Archive for April, 2017
A data breach at Texas-based ACTIVEOutdoors, a Washington Department of Fish and Wildlife vendor, exposed the birthdates, addresses, driver’s licenses, partial or full Social Security numbers and other details of at least 2.2 million Washington residents. That’s nearly one-third of the state population.
“Although we have made and continue to make significant investments in technology and security, on August 22, we became aware that we were the victim of an unauthorized and unlawful access to our online hunting and fishing licensing applications in Idaho, Oregon and Washington,” the letter stated.
The state has had a data breach law since 2005, and the Legislature amended it in 2015 to require consumer notification. The Washington State Office of the Attorney General must be notified when a breach affects more than 500 residents. Washington is one of the few states that also makes these reported breaches public online.
The data-breach law applies to any entity, regardless of where it’s based, as well as to individuals—including individuals providing a service to friends and family on the side.
A September 2016 report by the attorney general’s office said that the personal information of 450,000 Washington residents was compromised in the previous year. That was before the ActiveOUTDOORS breach was reported that same month.
Since then, more than 25 other breaches were reported to the state, including Community Health Plan of Washington, which affected 353,388 residents. Others listed recently range from Boeing and CHI Franciscan Hospice to Western Union, Michigan State University and retailer Vera Bradley.
Last year saw a record 1,093 data breaches in the United States, a 40 percent increase over 2015, according to the Identity Theft Resource Center (ITRC).
“We have our data in a lot of places,” says Thad Dickson, a Key Peninsula resident and CEO of Xpio Health, a Gig Harbor company focused on security and compliance for health care organizations. “People should be conservative about providing their Social Security numbers and personal data to a company because … companies don’t always adequately protect or invest in cyber security protections like we, as consumers, expect.”
Increasingly, the data breaches are caused by hackers. Cybercriminals are after this data because it’s valuable on the black market. The underground works very much like the enterprise economy and the criminal element typically specializes. Some sell the tools needed to perpetrate cyberattacks—even providing customer service, tutorials and toll-free support lines. Others use those tools to perpetrate attacks and then sell the data.
Buyers of that data can then use it in numerous ways, including for identity theft. Personal information is more valuable on the black market than credit card and bank numbers because it has broader use and crimes like identify theft take much longer to detect.
The potential influx of data-breach notices may leave consumers fatigued. But don’t become immune to those letters, advises Shannon Smith, the state’s senior assistant attorney general and chief of the Consumer Protection Division. They are not sent to all customers, but only “to specific individuals who may be at risk of harm” from the exposed data.
She said it’s important to pay attention not only to the notices but also to monitor your credit. If you’re a victim of identity theft, your credit report can show red flags.
Credit-reporting agencies are required to provide one free credit report per year to consumers. Smith recommends staggering them so you can keep an eye on your credit all year long. However, cybercriminals often wait for years to monetize stolen data, so your identity may not be stolen for a long time after a breach.
“Just because there’s no immediate impact, it doesn’t mean there won’t be one,” Smith says. “So be vigilant.”
More information about data breaches, along with a list of companies with breaches affecting more than 500 Washington residents, is available at www.atg.wa.gov/data-breach-notifications.
You can request your free credit report from any of the three major reporting agencies at www.annualcreditreport.com.
Editor’s note: This is the first in a series of articles about protecting your personal information online.
style=”” class=” js no-touch history csstransforms csstransforms3d csstransitions video” lang=”en”<!– <!– –>
If you’ve eaten at Chipotle in the past couple of months, you may want to check your credit or debit card activity.
Chipotle said in a statement that it recently detected unauthorized activity on the network that supports payment processing.
The statement said the investigation is focused on card transactions from March 24, 2017, through April 18, 2017.
As a reminder, Chipotle says if you notice an unauthorized charge, immediately notify the bank that issued the card.
The company said the investigation is ongoing.
© 2017 KPNX-TV
6-month-old dies at hospital, murder charges…
Tunnel to Towers Stair Climb honors first…
18-year-old ‘at-risk’ woman missing from Rock Hill home
Data breaches and identity theft are among the most common security risks for businesses today. The average cost to mitigate a data breach is $4 million or $158 per compromised record. In addition, businesses are losing the trust of their customers whose personal information has been compromised.
This course has been accepted for six Technical Business CPE credits.
Cost: $275 if register by April 21, 2017 Regular registration $345 or $295 for nonprofit/government employees (Registration closes April 28)
Attendees will receive a Certificate of Completion from Hodges University.
The Australian federal police conducted six internal investigations in the past 18 months into alleged professional misconduct of officers who had been newly approved to access telecommunications data, Guardian Australia can reveal.
The latest revelations will heighten concern about the AFP’s handling of Australians’ personal information, after it revealed it had unlawfully accessed a journalist’s phone records without a warrant.
The AFP commissioner, Andrew Colvin, admitted on Friday the agency had unlawfully accessed a journalist’s metadata without obtaining a “journalist information warrant”, a requirement imposed on it since 2015.
Following the federal government’s data retention amendments, the AFP also tightened up the list of officers who could sign off on internal authorisations for Australians’ metadata.
Guardian Australia obtained a list of the identities of these officers and sought access to professional standards investigations finalised in the past 18 months.
The documents released show there were six professional standards investigations launched.
While four of the matters were deemed to be “not established”, two were ruled as not requiring further investigation.
One of the matters was listed as a “non significant corruption issue” that was referred to the integrity commissioner. The professional standards investigation said the AFP officer had exercised their discretion not to take further action.
One related to an allegation that the officer disclosed information relating to the execution of two search warrants.
Guardian Australia queried whether any of the officers had their metadata roles revoked or suspended.
The AFP said in a statement that “as the matters disclosed … did not require further action – there was no reduction or removal of delegations regarding metadata applications”.
Press freedom organisations and privacy advocates have condemned the AFP’s handling of the case, and have called for reform of Australia’s metadata law.
The agency’s disclosure on Friday coincided with the annual press freedom dinner in Sydney. The Media Entertainment and Arts Alliance chief executive, Paul Murphy, said: “It really is a disgrace. There is a clear public interest in whistleblowers having the confidence to call out misconduct in government.
“That public interest has been thrown away. It’s been thrown away in legislation cloaked in national security.”
The commonwealth ombudsman is investigating the AFP’s handling of the journalist’s case.
The journalist’s identity remains unknown, and they not been informed by the agency that their personal information was unlawfully accessed.
In an April 13, 2017 decision in Walters v. Kimpton Hotel,1 a California federal judge rejected the bid of hotel chain Kimpton Hotel and Restaurant Group, LLC to dismiss a proposed class action arising from a data breach last year. Judge Vince Chhabria found that the named plaintiff sufficiently alleged imminent harm to establish standing notwithstanding the absence of allegations that his personal information had been misused.
Background of the Lawsuit
In August 2016, Kimpton Hotel disclosed that malware had been installed on its servers from February 16, 2016 to July 7, 2016, and mailed notification letters to those guests who used their payment cards at a front desk during that period. Plaintiff Lee Walters was a guest at a Kimpton Hotel on May 29, 2016. Walters alleged that, following his stay at the hotel, his payment card information was stolen. Walters further alleged that, after learning of the breach, he expended time and effort to monitor his credit, and that he faced increased risk of identity theft due to the server breach.
Judge Chhabria found that a plaintiff does not need to “actually suffer the misuse of his data or an unauthorized charge before he has an injury for standing purposes,” and that Walters’ allegations of imminent harm were sufficient to confer standing to survive Kimpton’s motion to dismiss. Judge Chhabria adopted the standing approach applied by the Sixth and Seventh Circuits in Galaria v. Nationwide Mut. Ins. Co. and Lewert v. P.F. Chang’s China Bistro.2
In Galaria, the Sixth Circuit held that allegations of a continuing, increased risk of fraud and identify theft were more than just speculative allegations of injury, emphasizing that there is “no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.”3 Similarly, in P.F. Chang’s, the Seventh Circuit explained that “it is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.”4
It is important to note that a court at the motion to dismiss stage must accept allegations of imminent harm as true, and it is far from clear whether Walters will be able to prove injury-in-fact going forward. Even so, this decision is yet another reminder that companies can no longer assume that consumer-initiated lawsuits will be dismissed where no customer information has yet been misused, and they must prepare for legal attacks from all sides – regulators, shareholders, and consumers – even as they work to resolve the fallout from a cyberattack. A great starting point for all companies is a simple and straightforward incident response plan that anticipates the inevitable cyber breach. Such a plan can provide a framework for integrating a response amongst the company’s management, IT, legal, external communications, and outside experts, such as legal counsel and cyber forensic investigators.
A copy of the decision is available here.
1 Walters v. Kimpton Hotel Rest. Grp., LLC, No. 16-CV-05387-VC, 2017 WL 1398660 (N.D. Cal. Apr. 13, 2017).
2 Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016). While not cited by the judge, the Ninth Circuit also recognizes that, following the theft of unencrypted personal data, an increased risk of identity theft constitutes harm. See Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
3 Galaria, at 388.
4 P.F. Chang’s, at 967 (internal citations omitted).
The spread of breaches tied to cyber espionage is among the key findings of the Verizon Data Breach Investigations Report 2017, says Ashish Thapar, a managing principal at Verizon Enterprise Solutions.
Manufacturing, public sector organizations and educational institutions are the top targets for cyber espionage attacks, the report finds. “We see cyber espionage attacks hitting these sectors hard,” Thapar says.
The report indicates that the primary motives for these attacks are to obtain sensitive personally identifiable information or proprietary information/intellectual property, he explains. For attacks aimed at educational institutions, valuable research data is the target (see: Analysis: Verizon’s 2017 Data Breach Digest).
The Business of Malware
Verizon’s report, Thapar says, also found that “malware is becoming a big business. We also see a lot of attacks through ransomware. Sometimes these ransomware attacks are just to extort money from the victims. Other times they serve as a smokescreen for other attacker activity in the background.”
Thapar acknowledges that the 10th annual report reflects a continuation of breach trend patterns seen in recent years, rather than any major new threats. The report analyzed data from 65 organizations worldwide on 42,000 incidents and 1,935 breaches.
Even small and midsize enterprises are increasingly become breach targets as attackers seek out softer targets, Thapar says the report shows.
“These organizations really need to guard and make it difficult for the bad guys,” he says. “Unlike determined advanced threat actors, most opportunistic attacks will move away and look for softer targets if you make it a little difficult for them.”
In this exclusive, in-depth interview (see audio player link below image), Thapar shares further insight on:
- The current trends revealed in the latest report;
- How these trends and affecting enterprises;
- Recommendations for how organizations can prepare themselves to counter these risks.
Thapar is the managing principal, risk services – APJ, at Verizon Enterprise Solutions. His experience includes designing, implementing and managing information security management systems for multiple organizations. Thapar has written several white papers and articles on information security topics. He also has been a featured speaker at several industry events.
Hackers continue to gain the upper hand in the battle for data security, with an astounding 87 percent of organizations saying they were the victims of cyberattacks in the past 12 months.
That is one of the findings in the new study “Threats Below the Surface Report,” which surveyed more than 3,000 IT professionals on the security risks, priorities and capabilities that are top-of-mind. The study also found that one in three organizations reported that they had been hacked more than five times in the past 12 months, double the rate of 2014.
One of the leading causes of the rise in data security risks is the rapid adoption of cloud computing, the study indicates.
“Enterprise cloud apps lack critical controls for data security that could significantly reduce the risk of a breach,” said Nat Kausik, chief executive officer at Bitglass, which co-produced the study along with the CyberEdge Group and Information Security Community. “While some organizations can identify potential leaks after the fact, few organizations can remediate threats in real time.”
Kausik shared a number of dramatic statistics regarding data breaches and cyber preparedness:
• 54 percent of organizations hit with a ransonware attack were able to recover without paying up.
• 52 percent of organizations expect to increase their overall information security budgets.
• 39 percent of organizations in retail and 36 percent in technology are spending a larger portion of their budgets on information security than in other vertical markets.
• 37 percent said phishing is a top security concern, followed by insider threats (cited by 33 percent) and malware (32 percent)
• 36 percent of organizations monitor mobile devices
• 24 percent of organizations monitor SaaS and IaaS apps for security risks
The study also found that 62 percent of organizations that have adopted the cloud say improved threat detection is the most critical threat management capability. Other capabilities most in demand include data encryption (cited by 72 percent), traffic encryption (cited by 60 percent) and access controls (cited by 56 percent).
As for cloud-specific concerns, the issues that organizations are struggling with the most include data leakage (cited by 57 percent), data privacy (cited by 49 percent), confidentiality (cited by 47 percent) and compliance (cited by 36 percent).
A council has apologised to 14 vulnerable adults whose personal details were published online.
The data was posted on a procurement website, revealing details such as health conditions and social care needs.
Gloucestershire County Council (GCC) said it had “done everything we can” to remove the online material.
The victims of the breach had been informed and an investigation is under way, the authority added.
The council uses online procurement portals to post notices when urgent residential or non-residential care was needed for people with physical disabilities, learning disabilities or mental health needs.
But staff had attached personal “pen pictures” of adults requiring such urgent help to notices available to the public on the supplyingthesouthwest.org.uk portal, dating from the start of 2017.
The council’s chief executive Pete Bungard “sincerely apologised” for the error, and said staff had already been retrained while an internal investigation was carried out.
A spokeswoman for the authority said GCC had “worked with the procurement websites and search engines” and added she was “confident the council has done everything it can to remove the information”.
Earlier this year, GCC launched an investigation after it unwittingly revealed details online of a £500m contract for a controversial incinerator project.
Article source: http://www.bbc.co.uk/news/uk-england-gloucestershire-39748772
Used by all states (except D.C.) with data breach laws 
(AK, AZ, AR, CA, CO, CT, DE, FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NM, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY)
MA – financial account number, or credit or debit card number, even without any required security code, access code, PIN or password, is reportable if associated with first name/initial and last name.
The breach, which occurred earlier this year, involved the time, date and duration of phone calls over a period of about a week, not the calls themselves, Mr Colvin said.