Archive for August, 2014

Web Wealth: Responding to a bank data breach

Reports of a major data breach at JPMorgan and other banks – possibly by Russian hackers – call into question the security of customer accounts. What’s a consumer to do?

Infosecurity magazine runs through the possible methods of the hackers and what the fallout might be. “The FBI has called the skill associated with the attack ‘far beyond the capability of ordinary criminal hackers,’ leading many to conclude that the action was state-sponsored,” writes reporter Tara Seals. The cold implication: “Without significant change in strategy, ultimate resistance to high-level attacks is, well, futile.”

Massive bank hacks are more dangerous than recent high-profile retail-store data thefts, says this post. “If someone gains access to and drains your bank account, you may find yourself without the means to pay essential bills, like student loans, utilities, or your mortgage, which is not only damaging to your livelihood but also to your credit standing,” writes Christine DiGangi. “You are often the last line of defense between ill-intentioned hackers and your financial information, so checking it from a variety of angles – account monitoring, credit reports, credit scores – will help you minimize the negative impact of an attack.”

Steps for consumers to safeguard accounts include being forewarned about “phishing” – attempts by crooks to get account information by, for example, pretending to be the bank and sending you an e-mail asking you for account information. “Banks and other financial institutions do not send e-mails asking customers to input their account information, verify account data, or update their records,” says this post. In addition, keep a close eye on your statement and get in touch with the bank the moment you see a problem.

Tom Kellermann, chief cybersecurity officer of Trend Micro, told CNN Money the threat to banks from the alleged Russian hacks is immense, and could have given the bad guys power to wipe out a bank’s entire network, in addition to exposing customer accounts. “Plus, criminals could have the banks’ investment playbooks,” this CNN Money piece says.

A personal-finance site that offers to be “the nerdy friend you can count on and trust” says people shouldn’t wait for the bank to notify them of a problem. In light of the recent news of a massive cyber attack, you probably ought to change your bank account passwords, just in case. Blogger Teddy Nykiel advises other steps, too, and notes it can take banks weeks to notify customers.



215-854-5114 @ReidKan


Data breach may have compromised Louisiana citizens’ information, state …

Louisiana state officials were notified Thursday by JPMorgan Chase that personally identifiable information it holds under contracts with state agencies may have been breached.

The company said it didn’t immediately know if or to what extent information on Louisiana citizens may have been exposed.

“Through contracts with the Louisiana Department of the Treasury and Louisiana Department of Revenue, JPMorgan Chase issues prepaid debit cards for certain state agencies, including for state income tax refunds distributed by LDR, unemployment benefits paid by the Louisiana Workforce Commission and Child Support Enforcement, STEP Supportive Services and Child Care Assistance provider payments paid by the Louisiana Department of Children and Family Services,” a news release from the Department of Revenue said.

The news release was issued to media outlets on Friday.

State agencies said they are working with JP Morgan Chase to keep Louisiana citizens apprised as more information about the breach becomes available.

Until then, citizens — particularly those who have used prepaid debit cards issued on behalf of these state agencies — are encouraged to monitor their credit statements and financial reports for any suspicious activities. They were also advised to change the passwords on their respective accounts as a precaution.

For additional information, visit the Federal Trade Commission’s website for general information about identity theft and to learn more about reporting suspected fraudulent activities.


[Gallery: Biggest data breaches of all time] The FBI is investigating a hacking attack on JPMorgan Chase that caused a data breach, though the extent of the damage from the attack and where it came from have not yet been determined.


Companies Slow To Alert About Data Breaches

Rumors of a data breach at a major New York bank started circulating more than a week ago in cyber-security circles. So for insiders, news that JPMorgan Chase had been victimized was more confirmation than revelation, just the latest headline from a digital crime wave that shows no sign of ebbing.

But for the millions of customers of JPMorgan Chase, the news reports that began appearing Wednesday were the first indication that their personal information might have been stolen by hackers. Like Target, Neiman Marcus and countless other companies, the nation’s largest bank chose to keep evidence of a cyber-crime private until journalists forced the issue.

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.

The result is that days, weeks or longer can pass between when a company learns of a cyber-crime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties — such as a credit card company — that the risk of fraud or identity theft is elevated.

“There have been so many breaches where companies have held information for so long that more disclosure would force companies to do a better job being accountable to consumers,” said Ed Mierzwinski, consumer program director at U.S. Public Interest Research Group. “It’s a real pain in the neck to clear your name. … You have to spend time — a lot of time — clearing your name. And you don’t get paid for that.”

The seriousness of the JPMorgan Chase breach, which involves at least one other bank as well, remains uncertain, though some reports said account data may have been compromised for some customers.

Bloomberg News first reported the intrusion Wednesday afternoon, saying that the FBI was investigating the possibility that Russian hackers had launched an attack in retaliation for U.S. sanctions prompted by Russia’s actions in Ukraine. Other investigators have expressed skepticism about that possibility but not ruled it out.

JPMorgan Chase posted a notice on its website saying, “The security of your Chase accounts is one of our highest priorities,” with general tips on how to protect personal banking security. But it didn’t directly address the numerous news reports of a data breach, nor did it offer details about what happened and who might be affected.

A representative for JPMorgan Chase said it will notify consumers if it determines they have been impacted but declined to say when or how. JPMorgan Chase also declined to comment on when it first learned of the data breach.

The interests of consumers and authorities sometimes diverge, said Neil MacBride, former U.S. Attorney for the Eastern District of Virginia and now a partner at Davis Polk & Wardwell. “Consumers want immediate notification from the breached company while law enforcement may want several days or weeks to investigate a crime scene before hackers are tipped off that the cops are on their tail.”

Notification is a notoriously cumbersome and costly process for companies that have data breaches. Forty-seven states and the District of Columbia have laws governing such disclosures, and a company with a nationwide customer base may have to comply with them all.

There also are notification requirements specific to banks under federal law. Publicly traded companies must report “material breaches” from cyber-crime in disclosures to investors. And the Federal Trade Commission investigates some corporate data breaches, especially when there is evidence that security measures were not up to industry standards.

The result is a mish-mash of rules and regulations that, in practice, force companies to disclose data breaches but rarely require them to do so quickly. New York’s data breach law, for example, requires disclosure “in the most expedient time possible and without unreasonable delay,” but allows for delay to accommodate “the legitimate needs of law enforcement” during an ongoing investigation.

The work involved in notification — and the public relations price for companies that have failed to keep their customers’ data safe — was a top goal of those who pushed for state notification laws. They wanted to raise the cost of data breaches in order to provide companies with incentive to implement better security practices.

“It wasn’t about providing a lot of notice to consumers. It was about seeking some visibility about lax security procedures,” said Deirdre Mulligan, a professor at the University of California, Berkeley School of Information who helped craft California’s data breach law, which when it passed in 2002 was the nation’s first.

But 12 years later, as the incidents continue to pile up, some experts say the time has come to revisit the subject — with the goal of prioritizing the interests of the consumers who are affected.

“We’ve got this kind of patchwork, but given the frequency and visibility of these breaches, we ought to have a much more rigorous conversation in this country about data security policy,” said Woodrow Hartzog, a Samford University law professor who specializes in privacy and security.

Until then, companies typically are free to take the initiative of notifying their customers quickly. EMC Corp.’s RSA Security division, which makes security tokens for computer networks, publicly disclosed it had suffered a breach in March 2011. Its chairman, Art Coviello, posted an urgent message on its website acknowledging the intrusion by what Coviello described as an “advanced persistent threat.” Intelligence officials later said they traced it to China.

“This was an extremely unusual event where the corporation very quickly identified the breach and disclosed it,” said Michael Brown, then a senior cybersecurity official at the Department of Homeland Security and now a vice president and general manager at RSA. “And we on the government side were very impressed.”

The company’s action, he said, enabled the alerting of its customers in the private sector and in government about ways to detect if they were vulnerable and to protect themselves. “There’s nothing worse,” he said, “than having an environment where potentially something’s going to come out and not having relayed coherent information to the customers.”


All Idaho Albertsons Stores Were Hacked In Data Breach

More details came out late Friday involving the data breach of Albertsons stores. It turns out that hackers were able to access data from all of Albertsons stores throughout Idaho, Washington and Montana.

Two weeks ago, Albertsons officials confirmed that hundreds of their stores throughout their network of locations had been hacked, but didn’t mention exactly which stores had been hit.

But KHQ-TV reports that all of the company’s stores in Idaho, Washington and Montana were targeted, compromising shoppers’ data between June 22 and July 17. AB Acquisition, an Albertsons subsidiary, confirmed the update.

Store officials say that consumers who aren’t sure whether they shopped at Albertsons during the time of the breach should look through their credit card or bank statements to check. The company is offering consumer identity protection services at 1-855-865-4449.


DQ may be latest victim of data breach

Dairy Queen may have been hit with a data breach that could put customers at risk of credit card fraud, the company told the Minneapolis/St. Paul Business Journal.

Dairy Queen said the potential data breach is connected to the “Backoff” point-of-sale malware that hit Target last year, but didn’t say how it was notified, how widespread the breach could be or how long it may have lasted.

“In addition to communicating with potentially affected franchised locations, credit card processors and credit card companies to gather relevant information, we immediately began cooperating with the authorities investigating this particular malware,” the company said in their statement. “We continue to communicate with our franchisees and service providers regarding steps necessary to protect customer data and minimize any impact to our customers.”

Dairy Queen franchisees are currently not required to report fraud to headquarters.

More breaches are likely to be reported in the future. According to the Secret Service, the same malware may have affected more than 1,000 other businesses.


Racing Post let off with stern warning after data breach

[Image of racing courtesy of Cheryl Ann Quigley]

The Racing Post, which suffered a data breach affecting over 677,000 users late last year, has escaped a fine but has agreed to sign an undertaking promising to try harder to keep its services and data secure.

According to the Information Commissioner’s Office (ICO), the Racing Post has been slacking off on its security arrangements since at least 2007, and has been given until the end of February 2015 to get its house in order.

The breach was a typical SQL injection attack that led to the leaking of user data on 677,335 people who had signed up to the sports betting website.

The ICO has the power to impose a fine of up to £500,000 on “data controllers” found to be in breach of the Data Protection Act, as it demonstrated earlier this week with a £180,000 penalty imposed on the Ministry of Justice.

Although the Racing Post breach affected a large number of people, the ICO requires leaked data to cause “substantial damage and distress to the individuals affected” to merit a fine, and in this instance the data was found to be insufficiently sensitive.

It did, however, include names, addresses, phone numbers, dates of birth and passwords in a form described as “encrypted” but which appeared to be lacking the proper salting required to keep them safe (they apparently used simple MD5 hashing, making brute-forcing far easier than it should be).

Many people would likely feel fairly distressed to learn that all that personal data was in the hands of malicious hackers.

According to the text of the undertaking:

During the Commissioner’s investigation it was determined that the data controller had consulted security experts and procured penetration testing in 2007. However since that time there had been no steps taken to keep abreast of security developments. In the Commissioner’s opinion, this placed the data at an unacceptable level of risk of inappropriate processing.

It seems improbable that anyone could run a busy website for six years without taking any kind of security precautions, but that seems to be the implication.

By 28 February 2015, the Racing Post is promising to implement a proper password-storage system, to set up a proper process for software patching and updating, to run regular security testing, to monitor compliance with proper security policies and to “implement such other security measures as it deems appropriate”.

Six full months seems like a long time to get up to speed with what should be basic everyday security steps for any business.

With the barrage of epic breaches making headlines almost daily, no-one can be unaware of the importance of protecting any and all data held by a business or institution, and anyone who’s not reviewed their security policies in the last few years needs to wake up and get moving.

There are well-defined industry standards for secure storage of passwords, and a wealth of options for encrypting any other data that needs to be stored. Patching and updating of software may be a chore, but more and more providers are building in automated update systems to take the strain off sysadmins.

SQL injection attacks have been a common technique for well over a decade, and most are facilitated by sloppy or incomplete filtering of input data. Any web-facing system which accesses databases needs to be checked for proper input sanitizing.

This checking needs to be done both from within the organisation and from outside – third-party penetration testing should be a routine part of maintenance processes, running at least annually with no six-year breaks.
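The two failings the article describes, unsalted MD5 password storage and database queries built by pasting user input into SQL, are illustrated below in added example code that is not from the Racing Post or the ICO undertaking; the sample users, the table layout and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample records of the kind the article says were leaked
# (username plus password); the values and table layout are assumptions.
SAMPLE_USERS = [("punter42", "horses2013"), ("O'Brien", "each-way!"), ("tipster", "horses2013")]
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def weak_hash(password: str) -> str:
    """Unsalted MD5, the scheme the article describes: two users with the same
    password get the same digest, and each digest can be matched against a
    precomputed table, so a leaked column is cheap to reverse."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing record."""
    salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_db() -> sqlite3.Connection:
    """In-memory user table populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, store_password(p)) for u, p in SAMPLE_USERS])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the input becomes part of the SQL text, so a
    quote character in it is parsed as SQL syntax rather than as data."""
    sql = "SELECT pwhash FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    statement, so no input can change the query's structure."""
    return [row[0] for row in conn.execute(
        "SELECT pwhash FROM users WHERE username = ?", (username,))]


def concatenation_breaks_on_quote(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenated query fails to parse for this input, which is
    the symptom that shows user data is being executed as SQL."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True
```

A perfectly ordinary username such as O'Brien is enough to show the difference: the concatenated query fails to parse, while the parameterised one returns the record and its salted hash verifies normally.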

It remains to be seen whether making people stand up and acknowledge their failings, and promise to rectify them, will be enough to encourage everyone to make the proper effort.

The enormous media attention given to the steady stream of incidents in the last few years doesn’t seem to be getting the message through, and it could be that we need to start imposing stiffer penalties on those failing to pull their weight, regardless of how much “damage and distress” their leaks are perceived to have caused.



Target Data Breach Much Worse Than First Thought…

Remember the huge data breach that happened at Target late last year? Yes, the one where their POS system was hacked and customers’ names, addresses, credit card numbers, etc. were freely handed over to criminals. Yes, the same one that pretty much made every person who’d physically shopped at a Target store vulnerable to an attack. Finally, yes – the same one that prompted Target to offer a year of identity theft protection to their many guests who thought they might’ve been affected by the data breach. Well, it turns out it’s much worse than we first thought.

It turns out it wasn’t just Target that was affected – in fact, the Department of Homeland Security as well as the Secret Service believe that the same hacking affected over 1,000 other stores in the United States. Here’s how the New York Times describes their findings:

“The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from American consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.”

As a result of this news, it’s probably a good idea to thoroughly look over your credit card statements with a fine-toothed comb checking for anything out of the ordinary. While I don’t have a proper list of all of the stores affected by the hack, it’s still a good idea to check your statements anyway.

Have you been affected by this massive data breach? If so, let us know in the comments section below.

[Image via NorthlandsNewsCenter]

SOURCE: Gizmodo


Albertsons data breach involved 3 states


Dairy Queen’s silence on data breach could have ‘corrosive effect’ on consumer …


On Wednesday, International Dairy Queen issued a statement saying that it may have been subject to a data breach that hit other Twin Cities retailers, Supervalu and Target. Photographer: Michael Nagle/Bloomberg

Clare Kennedy
Staff reporter- Minneapolis / St. Paul Business Journal


Two days have passed since Dairy Queen revealed that its stores may have been hit with a data breach that could put customers at risk of credit card fraud. So far, the company has not released any further information about the possible intrusion.

The Edina-based restaurant chain hasn’t said how many stores were affected, how widespread the breach could be or how long it may have lasted. Though its brief announcement included a statement that it is complying with an investigation into the matter, it did not indicate what else it may be doing to protect customers. There are no notifications to customers on the company’s home page, its Twitter feed or Facebook page. Company representatives have not responded to requests for further comment.

Crisis communications specialist Jon Austin said that, while the breach may not have a lasting impact on the brand, maintaining silence about the breach is the wrong approach.

“There is some fraying that comes from this,” Austin said. “They should provide answers not because any one of these [incidents] is fatal, but if it happens over a long period of time or if it is particularly mishandled it can have a corrosive effect on the relationship with consumers.”

Austin said that “a fairly standard corporate playbook” has evolved since the massive data breach at Target Corp. at the end of 2013. The best response is a proactive one, he said, which was exemplified by Supervalu Inc. regarding its own data breach this summer.

On Aug. 15, the Eden Prairie-based grocery retailer and wholesaler disclosed the breach. Within 24 hours, the company had issued a full list of affected stores, along with information about the duration of the breach and what the company was doing in response. Supervalu also established a call center for concerned customers.

Clare Kennedy writes about food and drink.


State: Data breach involving JP Morgan Chase

Deborah Simmons

