Category: Data breach

Cancer Care Organization settles for $2.3 million after Data Breach

22. December 2017

In 2015, a data breach occurred at 21st Century Oncology (21stCO), one of the leading providers of cancer care services in the USA, potentially affecting names, social security numbers, medical diagnoses and health insurance information of at least 2.2 million patients.

On its website, the provider had announced in 2016 that one of its databases was inappropriately accessed by an unauthorized third party, though an FBI investigation had already detected an attack as early as October 2015. The FBI, however, asked 21stCO to delay the notification because of ongoing federal investigations.

21stCO had then stated that “we continue to work closely with the FBI on its investigation of the intrusion into our system” and “in addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.” To make amends for the security gap, patients had been offered one year of free credit monitoring services.

Nevertheless, the provider now has to pay a fine worth 2.3 million dollars as settled with the Office for Civil Rights (OCR; part of the U.S. Department of Health and Human Services).

It has been accused of not implementing appropriate security measures and procedures to regularly review information system activity such as access or security incident reports, despite the disclosure by the FBI.

The OCR further stated that “the organization also disclosed protected health information to its business associates without having a proper business associate agreement in place”.

The settlement additionally requires 21stCO to set up a corrective action plan including the appointment of a compliance representative, completion of risk analysis and management, revision of cybersecurity policies, an internal breach reporting plan and overall in-depth IT-security. The organization will, in addition, need to maintain all relevant documents and records for six years, so the OCR can inspect and copy the documents if necessary.

Following the settlement, District Attorney Stephen Muldrow stated “we appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures.”

Uber hid massive data breach

22. November 2017

Uber just admitted that hackers stole personal data of 50 million Uber customers and 7 million drivers. The data breach happened in October 2016, over a year ago, but was only made public this week.

The data include names, e-mail addresses, phone numbers and the license numbers of 600,000 drivers. According to Uber, neither social security numbers nor credit card information nor trip location details were taken.

Uber did not disclose the data breach to the public, as required by data protection law, but paid the hackers $100,000 to delete the information. Uber assumes that the data was not used.

According to Uber, the hackers gained access to the data through a badly protected database in a cloud service. Uber security chief Joe Sullivan and another manager lost their jobs.

This data breach wasn’t the first incident that happened to Uber. Uber has a well-documented history of abusing consumer privacy.

Uber said it has hired Matt Olsen, former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser. He will help the company restructure its security teams.

Category: Cyber security · Data breach · USA

Credit Bureau Equifax has been hacked

11. September 2017

The consumer credit reporting agency Equifax was hacked in the middle of May. The operators noticed the breach much later, on 29th July. The public learned about the breach only last week, on Thursday, 7th September.

The breach potentially affects the sensitive data of approximately 143 million consumers. The data concerned are consumers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers, as well as credit card numbers for 209,000 U.S. consumers and other dispute documents that contained identifying information for 182,000 consumers.

Not only the US is affected. A hired third-party cybersecurity company also found that some residents of the U.K. and Canada are affected.

The Equifax Chairman and CEO Rick Smith announced the steps Equifax is currently taking to respond to the breach; the company is working with authorities.

Category: Data breach · General · USA

Hundreds of thousands of users affected by CloudPets data breach

2. March 2017

Yet another toy maker, Spiral Toys, has hit the headlines. The company suffered a big data breach involving its stuffed animals called CloudPets, resulting in the disclosure of 800,000 users’ personal data such as email addresses, passwords and profile pictures, as well as 2 million voice recordings.

Spiral Toys’ CloudPets are able to connect to an app on a smartphone via Bluetooth so that parents can provide the toy with voice messages for their children.

The personal data were stored in an online database without authentication requirements, so that hackers could easily access the database. According to Troy Hunt, a web security expert, the passwords were encrypted but Spiral Toys set no requirements for the password strength. That means hackers “could crack a large number of passwords, log on to accounts and pull down the voice recordings”.

Spiral Toys’ Mark Meyers denied that voice records were stolen. Still, the company wants to increase the requirements for the password strength after the data breach was made public.

Both the decision of the German Federal Network Agency to take the doll “My friend Cayla” off the market in Germany and the data breach suffered by Spiral Toys show that the privacy concerns smart toy producers face should be taken seriously.

University of Pittsburgh Medical Center found not responsible for employee data security

14. February 2017

Last month, the Pennsylvania Superior Court dismissed a class action lawsuit filed against the University of Pittsburgh Medical Center and ruled that the University has no responsibility for protecting employee data.

In this incident, the following data was compromised: dates of birth, names, social security numbers, addresses, salary, tax and bank information.

According to the court documents, the University had a breach in 2014, which compromised the information of nearly 62,000 UPMC employees and finally resulted in approximately 788 tax fraud victims.

Even though the University of Pittsburgh Medical Center has been ruled not to have any legal duty to protect the personal and financial information of its employees under state law, the ruling contradicts a similar case of a Texas hospital, which was penalized $3.2 million after a data breach.

Category: Data breach · Personal Data · USA

News on federal data breach notification law in the U.S.

18. January 2017

The United States breach notification law is not uniform. Separate laws exist in each of 47 states plus the District of Columbia.

Nowadays, this patchwork makes law enforcement in the U.S. somewhat complicated, as it has led to tokenization among the White House, consumer groups, retailers and others (“Tokenization – when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value” – source: Wikipedia).

This way card data is protected while being transmitted from one place to another: by storage in point-to-point encryption, retailers’ computer anti-hacking systems and tokenization.

Because any business affected by a data breach suffers reputational and financial losses, the idea of obliging every business to publicly report data breaches has arisen.

For instance, to reduce the theft of card data, retailers have called on banks to replace the antiquated U.S. magnetic stripe credit card system with the chip-and-PIN cards commonly used in other parts of the world. It is believed that such a chip is difficult to counterfeit.

Even though some steps have already been taken toward solving the data breach problem, no radical step has yet been taken at the legal level.

Having recently noted this, Mallory Duncan, general counsel of the National Retail Federation, states: “Our nation badly needs a federal data breach notification law requiring everyone to disclose their own breaches” (…) “But a national law needs to be uniform and comprehensive, covering not just retail but telecom companies, banks, credit card companies, card processors and all other entities that handle sensitive consumer data”.

There is therefore a clear need for the U.S. to enact a federal law that would ensure consumers are notified about data breaches and help to keep data from being used improperly. The solution is now being worked on.

ICO fines charities with a total of 43,000 GBP

13. December 2016

The ICO just released a statement saying that investigations have shown that the Royal Society for the Prevention of Cruelty to Animals, RSPCA, and the British Heart Foundation, BHF, did not act according to the Data Protection Act.

The statement explains that these charities used to screen donors for wealth in order to increase their donations.

“The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources” is stated in the report. Furthermore, “they traded personal details with other charities creating a massive pool of donor data for sale. Donors were not informed of these practices, and so were unable to consent or object.”

Elizabeth Denham, Information Commissioner, fined both charities, the RSPCA 25,000 GBP and BHF 18,000 GBP. She explained that the fines are also due to the fact that “This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information”.

Category: Data breach · UK

What to do in case of a data breach?

27. October 2016

The Federal Trade Commission just released guidelines on how to act in case of a data breach. These are called Data Breach Response: A Guide for Business and also include a video and a business blog.

These guidelines state the most important steps to be taken in order to protect customer information:

  • securing physical areas
  • removing improperly posted information from the web
  • taking service providers into account
  • providing breach notification
  • information about whom to contact in case of a data breach, e.g. law enforcement, affected businesses, and individuals

Furthermore, a model data breach notification letter is also included so that companies get to know the best way to alert concerned parties about an attack.

Data breach might cost Yahoo $1billion

11. October 2016

The New York Post published that Verizon, which is about to purchase Yahoo for $4.8 billion, is now asking Yahoo for a $1 billion discount.

This is due to the fact that Yahoo announced only two weeks ago that it had been hacked two years ago and that at that time usernames and passwords for 500 million accounts were stolen. Furthermore, it was revealed that Yahoo had been ordered by a secret Foreign Intelligence Surveillance Court to investigate emails for terrorist signatures under the Foreign Intelligence Surveillance Act, but not under section 702.

According to the New York Post, a source said that AOL CEO, Tim Armstrong, “is getting cold feet” due to the “lack of disclosure” and therefore he is asking “Can we get out of this or can we reduce the price?”

Category: Data breach · USA

Apple offers hackers up to $200,000

29. September 2016

Forbes just released an article saying that Apple invited some of the best hackers to its headquarters in Cupertino.

Among them:

  • Luca Todesco, the 19-year-old prodigy who was the first to jailbreak an iPhone 7 and is therefore now a world-renowned iOS hacker, as well as
  • an ex-NSA employee who has repeatedly found security flaws in Mac OS X.

The meeting was supposed to be secret and kept confidential, but unfortunately some details leaked, for example that Apple plans to brief them on the launch of its bug bounty program. The hackers will be rewarded with up to $200,000 if they can provide Apple with information on vulnerabilities in its laptops and phones. Furthermore, the program is expected to be put into effect before the end of the month, as this was promised at the Black Hat security conference in Las Vegas last month. Nevertheless, Apple pursues an invite-only strategy in order to get quality over quantity.
