Archive for September, 2015
A number of U.S. intelligence assets are to return home after a cyber attack in which hackers gained access to information on millions of federal employees.
According to U.S. officials the data breach involved the personal data on 21.5 million government workers, and spies will be withdrawn from China due to a potential risk to their safety, writes Evan Perez for CNN.
U.S. suspects China was behind OPM hack
Although the U.S. has not formally implicated China in the attack, it is thought that hackers working for Beijing were behind the attack on the U.S. Office of Personnel Management. The fingerprints of 5.6 million government employees were compromised, along with other pieces of sensitive personal data.
The records of State Department employees were included on the database, and as a result the hackers could determine which embassy personnel were in fact intelligence assets. Agents of the Central Intelligence Agency, National Security Agency and Defense Intelligence Agency currently working in China are at risk of having their cover blown.
Consequently the CIA has removed a number of officers from the U.S. Embassy in Beijing, according to a report in The Washington Post. The hack is expected to have a wide-ranging effect on U.S. national security.
Potential long-term effects of information breach
One further reason that U.S. officials are concerned is the fact that information from forms used for security clearances, known as SF86 questionnaires, was also compromised. The forms contain data on current, former and prospective federal employees, their families and associates.
There is a concern that China may try to identify future U.S. intelligence assets using the data stolen from OPM. Chinese officials are known to investigate visa applications from people connected with the U.S. using travel patterns and other information.
Due to advancements in biometric technology, it has been getting harder for the CIA to plant operatives in foreign countries pretending to be someone else. To make up for this loss the CIA is working on improving its technological spying capabilities.
Obama administration criticized for reaction to hack
Figures from the Republican party have criticized the Obama administration over its handling of the hack. This Tuesday Republican senators questioned Director of National Intelligence James Clapper about why the Obama administration has not reacted more decisively.
“This is a pretty significant issue that is going to impact millions of Americans,” said Sen. Kelly Ayotte (R-N.H.). “But it seems to me they are not seeing a response right now from us, and therefore we’re going to continue to see bad behavior from the Chinese.”
Clapper admitted that the U.S. response was restricted by the fact that its intelligence agencies also use similar spying tactics. “We’re not bad at it,” he said.
He then reminded senators of an old saying. “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks,” said Clapper.
Cyber espionage a huge point of contention between U.S. and China
Despite suspicions that it maintains and uses powerful teams of hackers, Beijing has long denied that it engages in any hacking. Chinese officials consistently deny their involvement and sometimes claim to be a victim of hacking.
Hong Lei, a spokesman for the Chinese Ministry of Foreign Affairs, underlined that official position this Wednesday. “The Chinese government firmly opposes any forms of hacking,” he said.
Lei also mentioned the recent agreement between the U.S. and China related to cyber theft. A few days ago both nations agreed not to steal trade secrets or intellectual property for commercial gain, hopefully reducing the amount of U.S. companies which lose sensitive data to hackers.
Cyber crime was a huge part of talks between U.S. President Barack Obama and Chinese President Xi Jinping during the latter’s state visit to the United States last week. After warnings from Obama that China had overstepped the line when it came to cyber espionage and the theft of trade secrets, there were signs of apparent progress on the issue.
Both leaders announced that they had reached a “common understanding” and would work on a set of international rules for cyberspace. It would seem wise for the U.S. to strengthen its own defenses rather than trust China, given the amount of information lost in recent years.
Even if China scales back its cyber espionage program, U.S. public and private sector information needs to be better protected in case of attempted hacks from other countries. Russia has a strong cyber espionage program, and North Korea has threatened cyber war on more than one occasion.
China may be the main suspect in the biggest hacks, but U.S. cyber defense needs to be improved across the board.
Fos has claimed that more data protection breaches are coming across its radar, where providers have disclosed personal and sensitive financial information.
According to Fos, one complaint involved a mortgage lender providing personal financial information about its client, Mr H, to his partner – who promptly left him when she found out he had debt problems.
The case study said that Mr H lived with his partner, Miss A, and their children. The mortgage on their house was in Mr H’s name. He had been having problems keeping up with his repayments for some time, but had not told Miss A.
The study said: “Worried that their home would be repossessed, Mr H asked Miss A if she could make a repayment. Mr H called the mortgage company to make the payment, and Miss A gave her payment details over the phone. During the call, the mortgage company told Miss A the account was significantly in arrears and by how much.
“A few days later Miss A left Mr H and moved away with their children. Mr H complained to the mortgage company, saying they should not have given Miss A details about the mortgage and the arrears.”
The mortgage company apologised for giving out the information – but Mr H then contacted Fos, saying he did not feel the mortgage company appreciated the consequences of their mistake.
Although Fos did not agree that the data breach had been a direct reason for the relationship ending, it did acknowledge the mortgage company had made a “serious error”.
The case study said: “We pointed out to the mortgage company that they had made a serious error in disclosing sensitive information to a third party. Whether or not this was responsible for his relationship breaking down, it had caused him a considerable amount of stress and embarrassment.
“When we explained the impact this had on Mr H, the mortgage company offered to pay him £450 to recognise the upset they caused.” Mr H accepted the ombudsman’s findings.
In the latest edition of the Ombudsman News, Fos chief ombudsman Caroline Wayman said: “Because of the personal nature of the information involved, people often feel very strongly that we should punish businesses that have acted wrongly. We are careful to explain that it is not our job to fine a business.
“Our job is to help a business make up for both the financial and non-financial consequences of any error, including any upset someone’s experienced as a result. While the Information Commissioner’s Office is responsible for fining organisations that breach data protection law, it cannot compensate their individual customers.”
An undisclosed number of CIA officers have been pulled from China in the wake of massive cybertheft earlier this year that exposed the personal data of more than 21 million U.S. government workers, The Washington Post reported, citing current and former U.S. officials.
As a precautionary measure, the Central Intelligence Agency removed the agents from the U.S. embassy in Beijing, said the officials, who spoke with the Post on condition of anonymity.
The CIA declined to comment.
The move comes after the announcement earlier this year of two massive data breaches at the U.S. Office of Personnel Management that exposed personnel records of 21.5 million current and former U.S. federal employees.
OPM said the information included security-clearance background checks as well as 5.6 million fingerprint records.
U.S. officials suspect the data was stolen in an attempt to identify U.S. spies, who could then be recruited or coerced into providing sensitive information.
The newspaper quoted Director of National Intelligence James Clapper saying the OPM breach posed significant risks to U.S. intelligence-gathering.
Clapper said that the intelligence agencies do not know specifically whose records were taken, but the scale of the compromise “has very serious implications … from the standpoint of the intelligence community and the potential for identifying people” who may be undercover.
U.S. officials have linked the OPM breach to China, but have not said publicly whether they believe its government was responsible.
China Ministry of Foreign Affairs spokesman Hong Lei often has denied that Beijing is involved in hacking and said the country itself is often the victim of such attacks.
“The Chinese government firmly opposes any forms of hacking,” Hong told news channel CNN Wednesday.
The newspaper report appeared shortly after Clapper and other senior intelligence and defense officials testified Tuesday before the Senate Armed Services Committee.
The Post said the officials were being asked to explain to frustrated lawmakers the U.S. policy on deterring foreign governments, such as China, from carrying out cyberattacks.
Clapper was trying to make the distinction between the OPM hacks and cybertheft of U.S. companies’ secrets to benefit another country’s industry, the Post reported.
He said that what happened in OPM case, “as egregious as it was,” was not an attack. “Rather, it would be a form of theft or espionage.”
“We, too, practice cyber-espionage and in a public forum, I’m not going to say how successful we are, but we’re not bad,” Clapper said. “I think it’s a good idea to at least think about the old saw about people in glass houses should not throw rocks.”
Clapper’s comment drew a sharp response from Committee Chairman John McCain: “So it’s okay for them to steal our secrets that are most important because we live in a glass house? That is astounding.”
Recent cyber agreement
The testimony came as part of a broader hearing, with the defense and intelligence officials being questioned about a recent U.S.-China cyber agreement meant to slow a growing torrent of cyberattacks on U.S. computer networks.
McCain asked Clapper if he was optimistic that the agreement would result in the elimination of such attacks from China.
Clapper replied: “No.”
The agreement was not supposed to eliminate all cyberattacks, only state-sponsored ones that target businesses.
Some material for this report came from Reuters and AP.
Lovely to see how the latest data-privacy breach moved from a dramatic crisis to light entertainment in the space of a week.
The news that the Education Ministry had misplaced a data drive packed with sensitive information about school kids was treated like an Amber Alert when the government ’fessed up to its disappearance last week. There was a serious press conference with sobering details about how hard everyone looked for the thing. Reassurances were issued about how seriously the government takes protection of privacy. Important officials announced major expensive investigations. It was a bit like when Amelia Earhart’s plane went missing.
The impression left was that hell will most certainly be paid.
As all the belated barn-door-locking got underway, the legislature resumed sitting. The passage of a week, and the absence so far of any victims, seems to have encouraged everyone to relax a bit. Because in a half-hour of debate about the scandal, MLAs milked it for more laughs than a night at Yuk Yuks.
Education Minister Mike Bernier opened with a sincere apology for the mistake. When NDP Leader John Horgan noted it was the first time the Liberal benches didn’t routinely applaud a cabinet minister, the Liberals obliged with sustained applause.
“Thank you for your participation,” Speaker Linda Reid noted sarcastically.
The NDP continued by reciting all the solemn promises over the years from government about how “highly protected” student data are. It’s a “top priority” and everyone is committed to safeguarding it. NDP MLA Doug Routley quoted a minister responsible to that effect and said all of the past six ministers responsible for data security have said the same thing.
Bernier popped up again, and got another big round of applause to make up for the missing one. Big laugh. (You had to be there.)
There was a terrifying moment when Bernier defended the collection of the data by saying the School Act requires student records be kept for 55 years. You could see MLAs pausing briefly to calculate the chances of their grades coming back to haunt them. (Pre-emptive disclosure: I got the strap twice in elementary school. There. Data leaks be damned. I’ve cleared the air.)
NDP MLA Rob Fleming took a turn ridiculing the help-line number to which the government is referring anyone who has concerns. “I’m sorry. Telling people to call 1-800-FIND-MY-DATA is not good enough.”
He made up the phone number for laughs, but it turns out it’s an aluminum company in New Jersey. So he’s right, it’s not good enough.
By that point, Bernier had settled into his stride. “Government takes the collection and protection of people’s information and their privacy very seriously.”
He had so little to go on by this point, he actually said: “Our ministry is co-operating fully with the investigation.” He sounded like the president of Volkswagen.
Next up was Advanced Education Minister Andrew Wilkinson.
“How does he expect students and parents to ever trust him?” asked NDP MLA Carole James.
Well, because there are 430,000 students in 25 institutions, and their information is transmitted seamlessly through a fine system and travels smoothly between the schools and helps students “who want to build the economy and lead a life of autonomy and prosperity.”
“Wow,” said James.
Wilkinson also disputed the day’s central premise — that the information is “lost.”
The missing drive is a duplicate, so the actual information is still on hand. “The information has not been lost. The drive has been misplaced. It may be found,” said Wilkinson.
That required a brief time-out for the house to regain its composure.
Debate morphed to the $100-million new MyEducation BC computer system that replaced the last $100-million system. It had glitches on the first week of school and has bogged down.
The official word is that it’s “lethargic.” Like Hal was, in 2001: A Space Odyssey.
The estimate is that it takes 15 minutes to search a file in the new system.
“It takes less time to communicate with Mars,” said NDP MLA Selina Robinson.
If only all the audit and investigation reports piling up on data and computer botches were as funny.
© Copyright Times Colonist
BEIJING, Sept. 30 (UPI) — The Central Intelligence Agency pulled out multiple officers from the U.S. embassy in Beijing as a precaution after the massive Office of Personnel Management data breach.
The theft of OPM documents has been characterized as political espionage in attempts to identify spies, and people who might be recruited as spies or be coerced through blackmailing to provide information. China has consistently been accused of carrying out the hack since it was revealed earlier in the year.
The CIA’s move was meant to protect officers whose affiliation to the agency may have been discovered as a result of the OPM data breach, The Washington Post reported. The OPM records contained background checks of Department of State employees and China could compare records with the list of embassy personnel, meaning anyone on that list could be a CIA officer.
The OPM recently announced it underestimated the number of victims whose fingerprints were stolen in this year’s data breach by 4.5 million people.
The original estimate of people whose fingerprints were stolen has been increased to 5.6 million, up from 1.1 million, after OPM discovered archived records that were not previously analyzed.
About 21.5 million former, current and prospective federal employees and contractors were affected by the OPM data breach in the spring. The new estimates do not affect the overall number.
On a state visit to the United States, Chinese President Xi Jinping said his country is willing to cooperate with the United States on the controversial act of cybercrime, while denying China has ever participated in hacking.
- China pledges 8,000 troops for U.N. peacekeeping missions
- China possibly building its own aircraft carrier
- Hillary Clinton: Xi Jinping ‘shameless’ for hosting women’s rights summit
Sign Up For Our Free Newsletter
Articles to help you save money and build wealth, delivered daily.
Sign up now and receive a free PDF with 205 ways to save!
Posted: Tuesday, September 29, 2015 5:10 pm
Updated: 5:14 pm, Tue Sep 29, 2015.
A class action lawsuit filed against the former parent company of Flowers Hospital over the alleged theft of private patient information has survived a motion to dismiss.
On Tuesday, U.S. District Judge William Keith Watkins adopted the recommendation of a magistrate judge and carried the vast majority of the claims in the case to the suit’s discovery stage.
The suit lists five named defendants whose private patient information appears to have been stolen by a hospital employee some time between June 2013 and February 2014. The suit alleges violations of the Federal Credit Reporting Act and state law violations including negligence and breach of contract. An invasion of privacy claim brought by the plaintiffs was dismissed, but all other claims survive.
In addition to the five named plaintiffs, the suit also lists as defendants “others similarly situated” whose private patient information was stolen during the time period. The suit alleges the size of the class could be thousands.
A former hospital employee, Kamarian Deshaun Millender, pleaded guilty to one count of felony identity theft in federal court in 2014 and a similar state charge in local court in March of this year. He was sentenced to two years in prison for the federal charge.
The civil suit is filed against Triad of Alabama, the former Flowers Hospital parent company. The suit claims Triad failed to properly safeguard the patient information.
The suit claims that some of the plaintiffs had their social security numbers stolen and that fraudulent tax returns were filed in their names. The suit also claims that because their personal information is now out in the open, they have incurred out-of-pocket expenses to try to mitigate the increased risk of further identity theft. They also claim emotional stress and anxiety.
In its motion to dismiss, Triad claimed that the plaintiffs’ contention that future injuries may arise is not legally sufficient to justify the claim. Triad also argued that while fraudulent tax returns may have been filed in the names of some of the plaintiffs, they failed to show any actual monetary losses.
Triad offered the plaintiffs one year’s worth of credit monitoring as a preventive measure.
The judge, however, ruled in favor of the plaintiffs at this stage.
“Though they were given careful consideration, defendant’s arguments are ultimately unpersuasive,” U.S. Magistrate Judge Paul Greene wrote in his recommendation. It was adopted by U.S. District Judge William Keith Watkins.
Flowers Hospital is no longer owned by Triad. It is now owned by Community Health Systems.
Tuesday, September 29, 2015 5:10 pm.
Updated: 5:14 pm.
16,000 people are being notified of a major risk to their private health information following an email attack on a health services company. I’m talking birth dates, Social Security numbers, insurance info, diagnoses, addresses and more.
The Oakland Family Services, a nonprofit human and health services organization out of Pontiac, Michigan, is the company under fire and its patients are starting to receive the dreaded hacking warning.
On July 14, a hacker broke into an employee’s email account and roamed around in the system for over 23 minutes.
In that time, the unidentified intruder sent phishing emails to a number of the employee’s contacts. They also had access to incredibly private information such as names, client ID numbers, services dates, types of service provided, birth dates, telephone numbers, addresses, diagnoses, health plan ID numbers, insurance numbers and Social Security numbers.
The Oakland Family Services staff recognized the hacker after 15 minutes and worked diligently to cut him or her (or them) from the account.
After the debacle, David Partlo, director of IT at Oakland Family Services, released this statement:
“We took action within 15 minutes of the intruder gaining access to block him or her from the affected email account and based on this incident, even stronger email protocol has been implemented. We feel reassured by the fact it doesn’t appear the person gained access in search of PHI (protected healthcare information), but simply to perpetuate the phishing scheme, based on the amount of time the hacker spent in the account and the actions we know he or she took.”
We’ll keep you updated on this situation as it develops, so make sure you stay tuned to what’s Happening Now for the latest details.
By Dave Lewis
Hilton (HLT) is investigating a possible data breach that could have resulted in stolen credit card information.
Investigations have the alleged Hilton data breach taking place between April 21 and July 27. The hack is believed to be limited to credit cards and several Hilton locations, such as Doubletree, Hampton Inn and Embassy Suites, have been affected, reports USA Today.
Hilton is still investigating the data breach and it may affect credit cards used at its locations as far back as November 2014. Credit card holders that ate at a restaurant inside Hilton locations or bought items from the gift shop are advised to check their accounts for possible fraudulent charges, USA Today notes.
According to KrebsonSecurity, five different banks have pinned fraudulent transactions made on its customers accounts to Hilton locations. Travelers that stayed at a Hilton location and only used their credit cards to reserve rooms likely aren’t affected by the data breach.