Archive for February, 2017

ICO slaps health firm with £200k fine over audio recording data breach boo-boo

THE ICO HAS SLAPPED a health firm with a £200,000 fine for emailing audio recordings of outpatient letters in an unencrypted format, the transcripts of which were then searchable online via an insecure FTP server.

The ICO issued the fine to the HCA International Ltd after it was alerted to the fact the transcripts of outpatients letters could be found online.

The audio recordings were sent to a company in India for transcribing before being sent back to the staff at HCA International. However, the company used an insecure FTP to store and send the data, meaning it was available online for anyone to access.

A customer made the firm aware of this on 8 April 2015 and the ICO subsequently investigated.

The ICO has now issued the fine because HCA International Ltd had failed to adequately ensure third-party contractors were following adequate data protection guidelines, as it is required to do when collecting and sharing personal data, and sending the audio recording unencrypted.

Head of ICO enforcement, Steve Eckersley said the case was particularly galling given the company was aware of it data protection requirements in-house but had not considered anything beyond this.

Related: ICO slams charities for ‘wealth screening’ data protection breaches

“The hospital had a duty to keep the information secure. Once information is online it can be accessed by anyone and could have caused even more distress to people who were already going through a difficult time,” he said.

“What makes this case even worse is that we know the company is aware of its data protection obligations and already has appropriate safeguards in place in other areas of its business.

“The situation could have been avoided entirely if HCA International had taken the time to check up on the methods used by the contract company.”

A Lister Fertility Clinic Spokesman, the division of HCA in which the breach happened, said the firm would be improving security as a result of the incident.
 
“We take the protection of our patients’ confidential and sensitive information extremely seriously, however on this occasion we fell short of both the standards of the ICO and the high standards we set for ourselves,” a spokesperson said.

“We have apologised to the seven patients affected for the distress this may have caused and we no longer work with the company involved.  The Lister Fertility Clinic has put in place more rigorous checks and measures to ensure the safety of our patients’ information.” µ

<!–

–>

  • <!–

  • Save this article

  • –>

Article source: http://www.theinquirer.net/inquirer/news/3005556/ico-slaps-health-firm-with-gbp200k-fine-over-audio-recording-data-breach-boo-boo

,

No Comments

‘Massive’ Arby’s data breach put customers at risk, lawsuits allege

Arby’s has more than 1,000 corporate locations, where the hacks were reportedly isolated, thus not reaching its franchise locations. In total, the chain has more than 3,300 restaurants, according to the suit. 

Article source: http://www.ajc.com/news/local/massive-arby-data-breach-put-customers-risk-lawsuits-allege/gGJrn3ncCd9fRT7OrCuAjP/

,

No Comments

Redmond schools hit by major employee data breach – KTVZ

Redmond School District Data Breach






REDMOND, Ore. – The Redmond School District faces a massive data breach after an unknown individual impersonated the superintendent over email and obtained all employees’ names, Social Security numbers, mailing addresses and wage and tax withholding information. 

Last Friday, one district employee received an email from someone who was pretending to be Superintendent Mike McIntosh. The person requested all employee W-2 forms. 

“We’re trying to not let anybody panic, it’s a whole new racket, with respect to stealing and theft, and it happened to hit home today,” McIntosh said Monday evening. “We are trying to minimize the panic, but not minimize the importance, significance or urgency, and deal with it in a very productive and urgent manner.”

No direct deposit, banking, medical or student information was released in this breach. It does not directly affect families or students, either. This data breach only affects employees in the Redmond School District. There are 13 schools where about 1,000 current or recently retired employees face potential repercussions from the data breach.

All employees received an email from the district about what to do, including filing a 2016 tax return as soon as possible, filing an identity theft affidavit with the IRS and contacting credit report agencies.

“You hear of data breaches in major corporations, warehouses or banks, and how many of us have gotten new credit cards in the mail because there was an alleged breach in the system,” McIntosh said. “This isn’t a new phenomenon, it’s just new to the Redmond School District. And so we are trying to take that seriously, but appropriately as possible.”

Local certified fraud examiner Melissa Goddard said if important information like a W-2 form is requested, it should never be sent electronically.

“Any time you are asked to provide that information over an email, you should never send it,” Goddard said by phone. “You should walk it down to the HR department or whoever requested it from you and hand it to them, because it can get transferred to the wrong person.”

The district said there is no immediate damage to employees, but it is actively trying to safeguard all the information. If an employee does find their information has been used fraudulently, they should contact the district immediately. 

____________________________

Here’s the letter sent to all employees:

Redmond School District Employees:

The Redmond School District experienced a data breach resulting in the release of all district employee W-2 information to an unauthorized third party. We apologize for this unfortunate incident and are taking immediate steps to safeguard your personal information and support you in protecting yourself from identity theft.

What happened

A scammer impersonated Superintendent McIntosh via email and requested and received W-2s from all district employees on Friday, February 24, 2017. W-2s include an employee’s name, social security number, mailing address, wages, and tax withholding information.

None of our internal systems were breached, and no user information such as email passwords were accessed.

What we are doing

The school district takes this incident very seriously and protecting you from identity theft is our top priority. Once discovered this morning, we immediately contacted the police and appropriate authorities to investigate the breach and minimize risk from the disclosure. An investigation is underway and we are taking steps to prevent future incidents.

What you can do to protect yourself

Contact your banking institution and alert them about the data breach.

Change passwords on all your banking accounts and credit cards and consider a 2-step password verification.

We also recommend adding 2-step verification to your district Gmail Account. Click here for instructions: https://www.google.com/landing/2step/.

File your 2016 tax return as soon as possible to prevent unauthorized parties from filing a false return. Additionally, you should file an Identity Theft Affidavit (Form 14039) with the IRS. See a fillable-PDF form attached to this email with Section A and B pre-filled. You will need to add your personal information in Sections C-F and fax the form and required documentation to 855-807-5720. Include a cover sheet marked “Confidential.” You may also mail this form to the IRS. Mailing information is included on the form.

Keep a record of your actions taken to mitigate risk from this unauthorized disclosure.

You may also consider contacting the credit reporting agencies directly if you wish to put in place a fraud alert or credit freeze. A fraud alert will notify any merchant checking your credit history that you may be the victim of identity theft and that the merchant should take additional measures to verify the application. Contacting any one of the three agencies will place an alert on your file at all three. A credit freeze restricts all creditor access to your account, but might also delay any requests you make for new accounts. Inquire with the credit-reporting agencies for their specific procedures regarding security freezes.

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

Experian: 1-888-EXPERIAN (391-3742); www.experian.com; Fraud Victim Assistance Division, P.O. Box 9532, Allen, TX 75013

TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

Again, we apologize for this unfortunate incident and are ready to answer questions and help you with solutions to any problems that may arise.

Additional information will be forthcoming as it becomes available. Please direct questions to district Public Information Officer Rainier Butler at 541-923-1133 or [email protected]

Michael D. McIntosh
Superintendent
Redmond School District
P: 541.923.8267 | [email protected]

Article source: http://www.ktvz.com/news/scammer-gets-all-redmond-school-employees-w-2-info/364147629

,

No Comments

After data breach, Md. school district passes new policy to handle stolen information

Feb. 23–After a major student data breach, Frederick County Public Schools now has a clear response policy for future security lapses.

The policy — which the Board of Education passed unanimously Wednesday — provides a multi-step plan for school administrators if FCPS data is stolen or leaked.

In September, a Catoctin High School graduate contacted the school system and reported that the names, birth dates and Social Security numbers of about 1,000 other students were available for sale online.

FCPS later confirmed that the information that was stolen related to students enrolled in Frederick County schools between November 2005 and November 2006. The breach occurred before 2010, school officials said. The stolen information has remained on a website with an offer to sell similar details about thousands of other people.

The new policy establishes procedures for the “unauthorized acquisition” of personal data maintained by FCPS. The first steps lie with the FCPS director of technology infrastructure, who is expected to confirm the breach and immediately take steps to prevent further information loss, according to the written policy.

When the September data breach was reported, there was no director of technology infrastructure. Derek Root, who previously held the position, left in the summer of 2016 to be chief technology officer with Washington County Public Schools.

In early January, the system hired Ted Gardner to take over the position, Board of Education President Brad Young said.

The plan sets clear expectations for notification in the event of a breach. The policy calls for victims to be notified within 30 to 45 days after the security lapse is verified, and for the notification to include details on what personal information was stolen.

Delayed notification was a concern after the most recent data breach, which became a monthslong crisis for the school system. Though the district was notified of the leak in September, it took FCPS officials more than three months to notify the students affected.

Young attributed the delay to state involvement in the breach. In December, FCPS stated that students’ personal information was likely stolen from a Maryland education department computer system. The state has disputed that claim.

“Because of state involvement — that’s what kind of delayed it until it became clear that the state wasn’t going to take ownership,” Young said.

The new policy allows a delay if a law enforcement agency says that notification could jeopardize the investigation.

A delay is also allowed “to determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system,” according to the policy.

“Each incident is unique, so, obviously, you have to notify legal agencies first,” Young said. “The worst thing you could do is unnecessarily worry the people who might have been affected.”

The new policy requires the superintendent of FCPS to notify the Board of Education within 30 days of the breach, and for the school system to notify the attorney general’s office.

The protocols were approved after about a month of development. They were first presented at a Board of Education meeting on Jan. 25.

___

(c)2017 The Frederick News-Post (Frederick, Md.) Visit The Frederick News-Post (Frederick, Md.) at www.fredericknewspost.com Distributed by Tribune Content Agency, LLC.

Article source: http://www.securityinfowatch.com/news/12309266/after-data-breach-md-school-district-passes-new-policy-to-handle-stolen-information

,

No Comments

Redmond schools hit by major employee data breach

Redmond School District Data Breach






REDMOND, Ore. – The Redmond School District faces a massive data breach after an unknown individual impersonated the superintendent over email and obtained all employees’ names, Social Security numbers, mailing addresses and wage and tax withholding information. 

Last Friday, one district employee received an email from someone who was pretending to be Superintendent Mike McIntosh. The person requested all employee W-2 forms. 

“We’re trying to not let anybody panic, it’s a whole new racket, with respect to stealing and theft, and it happened to hit home today,” McIntosh said Monday evening. “We are trying to minimize the panic, but not minimize the importance, significance or urgency, and deal with it in a very productive and urgent manner.”

No direct deposit, banking, medical or student information was released in this breach. It does not directly affect families or students, either. This data breach only affects employees in the Redmond School District. There are 13 schools where about 1,000 current or recently retired employees face potential repercussions from the data breach.

All employees received an email from the district about what to do, including filing a 2016 tax return as soon as possible, filing an identity theft affidavit with the IRS and contacting credit report agencies.

“You hear of data breaches in major corporations, warehouses or banks, and how many of us have gotten new credit cards in the mail because there was an alleged breach in the system,” McIntosh said. “This isn’t a new phenomenon, it’s just new to the Redmond School District. And so we are trying to take that seriously, but appropriately as possible.”

Local certified fraud examiner Melissa Goddard said if important information like a W-2 form is requested, it should never be sent electronically.

“Any time you are asked to provide that information over an email, you should never send it,” Goddard said by phone. “You should walk it down to the HR department or whoever requested it from you and hand it to them, because it can get transferred to the wrong person.”

The district said there is no immediate damage to employees, but it is actively trying to safeguard all the information. If an employee does find their information has been used fraudulently, they should contact the district immediately. 

____________________________

Here’s the letter sent to all employees:

Redmond School District Employees:

The Redmond School District experienced a data breach resulting in the release of all district employee W-2 information to an unauthorized third party. We apologize for this unfortunate incident and are taking immediate steps to safeguard your personal information and support you in protecting yourself from identity theft.

What happened

A scammer impersonated Superintendent McIntosh via email and requested and received W-2s from all district employees on Friday, February 24, 2017. W-2s include an employee’s name, social security number, mailing address, wages, and tax withholding information.

None of our internal systems were breached, and no user information such as email passwords were accessed.

What we are doing

The school district takes this incident very seriously and protecting you from identity theft is our top priority. Once discovered this morning, we immediately contacted the police and appropriate authorities to investigate the breach and minimize risk from the disclosure. An investigation is underway and we are taking steps to prevent future incidents.

What you can do to protect yourself

Contact your banking institution and alert them about the data breach.

Change passwords on all your banking accounts and credit cards and consider a 2-step password verification.

We also recommend adding 2-step verification to your district Gmail Account. Click here for instructions: https://www.google.com/landing/2step/.

File your 2016 tax return as soon as possible to prevent unauthorized parties from filing a false return. Additionally, you should file an Identity Theft Affidavit (Form 14039) with the IRS. See a fillable-PDF form attached to this email with Section A and B pre-filled. You will need to add your personal information in Sections C-F and fax the form and required documentation to 855-807-5720. Include a cover sheet marked “Confidential.” You may also mail this form to the IRS. Mailing information is included on the form.

Keep a record of your actions taken to mitigate risk from this unauthorized disclosure.

You may also consider contacting the credit reporting agencies directly if you wish to put in place a fraud alert or credit freeze. A fraud alert will notify any merchant checking your credit history that you may be the victim of identity theft and that the merchant should take additional measures to verify the application. Contacting any one of the three agencies will place an alert on your file at all three. A credit freeze restricts all creditor access to your account, but might also delay any requests you make for new accounts. Inquire with the credit-reporting agencies for their specific procedures regarding security freezes.

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

Experian: 1-888-EXPERIAN (391-3742); www.experian.com; Fraud Victim Assistance Division, P.O. Box 9532, Allen, TX 75013

TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

Again, we apologize for this unfortunate incident and are ready to answer questions and help you with solutions to any problems that may arise.

Additional information will be forthcoming as it becomes available. Please direct questions to district Public Information Officer Rainier Butler at 541-923-1133 or [email protected]

Michael D. McIntosh
Superintendent
Redmond School District
P: 541.923.8267 | [email protected]

Article source: http://www.ktvz.com/news/scammer-gets-all-redmond-school-employees-w-2-info/364147629

,

No Comments

New Report: Businesses Suffer Serious, Measurable Damage From Data Breaches

Cisco recently published its tenth annual data breach report, and some of the findings should be cause for concern by people who own, run, or work for businesses.

The firm’s 2017 edition of its annual cybersecurity report entitled “Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches And The Actions That Organizations Are Taking,” provides insights based on threat intelligence gathered by Cisco’s security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.

Cisco noted that, according to its research, in 2016:

  • More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. (If you own or work for a business, take note: data breaches have repercussions.)
  • For organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers — 40% of them lost more than a fifth of their customer base. 29% lost revenue, with 38% of that group losing more than a fifth of their revenue. 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities. (The repercussions are quite costly.)
  • CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures. Security leaders also reveal that their security departments are increasingly complex environments with nearly two thirds of organizations using six or more security products – some with even more than 50! – increasing the potential for security effectiveness gaps and mistakes. (Complexity and a lack of skilled professionals are putting businesses at risk.)
  • Criminals are leveraging “classic” attack mechanisms – such as adware and email spam – in an effort to easily exploit the gaps that such complexity can create. (Criminals often don’t need to spend resources crafting and executing advanced attacks – simple attacks can do the job.)
  • Spam is now at a level not seen since 2010, and accounts for nearly two-thirds of all email — with eight to 10 percent of it being outright malicious. Global spam volume is rising, often spread by large and thriving botnets. (Spam is a serious problem that has not gone away – because it works!)
  • Old-fashioned adware (that is, software that downloads advertising without users’ permission, continues to prove successful, infecting 75 percent of organizations polled. (…as is adware.)
  • Just 56 percent of security alerts are investigated and less than half of legitimate alerts actually lead to problems being corrected. Defenders, while confident in their tools, are undermined by complexity and manpower challenges; criminals are exploiting the inability of organizations to handle all important security matters in a timely fashion. (Information overload is causing a “Boy Who Cried Wolf” situation in some environments, and too many real alerts are overwhelming information-security professionals in others.)

  • Twenty-seven percent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns. (Inadequately vetted applications can create risks.)

  • On the positive side, 90% of organizations that experienced a breach in 2016 are improving threat defense technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent). (Thankfully, firms that have suffered breaches are investing in preventing future problems.)

Discussing the report, John N. Stewart, Cisco’s Senior Vice President and Chief Security and Trust Officer, noted that “In 2017, cyber is business, and business is cyber -that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk. The 2017 Annual Cybersecurity Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture.”

Here are comments from several other industry insiders on the report.

  • David Vergara, Head of Global Product Marketing, VASCO Data Security:

“This report makes several things abundantly clear. The first is that cybercriminal’s weapon of choice is not always the sophisticated attack; generally, they prefer the path of least resistance, so security laggards beware. Second is the hard cost of a breach, through lost customers, revenue and business, is rising dramatically. This cost should drive more pointed security resource discussions and prop up related business cases.”

  • Brad Bussie, Director of Product Management, STEALTHbits Technologies:

“Statistics from this study, and others, show an alarming trend that asset risk is no longer being calculated correctly. Losing customers, revenue, and opportunities can be mapped directly back to breached systems. It would be interesting to see how much it would have cost to protect the systems in question, or to change to process that was exploited and compare it to what was lost because of the breach.”

  • Don Duncan, Security Engineer, NuData Security:

“Cisco’s findings that 22% of breached organizations lost customers and a significant number of these companies lost 20% of their entire customer base is a sobering data point for any organization when considering whether to disclose a breach publically. Regulations may be coming that will force disclosures. Until that happens, with so much at risk it’s no wonder that breach numbers are vastly underestimated.”

  • Brian Laing, VP of Business Development and Products, Lastline:

“The Cisco data breach report highlights the continually evolving techniques used by criminals to exfiltrate sensitive corporate data, and the resulting impact on business performance. Enterprises must continually expand and enhance their security capabilities to keep up with new techniques, schemes, and technology continually introduced by organized crime.”

Article source: http://www.inc.com/joseph-steinberg/new-report-businesses-suffer-serious-measurable-damage-from-data-breaches_1.html

,

No Comments

Vanderbilt UMC notifies 3,000+ patients of data breach

Nashville, Tenn.-based Vanderbilt University Medical Center is notifying 3,247 patients that their medical information was accessed by unauthorized individuals, according to The Tennessean.

Between May 2015 and December 2016, two VUMC patient transporters accessed information from VUMC patients’ electronic medical records, including names, birthdates, medical record identification numbers and some Social Security numbers.

“To our knowledge, the information the employees viewed was not printed, forwarded or downloaded,” said VUMC Chief Communications Officer John Howser in a statement. “So far, we have no reason to believe that our patients’ personal information has been used or disclosed in other ways. While we are not aware of any risk of financial harm to these patients, we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.”

VUMC has reported the breach to HHS. VUMC will offer credit monitoring services to patients whose Social Security numbers were accessed.

*Editor’s note: This article previously stated the breach occurred during Vanderbilt UMC’s Epic EHR implementation. However, the breach occurred between May 2015 and December 2016. The hospital is currently migrating its EHR to an Epic system, although a spokesperson for VUMC said the migration and breach are unrelated events.

More articles on health IT:
Island Health temporarily stops using Cerner EHR
How the ONC is getting involved in blockchain
Loyola Medicine receives HIMSS Stage 6 designation


© Copyright ASC COMMUNICATIONS 2017. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

Article source: http://www.beckershospitalreview.com/healthcare-information-technology/vanderbilt-umc-hit-with-data-breach-during-epic-ehr-implementation.html

,

No Comments

Smart teddy bears involved in a contentious data breach

If you own a stuffed animal from CloudPets, then you better change your password to the product. The toys — which can receive and send voice messages from children and parents — have been involved in a data breach dealing with more than 800,000 user accounts.

The breach, which grabbed headlines on Monday, is drawing concerns from security researchers because it may have given hackers access to voice recordings from the toy’s customers. But the company behind the products, Spiral Toys, is denying that any customers were hacked. 

“Were voice recordings stolen? Absolutely not,” said Mark Myers, CEO of the company.

Security researcher Troy Hunt, who tracks data breaches, brought the incident to light on Monday. Hackers appear to have accessed an exposed CloudPets’ database, which contained email addresses and hashed passwords, and they even sought to ransom the information back in January, he said in a blog post.

The incident underscores the danger with connected devices, including toys, and how data passing through them can be exposed, he added. 

In the case of CloudPets, the brand allegedly made the mistake of storing the customer information in a publicly exposed online MongoDB database that required no authentication to access. That allowed anyone, including hackers, to view and steal the data.

On the plus side, the passwords exposed in the breach are hashed with the bcrypt algorithm, making them difficult to crack. Unfortunately, CloudPets placed no requirement on password strength, meaning that even a single character such as letter “a” was acceptable, according to Hunt, who was given a copy of the stolen data last week.

As a result, Hunt was able to decipher a large number of the passwords, by simply checking them against common terms such as qwerty, 123456, and cloudpets.

“Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” Hunt said in his blog post. 

Security researcher Victor Gevers from the GDI Foundation said he also discovered the exposed database from CloudPets and tried to contact the toy maker in late December.

However, both Gevers and Hunt said the company never responded to their repeated warnings.

On Monday, California-based Spiral Toys, which operates the CloudPets brand, claimed the company never received the warnings. 

“The headlines that say 2 million messages were leaked on the internet are completely false,” Myers said. 

His company only became aware of the issue after a reporter from Vice Media contacted them last week. “We looked at it and thought it was a very minimal issue,” he said. 

A malicious actor would only be able to access a customer’s voice recording if they managed to guess the password, he said. 

“We have to find a balance,” Myers said, when he addressed the toy maker’s lack of password strength requirements.  “How much is too much?”

He also said that Spiral Toys had outsourced its server management to a third-party vendor. In January, the company implemented changes MongoDB requested to increase the server’s security. 

Spiral Toys hasn’t been the only company targeted. In recent months, several hacking groups have been attacking thousands of publicly exposed MongoDB databases. They’ve done so by erasing the data, and then saying they can restore it, but only if victims pay a ransom fee.   

In the CloudPets incident, different hackers appear to have deleted the original databases, but left ransom notes on the exposed systems, Hunt said.

Although the CloudPets’ databases are no longer publicly accessible, it appears that the toy maker hasn’t notified customers about the breach, Hunt said. The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys.

But Myers said the company found no evidence that any hackers broke into customer accounts. To protect its users, the company is planning on a password reset for all users. “Maybe our solution is to put more complex passwords,” he said. 

Article source: http://www.csoonline.com/article/3175075/security/smart-teddy-bears-involved-in-a-contentious-data-breach.html

,

No Comments

Singapore defense ministry suffers data breach affecting 850 users

Singapore’s Ministry of Defence (Mindef) says a security breach earlier this month has compromised the personal data of 850 national servicemen and employees.

The ministry identified a breach in its I-net system, which supported web-connected computer terminals its employees and national servicemen used for personal online communications or internet browsing. National servicemen encompass male citizens of Singapore, all of whom are required to undergo mandatory uniformed services such as military or police.

According to Mindef, the dedicated internet kiosks were located within the ministry building as well as Singapore Armed Forces camps and premises. It said the I-net system did not contain any classified military data, which were used on a separate system with no connection to the internet and had more stringent security features.

Data stolen in the breach included the victims’ national identification numbers, telephone numbers, and dates of birth. These personal information were used to manage user accounts and stored on I-net. All affected by the breach had been notified and instructed to change their passwords, including other systems if they had used the same passwords to access those services.

Mindef said I-net was disconnected once the breach was detected and forensic investigations were initiated to assess the damage. As an added precaution, the ministry said it conducted investigations of all other systems within Mindef and the armed forces. It also informed Singapore’s cybersecurity government agency and government CIO department so they could investigate other public sector systems, though, no other breach had been detected.

Investigations still were ongoing, it said, noting that the cyberattack seemed “targeted and carefully planned”. “The real purpose may have been to gain access to official secrets, but this was prevented by the physical separation of I-net from our internal systems,” it said.

The ministry said it would continue to provide internet kiosks as its employees and national servicemen required online access.

The Singapore government last June announced plans to remove internet access from all workstations used by employees in the public sector, which operated a network of 100,000 computers. Government employees instead would have online access only on dedicated terminals or rely on their own personal mobile devices, which would not be connected to government e-mail systems.

Prime Minister Lee Hsien Loong had described the move as necessary to beef up the security of critical infrastructure, adding that the implementation was expected to be completed across the public sector by mid-2017.

Lee just last week mooted the possibility of a national digital identification system that can be used to access both public and private sector services. This, he said, would expand beyond the functions of SingPass, an existing citizen account used for e-government services, to include access to a wider range of transactions.

A 2014 security breach had affected 1,560 SingPass accounts, though, Minister for Communication and Information Yaacob Ibrahim then said there was no vulnerability in the system. He said the breach could have been the result of weak user passwords or malware.

Commenting on the Mindef breach, Darktrace’s Asia-Pacific managing director Sanjay Aurora said the attack aimed to “erode” data integrity and trust in public institutions. It also underscored the need for businesses to tap machine-learning and artificial intelligence (AI) to automatically detect and respond to potential threats, before data could be compromised.

Aurora said: “Although it appears Mindef has responded swiftly to this incident, the reality is that no human can keep up in this rapidly-evolving threat landscape. It is a cyber arms race and AI technology that self-learns what is ‘normal’ for a network, and automatically identifies and takes action against abnormal behaviour and genuine threats, will be instrumental in safeguarding critical information and infrastructure.”

Article source: http://www.zdnet.com/article/singapore-defense-ministry-suffers-data-breach-affecting-850-users/

,

No Comments

Report Summarizes Healthcare Data Breaches in January 2017

JD Supra provides users with access to its legal industry publishing services (the “Service”) through its website (the “Website”) as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement (“Policy”). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users’ names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user’s experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the “opt-out of future email” option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at [email protected] In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: [email protected]

Article source: http://www.jdsupra.com/legalnews/report-summarizes-healthcare-data-36966/

,

No Comments