Archive for September, 2016

Fed government admits health data breach

The private health data of Australians may have been unwittingly made public by the federal Health Department.

Health Minister Sussan Ley has apologised for the breach after the department admitted on Thursday that de-identified medical data it released in August was able to be decoded.

The department was alerted on September 8 to the breach by Melbourne University researchers who were able to decrypt some of the information.

Doctors warn it’s possible individual patients could be identified.

Ms Ley insists government security experts have advised there was no public release of confidential information.

No information about patients or health service providers was made public, she said.

“While the academic team has shown that the health service provider numbers can be decrypted, this information has not been published or disseminated,” she told the Royal Australian College of General Practitioners annual conference in Perth.

“It’s certainly something we take seriously and we apologise for any concern this may cause you as providers.

“However what we cannot and must not do is shy away from using data to improve health outcomes for patients and clinical practice.”

Ms Ley insisted the government had worked swiftly to tighten privacy laws, with Attorney-General George Brandis rushing on Wednesday to amend legislation making it illegal to re-identify de-identified government data without authorisation.

But Dr Nathan Pinskier, chair of the RACGP’s expert committee on e-health, says the retrospective changes will do nothing to retrieve sensitive information already made public.

He said the RACGP expressed concern about the potential for the data to be decoded when it was initially released but was never consulted by the Health Department.

“If you can reaggregate it, even though it’s illegal to do so, somebody probably will,” he said.

“There is a possibility individual consumers could be identified – it could be potentially devastating.”

“This was rushed, they didn’t do a proper evaluation, and if they’d done their proper threat risk assessment they probably would have not released information in that form.”

Dr Pinskier believes the data release by the department last month was a knee-jerk reaction after the government cut funding to other primary care research programs.

Ms Ley said the de-identified Medicare and Pharmaceutical data were removed once the department was alerted and remain offline.

The privacy commissioner has been notified and investigations are under way.

Opposition health spokeswoman Catherine King demanded the government explain why it had to be alerted to the breach by university researchers.

“The health minister has given no assurances that the health providers who are affected by this breach will be told about it,” she said.

“Australians deserve an explanation of how this health data was breached.”

Article source: http://www.news.com.au/national/breaking-news/health-records-accidentally-made-public/news-story/ac8cc200721a574243f82ca89bfe1c9e


ICO probes Yahoo over huge data breach

Elizabeth Denham, the new Information Commissioner, has revealed that the ICO has questioned Yahoo about its huge data breach, and is looking to probe WhatsApp and other Facebook-owned companies about their data sharing arrangements.

Denham said in her first speech as Information Commissioner that the ICO will choose its investigations carefully to ensure that they are relevant to the general public.

“Last Friday, the ICO stepped in to ask questions about the Yahoo data breach, which involved eight million UK accounts,” she said.

Denham told BBC Radio 4 in a subsequent interview that she is concerned about Yahoo’s two-year delay in informing the public of the breach.

“Why did it take so long for Yahoo to notify the public? It looks like it happened two years ago. What can these account holders do to protect themselves?” she said.

Denham also explained in her speech that the ICO is reviewing data sharing between WhatsApp and other Facebook companies, stating that “all of this is about transparency and individual control”.

This follows a ruling in Germany that has banned data sharing between the two firms because not enough was done to make users of both services aware of the changes being introduced.

Denham also said that the ICO will appoint a chief technology adviser so that the watchdog can keep pace with the fast-paced nature of the areas it oversees.

“We are building on our own capacity for technology by analysing more, researching more and embedding technology into the future of the ICO. We are also seeking partnerships with universities, and we aim to support research into privacy by design solutions,” she added.

Brexit and General Data Protection Regulation
Denham also touched on Brexit, admitting that the decision made her job more challenging but that the ICO is well prepared.

“Countries that are part of the EU are now preparing to adopt the new GDPR law in 2018,” she said. “The referendum result has thrown our data protection plans into a state of flux.”

The GDPR is technically already in force, but member states are not obliged to apply it until 25 May 2018, and Denham believes it “extremely likely” that GDPR will be live before the UK leaves the EU.

She said it is crucial that personal information can flow, despite not yet knowing where the UK stands in regards to the GDPR.

“The GDPR is a strong law, and once we are out of Europe we will still need to be deemed adequate or essentially equivalent,” she said.

This means that UK organisations will almost certainly have to adhere to the regulations regardless of the country’s position in the future.


Article source: http://www.v3.co.uk/v3-uk/news/2472606/ico-probes-yahoo-over-huge-data-breach


Data Breaches Top 700 So Far in 2016

While the data breach at Yahoo nabbed all the headlines last week, an equally nasty attack on a cybersecurity site went all but unnoticed, primarily because the attack failed.

Security website KrebsOnSecurity was targeted by a distributed denial of service (DDoS) attack on September 20 that was among the largest internet assaults ever. According to security expert and website owner Brian Krebs, first reports estimated that traffic directed toward the site amounted to about 665 gigabits per second. Later analysis dropped that figure to 620 gigabits per second, still a gargantuan number.

What made the attack unusual is that it appeared “to have been launched almost exclusively by a very large botnet of hacked devices,” Krebs writes in his report. Hundreds of thousands of hacked systems may have been involved in the attack.

Krebs goes on to note that there were signs that the attack was launched “with the help of a botnet that has enslaved a large number of hacked so-called ‘Internet of Things’ (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”
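The "weak or hard-coded passwords" Krebs describes are the whole attack surface for this class of botnet: the credentials are factory defaults, public, and shared by every unit of a model, so a scanner only has to try a short list against whatever answers on telnet or SSH. The following is an added example, not code from Krebs's report or from any device vendor, of how an operator who collects login events from their own IoT fleet can spot that pattern and list the devices that must be re-credentialed. The log format, device names, addresses and the short default-credential list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed device syslog lines (not from Krebs's report or any real
# network): each records a login attempt against one of our own IoT devices.
SAMPLE_LOG = """\
2016-09-20T21:03:11Z dvr-03 telnet from 203.0.113.7 login [root/xc3511] succeeded
2016-09-20T21:03:12Z cam-11 telnet from 198.51.100.23 login [root/xc3511] succeeded
2016-09-20T21:03:14Z cam-11 telnet from 192.0.2.99 login [admin/admin] failed
2016-09-20T21:03:15Z router-01 telnet from 203.0.113.8 login [root/vizxv] succeeded
2016-09-20T21:03:17Z router-01 ssh from 198.51.100.44 login [ops/S7r0ng!Pass#2016] failed
2016-09-20T21:03:19Z dvr-03 telnet from 192.0.2.100 login [root/xc3511] failed
2016-09-20T21:03:20Z cam-12 telnet from 203.0.113.9 login [admin/admin] succeeded
"""

# Short constructed list of factory-default username/password pairs of the
# kind the article describes; a real deployment loads the full list for its
# own device fleet. The point is that these are public and shared by every unit.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "888888"), ("root", "default"),
    ("admin", "admin"), ("admin", "password"), ("root", ""), ("admin", ""),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<proto>telnet|ssh) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"login \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def default_credential_hits(log_text):
    """Per default pair: how many distinct sources tried it and how often it worked.
    Many unrelated sources trying the same vendor default is the signature of a
    self-propagating scanner, not an administrator who forgot a password."""
    hits = defaultdict(lambda: {"sources": set(), "succeeded": 0})
    for ev in parse(log_text):
        pair = (ev["user"], ev["password"])
        if pair in DEFAULT_CREDS:
            hits[pair]["sources"].add(ev["src"])
            if ev["result"] == "succeeded":
                hits[pair]["succeeded"] += 1
    return dict(hits)


def devices_to_recredential(log_text):
    """Devices where a factory default actually logged in: they still run the
    shipped password and should be treated as enrolled in a botnet until they
    are re-credentialed (or taken off the public Internet entirely)."""
    return {
        ev["device"]
        for ev in parse(log_text)
        if ev["result"] == "succeeded" and (ev["user"], ev["password"]) in DEFAULT_CREDS
    }


if __name__ == "__main__":
    for pair, info in default_credential_hits(SAMPLE_LOG).items():
        print(f"{pair[0]}:{pair[1]} tried from {len(info['sources'])} sources, "
              f"{info['succeeded']} successful logins")
    print("re-credential:", sorted(devices_to_recredential(SAMPLE_LOG)))
```

On the constructed sample, root:xc3511 is tried from three unrelated addresses and succeeds twice, and four devices accepted a default pair; the one non-default attempt (ops with a strong password) is ignored rather than flagged. Changing the password on the flagged devices is the minimum; a device that needs telnet reachable from the open Internet to function is a design problem no password fixes.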

In July of last year, Fiat Chrysler recalled more than 1.4 million vehicles after testing proved that it was possible to hack into the vehicles’ software and take control of the engine and steering. IoT devices from door locks to thermostats have been hacked in similar demonstrations. Think about that the next time an appliance salesperson begins the spiel about the convenience of connected devices.

The latest data breach count from the Identity Theft Resource Center (ITRC) reports that there have been 708 data breaches recorded this year through September 27, 2016, and that nearly 29 million records have been exposed since the beginning of the year. The total number of reported breaches increased by 21 since ITRC’s last report on September 20.

The number of breaches in 2015 totaled 781, just two shy of the record 783 breaches that ITRC tracked in 2014. The 708 data breaches reported so far for 2016 are more than 16% above the number reported (609) for the same period last year. A total of more than 169 million records were exposed in 2015.

Here’s a rundown of the latest ITRC report:

  • The medical/health care sector leads them all in the number of records compromised to date in 2016. The sector has posted 36.2% (256) of all data breaches to date this year. The number of records exposed in these breaches totaled nearly 13.6 million, or about 47.2% of the total so far in 2016.
  • The government/military sector has suffered 51 data breaches so far this year, representing about 42.5% of the total number of records exposed and 7.2% of the incidents. More than 12 million records have been compromised in the government/military sector to date in 2016.
  • The business sector accounts for more than 2.5 million exposed records in 308 incidents. That represents 43.5% of the incidents and 8.8% of the exposed records.
  • The number of banking/credit/financial breaches totals 26 for the year to date and involves more than 25,000 records, some 3.7% of the total number of breaches and about 0.1% of the records exposed.
  • The educational sector has seen 67 data breaches in 2016. The sector accounts for 9.5% of all breaches for the year and more than 400,000 exposed records, about 1.4% of the total so far this year.

Since beginning to track data breaches in 2005, ITRC had counted 6,518 breaches through September 27, 2016, involving more than 880 million records.

Article source: http://247wallst.com/technology-3/2016/09/30/data-breaches-top-700-so-far-in-2016/



Yahoo! ‘Largest data breach in history?’ – MyNewsLA.com

A sign outside the Yahoo! headquarters in Sunnyvale. Photo by Sebastian Bergmann via Wikimedia Commons

A Los Angeles man who has held a Yahoo! user account for more than a decade filed a lawsuit against the company stemming from the technology firm’s acknowledgment of a widespread data breach.

Brendan Quinn’s Los Angeles Superior Court proposed class-action lawsuit alleges negligence, breach of contract and violations of the state’s Civil Code and Business and Professions Code.

Quinn is seeking unspecified damages as well as an injunction directing Yahoo to immediately encrypt all confidential user information and to immediately notify users whose personal information is compromised and to provide them with identity-theft monitoring.

Yahoo communications manager Megan Levinson told City News Service, “Yahoo doesn’t comment on ongoing litigation.”

Sunnyvale-based Yahoo announced on Friday that a recent internal investigation showed that sensitive information involving 500 million user accounts was stolen from the company’s network in late 2014 by what the company believes was a “state-sponsored actor.”

“Reports indicate this is the largest data breach in history,” the suit states.

According to the 24-page lawsuit, Quinn provided his name, phone number and date of birth when he registered for his Yahoo account. He says he uses the account for a “variety of general purposes and reasonably expected that … Yahoo would maintain the privacy of his confidential account information.”

Given the size of the Yahoo security problem, Quinn’s account “was almost certainly amongst those included in the data breach,” according to the suit.

—City News Service


Article source: http://mynewsla.com/crime/2016/09/28/yahoo-largest-data-breach-in-history/


This Is Why Yahoo Did Not Reset Passwords Following Data Breach

As you might have heard by now, especially if you’re a Yahoo user, the company has recently experienced a massive data breach. Usually in such cases, one of the first things a company does is reset its users’ passwords: if login credentials have been stolen, the attackers cannot use them once the passwords are changed.

Unfortunately this did not happen during Yahoo’s data breach, and if you think that was weird, a report from The New York Times seemingly explains why. The article is rather lengthy, but to sum it up, this appears to be largely due to decisions made by Yahoo’s CEO Marissa Mayer, who, according to the report, prioritized developing new products over making security improvements when she took over as CEO.

To be fair, Mayer had the monumental task of trying to turn the company around and obviously getting people excited about new products and a new look made sense, although unfortunately this seemingly was at the expense of security. The article reads, “The ‘Paranoids,’ the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.”

However, Yahoo disputes this. According to company spokeswoman Suzanne Philion, Yahoo spent $10 million on encryption technology in 2014, and that investment increased by 60% from 2015 to 2016. “At Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure.”

Now we can’t confirm whether or not it is true that security did take a backseat over the development of new products, but if it is, it is rather unsettling especially when in the past few years we’ve seen many huge companies experience data breaches. In the meantime if you are a Yahoo user, perhaps now is a good time to change your password if you haven’t done so already.


Article source: http://www.ubergizmo.com/2016/09/yahoo-did-not-reset-password-after-breach/



Yahoo! data breach likely exceeds 500 million records

When added up, all the hacked records total about 3.5 billion.

InfoArmor is reporting that the Yahoo! data breach likely contains millions more records than the 500-million figure now being bandied about and the total number of user records that have been stolen by the various groups involved in this and other recent hacks could total 3.5 billion.

The company is also disputing the idea put forth by Yahoo! that the hack was performed by a state actor; instead, the security firm believes a group of Eastern Europeans is responsible. The records involved in this case were taken in 2014.

Andrew Komarov, InfoArmor CEO, told SCMagazine.com that the Yahoo! breach easily surpasses the 500 million mark, judging from a sample of several million of the stolen records his company was able to obtain, but he was reticent to put out an exact figure at this time and berated other firms for issuing numbers before the validation process was completed.

“We need to validate the data leaks and not trust the words from the threat actors,” he said, adding more time is needed to determine the exact number involved.

Komarov said this also holds true when assigning blame for an attack. When news of the breach broke, a state-sponsored group was assumed to be the source. InfoArmor disputes that report, stating that credit belongs to an Eastern European gang it calls Group E. The only involvement a state-sponsored group has with the attack is that Group E did sell part of the Yahoo! data dump to such an organization, while two other sales were made to gangs specializing in spam attacks, Komarov said. About $300,000 was charged for the data in each case.

Because Group E is selling to specific customers it has not posted the Yahoo! database to the web, instead it is being sold in pieces through proxies, InfoArmor wrote.

Michael Lipinski, CISO and chief security strategist at Securonix, told SCMagazine.com in an email that a true determination of credit will be difficult until Yahoo! is more forthcoming with information.

“Unfortunately, we are still speculating since there has been no release of information from Yahoo!,” Lipinski said. “Sure it’s possible that a state actor with ulterior motives contracted with the folks that already had the formula for breaching Yahoo! from the work done on LinkedIn, DropBox and Myspace. That’s a reasonable assumption. Why reinvent the wheel if you don’t have to,” he said.

However, Lipinski is more troubled by Yahoo!’s general inaction in responding to the hack.

“The lack of discovery of this breach on Yahoo!’s part gave whoever took this information exactly what they wanted,” he said. “They had the account information that we now know was crackable. If they had ulterior motives, they had years to benefit from that obtained information and lack of notification to users of those accounts. That’s my larger concern.”

While the 500-million-plus Yahoo! user records is a massive number, InfoArmor believes the total number of records stolen over the last several years is several times that size. When Group E’s pile of Yahoo! data is added to those taken from LinkedIn, Myspace, Dropbox, and other big attacks and then combined with all the other attacks that have taken place, the total number of records compromised is likely in the region of 3.5 billion, or about the same number of people who are known to use the internet, Komarov noted.

Yahoo! has not yet responded to SCMagazine.com’s inquiry for further information.

Article source: http://www.scmagazine.com/yahoo-data-breach-likely-exceeds-500-million-records/article/525990/


Privacy watchdog called after Health Department data breach

There are fears patients’ sensitive medical information could have been made public in a Medicare data breach by the health department.

Health Minister Sussan Ley insists the data, which was loaded onto the internet, does not identify patients. 

The Health Department says no patient privacy was compromised in a recent data breach. Photo: Andrew Quilty

But Dr Nathan Pinskier, the chair of the RACGP expert committee for e-health, said it was possible patients could be distinguished amongst the data and such a breach could be “devastating”.

“There is a possibility individual consumers could be identified,” he said. “…if you can identify data in a remote part of Australia where there’s only a few consumers you’ll be able to work out who they are pretty quickly.”

The privacy watchdog is investigating whether patients’ medical information was released and the government has rushed through a new privacy crime in the wake of the data breach.

The data on the Pharmaceutical Benefits and Medicare Benefits schemes was not associated with patients’ details but it was linked to some doctor and other health service provider numbers, which Ms Ley admitted could be decrypted. This means that doctors and potentially what they were prescribing could be identified.
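The two failure modes the articles describe are worth seeing concretely: a provider-number "encryption" that can be undone, and patient rows whose quasi-identifiers are unique in a sparsely populated area, which is Dr Pinskier's point above. The following is an added example, not the Department of Health's code or a description of its actual scheme (which none of the articles detail). The pseudonymisation method, the six-digit provider numbers, the HMAC key and the sample rows are all constructed for the illustration.

```python
import hashlib
import hmac
from collections import Counter


# Constructed toy scheme, NOT the Department of Health's actual method (the
# articles do not describe it): a six-digit provider number is "de-identified"
# as the hex SHA-256 of its decimal string, with no secret key. The mapping is
# deterministic and the input space is under a million values, so anyone can
# rebuild the whole lookup table and undo it.
def pseudonymise(provider_no: int) -> str:
    return hashlib.sha256(str(provider_no).encode()).hexdigest()


# Keyed alternative: without the key there is nothing to enumerate against.
# It is still deterministic, so every row from one provider still shares a
# token and the provider's full billing profile remains linkable.
def pseudonymise_keyed(provider_no: int, key: bytes) -> str:
    return hmac.new(key, str(provider_no).encode(), hashlib.sha256).hexdigest()


def invert_unsalted_pseudonyms(pseudonyms, id_range=range(100000, 1000000)):
    """Recover provider numbers by walking the whole ID space once."""
    targets = set(pseudonyms)
    recovered = {}
    for n in id_range:
        token = pseudonymise(n)
        if token in targets:
            recovered[token] = n
            if len(recovered) == len(targets):
                break
    return recovered


# Constructed sample rows, not from the real release: patient quasi-identifiers
# (postcode, sex, year of birth) plus the pseudonymised provider and the
# Medicare item billed. There are no names anywhere in the table.
SAMPLE_ROWS = [
    {"provider": pseudonymise(245871), "postcode": "3000", "sex": "F", "yob": 1975, "item": "23"},
    {"provider": pseudonymise(245871), "postcode": "3000", "sex": "F", "yob": 1975, "item": "36"},
    {"provider": pseudonymise(245871), "postcode": "3000", "sex": "F", "yob": 1975, "item": "23"},
    {"provider": pseudonymise(245871), "postcode": "3000", "sex": "M", "yob": 1982, "item": "23"},
    {"provider": pseudonymise(245871), "postcode": "3000", "sex": "M", "yob": 1982, "item": "23"},
    {"provider": pseudonymise(245871), "postcode": "3000", "sex": "M", "yob": 1982, "item": "23"},
    # one patient in a remote postcode: a (postcode, sex, yob) triple of size 1
    {"provider": pseudonymise(871204), "postcode": "0872", "sex": "F", "yob": 1949, "item": "23"},
]


def small_groups(rows, quasi_ids, k=5):
    """Quasi-identifier combinations shared by fewer than k rows. Each one is a
    re-identification risk: where only a few people live, the triple can point
    at exactly one person even though the release carries no name."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}


def provider_profiles(rows, recovered):
    """Once tokens are inverted, group billed items per real provider number:
    this is the 'what they were prescribing' exposure the article describes."""
    profiles = {}
    for r in rows:
        provider_no = recovered.get(r["provider"])
        if provider_no is not None:
            profiles.setdefault(provider_no, Counter())[r["item"]] += 1
    return profiles


if __name__ == "__main__":
    recovered = invert_unsalted_pseudonyms({r["provider"] for r in SAMPLE_ROWS})
    print("recovered provider numbers:", sorted(recovered.values()))
    print("billing profiles:", provider_profiles(SAMPLE_ROWS, recovered))
    print("groups with k < 3:", small_groups(SAMPLE_ROWS, ("postcode", "sex", "yob"), k=3))
```

Run stand-alone, the enumeration recovers both constructed provider numbers in well under a second, rebuilds each provider's item profile, and flags the single remote-postcode row as a group of size one. The k-anonymity check is exactly the kind of pre-release test a "proper threat risk assessment" would include; a keyed pseudonym closes the enumeration route but, as the comment notes, does nothing for the linkage problem.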

Ms Ley has apologised to doctors over the accidental leaking of the sensitive Medicare data.

The sensitive information was uploaded onto the internet months ago but it wasn’t until a University of Melbourne researcher contacted the department about the “vulnerability” on September 8 that it was removed, Ms Ley said.

The Attorney-General made an urgent amendment to the Privacy Act yesterday to make it an offence to re-identify de-identified data.

“As a government we’ve acted swiftly in the public interest and announced changes to the Privacy Act, which will make it a criminal offence to re-identify publicly available de-identified information for unauthorised purposes and disseminate that information effective of yesterday,” Ms Ley said.

She apologised for the breach at a gathering of doctors in Perth on Thursday afternoon and said no patient information had been compromised.

“The department immediately removed the data set, advised the privacy commissioner, and after thorough consultation with government security experts have advised me that there was no release of confidential information in the public arena,” Ms Ley told thousands of doctors at the Royal Australian College of General Practitioners meeting.

“There were no provider names in the data set and no patient information has been compromised.

“I’ve also received assurances from the Department of Health that the data set did not include names or addresses of service providers and no information about those service providers has been publicly identified or released.”

But Dr Pinskier, a Melbourne GP, said there was a possibility patients could be identified and that creating a new law would not stop the release of this information if somebody wanted to release it.

“If you can re-aggregate it, even though it’s illegal to do so, somebody probably will,” he said.

“You can’t pull it back, so if my sensitive health care data or my practice profile or patterns are exposed, once it’s out there, it’s out there.”

Privacy Commissioner Timothy Pilgrim said his office had already begun looking into the breach.

“The primary purpose of the investigation is to assess whether any personal information has been compromised or is at risk of compromise, and to assess the adequacy of the Department of Health’s processes for de-identifying information for publication,” he said.

“I welcome the decision of the Department of Health to immediately suspend access to the data set.”

“The results of my investigation will be published at its conclusion.”

Rania Spooner travelled to Perth as a guest of the RACGP

Article source: http://www.theage.com.au/national/public-service/privacy-watchdog-called-after-health-department-data-breach-20160929-grr2m1.html


Jive resets Producteev passwords after August data breach

Software house Jive has reset customers’ passwords after the company discovered a data breach.


The Palo Alto, California-based company said in a notification letter to the state’s attorney general on Friday — released this week — that some email addresses and passwords associated with its Producteev task management software had been accessed by an outsider.

The company said that the logins were “held in a file outside our normal encryption procedures.”

A Jive spokesperson would not say what those procedures included, or if the file was encrypted at all.

“Based on our research, it appears that only a very small number of Producteev user account credentials were accessed but unfortunately we cannot confirm that these were the only Producteev accounts compromised,” said the spokesperson in an email to ZDNet.

The company said the month-long delay between discovering the breach and notifying its customers was to take “immediate steps to investigate and remedy the issue.”

“As an added safeguard, we recommended that all Producteev users change their passwords,” the spokesperson said.

The company added that no other Jive products were impacted by the breach.
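Two of the posts above turn on the same mechanism: the Yahoo piece explains that stolen credentials stop working once passwords are reset, and Jive's logins sat "in a file outside our normal encryption procedures". The following is an added example, not Yahoo's or Jive's code, of a credential store in which passwords only ever exist as salted, slow-KDF output, and in which a breach response is one counter bump that invalidates every stored password at once instead of racing the attacker account by account. The KDF parameters, the generation counter and the user data are constructed for the example; the out-of-band reset flow (email link, identity verification) is out of scope.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # constructed value; raise it as hardware allows


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow KDF: a stolen table cannot be reversed with a
    # precomputed table, and every guess costs the attacker the full iteration
    # count. A plaintext or fast-hash copy of the same logins kept elsewhere
    # (the Jive scenario) defeats all of this, so there must be no such copy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    generation: int  # value of CredentialStore.generation when this password was set


@dataclass
class CredentialStore:
    generation: int = 0
    users: dict = field(default_factory=dict)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per password
        self.users[user] = Credential(salt, _derive(password, salt), self.generation)

    def force_reset_all(self) -> None:
        """Breach response: everything set before this call now requires a reset."""
        self.generation += 1

    def login(self, user: str, password: str) -> str:
        cred = self.users.get(user)
        if cred is None:
            # Derive anyway so a missing account is not visible through timing.
            _derive(password, b"\x00" * 16)
            return "denied"
        if not hmac.compare_digest(cred.digest, _derive(password, cred.salt)):
            return "denied"
        if cred.generation < self.generation:
            # Right password, but it predates the breach: the attacker may hold
            # it too, so it buys nothing until the user sets a new one.
            return "reset_required"
        return "ok"


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))  # ok
    store.force_reset_all()
    print(store.login("alice", "correct horse battery staple"))  # reset_required
```

The point of the generation counter is operational: when a breach is discovered two years late, as in Yahoo's case, there is no way to know which individual accounts were used, so the only defensible answer is to invalidate every credential that existed before the intrusion and let users re-establish them through a verified channel. A correct old password still identifies the user for that flow; it just no longer grants access on its own.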

Article source: http://www.zdnet.com/article/jive-resets-passwords-after-august-data-breach/
