Archive for December, 2016

Star Wars hack: Data breach hits Topps, customers’ card data likely stolen

Hackers have reportedly hit iconic collectable trading card manufacturer Topps. The company’s popular products include Star Wars, Disney’s Frozen, Top Gear and UEFA Champions League cards. The firm reportedly believes that the attackers may have gained access to customers’ sensitive personal and financial information.

The data breach occurred earlier in the year and likely saw the attackers make off with customer information, including debit and credit card data. Topps told the BBC that the security vulnerability has been fixed. The firm is also offering customers one year of free identity theft protection.

Topps sent out email notifications to customers in October, which read, “[They] may have gained access to names, addresses, email addresses, phone numbers, credit or debit card numbers, card expiration dates and card verification numbers for customers [who made purchases] between approximately 30 July 2016 and 12 October 2016.”

“The really unforgivable aspect here is the loss of credit card details,” said cyber-security expert Prof Alan Woodward from Surrey University. “If this was an external attack, these details just should not be accessible or readable. An obvious question is, ‘was the customers’ financial data encrypted?’ If not, that should attract some heavy attention from the appropriate regulators.”

2016 has seen epic data breaches, many of which saw sensitive user data stolen and later leaked on underground hacker forums or dark web marketplaces that listed the stolen records for sale. The shocking 1bn-account Yahoo hack shook the tech sector. Alarmingly, InfoArmor researcher Andrew Komarov claimed to have uncovered that the entire batch of stolen Yahoo accounts had already been sold on the dark web by an Eastern European hacker group called “Group E” for roughly $300,000.

Topps has yet to clarify details of the hack. The firm has not confirmed how many customers may have been affected, or how and why their payment card details were at risk; in particular, it has not explained how card verification numbers, which PCI DSS forbids a merchant from storing once a transaction has been authorised, were exposed at all. It is still uncertain whether any of the potentially stolen data has been leaked online, and the identity and location of the attackers also remain unknown.

Article source: http://www.ibtimes.co.uk/hackers-hit-star-wars-collectable-trading-card-firm-topps-1598770


Federal Court Rules CGL Insurance Covers Data Breach

A federal appeals court in Virginia has upheld a lower federal court in ruling that a commercial general liability policy (CGL) may cover a data breach. In a case involving the publication of private medical records on the internet, the courts found that coverage included in a CGL for personal and advertising injury applied.

Monday’s ruling by the U.S. Court of Appeals for the 4th Circuit is a defeat for Travelers Insurance, which had argued that its 2012 and 2013 CGL policies did not require it to defend its insured, Portal Healthcare Solutions, which was being sued over a data breach.

The U.S. court ruling is at odds with at least two state court rulings, one in Connecticut in 2015 and the other in New York in 2014, that found no coverage for cyber claims in traditional commercial insurance policies.

Monday’s ruling came in the case of a class action filed in New York in 2013 by patients whose private medical records were exposed on the internet for four months. The two individuals initiating the suit said they searched their names on Google and the first links that appeared were to their private medical records from Glens Falls Hospital in New York where they were patients.

The action was brought against Portal, a medical records safekeeping firm with its principal office in Virginia that was hired by Glens Falls Hospital in New York and was insured by Travelers Indemnity.

District Court

In 2013, Travelers sought a declaration that it was not obligated to defend Portal in the civil suit because the breach was not covered under its policies. However, on August 7, 2014, the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers was obligated to defend Portal under its Coverage Part B Personal and Advertising Injury.

In its unpublished per curiam opinion issued Monday, the circuit court of appeals upheld the judgment and the reasoning of the district court. The higher court praised the district court for its “sound legal analysis” and accused Travelers of trying to “parse alternative dictionary definitions” to escape its duty to defend Portal.

Policy Language

Travelers issued Portal two substantially identical insurance policies; the first was effective from January 31, 2012 to January 31, 2013, and the second from January 31, 2013 to January 31, 2014.

The 2012 and 2013 policies — under Coverage Part B Personal and Advertising Injury — obligated Travelers to pay if Portal became legally obligated to pay damages because of an advertising or website injury arising from (1) the “electronic publication of material that… gives unreasonable publicity to a person’s private life” (the language of the 2012 policy) or (2) the “electronic publication of material that… discloses information about a person’s private life” (the language of the 2013 policy).

The district court held, and the circuit court agreed, that the insurance coverage applied to the conduct alleged by the plaintiffs because exposing confidential medical records to online searching is “publication” giving “unreasonable publicity” to, or “disclos[ing]” information about, a person’s private life. Thus, Travelers had a duty to defend Portal against the underlying class action, the court said.

Travelers had argued that there was no “personal injury” or “publication” as defined by the policies because release of the records was not intentional and they were not viewed by a third party. But the court said an unintentional publication is still publication. The court also said the definition of publication does not hinge on third party access.

“Publication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it,” the court said. “By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not ‘published’ until a customer takes the book off the shelf and reads it.”

The lower court said Travelers’ understanding of the term publication “does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search.”

Publicity Argument

Next, the court found that the public availability of a patient’s confidential medical records gave “unreasonable publicity” to that patient’s private life and “disclose[d]” information about that patient’s private life, satisfying the policies’ second prerequisite to coverage.

Travelers had argued that no “publicity” occurred because Portal did not take steps designed to attract public interest or gain public attention or support. But the court said Portal’s conduct fell within a broader and primary definition of “publicity”, which suffices to establish that Portal gave unreasonable publicity to patients’ private lives when it posted their medical records online without security restriction.

State Courts

Travelers cited a 2015 case in which the Connecticut Supreme Court ruled there was no coverage under CGL and umbrella policies issued by Federal Insurance Co. and Scottsdale Insurance Co. for the loss of computer tapes that exposed personal information of IBM employees. In that case, 130 tapes fell out of the back of a van and were retrieved by an unknown person and were never recovered.

But the U.S. appeals court said that precedent did not apply because in the Portal case the information was posted on the internet and not just to a single thief but to anyone with a computer and internet access.

In 2014, a New York court ruled in a CGL policy coverage case that Zurich American Insurance Co. had no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services. The Supreme Court of the State of New York granted summary judgment, ruling that acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the personal and advertising injury coverage under the CGL policy issued by Zurich.

As cyber risk has been evolving, the insurance industry has been trying to clarify that CGL policies exclude coverage for data breaches. The industry’s policy form organization ISO issued optional endorsements in 2013 and 2014 deleting invasion of privacy-related offenses from the definition of personal and advertising injury applicable to Coverage B and addressing access or disclosure of confidential or personal information.

Meanwhile, insurers have been offering standalone cyber policies and endorsements to businesses of all sizes in need of cyber coverage. However, because cyber risk is difficult to model and price, insurers are also being cautious in how much cyber insurance they are writing.

Article source: http://www.claimsjournal.com/news/national/2016/04/12/270072.htm


Data Breaches, Whistleblowers and Augmented Reality Will Confront Courts in 2017


Article source: http://www.therecorder.com/id=1202775885942/Data-Breaches-Whistleblowers-and-Augmented-Reality-Will-Confront-Courts-in-2017


2016 was the Year of the Data Breach


Article source: http://www.jdsupra.com/legalnews/2016-was-the-year-of-the-data-breach-66683/


Possible data breach involving Holiday Inn, other hotels

by: Jason Stoogenke
Updated: Dec 30, 2016 – 3:28 PM

The company that owns the Holiday Inn family of hotels confirmed a possible data breach. 

InterContinental Hotels Group (IHG) told Action 9 investigator Jason Stoogenke it hired an outside security firm to help investigate.

Guests at Holiday Inn, Holiday Inn Express, Staybridge Suites, Candlewood Suites and Crowne Plaza could be impacted, but especially Holiday Inn and Holiday Inn Express customers, according to national media reports. It’s not clear how many customers are impacted.

IHG emailed Stoogenke about the possible breach:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations. We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support. We continue to work with the payment card networks. We are committed to swiftly resolving this matter.”

According to experts, in other cases where hackers hit hotels, they put malware on the card readers at the hotels’ bars and restaurants and were then able to steal the information from each card swiped.

If you’re a guest or plan to be one at a hotel: 

  • Check your financial statements often.
  • Report any unusual charges right away. You shouldn’t be responsible for those charges.
  • Use credit instead of debit whenever possible. Credit has more fraud protection and — unlike debit — doesn’t give thieves direct access to your checking account.


Article source: http://www.wsoctv.com/news/action-9/possible-data-breach-involving-holiday-inn-other-hotels/479997962


State IT chief says human error allowed DHHS data breach | New …


CONCORD – A patient at the state psychiatric hospital was able to access confidential information on 15,000 clients of Health and Human Services because of human error, according to Denis Goulet, the state’s chief technology officer.

Goulet, commissioner of the Department of Information Technology, said on Thursday that the investigation into the data breach so far has revealed that the problem started when a file server was reconfigured with unintended consequences.

“The typical way we configure a PC that is accessed by someone who is not a state employee would be to not have it on the state network,” he said. “There are times, however, when business requirements dictate that we would have such a PC on the network, and that was the case with the New Hampshire Hospital PCs. They were on the state network.”

That’s because the librarians needed to use the same PCs to do some of their work, he explained. The librarians would log on with their credentials and, when done with their work, would log off and log in again with user names and passwords that were designed for patient use with limited access.

“However, at some point in the past, and I phrase it that way because we haven’t figured out the details of when the change was made, the file server that the breached information resided on had a subtle configuration change that allowed someone who was inquisitive to find this information,” said Goulet. “An unintended change in the file server configuration allowed this access.”

He described the process of configuring file servers these days as “quite complicated.”

“It takes a fair amount of expertise and a lot of time and effort to understand the implications of what you are doing at all times,” Goulet said. “Human error happened, and we are taking steps to keep it from happening again.”

Goulet said his department has responded so far in three ways. Policies and documentation on the use of state-owned PCs by non-employees have been communicated to all users, “so we all know what the expectations are as to the use of these devices,” he said.

The state is more closely auditing shared devices “because they carry more risk,” he said.

And the state is minimizing the number of situations in which a PC used by non-employees would have access to the state network.

The IT department’s analysis so far has not revealed any other vulnerabilities in the state computer systems similar to what existed at New Hampshire Hospital, according to Goulet.

“We’re continuing the technical investigation of this so there may be more information coming forward,” he said.
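Goulet’s account amounts to a file-server ACL that drifted, at an unknown time, until a low-privilege patient logon on a shared PC could read the share. The following is an added example, not code from the original article or from the New Hampshire Department of Information Technology, of the check that answers both of his problems (what changed, and who can now reach sensitive data): parse an icacls-style permissions listing, diff it against a saved baseline, and flag any allow entry on a sensitive path whose principal is a low-trust group. The share paths, the group names (EXAMPLE\HHS-Caseworkers, EXAMPLE\Librarians, EXAMPLE\Library-Kiosk-Users) and both listings are constructed for the example; the parser assumes paths contain no spaces, since icacls separates the path from the first ACE with a single space.

```python
"""Added example: detect ACL drift on a file share and flag grants that
reach low-trust logons (such as a shared kiosk or patient account).

Input is an icacls-style listing (as produced by `icacls <path> /t`):
the first line for each path is "<path> <principal>:<rights>", further
ACEs on that path follow on indented lines. Paths here contain no spaces.
"""
import re
from dataclasses import dataclass

# "<principal>:(OI)(CI)(RX)" -- principal has no colon; rights are bracketed codes.
ACE_RE = re.compile(r"(?P<principal>[^:]+):(?P<rights>(?:\([A-Z,]+\))+)")

# Principals whose membership is effectively "anyone who can log on".
# On a domain-joined server BUILTIN\Users contains Domain Users, so a
# kiosk or patient logon in the domain inherits any grant made to it.
# EXAMPLE\Library-Kiosk-Users is a hypothetical group for this example.
LOW_TRUST = {
    "everyone",
    "nt authority\\authenticated users",
    "builtin\\users",
    "example\\library-kiosk-users",
}


@dataclass(frozen=True, order=True)
class Ace:
    path: str
    principal: str
    rights: str     # raw icacls codes, e.g. "(OI)(CI)(RX)"
    deny: bool


def parse_icacls(text: str) -> list[Ace]:
    """Turn an icacls listing into one Ace per (path, principal) line."""
    aces: list[Ace] = []
    path = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if not indented:
            # new path: everything up to the first space is the path
            candidate, _, line = line.partition(" ")
            line = line.strip()
        m = ACE_RE.fullmatch(line)
        if not m:
            continue        # e.g. "Successfully processed 2 files; ..."
        if not indented:
            path = candidate
        if path is None:
            continue
        rights = m.group("rights")
        aces.append(Ace(path, m.group("principal"),
                        rights.replace("(DENY)", ""), "(DENY)" in rights))
    return aces


def acl_drift(baseline: list[Ace], current: list[Ace]) -> tuple[list[Ace], list[Ace]]:
    """(added, removed) ACEs relative to the approved baseline."""
    base, cur = set(baseline), set(current)
    return sorted(cur - base), sorted(base - cur)


def risky_grants(aces: list[Ace], sensitive_prefixes: list[str],
                 low_trust: set[str] = LOW_TRUST) -> list[Ace]:
    """Allow ACEs on sensitive paths whose principal is in the low-trust set."""
    prefixes = tuple(p.lower() for p in sensitive_prefixes)
    return [a for a in aces
            if not a.deny and "(N)" not in a.rights
            and a.path.lower().startswith(prefixes)
            and a.principal.lower() in low_trust]


def audit(baseline_text: str, current_text: str, sensitive_prefixes: list[str]) -> dict:
    base, cur = parse_icacls(baseline_text), parse_icacls(current_text)
    added, removed = acl_drift(base, cur)
    return {"added": added, "removed": removed,
            "risky": risky_grants(cur, sensitive_prefixes)}


# Constructed listings: the approved baseline and a later snapshot in which
# one ACE has quietly appeared on the client-records share.
BASELINE_LISTING = r"""
C:\Shares\HHS\ClientRecords NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)
                            EXAMPLE\HHS-Caseworkers:(OI)(CI)(M)
C:\Shares\Library\Public EXAMPLE\Library-Kiosk-Users:(OI)(CI)(RX)
                         EXAMPLE\Librarians:(OI)(CI)(M)
Successfully processed 2 files; Failed processing 0 files
"""

CURRENT_LISTING = r"""
C:\Shares\HHS\ClientRecords NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)
                            EXAMPLE\HHS-Caseworkers:(OI)(CI)(M)
                            BUILTIN\Users:(OI)(CI)(RX)
C:\Shares\Library\Public EXAMPLE\Library-Kiosk-Users:(OI)(CI)(RX)
                         EXAMPLE\Librarians:(OI)(CI)(M)
Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    report = audit(BASELINE_LISTING, CURRENT_LISTING, [r"C:\Shares\HHS"])
    for ace in report["added"]:
        print("ADDED", ace.path, ace.principal, ace.rights)
    for ace in report["risky"]:
        print("RISKY", ace.path, ace.principal, ace.rights)
```

Run on a schedule and keep each day’s listing, and the “we haven’t figured out when the change was made” question answers itself from the first snapshot that shows the added entry. The kiosk group on the public library share is not flagged because that path is not sensitive; the BUILTIN\Users read grant on the client-records share is, because on a domain member that group includes every domain account, restricted patient logons included.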


Article source: http://www.unionleader.com/state-government/state-it-chief-says-human-error-allowed-dhhs-data-breach--20161229


InterContinental Hotels Investigates Credit Card Data Breach

Holiday Inn parent company InterContinental Hotels Group (IHG), which runs more than 5,000 hotels worldwide, is investigating a possible credit card breach at some U.S. locations.

KrebsOnSecurity received reports last week from sources who work in fraud prevention at a number of financial institutions. The sources told Krebs they were seeing fraud patterns on debit and credit cards that suggested a breach at IHG properties, particularly Holiday Inn and Holiday Inn Express hotels.

A spokesperson for IHG told Krebs the company had already received similar reports and had hired an outside security firm to assist in the investigation. The company stated, “IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations. We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support.  We continue to work with the payment card networks.”

The company also said it will work to resolve the breach quickly, but advised customers to monitor their card statements for fraudulent transactions: “We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

This is not the first breach IHG has suffered this year. Kimpton Hotels suffered a similar attack. Hackers were able to compromise the payment card system by installing malware on the payment terminals of over 60 hotels and restaurants. Once the malware is installed, criminals have access to the credit card information of anyone who pays at the terminal. Card information includes the cardholder name, card number, expiration date and CVV code.
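The malware described here, and in the Holiday Inn report above, is a point-of-sale RAM scraper: it reads the memory of the terminal or checkout process after a swipe, where the magnetic-stripe data sits in clear text unless the terminal uses point-to-point encryption, and harvests anything that looks like a card track. The following is an added example, not code from the original articles or from IHG, Kimpton or KrebsOnSecurity, showing the ISO/IEC 7813 Track 2 pattern such malware searches for, with a Luhn check to discard digit runs that merely look like card numbers; a defender can run the same scan over a terminal memory dump to confirm whether clear-text track data is present at all. The memory buffer is constructed for the example and the card numbers in it are public test PANs.

```python
"""Added example: hunt a memory buffer for magnetic-stripe Track 2 data.

A POS RAM scraper does the same search against the card-reader or
checkout process; a defender can run it against a memory dump to see
whether clear-text track data is sitting in a terminal's memory at all.
"""
import re

# ISO/IEC 7813 Track 2: start sentinel ';', PAN (13-19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# (The LRC after '?' is not part of the match.)
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; a random digit run passes it only 1 time in 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 (BIN) and last 4, the most PCI DSS allows on a display or log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list[dict]:
    """Return every Luhn-valid Track 2 record in buf, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue            # digit run that merely looks like a card number
        exp = m.group("exp").decode("ascii")     # YYMM as stored on the stripe
        rest = m.group("rest").decode("ascii")
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{exp[2:]}/{exp[:2]}",     # shown as MM/YY
            "service_code": rest[:3],             # e.g. 201 = chip preferred
        })
    return hits


# Constructed memory image: two real-looking swipes (public test PANs),
# one Luhn-invalid decoy, and unrelated process data around them.
SAMPLE_MEMORY = (
    b"\x00\x00pos-terminal 2.1\x00"
    b";4111111111111111=2512101123400001?"   # valid, expires 12/25
    b"\x00\x00;4111111111111112=2512101?"    # fails Luhn: ignored
    b"GET /health HTTP/1.1\r\n"
    b";5500000000000004=2701201?"            # valid, expires 01/27
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

The scan only reports a masked PAN, which is the form an investigator’s own notes should take; the scraper, of course, keeps the whole track. Card verification numbers (CVV2) are not on the stripe, so a swipe-based compromise yields track data but not the CVV, whereas the Kimpton description above (cardholder name, number, expiry and CVV) points at data entered at the terminal rather than only read from the stripe.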

Article source: http://www.lowcards.com/intercontinental-hotels-investigates-credit-card-data-breach-46804


HHS data breach: A timeline


Key dates and events involved in the breach of personal information for 15,000 clients of public assistance programs with the state Department of Health and Human Services, according to state officials and police:

• Oct. 10, 2015: A patient in the state psychiatric hospital gets unauthorized access to personal information of HHS clients while using a computer in the hospital library.

• July 10, 2016: Now a former patient, he posts to Facebook HHS training information that he only could have gotten by getting into the department’s network.

• Aug. 10, 2016: A hospital security officer reads a Facebook message to her from the former patient who states he had taken an “archive” of documents off an HHS server.

• Sept. 1, 2016: Investigators learn from state information technology security that computers in the hospital library were not properly locked out of the state network. This meant the patient merely had to click on a shortcut to gain access to confidential personal information and internal documents.

• Sept. 2, 2016: A Merrimack County prosecutor tells state investigators they are unlikely to get a judge to issue a search warrant of the former patient’s computer due to his mental health status and that the person may not have realized what he was doing was unauthorized.

• Nov. 4, 2016: State hospital campus police confirm “several hundred documents, pictures” and personal information of HHS clients are posted by the former patient on Facebook.

• Nov. 5, 2016: The former patient goes to the Salem Police Department and turns over a CD with data he tells an officer “belonged to the state of New Hampshire.”

• Nov. 5, 2016: The former patient tells state investigators he copied the files because he was “bored” and unhappy at the state hospital. He admits that back in October 2015 he had sent all these files to his personal Gmail account and later backed them up on his laptop, an external hard drive and a CD.

• Nov. 6, 2016: Sixth Circuit Court Judge Edward Gordon grants a warrant for investigators to search all the patient’s computer devices as it investigates whether to charge him with unauthorized access to a computer network.

• Dec. 27, 2016: Health and Human Services Commissioner Jeffrey Meyers announced the data breach 53 days after the Nov. 4 Facebook posting and apologized to victims; federal law required public notice occur within 60 days.

• Dec. 29, 2016: State prosecutors confirm the former patient has not been arrested and is not being identified due to privacy concerns and to preserve the integrity of the ongoing investigation.



Article source: http://www.unionleader.com/state-government/HHS-data-breach-A-timeline-12292016


Some Arvest Accounts Affected By Merchant Data Breach | Fort …



FORT SMITH (KFSM) — A small number of Arvest Bank accounts were affected in a merchant data breach during the Christmas holiday, according to the bank’s president.

Several Arvest customers told 5NEWS they had unauthorized charges on their accounts at locations in Texas. A merchant data breach means account information was stolen from a specific merchant, not the bank.

President Rodney Shepard said about one-tenth of one percent of the bank’s accounts have been affected by the breach. Arvest is aware of the issue and is working with customers to get their money back.

He advised customers to monitor the activity on their accounts for suspicious transactions.

“What we have seen in the past in other [merchant] breaches, obviously customers and financial institutions are impacted and it is further into the investigation where it is determined what merchant or merchants have been compromised,” Shepard said.

He also noted both debit and credit Visa customers are protected against fraudulent activity through Visa’s zero liability policy.

While Target’s 2013 breach made headlines because of the nearly 70 million customers who were affected, Shepard said small merchant data breaches, like the one affecting some Arvest customers, happen often during the holidays.

Arvest said other banks in the region have also been affected by the merchant breach, so they also recommend those who don’t bank with Arvest check their accounts.

Article source: http://5newsonline.com/2016/12/29/some-arvest-accounts-affected-by-merchant-data-breach/

