Archive for January, 2015

UMass Medical Center reports possible data breach

Thousands of patients have been warned of a possible data breach at UMass Memorial Medical Group.

Officials said a worker may have stolen personal information, and more than 14,000 patients have been notified.

The incident occurred last year, officials said.

Officials said law enforcement officials told the company not to say anything about the potential breach during the investigation.

The worker no longer works for the company.

Article source: http://www.wcvb.com/news/umass-medical-center-reports-possible-data-breach/31021666


UMass Memorial Medical Group reports data breach

WORCESTER — The UMass Memorial Medical Group said Friday it is working with law enforcement after a former employee allegedly accessed thousands of patient billing records that contained credit card and debit card information, Social Security numbers, dates of birth and medical record numbers.

The medical group, part of UMass Memorial Health Care, said it was given permission Jan. 28 to notify the approximately 14,000 patients potentially affected.

The hospital group says it began notifying potentially affected patients Friday and has set up a dedicated call center to assist patients with any questions. UMMMG says it’s now working to strengthen its privacy and information security program.

UMass Memorial said the incident did not affect all UMMMG patients. Those who have not received a letter by Feb. 21 should call (877) 218-0049 Monday through Friday from 9 a.m. to 7 p.m. The reference number is 5710012015.

UMass Memorial said it learned April 9 that information related to some of its centers’ patients “may have been accessed inappropriately and potentially for fraudulent purposes.” UMMMG officials say it immediately began an investigation and reported the incident to law enforcement at that time.

UMass Memorial identified an employee who “may have accessed billing records outside of normal job duties,” from Jan. 7, 2014 to May 7, 2014.

In August, law enforcement advised UMMMG they additionally had found copies of some patient billing documents in possession of an unauthorized person. The former employee would have had access to those billing documents, a spokesperson said.

UMass Memorial said that information “may have” included the patients’ names, addresses, dates of birth, medical record numbers, and Social Security numbers as well as their credit and debit card numbers.

“We continue to work with law enforcement in their investigation,” a statement from the hospital reads. “…UMMMG is committed to the security of patient information and it is taking this matter very seriously. … UMMMG deeply regrets this incident and any inconvenience it may cause its patients”

UMMMG did not indicate whether it would pay for credit monitoring services for those affected.

The data breach would be the second in two years for UMass Memorial. A former employee pleaded not guilty in November to multiple charges of identity fraud and other charges in Dudley District Court. UMass Memorial officials said they contacted approximately 2,400 patients whose information was accessed.

Contact Samantha Allen at [email protected]. Follow her on Twitter @SAllen_89.

Article source: http://www.telegram.com/article/20150130/NEWS/301309587/1116


A Quarter of Top Legal Officers Have Seen Data Breaches


Article source: http://www.therecorder.com/top-stories/id=1202716686639/A-Quarter-of-Top-Legal-Officers-Have-Seen-Data-Breaches?mcode=1202615738014&curindex=0


Reddit Publishes its First Transparency Report

Reddit on Thursday published its first transparency report, joining the litany of technology and online service providers who have already shed light on their privacy practices and the extent to which governments make requests for user information.

Reddit thrives on user-submitted content organized by category, or subreddits. It has not been without controversy, however. Most recently in December, the site decided to ban a subreddit where stolen files from the Sony hack were stored and distributed. And last August, in the throes of the celebrity nude photo hacking scandal, several subreddits distributing and reposting the stolen images were shut down.

The transparency report released yesterday covers requests for user information and content removal received in 2014, the site said in its announcement. In addition, the site said it has never received a National Security Letter or an order from the secret Foreign Intelligence Surveillance Court under FISA.

“If we ever received such a request, we would seek to let the public know it existed,” reddit said.

The numbers are relatively low. Reddit said it received 55 requests for user information, which includes log data and content uploaded by users, in addition to any personal information used to register with reddit. As for content removal, reddit said it received 218 such requests and complied 68 times (31 percent). Most of those removal requests were for copyright or trademark infringement.

“We take all requests for the disclosure of user information seriously,” reddit said. “When we receive a request, we make sure it is legitimate and not overbroad, and we provide advance notice to affected users unless prohibited by a court order or where we decide delayed notice is appropriate based on clear criteria described in our privacy policy.”

Reddit said it complied with 58 percent of all government requests for user data, and with 64 percent of U.S. state and federal government requests. More than 90 percent of requests came from the United States in the form of subpoenas, warrants or emergency requests, reddit said.

Of the civil requests for user information, reddit said 30 percent of those were accompanied by a court order prohibiting them from notifying the users in question. The site said it won appeals of two civil subpoenas seeking data on more than two dozen users.

Of the 55 requests, 78 user accounts were named and 13 requests came with legally binding gag orders; in 32 cases, some information was disclosed.

“Many government requests we receive contain demands to withhold notice from users that carry no legal weight. We actively disregard these non-binding demands,” reddit said. “Our goal is to give users the information they need to seek legal advice before their records are disclosed. As stated in our privacy policy, we provide advance notice to affected users unless prohibited by a court order or where we decide delayed notice is appropriate based on clear criteria.”

Image courtesy of Eva Blue

Article source: https://threatpost.com/reddit-publishes-its-first-transparency-report/110762


Army Research Lab Releases Dshell Forensics Framework

Article source: https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766


Threatpost News Wrap, January 30, 2015

Article source: https://threatpost.com/threatpost-news-wrap-january-30-2015/110767


Facebook Malware Poses as Flash Update, Infects 110K Users

Article source: https://threatpost.com/facebook-malware-poses-as-flash-update-infects-110k-users/110775


Defending Your Castle from the Inside: Data Breaches and How to Minimise …

Every business holds at least some sensitive data. This may be sensitive personal information belonging to clients or employees, or confidential data relating to business operations. Keeping this secret information secret should be a concern to every business, no matter what industry or size.

Verizon’s 2013 Data Breach Investigations Report shows that hackers target businesses from every sector and of any size. This report, which combined the expertise of 19 global organisations that study and combat data breaches, found that attackers used many different methods to compromise business systems. As the technology evolves, hackers change their targets and attack methods – becoming more and more tailored to the type of business or even the individual organisation.

Expect Attacks from Every Angle

The majority of attacks originate from outside the business, often from overseas, the report found. Against these attacks, companies try to build higher and more impenetrable walls around their networks and data. This is a never-ending arms race, as even the most advanced systems may, before long, present weaknesses that malicious technology can exploit.

However, this is not the only risk that keeps information security professionals awake at night. Attacks originating from inside the business are typically harder to detect and prevent, and have more potential to significantly damage the business. In other words, it is not the outsiders charging at the walls but the people with the keys to the castle who present the greatest threats.

The Ponemon Institute’s 2012 Cost of Cyber Crime Study found ‘malicious insider’ attacks were one of the most costly cybercrimes to a business. Other studies have reported a spike in the number of cases involving the theft of confidential information over recent years. A major catalyst for this increase is the availability of cloud-based storage services such as Dropbox. Bodies such as Wikileaks and recent, high-profile instances of whistleblowing are also making disclosures seem acceptable.

Of course, not all leaks are malicious. Flexible working arrangements that necessitate remote access also contribute to this rise, as does the increasing use of ‘bring your own device’ policies. In some cases, lax or unclear human resources policies result in some employees not realising it’s unacceptable to take intellectual property with them when they leave a business.

Whatever the underlying cause, it has never been easier for a worker to transfer huge amounts of data very rapidly outside the business.

Make Sure Your Castle is Tidy

As a community, information security professionals have started to accept that data breaches are a clear and continual risk. We are instead working to minimise the potential damage if a breach were to occur.

The basic rules for defending your business still apply, and are repeated year after year by security professionals – Confidentiality, Integrity and Availability. CIA means all data should be kept confidential, protected via encryption. Integrity of the data should be maintained through auditing of access, and finally there must be availability of backup and disaster recovery plans if data is lost. This translates into a handful of practical action points such as:

  • Eliminating any copies of sensitive data that your business holds unnecessarily.
  • Maintaining a good level of logging which allows for regular review and audit of your business systems.

The key to eliminating unnecessarily held sensitive data is understanding where this data resides in your systems. However, this is not as simple as it sounds. Businesses produce huge volumes of unstructured data which are stored in unstructured repositories such as email, file shares, collaboration systems and individual hard drives. Understanding which data presents risk and where it is stored requires powerful indexing software that can automatically identify sensitive information based on pre-defined parameters such as credit card numbers, references to companies, social security numbers and monetary values.
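The pattern-based discovery described above, as an added illustration that is not from the CSO article or any product it mentions: a small Python scanner that walks a set of constructed "unstructured" documents and reports candidate payment card numbers (validated with the Luhn checksum so that arbitrary digit runs are not flagged) and U.S. Social Security numbers. The regular expressions, document names and sample texts are assumptions made for this example.

```python
"""Sensitive-data discovery over unstructured text (added example).

Scans free text for payment card numbers and U.S. SSNs, the kind of
pre-defined parameters a data-discovery index would look for. Sample
documents below are constructed for illustration only.
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# Note: a CSV row of many space-separated numbers could be merged into one
# candidate; the Luhn check then rejects it, which is the safe direction.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN in the form NNN-NN-NNNN, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {'card': [...], 'ssn': [...]} for everything found in text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cards.append(digits)
    return {"card": cards, "ssn": SSN_RE.findall(text)}


def scan_documents(docs: dict) -> dict:
    """Scan a mapping of document name -> text; keep only documents with findings."""
    report = {}
    for name, text in docs.items():
        found = find_sensitive(text)
        if found["card"] or found["ssn"]:
            report[name] = found
    return report


# Constructed sample repository: an e-mail, a file-share CSV and a wiki note.
SAMPLE_DOCS = {
    "mail/billing-2014-01.txt": "Patient paid with card 4111 1111 1111 1111, SSN 123-45-6789.",
    "share/inventory.csv": "part,qty\n1234567890123,40\n",   # 13 digits, fails Luhn
    "wiki/meeting-notes.txt": "Ticket 000-12-3456 is not an SSN; nothing sensitive here.",
}

if __name__ == "__main__":
    for name, found in scan_documents(SAMPLE_DOCS).items():
        print(name, found)
```

In a real deployment the findings would feed the "eliminate unnecessary copies" and "review and audit" action points above, not be printed.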

Fast Response is Enabled by a High-Level View

The Verizon survey found the majority of breaches in large businesses were detected by someone outside the company. The proposed EU General Data Protection Regulation (GDPR), if adopted in 2014, would give businesses in Europe only a single day after a data breach to figure out what went wrong, who could be hurt by it, and how to prevent it from happening again. This stands in stark contrast to current practices, which often involve months-long investigations before admitting fault.

I would argue that your incident response plan is the most important element of your defence. Clearly a practical way to minimise the business impact of a breach is to detect and contain the incident as soon as possible. Yet in this area there is considerable room for improvement.

An attacker will rarely leave an obvious trail to follow. Following a system compromise, investigators need a broad window into the organisation’s data, following a trail through potential evidence sources including email, documents, mobile phone images, server logs and cloud-based data. Techniques such as searching, date filtering, entity extraction and clustering similar documents can help investigators quickly identify the relevant compromised data.

After the Breach

Post-event autopsies are difficult because companies don’t know where their data is, and because hackers or rogue employees will cover their trail through a wide variety of data formats, repositories and devices. Most tools simply can’t handle such large volumes of data and provide a big-picture overview.

Data quantities and sources are growing so rapidly that traditional data forensic tools and methodologies simply can’t keep up. Security professionals must evolve and consider new techniques to effectively manage the data. The only effective solution is a toolset that can take vast data sets and quickly reduce them to a small, more relevant set of evidence by casting a wide net and culling with powerful and repeatable search technology backed by a full audit trail.

This crucial ability allows you to effectively respond to any incidents. It provides a robust first response for your security team, who can then focus their tools and analysis efforts on the most likely sources.


Article source: http://www.cso.com.au/article/565153/defending-your-castle-from-inside-data-breaches-how-minimise-their-impact/


Data breach loss capped at $500,000


A St. Louis-based supermarket chain has a $500,000 cap on how much it must pay for a data breach it suffered in 2012 and 2013, says a federal court in a case filed by the retailer against its payments processor and merchant bank.

Schnuck Markets Inc. had suffered a data breach between December 2012 and March 2013. The supermarket chain filed suit against Atlanta-based First Data Merchant Data Services Corp. and the associated Jacksonville, Florida-based Citicorp Payment Services Inc., claiming they were withholding more transaction money than their merchant payment processing agreement permits in order to reimburse banks that issued payment cards affected by the attack, according to the Jan. 15 ruling by the U.S. District Court in St. Louis in Schnuck Markets Inc. v. First Data Merchant Data Services Corp. and Citicorp Payment Services Inc.

At issue in the litigation is the master services agreement between Schnucks and First Data, under which First Data agreed to provide credit and debit card processing services for the supermarket chain.

That agreement states Schnucks must indemnify the defendants for “all losses, liabilities, damages and expenses” under certain circumstances, “but limits Schnucks’ liability to $500,000.” An exception to that limit is “chargebacks, servicers’ fees, third party fees and fees, fines or penalties” assessed by payment card networks.

The two sides disagree on whether this exception applies to this case. In his ruling, U.S. District Judge John A Ross agrees with Schnucks that the exception does not apply and that Schnucks’ liability is limited to $500,000.

“After careful review of the parties’ agreement as a whole, and following the well-established principles of contract interpretation, the Court finds the exception for ‘third party fees’ and ‘fees, fines and penalties’ was not intended to apply to liability for issuer losses assessed” by the payment card networks, Judge Ross said in the ruling.

Among several reasons for this is that while “the exception lists specific fees, fines and penalties that are excluded from the limitation of liability clause,” it “does not list anything equivalent to issuer losses,” Judge Ross said in ruling in Schnucks’ favor.

The ruling states the defendants must return to Schnucks any funds held in excess of $500,000, plus the Visa fine and MasterCard case management fee. The amount involved is not specified in the ruling.

Source: businessinsurance.com

Publication date: 1/29/2015

Article source: http://www.freshplaza.com/article/134522/Data-breach-loss-capped-at-500,000


AG offers tips in light of data breaches

Indiana Attorney General Greg Zoeller (WISH Photo)

INDIANAPOLIS, Ind. (WISH) – French Lick Resort is just the latest in a long list of data breaches around Indy in 2014.

The Indiana Attorney General’s Office provided statistics that show 395 separate data breaches and that they have received more than 1,300 complaints of identity theft.

The AG’s office has also recommended the 2015 legislature pass a bill that would tighten Indiana laws governing data collection. It is a first step in putting more responsibility on companies to clean up data periodically, the hope being that if they are compromised at some point, the breach won’t be as large as it otherwise could be.

“The key to identity theft is to take more control of your credit” explains Attorney General Greg Zoeller. “So these credit freezes that our office provides are easy ways to keep people from accessing your credit reports and opening up new lines of credit.”

Credit freezes, or security freezes, are a consumer right provided by state law. A freeze would keep new creditors from accessing your report without your permission. Even if a thief had your social security number, they couldn’t take out credit in your name. According to the AG’s website, you can also lift the freeze for a certain period of time or for a certain party, and it won’t lower your credit score.

Zoeller also advises people who could be vulnerable to keep a close eye on their accounts.

“Use of a credit card is an insured transaction,” he says. “So if there are problems with it, it’s the credit card company that pays.”

Zoeller says there are some people who are charging less and avoiding places where breaches have happened. He says avoiding places like French Lick Resort isn’t the solution.

“This is going to happen, and people need to recognize, protect yourself on the front end, and then also if you are a victim of identity theft there are ways we can help you,” said Zoeller.

The Attorney General’s Identity Theft Unit was created in 2008 for exactly that reason. Experts within the office can walk victims through the process.

“You can go to court and be adjudicated as a victim of identity theft. That helps clean up what has been a really hard process to keep creditors and debt companies from calling you,” said Zoeller.

According to the AG’s statistics from 2014, over $679,000 was returned to Hoosiers who were the victims of identity theft or data breaches.

Article source: http://wlfi.com/2015/01/29/ag-offers-tips-in-light-of-data-breaches/
