Archive for December, 2015

Neiman Marcus requests dismissal of data breach case (again)

JD Supra provides users with access to its legal industry publishing services (the “Service”) through its website (the “Website”) as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement (“Policy”). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users’ names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user’s experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the “opt-out of future email” option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

Article source: http://www.jdsupra.com/legalnews/neiman-marcus-requests-dismissal-of-59263/

,

No Comments

Hyatt Hotels warns of possible data breach

Bill Cosby Charged with Felony Sex Crime, Mugshot Released View Count: 41

Author: Sadie Robertson

Article source: http://waltonian.com/2015/12/hyatt-hotels-warns-of-possible-data-breach/

,

No Comments

Another Big Data Breach Releases Personally Identifiable Voter Information

A little over a month after it became known that the social security numbers, drivers license numbers and dates of birth of more than six million Georgia registered voters were sent to news organizations and political parties in what is known as the Peach Breach, a much bigger database of voter information was discovered in the wild. Databreaches.net reported that a database with 191 million records containing voter information was available publicly on the internet. After this report, public access to the database was removed.

While the information in the database didn’t include social security or drivers license numbers like the Peach Breach did, it did include dates of birth, phone numbers, email addresses and possibly more. Is this significant? Or as was pointed out in a tweet, is it no more than someone accidentally leaking Facebook?

A story in this morning’s New York Times tries to answer that question. In addition to talking about how voter information is aggregated and used by political campaigns, it talks about how the information can be used for less noble purposes:

Big data advocates argue that what is in most voter files is nothing more than the White Pages of a phone book augmented with party affiliation and voting history (not which candidate people voted for, but whether they voted.) But for privacy experts, that alone, especially when compiled in one place, is cause for concern.

“Simply by digitizing the data, collecting it in one place, making it freely available in one place — it’s a Christmas gift for thieves,” said Neal O’Farrell, the executive director of the Identity Theft Council. “I interviewed an identity thief, and he said credit card numbers are for chumps. It’s much easier to get caught. The cybercriminals really want to know who you are. And voter information and any kind of information that fills in all the blanks makes it easier for phishing, for social engineering, and for extortion.”

There is no doubt that this type of data has become essential to modern political campaigns. Democrats and some others use NGP/Van to aggregate voter data and enable voter contact. NationBuilder is a popular tool used by a wide variety of candidates and organizations to build support. And don’t forget that the voter data exposed in the Peach Breach except for personally identifiable information is required by Georgia law to be made available to those willing to pay a fee.

Many people, myself included, are willing to provide personal information to social media sites like Facebook in order to be able to enjoy social media. Plenty of people use a Kroger Plus Card or other shopper card to get discounts at retail while providing a wealth of personally identifiable information about what we purchase and use on a daily basis. And while the benefits can be great, there are also risks, as not only the unauthorized release of voter information but the legally required distribution of voter records shows.

Article source: http://www.peachpundit.com/2015/12/31/another-big-data-breach-releases-personally-identifiable-voter-information/

,

No Comments

More questions for Brian Kemp data breach

We finally have our first hint at why Georgia Secretary of State Brian Kemp released the social security numbers of every Georgia voter.

Kemp responded to a request from Georgia’s tax agency, the Georgia Department of Revenue.

That leaves us asking a new questions:

Why does Georgia’s tax office need social security numbers, driver’s license numbers and dates of birth from the voter file?

Why does Georgia’s tax office need to know how you vote?

In Georgia, we’ve learned to accept all sorts of bad behavior from our elected officials. We have grown used to members of political parties protecting their own, instead of looking out for us.

This must stop.

Wrong is wrong.

Regardless of Brian Kemp’s political party, he can’t be allowed to gang up with the tax office and hand over information including which ballots we cast and our social security number.

Sign and share the petition: Fire Brian Kemp

Article source: http://bettergeorgia.org/2015/12/07/more-questions-for-brian-kemp-data-breach/

,

No Comments

Hillsides, a Pasadena child welfare agency, warns of data breach – The Pasadena Star



PASADENA A Pasadena child welfare agency has warned of a computer security breach that may have exposed the personal information of nearly 1,000 clients and staff members.

Hillsides, 940 Avenue 64, announced the data breach Wednesday. It was first discovered Dec. 8, when Hillsides officials learned that an employee had sent unencrypted files to a personal, non-Hillsides affiliated email address on five occasions between Oct. 10, 2014, and Oct. 19, 2015, Hillsides representatives said in a written statement.

The information sent contained names, social security numbers, home addresses and phone numbers for 468 Hillsides staff members, as well as names, birthdates, genders, medical identification numbers, therapists’ names and rehabilitative therapists’ names of 502 Hillsides clients.

The employee has since been terminated for violation of company policy, officials said.

“To date, the agency has been unable to recover the data files from (the employee’s) personal email account or verify whether the files have been deleted,” according to the statement. “While Hillsides has no evidence that any of the personal information has been further disclosed or misused in any manner, they have provided notice of the incidents to individuals whose information was contained in the files so that they can take any precautions they feel are appropriate or necessary.”

Those who has received a letter from Hillsides notifying them their information may be at risk are encouraged to consider contacting the three major credit bureaus — Experian, Transunion and Equifax — to review account statements and monitor free credit reports.

“We sincerely apologize for the inconvenience and concern these incidents may have caused to our staff and clients, whose privacy is very important to us,“ Hillsides CEO Joseph M. Costa said.. “We will continue to investigate the incident, to reduce harm to potentially affected individuals, and to protect against future similar occurrences.”

The investigation has not resulted in a criminal case, Costa said Wednesday.

Hillsides does not call or email anyone requesting personal information, and anyone receiving an unsolicited call or email purporting to be from Hillsides should not provide any personal information, officials said.

Affected clients and employees are also invited to contact Hillsides with questions. Privacy Officer Tony Aikins can be reached via telephone at 323-543-2800 from 8:30 a.m. to 4:30 p.,. Mondays through Fridays, via email at taikins@hillsides.org or by addressing a letter to Hillsides Support Services, attention “Privacy Questions” at 815 Colorado Blvd., Suite 100, Los Angeles, CA 90041.

Article source: http://www.pasadenastarnews.com/general-news/20151230/hillsides-a-pasadena-child-welfare-agency-warns-of-data-breach

,

No Comments

Database of 191 Million US Voter Records Left Exposed Online

An improperly configured database exposing the information of 191 million registered U.S. voters was discovered on Dec. 20. The database was taken offline Monday, Dec. 28, presumably to be patched.

Discovered by researcher Chris Vickery, who has since been working with with security website Databreaches as well as IT expert and security blogger Steve Ragan to pinpoint the cause, the unsecured voter list could become a problem for the people listed. Such lists can may contain more than the voter’s name, date of birth, gender, and address—which on their own is a good amount of personally identifiable information (PII).

As Databreaches.net, pointed out such lists can also include the voter’s ethnicity, party affiliation, e-mail address, phone number, state voter ID, and whether she is on the “Do Not Call” list. According to Ragan, the breached data did not include social security or driver license numbers.

MORE: On Experian’s data breach.

Still, that’s certainly enough data to help identity thieves get what they need—although given all the breaches afflicting hotel chains, credit agencies, and retailers, anyone who doesn’t think their PII isn’t already out in the wild is probably kidding themselves.

WATCH: For more on data breaches, watch this Fortune video.

The issue with voter lists, however, is that campaign consultants and marketing firms can (and do) use them for their own purposes—though that activity can be limited by state law.

From the Databreaches.net post mortem:

… databases developed for political campaigns may also include whether or not you voted in the last general and primary elections, whether you appeared to follow a party line vote, and there may be a score predicting whether you’re likely to vote in an upcoming election or for a particular party or candidate. Databases developed for issue-oriented campaigns or non-profits doing fundraising may contain even more personal information such as your religious affiliation, whether you’re likely to be anti-abortion, whether you’re a gun owner, etc.

SIGN UP: Get Data Sheet, Fortune’s daily newsletter about the business of technology.

For more on this breach, check out Vickery’s post on Reddit and Ragan’s article on CSOOnline.

Article source: http://fortune.com/2015/12/29/us-voter-data-exposed/

,

No Comments

California elections officials probe voter data breach claims: Sacramento Bee


California Secretary of State Alex Padilla said on Tuesday that his office was working to verify claims that confidential voter information had been exposed on the Internet, the Sacramento Bee newspaper reported.

An independent computer security researcher on Monday said he uncovered a database of information on 191 million voters that was exposed on the open Internet due to a misconfiguration of the database.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, said researcher Chris Vickery.

Padilla said the records were not posted by the California Secretary of State, and that he was collaborating with Attorney General Kamala Harris’ office to provide any necessary assistance, the Sacramento Bee reported.

Offices of the California Secretary of State and Kamala Harris could not be immediately reached for comment.

The breach was first reported by computer and privacy news sites CSO Online and Databreaches.net. CSO Online said the exposed information may have originally come from campaign software provider NationBuilder because the leak included data codes similar to those used by that firm.

NationBuilder Chief Executive Officer Jim Gilliam said in a statement that the database was not created by the Los Angeles-based company, but that some of its information may have come from data it freely supplies to political campaigns.

Regulations on protecting voter data vary from state to state, with many states imposing no restrictions. California, for example, requires that voter data be used for political purposes only and not be available to persons outside of the United States.

(Reporting by Rama Venkat Raman in Bengaluru; Editing by Sunil Nair)

Article source: http://www.reuters.com/article/us-usa-voters-probe-idUSKBN0UD09P20151230

,

No Comments

Voter data breach shows need for higher security thresholds

It’s a sad feature of contemporary life that data breaches are as common as changes in the weather. Still, the news that a misconfigured database resulted in the exposure of about 191 million registered voters’ personal information is incredibly alarming.

Article source: http://www.sfchronicle.com/opinion/editorials/article/Voter-data-breach-shows-need-for-higher-security-6726559.php

,

No Comments

School takes steps to prevent further data breach following loss of memory stick

A TOP York public school says it is taking steps to prevent another loss of important data, following an incident in which a memory stick was apparently mislaid on public transport.

St Peter’s School says it is acting on a series of recommendations from the Information Commissioner’s Office (ICO), including mandatory training for employees in data protection.

However, it said the ICO had informed the school that it was not taking any further action over the incident, which happened earlier this year.

The Press exclusively reported in October how a memory stick, which was not protected by a password and contained a number of documents “relating to the governance of the school”, had been lost.

School head Leo Winkley wrote to all parents to inform them of the loss, saying there was no indication that details of bank accounts had been on the device and nor was there any suggestion that the device or data had been found or accessed by anyone.

He said the school was contacting a small number of individuals whose data might have been included on the device.

The Press became aware of the incident after being contacted by a source, who claimed the memory stick contained highly sensitive information about pupils and former pupils.

Now the school has said in a statement: “Following our report of a potential data breach, the Information Commissioner’s Office has informed us that they will not be taking any further action but have made the following recommendations:

* Future incidents should be reported as soon as possible after the incident has occurred.

* Conduct mandatory training in data protection for employees, and for individuals who are not employees of the school but who have access to personal information to which the school is the data controller.

* Introduce a remote-working policy and procedure which relates to the use and storage of personal information away from school premises.”

The statement said the ICO had provided useful references to help put together these policies and procedures.

“We are working to ensure that these recommendations are implemented as soon as possible.”

The school said it understood that it was some months after the loss of the device before the school was alerted to it.

“However, the loss was reported as soon as we became aware of it,” it added.

A spokesperson for the ICO said: “We have made enquiries about this potential breach and decided not to take any further action on this occasion.”

Article source: http://www.yorkpress.co.uk/news/14172137.School_takes_steps_to_prevent_further_data_breach_following_loss_of_memory_stick/

,

No Comments

The futility of data breach notifications

As a security reporter, I often wondered if data breach notifications helped victims or if they were simply an empty gesture. I got my answer the hard way when I discovered my health insurance provider was hacked.

The breach happened two years ago during my first year of college at a small liberal arts school. During my first semester at school, a highly contagious bug spread through my dorm faster than American Pharoah, and unfortunately, I caught it too. So I took a taxi to the hospital and I got the prescriptions I needed and soon I was on my merry way. But what I didn’t think twice about was that my health insurance provider was interacting with an apparently unsecure network at the hospital.

A few weeks ago, I received a letter in the mail that read: “Excellus BlueCross BlueShield was the target of a sophisticated cyberattack, and some of your personal information may have been accessed by the attackers.” Further down, the data breach notification letter stated: “Our investigation determined that the attackers may have gained unauthorized access to your information, which could include your name, address, telephone number, date of birth, Social Security number, member identification number, financial account information, and claims information.”

Uh-oh.

I let out an exasperated gasp that I’d unknowingly held in while I was reading. This wasn’t a simple Target hack; I can replace my credit card and feel safe again, but my birthdate and Social Security number aren’t going to change. My personally identifiable information (PII) was exposed, and the list of ways my PII can be abused in the hands of the wrong person is endless.

The breach notification letter stated that the attack specifically occurred in several counties of the state where I was attending college at the time, so I was able to determine when and how I was affected by the breach. But the rest of the data breach notification letter was a dense, four pages-long statement that didn’t actually explain anything about the cyberattack or the health insurance provider’s response in detail. Essentially, the letter went something like this: there was a data breach, your information was compromised, we are offering free credit monitoring, and we are enhancing security. Excellus BlueCross BlueShield also posted a public statement on its website, but that didn’t offer much information either. Out of curiosity and my occupation, I wanted to know more.

I called Excellus to see what they had to say. After waiting on hold for 20 minutes I was transferred to a woman, who I can imagine was working in a call center and had little to no information to offer. To start, I asked her, “How did this happen?” She reiterated what the letter said with vague details. I continued to ask more questions: “Was my data encrypted?”, “Why did it take two years to discover?”, “What security was being used to protect my personal data?” and other inquiries. She suggested I look online for more information or call the credit report agencies like Experian listed in the data breach notification letter. But it’s worth noting that Experian was hacked this October, exposing 15 million people’s personal information. Thanks but no thanks.

I called another credit report agency listed in the letter to order a free credit report. I jumped around a phone maze for 20 minutes, giving the automated voice response system my personal information to establish my identity. I hoped at the end of it I would finally be connected to a real person to talk to but I wasn’t. Instead, I was told to get more information about getting my credit report in the mail in two to three weeks, and then the line hung up. Frustrated, I tried calling yet another credit reporting agency Equifax, and again I was met with an automated voice response system and was unable speak to a representative.

About two weeks after I requested a credit report from Equifax, I received it in the mail. But there was no actual credit score in the report. It didn’t occur to me that they’d send me a credit report without a credit score. And on the fifth page titled, “Historical Account Information,” there is a list of payments but it doesn’t say where the payment came from. It simply reads “No Data Available.”

But what I found most interesting is that I have the right to request a “security freeze,” which they explained was “designed to prevent credit loans or services from being approved in your name without your consent.” I was intrigued because it seemed like a legitimate way to help victims of a data breach. But to  get a security freeze I’d have to call another number and pay $5.00. But don’t worry — if you’re a victim of identity theft and you “submit a copy of a valid police report, no fees will be charged.” In other words, you can’t get a free security freeze on your credit unless you’ve already been victimized.

Healthcare organizations are the Holy Grail for attackers as far as personal information goes. The data is comprehensive, it includes the most sensitive information about a person, and it has a long shelf life, which is why healthcare organizations have been regularly targeted by cybercriminals recently. The other problem is that healthcare organizations aren’t equipped to handle the backlash of a cyberattack because they cannot “identify illicit records activity and put a stop to it,” according to the 2014 Bitglass Healthcare Breach Report. The data breach notification letter said the hospital breach was a “sophisticated cyberattack,” but I have my doubts. Many companies fail to keep up with proper security measures and regulations, leaving a gaping hole for cybercriminals to waltz through. For example, Target was subject to embarrassment after a post-breach internal report was made public by security reporter Brian Krebs.

At the time, I recalled a conversation I had with Christopher Budd, global threat communications manager at security vendor Trend Micro. “People pay more attention [to data breaches] because they’ve seen what has happened to others. But people are not learning because we don’t get full details,” Budd told me. “The general public never gets the whole story.”

I found that to be painfully true.

The victims of any cyberattack should be able to know, in reasonable detail, what happened, how it happened, the impact of breach, why the company’s security was breached, and what exactly the company is doing to make sure it doesn’t happen again. I started to wonder if the data breach notification letter was actually designed to serve customers’ best interests or if it was simply a formality so the company could cover itself in case of any legal action.

Even though I received a data breach notification letter with plenty of numbers to call and companies to contact and a free credit report, I don’t know any more than I did before I was notified, and my occupation as a security reporter didn’t help me get any answers or clarity on the situation. In addition to the lack of information, the so-called “protection” offered to me was laughable. Next time, Excellus BlueCross BlueShield, save your paper.

Article source: http://searchsecurity.techtarget.com/opinion/The-futility-of-data-breach-notifications

,

No Comments