Archive for February, 2015
For sale: Hell.
A small town in Michigan that bears the name is on the market to the highest bidder, as unofficial Mayor of Hell John Colone put his holdings up for sale for the low price of $999,666, The Huffington Post reports.
While living in Michigan, I of course visited Hell, and I can tell you: There’s not much there. But, if you have a million bucks lying around and love the idea of owning Hell’s souvenir shop, ice cream store, weather station, post office, and other holdings, then hey, go for it.
You may have some competition from DAMNED, though, a Detroit-based artist group that launched a Kickstarter campaign to raise enough money to buy Hell. DAMNED wants to build a performing arts center, and if you contribute, the group is offering such perks as your own, personalized parking space in Hell. Sold!
A Malden woman is seeking class-action status for a federal lawsuit she filed against Anthem Inc., claiming the insurance giant was negligent in failing to protect the personal information of its subscribers before a data breach disclosed this month.
“Anthem failed to take adequate and reasonable measures to ensure its data systems were protected, failed to take available steps to prevent and stop the breach from ever happening,” according to the complaint filed by Lisa Diane Daniels in federal court in Boston this week. The breach, which Anthem disclosed Feb. 4, affected 80 million subscribers nationwide including nearly 1 million in Massachusetts. The company said hackers obtained names, birth dates, addresses, Social Security numbers, health care ID numbers and employment information.
“When you are dealing with people’s sensitive information at any level, it’s important to prevent a breach,” said Justin Browne, one of Daniels’ attorneys, “but when we’re talking about a health-related information it’s particularly sensitive.”
Still, attorneys not involved in the case are split on whether the suit will be successful.
“Courts have generally been receptive to the claims that a company has not taken the necessary steps to protect the data that they’re maintaining for their customers and their employees,” said attorney Peter Rukin.
But attorney Lisa Soto said a negligence claim may be tough to prove.
“Chances are high that it’s going to be very difficult to show a nexus between any damage anyone suffered and this event,” Soto said.
Anthem did not respond to multiple requests for comment.
An Uber database containing the names and driver’s license numbers of 50,000 current and former drivers was accessed by an outside party in 2014, the company announced today. Uber discovered the breach on September 17, 2014, and an investigation revealed one instance of unauthorized access on May 13, 2014. This means the information has been in the wild for nearly a year, though Uber drivers haven’t reported anything fishy and the database is now secure, the company said.
Uber began notifying affected drivers of the breach today and is offering a free year membership with an identity protection company. Of the 50,000 compromised names, 21,000 were based in California, prompting Uber to also notify the California attorney general, the LA Times says. Additionally, the company has filed a “John Doe” lawsuit in an effort to gather more information about the third party.
“Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause,” Uber said.
The data breach comes one month after Uber’s security protocols received a clean bill of health as part of an external privacy audit, though that was spurred by high-profile missteps with information about Uber’s passengers, not its drivers. In that report, the investigating agency recommended Uber start training its workforce in security issues and it further restrict access to data among employees.
“At Uber, protecting the personal information of riders is a core responsibility and company value,” CEO Travis Kalanick said at the time. “Delivering on that value means that privacy is woven into every facet of our business, from the design of new products to how we interact with riders, drivers and the public at large.”
Uber suffered a data breach in 2014 that affected 50,000 Uber drivers across the U.S., the ride-sharing startup disclosed in a statement on Friday.
The company determined on September 17, 2014 that a third party could have accessed one of its databases. After Uber “changed the access protocols for the database” and looked into the situation, it learned through an investigation that someone apparently accessed one of its databases on May 13, 2014, wrote Katherine M Tassi, Uber’s managing counsel, privacy.
Supposedly, the information that may have been compromised included driver names and their driver license numbers, but the startup said that it is not aware of any “reports of actual misuse” of that data. The company said it will be contacting the drivers, issuing them memberships in identity-alert services and filing a lawsuit to obtain more information to learn who was the third party that accessed the database.
While this data breach is small compared to the mega breaches that affected JPMorgan Chase, Sony Pictures Entertainment and Anthem in recent months, it’s notable because it seems to be the first publicly known data breach affecting a ride-sharing service.
The data breach also highlights the importance of setting up proper identity management and access controls for a company’s infrastructure, something on which many security startups are concentrating their efforts. At this time, it’s unclear how an unauthorized party was able to access an internal database. However, it’s obvious that Uber will have to ensure better access-management policies for all points in its infrastructure if it wants to make its system less vulnerable to breaches.
The breach comes at a time when President Obama has recently proposed a federal law that would require companies to notify their customers within 30 days of the discovery of a hack. Uber’s announcement of the data breach appears to have come well outside the 30-day mark, and as far as we know, the breach appears to have affected only its own employees.
A class action lawsuit filed Feb. 26 claims prescription benefit company Benecard Services Inc., which has an office in Mechanicsburg, failed to notify former employees and customers of a recent data breach.
The suit, filed in U.S. Middle District Court by Harrisburg attorney Benjamin Andreozzi, is on behalf of five former employees from Pennsylvania, along with others affected.
Andreozzi said several employees and former employees had their tax returns rejected by the IRS, and were told someone had already filed in their name.
The suit claims the company learned of the breach around Feb. 13, and that current employees were notified Feb. 20 that some employees’ information may have been compromised, and that some had run into problems filing tax returns. That and a second email notification sent Feb. 25 did not include former employees and customers, said the suit. Damages in excess of $5 million are sought.
Benecard has not said how many people are affected by the breach. The company employs 350 in Pennsylvania, New Jersey and Florida.
In an emailed statement Feb. 27, Benecard said, “Upon learning of the breach last week, Benecard notified law enforcement authorities, which are continuing their investigation, current and former employees and retained a highly regarded incident response firm to assist further with the investigation.”
“While we do not yet know the source of the data breach, it appears to involve solely our payroll records. We are working with law enforcement authorities to get answers,” said the company’s statement.
The company did not offer a response to the lawsuit Feb. 28.
The company said it is providing current and former employees with AllClear ID protection for two years.
Benecard offers this advice to those impacted by fraudulent tax filing:
- File a report with your local police department.
- Contact the IRS.
- Contact the Federal Trade Commission to complete an affidavit.
This is the second data breach affecting the midstate in recent weeks. A breach at health insurer Anthem Inc. could affect more than 750,000 Pennsylvania residents, Highmark said this week. Anthem has said about 80 million nationwide could be affected.
The two breaches are unrelated, said the state attorney general’s office.
TalkTalk has admitted to a major breach of sensitive user information, which may have led to some customers handing over bank data to hackers.
In an email to subscribers, the company said it first saw a big increase in malicious scammers claiming to be from TalkTalk at the end of last year.
The budget telco said that – following an investigation – some of its subscriber information, such as names, addresses, phone and account numbers, could have been illegally accessed, with scammers quoting these details to customers.
Consequently, a small number may have revealed more in-depth information, such as bank details. In some of these cases we know they may be using the information they have illegally obtained, the telecoms and services provider said.
At TalkTalk we take our customers’ security very seriously and we take numerous measures to help keep our customers safe. Yet sadly in every sector, criminal organisations using phone and email scams are on the rise.
As part of our ongoing approach to security we continually test our systems and processes … following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures.
We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.
We want to reassure customers that no sensitive information, such as bank account details, has been illegally accessed, and TalkTalk Business customers are not affected.
The company said it was liaising with UK data watchdog the Information Commissioner’s Office and was writing to all of its customers to offer advice about the criminal activity.
An ICO spokesperson said: “We are aware of a possible data breach involving TalkTalk and are making enquiries into the circumstances.”
Protecting mobile certificates
On Friday, February 27th, the popular car service Uber made it known that it had suffered a data breach on May 13th, 2014. The breach itself wasn’t discovered until September 17, 2014, and the notification only went out just a few hours ago. I’m fairly certain that it is Friday (or at least it was when I started writing this), roughly six months after the breach was discovered.
The size of this breach is significant in that it affects roughly 50,000 drivers across the United States, which, according to Uber’s Managing Counsel, is only a small percentage of the Uber driver base. In a blog post on Uber’s website, the company states that the data which was accessed by an unknown third party contained only names and driver’s license numbers.
From the notification that was sent to affected Uber drivers:
We discovered in September that information allowing someone to access the database had been available without intended access restrictions. We immediately ensured that the database was no longer accessible using that information and have taken additional safety measures to protect your information.
My first question, as you might well imagine, is how it took the company five months to notice the intrusion in the first place. It strikes me that they were not doing proper monitoring and alerting in this case. A hard lesson to learn. They also give no indication as to how they discovered the breach. If the credentials were readily available, as the letter to drivers indicates, it is entirely possible that a Good Samaritan dropped them a note.
The company is rolling out the standard one year of credit monitoring for the drivers that were affected by this data breach.
The blog post also indicated that the company has filed what is called a “John Doe” lawsuit in the hopes of collecting the necessary information to have charges pressed in the event that the attacker is identified. I’d hazard that this is an unlikely scenario.
Uber has been no stranger to data privacy issues. Case in point was the ‘God View’ story that broke which showed that the company had the ability to track riders at will. Hopefully for the sake of their drivers and customers these data privacy issues will become less common going forward.
Uber announced Friday that it suffered a breach to an internal database in 2014 that exposed data on about 50,000 drivers. In a blog post, the car service company said the unauthorized access occurred on May 13, but was not discovered until Sept. 17. A subsequent investigation showed that the breach exposed the names and driver’s license numbers of some 50,000 drivers, which Uber described as “a small percentage of current and former Uber driver partners.” No customer data, usernames or passwords were accessed. When contacted by NBC News, Uber declined to comment on why the breach was only disclosed Friday, or whether drivers were notified earlier.
The company is providing a year of identity theft protection to those affected. To date, there have been no reports of fraudulent use of the data, Uber said. The company has also filed a “John Doe” lawsuit, which will allow it to investigate further and collect evidence on the as-yet-unknown perpetrator.
Uber has been the target of criticism over what some critics see as a cavalier attitude toward security and privacy — its infamous “God View” tool allowed employees to view customers’ personal data, and a number of smaller incidents have exposed internal documents and tools. The company pledged in January to improve in this area after commissioning an audit of its privacy and data security practices.
Global ride-sharing startup Uber says a data breach last year may have allowed a hacker to gain access to the licence numbers of some 50,000 of its drivers.
Uber said in a statement it identified “a one-time access of an Uber database by an unauthorised third party” in September 2014.
“Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorised access,” the statement from data privacy manager Katherine Tassi said.
“We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.”
Uber said it also filed a lawsuit to be able to gather information to help identify and prosecute the hacker.
The investigation found the breach affected “approximately 50,000 drivers across multiple (US) states, which is a small percentage of current and former Uber driver partners”, the statement said.
The Los Angeles Times reported that some 20,000 of the Uber drivers affected were in California.
Uber said it was offering free credit monitoring to them to guard against the licence information being used for identity theft.
Identity theft is the largest single element in US consumer fraud complaints, according to a Federal Trade Commission report Friday which cited 332,000 cases in 2014.
Uber joins the ranks of other companies hit by data breaches, including retailers Target and Home Depot and banking giant JPMorgan Chase, each of which saw millions of customers affected.
As I spoke on ID theft and data breaches at the National Small Business Association Phoenix conference last week and talked with business owners one-on-one, it was all too clear that most small businesses do not know or understand their obligations to notify customers or employees if an information breach occurs.
They most certainly didn’t realize there are a dizzying 47 different data-breach notification laws currently in place.
Though small businesses are a sweet spot for ID-theft criminals, most small businesses do not have an information security and governance plan or a data-breach response plan in place.
While the White House is leading the charge in support of the “Personal Data Notification Protection Act,” which will create federal standards for a national breach notification law, small businesses still need to be better prepared today. The current 47 states’ requirements regarding safeguarding customer and employee information also outline the notifications required in the event a breach occurs.
A new study released by Software Advice, a technology research and advisory company, found that small- to medium-sized businesses do not have a very good understanding of the current security breach notification laws.
Here are the key findings of the study:
— Only 33 percent of SMB decision-makers surveyed are “very confident” they understand their state’s data breach notification laws.
— Less than half of survey respondents (49 percent) say their company already has a breach response plan in place.
— The vast majority of decision-makers in the survey sample (82 percent) say that their business encrypts customers’ personal information.
“Small employers comprise 99.7 percent of all employer firms in the U.S. One in two workers in the private workforce run or work for a small business, and one in four individuals in the total U.S. population is part of the small-business community,” according to the NSBA 2013 Year-End Economic Report.
The NSBA report also shows a disturbing trend: Half of all small businesses today report they have been the victim of a cyberattack, up from 44 percent two years ago. “Among those who were targeted, 68 percent report being a cyber-victim more than just once,” the report said.
The NSBA report also shows the onerous cost of a breach on small business. “In 2013, cyberattacks cost small businesses on average $8,699 per attack. Today, that number skyrocketed to $20,752 per attack. For those firms whose business banking accounts were hacked, the average losses were $19,948 today – up significantly from $6,927 in 2013,” the report said.
So what can you do?
Whether your small business has one employee or 100 employees, create an information governance plan. Set up an information governance policy by recognizing the type of employee and customer data that you are collecting, storing and transferring.
Implement annual information security training for all employees and constantly assess and test your organization’s needs and requirements. Like a secret shopper, consider conducting a simulated cyberattack, as these can be very revealing as to gaps in your policies and procedures.
Finally, you should implement baseline safeguards and controls such as annual pre-employment screening, as the insider threat, including current and former employees, is a common theme of data-breach events affecting both small and large businesses.
Mark’s Most Important: Small business owners take note that it will be no small problem if your data is breached and you’re unprepared.
Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at [email protected]