identitytheft

Latest

  • picture alliance via Getty Images

    A thief took Facebook hard drives with payroll data from a worker's car

    by Kris Holt
    12.13.2019

    It seems Facebook just couldn't make it through to the end of the year without another privacy-related incident. Only this time around, its own employees are affected. A thief broke into a payroll worker's car and stole hard drives that reportedly contained unencrypted payroll information for around 29,000 current and former US employees.

  • Alamy

    LifeLock ID theft protection leak could have aided identity thieves

    by Mariella Moon
    07.26.2018

    LifeLock's identity theft protection service suffered from a security flaw that put users' identities in jeopardy. The event forced its parent company, Symantec, to pull part of its website down to fix the issue after it was notified by KrebsOnSecurity. According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability through a newsletter email he received from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.

  • Edgar Alvarez, Engadget

    Senators ask the FCC to investigate fake net neutrality comments

    by Mariella Moon
    05.22.2018

    Two Senators from opposing parties have put aside their differences to demand an investigation into the stolen identities that led to millions of fake net neutrality comments on the FCC's website. In a letter addressed to FCC Chairman Ajit Pai, Senators Jeff Merkley (D-OR) and Pat Toomey (R-PA) said they were "among those whose identities were misused to express viewpoints [they] do not hold" on the FCC's net neutrality proposals. They're now asking the commission to identify the entity behind the fake comments, as well as to adopt safeguards to prevent the same incident from happening in the future.

  • Tami Chappell / Reuters

    Equifax's chief security and information officers are out

    by Jessica Conditt
    09.15.2017

    Equifax's Chief Security Officer Susan Mauldin and Chief Information Officer David Webb have both left the company as it deals with the fallout from a months-long hacking campaign that compromised the personal information of 143 million people this year. Attackers took advantage of an unpatched server flaw to steal names, addresses, dates of birth, social security numbers and other identifying information from Equifax's database from May 13th to July 30th. The server flaw was made public more than a month before the hack began.

  • Getty Images

    Equifax blames breach on a server flaw it should've patched

    by Richard Lawler
    09.13.2017

    Equifax's latest update on its unprecedented security breach notifies the public that its investigation has found the cause of the theft. Along with an unnamed security firm (ZDNet and others have reported it's Mandiant) the company confirmed rumors that attackers exploited a flaw in the Apache Struts Web Framework. That bug, CVE-2017-5638, was revealed in March, but the criminals were still able to use it against Equifax to steal personally identifiable information (PII - including names, birth dates, social security numbers and more) for 143 million people in the US in mid-May.

  • Reuters/Dado Ruvic

    Equifax's data breach response has its own security flaw

    by Jon Fingas
    09.11.2017

    The Equifax data breach is already unnerving thanks to the sheer scale of sensitive data involved, but it's not helped by the credit reporting agency's initial response. Clients have discovered that the PIN codes Equifax is handing out to help lock your credit report (so a thief can't open a line of credit in your name) are generated by the date and time you made the request. An attacker could determine your code simply through brute force, especially if they have an idea as to when you locked your report.

  • shutterstock

    Equifax tries to explain its response to a massive security breach

    by Richard Lawler
    09.08.2017

    A day after announcing that hackers stole personal information tied to 143 million people in the US, Equifax's response to the breach has come under scrutiny. Language on the website where people could find out if they were affected seemed to say that by signing up they would waive any right to join a class action suit against the company -- something New York Attorney General Eric Schneiderman said is "unacceptable and unenforceable." The company has since explained it does not apply to the data breach at all, but that hasn't stopped misinformation from spreading.

  • Sergey Yechikov / Alamy

    Equifax security breach leaks personal info of 143 million US consumers

    by Richard Lawler
    09.07.2017

    One of the largest security breaches ever has come to light today as Equifax revealed attackers used an exploit on its website to access records for 143 million US citizens (for reference, the US has a population of 323 million or so, that's about 44 percent). The oldest of the three major US credit bureaus, it maintains information on over 800 million people for credit and insurance reports, which is also a juicy target for anyone trying to steal data. Equifax says the breach lasted from mid-May through July 29th when it was detected. The criminals had access to information that could allow them to create or take over accounts for many of the people impacted since they have names, addresses, birth dates, social security numbers and "in some cases" drivers license numbers. An unspecified number of UK and Canadian residents were hit, plus the credit card numbers for 209,000 people and certain dispute documents for 182,000 people in the US.

  • Erik Sagen / Engadget

    How to adult at security

    by Violet Blue
    03.24.2017

    You're a grown-ass adult -- so stop using the same password for everything. Seriously, your cat's name followed by your birthday isn't fooling anybody. Don't be that guy (of any gender) who gets totally owned by ransomware. Pull up your big-person pants, walk with us through the baddies of threats and help yourself to our tips on how to totally adult your way through the nightmare that is modern computer security. Don't worry, you got this.

  • Symantec to buy identity protection firm with checkered past

    by Steve Dent
    11.21.2016

    Symantec is acquiring identity-theft protection firm LifeLock for $2.3 billion. It's the company's latest move to branch out from malware protection into cybersecurity, following its purchase of Blue Coat, a company that safeguards web transactions. "With the combination of Norton and LifeLock, we will be able to deliver comprehensive cyber defense for consumers," Symantec CEO Greg Clark said in a statement.

  • Reuters

    All Eddie Bauer stores in the US hit with malware

    by Brittany Vincent
    08.18.2016

    If you shopped at an Eddie Bauer store in the first half of 2016, you may want to keep a close eye on your personal and banking information. The clothing store chain has reported that -- like a growing number of retailers of the last few years -- it's detected and subsequently removed malware from its point-of-sale systems at every one of its 350+ stores in North America.

  • Illustration by D. Thomas Magee

    Retailers fight to silence customer data breaches

    by Violet Blue
    05.31.2016

    A consortium of retailers, including Target and Home Depot, vowed to fight a data breach notification bill. The bill, HR 2205 from Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to tell customers when they've been hacked and would also require the encryption of data in both storage and transit. It would hold retailers to the same data-security standards as the financial sector. The large and powerful Retail Industry Leaders Association (RILA) sent a letter on Tuesday to House leadership saying that "it makes no sense to take one industry's regulations and apply it to a large segment of the economy without understanding the consequences."

  • Bloomberg via Getty Images

    Even Snapchat falls victim to phishing attempts

    by Timothy J. Seppala
    02.29.2016

    Snapchat bragged about its eight billion daily video views on Monday, but over the weekend something happened that the ephemeral social app is probably less enthusiastic to admit: it's just as susceptible to phishing attempts as anyone else. A post on the company's blog says that last Friday someone impersonating the ghostly app's CEO emailed the payroll department and requested and received information about some of its staff.

  • Andrew Harrer/Bloomberg via Getty Images

    IRS says identity thieves nabbed 100,000 income tax e-file PINs

    by Billy Steele
    02.10.2016

    Tax season is a busy time for the Internal Revenue Service, and identity thieves are only making it worse. The IRS confirmed that hackers used stolen social security numbers and automated malware to generate over 100,000 e-file (electronic filing) PINs before the department put the clamps on the attack last week. Thieves were actually after 464,000 of the numbers, but were stopped about a quarter of the way through.

  • US will pay over $133 million to protect OPM data breach victims

    by Jon Fingas
    09.02.2015

    That massive data breach at the US Office of Personnel Management is going to cost the country a lot more than you might think. Officials have awarded ID Experts a contract to protect the 21.5 million affected government workers against identity theft. The arrangement will cost the government at least $133.3 million, and options could bring its value to as high as $329.8 million. Suddenly, Sony's identity protection offer following the 2011 PSN breach seems like small potatoes. And that's just part of a smaller effort to mitigate the effects of data breaches -- the General Services Administration has handed out a separate $500 million contract for responding to these kinds of attacks.

  • FTC slams LifeLock for false advertising, again

    by Sean Buckley
    07.21.2015

    Worried about identity theft? If you listen to talk radio you've probably heard of one potential answer: LifeLock, an identity protection service that promises to stop identity theft before it happens. It's a nice thought, but the company doesn't actually have that good of a track record: back in 2010, the FTC hit the company with a $12 million penalty settlement for false advertising. Now LifeLock is in trouble again -- the FTC is charging the company with violating its 2010 settlement order for the exact same reasons.

  • Hackers stole all federal employees' SSN and private info, union says

    by Mariella Moon
    06.11.2015

    A federal worker union claims that the massive Office of Personnel Management hack reported last week is even bigger and more damaging than the government cares to admit. The American Federation of Government Employees believes the hackers stole the social security number of every current federal employee and retiree, along with the SSNs of up to a million former workers. Associated Press has also obtained a letter addressed to OPM and written by AFGE's president, J. David Cox, where he listed the other types of info stolen from OPM's database: military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance and pension information; and age, gender and race data. Meanwhile, the Wall Street Journal reports the hackers were inside for more than a year before a sales demo by a tech firm discovered malware in the network.

  • Staples breach may have affected over a million credit cards

    by Timothy J. Seppala
    12.19.2014

    Good grief, the hacks just don't stop. Now office-supply store Staples believes that it suffered an attack that compromised some 1.16 million payment cards. Between August 10th and September 16th this year, 115 stores were afflicted by malware that "may have" grabbed cardholder names and payment information, and two stores possibly fell victim from July 20th to September 16th this year as well. The retailer isn't fully owning up to the attacks just yet, but it's offering a mea culpa all the same: free identity protection, credit reports and a host of other security services to anyone who used a card at the affected stores (PDF). And even though four Manhattan locations had reports of fraudulent payment use from this April to September without any malware or suspicious activity taking place, the outfit is extending the aforementioned benefits to customers of those stores as well.

  • New White House efforts help secure your payments

    by Jon Fingas
    10.19.2014

    American banks and stores may already be planning to tighten your payment security, but the White House wants to give those efforts a boost. President Obama has signed an Executive Order that will require the federal government to both issue more secure chip-and-PIN (aka EMV) payment cards and upgrade terminals to match. This isn't just for protecting day-to-day staff expenses -- it also means that pensions, Social Security and veteran payments (all of which tend to go through official debit cards) should be safer. There should also be fewer risks when you're buying from federal locations like national parks and the passport office.

  • US Attorney General wants law requiring notifications after data breaches

    by Jon Fingas
    02.24.2014

    Large-scale data breaches have become all too common as of late, and US Attorney General Eric Holder wants to do more than just catch the thieves. He has asked Congress to create a federal law requiring that companies notify their customers after detecting serious intrusions. Holder's proposal would exempt firms from reporting low-risk breaches, but it would also punish companies that either don't send a quick alert or haven't been doing enough to protect data in the first place. The would-be law isn't strictly necessary when 45 states have notification requirements in place, but it would hold corporations to a similar standard across the country.