Posts Tagged IT security

Biz overlords need to give a stuff about what they’re told by IT crowd

Companies that suffer a data breach can expect to see their share price fall by five per cent and watch two to three per cent of customers take their business elsewhere.

Researchers at Ponemon looked at the share prices of 113 companies that had lost customer data, tracking their value from 30 days before their respective breaches were made public to 90 days afterwards.

The organisations saw an almost instant 5 per cent fall in their share price when the breach was made public. The stock took an average of 45 days to recover but there were big differences between companies seen as having a strong security stance and those with weak security.

Companies which showed a fast security response could expect their price to recover within seven days while a weak response left share prices still languishing 90 days after the data breach.

The proportion of customers who left the company as a result of the data breach ranged from less than 2 per cent to over 5 per cent. In financial terms, that meant average annual revenue losses of between £2.08m and £3.07m.

As well as looking at share price, Ponemon researchers surveyed three groups of people – 313 IT and security staff, 292 chief marketing and comms officers and 405 consumers.

A terrifying 51 per cent of consumers said they had been told by a company or government agency that their data had been lost or stolen in the last two years.

A little more than three-quarters (76 per cent) of consumers believed organisations have a responsibility to control access to their data, but only 46 per cent of CMOs and 44 per cent of IT staff agreed.

Consumer trust was also misplaced in certain industries: 68 per cent of consumers said they trusted healthcare companies to safeguard their data but only 24 per cent had equal faith in credit card companies. However, healthcare companies accounted for 34 per cent of all data breaches while banking, credit and financial organisations were involved in only 4.8 per cent of total breaches.

There were some interesting disparities in the survey results: while 40 per cent of IT staff said their organisation had seen a data breach involving the loss or theft of more than 1,000 customer records or other business information in the last two years, only 23 per cent of comms and marketing staff agreed. This indicated that either sampling was skewed or that IT staff are not always ‘fessing up to marketing when something went wrong.

There were also differences in perceptions of the impact of a breach on the organisation. Marketing and communications staff see falling customer trust and negative media coverage and damage to brand as the three most important results of a breach. But 51 per cent of IT staff say financial harm is most damaging, followed by pressure from increased scrutiny of IT work after a breach. Regulatory fines or lawsuits were mentioned by 40 per cent of IT staff but only 18 per cent of CMOs. An even more paranoid 63 per cent of IT staff said a breach could result in them losing their jobs, versus just five per cent of CMOs.

Ponemon used a sampling frame for each of the three groups and got responses from between three and five per cent once some were removed for failing reliability checks. The survey could include non-response bias – it is possible that all those who declined to take part are substantially different to those that did. ®

Article source: https://www.theregister.co.uk/2017/05/19/data_breaches_bash_share_prices_and_customer_confidence/


Zomato Breach Threatens 17 Million Users

Zomato, the restaurant app, disclosed Thursday (May 18) that around 17 million users’ information has been stolen in a data breach.

According to a report in CNN, the hackers took off with the email addresses and encrypted passwords from a Zomato database. The app covers more than one million restaurants across 24 countries and competes with Yelp. Zomato said no payment information or credit card data was taken in the data breach.

“So far, it looks like an internal (human) security breach — some employee’s development account got compromised,” the company said in a blog post, without providing further details, reported CNN. The company said the theft was a recent discovery and that it is “actively working to plug any more security gaps that we find in our systems.”

Zomato noted that the security measures it has in place prevent stolen passwords from being converted back into text. It did urge users to change their passwords if they use the same password elsewhere. Customers who were affected were logged out of the app by Zomato, and their passwords were reset, noted the report.

The disclosure from Zomato comes as the world is on edge after the WannaCry virus wreaked havoc on computers around the globe this past weekend. As has been widely reported, a massive attack hit everything from the United Kingdom’s National Health Service to European automakers, Chinese firms and any number of companies across other verticals, working its way through disparate countries into Saturday. Interpol had estimated over the weekend that more than 100,000 organizations across 150 nations had been hit by the attack, as reported by The Associated Press.

Reuters and others reported that the ransomware infections that hit computers worldwide likely trace their genesis to the U.S. National Security Agency, and Friday’s tally comes to more than 126,000 cases of infection. The malware that was sent had been hidden in any number of attachments in emails that had seemed legitimate, from files that spoofed invoices to job offers and other communications. The ransom demands ranged from $300 to $600 to give users back access to their machines.




Article source: http://www.pymnts.com/news/security-and-risk/2017/zomato-breach-threatens-17-million-users/


India’s Zomato hit by 17m user data breach

Indian online restaurant guide Zomato says hackers have stolen the data of more than 17 million users.

Email addresses and passwords were among the records stolen by hackers, Zomato said in a statement on its website.

“No payment information or credit card data has been stolen/leaked,” Zomato said, adding that all affected accounts had been reset and it was working to plug any more security gaps in its systems.

The hashed passwords could not be decrypted back to plain text, Zomato said, but it nevertheless encouraged users who used the same password for other services to change it.

Zomato’s statement came a day after the internet security website HackRead reported that a vendor who claimed to have hacked Zomato was selling the data of 17 million of its users on the “dark web.”

Founded as a restaurant search service by Deepinder Goyal and Pankaj Chaddah in 2008, Zomato has more than 120 million users and operates in 23 countries including Australia, the United States, Portugal, Britain and Chile.

Article source: http://www.sbs.com.au/news/article/2017/05/18/indias-zomato-hit-17m-user-data-breach


Lone consumer holds up Target data breach settlement | Minnesota …



It’s been about three and a half years since cyber crooks hacked Target’s systems, compromising the financial or personal information of some 100 million customers.

Target has paid banks and credit- and debit-card issuers about $110 million for fraud losses, card replacement costs and other damages they endured.

In late 2015, Target agreed to a compensation plan for affected consumers with a pool of $10 million available. But consumers have yet to see a dime because of a sole objection.

One man stands in the way.

Leif Olson, a Texas resident, has been able to block court approval of the plan. He’s represented by a group critical of lawyers called the Center for Class Action Fairness.

The group’s opposition makes no sense, said attorney Vincent Esades, who represented consumers in a data breach class-action lawsuit against Target.

“They’re saying there should have been more classes. More lawyers. Their ultimate conclusion is this case should not be going forward as a class action,” he said. “I disagree because if it doesn’t go forward as a class action, hundreds of thousands of people are not going to get anything.”


Only about 226,000 consumers filed for compensation from Target. They had to provide evidence of a loss or, if they lacked documentation, assert they suffered certain kinds of trouble, such as having to dispute fraudulent charges or overdraft fees.

Individual pay-outs are capped at $10,000. But the vast majority of claims are undocumented and would pay only $40.

The Center for Class Action Fairness is associated with the Competitive Enterprise Institute, a libertarian thinktank. The center boasts that when it prevails “lawyers get less, class members get more.”

Melissa Holyoak, an attorney with the Center, contends consumers did not get a good deal in the Target case. They’re in line for just $10 million, while attorney and administration costs hit $13 million.

She said various groups of consumers would get a raw deal. For example, she said there’s nothing in the settlement to compensate for damages only incurred in the future.

“If you had some sort of loss that you could identify, you could get money under the settlement. But everyone else got nothing,” Holyoak said.

After U.S. District Court Judge Paul Magnuson approved the proposed settlement, the center appealed. In February, the 8th U.S. Circuit Court of Appeals sent the case back to Magnuson for reconsideration.

Attorneys who negotiated the class-action settlement with Target argue it offers something for everyone — specifically, enhanced security and business practices Target agreed to implement to prevent future fiascoes.

But Holyoak said those terms don’t specifically benefit injured consumers.

“That is for everyone. The whole world gets the protections that Target is now doing,” she said. “It doesn’t offer any special consideration for these class members.”

Class-action objectors are allowed to hold up settlements, but the motives can range from personal gain to calling attention to legitimate shortcomings.

Critics of the Center for Class Action Fairness say it masquerades as a consumer advocate, but really tries to undermine class actions.

“It’s part of a constellation of conservative efforts to shut down class actions, to block people from being able to pursue justice against corporate bad actors or to enforce civil rights legislation in the courts,” said Rebecca Buckwalter-Poza, a fellow at the left-leaning Center for American Progress.

But Holyoak said her organization is about preventing attorneys from siphoning off money that should rightly go to the consumers in a class action settlement.

“We want them to be fair. We’re not trying to get rid of class actions,” Holyoak said. “We just want to get rid of the bad players in class action. The ones that are only structuring and negotiating selfish settlements.”

Judge Magnuson on Wednesday reaffirmed his prior decision. But further reviews and appeals are possible.

That could mean nothing gets resolved and consumers won’t get paid before next year, at the earliest, even though Magnuson’s ruling indicates he doesn’t see a better option.

It is “difficult to imagine a settlement that more comprehensively addresses all of the harm suffered,” he wrote.

Article source: https://www.mprnews.org/story/2017/05/18/lone-consumer-holds-up-target-data-breach-settlement


Prison term given in UNI data breach case


Article source: http://wcfcourier.com/news/local/crime-and-courts/prison-term-given-in-uni-data-breach-case/article_9c750af5-e454-52c4-b016-459b51ea113b.html


Minnesota federal judge again approves certification of Target data breach class action

SAINT PAUL, Minn. (Legal Newsline) – A Minnesota federal judge again has approved a $10 million settlement in a data breach class action brought against Target.

On Wednesday, Judge Paul A. Magnuson with the U.S. District Court for the District of Minnesota approved certification of the class action for a second time.

The U.S. Court of Appeals for the Eighth Circuit sent the case back to the Minnesota federal district court to reconsider the objections of class member Leif Olson, who is represented by the Competitive Enterprise Institute’s Center for Class Action Fairness, which appealed the original approval of the class action settlement.

“Although Olson is highly critical of the settlement and the representation of named Plaintiffs and class counsel, he has utterly failed to demonstrate any conflict of interest,” Magnuson wrote in his 21-page order granting the consumer plaintiffs’ renewed motion to certify the class.

The Eighth Circuit explained in its Feb. 1 opinion that while the U.S. Supreme Court has not said what, specifically, a “rigorous analysis” of class certification prerequisites entails, at a minimum the rule — Rule 23(a) — requires a district court to state its reasons “in terms specific enough for meaningful appellate review.”

Judge Bobby E. Shepherd, writing for the Eighth Circuit, said the District of Minnesota’s certification of the settlement class did not meet this standard.

“In its preliminary order, the court replaces analysis of the certification prerequisites with a recitation of Rule 23 and a conclusion that certification is proper,” Shepherd wrote.

He continued, “These remarks are conclusions, not reasons, and on their own they do not constitute a ‘rigorous analysis’ of whether certification is proper in this case.”

Olson challenged the class certification for lack of adequate representation due to an alleged intraclass conflict.

Olson alleged that, unlike the class representatives, he incurred no expenses or costs making him eligible for compensation from the settlement fund. Despite receiving no such relief, he is bound under the deal to release Target from liability from any claims he may someday have.

He argued class members such as himself make up what he calls a “zero-recovery subclass.” Since no named plaintiff belongs to this purported subclass, Olson contended the court should certify a separate subclass with independent representation.

“Though not exhaustive, Olson’s objection raises important concerns for the district court to evaluate upon remand,” Shepherd wrote in the Eighth Circuit’s 10-page opinion.

Class member Jim Sciaroni did not object to the certification but appealed the district court’s approval of the settlement agreement.

Both Olson and Sciaroni also challenged the district court’s order requiring them to post a bond of $49,156 to cover the costs of the appeal.

The Eighth Circuit reversed that order, noting the parties agreed that only $2,284 of the bond reflects the direct costs of the appeal.

The remaining $46,872 — according to the district court — covers the “financial harm the class will suffer as a result of the delay caused by the appeal,” such as disruptions in the claims process, hindered distribution of settlement funds to class members, and the administrative costs of maintaining the settlement website and toll-free telephone number.

The Eighth Circuit remanded to the district court to reduce the bond to reflect only those costs that the appellees will recover “should they succeed in any issues remaining on appeal following the district court’s reconsideration of class certification.”

Magnuson, in his order, said it is “insufficient” to merely argue that a settlement is not good enough.

“To establish that the representation of class representatives and the settlement they negotiated is not fair or adequate, Olson must offer actual evidence of the conflict he claims,” the Minnesota federal judge wrote. “His failure to do so, or to offer any alternative potential — and reasonably achievable — recoveries shows that the representation was fair and adequate, and the settlement was as good a settlement as any class member could hope.”

The judge continued, “Those who suffered monetary losses will, in the main, be compensated for all of the losses they suffered. Those who did not suffer any monetary loss will benefit from the heightened protections Target agreed to put in place to safeguard its customers’ personal information. And any class member whose fear of identity theft compelled them to purchase protection for such theft can seek reimbursement for those costs from the settlement fund.”

Magnuson said it’s “difficult to imagine” a settlement that more comprehensively addresses all of the harm suffered by the class.

According to Magnuson’s Nov. 17, 2015 order granting final approval, the settlement provides that Target will pay $10 million to settle the claims of class members and to pay service awards to class representatives. Any residual settlement funds will not revert to Target but will be distributed as directed by the court.

Payments to class members will vary depending on each individual’s ability to document their losses.

Individuals with documentary proof of losses will be reimbursed both for out-of-pocket loss and time loss (up to two hours at $10 per hour), up to a maximum of $10,000.

The plaintiffs have estimated that the average payout for such “high value” documented claims — where the claimed damages are more than $5,000 and there is documentation to support the claim — will be almost $2,200 per claimant, and the average payout for lower-value documented claims will be just under $300 per claimant.

Individuals who have no documented proof of loss will receive an equal share of the settlement fund after service awards and documented-loss payments are made.

The plaintiffs have estimated that the payment for undocumented-loss claimants will be $40 per claimant.

Magnuson said the settlement also requires Target to improve its data security practices in “significant ways.”

The court preliminarily approved the settlement in March 2015, certifying the class to include “all persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the data breach that was first disclosed by Target on Dec. 19, 2013.”

The case arises out of one of the largest breaches of payment-card security in the United States’ retail history.

Between Nov. 27 and Dec. 15, 2013 — the peak of the year’s holiday shopping season — computer hackers stole credit- and debit-card information and other personal information for about 110 million Target customers.

Many of the plaintiffs, in their lawsuits, alleged the retail store failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.

“The Target class action settlement freezes out millions of people from settlement relief,” CEI senior attorney Melissa Holyoak said in a statement Thursday.

“Although these class members had their financial data stolen, they are releasing their future-damages claims against Target in exchange for nothing.”

Holyoak said CEI will return to the Eighth Circuit to challenge Magnuson’s most recent order, calling it an “unfair, unlawful ruling.”

Vincent J. Esades of Minneapolis law firm Heins Mills Olson PLC is lead counsel for the class.

From Legal Newsline: Reach Jessica Karmasek by email at [email protected]

Article source: http://legalnewsline.com/stories/511117410-minnesota-federal-judge-again-approves-certification-of-target-data-breach-class-action


Woman asked accountancy firm to pay her €1m to make data breach ‘go away’, court hears

Grant Thornton wants Ms Scanlon’s defence and counterclaim to its action against her struck out on grounds including they have no basis in law, are bound to fail, and disclose no cause of action.

Ms Scanlon has opposed that application.

In her application, Ms Scanlon seeks to have other parties, including Danske Bank, who appointed the receiver over her assets, The Data Protection Commissioner and the Attorney General, be joined to the action.

Article source: http://www.independent.ie/irish-news/courts/woman-asked-accountancy-firm-to-pay-her-1m-to-make-data-breach-go-away-court-hears-35731393.html


Delaware cybersecurity bill to update requirements for data breach response

ASSOCIATED PRESS





DOVER, Del. – Delaware lawmakers are eyeing legislation that would expand protections for Delawareans who fall victim to computer security breaches.

House Bill 180, sponsored by Representative Paul Baumbach, would require businesses to safeguard personal information and provide notice to Delawareans within 60 days of discovering a breach. Officials say businesses must notify the Attorney General if a breach affects more than 500 residents.

“This legislation would provide additional, common sense protections for Delawareans whose personal information may be compromised in a cybersecurity breach,” Governor John Carney said. “We live in a world where these types of breaches are becoming more common, and we should enact additional safeguards for all Delawareans who may be affected.”

Breached entities will additionally be required to provide a year’s worth of identity protection services to Delawareans whose Social Security numbers are compromised in a breach. Only one other state currently requires this protection, officials said.

Article source: http://www.wmdt.com/news/delaware/delaware-cybersecurity-bill-to-update-requirements-for-data-breach-response/505084611
