databreach

Latest

  • After Math: The price of doing business

    by Andrew Tarantola
    09.06.2015

    This week on the After Math, we're all about the benjamins. Between four major corporations shelling out $413 million over an employee anti-poaching scheme, the feds spending $133 million to protect victims of the OPM breach and the new cost of Hulu doing what every other streaming service on the market already does, there's a whole bunch of money changing hands.

  • Sony settles with employees affected by massive data breach

    by Mariella Moon
    09.03.2015

    Sony Entertainment has reached a deal with its employees affected by the security breach that rocked its world in 2014. If you recall, that incident led to several waves of data leaks, including unreleased movies and juicy emails between its execs. Turns out the hackers also snatched present and previous employees' information in the process, because some of the affected individuals reported seeing their info for sale on the internet. Others claimed that someone tried to use their credit cards to make purchases -- in short, the data breach made them easy targets to identity thieves and credit card fraudsters.

  • US will pay over $133 million to protect OPM data breach victims

    by Jon Fingas
    09.02.2015

    That massive data breach at the US Office of Personnel Management is going to cost the country a lot more than you might think. Officials have awarded ID Experts a contract to protect the 21.5 million affected government workers against identity theft. The arrangement will cost the government at least $133.3 million, and options could bring its value to as high as $329.8 million. Suddenly, Sony's identity protection offer following the 2011 PSN breach seems like small potatoes. And that's just part of a smaller effort to mitigate the effects of data breaches -- the General Services Administration has handed out a separate $500 million contract for responding to these kinds of attacks.

  • WHSmith mistakenly emails customer details to other customers

    by Nick Summers
    09.02.2015

    IT gaffes don't come much bigger than this. UK newsagent WHSmith has accidentally leaked a wealth of customer information by mass-emailing details that were submitted through a "contact us" form. The affected page is supposed to send customer messages and their contact details directly to WHSmith -- instead, they were reportedly sent to everyone on its mailing list. It's a huge technical blunder, and to make matters worse, some subscribers used the form when they first received the emails, thereby putting their own details into circulation. WHSmith confirmed to the Guardian that the problem was "a bug, not a data breach" and that it was caused by I-subscribe, an external company that manages its magazine subscriptions: "I-subscribe have immediately taken down their 'Contact Us' online form which contains the identified bug, while this is resolved."

  • Target's data breach payout to Visa may hit $67 million

    by Jon Fingas
    08.18.2015

    It's nearly two years since Target suffered its giant shopping data breach, and the retailer is still paying for its mistakes. In the wake of a $19 million payout to MasterCard, Target has reached a settlement with Visa over compensation for the many, many customers exposed to potential credit and debit card fraud. Neither side is revealing the specifics, but the Wall Street Journal understands that Target will pay up to $67 million. That's a significant blow for a breach, though not crushing for a company that raked in $635 million in profit last quarter. Target adds that it already factored these costs into its previous earnings reports, but this should still serve as a friendly reminder that lax security can prove costly in more ways than one.

  • US Treasury's intelligence network was susceptible to cyberattacks

    by Mariella Moon
    07.24.2015

    Yet another government agency was found to have substandard cybersecurity measures in place after an internal audit -- worse, it exposed the organization's intelligence network to attacks. According to a late 2014 audit report obtained by Reuters, around 29 percent of the devices that connect to the US Treasury's Foreign Intelligence Network don't meet federal cybersecurity standards. Some of those are Windows computers that weren't properly configured, preventing the IT division from updating them on time and making sure they were secure. The country's spy agencies tap into that network to add info they want to share with each other and assess and detect international threats to America's economy. They also use it to keep track of what their peers know about militant groups and the effect of sanctions against organizations and countries like Iran and Russia.

  • White House may find more data breaches following security 'sprint'

    by Jon Fingas
    07.12.2015

    When investigators discovered that the US Office of Personnel Management had suffered a massive data breach, the White House kicked off a 30-day cybersecurity "sprint" in hopes of boosting its defenses and checking for vulnerabilities. Well, that mad dash is over -- and the government might not like what it found. Chief Information Officer Tony Scott tells Reuters that there's a "realistic chance" that the feds will have word of more intrusions when they share details on July 20th. That kind of discovery won't be completely surprising given how much the US has come under attack, but it could make the OPM breach just one piece of a much larger puzzle.

  • Hackers in giant federal breach got 30 years of worker info

    by Jon Fingas
    06.06.2015

    Just how bad was the hack that compromised the info of 4 million US government workers? Exceptionally bad, if you ask anonymous officials talking to Reuters. They understand that the Office of Personnel Management breach exposed data going as far back in time as 1985, which could reveal what about 1.9 million staffers did after they left federal employment. It's not certain exactly what was taken, but the hack may have exposed bank info, birthdays and Social Security numbers -- the kind of sensitive content that could lead to breaches elsewhere.

  • Thieves steal tax data for 100,000 from an IRS website

    by Jon Fingas
    05.26.2015

    You might need to keep a closer eye than usual on your tax-related info. The Internal Revenue Service is warning that intruders stole tax data for 100,000 people between February and May by taking advantage of a flaw in the agency's transcript website. The evildoers successfully circumvented a security check that asks for static info like your Social Security number and tax filing status. The IRS is temporarily shutting down transcripts and says that its main servers are safe, but this could lead to the culprits filing for bogus tax refunds and getting victims in trouble.

  • Data breaches exposed 29 million US health records in 4 years

    by Jon Fingas
    04.14.2015

    If there are any doubts left that health care data breaches are a major problem, the medical industry just put them to rest. Researchers have published a study showing that a whopping 29.1 million American health records were compromised between 2010 and 2013. Most of them (58 percent) were exposed through theft, but the rest were revealed through a mix of hacks and carelessness, including workers who gave unauthorized access or didn't properly get rid of info they no longer needed.

  • Health insurance data breach exposes 11 million people

    by Jon Fingas
    03.17.2015

    Unfortunately, the days of massive health care data breaches are far from over. Premera Blue Cross has revealed that hackers breached its insurance customer data starting in May 2014, potentially exposing both the financial and medical records of 11 million people -- the largest such attack to date. There's no evidence yet that the data has been "used inappropriately," the company says, and it notes that both the FBI and security firm FireEye are already on the case.

  • Uber data breach compromises IDs of 50,000 drivers

    by Jessica Conditt
    02.27.2015

    An Uber database containing the names and driver's license numbers of 50,000 current and former drivers was accessed by an outside party in 2014, the company announced today. Uber discovered the breach on September 17, 2014, and an investigation revealed one instance of unauthorized access on May 13, 2014. This means the information has been in the wild for nearly a year, though Uber drivers haven't reported anything fishy and the database is now secure, the company said.

  • President's proposals would protect hack victims and student data

    by Jon Fingas
    01.12.2015

    President Barack Obama's State of the Union address is going to include at least two proposals that will affect how companies handle your data. One, the Personal Data Notification and Protection Act, would require that firms tell their customers about data breaches within 30 days after discovering that hackers got in. The varying state data laws that exist today both leave people vulnerable and create headaches for businesses, the president argues. The speech will also include a voluntary deal that makes it easier to get your credit score and find out if a data thief wrecked your financial reputation.

  • Staples breach may have affected over a million credit cards

    by Timothy J. Seppala
    12.19.2014

    Good grief, the hacks just don't stop. Now office-supply store Staples believes that it suffered an attack that compromised some 1.16 million payment cards. Between August 10th and September 16th this year, 115 stores were afflicted by malware that "may have" grabbed cardholder names and payment information, and two stores possibly fell victim from July 20th to September 16th this year as well. The retailer isn't fully owning up to the attacks just yet, but it's offering a mea culpa all the same: free identity protection, credit reports and a host of other security services to anyone who used a card at the affected stores (PDF). And even though four Manhattan locations had reports of fraudulent payment use from this April to September without any malware or suspicious activity taking place, the outfit is extending the aforementioned benefits to customers of those stores as well.

  • Hackers won't release Sony workers' personal info if they object

    by Jon Fingas
    12.15.2014

    Here's an odd twist to the Sony Pictures hack: the attackers are becoming courteous... relatively speaking, of course. The Guardians of Peace are threatening to release yet more of the studio's data as a "Christmas gift," but they're also offering to withhold personal information if employees ask to keep it out of the public eye. It's not clear what prompted the sudden concern for privacy, although it may come from a realization that the leaks are hurting ordinary workers, not just actors and executives. It's a half-hearted gesture -- real privacy wouldn't involve leaks in the first place, after all -- but it suggests that the hacking group won't just dump everything it has. Not that Sony will take much comfort in this, mind you. The Guardians claim that the future data release will be "more interesting," which is no mean feat when previous posts have included movie scripts and celebrity conversations. Update: And now Sony is sending legalese notes to news organizations, demanding that they stop reporting on the leaks and delete any data that media has received from the hackers. And if they don't comply? Sony said it will have "no choice but to hold you responsible from any damage or loss resulting from such use or dissemination by you."

  • Unreleased Sony movies leak online following studio hack

    by Jon Fingas
    11.30.2014

    There may now be some strong evidence that the Sony Pictures hackers came across a treasure trove of sensitive info when they broke into the movie studio's networks. High-quality screener copies of Annie, Fury, Mr. Turner and Still Alice have reached torrent file sites well before you can get any of them at home -- and, outside of Fury, before you can even see them in theaters. While there's no direct evidence that the Sony Pictures attackers (the "Guardians of Peace") are responsible, a tipster claiming to be the "boss of G.O.P." has emailed many media outlets claiming that the group seeded the bootleg videos. That may be supported by the names of the torrents themselves, which start with "2014 Sony Movie" in a seeming attempt to highlight the source.

  • Sony Pictures is worried that North Korea hacked its computers

    by Jon Fingas
    11.29.2014

    If you've been intrigued by the hack that took down Sony Pictures' computers, you've probably wondered who the self-proclaimed culprits, the "Guardians of Peace," might be. Are they disgruntled employees? Social activists? According to Recode sources, Sony is worried that they're actually North Korean cyberwarriors. The company and its security consultants are "actively exploring" theories that an outfit in China breached the network on North Korea's behalf. Investigators haven't confirmed anything, but they also haven't ruled out the Korean link so far.

  • State Department shuts down unclassified email to cope with hack

    by Jon Fingas
    11.17.2014

    The US government is no stranger to dealing with cyberattacks, but it just took a rare and relatively extreme step to keep itself safe. The State Department shut down its entire unclassified email system this weekend to bolster its defenses after spotting "activity of concern" (read: potential data breaches) that happened at the same time as an earlier hack that targeted the White House. Officials aren't naming culprits at this stage -- they've pinned some previous attacks on China and Russia, but it's not clear that there was digital warfare involved this time around. More details are expected to come once the security upgrades are in place, so you may get a better sense of what happened in the near future.

  • China suspected in US Postal Service hack that exposed data on 800,000 workers

    by Ben Gilbert
    11.10.2014

    The United States Postal Service's computer networks were breached, the USPS announced this morning. The breach was discovered back in September -- it's not clear when the actual attack(s) took place -- and the Washington Post is reporting that the Chinese government is responsible. The US Federal Bureau of Investigation is leading investigations into the breach; FBI officials aren't saying who they believe is responsible. The entire USPS staff of over 800,000 employees is affected by the breach: "names, dates of birth, Social Security numbers, addresses, dates of employment and other information" were all taken, according to USPS officials. The breach reportedly doesn't affect USPS customers, both in-store and online via USPS.com, though some customer information (names, email addresses and phone numbers) was also taken -- if you "contacted the Postal Service Customer Care Center via phone or email between January 1st and August 16th." Officials are saying no other customer info was taken. "At this time, we do not believe that potentially affected customers need to take any action as a result of this incident," a statement from the USPS says. All USPS employees are being offered one free year of credit monitoring in the wake of the information breach, though we're guessing that a few of those approximately 800,000 people are seeking employment elsewhere after today's news.

  • Home Depot hackers stole 53 million email addresses on top of credit card info

    by Mariella Moon
    11.07.2014

    The hackers that got into Home Depot's computers didn't only steal 56 million credit card details -- the company has recently discovered that they also got away with 53 million email addresses. According to the retailer, no passwords were stolen along with the email addresses, but it still wants to warn customers, in case they receive some phishing emails in their inbox. So, if you have Home Depot-loving family or friends who aren't as tech-savvy, make sure to remind them not to click on dubious links sent to their emails and to activate two-factor authentication when available. In addition to finding out that its customers' emails had been pilfered, Home Depot now also knows how the perps got into their system in the first place.