Archive for February, 2016
Over 707 million records were stolen last year in 1,673 separate data breaches, a new report says.
That equates to about 1.9 million records stolen every day, or about 22 records every second, according to Gemalto researchers.
Compared to 2014, the number of data breaches declined by 3.4 percent, and the total number of compromised records fell by 39 percent.
But the report said that the number is likely to be understated as almost half of the companies that reported a data breach had an unknown number of records stolen.
Out of the breaches, almost two-thirds were carried out by malicious actors. Most of the attacks were focused on the government sector, which led the breach index, accounting for 43 percent of the year’s lost or stolen records, or about 307 million records.
Two significant breaches — including the hack that targeted the Office of Personnel Management (OPM), and another targeting a Turkish government agency — accounted for the theft of over 77 million records alone.
Although many of the cases were high-profile in nature, the data points to mostly smaller breaches.
North America took the brunt of most breaches, accounting for 77 percent of all breaches, resulting in 460 million records stolen, or 65 percent of the total.
The researchers said that the predominance of North America is “due to the more stringent data breach disclosure laws in the United States compared with other countries.”
UC Berkeley on Friday revealed that it has alerted 80,000 current and former faculty, staff, students and vendors in the wake of a late December “criminal cyberattack” that could have compromised Social Security and bank account numbers.
We’re not talking an epic breach possibly affecting millions of people as did last year’s Anthem and Ashley Madison compromises. But the revelation still must be unsettling for an institution that prides itself on cutting-edge cybersecurity research. UC Berkeley was among several big-name schools to receive millions from the Hewlett Foundation for cybersecurity policy research, and the school last year established the Center for Long-Term Cybersecurity.
As for short-term cybersecurity, UC Berkeley says it has no evidence that any of the compromised accounts were abused, but it nevertheless was compelled by law to disclose the breach and in addition is offering credit protection services for free.
The attack took place in December when one or more people gained access to Berkeley Financial System computers via a flaw that was being patched.
“The security and privacy of the personal information provided to the university is of great importance to us,” said Paul Rivers, UC Berkeley’s chief information security officer, in a statement. “We regret that this occurred and have taken additional measures to better safeguard that information.”
If the UC Berkeley news is causing you some deja vu, it could be because numerous higher education institutions — from Harvard to Penn State — were hit with breaches last year. And UC Berkeley itself revealed a breach last April that involved unauthorized access to a Web server maintained by the school’s Division of Equity and Inclusion, and also disclosed a separate breach in late 2014 involving servers and databases in the Real Estate Division.
Hackers used the “Get Transcript” program, which allows you to check your tax history online. The IRS began the online program two years ago, allowing taxpayers to request their tax history over the Internet, in addition to the post office. But following a nine-month investigation by the Treasury inspector general for tax administration, the IRS says its online service has put hundreds of thousands more taxpayers at risk of identity theft, reports CBS News correspondent Jan Crawford.
Not even Virginia-based tax attorney Wayne Zell was protected from hackers.
“Somebody was trying to claim a refund using my social security number and I knew something was wrong,” Zell said. “I got a form earlier this week stating that somebody had recovered my E-File personal identification number. I don’t have an E-File personal identification number.”
The IRS’s data dump is the latest in a series of disclosures. In May 2015, the agency reported cyber criminals accessed approximately 114,000 taxpayer accounts. Three months later, that number grew to as many as 334,000. This month, the IRS said there are as many as 724,000 victims.
“The IRS is frankly not doing enough to protect us,” said Steve Weisman, a senior lecturer at Bentley University and an expert in identity theft. “The very fact that it takes them so many months to even analyze the depth of the problem shows you that there are probably more identity theft that is going on.”
The IRS said hackers used personal information gathered from other online sources – like bank accounts – to answer personal identity questions on the “Get Transcript” forms.
One possible culprit is the IRS-approved tax preparers. According to an audit conducted by the non-profit Online Trust Alliance, six out of 13 IRS-approved companies failed at providing adequate security to customers.
“We’re often our own worst enemies because there are times that we don’t use proper passwords, we don’t use proper security,” Weisman said.
The IRS said they are notifying the hacked taxpayers by mail, as well as offering free identity protection for a year.
In a statement, the agency said it’s “committed to protecting taxpayers on multiple fronts against tax-related identity theft… We are moving quickly to help these taxpayers.”
“Short of changing your social security number, which I understand only witness protection program victims can do, I don’t really we have a solution yet, but I think we need to search for one,” Zell said.
The online viewing and download feature of “Get Transcript” has been suspended since May 2015. The IRS is working to restore that part of the service with enhanced security to protect taxpayer identities.
A consumer has filed a putative class action against The Wendy’s Co. alleging a failure to sufficiently secure customer payment card data. Torres v. Wendy’s Co., No. 16-0210 (M.D. Fla., filed February 8, 2016). Wendy’s announced in late January 2016 that it had discovered in its processing systems a software program designed to steal credit and debit card information, several weeks after the plaintiff discovered that his debit card had been used in fraudulent purchases totaling almost $600.
“Wendy’s could have prevented this Data Breach,” the complaint asserts. “The malicious software used in the Data Breach was more than likely a variant of ‘BlackPOS,’ the identical malware strain that hackers used in last year’s data breach at many other retail establishments. While many retailers, banks and card companies responded to recent breaches by adopting technology that helps make transactions more secure, Wendy’s has acknowledged that it has retained a security consultant to review and look into its systems.”
The plaintiff calls the existing measures “suspect,” arguing that the situation requires “judicial intervention and consumer and independent oversight.” For allegations of breach of implied contract, negligence and a violation of Florida’s consumer-protection statute, he seeks class certification, damages, attorney’s fees and injunctions compelling Wendy’s to stop using its current security system and to “utilize appropriate methods and policies with respect to consumer data collection, storage and safety.”
2015 was a bad time for database administrators, says Gemalto, a data security company, after compiling all of last year’s data breaches in its bi-annual Breach Level Index report.
During the past twelve months, Gemalto’s researchers observed and inventoried 1,673 data breaches that leaked in total over 707 million data records.
The numbers are astounding but are mainly driven by a series of big-name incidents. Among them are the Anthem Insurance data breach (78.8 million records), the Turkish General Directorate of Population and Citizenship Affairs data breach (50 million records), the Korea Pharmaceutical Information Center data breach (43 million records), the US Office of Personnel Management data breach (22 million), and the Experian data breach (15 million records).
While these incidents got all the headlines, they are not entirely representative of the entire spectrum of recorded data breaches.
Gemalto security analysts say that, during 2015, most breaches were perpetrated by malicious outsiders [964 incidents, 58%], were the result of an accident [398 incidents, 24%], or of an insider’s actions [238 incidents, 14%]. Hacktivists and state-sponsored groups also played a role, but not as big a one as you’d think: combined, they did not account for over 4%.
Attackers mostly targeted government sites and personal records
Most of the leaked records are from the government sector [307 million records, 43%], followed by healthcare [134 million records, 19%], the technology field [84 million records, 12%], retail [40 million, 6%], and education [19 million, 3%].
As per Gemalto’s earlier report from September 2015, the most targeted country remains the US, which saw 1,222 data breaches. The rest of the top 5 is made up of the UK with 154 incidents, Canada with 59 incidents, Australia with 42 incidents, and New Zealand with 22 incidents. In spite of its huge size, China recorded only 8 incidents, just as many as the Netherlands.
In 53% of all incidents, hackers were after identity and personal information, while in 22% of the incidents, the attackers targeted financial data. Other reasons for breaking into databases were to steal account access credentials (11%), existential data (10%), or just as a nuisance (hacktivism) (4%).
A hacker broke into the University of California, Berkeley computer system holding financial data of 80,000 students, alumni, current and former employees, school officials said Friday.
The university said that although there is no evidence that any information has been stolen, it has notified potential victims of the breach so they can watch for signs of possible misuse of their personal data.
Those notified include students and staff who received non-salary payments through electronic fund transfers, such as financial aid awards and work-related reimbursements. Vendors whose financial information was in the system for payment purposes are also at risk.
The hack occurred in December right after Christmas and just as UC Berkeley was in the middle of patching a security flaw in the financial management system.
“We (looked) at all the available evidence of what the attackers did, and as we looked at that, we don’t see any evidence that these are the kinds of attackers that did access the data, or did anything to take that data,” Paul Rivers, UC Berkeley’s chief information security officer, told reporters, according to SF Gate.
“However, in an abundance of caution, we don’t want to depend on our judgment alone,” he added. “We want to be transparent and (let people) make their own choice on how they should respond.”
The SF Gate reported this cyberattack is the third-largest breach affecting the school in years and shows how difficult it is to protect academic institutions.
Rivers said part of the difficulty with protecting the school is the fact officials can’t close if a major breach happens. He said he can’t treat network security on campus like it was a bank or tech company.
The FBI was notified and the flaw has been patched.
Rivers added that the school needs to work faster on getting its security system fixed. He didn’t offer a timeframe or a plan on when the security patches would take place.
The Associated Press contributed to this report.
A second lawsuit is being filed against the University of Central Florida for a massive data breach that surfaced at the beginning of the month.
The lawsuit is the second to be filed after UCF announced that a hacker gained access to 63,000 Social Security numbers belonging to former and current students and workers.
The lawsuit is being filed by a former manager for the school’s basketball team. He is suing for more than $15,000.
The suit alleges UCF failed to protect its systems.
WASHINGTON, Feb. 27 (UPI) — An additional 390,000 taxpayer accounts may have been compromised after cyber criminals fraudulently accessed personal information, the Internal Revenue Service announced Friday.
The new number increases the amount of suspected targets to 720,000 since the discovery of a data breach in 2015.
In a statement released Friday, the IRS said it would notify the victims and offer them free identity-theft protection services. The news comes after a nine-month investigation, the IRS said.
“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” IRS Commissioner John Koskinen said Friday.
In May, the IRS said cyber criminals used the new “get transcript” tool on the agency’s website to access years of transcript history from people whose personal information they had stolen elsewhere.
Taxpayers used the tool to download about 23 million transcripts in its first few months of use at the beginning of 2015, the agency said. It used extensive security measures to keep out cyber criminals, such as asking for Social Security numbers, addresses and birthdays.
The agency said criminals used previously obtained identity information in order to trick the online tool, which has been suspended since the launch of the investigation in May 2015.
Initially, the IRS reported 114,000 accessed taxpayer accounts, with an additional 111,000 accounts targeted but not accessed.
In August, they identified 220,000 more suspected compromised accounts and about 170,000 others which were unsuccessfully accessed.
“We appreciate the work of the treasury inspector general for tax administration to identify these additional taxpayers whose accounts may have been accessed. We are moving quickly to help these taxpayers,” Koskinen said.
Feb. 25 — York Hospital is reporting that hundreds of employees at its hospital and four campuses in York County have been victimized by cyber criminals.
“Personal identifying information” related to names, addresses, Social Security numbers and wages were stolen, hospital spokeswoman Jody Merrill said Wednesday.
The data breach was discovered Monday. Merrill said local law enforcement officials have turned the investigation over to the FBI.
“York Hospital was victimized by cyber criminals who fraudulently stole personal identifying information of York Hospital employees,” Merrill said in a statement issued Wednesday afternoon. “There is no indication at this time that patient health information, which is stored on a system separate from staff employment information, was targeted in this attack, nor was any medical information of York Hospital staff compromised.”
The breach affects staff, including doctors and nurses, who were employed by the hospital in 2015, Merrill said in a telephone interview Wednesday evening. Employees hired in 2016 were not affected, she said.
York Hospital currently employs 1,400 people at its hospital in York and at its campuses in Wells, Berwick, Kittery and South Berwick.
“The hospital sincerely apologizes to its staff for this incident and deeply regrets the inconvenience that will be caused,” Merrill said in the statement. “Identity theft security and mitigation services will be available to all staff at no cost to them so that credit rankings, bank accounts and IRS status can be protected for the upcoming year.”
There have been no reports of criminal activity or identity fraud since the data breach was discovered Monday, Merrill said.
The FBI’s Boston office is investigating the theft, Merrill said.
FBI spokeswoman Kristen Setera in Boston declined to comment Wednesday night.
Copyright 2016 – Portland Press Herald, Maine
The University of Central Florida was hit with a second lawsuit Friday over a massive data breach where hackers stole 63,000 Social Security numbers belonging to students and employees.
The Orlando Sentinel reports Jeremiah Hughley, a former UCF men’s basketball team manager, is suing the university after he says his bank account was drained following the breach and alleges the school’s management of personal information was “lackadaisical, cavalier, reckless, or at the very least, negligent.”
Earlier this month, UCF revealed it first became aware of the breach in January, according to the school’s website. The hack affected current and former athletes, UCF teams staff members, and current and former university employees working in Other Personal Services, also known as OPS. People affected by the hack were offered one year of complimentary credit monitoring and identity-protection services.
Hughley’s lawsuit is the second one filed this month. A day after UCF announced the data breach on Feb. 4, two UCF alumni filed a class-action lawsuit against the school.
The computer hack is being investigated by the FBI’s Jacksonville office, according to the Sentinel.