Archive for August, 2016

Village-based hotel chain announces data breach


A Greenwood Village-based international hotel chain has announced that some of its customers may have had their credit card information stolen earlier this year.

Millennium Hotels Resorts North America says the recent data breach was tied to food and beverage purchases at 14 of its U.S. hotels. The corporation owns the Harvest House in Boulder, but did not indicate which of its properties were affected.

“We urge customers who visited our U.S. hotels between early March and the end of June this year to check their payment card records and to report dubious transactions to their card operators immediately,” Millennium President Shaun Treacy said in a statement. “We also urge customers to take advice from their card operators on any further recommended security precautions. The Millennium Hotels Resorts team, above all, values its customer relationships and is committed to protecting customers’ payment card information. Since being informed of this incident, we have taken a number of steps to ensure that this commitment is met in full.”

According to the statement, when the corporation was notified of the incident by the Secret Service, it took immediate steps to investigate and isolate the card-processing problem, which was not tied to its hotel bookings.

Millennium has reportedly contracted with cyber-forensic experts and implemented recommended security measures, but had not announced any discovery of malware at press time.

Several other hotel chains have been similarly targeted, including HEI, Kimpton, Hard Rock and Omni.

Reported UK Data Breaches Soar 88% in a Year

The volume of data breach incidents reported to the Information Commissioner’s Office (ICO) has almost doubled in the space of a year, according to a new Freedom of Information (FoI) request.

The figure rose from 1,089 in the period April 2014-March 2015 to 2,048 in virtually the same period a year later, according to Huntsman Security.

Health, local government and education were the worst performing sectors in terms of the volume of breaches disclosed, accounting for 64% of the total in 2015-16.

However, financial organizations were the worst hit by ICO fines. Despite accounting for fewer than 6% of incidents they were on the receiving end of 33% of the watchdog’s financial penalties during the period, which hints at the severity of these breaches.

In three-quarters of the total number of cases, no action was taken by the ICO, either suggesting that the incidents themselves were fairly innocuous or that the watchdog needs to grow some sharper teeth.

It’s believed that incoming commissioner Elizabeth Denham may be less forgiving of organizations in this regard than her predecessor.

Data disclosed in error accounted for the vast majority of reported breaches (67%), followed by security incidents (30%).

However, there are signs that some organizations are still failing to report all of the breaches that occur on their watch – whether that’s deliberate or a result of poor technology and processes combined with an overwhelming volume of security incidents to deal with.

UK utilities firms reported just two breaches over an entire year, for example, despite representing a high risk target.

“The most likely reason for the ICO not being notified of breaches is that organizations simply aren’t aware of them; after all, it’s still very easy for an issue to remain unknown for weeks or even months before it’s noticed,” Huntsman Security head of product management, Piers Wilson, told Infosecurity.

“At the same time, any organization purposefully keeping breaches secret would have to balance any short-term benefit against the ultimate cost, in terms of reputation, share price and loyalty, of being found out. Of course, the ultimate proof will be when the GDPR, or similar legislation, comes into effect. A consistent, sharp increase in reported breaches could tell its own story.”

Emerson Scott, LLP Announces Ongoing Investigation Involving Banner Health Data Breach

HOUSTON, Aug. 31, 2016 — Emerson Scott, LLP announces a continuing investigation of the Banner Health data breach which may have affected 3.7 million or more doctors, patients, employees, cafeteria customers, and others whose personal and/or financial information was compromised while in the possession of Banner Health during a period of time that currently appears to be June and July, 2016.

The cyber-attackers or hackers stole the personal information as well as personal financial information which may include names, addresses, birth dates, doctor’s names, dates of service, claims information, health records, health insurance information, driver’s license information, and/or military identification numbers, social security numbers, credit card numbers or other payment information.  These health and financial records are a treasure trove for hackers seeking to profit from stolen identities and this data may already be for sale by criminals on the so-called “Dark-Net”.

Banner Health is a health system based in Phoenix, Arizona that operates 23 hospitals as well as specialized medical facilities.  There appear to be at least 27 Banner Health locations affected by the data breach in four states including Alaska, Arizona, Colorado, and Wyoming.

Emerson Scott, LLP, with offices in Houston, TX and Little Rock, AR, is a boutique law firm specializing in results, integrity, and personal service. Emerson Scott, LLP represents consumers throughout the nation and has significant cyber-attack and data breach experience in such data breach cases as Anthem, Premera, Experian, Vizio, Office of Personnel Management (“OPM”) and Wendy’s. Emerson Scott, LLP and its predecessor firms have devoted their practice to complex commercial litigation for more than thirty years and have recovered hundreds of millions of dollars for consumers in class actions throughout the United States.  A number of class action cases have been filed concerning the Banner data breach.     

IMPORTANT:  If you were treated at a Banner Health facility, work at one of its facilities, used your credit card at one of facilities during 2016, or if you have received a letter or other notification from Banner Health that personal and/or financial information has been compromised or hacked then please contact us immediately to protect your rights.  It makes no difference what state you reside in.  Contact plaintiff’s counsel, Emerson Scott, LLP, at the following toll-free number: 800-663-9817, or via e-mail to John G. Emerson ([email protected]) or David G. Scott ([email protected]).    

Why Dropbox’s data breach response is still wrong

One day Dropbox may well get its head around the best-practice methods for handling customer data breaches, but today is not that day.

News broke on Tuesday that details of 68,680,741 user accounts had been found online, apparently the result of a data breach back in 2012. The files reportedly contained the users’ email addresses, plus their salted and hashed passwords.

Dropbox’s response was to email the affected users, who could be forgiven for not realising it was about a data breach.

“Resetting passwords from mid-2012 and earlier,” was the subject line.

“We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience,” the email read.

“To learn more about why we’re taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at [email protected].”

If users did click through, they’d have had to scroll past four sub-headings before they were finally told there’d been a data breach — and even then, it was only after yet more softening of the message.

“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.”

I reckon there are a few problems with that messaging, though I’ll come back to that. There’s more to worry about.

First, there’s a problem with the secondary authentication protocol: it isn’t being used.

Assume for the moment that the bad guys have obtained a user’s password. They can log in to Dropbox. Then, if they’re forced to change the password, this is what they see.

Dropbox password change dialog

(Image: Dropbox)

The bad guys enter a new password, and it’s game over.

What should happen? The secondary authentication protocol should be brought into play. For Dropbox, that’s the user’s email address.

Once the user has entered the old password, they should be emailed a one-time, time-limited token, one of those emails that says “Click here to enter your new password”. That way the bad guys need to have gained access to the user’s email account as well. Not perfect, but a significant additional hurdle.

Second, even when a user does change their password, Dropbox says that any logged-in sessions on other devices will still be active — and that would include any sessions created by the bad guys before the user changed the password.

What should happen? When there’s any suspicion that an account may have been compromised, all logged-in sessions should be logged out immediately. When the user logs back in, they should be forced to change their password immediately — not merely prompted to do it when they get around to it.
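The two recommendations above, as an added example that is not Dropbox’s code and not from the original article: a flagged account loses every session at once, presenting the old password only triggers a single-use, time-limited token sent by email, and the new password is accepted only together with that token, after which sessions are cleared again. The `AccountService` class, the 15-minute token lifetime and the in-memory outbox standing in for a mailer are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

RESET_TOKEN_TTL = 15 * 60  # assumed: a reset link dies after 15 minutes


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_required: bool = False
    sessions: set = field(default_factory=set)
    reset_digest: Optional[bytes] = None  # SHA-256 of the outstanding token, never the token
    reset_expires: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountService:
    """In-memory account store (assumed). `clock` is injectable so expiry is testable."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock
        self.outbox = []  # (recipient, token) pairs a real mailer would deliver

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt))

    def login(self, email: str, password: str) -> Optional[str]:
        """Session id on success; None if the password is wrong or a reset is pending."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return None
        if acct.reset_required:
            # Knowing the old password is not enough: hand over to the email channel
            self._issue_reset_token(acct)
            return None
        sid = secrets.token_urlsafe(32)
        acct.sessions.add(sid)
        return sid

    def is_valid_session(self, email: str, sid: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions

    def flag_compromised(self, email: str) -> None:
        """Suspected compromise: log out every device now, force a reset at next login."""
        acct = self.accounts[email]
        acct.sessions.clear()
        acct.reset_required = True

    def _issue_reset_token(self, acct: Account) -> None:
        token = secrets.token_urlsafe(32)
        acct.reset_digest = hashlib.sha256(token.encode()).digest()
        acct.reset_expires = self.clock() + RESET_TOKEN_TTL
        self.outbox.append((acct.email, token))

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Accept the new password only with a fresh, unused token from the email."""
        acct = self.accounts.get(email)
        if acct is None or acct.reset_digest is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        ok = self.clock() <= acct.reset_expires and hmac.compare_digest(presented, acct.reset_digest)
        acct.reset_digest, acct.reset_expires = None, 0.0  # single use, burned even on failure
        if not ok:
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.sessions.clear()  # nothing created before the reset survives it
        acct.reset_required = False
        return True
```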

OK, sure, in this particular instance Dropbox says their threat monitoring and password storage strategy give them a clean bill of health. So far, we have no reason to doubt that.

But Dropbox has form.

In 2014, Dropbox waved away security concerns, despite having written that “there’s nothing more important to us than keeping your stuff safe and secure”.

In 2012, Dropbox clearly failed to reset everyone’s passwords after a potential data breach. If they had done, they wouldn’t be asking users to reset them now, right?

And in 2011, Dropbox left a bunch of users’ files open to the internet, yet brushed away concerns by claiming it was only “a very small number of users (much less than 1 percent)” who might have been affected. That’s no consolation if you were one of them.

Dropbox, like so many other organisations, is presumably worried that users will be scared away by security breaches, so they soften the language. But experience and research show that when it comes to data breaches, owning up actually increases trust.

So here’s how I’d have handled Dropbox’s latest problems — apart from fixing those secondary authentication and session management problems.

“Security Message”, I’d have written in an email to every user, having previously shoved the PR and marketing teams into a canal.

“We’ve had a security problem. So far our investigations suggest that your account hasn’t been accessed by anyone else. See below for the details. But to be sure, we need you to reset your password. It might also be a good idea to turn on two-factor authentication (2FA).”

I’d list the steps users need to take, and then the rest of the details — including the steps we’d already taken to investigate and rectify the problem, and when we’d be emailing them an update.

Yes, I’d say “problem” not “issue”, because that’s what it is. And yes, I’d email every user, because why not? It builds trust.

One day Dropbox should start paying attention to this sort of best-practice advice, and today is that day.

Business, government must step up in fight against data breaches

Graeme Pyper, Regional Director for Gemalto Australia and New Zealand, warns that recent events show that Australia has a “growing data security crisis” and the country is a primary target.

“With the new Privacy Amendment Bill likely to be passed as law before next year, many companies could be in for a shock if they don’t start preparing now,” Pyper says.

“The new regulation will have major implications on the way in which data is collected, stored, accessed and secured. Most importantly, it will require an entirely new mindset when it comes to securing customer data, what is considered a serious breach and the steps an organisation must take in response to one.”

But, Pyper says there must be clarity on what is considered sensitive information and what constitutes a “notifiable data breach”, and he cautions that organisations with lax security will be put in the spotlight with the requirement to notify both authorities and affected individuals when a data breach occurs.

Ominously, Pyper warns that being breached is not a question of if but when. “The notion of data at times seems insignificant but when it’s further defined as information it’s not difficult to understand why some details should be guarded more closely,” Pyper notes.

And, according to Pyper, traditional approaches to data security do not work anymore, “so it’s time to move away from breach prevention, towards a secure breach approach”.

Pyper observes that the government has accepted that breaches happen and says it’s time for all of industry to follow suit.

He suggests organisations need to adopt a data-centric view of digital threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data.

“That way, if the data is stolen it is useless to the thieves,” Pyper says.

Three years ago, Australia’s peak telecommunications consumer body, the Australian Communications Consumer Action Network (ACCAN), urged a Senate Committee to support the introduction of mandatory data breach notification laws, saying the new laws would significantly lead to better security of Australians’ private and financial information.

At the time, ACCAN CEO, Teresa Corbin, said consumers have a “right to be informed when companies lose or misuse their data”.

Voter data breach leads to questions of tampering and state security

The FBI said hackers attacked two state election websites and accessed voter registration databases, and one expert believes there will undoubtedly be more voter data breaches before November’s election.

The states in question were not mentioned in the “flash” alert from the FBI, but officials from Arizona and Illinois have admitted their voter record systems were attacked. An Arizona state official told Yahoo News that malicious software was introduced into its voter registration system but no data was stolen, and Ken Menzel, the general counsel of the Illinois Board of Elections, said hackers had stolen personal data on as many as 200,000 state voters.

The FBI memo noted there may have been a connection between the two attacks because one of eight IP addresses associated with the breaches was used in both cases.

“The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected,” the alert read. “Attempts should not be made to touch or ping the IP addresses directly.”

Menzel said attackers were able to exploit “a chink in the armor in one small data field in the online registration system,” which according to the FBI, may have been a SQL injection vulnerability found with penetration testing tools Acunetix, SQLMap and DirBuster.

Peter Tran, general manager and senior director of RSA, the Security Division of EMC, said this type of vulnerability can be common.

“It’s no surprise that the state voter systems in question may have been victim to garden variety SQL exploitation techniques, mainly due to the prevalence of older website-driven databases and interfaces, typically found at the local city and state government environments,” Tran told SearchSecurity. “Attacking the databases themself using SQL injection, particularly if it’s the path of least resistance, can yield a harvest of data and system control beyond voter registration public records such as the core voter file, ballot or voting history, campaign finance or donor data and other sensitive personal identifiable information and political capital.”

Tran noted that voter registration data is placed in the public record domain and can be legally purchased from sites like NationBuilder and InstantCheckMate, but that doesn’t necessarily lessen the value of a voter data breach for an attacker.

“Public record data in general, such as basic voter registration information, is relatively low-risk by itself. However, this is rarely the case as nation state and other cybercriminals aggregate multiple sources of data from open source and breached data to form high value target profiles that can be leveraged in a number of ways ranging from identity fraud to corporate and/or government espionage,” Tran said. “Essentially, it’s farming and cultivating data crops, so over time, the data becomes more valuable and risks go up for individuals.”

Because IP addresses used in the attacks had been seen in Russian hacking forums, Senate minority leader Harry Reid wrote to FBI Director James Comey with fears that the voter data breaches may result in more than just stolen information.

“I have recently become concerned that the threat of the Russian government tampering in our presidential election is more extensive than widely known and may include the intent to falsify official election results,” Reid wrote. “The prospect of a hostile government actively seeking to undermine our free and fair elections represents one of the gravest threats to our democracy since the Cold War and it is critical for the Federal Bureau of Investigation to use every resource available to investigate this matter thoroughly and in a timely fashion.”

Comey refused to comment on any investigations in progress at a conference hosted by security firm Symantec Tuesday, but he did say the FBI takes “very seriously any effort by any actor, including nation-states, and maybe especially nation-states, that moves beyond the collection of information about our country and that offers the prospect of an effort to influence the conduct of affairs in our country.”

State election security

Privacy Professor CEO Rebecca Herold said people should worry about voter data breaches making personal information available, but noted there was another issue to focus on in the wake of these attacks.

“What is an overwhelmingly huge additional concern is that these voting systems, which are associated with, if not the sources of, the stolen records, are so poorly secured that they could be hacked and changed in ways that would change the outcomes of elections throughout the U.S.,” Herold told SearchSecurity.

The release of this FBI alert came just three days after Secretary of Homeland Security Jeh Johnson said the DHS knew of no “specific or credible cybersecurity threats relating to the upcoming general election systems.”

Even so, Johnson “encouraged state officials to focus on implementing existing recommendations from NIST and the EAC on securing election infrastructure” and “offered the assistance of the Department’s National Cybersecurity and Communications Integration Center to conduct vulnerability scans, provide actionable information, and access to other tools and resources for improving cybersecurity.”

A number of state officials have gone on record expressing concern over this offer from the DHS, and Georgia Secretary of State Brian Kemp even went so far as to claim this was an attempt by the White House to expand federal control over state election processes and data.

Herold approved of the DHS offer but said it could have taken a less controversial form.

“I think that the offer is good, if it was an attempt to shine light on the very real and significant problems that exist within most of the states’ voting systems and associated elections systems. However, to maintain the independence of states’ election processes and data, it would be more proactive for DHS to issue guidance, which would be that offered help, that could then be used by each state that does not include direct involvement of the Federal agency into state systems, which creates problems and could be viewed as Federal government overreach into state issues,” Herold said. “There should not be any access that could be viewed as an attempt by the Federal government to have undue influence on the outcomes of each state’s elections.”

Tran said the suggestion of the DHS to follow NIST guidelines was one of the best ways to improve state election security.

“The Internet and the increased push to cloud-based data-driven systems has no physical borders and as a result, determining a governance, risk and compliance model should not be thought of in terms of local city, state and/or federal borders,” Tran said. “In terms of a sustainable model, voting systems should be thought of more as part of the national critical infrastructure, perhaps one of the main drivers of why the DHS is offering its assistance in helping to shore up the near and mid-term challenges. As a framework to help address concerns of ‘federalization’ at the state level, the NIST Cybersecurity Framework can help guide, as a viable model to determine the best approach to both technology and policy, that is fair and balanced to address core cyber security best practices.”

Herold said Congress may want to consider new regulations requiring states to “demonstrate that they are performing due diligence to ensure their voting and elections systems and databases are adequately secured.

“The spectrum of possibilities is very wide for those who would want to see our election outcomes be very different from the actual votes of our citizens,” Herold said. “The spectrum of possibilities is also very wide for how using inadequately secured systems could create outcomes that do not reflect the actual votes simply because the lack of effective security controls within systems and applications created mistakes, loss of data that could provide results drastically different from the original votes. It truly is a matter of national homeland security to require our elections to occur with effective safeguards in place.”

US banks losing data breach war, Bitglass

Five of the USA’s top 20 largest banks have already suffered a breach in 2016, according to Bitglass research. Using data aggregated from public databases and government mandated disclosures, this shows that leaks nearly doubled between 2014 and 2015, a growth trend on track to continue in 2016. The nation’s biggest banks have all suffered leaks at some point in the recent past. JP Morgan Chase, the largest US bank, has experienced recurring breaches since 2007. The largest, the result of a cyberattack, was widely publicised in 2014 and affected an estimated 76 million US households. Others at JPMorgan were due to lost devices, unintended disclosures, and payment card fraud.

Lost and stolen devices were responsible for 25.3% of breach events, with financial services organisations appearing to struggle with data protection on managed and unmanaged devices. While hacking accounted for a disproportionate number of individuals affected by FS breaches, only one in five leaks were caused by hacking. Other causes included unintended disclosures, malicious insiders, and lost paper records.

“Financial institutions are prime targets for hackers and are rightfully concerned about the threat of cyber attacks, device theft, and malicious insiders,” says Nat Kausik, CEO of Bitglass. “To stay one step ahead as data moves beyond the firewall, firms in this sector must encrypt cloud data at rest, control access by contextual risk, and protect data on unmanaged devices.”

By Scott Thompson



Fish and Game license system suffers data breach

Idaho Fish and Game Hacked

What should CROs do with cost of data breach studies?

Last week we wrote about a Deloitte study that estimated the potential hard and soft costs of a data breach to an organization over several years. The point was to show that less visible costs — loss of customer confidence and brand reputation — could have a long-lasting impact on an organization.

But what should chief risk officers do with these and other reports? Think carefully, according to an article today on Security Week.

For one thing, it notes there’s no consistency in cost of breach reports. In fact the European Union Agency for Network and Information Security (ENISA) released a report earlier this month that reviewed studies that try to calculate the costs for critical infrastructure organizations and concluded it’s damn hard. On the one hand it found evidence that the finance, ICT and energy sectors would suffer the highest costs; on the other, it admits there’s no common approach or criteria for cost of breach estimates. Any calculations use “rarely comparable” approaches that are often only relevant to a specific context.

So can cost estimates be used in a risk mitigation policy? The Security Week story suggests they have limited value to CROs. The chief security officer at Samsung Research America is quoted as saying such calculations are always subjective. In his firm’s case the big assets are intellectual property, whose loss isn’t easy to put a price on. His goal is to mitigate the effects of a breach, he points out. So he works on that, rather than the cost of a breach.

That is echoed by another expert, who says CISOs need to look at the value of assets in their own organizations to make a risk assessment, rather than use third-party averaged estimates.

The article also usefully points out there’s a difference between the estimated cost of a breach and the risk of a breach. But it also quotes an expert saying that cost calculations are “good instruments for practitioners to raise awareness and kick off an internal discussion to move from a compliance, check-box mentality to a more pro-active, risk- and business-driven approach to security.”

And talking about security across the entire enterprise is always a good thing.

Sancho: Florida primary safe from data breaches
