databreach
Latest
Five state attorneys general are investigating Uber breach
Uber's latest security breach, which exposed 57 million customers' and drivers' personal information, has come under more and more scrutiny since it was revealed earlier this week. The Federal Trade Commission has already confirmed that it's looking into the breach as well as how Uber handled it. A number of agencies abroad are investigating the incident as well. But it doesn't stop there. Uber is also now under investigation by at least five state Attorney General offices and has been named in multiple lawsuits.
The FTC is looking into Uber's latest data breach
This week, Uber revealed that a security breach that happened in October of 2016 exposed personal data from around 57 million customers and drivers. But rather than inform the affected individuals, the company instead chose to pay off the hackers that stole the data in order to keep them quiet. Now, Reuters reports that the FTC is looking into the data breach and Uber's subsequent mishandling of the situation. An agency spokesperson told Reuters, "We are aware of press reports describing a breach in late 2016 at Uber and Uber officials' actions after that breach. We are closely evaluating the serious issues raised."
Firefox will soon flag sites that have been hacked
Firefox is having a good run right now, having just released its much speedier and better-looking Quantum browser. It's now working on a new feature that security fans are bound to like: It will warn you if you're visiting a site that has suffered a data breach. Firefox is working on the feature in collaboration with "Have I Been Pwned," the popular site that can check your email and tell you if your credentials have been stolen by hackers.
Uber hid data breach that exposed info for 57 million users
Uber's new CEO Dara Khosrowshahi has inherited yet another scandal from Travis Kalanick. The ridesharing firm has revealed to Bloomberg that it hid an extortion-oriented cyberattack which exposed the personal info for roughly 57 million customers and drivers in October 2016, including names, email addresses and phone numbers. Instead of reporting the hack to the government and users, it paid hackers $100,000 to delete the info and keep quiet for more than a year.
Equifax committee says executive stock sales weren’t insider trading
The eyes of the Securities and Exchange Commission and the US Department of Justice have been focused on some questionable stock sales initiated by three Equifax executives a month before the data breach that exposed 143 million US consumers' personal information was revealed to the public. Those agencies have been investigating the sales, which amounted to nearly $1.8 million, and are working to determine whether they were the result of insider trading. However, CNBC reports today that an Equifax committee has reviewed the sales and found no signs of misconduct.
Hilton data breaches lead to $700,000 penalty
The attorneys general of New York and Vermont both announced today that their joint investigation into two Hilton data breaches has resulted in a $700,000 penalty and a promise to strengthen security. In February of 2015, Hilton was made aware of a cybersecurity breach that occurred between November and December of 2014. A second breach that exposed sensitive customer data between April and July of 2015 was uncovered that July, but the company waited until November of that year to inform those affected by the breaches. In all, over 363,000 credit card numbers were exposed.
IRS hands fraud prevention contract to Equifax despite massive hack
You'd think that government agencies would be reticent to work with Equifax given that it just exposed the private info of more than 145 million people through a preventable hack, but a massive data breach apparently isn't enough of a deterrent. The Internal Revenue Service recently awarded Equifax a fraud prevention contract that will have it verifying taxpayer identities. And crucially, it was a no-bid, "sole source" contract -- Equifax was deemed the only company capable of fulfilling demand.
Equifax will warn 2.5 million additional hacking victims by mail
The hack that compromised Equifax was bad enough, but its response only seemed to make things worse. Even the website that verified the potential threat to your data left many people wondering. Equifax wants to remove any doubt, though. In the wake of a just-completed forensic investigation by security partner (and sometimes foe) Mandiant, Equifax has announced that it's mailing written notices to everyone who was confirmed as affected since it disclosed the hack on September 7th. That's no mean feat when 2.5 million more Americans have been added to the tally (which now stands at 145.5 million affected) as a result of the investigation. The website should reflect the additional hack victims no later than October 8th, so you might not have to wait for a letter to find out whether or not you're part of this newer batch.
Equifax breach shows signs of a possible state-sponsored hack
Ever since word of the Equifax hack got out, there's been one lingering question: was it a state-sponsored attack, or just criminals who took advantage of a security hole? At the moment, it looks like it might be the former. Bloomberg sources have shed light on the ongoing investigations into the breach, and they claim there are signs of a government's involvement. The initial group of hackers weren't particularly experienced, according to the tipsters, but they handed things over to a more "sophisticated" team. There are even hints that this might be the work of Chinese intelligence agents, although it's not yet clear who's responsible.
The FTC is investigating Equifax's data breach
It's been a long week for Equifax, sure, but that's to say nothing about the 143 million consumers affected by the massive financial data breach. In a move that should bode well for the latter while placing more scrutiny on the former, the Federal Trade Commission has officially announced that it's looking into the matter. "The FTC typically does not comment on ongoing investigations," spokesperson Peter Kaplan said in a statement to Reuters. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FT staff is investigating the Equifax data breach."
Equifax waives credit freeze fees after facing backlash
Equifax has learned the hard way that people don't appreciate having to pay $10 for protection when it's not their fault their personal details were compromised. Especially if that $10 solution has its own security flaw. That's why it's now offering to waive all credit freeze fees to prevent identity thieves from opening credit lines in the names of the 143 million Americans affected by the massive cyberattack it suffered. You won't even have to give up your right to join a class action by taking up the bureau on its offer. The bad news is that it will only waive fees for the next 30 days, so you may want to tell your friends to tell their friends to take advantage of the offer while it lasts.
Equifax's data breach response has its own security flaw
The Equifax data breach is already unnerving thanks to the sheer scale of sensitive data involved, but it's not helped by the credit reporting agency's initial response. Clients have discovered that the PIN codes Equifax is handing out to help lock your credit report (so a thief can't open a line of credit in your name) are generated by the date and time you made the request. An attacker could determine your code simply through brute force, especially if they have an idea as to when you locked your report.
Security lapse exposed thousands of military contractor files
Thousands of files containing the private info of US military and intelligence personnel have been exposed online. The documents (which included a mixture of resumes and job applications) were found on a public Amazon Web Services server by cybersecurity firm UpGuard. A research analyst for the company traced the files back to a North Carolina-based private security firm known as TigerSwan. In a statement on Saturday, TigerSwan blamed the lapse on TalentPen, a third-party recruiting vendor.
TalkTalk fined £100,000 for long-forgotten 2014 data breach
Enough time has passed that TalkTalk has bounced back from its reputation-damaging data debacle of 2015, which saw hackers steal the personal details of over 150,000 of its customers. That earned the company a £400,000 fine from the UK's Information Commissioner's Office (ICO), and today an older data breach in 2014 has cost the company an additional £100,000. The ICO has handed TalkTalk the invoice as a slap on the wrist for failing to adequately protect customer details after third-party support staff were found to have gained "unauthorised and unlawful access to the personal data of up to 21,000 customers."
Wells Fargo accidentally leaks 50,000 clients' records
Wells Fargo accidentally leaked thousands of sensitive documents, but not in the way you think. The bank wasn't hacked, and its computers didn't go on the fritz: it just inadvertently sent 1.4 gigabytes of files to a former financial adviser who subpoenaed the company as part of a lawsuit against one of its current employees. While 1.4GB of files doesn't seem that big, the collection includes at least 50,000 customers' names, Social Security numbers and sensitive financial info. According to The New York Times, which confirmed the contents of the documents, the affected clients are some of Wells Fargo's wealthiest, with investment portfolios worth tens of billions of dollars.
IBM's new mainframe keeps everything encrypted, all the time
Data breaches are bad enough by themselves, but they're made worse when companies don't bother to (or can't) encrypt all their info. It's tantamount to giving hackers the keys to the kingdom. But what to do? IBM thinks it has a simple solution: encrypt absolutely everything. Its latest Z mainframe system now has enough power to automatically encrypt all the data associated with an app or service, whether it's in transit or sitting idle in a database. According to IBM, conventional systems based on x86 processors only encrypt "limited slices" of information, while the new Z has enough power (18 times more, in fact) to lock everything down as a matter of course.
Hackers stole credit card data from Buckle stores' cash registers
If you shopped at Buckle in the past several months, you might want to check your financial statements -- the clothing store has confirmed a Krebs on Security report of a data breach. Intruders planted malware on the chain's cash register systems to steal credit card data between October 28th, 2016 and April 14th, 2017. The potential data loss is limited if you used a relatively secure chip-based card, but it's much worse if you relied on the magnetic stripe. The malware looked at stripe tracking data to collect names, card numbers and expiration dates.
GameStop confirms extensive credit card data breach
If you're a GameStop customer, check your mail. The company just sent out letters to online patrons confirming a suspected payment security breach. In April, GameStop said they were looking into a possible data breach that might have put customers' credit card information at risk. Confirming those suspicions, Kotaku reported today that a number of GameStop customers have received letters notifying them that their credit cards may have been stolen.
Major identity manager breach exposes sensitive user info
Identity and password management services are, in theory, supposed to improve your security by promoting tough-to-guess passwords and otherwise keeping logins under lock and key. However, the concentration of high-value data also makes them a juicy target for hackers -- and OneLogin is finding that out the hard way. The business-centric identity management provider has warned users of a US server breach that compromised sensitive info. While OneLogin initially provided only a handful of details in a blog post, Motherboard learned that an email warned customers their info had been taken. Moreover, the attackers compromised the "ability to decrypt" data -- don't count on your login being safe just because there was encryption involved.
Target settles with 47 states over its 2013 data breach
Believe it or not, Target still isn't done paying the price for the 2013 breach that exposed the shopping data of tens of millions of customers. The retailer has reached a settlement with 47 states (and the District of Columbia) that will have it pay a collective $18.5 million and institute key reforms. It'll have to separate its card data from the rest of its network, further control access to its network (such as by implementing two-factor authentication) and run "appropriate" encryption policies. It'll also have to implement a "comprehensive" info security program with a dedicated executive, and hire an outside firm for security reviews.
