Archive for May, 2017

Basildon Council fined £150,000 for traveller family data breach

Image caption: Basildon Council published information about a traveller family’s disabilities (image: Google)

A council has been fined £150,000 for publishing sensitive personal information about a traveller family on its website.

Basildon Council released details about the family’s disabilities, including mental health issues, in a planning application.

The Information Commissioner’s Office (ICO) says the authority failed to remove the personal data.

The council said it was taking legal advice and has 28 days to appeal.

Basildon Council breached the Data Protection Act when it published the information in planning application documents which it made publicly available online, the ICO said.

Its investigation found the authority received a written statement in support of a planning application for proposed works on green belt land on 16 July 2015.

The statement contained sensitive personal data relating to the traveller family who had lived on the site for several years.

‘Serious incident’

The ICO said an inexperienced council officer did not notice the personal information, and there was no procedure in place for a second person to check it before it was published online.

The information was only removed on 4 September 2015 when the concerns came to light.

ICO enforcement manager Sally Anne Poole said: “This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available.

“Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable.”

A Basildon Council spokesman said: “The council has been given 28 days in which to lodge an appeal against this decision. We are taking advice and considering our position.”

Article source: http://www.bbc.com/news/uk-england-essex-40110726


Target’s data breach settlement sets a low bar for industry security standards

Target’s multistate data breach settlement over its 2013 data breach outlines the kind of security measures enterprises should have in order to not be found negligent with customer data. The problem is, the settlement doesn’t go far enough to improve organizational security. For the pro-active CSO, the settlement should indicate the bare minimum and not what they should aspire to.

Tom Kellermann, CEO of Strategic Cyber Ventures and the former CEO of Trend Micro, called the terms a “slap on the wrist” for Target and said they were insufficient as they focused on keeping attackers out and not on improving response. Modern security needs to focus on reducing the amount of time between a compromise and its detection, and on making it harder for attackers to carry out their operations. While network segmentation and two-factor authentication will slow down attackers, the bulk of the terms are still defensive in nature.

“They [settlement terms] represent yesterday’s security paradigm,” Kellermann said.

To briefly recap, criminals stole credentials from a third-party HVAC vendor and gained access to Target’s network, and then proceeded to infect payment systems with data-stealing malware just before the beginning of the holiday shopping season back in 2013. The malware skimmed credit and debit card information belonging to about 40 million consumers, along with personally identifiable information (PII) for 70 million people. While Target’s security systems had detected the breach, no one understood the significance of, or acted upon, the alerts, resulting in the massive data breach.

To its credit, Target since then has toughened its security posture and made significant improvements, and many in the industry tout the retailer as a good example of how to recover from a data breach. The settlement gives Target 180 days to “develop, implement, and maintain a comprehensive information security program,” but most of the terms refer to changes the retailer has already adopted.

“[The] settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers,” Illinois Attorney General Lisa Madigan said in a statement.

The reference to industry standards suggests that future breach-related lawsuits may use the Target settlement to try to prove that an organization did not go far enough in protecting personal information and other sensitive data. The settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network and implementing stricter access control policies for sensitive networks and data.

“All organizations that store valuable data need to implement a comprehensive security program that includes continuous risk assessments and a responsible executive that is accountable and actively involved in the program,” said Steven Grossman, vice-president of strategy at Bay Dynamics.

Laundry list of what to do

Target agreed to tighten its digital security, which includes:

  • Develop and maintain a comprehensive information security program
  • Maintain software and encryption programs to safeguard people’s personal information
  • Separate its cardholder data from the rest of its computer network
  • Rigorously control who has access to the network
  • Regularly bring in an independent and well-qualified third party to conduct regular, comprehensive security assessments of its security measures.
  • Hire an executive officer to run its new security program and serve as a security advisor to the CEO and the board of directors.

Other must-have safeguards are specific to the payment systems and “cardholder data environment”:

  • Whitelisting to detect and block unauthorized applications from executing on payment systems and servers
  • File integrity monitoring
  • Change management to detect unauthorized changes to applications and operating systems
  • Logging and monitoring all security-related information and devices attempting to connect to the sensitive network.

None of this sounds particularly advanced. In fact, network segmentation is an IT best practice and something companies should already be doing. It is nice to finally see a mandate that calls for two-factor authentication on individual, administrator and vendor accounts. The fact that card information has to be encrypted is a basic part of the Payment Card Industry-Data Security Standard (PCI-DSS) requirements, and just reiterates that encryption needs to be at the center of any comprehensive security program. The settlement also reminds Target that it has to keep up with patching and software updates.

“Target shall make reasonable efforts to maintain and support the software on its networks, taking into consideration the impact an update will have on data security in the context of Target’s overall network and its ongoing business and network operations, and the scope of resources required to address an end-of-life software issue,” according to the settlement.

What’s missing

Considering the initial breach came from the third-party vendor, the settlement is vague on what enterprises should be doing regarding their partners and contractors beyond “develop, implement and revise as necessary written, risk-based policies and procedures for auditing vendor compliance” against existing security policies. Requiring two-factor authentication for contractors and vendors will make a difference, but enterprises need to have a clearer idea of what other risks the third-party poses to their environment.

“It is essential that outsourcers know what services third-parties are performing, what controls they have in place, and verify that these controls are operational,” said Charlie Miller, a senior vice president with the Santa Fe Group’s Shared Assessments Program. Enterprises need to have processes that determine what kind of restricted access and security controls are appropriate when bringing a third party on board.

The settlement also talks about penetration tests and other ways to assess security measures, but it stopped short of asking for continuous assessments. “The recommendations on assessing risks using penetration testing are not enough,” said Guy Bejerano, CEO and co-founder of SafeBreach. Enterprises can’t rely on once-a-year or periodic penetration tests to stay abreast of all the threats, because new vulnerabilities are always being found and new attack tools are always being developed.

The CSO needs to oversee and run the security program and advise the CEO and the board of directors, but the settlement did not mandate that the individual report directly to the CEO and the board, which is a miss. In many enterprises, the CSO, despite being a C-level executive, doesn’t report directly to the CEO, and is shuffled under the CIO, the CTO or even legal. The CISO/CSO should report directly to the CEO and receive a budget separate from that of IT.

Industry standards are still a low bar

As part of settling with the states, Target has to pay $18.5 million. While New York Attorney General Eric T. Schneiderman touted this agreement as the largest multistate data breach settlement to date, it is pocket change for a company that reported over $20 billion in profits last year and has already paid $202 million in legal fees and other post-breach costs over the past four years. This isn’t even the first settlement, as Target settled for $39 million with the financial institutions affected by the breach and allocated $10 million for the consolidated class action lawsuit (along with the $6.75 million for plaintiffs’ attorneys fees and expenses).

There have been concerns that companies might deprioritize security activities and risks because it is cheaper to just pay the fine after something goes wrong—instead of putting in the time and effort to do it right. The settlement doesn’t do anything to change that viewpoint, but the fact that some of the basics are now codified as “industry standards” may at least raise the bar to the bare minimum. For many organizations, segmenting the networks and adding more security layers around sensitive data environments can make a huge difference in how easily criminals can move around or steal information.

Article source: http://www.csoonline.com/article/3199064/security/targets-data-breach-settlement-sets-a-low-bar-for-industry-security-standards.html


Chipotle Warns of Data Breach – NBC 5 Dallas

Chipotle customers may want to check their bank statements after hackers hit most of its restaurants in a massive data hack, including dozens in North Texas.

It’s unclear how many cards or customers were impacted by the breach.

Chipotle has roughly 2,250 stores across the US.

The company says hackers used malware to steal payment data over a span of three weeks, from March 25 to April 18.

Account numbers and even internal verification codes were stolen. That information can be used to drain bank accounts, and even clone cards.

Chipotle says the malware has been removed, and its systems are safe again.

If you went to the restaurant during those dates: 

  • Monitor your card statements.
  • If you see an unauthorized charge, contact your bank immediately.
  • Even if your bank is able to reverse the charge, you should still request a new card altogether.

Article source: http://www.nbcdfw.com/news/local/Chipotle-Warns-of-Data-Breach-425397344.html


Target’s data breach settlement sets a low bar for industry security standards


This story, “Target’s data breach settlement sets a low bar for industry security standards,” was originally published by CSO.

Article source: http://www.itworld.com/article/3199064/security/targets-data-breach-settlement-sets-a-low-bar-for-industry-security-standards.html


Chipotle Identifies Minn. Locations Affected by March, April Data Breach

An investigation found malware accessed some data from payment cards swiped at the register between March 24 and April 18.

The Minnesota cities with locations affected were: Apple Valley, Blaine, Bloomington, Brooklyn Center, Brooklyn Park, Burnsville, Champlin, Chanhassen, Columbia Heights, Coon Rapids, Cottage Grove, Crystal, Duluth, Eagan, Eden Prairie, Edina, Elk River, Golden Valley, Hastings, Hopkins, Mankato, Maple Grove, Maplewood, Minneapolis, Minnetonka, Oak Park Heights, Plymouth, Richfield, Rochester, Rogers, Rosemount, Roseville, Shakopee, Shoreview, St. Cloud, St. Louis Park, St. Paul, Vadnais Heights, Wayzata, West St. Paul and Woodbury.

Article source: http://kstp.com/business/chipotle-identifies-locations-affected-by-march-april-data-breach-twin-cities-suburbs/4498868/


Midstate Chipotle restaurants among those affected by data breach …

Mexican food chain Chipotle has confirmed that most of its restaurants — including those in the midstate — were affected by a data breach of customers’ financial information.

Chipotle said that the breach happened between March 24th and April 18th. The malware recorded names, numbers, expiration dates and security codes stored in the magnetic stripes of credit and debit cards. The malware has since been removed.

According to the chain restaurant, the data breach affected at least 11 Chipotle locations in the midstate region.

If customers have questions regarding this incident, they can call 888-738-0534 Monday through Friday between the hours of 9 a.m. and 9 p.m.

Article source: http://www.pennlive.com/news/2017/05/midstate_chipotle_restaurants.html


Molina Healthcare investigates breach of patients’ data

Long Beach-based Molina Healthcare, a major insurer in Medicaid and state exchanges across the country, has shut down its online patient portal as it investigates a potential data breach that may have exposed sensitive medical information.

The company said that it closed the online portal for medical claims and other customer information while it examined a “security vulnerability.” It’s not clear how many patient records might have been exposed and for how long. The company has more than 4.8 million customers in 12 states and Puerto Rico.

Molina posted $17.8 billion in annual revenue last year. The company made news earlier this month with the surprise firing of its top two executives, who are sons of the company’s founder. Both CEO J. Mario Molina and his brother, finance chief John Molina, were ousted. The company’s board said Molina’s disappointing financial performance led to the management change.

“We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities,” Molina said in a statement Friday. “Protecting our members’ information is of utmost importance.”

Brian Krebs, a well-known cybersecurity expert who runs the Krebs on Security website, said he notified the company of the potential breach earlier this month and wrote about it on his website Thursday. Molina said it was already aware of the security vulnerability when contacted.

Until recently, Krebs said, Molina “was exposing countless patient medical claims to the entire internet without requiring any authentication.”

Krebs said the information he saw online included patients’ names, addresses, dates of birth and information on their medical procedures and medications.

“It’s unconscionable that such a basic, security 101 flaw could still exist at a major health care provider,” Krebs said. “This information is more sensitive than credit card data, but it seems less protected.”

Krebs said he received an anonymous tip in April from a Molina member who stumbled upon the problem when trying to view his medical claim online. The tipster found that by changing a single number in the website address he could then view other patient claims, according to Krebs.

Krebs said the Molina member showed him screenshots of his own medical records and how when he changed the web address slightly it then displayed records of another patient. On Friday, the Molina website told customers that the online portal was “under maintenance.”
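The flaw Krebs describes is an insecure direct object reference: the record is chosen by the number in the URL alone, with no authentication and no check that the requester owns it. As an added illustration (not Molina’s code, and with all claims, member ids and session tokens constructed for the example), here is a minimal claims lookup in that vulnerable form beside a hardened one that also records denials so repeated probing of neighbouring ids can be spotted.

```python
"""Insecure direct object reference in a claims lookup, beside the hardened form.

Constructed example; not the code of any real portal. All records, member ids
and session tokens below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Claim:
    claim_id: int
    member_id: str
    procedure: str


# Constructed sample claims (not real data): sequential ids, different owners.
CLAIMS: Dict[int, Claim] = {
    1001: Claim(1001, "M-111", "MRI, lumbar spine"),
    1002: Claim(1002, "M-222", "Prescription: metformin"),
    1003: Claim(1003, "M-111", "Physical therapy, 6 sessions"),
}

# Constructed sessions: bearer token -> authenticated member id.
SESSIONS: Dict[str, str] = {"tok-alice": "M-111", "tok-bob": "M-222"}

# Audit trail of denied lookups: (token, claim_id). Feeds the detector below.
DENIALS: List[tuple] = []


def lookup_claim_vulnerable(claim_id: int) -> Optional[Claim]:
    """The bug on the page: whoever supplies a claim number gets that claim.
    Nothing ties the request to a logged-in member, so changing the number
    in the URL walks through every patient's records."""
    return CLAIMS.get(claim_id)


class Denied(Exception):
    """Raised when a request must not see the claim (a 401 or 404 in HTTP)."""


def lookup_claim_hardened(session_token: Optional[str], claim_id: int) -> Claim:
    """Authenticate first, then authorize against the record's owner."""
    member_id = SESSIONS.get(session_token or "")
    if member_id is None:
        raise Denied("401: authentication required")
    claim = CLAIMS.get(claim_id)
    # Same response whether the id is absent or belongs to someone else, so
    # the endpoint does not reveal which claim ids exist.
    if claim is None or claim.member_id != member_id:
        DENIALS.append((session_token, claim_id))
        raise Denied("404: no such claim for this member")
    return claim


def probe(session_token: Optional[str], claim_id: int) -> str:
    """Return the procedure on success or the denial message, for comparison."""
    try:
        return lookup_claim_hardened(session_token, claim_id).procedure
    except Denied as exc:
        return str(exc)


def suspicious_tokens(threshold: int = 3) -> List[str]:
    """Detection side: tokens whose denied lookups hit `threshold` or more
    distinct claim ids. A legitimate member rarely requests records that
    are not theirs; a run of denials across consecutive ids is the IDOR
    probing pattern described in the article."""
    seen: Dict[str, set] = {}
    for token, claim_id in DENIALS:
        seen.setdefault(token, set()).add(claim_id)
    return sorted(t for t, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, no login:", lookup_claim_vulnerable(1002))
    print("hardened, own claim:", probe("tok-alice", 1001))
    print("hardened, other's claim:", probe("tok-alice", 1002))
    for cid in (1002, 1004, 1005):
        probe("tok-alice", cid)
    print("flagged tokens:", suspicious_tokens())
```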

Health care companies, hospitals and other providers must report data breaches to U.S. officials. Molina emphasized that it was still investigating the matter so had not yet reported it. Federal regulators can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as HIPAA.

Many security experts question the ability of health care companies and providers to safeguard vast troves of electronic medical records and other sensitive data, particularly at a time when cybercriminals are targeting medical information.

Molina has grown more prominent during the rollout of the Affordable Care Act, as Medicaid expanded and state insurance exchanges launched. The company serves more than 1 million people through Obamacare exchanges across several states. It has nearly 69,000 enrollees in the Covered California exchange, or about 5 percent of the market.

Article source: http://www.presstelegram.com/business/20170530/molina-healthcare-investigates-breach-of-patients-data


Chipotle data breach exposed credit card info at 29 Upstate NY restaurants (full list)

Chipotle has revealed the full list of restaurants affected by a data breach earlier in 2017 that exposed customers’ credit card information.

The list includes numerous Chipotle locations in Upstate New York.

According to an official release from Chipotle, the breach involved “malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017.”

The breach accessed “track data” from credit cards, which can include cardholder names, card numbers, expiration dates and internal verification codes. Chipotle said there is no indication that other information was accessed.

Chipotle directed any customers who believe they may have been affected to contact the FTC, which also provides information about protecting yourself from identity theft, including how to place a “security freeze” on your account and how to sign up for fraud alerts.

Here is the full list of Upstate NY Chipotle restaurants affected by the breach, including the dates that they were affected:

  • Albany – 1475 Western Avenue, 3/26/2017-4/18/2017
  • Albany – 105 Wolf Road, 3/26/2017-4/18/2017
  • Amherst – 1643 Niagara Falls Blvd, Suite 44C, 3/24/2017-4/18/2017
  • Central Valley – 498 Red Apple Court, FC-12, 3/27/2017-4/18/2017
  • Cheektowaga – 1717 Walden Avenue, 3/26/2017-4/18/2017
  • Clifton Park – 22 Clifton Country Road, Ste 150, 4/11/2017-4/18/2017
  • Hamburg – 4405 Mile Strip Road, Unit 5, 3/26/2017-4/18/2017
  • Ithaca – 740 South Meadow St., 3/26/2017-4/18/2017
  • Kingston – 1221/1217 Ulster Avenue, 3/27/2017-4/18/2017
  • Latham – 2 Wade Road, 3/24/2017-4/18/2017
  • Liverpool – 3852 State Route 31, 3/27/2017-4/18/2017
  • Middletown – 444 Route 211 East, Suite 2, 3/26/2017-4/18/2017
  • New Hartford – 4815 Commercial Drive, 200, 3/27/2017-4/18/2017
  • Niagara Falls – 1785 Military Road, 300, 3/26/2017-4/18/2017
  • Plattsburgh – 200 Consumer Square, Ste 208, 3/26/2017-4/18/2017
  • Rochester – 640 Jefferson Road, 3/25/2017-4/18/2017
  • Rochester – 1847 Ridge Road West, 3/26/2017-4/18/2017
  • Rochester – 1495 East Ridge Road, 3/26/2017-4/18/2017
  • Rochester – 1360 Mount Hope Ave, 3/26/2017-4/18/2017
  • Saratoga Springs – 3057 NY State Route 50, Suite 5, 3/25/2017-4/18/2017
  • Schenectady – 441 Balltown Road, Suite 3, 3/26/2017-4/18/2017
  • Syracuse – 3496 Erie Blvd East, 3/26/2017-4/13/2017
  • Syracuse – 129 Marshall Street, 3/26/2017-4/18/2017
  • Tonawanda – 1759 Sheridan Drive, 3/26/2017-4/18/2017
  • Vestal – 4698 Vestal Parkway East, 3/26/2017-4/18/2017
  • Victor – 401 Commerce Dr. , Suite 100, 3/27/2017-4/18/2017
  • Watertown – 1290 Arsenal Street, Suite 7, 3/26/2017-4/18/2017
  • Webster – 927 Holt Road, 500, 3/26/2017-4/18/2017
  • Williamsville – 8020 Transit Road, Unit 23, 3/26/2017-4/13/2017

Article source: http://www.newyorkupstate.com/restaurants/2017/05/chipotle_data_breach_exposed_credit_card_info_at_29_upstate_ny_restaurants_full.html


