Tuesday, June 7, 2011

Facebook Applications Accidentally Leaking Access to Third Parties

Third parties, in particular advertisers, have accidentally had access
to Facebook users' accounts, including profiles, photographs and chat,
and have also had the ability to post messages and mine personal
information. Fortunately, these third parties may not have realized that
they had this access. We have reported this issue to Facebook, which has
taken corrective action to help eliminate it.

Facebook applications are Web applications that are integrated onto
the Facebook platform. According to Facebook, 20 million Facebook
applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME
applications inadvertently leaked access tokens to third parties like
advertisers or analytics platforms. We estimate that as of April 2011,
close to 100,000 applications were enabling this leakage. We estimate
that over the years, hundreds of thousands of applications may have
inadvertently leaked millions of access tokens to third parties.

Access tokens are like 'spare keys' granted by you to the Facebook
application. Applications can use these tokens or keys to perform
certain actions on behalf of the user or to access the user's profile.
Each token or 'spare key' is associated with a select set of
permissions, like reading your wall, accessing your friends' profiles,
posting to your wall, etc.
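The mechanism behind the leak, which this summary does not spell out, is the HTTP Referer header: in the legacy authentication flow the access token arrived as part of the app page's URL, and when that page embedded third-party content such as an ad pixel or analytics script, the browser sent the full URL, token included, to the third party. The following is an added example, not Symantec's or Facebook's code, of the check a third party (or an app developer auditing where its pages send requests) could run over an access log to find tokens that have already leaked. The log lines are constructed for the example, and the parameter names access_token and fb_sig_session_key are assumptions standing in for whatever a given flow uses.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query-string parameter names treated as credentials. These two names are
# assumptions for the example, standing in for whatever a given flow uses.
TOKEN_PARAMS = {"access_token", "fb_sig_session_key"}

# Apache/nginx "combined" log format:
# client ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def redact(secret):
    """Keep a short prefix for correlation; never write the full token out again."""
    return secret[:6] + "..." if len(secret) > 6 else "***"


def token_params(url):
    """[(name, redacted value)] for every credential-bearing parameter in url's query."""
    query = urlsplit(url).query
    # keep_blank_values: an empty access_token= is still a pattern worth seeing
    return [(name, redact(value))
            for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in TOKEN_PARAMS]


def scan_access_log(lines):
    """One finding per request whose Referer carried a token. Malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        leaked = token_params(referer)
        if not leaked:
            continue
        request = m.group("request").split(" ")
        findings.append({
            "time": m.group("time"),
            "referring_app": urlsplit(referer).netloc,
            "resource": request[1] if len(request) > 1 else request[0],
            "leaked": leaked,
        })
    return findings


# Constructed sample: an analytics provider's access log. The first and third
# requests were fired from inside IFRAME app pages whose URL carried a token;
# the tokens themselves are made-up strings.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2011:10:01:13 +0000] "GET /pixel.gif?id=42 HTTP/1.1" 200 43 '
    '"http://canvas.example-app.com/index.php?access_token=AAABfakeTOKEN1234567&signed_request=x" '
    '"Mozilla/5.0"',
    '10.0.0.6 - - [12/Apr/2011:10:01:15 +0000] "GET /pixel.gif?id=42 HTTP/1.1" 200 43 '
    '"http://canvas.example-app.com/index.php?page=home" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Apr/2011:10:02:01 +0000] "GET /track.js HTTP/1.1" 200 911 '
    '"http://quiz.example-app.net/start?fb_sig_session_key=2.abcdef0123.3600.1&fb_sig_user=1001" '
    '"Mozilla/5.0"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The same token_params check, run by the app over every outbound URL it embeds, is the preventive form: if the page's own URL carries a token, nothing from a third-party origin should be loaded into it.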

Square Enix customer data leaked after Sony problems

Japanese game developer Square Enix Holdings said email addresses of
25,000 customers as well as resumes of 250 job applicants were leaked
after a hacker attack against its European subsidiary.

Hackers accessed the Eidosmontreal.com website, managed by London-based
Square Enix Ltd, as well as other product sites, said a statement from the
group released late Saturday.

The news came as Sony's game and Internet services were pulled down after
hackers staged one of the biggest data breaches since the advent of the
Internet, including the theft of personal customer data.

Square Enix Holdings, creator of mega hits such as Final Fantasy and the
Dragon Quest series, took the sites offline to increase security, before
resuming services.

Michaels Breach: Patterns Showed Fraud

Card issuers were quick to link incidents of debit and credit fraud to the
Michaels retail chain, experts say - a sign that strong transaction
monitoring and behavioral analytics are the best ways to curb growing
card-fraud schemes.

The Michaels card breach is now believed to have affected stores in 20
states. The mode of card fraud: point-of-sale PIN pad tampering, also
known as PIN pad swapping.

Brian Riley, senior research director of bank cards at TowerGroup, says as
details about the breach are gradually revealed, it's clear that financial
institutions, as card-issuers, picked up on the common fraud link -
Michaels. "The behavioral scoring in this was really high," he says. "The
pattern of transactions showed that all of these affected accounts had
Michaels' purchases in their history. Behavioral scoring is really where
it's at in card transactions."

Even advanced card technology, such as the Europay, MasterCard, Visa chip
and PIN standard, which takes the skimmable magnetic-stripe out of the
equation, would not have helped in the Michaels' case, Riley notes. "With
a tampered POS device, you can get around EMV," he says. "A good, robust
scoring system is the only way to really pick up on this. That's why
behavioral scoring is so important. That's, quite often, how these things
are discovered."
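An added example, not Riley's or any issuer's scoring model, of the common-point-of-purchase analysis he describes: given card histories and the set of cards already confirmed as compromised, score each merchant by how over-represented it is among the compromised cards, then list the not-yet-flagged cards that also used the suspect merchant so they can be reissued before they are hit. The histories, merchant names and card identifiers are constructed for the example; a real issuer would run this over millions of authorisations keyed on a merchant identifier rather than a name. The signal is merchant-level, so it works however the card data was captured (tampered pad, skimmer, database theft).

```python
from collections import defaultdict

# Constructed transaction histories: card_id -> list of (merchant, amount).
# Merchant names and card identifiers are made up for the example.
HISTORY = {
    "card-01": [("GROCER A", 54.10), ("MICHAELS #0412", 18.99), ("GAS MART", 40.00)],
    "card-02": [("MICHAELS #0412", 12.50), ("COFFEE CO", 4.25)],
    "card-03": [("BOOKSHOP", 22.00), ("MICHAELS #0412", 31.40), ("GROCER A", 80.12)],
    "card-04": [("GROCER A", 61.05), ("GAS MART", 35.00)],
    "card-05": [("COFFEE CO", 3.75), ("GROCER A", 47.30)],
    "card-06": [("MICHAELS #0412", 9.99), ("GAS MART", 38.00)],
    "card-07": [("BOOKSHOP", 15.00), ("COFFEE CO", 4.25)],
    "card-08": [("GROCER A", 90.00), ("GAS MART", 42.00)],
}

# Cards the fraud desk has already confirmed as compromised (disputed
# withdrawals, etc.). Constructed for the example.
CONFIRMED_FRAUD = {"card-01", "card-02", "card-03"}


def merchant_exposure(history):
    """merchant -> set of cards that transacted there (one entry per card, not per purchase)."""
    seen = defaultdict(set)
    for card, txns in history.items():
        for merchant, _amount in txns:
            seen[merchant].add(card)
    return seen


def rank_common_points(history, fraud_cards, min_fraud_cards=2):
    """
    Score each merchant by how over-represented it is among compromised cards.

    lift = (share of fraud cards that used the merchant)
           / (share of all cards that used the merchant)

    A merchant used by every fraud card but few clean cards gets the highest lift.
    Merchants seen on fewer than min_fraud_cards compromised cards are dropped
    as too little signal to act on.
    """
    exposure = merchant_exposure(history)
    total_cards = len(history)
    results = []
    for merchant, cards in exposure.items():
        fraud_hits = len(cards & fraud_cards)
        if fraud_hits < min_fraud_cards:
            continue
        fraud_share = fraud_hits / len(fraud_cards)
        base_share = len(cards) / total_cards
        results.append({
            "merchant": merchant,
            "fraud_cards": fraud_hits,
            "fraud_share": round(fraud_share, 2),
            "base_share": round(base_share, 2),
            "lift": round(fraud_share / base_share, 2),
        })
    results.sort(key=lambda r: (-r["lift"], -r["fraud_cards"]))
    return results


def cards_to_reissue(history, merchant, already_flagged):
    """Every card that touched the suspect merchant and has not been flagged yet."""
    return sorted(merchant_exposure(history)[merchant] - already_flagged)


if __name__ == "__main__":
    ranked = rank_common_points(HISTORY, CONFIRMED_FRAUD)
    for row in ranked:
        print(row)
    suspect = ranked[0]["merchant"]
    print("pre-emptively reissue:", cards_to_reissue(HISTORY, suspect, CONFIRMED_FRAUD))
```

With these inputs the craft store is used by all three compromised cards but only half of all cards, so it ranks first with a lift of 2.0; the grocer, used by two of the three, barely beats its base rate and ranks last.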

Virus causes data breach at state websites

Personal information about an unknown number of Massachusetts
residents may have been stolen from the Massachusetts Executive Office
of Labor and Workforce Development, after hundreds of the agency's
computers were infected with a computer worm.

"Unfortunately, like many government and non-government organizations
we were targeted by criminal hackers who penetrated our system with a
new strain of a virus," said Joanne F. Goldstein, the commonwealth's
secretary of labor and workforce development, in a statement released
this afternoon. "All steps possible are being taken to avoid any
future recurrence."

About 1,500 computers in the departments of Unemployment Assistance
and Career Services and at the state's One Stop Career Centers were
infected with a computer virus called W32.QAKBOT, which is designed to
allow an attacker to take control of infected computers and to steal
information stored on the machines.

The agency first detected the presence of the virus on April 20, and
took immediate steps to disinfect its machines. But yesterday, the
agency said that the virus "was not remediated as originally believed
and that the persistence of the virus resulted in a data breach."

Dropbox Drops the Ball on Data Security

Dropbox, a provider of cloud-based data storage services, is in hot
water with the Federal Trade Commission over claims that it lied and
intentionally deceived customers into believing that their data is
more private and secure than it really is. Whether Dropbox was
deliberately misleading, or just failed to clearly communicate policy
changes, the complaint filed with the FTC illustrates concerns over
online data security.

At issue are Dropbox's terms of service. Previously, the company
stated in its terms of service that "all files stored on Dropbox
servers are encrypted (AES-256) and are inaccessible without your
account password." But, Dropbox has continued to modify the terms of
service, and backpedal on exactly how secure customer data
is--sometimes putting its foot in its proverbial mouth.

Dropbox has been at least confusing, if not misleading, about just how
secure data really is.

After a few amendments, the terms have been altered such that it now
reads more to the effect that Dropbox can access and view your
encrypted data, and it might do so to share information with law
enforcement if it is compelled, but that employees are prohibited from
abusing that power and viewing customer data.

According to encryption expert Vormetric, the root of the Dropbox
scenario is that the keys used to encrypt and decrypt files are in the
hands of Dropbox, not stored on each user's machine. While Dropbox
might have policies prohibiting Dropbox employees from viewing files,
a rogue employee could view customer data using the keys held by
Dropbox.

Aaron Levie, co-founder and CEO of Dropbox rival Box.net, is a class
act. Rather than take advantage of the situation to kick Dropbox while
it's down, Levie gives his cloud competitor the benefit of the doubt.
"I think Dropbox has its users' best interests at heart, but probably
went a bit too far in the messaging. I believe they will rectify
this."

Levie did, however, stress the importance of data security as well.
"Broadly speaking though, security must be of critical importance to
any cloud service, and businesses should be absolutely certain they
can trust their provider--things like SAS 70 Type II certification,
encryption in transit and at rest, and extensive security controls for
users and IT should all be top of mind for enterprises looking to
leverage the cloud."

Dropbox is a popular online data storage service with over 25 million
users. I tend to side with Levie and assume that Dropbox doesn't have
any insidious or malicious ulterior motives. It seems that Dropbox has
perhaps been too fickle in trying to adapt its service and features to
improve performance and address concerns, but I doubt Dropbox
meant any harm.

That said, employees don't always follow policies, and the fact that
customers might believe their data is impenetrable while Dropbox
employees can actually view it at will is more than a little problem.

Qakbot family of malware blamed for data breach

In Massachusetts, a malware infection that spread to as many as 1,500
systems within the Office of Labor and Workforce Development (OLWD) is to
blame for a data breach assumed to have exposed 1,200 employer records, an
agency statement says.

The Departments of Unemployment Assistance and Career Services were
infected sometime in April. On Monday, the OLWD discovered that the
initial cleanup efforts had failed to remove the Qakbot malware. Because of
this, it's possible that the malware harvested confidential information.

Qakbot has been around for some time. First discovered in 2009, the
malware spreads via several vectors, including network shares. At one time
it leveraged vulnerabilities in Apple's QuickTime and Internet Explorer to
target victims.

Qakbot is able to gather various kinds of data on an infected system
including OS and network information, keystrokes, stored FTP and email
login details, targeted banking data, as well as usernames and passwords
stored within a browser.

Regulator plans to discipline Hyundai Capital over hacking

SEOUL, May 18 (Yonhap) -- South Korea's financial regulator decided
Wednesday to punish Hyundai Capital Services Inc. for lax computer system
maintenance, which led to a major hacking attack at the biggest local
consumer finance firm.

The Financial Supervisory Service (FSS) launched an inspection into
Hyundai Capital on April 11 after a hacker broke into Hyundai Capital
between March 6 and April 7, stole personal customer information and
demanded cash from the company, threatening to leak it on the Internet.

Holding Hyundai Capital accountable for negligence in computer system
security management, the FSS will submit the case to its disciplinary
decision committee to decide on the punishment for Hyundai Capital and its
executives, according to the regulator.

The FSS said data on 1.75 million Hyundai Capital customers was leaked
during the attack, in which the hacker implanted a malicious program in
the company's homepage. The program was downloaded onto computers of
customers who accessed the homepage.

Not so fast: Sony's PlayStation Network hacked again [Updated]

Less than two days after Sony started bringing its PlayStation Network back
online, reports are coming in that the besieged gaming giant's platform has
been hacked yet again. MCV is reporting that the exploit allows
attackers to change users' passwords using only a PSN account email and date
of birth, two pieces of user information that were obtained in the
original hack.

MCV says that the hack, which is really an exploit of Sony's password
reset system, was first reported by Nyleveia.com and then corroborated by
Eurogamer. Now the PSN login option is unavailable on a number of Sony's
sites. Sony's login site that is used to reset passwords using the email
and date of birth is now down.

According to Nyleveia the exploit was demonstrated to it personally by
someone who knew the method.
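The weakness MCV describes is a reset flow whose only proof of ownership is data the attacker already holds. The following added example, which is not Sony's code and assumes an in-memory account store with a list standing in for the mail system, contrasts that flow with one that issues a random, expiring, single-use token delivered only to the address on file, stores only a hash of the token (so a read of the database does not yield usable reset links), compares it in constant time, and answers a reset request identically whether or not the address is registered.

```python
import hashlib
import hmac
import secrets
import time


def fresh_accounts():
    """Constructed account store: exactly the fields an attacker holds after the breach."""
    return {"alice@example.com": {"dob": "1985-04-12", "password": "correct horse"}}


class WeakReset:
    """Reset succeeds on email + date of birth alone, so leaked data is a full credential."""

    def __init__(self, accounts):
        self.accounts = accounts

    def reset(self, email, dob, new_password):
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return False
        acct["password"] = new_password
        return True


class TokenReset:
    """Reset needs a random single-use token that only reaches the address on file."""

    TTL_SECONDS = 15 * 60

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self.pending = {}           # email -> (sha256 of token, expiry timestamp)
        self.outbox = []            # (email, token) pairs; stands in for the mail system

    def request(self, email):
        if email in self.accounts:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[email] = (digest, self.clock() + self.TTL_SECONDS)
            self.outbox.append((email, token))
        # Same reply either way: the endpoint must not confirm which addresses exist.
        return "If that address is registered, a reset link has been sent."

    def confirm(self, email, token, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[email]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False
        del self.pending[email]     # single use: a replayed link does nothing
        self.accounts[email]["password"] = new_password
        return True


if __name__ == "__main__":
    # The attacker knows alice's email and date of birth from the dump.
    print("weak flow, attacker succeeds:",
          WeakReset(fresh_accounts()).reset("alice@example.com", "1985-04-12", "pwned"))
    strong = TokenReset(fresh_accounts())
    print("token flow, DOB offered as token:",
          strong.confirm("alice@example.com", "1985-04-12", "pwned"))
    strong.request("alice@example.com")
    _, token = strong.outbox[-1]     # only the real mailbox owner sees this
    print("token flow, real token:", strong.confirm("alice@example.com", token, "new-secret"))
```

Rate limiting of request and confirm, and invalidating existing sessions after a successful reset, belong in a production version but are out of scope here.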

PSN breach and restoration to cost $171M, Sony estimates

In the lead-up to its fiscal year 2010 earnings report this Thursday,
Sony today released a revised forecast -- forewarning a $3.2 billion
loss (yowzah!) -- for the twelve months ending March 31, 2011. Having
occurred in late April, the PlayStation Network attack and subsequent
data theft and outage fall outside of that period, but the company
nonetheless addressed "the impact" of the event during an investors
call today, "since there have been so many media inquiries about this
incident."

"As of today," said Sony, according to its call script, "our currently
known associated costs for the fiscal year ending March 2012 are
estimated to be approximately 14 billion yen on the consolidated
operating income level." That's roughly $171 million -- a "reasonable
assumption," says Sony -- that the company expects to spend throughout
the current fiscal year on its "personal information theft protection
program," in addition to "welcome back programs," customer support,
network security "enhancements" and legal costs. Sony noted that
revenue loss from the outage and recovery, which also spans its
Qriocity and Sony Online Entertainment services, had been factored
into the cost, as well.

"So far, we have not received any confirmed reports of customer
identity theft issues, nor confirmed any misuse of credit cards from
the cyber-attack," the company added. "Those are key variables, and if
that changes, the costs could change."

And what about the class action suits? Sony qualifies them as "all at
a preliminary stage, so we are not able to include the possible
outcome of any of them in our results forecast for the fiscal year
ending March 2012 at this moment."

Sony BMG Greece the latest hacked Sony site

The Greek Sony BMG site was reported hacked yesterday, with a partial dump
of 8,300+ users' full names, email addresses and (again partial) telephone
numbers appearing on pastebin. Given that not all details were mandatory,
this somewhat limits the impact of the breach, but looking through the
dump on pastebin there are indeed accounts with all the details provided.

Media coverage in

http://nakedsecurity.sophos.com/2011/05/22/sony-bmg-greece-the-latest-hacked-sony-site/


In what seems to be a neverending nightmare it appears that the website
of Sony BMG in Greece has been hacked and information dumped.
An anonymous poster has uploaded a user database to pastebin.com,
including the usernames, real names and email addresses of users
registered on SonyMusic.gr.
The data posted appears to be incomplete as it claims to include
passwords, telephone numbers and other data that is either missing or bogus.

[..]

It appears someone used an automated SQL Injection tool to find this
flaw. It's not something that requires a particularly skillful attacker,
but simply the diligence to comb through Sony website after website
until a security flaw is found.

While it's cruel to kick someone while they're down, when this is over,
Sony may end up being one of the most secure web assets on the net.

If you are a user of SonyMusic.gr, it is highly recommended that you
reset your password. Expect that any information you entered when
creating your account may be in the hands of someone with malicious
intent, and keep a close eye out for phishing attacks.

The lesson I take away from this is similar to other stories we have
published on data breaches. It would cost far less to perform thorough
penetration tests than to suffer the loss of trust, fines, disclosure
costs and loss of reputation these incidents have resulted in.

Want to learn more about securing your web servers and databases? [...]

Update: The editors of The Hacker News have contacted Naked Security and
indicated they were the source of the post to pastebin.com. The original
hackers had contacted them with the dump.

Sony hit with phishing scam on Thailand home page

A phishing site targeting an Italian credit card company has been
found on servers of Sony’s Thailand page.

Security firm F-Secure discovered the scam, which is unrelated to the
previous cyber attacks on the company’s PlayStation Network and Sony
Online Entertainment.

Michaels Breach: Who's Liable?

A Chicago consumer affected by the Michaels card breach has filed a
federal lawsuit against the crafts retailer, claiming it should have
better protected customers' cards from breach and compromise.

Brandi F. Ramundo had more than $1,300 withdrawn from her checking
account, after reportedly making a debit purchase worth less than $20 at
Michaels. Her five-count suit seeks class-action status, a jury trial,
compensatory damages, and consequential and statutory damages. It also
includes an order for Michaels to pay for card-fraud monitoring services
for consumers hit by the scam, as well as compensation and punitive
damages for costs associated with the suit.

Ramundo's suit raises questions about liability after a card breach fraud.
What role should merchants play, when it comes to ensuring transactional
security, and how should financial institutions, as card-issuers, fall
into the fray?

Attorney Randy Sabett, partner and co-chair of the Internet and Data
Protection practice at law firm SNR Denton LLP, says the liability lines
are often blurred and hard to define after a breach. Although card
fraud usually occurs outside banking institutions' control, banks and
credit unions, as the card issuers, usually absorb losses and expenses
associated with breach recovery.

Some Soy Capital debit cards compromised

DECATUR - Officials at Soy Capital Bank and Trust are working to get customers their money back after an unknown number of debit cards were compromised over the weekend.

The bank was one of five Midwest financial institutions where some MasterCard-issued debit cards received fraudulent charges, said bank President Leon Hinton. The charges began late Saturday night, and MasterCard's fraud detection department alerted some customers on Sunday.

Hinton said customers continued to discover charges they had not made throughout the day Monday. While he did not yet know the scope of the breach, Hinton said it affected a "small percentage" of Soy Capital customers.

[..]



35m Google Profiles dumped into private database

Proving that information posted online is indelible and trivial to mine,
an academic researcher has dumped names, email addresses and biographical
information made available in 35 million Google Profiles into a massive
database that took just one month to assemble.

University of Amsterdam Ph.D. student Matthijs R. Koot said he compiled
the database as an experiment to see how easy it would be for private
detectives, spear phishers and others to mine the vast amount of personal
information stored in Google Profiles. The verdict: It wasn't hard at all.
Unlike Facebook policies that strictly forbid the practice, the
robots.txt permissions file for the Google Profiles URL makes no
prohibitions against indexing the list.

What's more, Google engineers didn't impose any technical limitations on
accessing the data, which is made available in an XML sitemap file
called profiles-sitemap.xml. The code he used for the data-mining proof
of concept is available here.
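The two conditions the article identifies, a robots.txt that does not disallow the profile listing and a sitemap that enumerates every profile, are easy to audit on your own site. The following added example, not Koot's code, parses a constructed robots.txt and sitemap with the standard library and reports which listed URLs an arbitrary crawler is permitted to fetch under the site's own rules. The hostnames and paths are made up for the example.

```python
import urllib.robotparser
import xml.etree.ElementTree as ET

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed robots.txt: only the account area is reserved, the listing is not.
ROBOTS_TXT = """\
User-agent: *
Disallow: /account/
Sitemap: https://www.example.com/profiles-sitemap.xml
"""

# Constructed sitemap in the shape the article describes: one <url> per profile.
SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/profiles/u1001</loc></url>
  <url><loc>https://www.example.com/profiles/u1002</loc></url>
  <url><loc>https://www.example.com/account/u1003</loc></url>
</urlset>
"""


def load_robots(text):
    """Parse robots.txt content that has already been fetched (no network access here)."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(text.splitlines())
    return parser


def sitemap_locations(xml_text):
    """Every <loc> in a sitemap or sitemap index, in document order."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]


def crawl_exposure(robots_text, sitemap_text, agent="*"):
    """Which listed URLs a crawler identifying as `agent` may fetch under the site's rules."""
    rules = load_robots(robots_text)
    listed = sitemap_locations(sitemap_text)
    fetchable = [url for url in listed if rules.can_fetch(agent, url)]
    return {
        "listed": len(listed),
        "fetchable": fetchable,
        "blocked": [url for url in listed if url not in fetchable],
    }


if __name__ == "__main__":
    report = crawl_exposure(ROBOTS_TXT, SITEMAP_XML)
    print(f"{report['listed']} URLs listed, {len(report['fetchable'])} fetchable by any crawler")
    for url in report["fetchable"]:
        print("  exposed:", url)
```

robots.txt is advisory: a disallow rule only keeps well-behaved crawlers away, so the real fix for a listing that should not be bulk-harvested is not to publish it in a sitemap at all, or to rate-limit and authenticate access to it.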

BofA Breach: 'A Big, Scary Story'

$10 Million Loss Highlights Risks, Sophistication of Internal Breaches
May 25, 2011 - Tracy Kitten, Managing Editor

An internal breach at U.S. financial giant Bank of America shows how some
corporations do not focus enough attention on mitigating internal fraud
risks.

According to news reports, a BofA employee with access to accountholder
information allegedly leaked personally identifiable information such as
names, addresses, Social Security numbers, phone numbers, bank account
numbers, driver's license numbers, birth dates, e-mail addresses, family
names, PINs and account balances to a ring of criminals. With that
information, the fraudsters reportedly hijacked e-mail addresses, cell
phone numbers and possibly more, keeping consumers in the dark about new
accounts and checks that had been ordered in their names.

Some 300 BofA customers in California and other Western states have
reportedly had their accounts hit, and 95 suspects linked to the breach
were arrested by the Secret Service in Feb.

BofA says it detected the fraud a year ago, but only recently began
notifying affected customers of the breach.

Mystery Australian merchant credit cards breached

The Commonwealth Bank, Westpac and St George have cancelled a number of credit cards in response to a potential security breach.

Both banks have confirmed to the ABC that some customers' cards have been cancelled due to fears they had been compromised and would be open to fraud.

The Commonwealth Bank says it detected the potential security breach through its continuous monitoring process.

CBA says a merchant terminal used by its customers was not secure.

It says the terminal is owned by another bank which has been notified.

CBA says MasterCard and Visa were also alerted to the potential problem immediately.

ANZ and National Australia Bank say it is not one of their terminals.

Westpac says there has been no security breach with its systems either, but would not comment on whether there was a problem at its subsidiary St George.

Sony Begins Providing ID Theft Protection for PlayStation Hack

Sony has begun sending out formal emails advising users of its PlayStation
Network how to sign up for the identity theft protection services it said
it would offer customers.

Sony also said Tuesday that the PlayStation online store would remain down
until the end of the month.

"Sony Computer Entertainment and Sony Network Entertainment have made
arrangements with Debix to offer AllClear ID PLUS to eligible PlayStation
Network and Qriocity account holders in the United States who are
concerned about identity theft," Sony said in an email sent Wednesday
afternoon.

The service will provide 12 months of alerts to help protect users from
identity theft, as well as provide ID theft insurance coverage (up to $1
million, Sony has said previously) as well as hands-on help from fraud
investigators.

Update: Honda Canada breach exposed data on 280,000 individuals

Company says ID theft unlikely because no SSNs, driver license details,
birth dates, bank details were compromised
By Jaikumar Vijayan
May 26, 2011 05:05 PM ET

Computerworld - Honda Canada has notified about 280,000 customers in that
country of a data breach involving the compromise of their personal data.

The breach was discovered in late February. However the company only began
notifying customers of the compromise earlier this month.

An undated alert posted on the company's Web site said the incident
involved the unauthorized access of customer names, addresses, vehicle
identification numbers, and in the case of a small number of customers,
their Honda Financial Services account numbers.

Jerry Chenkin, executive vice president of Honda Canada, said Thursday the
reason for the delay was because the company needed time to figure out the
scope of the breach before it could begin notifying customers.

Asperger's charity loses children's data in laptop theft

Personal information relating to 80 children with Asperger's syndrome has
been stolen from a Sheffield charity.

A laptop containing names, addresses and medical information was stolen
from Asperger's Children and Carers Together (ACCT).

The computer was taken from the home of an employee and reported in
December.

The Information Commissioner's Office (ICO) said the incident breached
data protection and the charity must ensure "information is encrypted".

Latest Sony Hack Targets Japan Music Site

This is getting a little ridiculous. Analysts have discovered yet
another flaw on Sony's network, this time via Sony Music Japan.

"The Hacker News sent us a tip this evening documenting a couple of
vulnerable Web pages on SonyMusic.co.jp that allowed hackers to access
their contents through SQL injection," Chester Wisniewski with Sophos
wrote in a blog post.

Aussie banks cancel 10,000 credit cards

No you didn't exceed your limit, we can't secure our data
By Natalie Apostolou
Posted in Security, 29th May 2011 22:50 GMT

The Australian banking system has been rocked by a mystery security breach
which caused the immediate cancellation of over 10,000 cards on Friday.
The Commonwealth Bank and the St George Bank initiated the alert via SMS
to customers notifying them that their cards would be cancelled as part of
precautionary measures.

The Commonwealth Bank said in a statement that it was alerted to compromised
security for credit card data following the report of a potential data
breach by an undisclosed Australian merchant (serviced by another bank).
However, none of the affected banks have revealed the cause or detailed
the exact nature of the security breach.

The Commonwealth Bank has cancelled 8,000 cards while Bendigo Bank has
also reportedly cancelled 2,300 cards. Westpac and the National Australia
Bank (NAB) alerted customers of the fraudulent activity but said that only
a small number of customers - fewer than 1,000 - had been affected.

Survey: Breaches Cost Some Healthcare Organizations $100K Per Day

Most healthcare organizations have made compliance with security and
privacy regulations a priority, but that hasn't slowed the data-breach
bleed, a new survey finds.

Some 56 percent of IT administrators in healthcare organizations say they
spend anywhere from 25 to 100 percent of their time working on compliance,
and 54 percent spend most of it on HIPAA, according to the survey
conducted by GlobalSign, a certificate authority. Meanwhile, some 34
percent of organizations suffered a breach of their patients' records in
the past two years, and 10 percent say those breaches cost their
organizations $100,000 per day per incident.

Nearly 40 percent spend one-fourth of their work week "improving security
and ensuring data privacy," and 19 percent say they spend 75 to 100
percent of their time on compliance, the report found, based on a survey
of 107 IT administrators, managers, and C-level executives. Half of the
respondents are with organizations of 5,000 or more employees.

Lila Kee, chief product officer at GlobalSign, says the findings reveal
that healthcare is working heavily on compliance for HIPAA, HITECH, and
other state and federal regulations, but is still getting hacked. "They
are still having breaches even though they are doing a lot with
regulations and compliance," Kee says.

Data breach notification laws: Timing right for breach notification bill, experts say

New legislation proposed by the White House is attempting to blanket
the United States with a standard set of data breach notification
rules and experts say the time has never been better for the proposed
data breach notification law (PDF).

The Obama administration is seeking to standardize the amount of time
companies can wait before informing consumers of a data breach
involving consumer data. At the same time, the White House issued a
document outlining its International Strategy for Cyberspace (PDF),
which outlines a roadmap in how the federal government would help
secure distributed networks, protect intellectual property and build
disaster response plans.

The new data security legislation sent to Congress follows a string of
high-profile data breaches. It would require companies to notify
potential victims “without unreasonable delay.” Other requirements
include the notification of a major media outlet and all major
credit-reporting agencies within 60 days if the credit card data on
more than 5,000 individuals is at risk.

The bill and a document outlining the country's national security
strategy come just two years after President Barack Obama's Strategic
Cybersecurity Review, which outlined cybersecurity and made it
paramount to U.S. national security.

“There hasn’t been a high number of very high-profile attacks and data
breaches that have drawn the concern of Congress,” said Eric
Rosenbach, principal and lead of the Global Cybersecurity Consulting
Practice at Good Harbor Consulting. “You see now, within the last two
or three years, that there has been a number of high-profile attacks
that change the context in which people think about this.”

The Obama administration said it sought to construct a single
piece of legislation that would benefit the private sector and protect
consumers, thus creating one consistent federal standard for data
breach notification. A unified federal law will help "push forward
the new momentum of cloud computing" by creating one set of rules
that large corporations have to deal with instead of several,
Rosenbach said.

Rosenbach believes that while this proposal is important, it will not
make it through the legislative process unchanged, especially coming
from a Democratic White House through a Republican House of
Representatives.

Other experts agreed that the timing is right for federal
cybersecurity legislation. Different rules and regulations set up by
states have been costly for enterprises, said Pete Lindstrom, a
research director with Malvern, Pennsylvania-based Spire Security.

“Any time you’re consolidating the procedural requirements for
notification, I think it’s generally a good thing,” Lindstrom said.
“Right now, with each state deciding how notification should occur,
it’s a huge burden on enterprises to actually comply with all the
different state laws.”

Lindstrom said privacy advocates will be watching the bill closely,
but legislators are keenly aware of ongoing sensitivity over privacy
issues.

“States are going to dislike it because it usurps some of their
authority, but generally the House and the Senate are going to like it
because it gives them more oversight and people care,” Lindstrom said.

Some like Avivah Litan, a vice president and distinguished analyst at
Gartner Inc., see the law as “pretty innocuous” and do not anticipate
much of a fight on Capitol Hill. Since companies already have to
comply with state disclosure laws they have little reason to fight a
bill seeking to make their legal maneuverings easier; however, Litan
is sure there will be lobby groups who come out against the bill.

“I think this law can only improve security,” Litan said. “I think it
is one of the better things they’ve done in cybersecurity, and I’m not
usually very generous with them. I’ve got lots of other criticisms of
the Obama administration, but I think this law is actually a good
proposal.”

The unified federal law will be especially helpful to smaller
businesses, preventing them from having to deal with expensive and
specialized lawyers, especially if the businesses operate in multiple
states, said Good Harbor’s Rosenbach. This is because larger companies
often have the resources to deal with multiple and varying state laws
while smaller businesses do not, which could be an impediment to
competitiveness.

“The private sector, above all else when it comes to cybersecurity,
wants something that is stable and easy to understand because then
it’s easy for them to plan for future investment and they have a more
stable kind of operating environment,” Rosenbach said.

LulzSec Sony dump online

Greetings folks. We're LulzSec, and welcome to Sownage. Enclosed you will find
various collections of data stolen from internal Sony networks and websites,
all of which we accessed easily and without the need for outside support or
money.

We recently broke into SonyPictures.com and compromised over 1,000,000 users'
personal information, including passwords, email addresses, home addresses,
dates of birth, and all Sony opt-in data associated with their accounts. Among
other things, we also compromised all admin details of Sony Pictures (including
passwords) along with 75,000 "music codes" and 3.5 million "music coupons".

Due to a lack of resource on our part (The Lulz Boat needs additional funding!)
we were unable to fully copy all of this information, however we have samples
for you in our files to prove its authenticity. In theory we could have taken
every last bit of information, but it would have taken several more weeks.

Our goal here is not to come across as master hackers, hence what we're about
to reveal: SonyPictures.com was owned by a very simple SQL injection, one of
the most primitive and common vulnerabilities, as we should all know by now.
From a single injection, we accessed EVERYTHING. Why do you put such faith in a
company that allows itself to become open to these simple attacks?

What's worse is that every bit of data we took wasn't encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it's just a
matter of taking it. This is disgraceful and insecure: they were asking for it.

This is an embarrassment to Sony; the SQLi link is provided in our file
contents, and we invite anyone with the balls to check for themselves that what
we say is true. You may even want to plunder those 3.5 million coupons while
you can.

Included in our collection are databases from Sony BMG Belgium & Netherlands.
These also contain varied assortments of Sony user and staffer information.
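The two defects the statement names, a query assembled from user input and passwords stored in the clear, are shown below as an added example (editor's illustration, not Sony's or LulzSec's code, and not the actual sonypictures.com query). The table, rows and injection payloads are constructed; the point is that the vulnerable and the parameterized version differ by one line, and that a single injection point is enough to both bypass authentication and dump every row.

```python
"""Added example (editor's illustration, not Sony's or LulzSec's code): a
login query built by string formatting is injectable; the same query with
bound parameters is not. Table, rows and payloads are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table. Passwords sit in the clear, the second
    failing the LulzSec statement calls out."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password, dob) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "hunter2", "1980-01-01"),
            ("bob@example.com", "letmein", "1975-06-15"),
            ("carol@example.com", "Tr0ub4dor&3", "1990-12-31"),
        ],
    )
    return conn


def login_vulnerable(conn, email: str, password: str) -> list:
    """Interpolates user input into SQL text, so a quote in the input ends
    the string literal and whatever follows is parsed as SQL."""
    query = (
        f"SELECT email FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, email: str, password: str) -> list:
    """Same query with placeholders: the driver passes the values
    separately from the SQL text, so they are compared, never parsed."""
    query = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (email, password))]


# Authentication bypass: the tail of the WHERE clause becomes
#   ... AND password = '' OR '1'='1'
# and AND binds tighter than OR, so every row matches.
BYPASS_PASSWORD = "' OR '1'='1"

# Data dump from the same injection point: a UNION appends a second SELECT
# whose rows come back through the login query's result set, and the
# trailing comment discards the original AND clause.
DUMP_EMAIL = "x' UNION SELECT email || ':' || password FROM users -- "


def dump_credentials(conn) -> list:
    """What 'from a single injection, we accessed EVERYTHING' looks like
    against the vulnerable query: every email:password pair, sorted."""
    return sorted(login_vulnerable(conn, DUMP_EMAIL, ""))


if __name__ == "__main__":
    db = build_db()
    print("bypass (vulnerable):   ", login_vulnerable(db, "alice@example.com", BYPASS_PASSWORD))
    print("bypass (parameterized):", login_parameterized(db, "alice@example.com", BYPASS_PASSWORD))
    print("dump via UNION:        ", dump_credentials(db))
```

The parameterized version is the whole fix for the injection; it does nothing about the plaintext password column, which is the separate failure the next story turns on.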

Sony Pictures attacked again, 4.5 million records exposed

by Chester Wisniewski on June 2, 2011

The same hackers who recently attacked PBS.org have turned their attention
back to Sony by releasing the latest dump of information stolen from
Sony's websites.

While the information disclosed includes approximately 150,000 records,
the hackers claim the databases exposed contain over 4.5 million records,
at least a million of which include user information.

The data stolen includes:

* A link to a vulnerable sonypictures.com webpage.
* 12,500 users related to Auto Trader (Contest entrants?) including
birth dates, addresses, email addresses, full names, plain text passwords,
user IDs and phone numbers.
* 21,000 IDs associated with a DB table labeled "BEAUTY_USERS"
including email addresses and plain text passwords.
* ~20,000 Sony Music coupons (out of 3.5 million in the DB).
* Just under 18,000 emails and plain text passwords from a Seinfeld
"Del Boca" sweepstakes.
* Over 65,000 Sony Music codes.
* Several other tables including those from Sony BMG in The
Netherlands and Belgium.

LibriVox Forum Hacked

> Dear Librivoxer,
>
> This is Hugh, the founder of LibriVox, writing to let you know that,
> unfortunately, a hacker broke into the LibriVox forum, caused a bit of
> damage (now fixed), but more worryingly, got access to our complete
> database including emails and encrypted passwords. We have locked them out
> of the system, and we've fixed the vandalism, but they still have our
> database.
>
> So, in order to protect our users & the LibriVox accounts:
>
> * we have RESET ALL USER PASSWORDS (including yours)
> * the next time you login your password will be invalid
> * you will have to reset your password, using this link:
> http://forum.librivox.org/ucp.php?mode=sendpassword
>
> NOTE1: PLEASE DO NOT USE THE SAME PASSWORD YOU USED BEFORE!
>
> NOTE2: IF YOU USE THE SAME PASSWORD ON OTHER INTERNET SERVICES, WE
> RECOMMEND YOU CHANGE THOSE PASSWORDS TOO.
>
> If you have difficulty resetting your password, please reply to this email
> and ask for help. Be sure to include your forum username.
> LibrivoxPasswordReset@librivox.org
>
> In the interests of full disclosure, here is some extra information:
> (1) The database contained every piece of communications sent through the
> forum, including all private messages. This information is now in the
> possession of the hacker.
>
> (2) All forum passwords in the database are encrypted. However, if your
> password was very simple, it will be trivial for the hacker to break the
> encryption using "brute-force" techniques. They will likely attempt exactly
> this, so if you use the same password on any other Internet service, you
> should immediately change your password at those services.
>
> We are very sorry that this happened, and once this is sorted out as best
> as it can be, we'll be doing a more thorough security review.
>
> If you have questions, please don't hesitate to contact me.
>
> Sincerely,
> Hugh McGuire
> Founder, Librivox
>
>
> --
> The LibriVox Team
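The warning in point (2) above, that "encrypted" passwords are only as safe as they are hard to guess, is worth seeing in code. The block below is an added example by the editor, not LibriVox's or phpBB's code: an offline dictionary attack against an unsalted, single-round hash (the scheme older forum software used) next to the same attack against a salted PBKDF2 record. The wordlist, the "dump" and the record format are constructed; the 100,000-round work factor is an assumption to tune per deployment.

```python
"""Added example (editor's illustration, not LibriVox's or phpBB's code):
why a database of hashed passwords still yields the simple ones to an
offline dictionary attack, and what a salted, iterated hash changes.
The wordlist and stored records are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist; a real attacker uses millions of leaked passwords.
WORDLIST = ["123456", "password", "librivox", "letmein", "qwerty", "audiobook"]

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to ~100 ms per verify


def store_md5(password: str) -> str:
    """Unsalted, single-round hash: one cheap computation per guess."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_batch(stored: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted hashes. Each guess is hashed once
    and matched against every user at the same time, which is why all the
    simple passwords in a whole dump fall in a single pass."""
    lookup = {store_md5(word): word for word in wordlist}
    return {h: lookup[h] for h in stored if h in lookup}


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, iterated hash in a self-describing record (assumed format)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Same attack against one salted record. A weak password still falls,
    but every guess now costs `rounds` HMACs, and the per-user salt means
    the work cannot be shared across users or precomputed into a table."""
    for word in wordlist:
        if verify_pbkdf2(record, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed dump: two dictionary passwords and one that is not.
    dump = [store_md5(p) for p in ("123456", "librivox", "Ysr9!vq-2Lp")]
    print("recovered from unsalted dump:", crack_unsalted_batch(dump, WORDLIST))
    record = store_pbkdf2("qwerty")
    print("recovered from salted record:", crack_pbkdf2(record, WORDLIST))
```

Neither scheme protects a password that is in the attacker's wordlist; that is why the notice tells users to change the same password everywhere else. What the salted, iterated hash buys is that the attacker pays the full per-guess cost for every user separately, so a dump of strong passwords stays useless for a long time instead of falling in one pass.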

Sony had HOW many breaches?

We thought keeping track of entities involved in the Epsilon breach
was tough, but the recent spate of attacks on Sony networks has us
working overtime trying to update the database. Thankfully, Jericho
provided yeoman service and compiled a hyperlinked chronology of
recent developments.

The Sony breaches have generated a lot of discussion. Some of it has
centered on Sony's shocking failure to encrypt passwords and it being
all-too-vulnerable to SQLi compromises (if those posting the data
publicly are accurate as to how they compromised certain databases).
Sony undoubtedly has a lot of explaining to do if it hopes to have
future assertions of industry-standard security taken seriously.

To date, the two largest incidents affected over 100 million records.
But were the PSN and Sony Online Entertainment (SOE) attacks two
separate incidents or were they really one breach? Should
DataLossDB.org have recorded one breach with over 100 million
affected, or two incidents involving 77 million and 24.6 million,
respectively? Or should we just treat the last 45 days' incidents as
one #EPIC #FAIL and one big incident? In light of our mission to track
unique breaches, the question is not trivial.

When news of the second incident broke, the first thought was to
update the PSN entry and add another 24.6 million to that counter. But
as more details emerged, it seemed clear that we should treat it as a
separate incident. The attack had occurred on different days than the
PSN attack, the data compromised were on different networks, it
seems quite likely the different networks had different security
measures involved (Sony later testified that databases with credit
card data were treated with higher security), we did not know if the
same individuals were involved in both attacks, and the company itself
was reporting it as a second incident previously unknown to them and
not as an update to the other breach. Our impression that these were
two unique incidents was subsequently supported by the reports made to
the New Hampshire Attorney General's Office for each incident (here
and here).

Despite what we thought was an accurate way to track these breaches,
one commenter to DataLossDB.org questioned our decision to treat the
reports as two unique incidents. A researcher with Javelin Strategy
commented that treating this as two incidents instead of one benefited
Sony: they would not appear ranked 2nd in our list of all-time largest
breaches on our home page. Since these incidents had the same parent
corporation, he suggested, they should be treated as one aggregated
incident.

While those points may appear reasonable to some, we find them
unpersuasive. First, we do not make decisions based on whether an
entity benefits or suffers from a particular decision. We make
decisions based on whether the available information supports
aggregating the data for a particular incident or not. In this case,
although it is the same parent corporation, the available information
does not support aggregation. In other cases, such as a Wellpoint
breach that was initially entered as distinct incidents, when my
research revealed that there was only one incident and that what
appeared to be a second incident was really due to Wellpoint's vendor
not fully securing the web sites after the first report, I recommended
that those incidents be combined, and they will be. But other than a
common target - Sony - where is there any evidence that this was just
one incident? There is none.

We recognize that not everyone will agree with our decision, and
that's fine. Should new information become available that suggests
that a one-incident approach is more appropriate for these incidents,
we will edit our entries.

As always, we welcome constructive thoughts about how to make the
database more useful to stakeholders, but we do not expect all of our
decisions to please everyone.

Acer Europe Customer Details Exposed

According to a report from The Hacker News, the personal data of approximately 40,000 Acer customers were made available online via the company's Acer-Euro.com FTP server. The 13 MB ZIP archive contained an Excel spreadsheet with the various customer details, including first and last names, country of residence and email addresses, as well as product model and serial numbers owned by these customers.

Wednesday, April 27, 2011

Hacker pleads after busted with 675K stolen cards

A Georgia man has pleaded guilty to fraud and identity theft after
authorities found him in possession of more than 675,000 credit card
numbers, some of which he obtained by hacking into business networks.

Rogelio Hackett Jr., 26, pleaded guilty on Thursday to one count each of
access device fraud and aggravated identity theft after authorities
executed a search warrant at his home and discovered the card numbers,
used to conduct fraudulent transactions totaling more than $36 million, on
his computers and storage devices.

According to the indictment, authorities hunted Hackett down after
monitoring his activity in internet relay chat (IRC) rooms and on
underground forums, where he sold stolen card numbers, usually at $20 to
$25 each to buyers around the world. He used the proceeds to make high-end
purchases, such as a 2001 BMW X5 and a pair of $450 Louis Vuitton shoes.

Only four fines over data breaches

Just four civil penalties have been handed out by the information
watchdog since the powers came into force last year, with a company
that lost information relating to more than 20,000 people in Leicester
and Hull fined, figures show.

More than 2,500 possible breaches of the Data Protection Act have been
reported to the Information Commissioner's Office (ICO), but just 36
have resulted in any action and only four have attracted civil
penalties.

In all, organisations have been fined a total of just £310,000, with
the biggest fine handed out to date being £100,000 - despite the
maximum penalty for a single offence being £500,000.

The figures, released to encryption firm ViaSat under Freedom of
Information laws, also showed that the ICO has taken action against
seven private sector organisations, penalising just one, but 29 in the
public sector, penalising three.

Chris McIntosh, the firm's chief executive, said: "The ICO has a
tremendous amount of leeway in the penalties it levies and so far
doesn't seem to be applying this in either direction.

"The ICO has stated that the embarrassment and poor image of a fine
will act as a deterrent and an incentive to improve an organisation's
grasp of the Data Protection Act. However, if fines are rare and well
below the maximum allowed limit, their value as a deterrent drops.

"Organisations will view the rarity of a fine and the associated
negative publicity the same way they have viewed the threat of a data
breach itself: an event that only happens to other people."

The biggest fine to date, £100,000, was given to Hertfordshire County
Council in November last year after it accidentally faxed highly
sensitive information about cases involving child sex abuse and care
proceedings to the wrong recipients on two occasions in the space of
two weeks in June 2010.

In February, Ealing Council was fined £80,000 and Hounslow Council was
fined £70,000 after an out-of-hours service working on behalf of both
councils lost two laptops containing the details of around 1,700
people when they were stolen from an employee's home. Almost 1,000 of
the individuals were clients of Ealing Council and almost 700 were
clients of Hounslow Council.

And also in November, employment services company A4e was fined
£60,000 over the theft of a laptop containing personal information of
about 24,000 people who had used community legal advice centres in
Hull and Leicester in June.

Privacy breach case is settled - Restaurant group to pay Mass. $110,000

The Briar Group, which runs Ned Devine’s, the Green Briar, the Lenox,
and other popular restaurants, has agreed to pay $110,000 to resolve
allegations that the Boston chain failed to take reasonable steps to
protect diners’ personal information and put at risk tens of thousands
of credit and debit card accounts.

The settlement stems from a lawsuit filed by Massachusetts Attorney
General Martha Coakley over a data breach the Briar Group suffered in
April 2009. Briar’s failure to implement basic data security measures
enabled hackers to access customers’ credit and debit card
information, including names and account numbers, according to the
lawsuit. The hackers’ malware — malicious software designed to
infiltrate computer systems — that caused the security problems was
not removed from the company’s computers until December 2009.

The lawsuit filed in Suffolk Superior Court also alleges that the
Briar Group failed to change default usernames and passwords on its
point-of-sale computer system; allowed multiple employees to share
common usernames and passwords; failed to properly secure its remote
access utilities and wireless network; and continued to accept credit
and debit cards from consumers after Briar knew of the data breach.

“The Briar Group is committed to high-quality customer service at all
of our restaurants. We take the security of our customer’s credit card
information very seriously and therefore respond aggressively to any
concerns that are brought to our attention,’’ the restaurant chain
said in a statement. “We believe the agreement we have entered into
with the attorney general’s office achieves our shared goal of
ensuring that our customers can use their credit cards with confidence
in the security of their data.’’

But the Briar Group added in its statement that it believes the chain
acted immediately once it was informed of the possible breach.

“We took immediate and aggressive action steps, including: informing
the major credit card companies of the potential breach, working with
the nation’s leading data security company to identify any weaknesses
in our data systems and make system upgrades to further secure
customer data and cooperating with a federal investigation into this
matter,’’ the statement said. “We are confident that customers dining
at one of our restaurants can safely use their credit cards.’’

Under the terms of the settlement, the Briar Group must pay the
Commonwealth $110,000 in civil penalties; comply with state data
security regulations and Payment Card Industry Data Security
Standards; and maintain an enhanced computer network security system.

“When consumers use their credit and debit cards at Massachusetts
establishments, they have an expectation that their personal
information will be properly protected,’’ Coakley said in a statement.
“In addition to the payment, this agreement also works to ensure that
steps have been taken to protect consumer information moving
forward.’’

Epsilon pledges to build 'Fort Knox' around breached system

E-mail marketing giant Epsilon will build an industry-leading security
system in response to a March 30 breach in which thieves gained access
to the e-mail addresses and names of partner's customers, the CEO of
Epsilon's parent company said Thursday.

Epsilon had "very strong" security measures in place before the
breach, but additional improvements are coming, said Ed Heffernan,
president and CEO of Alliance Data Systems.

"Bottom line, we will emerge not just with strong security protocols,
but industry-leading," he said. "We're essentially going to build Fort
Knox around this thing. We've taken the position now that it's not
good enough to be at or above the industry [standard], we need to be
the absolute leader in the industry because we are the largest
player."

Epsilon's e-mail marketing technologies will sacrifice some
flexibility and user-friendliness for security, Heffernan said during
a conference call about his company's quarterly profits. Heffernan
didn't disclose what new security measures the company planned to
take.

The breach affected about 2 percent of Epsilon's clients. Heffernan
said. Best Buy, JPMorgan Chase and the Kroger supermarket chain were
among the Epsilon clients that warned their customers about the
breach.

Several clients have expressed frustration over the incident,
Heffernan said. The company plans to do "whatever it takes" to restore
relationships with clients, he said.

"While knowing we are the victim of this crime, we will not be playing
that card," he said. "Rather, we view our role as standing up and
taking the hit for what these cyber-crooks did. We will learn from the
experience and come out stronger than ever."

Still, Alliance Data Systems projected no "meaningful" costs or
liability related to the incident, Heffernan said. E-mail volumes have
remained at the expected levels, and the company expects no changes in
Epsilon's financial results going forward.

The company expects the "vast, vast majority, if not all," of
Epsilon's clients to remain with the company, he said. Client
retention will be a top priority at Epsilon moving forward, company
officials said.

The company detected "abnormalities" in its e-mail marketing system on
March 30 and began notifying clients and U.S. law enforcement
officials within 24 hours, Heffernan said.

Heffernan declined to discuss details of the breach.

Epsilon's investigation found that e-mail addresses and names were
stolen, but no personally identifiable information (PII), such as
account numbers or credit card numbers, he said.

"Stolen e-mail addresses are certainly bad, but stolen PII is what we
would call really, really bad," he said.

Alliance Data Systems officials called their first quarter earnings
"strong." Epsilon's revenue increased 23 percent to $156 million from
the first quarter of 2010. The breach happened one day before the
first quarter ended.

ICO Slaps Oldham School, But Suffers Fresh Criticism

Information Commissioner tells a teacher off for losing a laptop, but
critics say this is not enough

The Information Commissioner has reprimanded a school and a hospital
for data breaches, but is still facing criticism for going too easy on
organisations failing to protect their data.

Freehold Community School in Oldham may have exposed 90 pupils’
personal information when an unencrypted laptop was stolen from a
teacher’s car, while NHS Birmingham East and North breached the Data
Protection Act by failing to restrict access to files on its IT
network, the Information Commissioner’s Office (ICO) has said.

The announcements came while the ICO was slated for acting on data
breaches so rarely that its fines are “a risk organisations are
prepared to take,” according to critics.

Public sector still unfairly targeted?

The ICO has only fined four organisations for data breaches, despite
having 2565 incidents reported to it in the year since it gained the
right to fine offenders, according to a Freedom of Information request
made by security firm ViaSat.

ICO deputy director David Smith attacked the figures when they were
released, calling them “inaccurate”, and suggested a revision downward
to around 600 reported breaches. ViaSat stood by the figures, pointing
out that the data came from the ICO in response to a specific request
about data breaches.

“Our request was clear in that we wanted information on the number of
data breaches,” said ViaSat chief executive Chris McIntosh. “Even if
you look at the revised figures the ICO has released it is still clear
that monetary penalties have been enforced in less than one
percent of the data losses it has dealt with.”

The new reprimands did not include fines, and do nothing to counter
McIntosh’s other criticism, that the ICO hits the public sector
unfairly. “The public sector… dutifully reports its failures under the
data protection act and receives more, and larger, penalties as a
result,” said McIntosh in a statement.

Promise to do better

Joyce Willetts, the head of Freehold Community School, has promised
that laptops will not be stored in cars in future, all data taken off
site will be encrypted, and staff will be trained.

Meanwhile in Birmingham, Denise McLellan, chief executive of the NHS
Birmingham East and North trust has promised to increase security,
after the personal records of thousands of members of staff were
potentially exposed to staff at three NHS trusts.

“Our focus as a regulator is on getting bodies to comply with the Data
Protection Act,” said an ICO statement. “This isn’t always best
achieved by issuing organisations or businesses with monetary
penalties. The big stick is there, but doesn’t need to be deployed all
the time to have an effect.”

The ICO’s guidance on the use of its powers to issue a monetary
penalty is here (PDF)

This statement did little to placate McIntosh, who reiterated his
criticism of ICO inaction: “The ICO is fond of saying that ‘you have
to be selective to be effective’ but by being too selective all that
happens is that organisations, especially in the private sector, can
begin to view the threat of a penalty or an undertaking as something
that is so unlikely as to be beneath notice,” he said. “For example,
organisations could easily look at the £60,000 penalty meted out to
A4e, its size compared to the company’s £145m turnover, its rarity and
the fact that A4e is still receiving plenty of business, from the
Government no less, and feel that the risk of ICO action is one they
are prepared to take.”

McIntosh and the ICO agree on one thing however. At Infosec Smith is
reported as asking for more powers to deal with those who breach the
data protection act.
McIntosh agrees: “The ICO is right to push for more powers, and we
fervently hope it can get them,” he said. “However, it would be nice
to see those it has exercised a little more.”

The ICO has indeed been given more powers in another area related to
data breaches. It can fine companies that send unwanted spam up to
£500,000.

Sealed Records Exposed In Major Court Gaffe

In a shocking failure to protect sensitive details about dozens of ongoing
criminal investigations, federal officials somehow allowed confidential
information about sealed cases to be publicly accessible via the court
system's online lookup service, The Smoking Gun has learned.

Over the past nine months, details of 40 separate sealed court
applications filed by federal prosecutors in Alabama were uploaded to
PACER, the web-based records system that counts nearly one million users,
including defense lawyers, prosecutors, journalists, researchers, private
investigators, and government officials.

The court applications, made by ten separate prosecutors, included
requests to install hidden surveillance cameras, examine Facebook records,
obtain credit information on certain individuals, procure telephone
records, and attach devices on phone lines that would allow agents to
track incoming and outgoing calls. Remarkably, the U.S. District Court
records--which covered filings as recent as April 11--included specific
names, addresses, and phone numbers that should never have appeared on
PACER.

Carder Pleads Guilty to Fraud Involving $36 Million in Losses

A hacker and carder has pleaded guilty to trafficking in more than half a
million stolen card numbers that resulted in $36 million in fraud losses.

Rogelio Hackett, Jr., 26, pleaded guilty Thursday in Virginia to one count
of access device fraud and one count of aggravated identity theft.

The hacker was arrested in 2009 for selling stolen bank card numbers in
online criminal forums and IRC chatrooms. When authorities searched his
home at the time, they found more than 675,000 stolen credit card numbers
on his computers and in e-mail accounts. According to court records
(.pdf), more than $36 million in fraudulent transactions have been
attributed to the stolen numbers found in Hackett's possession.
Authorities don't say how many of these transactions were committed by him
or by others.

Hackett, who hails from Lithonia, Georgia, admitted that he had been
hacking computers since the late 1990s, an activity that morphed into
hacking-for-profit by 2002 when he began stealing bank card data from SQL
databases. In August 2007, for example, he breached the server at an
unnamed online ticket seller and stole information on about 360,000 credit
card accounts. He still had the data on his computer two years later when
authorities searched his home.

The silence is ‘deafening’ on Ohio State’s data breach

More than four months after Ohio State revealed the largest data
breach in higher education history, officials responsible for
protecting the university’s electronic information remain silent as
evidence of internal disputes arises and the investigation continues.

On Oct. 22, the university discovered that a server, which fell under
the responsibilities of the Office of the Chief Information Officer,
had been breached and the identities of about 760,000 people had been
jeopardized.

On Dec. 15, the university notified current and former faculty,
students, applicants and others affiliated with the university that a
hacker had accessed the server containing their names, dates of birth,
addresses and Social Security numbers.

However, Kathleen Starkoff, the university’s Chief Information Officer
and Steve Romig, associate director of Information Technology security
in the CIO’s office, have no email records containing the phrase “data
breach” before Dec. 5, according to documents obtained by The Lantern
through open records requests.

Obscurity shrouds the issue, as university spokesman Jim Lynch serves
as OSU’s voice on this matter.

Contacts from the university’s IT department, including Starkoff,
Romig and Charles Morrow-Jones, director of IT security, refused
comment and referred The Lantern to Lynch.

Texas fires two tech chiefs over breach

Computerworld - The Texas State Comptroller's office has fired its
heads of information security and of innovation and technology
following an inadvertent data leak that exposed Social Security
numbers and other personal information on over 3.2 million people in
the state.

Two other employees have also been fired over the incident, a
statement posted on Texas Comptroller Susan Combs' site noted.

The office has hired Gartner and Deloitte to review its existing
information security controls and policies and to recommend any needed
changes. In addition, the state has also negotiated a 70% discount on
credit monitoring fees with Experian for affected individuals, the
statement said.

The measures come in the wake of a recent disclosure by Combs' office
that Social Security numbers, driver's license numbers, and names and
addresses of more than 3.2 million Texans were inadvertently posted on
a publicly accessible Web site for nearly a year.

The exposed data was contained in three files that were transferred to
the comptroller's office from the Teacher Retirement System of Texas
(TRS), the Texas Workforce Commission and the Employees Retirement
System of Texas (ERS).

The data, which was to be used by a property verification system at
the Comptroller's office, was supposed to have been transferred in an
encrypted manner by the agencies under Texas administrative rules.
However, the data was transferred in an unencrypted manner to the
Comptroller.

To compound the mistake, personnel in Combs' office then put the
information onto a server that was accessible to the public and left
it there for an extended period, without purging it as required, the
statement said.

The mistake was finally discovered on March 31, more than 10 months
after the files were put on the server. Since then, public access to
the files has been shut off and the data itself removed from the
server. The exposed information was "embedded in a chain of numbers
and not in separate fields," the statement noted.

Though Combs' office noted that there is no indication that the
exposed data has been misused, a statement released by state Attorney
General Greg Abbott on Tuesday warned of a fraudulent call received by
a state employee following the breach.

"Unfortunately, the Attorney General's Office has learned that Texans
affected by the Internet security breach may now be the targets of a
new telephone scam," Abbott said. He asked affected victims to be
extra vigilant against fraud.

Abbott's office is currently conducting an investigation into the breach.

The sheer number of records that were exposed by the comptroller's
office makes this the largest breach involving Social Security numbers
and other personal data this year. Despite the size of the breach,
public firings of technology executives over such incidents are
relatively rare.

In 2008, Providence Home Services fired an employee and three others
quit their jobs, after the theft of backup computer tapes and disk
containing personal information on 365,000 individuals.

Records Of 25K Students, 2,500 Employees Hacked In SC

LANCASTER COUNTY, S.C. -- When Geraldine Watson read the letter from
the Lancaster County School District on Tuesday, her jaw dropped.
"We really were surprised to see that this was really happening,"
Watson said. She's one of thousands of parents and grandparents who
are receiving the letter, alerting them to the theft of personal
information for up to 25,000 students, former students, and 2,500
school employees.

Two weeks ago, a computer-monitoring branch of the Department of
Homeland Security noticed a large amount of information being gathered
from computers in South Carolina. They contacted the state education
department, and it was determined that the computers were part of the
Lancaster County School System.

The breach gave hackers access to phone numbers, addresses, birth
dates and Social Security numbers.

"I think that's terrible, because if somebody can go in there and get
your information, I mean, that's dangerous," Watson said.
Renee Horton also received the letter. "I was very surprised,
concerned for the fact that this is confidential information," she
said.

There is no evidence yet that any of that information has been used
illegally. However, the letter to parents explains the breach, and
urges them to keep an eye on bank accounts and credit card
transactions, even though school computers do not store any financial
information.

School safety director Bryan Vaughn said hundreds of school computers
are being wiped clean and re-imaged, both at the district office and
on several other campuses.

Right now, they're trying to find out how the attack happened. It was
"possibly through an email, possibly a website somebody visited, we're
not sure," Vaughn said.

Finding out who's behind the attack will be very difficult. "It could
be anywhere. It could be any place in the country, or any place in the
world," Vaughn said. "The chances of us being able to find out who did
this may be slim, but what we can do is react in an appropriate way."

Parents like Horton hope that the district will stay in close contact
with parents if any new information surfaces.

"I’m hoping that the school will get back in touch with us, and notify
us of things that change," she said.

School officials are also concerned about the cost. It could cost the
school district $15,000 or more to make sure all the computers are
safe. That's money that isn't budgeted, but must come from somewhere.

Parents who have questions about the stolen data are asked to contact
the school's computer security task force at 803-416-8822.

Oak Ridge National Laboratory Breached by Phishing Email, IE Exploit

Federal research facility Oak Ridge National Laboratory shut down its
Internet access and email systems after an IE exploit compromised the
network.

After attackers compromised several machines at federal research
facility Oak Ridge National Laboratory, administrators temporarily
shut down all Internet access and e-mail systems to contain the
damage. An investigation is currently underway.

The laboratory’s IT administrators made the decision to disconnect the
machines from the Internet after discovering malware on several
systems attempting to transfer data to remote servers, according to
Barbara Penland, the deputy director of communications at Oak Ridge.
Even though e-mail access was restored late April 19, all attachments
are automatically blocked, Penland told eWEEK. Internet access remains
down, but the lab’s public facing Website remains in operation.

The restrictions will remain in place until lab officials and
investigators are satisfied the situation is under control and
manageable.

Similar to the recent data breach at RSA Security, Oak Ridge’s systems
were compromised by a spear phishing attack. When two employees
clicked on a link in a malicious e-mail, they were directed to a
Website that exploited a remote code execution vulnerability in Internet
Explorer.

Microsoft had fixed the bug—identified by independent security
researcher Stephen Fewer at CanSecWest’s Pwn2Own hacking competition—in
April’s massive Patch Tuesday update.

The malicious e-mail had been sent to about 530 employees, of which 57
believed it was a legitimate message sent from the human resources
department and clicked on the link, according to Wired. The malware
was designed to hide on the system and delete itself if it could not
compromise the system.

The malware lay dormant for a week and then transmitted stolen data to
a remote server. Administrators detected the transmission immediately
and shut down and cleaned offending machines. Administrators
discovered that other machines were also infected and made the
decision on April 15 to shut down Internet access entirely to contain
the damage.
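What the administrators spotted here is a classic exfiltration signature: a workstation that has been quiet for a week suddenly pushes a burst of outbound data to a destination nobody in the organisation normally talks to. The following is an added example of that check, not code from the article or from the lab; the proxy log format, the allow-list of known destinations, the byte threshold and the sample log lines are all constructed for illustration.

```python
"""Flag clients pushing unusual volumes of data to rarely seen external hosts.

Added example; not code from the article or from Oak Ridge. The log
format, KNOWN_DESTINATIONS, BYTES_THRESHOLD and SAMPLE_LOG are assumed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (assumed format):
# timestamp  client  destination_host  method  bytes_sent_by_client
SAMPLE_LOG = """\
2011-04-11T09:02:11 ws-114 www.energy.gov GET 412
2011-04-11T09:05:40 ws-114 mail.example.org POST 2311
2011-04-11T09:06:02 ws-207 www.energy.gov GET 388
2011-04-11T14:31:55 ws-114 cdn-update-7.example.net POST 1048576
2011-04-11T14:32:09 ws-114 cdn-update-7.example.net POST 1048576
2011-04-11T14:32:21 ws-114 cdn-update-7.example.net POST 917504
2011-04-11T14:40:00 ws-207 mail.example.org POST 1900
2011-04-11T15:10:13 ws-301 www.energy.gov GET 520
"""

# Destinations staff are expected to reach (assumed allow-list).
KNOWN_DESTINATIONS = {"www.energy.gov", "mail.example.org"}

# Alert once one client has sent more than this many bytes to a single
# unknown destination (assumed threshold; tune per environment).
BYTES_THRESHOLD = 2 * 1024 * 1024


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and byte count."""
    ts, client, dest, method, sent = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "dest": dest, "method": method, "sent": int(sent)}


def find_exfil_candidates(log_text, known=KNOWN_DESTINATIONS,
                          threshold=BYTES_THRESHOLD):
    """Return {(client, dest): {"bytes", "requests", "first"}} for every
    client/destination pair that is not on the allow-list and whose total
    outbound bytes exceed `threshold`. `first` is the earliest request
    seen, which is what an analyst uses to scope the dormancy window."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "first": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dest"] in known:
            continue
        entry = totals[(rec["client"], rec["dest"])]
        entry["bytes"] += rec["sent"]
        entry["requests"] += 1
        if entry["first"] is None or rec["ts"] < entry["first"]:
            entry["first"] = rec["ts"]
    return {k: v for k, v in totals.items() if v["bytes"] > threshold}


if __name__ == "__main__":
    for (client, dest), info in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {info['bytes']} bytes in "
              f"{info['requests']} requests, first seen {info['first']}")
```

The allow-list is the weak point of this heuristic: an attacker who stages data through a popular service the organisation already uses will not trip it, so in practice the destination check is combined with a per-client baseline of normal outbound volume rather than a fixed list.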

Only a “few megabytes” of data were stolen before the lab discovered
the breach, Thomas Zacharia, deputy director of the lab, told Wired.
Zacharia declined to disclose what had been transferred, but confirmed
that the data was encrypted.

It appears that business systems were targeted and the supercomputers
and other sensitive networks remained secure.

Oak Ridge National Laboratory blamed the incident on an “advanced persistent
threat,” (APT) a term commonly used by organizations to imply that the
threat was so advanced that they would never have been able to protect
themselves, Gunter Ollmann, vice-president of research at Damballa,
told eWEEK. “In many cases, what is being called an APT is, in
reality, just another cybercrime attack--motivated by the usual
monetization and fraud aspects and using the same tools,” Ollmann
said.

In actuality, APTs generally are campaigns lasting for a long period
of time and using many infection vectors to compromise a network.
Attackers generally target strategic data over a long period of time
in an APT, Ollmann said.

This is not the first data breach at Oak Ridge, as attackers stole
large amounts of data containing Social Security numbers for
approximately 12,000 individuals in 2007. That attack also succeeded
because employees opened an attachment on a malicious e-mail
purporting to have information about a conference.

The root of the problem is people, and there is no patch for that,
Anup Ghosh, founder and chief scientist of Invincea, told eWEEK.
Cyber-criminals are increasingly targeting the end user by crafting
e-mails designed to trick them into clicking and viewing content.

“Curiosity has always and will always kill the cat—but now it also
gets your network ‘pwned’ and your intellectual property exfiltrated,”
Ghosh said.

The industry needs to change how the end-user is protected from
ever-evolving threats by placing the user in a “protective
bubble”—such as a virtualized system where user mistakes are isolated
from the rest of the network, Ghosh said.

Located in Tennessee, Oak Ridge National Laboratory performs
classified and unclassified research for federal agencies and
departments on nuclear energy, chemical science and biological
systems. Funded by the Department of Energy, the lab’s research
includes analyzing malware, vulnerabilities and phishing attacks. Oak
Ridge may have been one of the facilities at which computer scientists
analyzed the Stuxnet worm to learn about its complex capabilities.

Other Department of Energy labs have sent experts to help decrypt the
data and to assist with the investigation, Zacharia said.

PlayStation Network Hack Leaves Credit Card Info at Risk

Sony thinks an "unauthorized person" now has access to all PlayStation
Network account information and passwords, and may have obtained users'
credit card numbers.

The PlayStation maker said it believes hackers now have access to
customers' vital information, including names, birthdates, physical and
e-mail addresses, and PlayStation Network/Qriocity passwords, logins,
handles and online IDs.

Credit card information, purchase histories and other profile data stored
on the PlayStation Network servers also could be compromised, the Japanese
company said in a lengthy blog post Tuesday afternoon.

"While there is no evidence at this time that credit card data was taken,
we cannot rule out the possibility," reads the post, which Sony says it
will e-mail to all PlayStation Network account holders, as well as users
of its Qriocity streaming-media service. "If you have provided your credit
card data through PlayStation Network or Qriocity, out of an abundance of
caution we are advising you that your credit card number (excluding
security code) and expiration date may have been obtained."

Hackers breach security vendor's defences

Ashampoo informs 14 million customers.

German software developer Ashampoo has informed its 14 million customers
that hackers gained access to its customer database in an embarrassing
security breach.

The breach stings particularly for Ashampoo because it offers security
software as part of its product portfolio.

Ashampoo chief executive Rolf Hilchner emailed customers and posted a
message on the software vendor's website after discovering that hackers
had gained access to one of its servers.

"Like many other companies, we are targeted by organisations of hackers
that try to break into IT systems in order to steal data," he said.
"Unfortunately, one of our security systems fell victim to such an attack
recently. An unauthorised access to one of our servers took place."

The company said billing information - including credit card and banking
details - had not been compromised in the attack, as that data was stored
on a separate system.

Wednesday, April 20, 2011

Data Breach Credit Card Hackers

Notice of data breach received from Hilton

Dear Customer:

We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

• Do not open e-mails from senders you do not know

• Do not share personal information via e-mail

Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of "phishing" e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at fraud_alert@hilton.com.

As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.

Sincerely,

Jeffrey Diskin
Senior Vice President, Customer Marketing
Hilton Worldwide

Important Announcement For BJ's Visa(R) Customers

Dear Customer,

Re: Important information regarding a breach to the privacy of your email address.

Barclays Bank of Delaware is the bank behind your credit card referenced above. We have been informed by Epsilon, a marketing vendor we use to send emails to customers, that someone outside their company gained unauthorized access to files in their systems that included your email address. This has affected many of our credit cards under our various co-brands, including the brand on your card.

Epsilon has assured us that the only information that was obtained was your name and email address. Please be assured your account and any other confidential or personally identifiable information were not at risk.

It is possible you may receive spam email messages as a result which could potentially ask you for additional information about your account. Please note, Barclays will never ask you in an email to verify sensitive information such as your full account number, Username, Password or Social Security Number. Therefore, any email which does so should be treated suspiciously, even if it looks like it comes from Barclays. As a reminder, we urge you to be cautious when opening links or attachments from unknown third parties.

Barclays is one of many companies affected and so you may receive similar notifications from other companies.

Please visit the "Privacy and Security" section at our website www.BarclaycardUS.com for more information on protecting your personal information.

We sincerely regret this has taken place and for any inconvenience this may have caused you. Barclays is committed to protecting customers against the misuse of their personal information and we take security issues very seriously. We vigorously monitor the security of our systems and require all third party vendors to adhere to strict security and privacy policies and procedures.

Please know that a full investigation of this matter is under way by Epsilon and we will continue to work diligently to protect your personal information.

If you have any questions or need further assistance, please call our customer care center at the phone number on the back of your credit card.

Sincerely,

Larry Drexler
Chief Privacy Officer
Barclays Bank of Delaware

Karen Smithson
Information Security Officer
Barclays Bank of Delaware

Important message from Target (fwd)

To our valued guests,

Target's email service provider, Epsilon, recently informed us that their
data system was exposed to unauthorized entry. As a result, your email
address may have been accessed by an unauthorized party. Epsilon took
immediate action to close the vulnerability and notified law enforcement.

While no personally identifiable information, such as names and credit card
information, was involved, we felt it was important to let you know that
your email may have been compromised. Target would never ask for personal or
financial information through email.
Consider these tips to help protect your personal information online:

- *Don't provide sensitive information through email.* Regular email is
not a secure method to transmit personal information.
- *Don't provide sensitive information outside of a secure website.*
Legitimate companies will not attempt to collect personal information
outside a secure website. If you are concerned, contact the organization
represented in the email.
- *Don't open emails from senders you don't know.*

We sincerely regret that this incident occurred. Target takes information
protection very seriously and will continue to work to ensure that all
appropriate measures are taken to protect personal information. Please
contact Guest.Relations@target.com should you have any additional questions.

Sincerely,

Bonnie Gross
Vice President, Marketing and Guest Engagement

Important information from Red Roof

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to help
us manage the large number of email communications with our guests. Our
email service providers send emails on our behalf to guests who have
chosen to receive email communications from us.

How will this affect you? First, we want to assure you that your name
and email address were the only information that was compromised. As a
result of this incident, it is possible that you may receive spam email
messages, emails that contain links containing computer viruses or other
types of computer malware, or emails that seek to deceive you into
providing personal or credit card information. As a result, you should
be extremely cautious before opening links or attachments from unknown
third parties or providing a credit card number or other sensitive
information in response to any email. Also know that Red Roof will not
send you e-mails asking for your credit card number, social security
number or other personally identifiable information. So if you are ever
asked for this information, you can be confident it is not from Red Roof.

We appreciate your business and loyalty to Red Roof and take your
privacy very seriously. We will continue to work diligently to protect
your personal information.

If you have any questions regarding this incident, please contact us at
877.733.7663 between the hours of 9am and 5pm Eastern.

Sincerely,

Brenda Eddy Manager, Loyalty Marketing
Red Roof Inns, Inc.

Epsilon / Robert Half

Dear Valued Customer,

Today we were informed by Epsilon Interactive, our national email service
provider, that your email address was exposed due to unauthorized access
of their system. Robert Half uses Epsilon to send marketing and service
emails on our behalf.

We deeply regret this has taken place and any inconvenience this may have
caused you. We take your privacy very seriously, and we will continue to
work diligently to protect your personal information. We were advised by
Epsilon that the information that was obtained was limited to email
addresses only.

Please note, it is possible you may receive spam email messages as a
result. We want to urge you to be cautious when opening links or
attachments from unknown third parties. We ask that you remain alert to
any unusual or suspicious emails.

As always, if you have any questions, or need any additional information,
please do not hesitate to contact us at customersecurity@rhi.com.

Sincerely,
Robert Half Customer Care
Robert Half Finance & Accounting
Robert Half Management Resources
Robert Half Legal
Robert Half Technology
The Creative Group

Notice of data breach received from College Board

We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.

Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.

Epsilon has reported this incident to, and is working with, the appropriate authorities.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

The College Board

An important message from Ameriprise Financial

We were recently notified by Epsilon, an industry-leading provider of
email marketing services, that an unauthorized individual accessed files
that included some of our client and consumer information. Epsilon sends
marketing and service emails on our behalf but does not have access to
sensitive client data such as social security numbers. They have assured
us that only names and email addresses were obtained. We take your
privacy very seriously and want you to be aware of this.

You are receiving this because you have in the past received a
communication from Ameriprise. If you receive an email that appears to
be from Ameriprise asking for personal or financial information, do not
respond. Instead, please immediately forward the email to us at:
anti.fraud@ampf.com .

Consider these tips to help protect your personal information online:
*Don't email personal or financial information.* Regular email is not
a secure method of transmitting personal information. Some companies,
including Ameriprise Financial, offer a secure email service that you
can use when you need to exchange sensitive information.

*Don't reply to or click on links in email or pop-up messages that ask
for personal information.* Legitimate companies will not attempt to
collect personal information outside of a secure website. If you are
concerned about your account, contact the organization mentioned in the
email or pop-up.

*Use anti-virus and anti-spyware software and a firewall.* Some
phishing emails contain software, such as spyware, that harm your
computer or track your activities on the Internet. Anti-virus software
and a firewall can protect you from inadvertently accepting such
unwanted files.

*Use caution when opening attachments or downloading files from
email.* These files can contain viruses or other software that can
weaken your computer's security.

The security of your information is very important to us. If you have
questions or concerns, visit our Privacy and Security Center on

Current list of Epsilon related notifications

Brian Krebs has an article on the Epsilon breach. At the bottom, he has a
list of companies affected:

http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/

For those wondering, DatalossDB.org does not have an entry yet because A)
we're processing so much information and B) our system was only designed
to track up to 8 companies affected by a single breach. Epsilon broke that
pretty quick. =) We'll get the entry created ASAP, after we scrounge up a
developer.

Important Information from the Kroger Family of Stores

> Dear
>
> Kroger wants you to know that the data base with our customers' names
> and email addresses has been breached by someone outside of the company.
> This data base contains the names and email addresses of customers who
> voluntarily provided their names and email addresses to Kroger. We want
> to assure you that the only information that was obtained was your name
> and email address. As a result, it is possible you may receive some spam
> email messages. We apologize for any inconvenience.
>
> Kroger wants to remind you not to open emails from senders you do not
> know. Also, Kroger would never ask you to email personal information
> such as credit card numbers or social security numbers. If you receive
> such a request, it did not come from Kroger and should be deleted.
>
> If you have concerns, you are welcome to call Kroger's customer service
> center at 1-800-Krogers (1-800-576-4377).
>
> Sincerely,
>
> The Kroger Family of Stores

Important Information About Your Account

Dear TiVo Customer,

Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

*If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.*

Sincerely,
The TiVo Team

Important Notice from Marriott International, Inc. - Email Regarding Epsilon Breach

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon's accounts including Marriott's email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Please visit our FAQ to learn more.

Sincerely,

Marriott International, Inc.

Epsilon fallout: Moneygram

We have been informed by Epsilon, a service provider that sends emails on our behalf to our customers, that files containing your first and last name and email address were accessed by an unauthorized entry into their computer system. MoneyGram was one of a number of companies impacted by this incident. According to Epsilon, the personal information that was compromised does not include any customer financial information.

As a result of this incident, you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails attempting to solicit personal or financial information. You should be extremely cautious before opening links or attachments from unknown third parties or providing sensitive information in response to any email. If you receive an email that appears to be from MoneyGram asking for personal information, delete it or forward it to TransactionSecurity@moneygram.com. It did not come from MoneyGram.

*Please remember that MoneyGram will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time.*

If you have questions regarding this incident, contact us at 800-926-9400. We regret any inconvenience this may cause you.

This email was delivered to you from MoneyGram Payment Systems, Inc. This
email is automated; do not reply. If you wish to unsubscribe from *marketing
* email messages from MoneyGram, unsubscribe
here [link]

Allow up to 10 business days for your request to be processed. Unsubscribing
will only apply to marketing email messages; you will continue to receive
other important legal notices (such as this security mailing) via email from
MoneyGram. We will never send you an email requesting personal
information. View the MoneyGram Privacy Statement. [link]

Epsilon/BestBuy

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails
to our customers, that files containing the email addresses of some Best
Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have
been obtained was your email address and that the accessed files did not
include any other information. A rigorous assessment by Epsilon determined
that no other information is at risk. We are actively investigating to
confirm this.

For your security, however, we wanted to call this matter to your
attention. We ask that you remain alert to any unusual or suspicious
emails. As our experts at Geek Squad would tell you, be very cautious when
opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask
you to provide or confirm any information, including credit card numbers,
unless you are on our secure e-commerce site, www.bestbuy.com. If you
receive an email asking for personal information, delete it. It did not
come from Best Buy.

Our service provider has reported this incident to the appropriate
authorities.

We regret this has taken place and for any inconvenience this may have
caused you. We take your privacy very seriously, and we will continue to
work diligently to protect your personal information. For more information
on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

Important Reminder for Soccer.com Email Recipients

Dear James,
You may have seen in the news or received emails today from other online companies informing you that Epsilon, our email marketing service provider, had consumer files accessed without authorization.

While Epsilon has assured us and their other affected clients that only first name and email address were exposed, we wanted to call this matter to your attention and remind you of a few best practices for online security to protect your personal information:

* Don't send financial or personal information via email. Email is not a secure way to send this information and reputable companies will not ask for your personal information via email. Eurosport/SOCCER.COM will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.soccer.com.
* Use caution when opening links or attachments from unknown third parties. Sometimes spammers send emails that look like they come from a reputable company (known as phishing) and these emails can contain spyware.
* Use or install anti-virus software on your computer. If you have anti-virus software installed, it can warn you not to accept the spyware and detect and delete any spyware present.

The security of your information is extremely important to us, and we apologize for any inconvenience this may have caused you.
As always, if you have any questions, or need any additional information, please do not hesitate to contact us at 1-800-950-1994 or custserv@sportsendeavors.com.

Sincerely,
Mike and Brendan Moylan
Co-Founders
Eurosport, the Fabled Soccer Traders

A Message from Walgreens

Dear Valued Customer,

On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon's email system.

For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue, but we feel an obligation to make you aware of this incident. We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Walgreens Customer Service Team

Important Information for 1800Flowers.com Email Customers

> Dear 1800Flowers.com Customer:
>
> One of our email service providers, Epsilon, has informed us that we
> are among a group of companies affected by a data breach that may
> have exposed your email address to unauthorized third parties.
> It's important to know that this incident did not
> involve other account or personally identifiable information.
> We use permission-based email service providers such as Epsilon
> to help us manage email communications to our customers.
>
> We take your privacy very seriously and we work diligently to ensure
> your private information is always protected. Epsilon has assured
> us that no private information, other than your email address,
> was involved in the incident. We regret any inconvenience
> that this may cause you.
>
> Because of this incident, we advise you to be extremely cautious
> before opening emails from senders you do not recognize.
>
> We thank you for your understanding in this matter.
>
> Sincerely,
>
> Bibi Brown
> Director, Customer Service
>
> Security & Privacy
> [link]
>
> This email was sent to [redacted]
> If you've received this e-mail as a forward,
> we invite you to subscribe.

Important information from M&S (Epsilon)

We have been informed by Epsilon, a company we use to send emails
to our customers, that some M&S customer email addresses have been
accessed without authorisation.

We would like to reassure you that the only information that may
have been accessed is your name and email address. No other personal
information, such as your account details, has been accessed or is at
risk.

We wanted to bring this to your attention as it is possible that
you may receive spam email messages as a result. We apologise for any
inconvenience this may cause you. We take your privacy very seriously, and
we will continue to work diligently to protect your personal information.


Marks and Spencer plc. Registered office: Waterside House, 35 North
Wharf Road, London W2 1NW.
Registered number: 214436 (England and Wales)