Posts Tagged IT security

Nearly 20000 Australians caught up in massive Bupa Global data breach

Bupa’s international health insurance arm was hit by a malicious act in the UK, putting private details of almost 20,000 Australian customers in danger.


Bupa’s international health insurance arm was hit by a malicious act in its UK office, putting the private information of almost 20,000 Australian customers in danger.

The company admitted on Friday that an employee had “inappropriately copied and removed some customer information” at its Bupa Global division, which provides international health insurance for frequent travellers or people who work overseas.

“The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers,” Bupa Global managing director Sheldon Kenton said.

The data was then “made available to other parties”, he added.

“We are contacting those customers who are affected to apologise and advise them as we believe the information has been made available to other parties.”


A Bupa Australia spokesperson said that among the 547,000 customers affected worldwide, 19,595 were believed to be Australians.

“It is important to point out that this was not a cyberattack or external data breach. It was a deliberate act by an employee in the UK who had no access to customer data for the Bupa Australia Health Insurance business, which is kept on separate systems,” the spokesperson said.

The company will be “taking appropriate legal action” against the responsible staff member, who has now been dismissed.

“We have introduced additional security measures and increased our customer identity checks. A thorough investigation is under way and we have informed the FCA and Bupa’s other UK regulators,” Mr Kenton said.

Customers that have been embroiled in the incident have policy numbers starting with “BI” and the BBC confirmed on Friday that the Information Commissioner’s Office in the UK was making enquiries.

Article source: http://www.busseltonmail.com.au/story/4794371/nearly-20000-australians-caught-up-in-bupa-data-breach/?cs=4071


As GDPR approaches, retail data breaches remain unacceptably high

Two in five retailers across the globe have experienced a data breach in the past year, according to Thales and 451 Research. The report reveals that 43 percent of retailers had experienced a data breach in the last year, with a third claiming more than one.

With 60% claiming that they had been breached in the past, it’s perhaps unsurprising to learn that 88% of retailers consider themselves to be ‘vulnerable’ to data threats, with 37% stating they are ‘very’ or ‘extremely’ vulnerable. As a result, three quarters of retailers expect their spending on IT security to increase.

Taking steps toward compliance

An increase in regulations such as the forthcoming GDPR has led to greater awareness and concern around issues of data privacy and sovereignty, with 72% of retailers claiming to be impacted.

The report reveals that, in an effort to comply with these new requirements, 64% of retailers are encrypting their data, 40% are tokenising data, and 36% are implementing a migration project.

Pressures to use advanced technology increase risk

According to the report, 52% of retail organisations will use sensitive data in a big data environment this year, with a third using encryption to protect that data. Despite this, however, 39% were very concerned that they’re using these environments without proper security in place.

What’s more, the report found that as adoption of cloud and SaaS environments continues to rise, so too do concerns regarding their safe use. Two-thirds of retailers, for example, claimed to be very or extremely concerned about cloud service providers (CSPs) falling victim to security breaches or attacks. A similar number (66%) expressed concerns around vulnerabilities in shared infrastructure, and 65% were worried about the custodianship of the encryption keys used to protect their data.

63% of respondents suggested that such fears could be allayed through the use of data encryption in the cloud, with keys being controlled at the retailer’s premises, while half preferred the CSPs to control the keys.

“Breach results were not so rosy for global retail – a staggering 43 percent of global retail respondents reported a breach in the past year alone, approaching twice the global average. These distressing breach rates serve as stark proof that data on any system can be attacked and compromised. Unfortunately, organisations keep spending on the same security solutions that worked for them in the past, but aren’t necessarily the most effective at stopping modern breaches,” said Garrett Bekker, principal analyst for information security at 451 Research.

Retail organisations interested in improving their overall security postures should strongly consider:

  • Deploying security tool sets that offer services-based deployments, platforms and automation
  • Discovering and classifying the location of sensitive data within cloud, SaaS, big data, IoT and container environments
  • Leveraging encryption and Bring Your Own Key (BYOK) technologies for all advanced technologies.

Article source: https://www.helpnetsecurity.com/2017/07/24/gdpr-approaches-retail-data-breaches/


Data breach has Arkansas seeking new vendor



© 2017 Associated Press


Article source: http://www.thv11.com/news/local/data-breach-has-arkansas-seeking-new-vendor/458836359


Wells Fargo Gets Regulatory Questions After Data Breach – Bloomberg

Wells Fargo Co., already in the regulatory spotlight because of last year’s fake-account scandal, is drawing renewed scrutiny after a lawyer’s unauthorized release of sensitive client details for tens of thousands of accounts belonging to wealthy customers of its brokerage unit.

Regulators have started asking questions about the breach, according to a person with knowledge of the matter, after the data was mistakenly provided to an attorney as part of a lawsuit involving two brothers, one a Wells Fargo employee and the other a former employee. A person briefed on the matter said Wells Fargo has determined the accounts were all from one brokerage branch in the Northeast.

Representatives of the Financial Industry Regulatory Authority informally contacted at least one of the attorneys involved in the dispute for information about how the breach occurred and how Wells Fargo failed to detect it, said the person, who asked not to be identified because the matter isn’t public. Lawyers for the bank are taking steps to contact regulators about the data breach, according to another person with knowledge of the matter. The person didn’t specify which agencies.

Ray Pellecchia, a spokesman for Finra, which licenses and supervises Wall Street workers including financial advisers, didn’t have an immediate comment. Representatives for the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and the Securities and Exchange Commission didn’t immediately respond to messages seeking comment.

‘Thoroughly Investigate’

While this latest black eye may not rise to the level of the retail-bank debacle, it further calls into question Wells Fargo’s ability to manage its people and information.

“Wells Fargo takes the security and privacy of our customers’ information very seriously,” the bank said in a statement. “We are currently taking legal action to ensure the additional data is not disseminated, and we are requesting its rapid return. We continue to thoroughly investigate this matter and will take the proper steps, including corrective action, based on the outcome of our investigation.”

The bank’s latest troubles come just 10 months after regulators disclosed that Wells Fargo employees had been opening potentially millions of accounts in its retail banking division without customers’ permission over a half decade. The bank’s stock valuation and reputation were tarnished, and Wells Fargo has spent at least $520 million on fines, remediation, consultants and civil litigation since then, including a near-final $142 million to consumers who accused the bank of creating bogus accounts.

Insufficient Oversight

The OCC, the bank’s main regulator, said in September Wells Fargo had “failed to provide sufficient oversight” of its sales programs and didn’t adequately monitor employees in its retail bank. Part of the consent order the OCC forced the bank to carry out afterward included beefing up internal controls and risk management.

The recent data breach began with a financial spat between a pair of brothers over less than $1 million. Gary Sinderbrand, a former managing director at Wells Fargo Advisors, is engaged in two legal actions against his older brother Steven Sinderbrand, a managing director at the bank, one in New York and one in New Jersey.

Lawyers for Gary Sinderbrand received client names, Social Security numbers and account balances earlier this month for 50,000 Wells Fargo accounts, the New York Times first reported, including one file with details on the holdings of a “well-known hedge fund billionaire” with at least $23 million invested.

Protective Order

The trove of confidential client data was sent by attorney Angela A. Turiano of law firm Bressler, Amery & Ross, who’s representing Wells Fargo in both of the disputes. Turiano sent the information without a protective order or confidentiality agreement between the parties.

Turiano, who indicated that an outside vendor was involved in the information breach, asked the information be returned when Gary Sinderbrand’s attorneys informed her of the breach this week, the New York Times reported. Turiano didn’t return messages for comment on Saturday.

Gary Sinderbrand’s lawyers had been seeking documents related to a squabble over allegedly unpaid fees for a consulting arrangement with his brother. Sinderbrand alleges Wells Fargo knew about and approved of a verbal arrangement that he provide risk-management and client-retention coaching to his brother Steven, while Gary Sinderbrand took a two-year sabbatical from managing wealthy clients’ money.

The New York dispute is over what Gary Sinderbrand alleges is roughly $870,000 more he’s owed from 50 percent of fees his brother made managing their joint book of client business over a period of about two years.

Andrew L. Miller and Aaron Zeisler, attorneys for Gary Sinderbrand, either declined to comment or didn’t immediately return messages on Saturday. The brothers didn’t return messages seeking comment.

    Article source: https://www.bloomberg.com/news/articles/2017-07-22/wells-fargo-said-to-get-regulatory-questions-after-data-breach


    Data breach has Arkansas seeking new vendor

    Arkansas is seeking someone else to provide database services after a breach during the spring impacted 600,000 of the state’s residents.

    America’s Job Link Alliance-TS has held a contract with the state since 2007. In March, it told the Department of Workforce Services that records of at least 19,000 state job applicants had been compromised, but what was taken wasn’t immediately known.

    Agency spokesman Steven Guntharp says Workforce Services now knows that 598,533 Arkansans were impacted, though no one has complained of identity theft.

    Guntharp told the Arkansas Democrat-Gazette the agency is seeking a new vendor.

    Article source: http://www.thenewstribune.com/news/business/article163066133.html



      Data breach reported at Tewksbury Hospital – Lowell Sun Online



      TEWKSBURY — State officials have determined a former Tewksbury Hospital employee may have inappropriately accessed the medical records of at least 1,100 patients from 2003 to 2017.

      Current and former patients who may have been affected are being notified of the breach, according to a Friday statement from the state Department of Public Health.

      The review, conducted in response to a former patient’s complaint, found that inappropriately viewed information included names, addresses, birth dates, phone numbers, gender, diagnoses, medical treatments and in some cases, social security numbers.

      State officials said there is no indication the information has been misused. They said the clerk responsible for accessing the information is no longer employed by Tewksbury Hospital and no longer has access to hospital patient medical records of any kind.

      The hospital has also made immediate changes to further protect social security numbers and is reviewing its policies regarding medical records system access, according to the statement.

      Article source: http://www.lowellsun.com/breakingnews/ci_31158235/data-breach-reported-at-tewksbury-hospital


      Wells Fargo Accidentally Releases Trove of Data on Wealthy Clients

      The documents were sent by Angela A. Turiano, a lawyer with Bressler, Amery & Ross, an outside law firm in Florham Park, N.J., hired by Wells Fargo, which is not a party to the suit. Mr. Sinderbrand and one of his lawyers, Aaron Zeisler, notified Ms. Turiano on Thursday morning about the sensitive documents now in their hands.

      In an email response, Ms. Turiano described the disclosure as “inadvertent,” and wrote, “Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted.”

      Mr. Zeisler said his client intended to keep the CD secure and confidential. “We are continuing to evaluate his legal rights and responsibilities,” Mr. Zeisler said. “Wells Fargo has not identified what specific documents it asserts were inadvertently exposed.”

      The disclosure is a data breach that potentially violates a bevy of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.

      State and federal regulations also require companies to notify customers when their information has been improperly released, as Wells Fargo may now do. And some of the accounts in Mr. Sinderbrand’s database are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes.

      “There are thousands of documents in here that the public should never see,” Mr. Sinderbrand said, noting that a less scrupulous recipient of such data could have easily posted it online.

      Reached on Friday, a day after Ms. Turiano was made aware of the issue, a spokeswoman for Wells Fargo Advisors, Emily Acquisto, released the following statement: “Wells Fargo takes the security and privacy of our customers’ information seriously. We are investigating this matter and will take the proper steps based on the outcome of our investigation.”


      Ms. Turiano and a spokeswoman for her firm did not respond to requests for comment.

      The New York Times was shown large portions of the data and confirmed that it included what appeared to be clients’ names, unredacted Taxpayer Identification Numbers, assets under management, portfolio performance, mortgage information and details on 529 education savings plans.


      One file, for example, contained details on the holdings of a well-known hedge fund billionaire who had at least $23 million invested through Wells Fargo Advisors.

      The files also include extensive information on Wells Fargo’s financial advisers employed by the bank, their performance, their compensation and their client lists. One typical record showed the full roster of one adviser’s client book and his commissions for the past year, totaling $1.5 million.

      Based on the fairly narrow subpoena that his lawyer submitted — it sought communications about Mr. Sinderbrand’s employment and compensation — there was no reason for the bank to turn over such information, especially without any redactions, Mr. Sinderbrand said.

      “This is a public policy issue,” he said. “They have to find out what happened and how it happened. Did it happen before, and could it happen again?”

      Mr. Sinderbrand, 61, has an acrimonious history with Wells Fargo. He worked at the bank as a financial adviser until 2013, when he said he resigned to work for a health technology start-up. In 2016, he reached a settlement with the bank to resolve lingering financial issues related to his compensation. He later sued the bank, saying it violated a confidentiality clause in that agreement. That case is pending in New York State Supreme Court in Manhattan.

      The documents that Wells Fargo gave to Mr. Sinderbrand’s lawyer were sent in response to a subpoena in a separate defamation lawsuit proceeding in New Jersey against one of his brothers, who works at the bank.

      The disclosure of so much sensitive material comes amid heightened concern about the ease with which personal information can be hacked, leaked or accidentally divulged. Banks are supposed to have extensive internal controls to protect clients’ data.

      Wells Fargo’s internal controls are under particular scrutiny after a false-accounts scandal came to light last year. The company disclosed that its employees, trying to meet aggressive sales goals, opened as many as 3.5 million unwanted bank and credit card accounts for customers without their knowledge, and agreed this month to pay $142 million to settle a related class-action suit.


      In terms of information security, litigation poses a special risk because confidential material often must change hands. The legal industry’s best practices for handling digital documents in discovery — “e-discovery,” as lawyers call it — include careful reviews to exclude or redact personally identifiable information, encryption and other safeguards as data is transferred.

      Confidential information is also often covered by a protective order, which must be granted by a judge, to prevent the data’s recipients from sharing it more widely. None of that seemed to have happened here, reflecting a breakdown in vetting at multiple levels.

      In Ms. Turiano’s email to Mr. Sinderbrand’s lawyer, she wrote: “We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked. Clearly there was some type of vendor error — which I am confirming now.”



      Article source: https://www.nytimes.com/2017/07/21/business/dealbook/wells-fargo-confidential-data-release.html


      McKesson’s New Head of Litigation Saw A Data Breach Up Close

      The newest member of McKesson Corp.’s legal department, Robin Jacobsohn, has seen what the aftermath of a cyber attack looks and feels like from the inside.

      In July 2015, Jacobsohn joined the U.S. Office of Personnel Management — months after it discovered a massive breach of its internal system had compromised the personal data of an estimated 21.5 million individuals, including federal employees and others. Much of her time there was spent dealing with the aftermath.

      “We were very much in the middle of a lot of people’s focus,” she said. “There was obviously a lot of time and energy spent responding to the underlying challenges and gathering information as quickly and clearly we could” about what had happened.

      Although Jacobsohn joined OPM as head of its litigation, she said she spent a substantial portion of her time dealing with the fallout from the hack. Likewise, she will head McKesson’s litigation, but said her responsibilities will include intellectual property, information technology and employment and benefits. Her title will be senior vice president, associate general counsel.

      Previously in her career, Jacobsohn served as an associate attorney general in the U.S. Department of Justice, a deputy general counsel in the U.S. Department of Defense, and as a partner in Williams & Connolly.

      McKesson, a San Francisco-based company that distributes pharmaceuticals and is also involved in healthcare delivery, has been involved in 983 federal court cases since July 2013, according to Bloomberg Law. The vast majority of those cases featured product liability claims.


      Jacobsohn, who will be based in Washington, D.C., and started only two weeks ago, said she is still getting comfortable in her new position and her new role.

      She said she doesn’t have any set rules about what she wants from outside counsel but they should be familiar with the company and its business. That may mean understanding the trends in class-action litigation occurring within the industry or simply being familiar with the nature of relevant regulatory investigations.

      Part of her role will be figuring out how to optimize her own use of in-house attorneys for those tasks that they have the expertise to handle, and deciding when it makes sense to bring in outside counsel. As to the mix of law firms she plans to use, Jacobsohn said there is no one-size-fits-all approach to the ideal outside counsel.

      “I’ve worked with a range of law firms over the years … and had terrific experiences with all manners of law firms [from] tiny boutiques, that are very local [to] very broad international practices,” she said.

      Article source: https://bol.bna.com/mckessons-new-head-of-litigation-saw-a-data-breach-up-close/


      Two in five retailers ‘have experienced a data breach in the past year’

      Two in five retailers around the world have had a data breach in the last year – and most consider themselves to be vulnerable to such threats in the future, according to a new study.

      In all, 43% of retailers said they had experienced a breach over the preceding 12 months, while 60% of retailers said they have been breached in the past, and 88% say they are at risk for the future, including 37% that say they are ‘very’ or ‘extremely’ vulnerable, according to the 2017 Thales Data Threat Report, Retail Edition, published this week.

      Information systems, cybersecurity and data security specialist Thales, which worked with analysts from 451 Research, also said that 73% of retailers planned to increase their spending on IT security in response. This, it says, will come still further to the fore as regulations increase. That includes the arrival, next year, of the European Union GDPR regulations, with measures that will give consumers more control over their data and are set to raise awareness of data privacy and sovereignty issues.

      The report found that almost two thirds of retailers (64%) are now working to encrypt their data in order to comply with its requirements, 40% are tokenising data, and a similar number (36%) are implementing a migration project.

      According to the report, half of retail organisations (52%) will use sensitive data in a big data environment this year, with a third (34%) using encryption to protect that data. Despite this, however, 39% were very concerned that they are using these environments without proper security in place.

      The report also found that as adoption of cloud and SaaS environments continues to rise, so too do concerns regarding their safe use. Two-thirds of retailers (67%), for example, claimed to be very or extremely concerned about cloud service providers (CSPs) falling victim to security breaches or attacks. A similar number (66%) expressed concerns around vulnerabilities in shared infrastructure, and 65% were worried about the custodianship of the encryption keys used to protect their data.

      “Breach results were not so rosy for global retail,” said Garrett Bekker, principal analyst for information security at 451 Research. “A staggering 43% of global retail respondents reported a breach in the past year alone, approaching twice the global average. These distressing breach rates serve as stark proof that data on any system can be attacked and compromised.”

      Peter Galvin, vice president of strategy at Thales e-Security said: “With tremendous sets of detailed customer behaviour and personal information in their custody, retailers are a prime target for hackers so should look to invest more in data-centric protection. And as retailers dive head first into new technologies, data security must be a top priority as they continue to pursue their digital transformation.”


        Article source: http://internetretailing.net/2017/07/two-five-retailers-experienced-data-breach-past-year/
