samarria Dunson said to waff.com, “[w]e believe now that it is possible they may have been former employees, but we are still participating in the investigation. It would be particular records that were printed out by individuals.”

The report stated that the patient records may have been part of tax fraud rings in Alabama and Georgia, as more than $20 million in fake tax returns were filed, according to al.com.

Article source: http://healthitsecurity.com/2014/06/30/alabama-dph-sends-500-patient-data-breach-notices/


Benjamin F. Edwards & Co. discloses data breach




Greg Edwards
Reporter, St. Louis Business Journal


Benjamin F. Edwards Co. disclosed its data was breached May 24, Forbes.com reported.

The brokerage, owned and operated by Tad Edwards, great-grandson of the founder of A.G. Edwards, discovered the breach May 27 and began sending out letters to customers June 27, explaining how they can get credit reporting, Forbes reported.

The firm said in a statement released Monday that it hired a computer forensics expert to investigate after learning of the breach. “During our investigation we learned some of our information was taken but do not have specific evidence that suggests information about our clients and employees was acquired by a third party or has been fraudulently used,” the statement said.


Cyber crime costs the U.S. economy as many as 500,000 jobs a year, according to a study by the Center for Strategic and International Studies. Globally, cyber crime has an estimated cost of $500 billion a year.



Article source: http://www.bizjournals.com/stlouis/blog/biznext/2014/06/benjamin-f-edwards-co-discloses-data-breach.html


10 Worst Data Breaches of All Time

Credit: Milos Stojanovic/Shutterstock

You probably heard about the Target data breach that put the credit card numbers and personal information of millions of the retail giant’s customers into the hands of cybercriminals in late 2013. But Target’s security nightmare wasn’t the worst data breach in history.

Here are the 10 worst data breaches in history — so far.


Heartland Payment Systems, 2008-2009: 130 million records compromised

In early 2009, this Princeton, New Jersey-based payment processor announced the largest data breach ever to affect an American company. Heartland’s breach exposed information from approximately 130 million credit and debit cards to cybercriminals.

Malware planted on Heartland’s network recorded card data as it arrived from retailers. Because the company processed payments for more than 250,000 businesses across the country, the impact was huge.

In 2010, Albert Gonzalez, the convicted mastermind behind the Heartland breach (as well as another huge breach), was sentenced to 20 years in prison — the longest sentence ever handed down for computer crime in a U.S. court.

Target Stores, 2013: 110 million records compromised

In December 2013, retail giant Target confirmed that hackers had infected the company’s payment-card readers, making off with approximately 40 million credit and debit card numbers that had been used at Target stores in the United States during the 2013 post-Thanksgiving shopping surge.

In January 2014, Target announced that the contact information — full names, addresses, email addresses and telephone numbers — of 70 million customers had also been compromised. Some of those customers probably also had credit-card data compromised in the earlier breach, but it’s possible that as many as 110 million people were affected by the Target breaches.

Sony online entertainment services, 2011: 102 million records compromised

In April 2011, attackers whose identities are still unknown targeted the PlayStation Network that links Sony’s home gaming consoles, as well as Sony Online Entertainment, which hosts massively multiplayer online PC games, and the Qriocity video- and music-streaming service.

Initially, Sony said that only the personal information of 78 million PlayStation Network users — login credentials, names, addresses, phone numbers and email addresses — had been exposed. But the tally of compromised accounts rose by 24.6 million when investigators discovered the attackers had also penetrated SOE and Qriocity. The credit-card data of approximately 23,400 SOE users in Europe was also stolen.

Following the initial breach disclosure, the PlayStation Network went dark worldwide for more than three weeks. In May 2011, Sony estimated its cleanup costs — which included fighting 65 class-action lawsuits brought against the company — at $171 million. 

National Archive and Records Administration, 2008: 76 million records compromised

Not all data breaches are the result of criminal activity. In late 2008, a hard drive at the National Archive and Records Administration (NARA) stopped working. It held the names, contact information and Social Security numbers of 76 million U.S. military veterans.

Instead of being destroyed on-site, the drive was sent for repair to a government contractor, which determined the drive could not be fixed — so it was sent out to be scrapped. It is not clear whether the drive was actually destroyed.

Following complaints by an IT manager at NARA, an investigation was launched, and NARA changed its policies to destroy all malfunctioning storage media containing sensitive personal information.

“NARA does not believe that a breach of PII [personally identifiable information] occurred, and therefore does not believe that notification [of the affected veterans] is necessary or appropriate at this time,” the agency told Wired News in 2009.

Epsilon, 2011: 60 million to 250 million records compromised

In March 2011, the Texas-based marketing firm Epsilon, which handled email communications for more than 2,500 clients worldwide — including seven Fortune 10 companies — announced that databases pertaining to about 50 Epsilon clients had been stolen.

Email addresses of at least 60 million customers ended up in the hands of cybercriminals, and more than a dozen major retailers, banks, hotels and other companies were affected, including Best Buy, JPMorgan Chase, Capital One Bank and Verizon.

Epsilon could not confirm exactly how many individuals were affected. Conservative estimates put the number of email addresses stolen at 60 million, but according to the Privacy Rights Clearinghouse, a San Diego-based nonprofit advocacy group, the number may have been as high as 250 million. 

Evernote, 2013: More than 50 million records compromised

In March 2013, users of the note-taking and archiving service Evernote learned that their email addresses, usernames and encrypted passwords had been exposed by a security breach. No financial data was stolen, and the company confirmed that none of the user-generated content on its servers had been compromised.

However, as had been the case for those affected by Epsilon’s 2011 breach, Evernote users who had their usernames and email addresses stolen were vulnerable to spam emails and phishing campaigns — some of which pretended to be password-reset emails coming from Evernote itself.

Living Social, 2013: More than 50 million records compromised

In April 2013, Living Social, a daily-deals site partly owned by Amazon, announced that the names, email addresses, birth dates and encrypted passwords of more than 50 million customers worldwide had been stolen by hackers. Twenty million Living Social customers whose information was stored on servers in Asia were not affected.

TJX Companies Inc., 2006-2007: 46 million records compromised

When it was discovered in 2007, the TJX data breach was the biggest theft of consumer data ever in the United States, affecting the parent company of several major retail brands, including Marshalls, T.J. Maxx and HomeGoods. Approximately 45.6 million credit and debit card numbers were stolen over an 18-month period.

About 450,000 TJX customers also had their personally identifiable information stolen, including driver’s license numbers. The breach ultimately cost the Framingham, Massachusetts-based company $256 million.

The TJX hackers included Albert Gonzalez, who was cooperating with law-enforcement investigations into earlier data thefts when he took part in both the TJX breach and the even larger Heartland Payment Systems attack two years later.


Adobe Systems, 2013: At least 41 million records compromised

In October 2013, the American graphics-software giant Adobe Systems revealed that user email addresses, encrypted passwords, password hints and, in some cases, usernames pertaining to 150 million accounts had been stolen from its servers.

An Adobe spokeswoman told security blogger Brian Krebs that only 38 million of those accounts had been active. The remaining ones, she said, were invalid, duplicate or test accounts. Subsequent announcements by Adobe revealed that some 3 million encrypted credit card records had also been stolen.

CardSystems Solutions, 2005: More than 40 million records compromised

When this breach was disclosed in June 2005, CardSystems Solutions of Tucson, Arizona, was the card-payment processor of choice for more than 100,000 small U.S. companies, and processed $15 billion in transactions annually.

Malicious hackers took advantage of CardSystems’ lax security measures, gaining access to the names, account numbers and verification codes of more than 40 million cardholders. A probe found that CardSystems had failed to comply with Payment Card Industry security standards, and the company was forced into acquisition in late 2005.

Follow Elizabeth Palermo on Twitter @techEpalermo, Facebook Google+. Follow Tom’s Guide @tomsguide and Facebook  Google+.

Article source: http://www.tomsguide.com/us/biggest-data-breaches,news-19083.html


Butler University data breach affects 163K with school ties

Identity thieves may have stolen the information of approximately 163,000 students, faculty, staff, alumni and applicants of Butler University, a school spokesman said.

Police contacted Butler officials on May 18 to alert them to an investigation of possible identity theft, according to documents provided by Butler spokesman Marc Allan.

The investigation originated in California, according to a letter sent out by Jim Danko, Butler’s president.

The “suspect had in his possession a flash drive containing the information of certain Butler University employees,” the letter reads.

Further investigation turned up indications of “unauthorized hacking” into Butler’s computer network between November 2013 and May 2014, according to the letter.

“Third-party computer forensics experts” verified the apparent hacking, Danko wrote, before the university sent out notification letters to those affected.

The letter advises the potential identity-theft victims of steps they can take to protect themselves from possible damages caused by the breach — including a free one-year membership in an identity theft protection service courtesy of Butler.

The hacked files contain names, birth dates, Social Security numbers and bank-account information, officials said. Alumni whose information could have been tapped include those who graduated as far back as 1983, Allan said.

“Please know that we are taking steps that will prevent this from happening again in the future,” Danko wrote, “and that the safety and security of your personal information remains a top priority for Butler University.”

One former Butler student was stunned to receive the letter last week informing her of the breach.

“At first I thought it was a scam,” said Kimberly Somermeyer, 55, Homecroft. “I graduated from Purdue in 1982 and took one master’s level science course at Butler in the fall of 1983.”

Despite the frustration, Somermeyer kept a sense of humor about the breach.

“I wish the hackers would let me know what my grade was at Butler,” she said. “I have since forgotten!”

Butler’s data breach comes after Indiana University reported earlier this year that a security lapse may have exposed the personal information of about 146,000 students and graduates. Names, addresses and Social Security numbers were inadvertently stored on an unprotected site, the university said.


Call Star reporter Bill McCleery at (317) 444-6083. Follow him on Twitter: @BillMcCleery01.

Article source: http://www.indystar.com/story/news/crime/2014/06/30/butler-university-data-breach-affects-k-school-ties/11745909/


PHP Fixes OpenSSL Flaws in New Releases


VMware Patches Apache Struts Flaws in vCOPS

VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.


Article source: http://threatpost.com/php-fixes-openssl-flaws-in-new-releases/106908


ICS Malware Found on Vendors’ Update Installers

Malware targeting industrial control systems has infected the update installers belonging to three known industrial control vendors, according to an advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The Havex remote access Trojan (RAT) is targeting vendors via phishing campaigns, website redirects and most recently by infecting the software installers. Three vendor websites have been compromised in watering hole attacks, the advisory said.

“According to analysis, these techniques could have allowed attackers to access the networks of systems that have installed the trojanized software,” the ICS-CERT advisory said. “The identities of these three known industrial control system vendors are available along with additional indicators of compromise to critical infrastructure owners and operators on the US-CERT secure portal.”

The advisory also revealed that ICS-CERT has received reports of numerous system crashes caused by Havex infections, leading to denial-of-service conditions.

Havex is a traditional RAT in that the Trojan opens a backdoor where stolen data is flushed out to the attacker’s server. The command and control server can also send back additional payloads. ICS-CERT said the Trojan has the capability of mapping all network resources connected to the victim, including network shares.

“[Havex] uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system resources within the network,” the advisory said. “The known components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard.”

The Trojan gathers a laundry list of system information, including server name, OPC version, vendor and server bandwidth information. ICS-CERT said Friday there is no indication the Trojan can make any changes to the connected network hardware resource.

“It is important to note that ICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to intermittently crash,” the advisory said. “This could cause a denial of service effect on applications reliant on OPC communications.”

OPC is an open specification used for process control across a number of industries, primarily for operability between gear from different vendors.

The advisory also suggests a number of mitigations for ICS operators, including locking down network access to OPC clients and servers and using OPC tunneling to avoid legacy DCOM services.

ICS-CERT also said that it is investigating whether Havex has been involved in other watering hole attacks.

Earlier this year, a watering hole attack targeting energy utilities involved a compromised website belonging to a law firm that represents energy companies that redirected victims to a site hosting the LightsOut exploit kit.

The exploit kit used a number of Java and Adobe exploits and researchers at Zscaler said in March that the site used in the attack is also a known command site for Havex.

This isn’t the first time experts have warned about update services as a possible malware vehicle. During the TrustyCon event in February, activist Chris Soghoian of the American Civil Liberties Union said that intelligence agencies could also target mass, automated update mechanisms with surveillance software.

Soghoian said at that time that his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services leaving them vulnerable to cybercrime, identity theft and fraud.

“There are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won’t, and they will stay vulnerable,” Soghoian said. “What that means though is giving companies root on our computers—and we really don’t know what’s in the code after fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.”

Article source: http://threatpost.com/ics-malware-found-on-vendors-update-installers/106910


Microsoft to End Email Security Notifications


Article source: http://threatpost.com/microsoft-to-end-email-security-notifications/106916


Google Patches Shared Links Vulnerability in Drive

Article source: http://threatpost.com/google-patches-shared-links-vulnerability-in-drive/106918


Targeted Paerls Campaign Includes Old-School Word Macro Attack

A targeted malware campaign has been uncovered that combines an old-school Microsoft Word Macro malware attack with a decidedly new school approach of redirecting victims to exploits stored on Dropbox.

The String of Paerls attacks, which Cisco’s VRT team reported today, targets industries such as banking, oil, television and jewelry with convincing, customized spear phishing emails that are spiked with a malicious Word document.

“When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine,” Cisco researchers said.

One sample email pretends to be a receipt for payment from massive shipping line Maersk; invoices and purchase orders have also been seen in other samples. In most cases, the attachment is called 2014-05.doc and it immediately opens a backdoor connection to either one of two command and control servers as well as to a Dropbox domain, dl[.]dropboxusercontent[.]com.

The Dropbox domain hosts four distinct pieces of the exploit, Cisco said, adding that it has notified Dropbox, which de-activated the links in question. The other two domains contacted by the malware are londonpaerl[.]co[.]uk and selombiznet[.]in.

Londonpaerl is a typosquat on Londonpearl, which is a high-end jewelry vendor specializing in pearls. The Londonpaerl domain resolves to a purported employment company.

Capitalizing on some shoddy operational security, Cisco said it was able to gain more insight into the threat actors from identifiers in a number of whois records attached to the command and control domains. For example, a reference to “2 close medical/medicle road” was made in the registrant’s street address for the selombiznet domain. Additional searches turned up the same phrase tied to registration records for six domains used in malware attacks since March 12.

“During the investigation, we identified several different campaigns believed to be associated with this threat actor involving many other pieces of malware. Many of the domains appear to be suspended presumably due to past malicious activity,” Cisco said. “In fact, during the investigation the threat actor changed the information on some of the domains several times. Luckily, if you monitor whois history you can still view all of this information, including the evasion attempt.”

This isn’t the first phishing campaign to send victims to Dropbox. Earlier this month, researchers at PhishMe reported a campaign sending users a Dropbox link where a .zip file hosting a version of the Zeus banking Trojan was waiting. The Zeus campaign, unlike this one, was not targeted yet still relied on similar lures such as invoices or payment notifications.

Article source: http://threatpost.com/targeted-paerls-campaign-includes-old-school-word-macro-attack/106923


State senator warns of data breach at car washes in West Haven, Shelton and …



WEST HAVEN - A state senator says that people who take their cars to Splash Car Wash locations should check their credit card accounts for fraudulent activity after the company experienced a data breach earlier this year.

In an email to constituents late last week, state Sen. Kevin Kelly said the breach has affected about 1,400 people who went to Splash Car Wash.

Kelly said the breach occurred from Feb. 28 to May 16 at the chain’s locations in West Haven, Shelton, Bridgeport, Fairfield, Cos Cob and Greenwich.

The senator said that the data breach did not affect customers who have unlimited plans with the car wash company. He said that people who see fraudulent activity on their accounts should contact their credit card companies immediately.

Kelly represents Monroe, Seymour, Shelton and Stratford in the legislature.

He said that Splash has asked forensic investigators to look into the breach and has replaced credit card systems at all 16 of its locations with card readers that are verified as safe.

Article source: http://www.nhregister.com/general-news/20140630/state-senator-warns-of-data-breach-at-car-washes-in-west-haven-shelton-and-other-towns
