Wednesday, April 27, 2011

Hacker pleads after busted with 675K stolen cards

A Georgia man has pleaded guilty to fraud and identity theft after
authorities found him in possession of more than 675,000 credit card
numbers, some of which he obtained by hacking into business networks.

Rogelio Hackett Jr., 26, pleaded guilty on Thursday to one count each of
access device fraud and aggravated identity theft after authorities
executed a search warrant at his home and discovered the card numbers,
used to conduct fraudulent transactions totaling more than $36 million, on
his computers and storage devices.

According to the indictment, authorities hunted Hackett down after
monitoring his activity in internet relay chat (IRC) rooms and on
underground forums, where he sold stolen card numbers, usually at $20 to
$25 each to buyers around the world. He used the proceeds to make high-end
purchases, such as a 2001 BMW X5 and a pair of $450 Louis Vuitton shoes.

Only four fines over data breaches

Just four civil penalties have been handed out by the information
watchdog since the powers came into force last year, with a company
that lost information relating to more than 20,000 people in Leicester
and Hull fined, figures show.

More than 2,500 possible breaches of the Data Protection Act have been
reported to the Information Commissioner's Office (ICO), but just 36
have resulted in any action and only four have attracted civil
penalties.

In all, organisations have been fined a total of just £310,000, with
the biggest fine handed out to date being £100,000 - despite the
maximum penalty for a single offence being £500,000.

The figures, released to encryption firm ViaSat under Freedom of
Information laws, also showed that the ICO has taken action against
seven private sector organisations, penalising just one, but 29 in the
public sector, penalising three.

Chris McIntosh, the firm's chief executive, said: "The ICO has a
tremendous amount of leeway in the penalties it levies and so far
doesn't seem to be applying this in either direction.

"The ICO has stated that the embarrassment and poor image of a fine
will act as a deterrent and an incentive to improve an organisation's
grasp of the Data Protection Act. However, if fines are rare and well
below the maximum allowed limit, their value as a deterrent drops.

"Organisations will view the rarity of a fine and the associated
negative publicity the same way they have viewed the threat of a data
breach itself: an event that only happens to other people."

The biggest fine to date, £100,000, was given to Hertfordshire County
Council in November last year after it accidentally faxed highly
sensitive information about cases involving child sex abuse and care
proceedings to the wrong recipients on two occasions in the space of
two weeks in June 2010.

In February, Ealing Council was fined £80,000 and Hounslow Council was
fined £70,000 after an out-of-hours service working on behalf of both
councils lost two laptops containing the details of around 1,700
people when they were stolen from an employee's home. Almost 1,000 of
the individuals were clients of Ealing Council and almost 700 were
clients of Hounslow Council.

And also in November, employment services company A4e was fined
£60,000 over the theft of a laptop containing personal information of
about 24,000 people who had used community legal advice centres in
Hull and Leicester in June.

Privacy breach case is settled - Restaurant group to pay Mass. $110,000

The Briar Group, which runs Ned Devine’s, the Green Briar, the Lenox,
and other popular restaurants, has agreed to pay $110,000 to resolve
allegations that the Boston chain failed to take reasonable steps to
protect diners’ personal information and put at risk tens of thousands
of credit and debit card accounts.

The settlement stems from a lawsuit filed by Massachusetts Attorney
General Martha Coakley over a data breach the Briar Group suffered in
April 2009. Briar’s failure to implement basic data security measures
enabled hackers to access customers’ credit and debit card
information, including names and account numbers, according to the
lawsuit. The hackers’ malware — malicious software designed to
infiltrate computer systems — that caused the security problems was
not removed from the company’s computers until December 2009.

The lawsuit filed in Suffolk Superior Court also alleges that the
Briar Group failed to change default usernames and passwords on its
point-of-sale computer system; allowed multiple employees to share
common usernames and passwords; failed to properly secure its remote
access utilities and wireless network; and continued to accept credit
and debit cards from consumers after Briar knew of the data breach.

“The Briar Group is committed to high-quality customer service at all
of our restaurants. We take the security of our customer’s credit card
information very seriously and therefore respond aggressively to any
concerns that are brought to our attention,’’ the restaurant chain
said in a statement. “We believe the agreement we have entered into
with the attorney general’s office achieves our shared goal of
ensuring that our customers can use their credit cards with confidence
in the security of their data.’’

But the Briar Group added in its statement that it believes its chain
acted immediately once it was informed of the possible breach.

“We took immediate and aggressive action steps, including: informing
the major credit card companies of the potential breach, working with
the nation’s leading data security company to identify any weaknesses
in our data systems and make system upgrades to further secure
customer data and cooperating with a federal investigation into this
matter,’’ the statement said. “We are confident that customers dining
at one of our restaurants can safely use their credit cards.’’

Under the terms of the settlement, the Briar Group must pay the
Commonwealth $110,000 in civil penalties; comply with state data
security regulations and Payment Card Industry Data Security
Standards; and maintain an enhanced computer network security system.

“When consumers use their credit and debit cards at Massachusetts
establishments, they have an expectation that their personal
information will be properly protected,’’ Coakley said in a statement.
“In addition to the payment, this agreement also works to ensure that
steps have been taken to protect consumer information moving
forward.’’

Epsilon pledges to build 'Fort Knox' around breached system

E-mail marketing giant Epsilon will build an industry-leading security
system in response to a March 30 breach in which thieves gained access
to the e-mail addresses and names of partners' customers, the CEO of
Epsilon's parent company said Thursday.

Epsilon had "very strong" security measures in place before the
breach, but additional improvements are coming, said Ed Heffernan,
president and CEO of Alliance Data Systems.

"Bottom line, we will emerge not just with strong security protocols,
but industry-leading," he said. "We're essentially going to build Fort
Knox around this thing. We've taken the position now that it's not
good enough to be at or above the industry [standard], we need to be
the absolute leader in the industry because we are the largest
player."

Epsilon's e-mail marketing technologies will sacrifice some
flexibility and user-friendliness for security, Heffernan said during
a conference call about his company's quarterly profits. Heffernan
didn't disclose what new security measures the company planned to
take.

The breach affected about 2 percent of Epsilon's clients, Heffernan
said. Best Buy, JPMorgan Chase and the Kroger supermarket chain were
among the Epsilon clients that warned their customers about the
breach.

Several clients have expressed frustration over the incident,
Heffernan said. The company plans to do "whatever it takes" to restore
relationships with clients, he said.

"While knowing we are the victim of this crime, we will not be playing
that card," he said. "Rather, we view our role as standing up and
taking the hit for what these cyber-crooks did. We will learn from the
experience and come out stronger than ever."

Still, Alliance Data Systems projected no "meaningful" costs or
liability related to the incident, Heffernan said. E-mail volumes have
remained at the expected levels, and the company expects no changes in
Epsilon's financial results going forward.

The company expects the "vast, vast majority, if not all," of
Epsilon's clients to remain with the company, he said. Client
retention will be a top priority at Epsilon moving forward, company
officials said.

The company detected "abnormalities" in its e-mail marketing system on
March 30 and began notifying clients and U.S. law enforcement
officials within 24 hours, Heffernan said.

Heffernan declined to discuss details of the breach.

Epsilon's investigation found that e-mail addresses and names were
stolen, but no personally identifiable information (PII), such as
account numbers or credit card numbers, he said.

"Stolen e-mail addresses are certainly bad, but stolen PII is what we
would call really, really bad," he said.

Alliance Data Systems officials called their first quarter earnings
"strong." Epsilon's revenue increased 23 percent to $156 million from
the first quarter of 2010. The breach happened one day before the
first quarter ended.

ICO Slaps Oldham School, But Suffers Fresh Criticism

Information Commissioner tells a teacher off for losing a laptop, but
critics say this is not enough

The Information Commissioner has reprimanded a school and a hospital
for data breaches, but is still facing criticism for going too easy on
organisations failing to protect their data.

Freehold Community School in Oldham may have exposed 90 pupils’
personal information when an unencrypted laptop was stolen from a
teacher’s car, while NHS Birmingham East and North breached the Data
Protection Act by failing to restrict access to files on its IT
network, the Information Commissioner’s Office (ICO) has said.

The announcements came while the ICO was slated for acting on data
breaches so rarely that its fines are “a risk organisations are
prepared to take,” according to critics.

Public sector still unfairly targeted?

The ICO has only fined four organisations for data breaches, despite
having 2,565 incidents reported to it in the year since it gained the
right to fine offenders, according to a Freedom of Information request
made by security firm ViaSat.

ICO deputy director David Smith attacked the figures when they were
released, calling them “inaccurate”, and suggested a revision downward
to around 600 reported breaches. ViaSat stood by the figures, pointing
out that the data came from the ICO in response to a specific request
about data breaches.

“Our request was clear in that we wanted information on the number of
data breaches,” said ViaSat chief executive Chris McIntosh. “Even if
you look at the revised figures the ICO has released it is still clear
that monetary penalties have been enforced in less than one
percent of the data losses it has dealt with.”

The new reprimands did not include fines, and do nothing to counter
McIntosh’s other criticism, that the ICO hits the public sector
unfairly. “The public sector… dutifully reports its failures under the
data protection act and receives more, and larger, penalties as a
result,” said McIntosh in a statement.

Promise to do better

Joyce Willetts, the head of Freehold Community School, has promised
that laptops will not be stored in cars in future, all data taken off
site will be encrypted, and staff will be trained.

Meanwhile in Birmingham, Denise McLellan, chief executive of the NHS
Birmingham East and North trust, has promised to increase security,
after the personal records of thousands of members of staff were
potentially exposed to staff at three NHS trusts.

“Our focus as a regulator is on getting bodies to comply with the Data
Protection Act,” said an ICO statement. “This isn’t always best
achieved by issuing organisations or businesses with monetary
penalties. The big stick is there, but doesn’t need to be deployed all
the time to have an effect.”

The ICO’s guidance on the use of its powers to issue a monetary
penalty is here (PDF).

This statement did little to placate McIntosh, who reiterated his
criticism of ICO inaction: “The ICO is fond of saying that ‘you have
to be selective to be effective’ but by being too selective all that
happens is that organisations, especially in the private sector, can
begin to view the threat of a penalty or an undertaking as something
that is so unlikely as to be beneath notice,” he said. “For example,
organisations could easily look at the £60,000 penalty meted out to
A4e, its size compared to the company’s £145m turnover, its rarity and
the fact that A4e is still receiving plenty of business, from the
Government no less, and feel that the risk of ICO action is one they
are prepared to take.”

McIntosh and the ICO agree on one thing, however. At Infosec, Smith is
reported to have asked for more powers to deal with those who breach the
Data Protection Act.

McIntosh agrees: “The ICO is right to push for more powers, and we
fervently hope it can get them,” he said. “However, it would be nice
to see those it has exercised a little more.”

The ICO has indeed been given more powers in another area related to
data breaches. It can fine companies that send unwanted spam up to
£500,000.

Sealed Records Exposed In Major Court Gaffe

In a shocking failure to protect sensitive details about dozens of ongoing
criminal investigations, federal officials somehow allowed confidential
information about sealed cases to be publicly accessible via the court
system's online lookup service, The Smoking Gun has learned.

Over the past nine months, details of 40 separate sealed court
applications filed by federal prosecutors in Alabama were uploaded to
PACER, the web-based records system that counts nearly one million users,
including defense lawyers, prosecutors, journalists, researchers, private
investigators, and government officials.

The court applications, made by ten separate prosecutors, included
requests to install hidden surveillance cameras, examine Facebook records,
obtain credit information on certain individuals, procure telephone
records, and attach devices on phone lines that would allow agents to
track incoming and outgoing calls. Remarkably, the U.S. District Court
records--which covered filings as recent as April 11--included specific
names, addresses, and phone numbers that should never have appeared on
PACER.

Carder Pleads Guilty to Fraud Involving $36 Million in Losses

A hacker and carder has pleaded guilty to trafficking in more than half a
million stolen card numbers that resulted in $36 million in fraud losses.

Rogelio Hackett, Jr., 26, pleaded guilty Thursday in Virginia to one count
of access device fraud and one count of aggravated identity theft.

The hacker was arrested in 2009 for selling stolen bank card numbers in
online criminal forums and IRC chatrooms. When authorities searched his
home at the time, they found more than 675,000 stolen credit card numbers
on his computers and in e-mail accounts. According to court records
(.pdf), more than $36 million in fraudulent transactions have been
attributed to the stolen numbers found in Hackett's possession.
Authorities don't say how many of these transactions were committed by him
or by others.

Hackett, who hails from Lithonia, Georgia, admitted that he had been
hacking computers since the late 1990s, an activity that morphed into
hacking-for-profit by 2002 when he began stealing bank card data from SQL
databases. In August 2007, for example, he breached the server at an
unnamed online ticket seller and stole information on about 360,000 credit
card accounts. He still had the data on his computer two years later when
authorities searched his home.

The silence is ‘deafening’ on Ohio State’s data breach

More than four months after Ohio State revealed the largest data
breach in higher education history, officials responsible for
protecting the university’s electronic information remain silent as
evidence of internal disputes arise and the investigation continues.

On Oct. 22, the university discovered that a server, which fell under
the responsibilities of the Office of the Chief Information Officer,
had been breached and the identities of about 760,000 people had been
jeopardized.

On Dec. 15, the university notified current and former faculty,
students, applicants and others affiliated with the university that a
hacker had accessed the server containing their names, dates of birth,
addresses and Social Security numbers.

However, Kathleen Starkoff, the university’s Chief Information Officer
and Steve Romig, associate director of Information Technology security
in the CIO’s office, have no email records containing the phrase “data
breach” before Dec. 5, according to documents obtained by The Lantern
through open records requests.

Obscurity shrouds the issue, as university spokesman Jim Lynch serves
as OSU’s voice on this matter.

Contacts from the university’s IT department, including Starkoff,
Romig and Charles Morrow-Jones, director of IT security, refused
comment and referred The Lantern to Lynch.

Texas fires two tech chiefs over breach

Computerworld - The Texas State Comptroller's office has fired its
heads of information security and of innovation and technology
following an inadvertent data leak that exposed Social Security
numbers and other personal information on over 3.2 million people in
the state.

Two other employees have also been fired over the incident, a
statement posted on Texas Comptroller Susan Combs' site noted.

The office has hired Gartner and Deloitte to review its existing
information security controls and policies and to recommend any needed
changes. In addition, the state has also negotiated a 70% discount on
credit monitoring fees with Experian for affected individuals, the
statement said.

The measures come in the wake of a recent disclosure by Combs' office
that Social Security numbers, driver's license numbers, and names and
addresses of more than 3.2 million Texans were inadvertently posted on
a publicly accessible Web site for nearly a year.

The exposed data was contained in three files that were transferred to
the comptroller's office from the Teacher Retirement System of Texas
(TRS), the Texas Workforce Commission and the Employees Retirement
System of Texas (ERS).

The data, which was to be used by a property verification system at
the Comptroller's office, was supposed to have been transferred in an
encrypted manner by the agencies under Texas administrative rules.
However, the data was transferred in an unencrypted manner to the
Comptroller.

To compound the mistake, personnel in Combs' office then put the
information onto a server that was accessible to the public and left
it there for an extended period, without purging it as required, the
statement said.

The mistake was finally discovered on March 31, more than 10 months
after the files were put on the server. Since then, public access to
the files has been shut off and the data itself has been removed from the
server. The exposed information was "embedded in a chain of numbers
and not in separate fields," the statement noted.

Though Combs' office noted that there is no indication that the
exposed data has been misused, a statement released by state Attorney
General Greg Abbott on Tuesday warned of a fraudulent call received by
a state employee following the breach.

"Unfortunately, the Attorney General's Office has learned that Texans
affected by the Internet security breach may now be the targets of a
new telephone scam," Abbott said. He asked affected victims to be
extra vigilant against fraud.

Abbott's office is currently conducting an investigation into the breach.

The sheer number of records that were exposed by the comptroller's
office makes this the largest breach involving Social Security numbers
and other personal data this year. Despite the size of the breach,
the public firing of technology executives over such incidents is
relatively rare.

In 2008, Providence Home Services fired an employee and three others
quit their jobs after the theft of backup computer tapes and disks
containing personal information on 365,000 individuals.

Records Of 25K Students, 2,500 Employees Hacked In SC

LANCASTER COUNTY, S.C. -- When Geraldine Watson read the letter from
the Lancaster County School District on Tuesday, her jaw dropped.
"We really were surprised to see that this was really happening,"
Watson said. She's one of thousands of parents and grandparents who
are receiving the letter, alerting them to the theft of personal
information for up to 25,000 students, former students, and 2,500
school employees.

Two weeks ago, a computer-monitoring branch of the Department of
Homeland Security noticed a large amount of information being gathered
from computers in South Carolina. They contacted the state education
department, and it was determined that the computers were part of the
Lancaster County School System.

The breach gave hackers access to phone numbers, addresses, birth
dates and Social Security numbers.

"I think that's terrible, because if somebody can go in there and get
your information, I mean, that's dangerous," Watson said.

Renee Horton also received the letter. "I was very surprised,
concerned for the fact that this is confidential information," she
said.

There is no evidence yet that any of that information has been used
illegally. However, the letter to parents explains the breach, and
urges them to keep an eye on bank accounts and credit card
transactions, even though school computers do not store any financial
information.

School safety director Bryan Vaughn said hundreds of school computers
are being wiped clean and re-imaged, both at the district office and
on several other campuses.

Right now, they're trying to find out how the attack happened. It was
"possibly through an email, possibly a website somebody visited, we're
not sure," Vaughn said.

Finding out who's behind the attack will be very difficult. "It could
be anywhere. It could be any place in the country, or any place in the
world," Vaughn said. "The chances of us being able to find out who did
this may be slim, but what we can do is react in an appropriate way."

Parents like Horton hope that the district will stay in close contact
with parents if any new information surfaces.

"I’m hoping that the school will get back in touch with us, and notify
us of things that change," she said.

School officials are also concerned about the cost. It could cost the
school district $15,000 or more to make sure all the computers are
safe. That's money that isn't budgeted, but must come from somewhere.

Parents who have questions about the stolen data are asked to contact
the school's computer security task force at 803-416-8822.

Oak Ridge National Laboratory Breached by Phishing Email, IE Exploit

Federal research facility Oak Ridge National Laboratory shut down its
Internet access and email systems after an IE exploit compromised the
network.

After attackers compromised several machines at federal research
facility Oak Ridge National Laboratory, administrators temporarily
shut down all Internet access and e-mail systems to contain the
damage. An investigation is currently underway.

The laboratory’s IT administrators made the decision to disconnect the
machines from the Internet after discovering malware on several
systems attempting to transfer data to remote servers, according to
Barbara Penland, the deputy director of communications at Oak Ridge.
Even though e-mail access was restored late April 19, all attachments
are automatically blocked, Penland told eWEEK. Internet access remains
down, but the lab’s public facing Website remains in operation.

The restrictions will remain in place until lab officials and
investigators are satisfied the situation is under control and
manageable.

Similar to the recent data breach at RSA Security, Oak Ridge’s systems
were compromised by a spear phishing attack. When two employees
clicked on a link in a malicious e-mail, they were directed to a
Website that exploited a remote code execution vulnerability in Internet
Explorer.

Microsoft had fixed the bug—identified by independent security
researcher Steven Fewer at CanSecWest’s Pwn2Own hacking competition—in
April’s massive Patch Tuesday update.

The malicious e-mail had been sent to about 530 employees, of which 57
believed it was a legitimate message sent from the human resources
department and clicked on the link, according to Wired. The malware
was designed to hide on the system and delete itself if it could not
compromise the system.

The malware lay dormant for a week and then transmitted stolen data to
a remote server. Administrators detected the transmission immediately
and shut down and cleaned offending machines. Administrators
discovered that other machines were also infected and made the
decision on April 15 to shut down Internet access entirely to contain
the damage.

Only a “few megabytes” of data were stolen before the lab discovered
the breach, Thomas Zacharia, deputy director of the lab, told Wired.
Zacharia declined to disclose what had been transferred, but confirmed
that the data was encrypted.

It appears that business systems were targeted and the supercomputers
and other sensitive networks remained secure.

Oak Ridge National Labs blamed the incident on an “advanced persistent
threat” (APT), a term commonly used by organizations to imply that the
threat was so advanced that they would never have been able to protect
themselves, Gunter Ollmann, vice-president of research at Damballa,
told eWEEK. “In many cases, what is being called an APT is, in
reality, just another cybercrime attack--motivated by the usual
monetization and fraud aspects and using the same tools,” Ollmann
said.

In actuality, APTs generally are campaigns lasting for a long period
of time and using many infection vectors to compromise a network.
Attackers generally target strategic data over a long period of time
in an APT, Ollmann said.

This is not the first data breach at Oak Ridge, as attackers stole
large amounts of data containing Social Security numbers for
approximately 12,000 individuals in 2007. That attack also succeeded
because employees opened an attachment on a malicious e-mail
purporting to have information about a conference.

The root of the problem is people, and there is no patch for that,
Anup Ghosh, founder and chief scientist of Invincea, told eWEEK.
Cyber-criminals are increasingly targeting the end user by crafting
e-mails designed to trick them into clicking and viewing content.

“Curiosity has always and will always kill the cat—but now it also
gets your network ‘pwned’ and your intellectual property exfiltrated,”
Ghosh said.

The industry needs to change how the end-user is protected from
ever-evolving threats by placing the user in a “protective
bubble”—such as a virtualized system where user mistakes are isolated
from the rest of the network, Ghosh said.

Located in Tennessee, Oak Ridge National Laboratory performs
classified and unclassified research for federal agencies and
departments on nuclear energy, chemical science and biological
systems. Funded by the Department of Energy, the lab’s research
includes analyzing malware, vulnerabilities and phishing attacks. Oak
Ridge may have been one of the facilities at which computer scientists
analyzed the Stuxnet worm to learn about its complex capabilities.

Other Department of Energy labs have sent experts to help decrypt the
data and to assist with the investigation, Zacharia said.

PlayStation Network Hack Leaves Credit Card Info at Risk

Sony thinks an "unauthorized person" now has access to all PlayStation
Network account information and passwords, and may have obtained users'
credit card numbers.

The PlayStation maker said it believes hackers now have access to
customers' vital information, including names, birthdates, physical and
e-mail addresses, and PlayStation Network/Qriocity passwords, logins,
handles and online IDs.

Credit card information, purchase histories and other profile data stored
on the PlayStation Network servers also could be compromised, the Japanese
company said in a lengthy blog post Tuesday afternoon.

"While there is no evidence at this time that credit card data was taken,
we cannot rule out the possibility," reads the post, which Sony says it
will e-mail to all PlayStation Network account holders, as well as users
of its Qriocity streaming-media service. "If you have provided your credit
card data through PlayStation Network or Qriocity, out of an abundance of
caution we are advising you that your credit card number (excluding
security code) and expiration date may have been obtained."

Hackers breach security vendor's defences

Ashampoo informs 14 million customers.

German software developer Ashampoo has informed its 14 million customers
that hackers gained access to its customer database in an embarrassing
security breach.

The breach stings particularly for Ashampoo because it offers security
software as part of its product portfolio.

Ashampoo chief executive Rolf Hilchner emailed customers and posted a
message on the software vendor's website after discovering that hackers
had gained access to one of its servers.

"Like many other companies, we are targeted by organisations of hackers
that try to break into IT systems in order to steal data," he said.
"Unfortunately, one of our security systems fell victim to such an attack
recently. An unauthorised access to one of our servers took place."

The company said billing information - including credit card and banking
details - had not been compromised in the attack, as that data was stored
on a separate system.

Wednesday, April 20, 2011

Data Breach Credit Card Hackers

Notice of data breach received from Hilton

Dear Customer:

We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

• Do not open e-mails from senders you do not know

• Do not share personal information via e-mail

Hilton Worldwide, its brands and loyalty program will never ask you to e-mail personal information such as credit card numbers or social security numbers. You should be cautious of "phishing" e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information. If you receive such a request, it did not come from Hilton Worldwide, its brands or its loyalty program. If you receive this type of request you should not respond to it but rather notify us at fraud_alert@hilton.com.

As always, we greatly value your business and loyalty, and take this matter very seriously. Data privacy is a critical focus for us, and we will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access.

Sincerely,

Jeffrey Diskin
Senior Vice President, Customer Marketing
Hilton Worldwide

Important Announcement For BJ's Visa(R) Customers

Dear Customer,

Re: Important information regarding a breach to the privacy of your email address.

Barclays Bank of Delaware is the bank behind your credit card referenced above. We have been informed by Epsilon, a marketing vendor we use to send emails to customers, that someone outside their company gained unauthorized access to files in their systems that included your email address. This has affected many of our credit cards under our various co-brands, including the brand on your card.

Epsilon has assured us that the only information that was obtained was your name and email address. Please be assured your account and any other confidential or personally identifiable information were not at risk.

It is possible you may receive spam email messages as a result which could potentially ask you for additional information about your account. Please note, Barclays will never ask you in an email to verify sensitive information such as your full account number, Username, Password or Social Security Number. Therefore, any email which does so should be treated suspiciously, even if it looks like it comes from Barclays. As a reminder, we urge you to be cautious when opening links or attachments from unknown third parties.

Barclays is one of many companies affected and so you may receive similar notifications from other companies.

Please visit the "Privacy and Security" section at our website www.BarclaycardUS.com for more information on protecting your personal information.

We sincerely regret this has taken place and for any inconvenience this may have caused you. Barclays is committed to protecting customers against the misuse of their personal information and we take security issues very seriously. We vigorously monitor the security of our systems and require all third party vendors to adhere to strict security and privacy policies and procedures.

Please know that a full investigation of this matter is under way by Epsilon and we will continue to work diligently to protect your personal information.

If you have any questions or need further assistance, please call our customer care center at the phone number on the back of your credit card.

Sincerely,

Larry Drexler
Chief Privacy Officer
Barclays Bank of Delaware

Karen Smithson
Information Security Officer
Barclays Bank of Delaware

Important message from Target (fwd)

To our valued guests,

Target's email service provider, Epsilon, recently informed us that their
data system was exposed to unauthorized entry. As a result, your email
address may have been accessed by an unauthorized party. Epsilon took
immediate action to close the vulnerability and notified law enforcement.

While no personally identifiable information, such as names and credit card
information, was involved, we felt it was important to let you know that
your email may have been compromised. Target would never ask for personal or
financial information through email.
Consider these tips to help protect your personal information online:

- *Don't provide sensitive information through email.* Regular email is
not a secure method to transmit personal information.
- *Don't provide sensitive information outside of a secure website.*
Legitimate companies will not attempt to collect personal information
outside a secure website. If you are concerned, contact the organization
represented in the email.
- *Don't open emails from senders you don't know.*

We sincerely regret that this incident occurred. Target takes information
protection very seriously and will continue to work to ensure that all
appropriate measures are taken to protect personal information. Please
contact Guest.Relations@target.com should you have any additional questions.

Sincerely,

Bonnie Gross
Vice President, Marketing and Guest Engagement

Important information from Red Roof

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system. We use our email service providers to help
us manage the large number of email communications with our guests. Our
email service providers send emails on our behalf to guests who have
chosen to receive email communications from us.

How will this affect you? First, we want to assure you that your name
and email address were the only information that was compromised. As a
result of this incident, it is possible that you may receive spam email
messages, emails that contain links containing computer viruses or other
types of computer malware, or emails that seek to deceive you into
providing personal or credit card information. As a result, you should
be extremely cautious before opening links or attachments from unknown
third parties or providing a credit card number or other sensitive
information in response to any email. Also know that Red Roof will not
send you e-mails asking for your credit card number, social security
number or other personally identifiable information. So if you are ever
asked for this information, you can be confident it is not from Red Roof.

We appreciate your business and loyalty to Red Roof and take your
privacy very seriously. We will continue to work diligently to protect
your personal information.

If you have any questions regarding this incident, please contact us at
877.733.7663 between the hours of 9am and 5pm Eastern.

Sincerely,

Brenda Eddy
Manager, Loyalty Marketing
Red Roof Inns, Inc.

Epsilon / Robert Half

Dear Valued Customer,

Today we were informed by Epsilon Interactive, our national email service
provider, that your email address was exposed due to unauthorized access
of their system. Robert Half uses Epsilon to send marketing and service
emails on our behalf.

We deeply regret this has taken place and any inconvenience this may have
caused you. We take your privacy very seriously, and we will continue to
work diligently to protect your personal information. We were advised by
Epsilon that the information that was obtained was limited to email
addresses only.

Please note, it is possible you may receive spam email messages as a
result. We want to urge you to be cautious when opening links or
attachments from unknown third parties. We ask that you remain alert to
any unusual or suspicious emails.

As always, if you have any questions, or need any additional information,
please do not hesitate to contact us at customersecurity@rhi.com.

Sincerely,
Robert Half Customer Care
Robert Half Finance & Accounting
Robert Half Management Resources
Robert Half Legal
Robert Half Technology
The Creative Group

Notice of data breach received from College Board

We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.

Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with standard security practices, the College Board will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure College Board site.

Epsilon has reported this incident to, and is working with, the appropriate authorities.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

The College Board

An important message from Ameriprise Financial

We were recently notified by Epsilon, an industry-leading provider of
email marketing services, that an unauthorized individual accessed files
that included some of our client and consumer information. Epsilon sends
marketing and service emails on our behalf but does not have access to
sensitive client data such as social security numbers. They have assured
us that only names and email addresses were obtained. We take your
privacy very seriously and want you to be aware of this.

You are receiving this because you have in the past received a
communication from Ameriprise. If you receive an email that appears to
be from Ameriprise asking for personal or financial information, do not
respond. Instead, please immediately forward the email to us at:
anti.fraud@ampf.com .

Consider these tips to help protect your personal information online:
*Don't email personal or financial information.* Regular email is not
a secure method of transmitting personal information. Some companies,
including Ameriprise Financial, offer a secure email service that you
can use when you need to exchange sensitive information.

*Don't reply to or click on links in email or pop-up messages that ask
for personal information.* Legitimate companies will not attempt to
collect personal information outside of a secure website. If you are
concerned about your account, contact the organization mentioned in the
email or pop-up.

*Use anti-virus and anti-spyware software and a firewall.* Some
phishing emails contain software, such as spyware, that harm your
computer or track your activities on the Internet. Anti-virus software
and a firewall can protect you from inadvertently accepting such
unwanted files.

*Use caution when opening attachments or downloading files from
email.* These files can contain viruses or other software that can
weaken your computer's security.

The security of your information is very important to us. If you have
questions or concerns, visit our Privacy and Security Center on

Current list of Epsilon related notifications

Brian Krebs has an article on the Epsilon breach. At the bottom, he has a
list of companies affected:

http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/

For those wondering, DatalossDB.org does not have an entry yet because A)
we're processing so much information and B) our system was only designed
to track up to 8 companies affected by a single breach. Epsilon broke that
pretty quick. =) We'll get the entry created ASAP, after we scrounge up a
developer.

Important Information from the Kroger Family of Stores

> Dear
>
> Kroger wants you to know that the data base with our customers' names
> and email addresses has been breached by someone outside of the company.
> This data base contains the names and email addresses of customers who
> voluntarily provided their names and email addresses to Kroger. We want
> to assure you that the only information that was obtained was your name
> and email address. As a result, it is possible you may receive some spam
> email messages. We apologize for any inconvenience.
>
> Kroger wants to remind you not to open emails from senders you do not
> know. Also, Kroger would never ask you to email personal information
> such as credit card numbers or social security numbers. If you receive
> such a request, it did not come from Kroger and should be deleted.
>
> If you have concerns, you are welcome to call Kroger's customer service
> center at 1-800-Krogers (1-800-576-4377).
>
> Sincerely,
>
> The Kroger Family of Stores

Important Information About Your Account

Dear TiVo Customer,

Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

*If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.*

Sincerely,
The TiVo Team

Important Notice from Marriott International, Inc. - Email Regarding Epsilon Breach

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon's accounts including Marriott's email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Please visit our FAQ to learn more.

Sincerely,

Marriott International, Inc.

Epsilon fallout: Moneygram

We have been informed by Epsilon, a service provider that sends emails on our behalf to our customers, that files containing your first and last name and email address were accessed by an unauthorized entry into their computer system. MoneyGram was one of a number of companies impacted by this incident. According to Epsilon, the personal information that was compromised does not include any customer financial information.

As a result of this incident, you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails attempting to solicit personal or financial information. You should be extremely cautious before opening links or attachments from unknown third parties or providing sensitive information in response to any email. If you receive an email that appears to be from MoneyGram asking for personal information, delete it or forward it to TransactionSecurity@moneygram.com. It did not come from MoneyGram.

*Please remember that MoneyGram will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time.*

If you have questions regarding this incident, contact us at 800-926-9400. We regret any inconvenience this may cause you.


This email was delivered to you from MoneyGram Payment Systems, Inc. This
email is automated; do not reply. If you wish to unsubscribe from *marketing
* email messages from MoneyGram, unsubscribe
here [link]

Allow up to 10 business days for your request to be processed. Unsubscribing
will only apply to marketing email messages; you will continue to receive
other important legal notices (such as this security mailing) via email from
MoneyGram. We will never send you an email requesting personal
information. View the MoneyGram Privacy Statement. [link]

Epsilon/BestBuy

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails
to our customers, that files containing the email addresses of some Best
Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have
been obtained was your email address and that the accessed files did not
include any other information. A rigorous assessment by Epsilon determined
that no other information is at risk. We are actively investigating to
confirm this.

For your security, however, we wanted to call this matter to your
attention. We ask that you remain alert to any unusual or suspicious
emails. As our experts at Geek Squad would tell you, be very cautious when
opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask
you to provide or confirm any information, including credit card numbers,
unless you are on our secure e-commerce site, www.bestbuy.com. If you
receive an email asking for personal information, delete it. It did not
come from Best Buy.

Our service provider has reported this incident to the appropriate
authorities.

We regret this has taken place and for any inconvenience this may have
caused you. We take your privacy very seriously, and we will continue to
work diligently to protect your personal information. For more information
on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

Important Reminder for Soccer.com Email Recipients

Dear James,
You may have seen in the news or received emails today from other online companies informing you that Epsilon, our email marketing service provider, had consumer files accessed without authorization.

While Epsilon has assured us and their other affected clients that only first name and email address were exposed, we wanted to call this matter to your attention and remind you of a few best practices for online security to protect your personal information:

* Don't send financial or personal information via email. Email is not a secure way to send this information and reputable companies will not ask for your personal information via email. Eurosport/SOCCER.COM will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.soccer.com.
* Use caution when opening links or attachments from unknown third parties. Sometimes spammers send emails that look like they come from a reputable company (known as phishing) and these emails can contain spyware.
* Use or install anti-virus software on your computer. If you have anti-virus software installed, it can warn you not to accept the spyware and detect and delete any spyware present.

The security of your information is extremely important to us, and we apologize for any inconvenience this may have caused you.
As always, if you have any questions, or need any additional information, please do not hesitate to contact us at 1-800-950-1994 or custserv@sportsendeavors.com.

Sincerely,
Mike and Brendan Moylan
Co-Founders
Eurosport, the Fabled Soccer Traders

A Message from Walgreens

Dear Valued Customer,

On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon's email system.

For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue, but we feel an obligation to make you aware of this incident. We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Walgreens Customer Service Team

Important Information for 1800Flowers.com Email Customers

> Dear 1800Flowers.com Customer:
>
> One of our email service providers, Epsilon, has informed us that we
> are among a group of companies affected by a data breach that may
> have exposed your email address to unauthorized third parties.
> It's important to know that this incident did not
> involve other account or personally identifiable information.
> We use permission-based email service providers such as Epsilon
> to help us manage email communications to our customers.
>
> We take your privacy very seriously and we work diligently to ensure
> your private information is always protected. Epsilon has assured
> us that no private information, other than your email address,
> was involved in the incident. We regret any inconvenience
> that this may cause you.
>
> Because of this incident, we advise you to be extremely cautious
> before opening emails from senders you do not recognize.
>
> We thank you for your understanding in this matter.
>
> Sincerely,
>
> Bibi Brown
> Director, Customer Service
>
> Security & Privacy
> [link]
>
> This email was sent to [redacted]
> If you've received this e-mail as a forward,
> we invite you to subscribe.

Important information from M&S (Epsilon)

We have been informed by Epsilon, a company we use to send emails
to our customers, that some M&S customer email addresses have been
accessed without authorisation.

We would like to reassure you that the only information that may
have been accessed is your name and email address. No other personal
information, such as your account details, has been accessed or is at
risk.

We wanted to bring this to your attention as it is possible that
you may receive spam email messages as a result. We apologise for any
inconvenience this may cause you. We take your privacy very seriously, and
we will continue to work diligently to protect your personal information.


Marks and Spencer plc. Registered office: Waterside House, 35 North
Wharf Road, London W2 1NW.
Registered number: 214436 (England and Wales)

Important information about your Ann Taylor credit card account

This email was sent to you by World Financial Network National Bank
(WFNNB). WFNNB issues your Ann Taylor Credit Card account.

Dear Valued Customer,

Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

Sincerely,
Sallie Komitor
Head of Customer Service

An Important Message to Our Customers - Ritz-Carlton

Dear Ritz-Carlton Customer,

We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk.

Please visit our FAQ to learn more.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information.

We take your privacy very seriously. The Ritz-Carlton has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Sincerely,

The Ritz-Carlton Hotel Company

Terms of Use
Internet Privacy Statement
All contents ©2011 The Ritz-Carlton Hotel Company. All rights reserved.

This email was sent to you by The Ritz-Carlton based on a past or present relationship with The Ritz-Carlton.

You may receive customer service notifications even if you have unsubscribed from The Ritz-Carlton promotional email.

Internet Customer Care - The Ritz-Carlton
4445 Willard Avenue, Suite 800
Chevy Chase, Maryland 20815

Letter from Dell

Dell's global email service provider, Epsilon, recently informed us that
their email system was exposed to unauthorised entry. As a result, your
email address, and your first name and last name may have been accessed by
an unauthorised party. Epsilon took immediate action to close the
vulnerability and notify US law enforcement officials.

Whilst no credit card, banking or other personally identifiable
information was involved, we felt it was important to let you know that
your email address may have been accessed. While we hope that you will not
be affected, we recommend that you be alert to suspicious emails
requesting your personal information.

To help protect your personal information online we recommend that you do
not provide any sensitive information through email, or open emails from
senders you do not know. Dell will never ask for your financial
information through email.

Dell takes its commitment to protecting customer data very seriously and
has notified the Australian Privacy Commissioner and ACMA (Australian
Communications and Media Authority). Dell continues to work closely with
regulatory bodies and manage customer concerns.

We sincerely regret that this incident has taken place and we will
continue to work with Epsilon to ensure that all appropriate measures are
taken to protect your personal information.

Who is Epsilon and why does it have my data?

If you didn't get an e-mail warning this week that your name and e-mail
address were part of a database that was breached, consider yourself
lucky, and unique.

E-mails from dozens of companies--including Citibank, Chase, Capital One,
American Express, Walgreens, Target, Best Buy, TiVo, TD Ameritrade,
Verizon, and Ritz Carlton--began flooding inboxes this week after a
company called Epsilon announced that its system had been breached. Some
people have reported receiving as many as four of these warnings.

Citibank is a household name, as are most of the brands on the list (which
now reaches more than 55, according to this list on DataBreaches.net). But
who exactly is Epsilon, and what is it doing with my data?

Thousands Of US Airways Pilots Victims Of Possible Insider Data Breach
Pilot union says US Airways employee leaked personal data of 3,000 pilots

Apr 07, 2011 | 08:42 PM
By Kelly Jackson Higgins
Darkreading

The US Airline Pilots Association (USAPA) said it has been working with
the FBI for several months in the wake of a leak of personal information
of 3,000 of the airline union's pilots.

A spokesman for US Airways today declined to comment on specifics of the
case, but confirmed that some two-thirds of the airline's pilots -- 3,000
of its employees -- were affected by the breach. "We take any claim of the
breach of sensitive data very seriously," the spokesman said. US Airways
is offering 12 months of LifeLock's identity theft watch services to the
pilots, he said.

The USAPA, a union that represents 5,200 US Airways pilots, yesterday
publicly expressed its frustration with the airline's handling of the
case. The USAPA said the airline recently revealed that a management-level
pilot leaked a database of US Airways pilot names, addresses, Social
Security numbers, and possibly passport information to a third-party pilot
group.

A former chief pilot at the airline reportedly handed over the information
in an Excel document in October 2009 to the group, called Leonidas, which
represents pilots from what was once America West, now part of US Airways,
according to a published report. The leak appears to be associated with a
long-running labor dispute and bad blood between former America West
pilots and their counterparts at US Airways. Leonidas did not respond to
requests for an interview.

Beware: Social Security numbers available online via indexed tax documents

By Stephen Chapman | April 11, 2011, 4:38am PDT

As one who keeps up with the cutting edge of search engines and advanced
search querying, it is with much reservation and disbelief that I bring
you the results of my latest online investigative research. As of
4/10/2011, I have discovered in excess of 50 tax documents containing any
given combination of Social Security numbers, credit card information,
names, addresses, tax IDs, and phone numbers being made available online.
However, unlike recent leaks of email addresses and password hashes being
made available due to hackers compromising systems, these documents are
being unknowingly made freely available to prying eyes by the very owners
of said information.

Sounds unbelievable, right? It gets worse.

To clarify, these are tax documents as they have been/will be submitted to
State and Federal government: Names, addresses, income, phone numbers,
credit card numbers (stored from e-filing), and worst of all, Social
Security numbers. The latter is the most detrimental of all not just
because of the individual filing their taxes having their identity
potentially stolen, but because of individuals who have children that they
use for tax credits.

As any parent knows, you must include certain information about your
children when using them for tax breaks; namely, their names and Social
Security numbers. That takes identity theft into a completely different
atmosphere since a child having their identity stolen most likely will not
find out until years down the road long after the damage has been done and
the perpetrator has vanished. The potential consequences of such ignorance
are far-reaching.
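
The exposure Chapman describes is ordinary files sitting in a crawlable location, so the check a site or hosting administrator would want is a scan of the document root for SSN- and card-number-shaped strings before (or after) anything is published. The script below is an added example, not code from the article. The sample document is constructed; the SSN plausibility rules (area not 000, 666 or 900-999, group not 00, serial not 0000) follow the Social Security Administration's issuance constraints, and candidate card numbers are checked with the Luhn mod-10 checksum so that phone numbers and order references do not show up as hits. Matches are reported masked, so the scan report does not itself become another copy of the data.

```python
"""Pre-publication scan of text files for SSN- and card-number-like strings.

Added example for the article above, not code from it. The sample document
below is constructed; the detection rules are stated in the comments.
"""
import re
from pathlib import Path
from typing import Dict, List

# 3-2-4 digit groups separated by dashes, e.g. 123-45-6789.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: one plausible SSN, one never-issued SSN, a phone
# number, a Luhn-valid test card number and a Luhn-invalid one.
SAMPLE_DOC = """\
Form 1040 - Jane Q. Public
SSN: 123-45-6789
Dependent SSN: 000-12-3456
Phone: 555-123-4567
Payment card: 4111 1111 1111 1111
Order ref: 4111 1111 1111 1112
"""


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject patterns the SSA never issues: area 000, 666 or 900-999;
    group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return masked hits so the report itself does not leak the values."""
    ssns = [
        "***-**-" + serial
        for area, group, serial in SSN_RE.findall(text)
        if plausible_ssn(area, group, serial)
    ]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append("*" * (len(digits) - 4) + digits[-4:])
    return {"ssn": ssns, "card": cards}


def scan_documents(docs: Dict[str, str]) -> List[tuple]:
    """Scan name->text documents; return (name, kind, count) per kind hit."""
    findings = []
    for name, text in docs.items():
        for kind, hits in find_sensitive(text).items():
            if hits:
                findings.append((name, kind, len(hits)))
    return findings


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".htm", ".html")) -> List[tuple]:
    """Walk a document root and scan plain-text files. PDFs and office
    documents need a text-extraction step first (not included here)."""
    docs = {
        str(p): p.read_text(errors="ignore")
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }
    return scan_documents(docs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_tree(Path(sys.argv[1]))  # e.g. the web document root
    else:
        results = scan_documents({"sample.txt": SAMPLE_DOC})
    for name, kind, count in results:
        print(f"{name}: {count} {kind} value(s)")
```

Run it against the directory the web server actually serves (`python scan.py /var/www/html` is the assumed invocation) rather than against a copy, since the point is to catch what a crawler can reach; the Luhn check and the SSA issuance rules suppress the most common false positives, but a hit still needs a human look before a file is pulled.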

Franken to act on Epsilon breach

As part of his role as chairman of the Privacy, Technology and the Law
subcommittee, Sen. Al Franken, D-Minn., is investigating the security
breach at marketing and management firm Epsilon that occurred earlier
this month.

University of Minnesota students were bombarded with emails last week
from Epsilon clients, including Target, Citigroup and Verizon. The
messages notified them of the breach that unveiled the records of
approximately 2 percent of the marketing database company’s 2,500
corporate clients.

Now Congress is demanding the company release more information about
the breach.

On Monday subcommittee member Sen. Richard Blumenthal, D-Conn.,
requested Epsilon CEO Bryan Kennedy come up with a plan to prevent
data hackings in the future. Franken said a major problem is that many
Americans don’t know where their information is stored or who’s in
charge of it.

“This is one of the largest data breaches in history,” Franken said in
a written statement. “Yet most of the people affected by the Epsilon
breach had never heard of that company before.”

While the Epsilon breach is a national concern, Franken said it’s also
a particular problem for Minnesota, as many state employers do
business with the email marketing firm, including Best Buy and U.S.
Bank. Franken vowed to do more to protect users’ information online.

The U.S. Senate’s Privacy, Technology and the Law subcommittee is part
of the Judiciary Committee and was formed in February. It came in
response to the explosion of social media and online activity in
general, Judiciary Committee Chairman Sen. Patrick Leahy, D-Vt., said
in a statement.

“We need to give Americans more awareness about who has their
information and [give them] greater ability to protect it,” he said in
the statement.

As Congress is looking for a more detailed report on the magnitude of
the breach, students are on the lookout for the phishing scams
expected in the wake of the breach.

Marketing senior Gina Clementi got an email about the breach from
Express and heard about it in her business class at the University.

“They called [phishing] the next wave of crime, and it definitely
scared me,” Clementi said. “The email says ‘Hey, we’ve got it all
under control,’ and it could be a cover-up, we don’t really know.”

Since the cyber thieves obtained names and email addresses, consumers
are at risk for “spear phishing” — phishing scams targeted to specific
individuals via email or phone.

“I feel like I’m smart enough to know what’s legit and what’s not,”
mechanical engineering senior Jim Dawson said. “I always follow the
general rule that you don’t give out info unless you initiated some
contact first.”

The Epsilon incident is the second major email marketing company
breach within six months since Silverpop –– a provider with more than
100 clients, including McDonald’s –– was hacked in December.

Alliance Data, Epsilon’s parent company, confirmed that Social
Security and credit card numbers were safe.

Epsilon currently makes up 22 percent of Alliance Data’s total profit,
taking in $65 million last year.

Eloqua, subscription manager for VMWare, leaks customer info

So last week sometime Chris Hadnagy linked me to the following URL:
http://info.vmware.com/content/opt-out, which was pretty interesting last
week. Basically it allowed someone to fill in their email address to
manage their VMWare subscriptions. I noticed a couple of things from the
next pages:

* The fields auto-populated with details like Name, Phone Number etc.
(I know, without auth and only an email address... worriedface)
* Another tab became available that allowed you to update your details...
again, no auth, scary

So I whipped out the good old Firebug and started looking through the ajax
calls till I came across this little gem:
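The excerpt above ends there. As an added example (not the post's own code, and not the Eloqua endpoint it describes, whose details are not reproduced here), the Python below contrasts the pattern the post describes, an email-keyed preference centre that returns and updates a profile for anyone who submits an address, with a version that first sends the address a signed, expiring link so that only the mailbox owner can see or change the record. The subscriber table, secret key and link lifetime are constructed values.

```python
"""Email-keyed preference centre: the unauthenticated pattern beside a
possession-checked one.  Added illustration; the subscriber table,
SECRET and TOKEN_TTL are constructed, not taken from any real system."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: what a marketing-automation backend might hold.
SUBSCRIBERS = {
    "alice@example.com": {"name": "Alice Example", "phone": "+1-555-0100",
                          "lists": ["newsletter", "webinars"]},
}

SECRET = b"server-side secret, never sent to the client"  # assumption
TOKEN_TTL = 3600  # seconds an emailed management link stays valid


def lookup_insecure(email):
    """The pattern the post describes: anyone who knows or guesses an
    address gets the full profile back.  Nothing proves the caller
    controls the mailbox."""
    return SUBSCRIBERS.get(email)


def update_insecure(email, **changes):
    """Same flaw on the write path: the address alone authorises edits."""
    rec = SUBSCRIBERS.get(email)
    if rec is None:
        return False
    rec.update(changes)
    return True


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_manage_token(email, now=None):
    """Hardened flow, step 1.  The page shows nothing; the server mails
    this token to the address, so only the mailbox owner can continue.
    The token binds the address and an expiry under an HMAC."""
    now = int(now if now is not None else time.time())
    payload = json.dumps({"email": email, "exp": now + TOKEN_TTL},
                         separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def verify_manage_token(token, now=None):
    """Hardened flow, step 2.  Returns the email bound to a valid,
    unexpired token, or None.  MAC is compared in constant time before
    the claims are trusted."""
    now = int(now if now is not None else time.time())
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims.get("email")


def lookup_secure(token, now=None):
    """Profile is released only against a token the server mailed out."""
    email = verify_manage_token(token, now)
    return SUBSCRIBERS.get(email) if email else None


def update_secure(token, now=None, **changes):
    """Edits likewise require a valid token, not just an address."""
    email = verify_manage_token(token, now)
    if email is None or email not in SUBSCRIBERS:
        return False
    SUBSCRIBERS[email].update(changes)
    return True
```

The insecure pair needs nothing but a guessable address; the secure pair is unusable without a token the server only ever delivers to the mailbox itself, and the token carries its own expiry so a leaked link stops working after an hour. The same shape applies to unsubscribe and account-recovery links.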

SSA exposed SSNs, names, birth dates for 36,000 people, IG says

The Social Security Administration publicly made available the names,
dates of birth, Social Security numbers and other sensitive personal
information on more than 36,000 people from May 2007 to April 2010 despite
being warned about the privacy risks, according to a report from SSA's
Office of the Inspector General.

The information was erroneously included in SSA's Death Master File sold
to the public. The 36,657 people affected were not deceased, and the
release of the personal information was considered a breach of privacy,
the report states.

The IG first told SSA officials in June 2008 to take precautions against a
pattern of publishing the personal information of living people in its
database of death-related information, the report states, adding that
there was no indication that organized identity thefts were taking place.

However, SSA did not follow those precautions, and the agency continued to
expose personal data of people mistakenly included in its Death Master
File, according to the March 31 report.

European Space Agency hacked, sensitive data released publicly

It is reported that yesterday the European Space Agency (ESA) website was
compromised by a hacker, opening up sensitive project logs and exposing
hundreds of email addresses and passwords associated with some of Europe's
top science institutes.

The hacker, known by the alias TinKode, posted a full disclosure of the
attack on his website, listing FTP accounts, database users and hashed
passwords, as well as the SHA1-hashed server root password. Perhaps more
worrying for the ESA was the fact that the attacker was also able to
access some of the agency's space projects, including satellite activities,
calibration sources and environmental details.

Despite showcasing the data stolen in the attack, the hacker did not
disclose how the ESA website was compromised.

Administrator and editor credentials were discovered to be in plain text,
as were user email addresses and passwords, which appear to belong to
several CERN science institute employees, staff at defence corporation
BAE Systems and many other contractors and companies linked to the agency.

Southwest Ambulance reports data breach

A former Southwest Ambulance employee took 581 patient records that
included the names, financial and medical information from those
customers.

Southwest Ambulance recovered the records and notified affected customers
about the breach of their private medical records.

The Mesa-based company said it recently learned the employee took the
records after a property manager found them in a residence vacated by the
employee.

The employee took the records from Southwest Ambulance over a period of
years and used the records for training purposes, Southwest Ambulance
said.

Uh, Oh: Epsilon Email Breach Exposed Medical Info

The Epsilon data breach just got more serious — or at least, more
embarrassing. When the database hack that compromised the subscriber
lists of over 100 companies was first revealed, Epsilon said that only
names and email addresses were exposed — meaning all the millions of
people affected had to fear was a lot of spam and possibly some
targeted phishing attacks. But now there’s a drug company on the
Epsilon breach list; its client list included the drug websites to
which its customers subscribed — and thus implies which medical
conditions they may suffer from.

The Wall Street Journal reports that GlaxoSmithKline sent a letter to
consumers over the weekend who had “registered with Glaxo Web sites
for some prescription and nonprescription drugs and products,” warning
them that their email addresses and names had been hacked, and that
the stolen information “may have identified the product website on
which you registered.”

Glaxo has websites for products ranging from HIV, bipolar disorder,
and depression medication to Nicorette gum. And if you’re a Beano
registrant, some hacker out there may be having a gas at your expense.

As the law stands now, it’s still unlikely Epsilon and Glaxo would get
into legal trouble for this breach, as there’s no direct financial
harm from the information being exposed. But that could change in the
future.

“The Johns” (a.k.a. Senators Kerry and McCain) are pushing for a new
commercial privacy bill of rights that would put the onus on companies
to keep data secure — one interpretation of this is as a requirement
that companies encrypt the user information they keep in their
databases. Meanwhile, in California, a federal judge has set an
unusual legal precedent in letting a lawsuit against social media game
developer RockYou move forward based only on the 2009 exposure of its
users’ email addresses after its database was hacked, asserting that
our email addresses are a kind of “property” with some “ascertainable
but unidentified ‘value.’”

Technology lawyer Eric Goldman predicts the case against RockYou is
ultimately doomed, because the plaintiffs still have to prove some
kind of damages. That usually means financial damage. The
inconvenience of a deluge of junk mail post-hack doesn’t suffice.

Epsilon Bingo

By now, everyone has probably read about a company named Epsilon. In
fact, most people likely have second hand involvement, receiving one
or more emails from companies you do business with warning you to be
very careful after a recent incident. Most of these companies have
used a similar form letter explaining the concerns and that you should
be "cautious of phishing e-mails, where the sender tries to trick the
recipient into disclosing confidential or personal information." These
notifications stem from Epsilon, a managed e-mail broadcasting
company, getting compromised and having all of their customer e-mail
addresses copied.

We have received a few emails from people asking us how we could have
missed the Epsilon breach and why it isn't on our site. Well, it
actually is on the site as we do follow incidents such as this,
however, it is listed as a Fringe incident. Why “Fringe”? From what we
can tell so far, the breach (while unacceptable) is contained to Names
and Email Addresses. We do recognize that this information may
increase the risk to customers as targeted spearphishing attempts may
be more successful, however, there is no loss of PII. We have debated
this topic for years and instead of not including them in DataLossDB,
they are now just labeled Fringe. There will be more debate on the
severity of this incident for sure. Some think it is critical and
others merely say that their email address was never meant to be
private anyways. There are good arguments supporting both sides of the
debate.

When Epsilon posted the notice on their site they mentioned: "On March
30th, an incident was detected where a subset of Epsilon clients'
customer data were exposed by an unauthorized entry into Epsilon's
email system."

As of April 4th, they have updated the definition of "subset" to mean
"The affected clients are approximately 2 percent of total clients and
are a subset of clients for which Epsilon provides email services."

As of today, we are aware of a little over 40 companies affected and
more notices are pouring in from users. As to how many users are
impacted that is anyone’s guess. Our guess is A LOT.

If you want to read some of the notices we have received, over a dozen
are on our mailing lists archives:
http://lists.osvdb.org/pipermail/dataloss/2011-April/thread.html

For those that want to play along, we have decided to make some
Epsilon Bingo Cards. If you are able to fill up a whole card and prove
it with the notices we might have to give you a prize... that is the
least we could do, right?

As always, please keep sending us any notices that we are missing so
that we may better gauge the scope of this incident and update the
cards.

An Important Notice About Your Email Security

> As a valued Scottrade customer or someone who previously provided us
> with your email address, we want to make you aware of a situation
> that affects your email security. We have been notified by Epsilon,
> a company we use to send emails, that an unauthorized person outside
> of their company accessed records that contained your name and email address.
>
> This incident occurred at Epsilon. We want to assure you that
> Scottrade's systems were not affected and your account information
> remains secure.
>
> The security of your information is important to us and we apologize
> for any inconvenience this may have caused. You may receive an
> increase in spam email as a result of this incident. We encourage
> you to be cautious when opening emails, links or attachments from
> unknown sources. Scottrade will never ask you for personal or
> account information in an email.
>
> Please visit Scottrade's Security Center http://www.scottrade.com/security/
> for more information on online security.
>
> Sincerely,
>
> Scottrade Customer Support
>

Important Notice from Express

We were recently notified by Epsilon, a business partner used to send emails for the Express Credit Card, that an unauthorized party from outside of their company had accessed files that included the names and e-mail addresses of current and former Express credit card holders. We are still investigating this incident with Epsilon and World Financial Network National Bank. They have assured us that no financial or account information was accessed and the data security breach was limited to only names and e-mail addresses.

Because we take privacy and security seriously, we felt it important to notify our customers as quickly as possible to remind them that Express and World Financial Network National Bank (WFNNB) will never request personal information or account login information via email.

If you receive an email that appears to be from Express or World Financial Network National Bank asking for personal or financial information, do not respond to that email. Instead, please call the customer service center at the phone number listed on the back of your credit card. As always, you should be cautious of any e-mail message requesting personal information and should not open attachments or click on links from an e-mail unless you know it is from a trusted source.

We apologize for any inconvenience this may cause, and we will keep you informed of any updates as necessary.

Sincerely,

Express

PLEASE READ - important message about your email address

Dear Valued Customer,

Your privacy is extremely important to us, and we wanted to share the following information with you. We discovered that an unauthorized party has gained access to files containing email addresses associated with several companies including Victoria's Secret credit cards.

While your email address and/or name may have been included in these files, no sensitive financial or other personal information was compromised. However because of the circumstance, you may receive spam emails. We sincerely apologize for any inconvenience this may cause.

For your security, we remind you to never provide personal information to unknown individuals/businesses online and avoid opening suspicious email links or attachments.

Again, we are very sorry that this occurred and are working diligently to maintain your trust. If you have any questions or need further assistance, please call the WFNNB Customer Service Center at the phone number listed on the back of your credit card.

Sincerely,
Sallie Komitor
Head of Customer Service

Important information about your J. Crew credit card account

Dear Valued Customer,

Our email service provider, Epsilon, has notified us that their email files have been accessed without authorization. We regret to inform you that your email address and/or your name may have been included in this compromised email file. Please be assured that no financial information or other personal information of yours was accessed or affected in any way.

As a result of this incident, you could receive some spam email messages. We sincerely apologize for any inconvenience that this may cause you. For your protection, it is important that you always be cautious when opening email links or attachments from unknown email senders. Remember, we would never ask you to supply or verify sensitive personal or financial information via email; only provide this type of information through a secure website.

Again, we apologize for any concern; your security and privacy are very important to us. If you have any questions or need further assistance, please call the credit card Customer Service center at the phone number listed on the back of your credit card.

Sincerely,
Sallie Komitor
Head of Customer Service

An Important Message from TIAA-CREF

April 5, 2011

TIAA-CREF has been informed by Epsilon, a vendor we use to
send emails, that files containing the first names, last names
and email addresses of some TIAA-CREF participants were
accessed without authorization.

We have not shared any participant account or financial information
with Epsilon. So, this incident has not compromised your TIAA-CREF
accounts and they remain secure. For your security, however,
we wanted to call this matter to your attention.

As always, do not reply to emails asking for your personal
information, account numbers or any other type of confidential
information. TIAA-CREF will never ask for your personal
information or login credentials in an email.

Below are some additional precautions we recommend you follow:

-- Do not give your TIAA-CREF user ID or password in email.
-- Do not respond to emails that require you to enter personal
or financial information directly into the email.
-- Do not reply to emails asking you to send personal information.
-- Do not use your email address as a login ID or password.
-- Do not respond to emails threatening to close your account
if you do not provide personal information.

We regret any inconvenience this may have caused and will keep
you informed of relevant updates. For more information on
TIAA-CREF's commitment to keeping your personal information secure,
please visit:

Please read important message about your e-mail address

*Note*: This is a service message with information related to your e-mail
address.

Chase is letting our customers know that we have been informed by Epsilon, a
vendor we use to send e-mails, that an unauthorized person outside Epsilon
accessed files that included e-mail addresses of some Chase customers. We
have a team at Epsilon investigating and we are confident that the
information that was retrieved included some Chase customer e-mail
addresses, but did *not* include any customer account or financial
information. Based on everything we know, your accounts and confidential
information remain secure. As always, we are advising our customers of
everything we know as we know it, and will keep you informed on what impact,
if any, this will have on you.

We apologize if this causes you any inconvenience. We want to remind you
that Chase will never ask for your personal information or login credentials
in an e-mail. As always, be cautious if you receive e-mails asking for your
personal information and be on the lookout for unwanted spam. It is
*not* Chase's practice to request personal information by e-mail.

*As a reminder, we recommend that you:*

- Don't give your Chase OnlineSM User ID or password in e-mail.
- Don't respond to e-mails that require you to enter personal information
directly into the e-mail.
- Don't respond to e-mails threatening to close your account if you do
not take the immediate action of providing personal information.
- Don't reply to e-mails asking you to send personal information.
- Don't use your e-mail address as a login ID or password.

The security of your information is a critical priority to us and we strive
to handle it carefully at all times. Please visit our Security Center at
chase.com and click on "Fraud Information" under "How to Report Fraud."
It provides additional
information on exercising caution when reading e-mails that appear to be
sent by us.

Sincerely,

Patricia O. Baker

Senior Vice President

Chase Executive Office

If you want to contact Chase, please do not reply to this message, but
instead go to Chase Online. For faster service, please enroll or log in to
your account. Replies to this message will not be read or responded to.

Your personal information is protected by advanced technology. For more
detailed security information, view our Online Privacy
Notice.
To request in writing: Chase Privacy Operations, P.O. Box 659752, San
Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
© 2011 JPMorgan Chase & Co.

LCEPAEM0311

Fwd: An important announcement about your email

While we wish this was about lipstick, we have important news regarding your email address.

We were just informed by a former email vendor that the database with our customers' names and email addresses has been compromised by an unauthorized person. The only information at risk is your name and email address. The vendor has assured us that "a rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway." This data breach has also affected several other companies that work with this vendor.

We have taken action to ensure that the entire database be removed from that vendor's files. Spam emails seem to be the biggest risk from this news, but here are a few things to remember: Only open emails from senders you know. Benefit will never ask for transactional information, such as credit card numbers via email, so delete any requests.

If you have any concerns, please call Customer Care at 1.800.781.2336 or contact us

Another Epsilon client - AbeBooks

We have been informed by Epsilon, a third-party vendor we use to send
e-mails, that an unauthorized person outside their company accessed files
that included e-mail addresses of some AbeBooks customers. Epsilon has
advised us that the files that were accessed did not include any customer
information other than email addresses.

As a reminder, AbeBooks will never ask customers for personal or account
information in an e-mail. Please exercise caution if you get any emails
that ask for personal information or direct you to a site where you are
asked to provide personal information.

Hyundai Capital admits to unprecedented information leak

A recently announced hacking incident at Hyundai Capital marked an
unprecedented systematic accessing of customer financial information by
hackers, resulting in major aftereffects. The breach in the computer
network has not only sunk confidence levels to rock bottom for financial
companies, for whom security is essential, but also spawned concerns about
secondary effects due to leaked passwords and other information.

Hyundai Capital announced Friday that the personal information accessed
through the hack consisted of name, email, and cell phone information for
420 thousand people, approximately 23 percent of all customers, and that
it bore no direct connection with financial transactions. However, Vice
President Hwang Yoo-no said Sunday that there was "a possibility that some
secret information was hacked, including customer passwords and credit
ratings," indicating that it appeared likely that passwords were leaked
for around 13 thousand customers.

In the past, there have been leaks of financial information amounting to a
few hundred people through efforts by criminal organizations, but no cases
such as this one of information being hacked for more than 10 thousand
people at one time. In short, the company's security system did not
function at all. Observers are predicting no major damages in the
immediate future, as the passwords accessed were for "minus loan" cards.
But the possibility does exist for secondary effects since many
individuals use the same password at various locations when conducting
transactions with financial companies.

The revelation of systematic criminal efforts by hackers has the potential
to develop into a problem for the financial world as a whole rather than
Hyundai Capital alone, as it is impossible to guarantee that the security
systems of other financial companies such as banks and credit card
companies are safe either. For this reason, many observers are saying that
a full reexamination of the security systems for South Korean financial
companies has become unavoidable.

Important Message from Capital One (Epsilon)

Dear Capital One Customer,

As we have communicated over the course of the last week, Epsilon-a
marketing vendor that sends e-mails on our behalf-notified us about
unauthorized outside access to files that included Capital One(r) customer
e-mail addresses.

The information obtained was limited to the e-mail address of some
customers. No account information or other information was compromised.
We'll continue to provide updates when we have important new information
to share. And, we'll let you know what impact, if any, these developments
will have on you.

Protecting our customers' information is always a top priority for Capital
One. We're working with Epsilon and law enforcement, and we're thoroughly
investigating this incident to help prevent future ones like it. Epsilon
is also conducting its own comprehensive investigation in cooperation with
the appropriate authorities.

It's always a good idea to ignore any e-mail that requests your
confidential account or login information. And don't forget, if you get an
e-mail you think is suspicious, don't click any of the links. Just send it
to us at abuse@capitalone.com. Then delete it.

We apologize for any inconvenience this unfortunate incident has caused
and appreciate your patience. For more information, please visit our Web
site at www.capitalone.com.

Sincerely,
Capital One

An Important Message Regarding Your The Place Card, Issued By Citibank (South Dakota), N.A (Epsilon)

Dear [Name],

Recently, Citi was notified of a system breach at Epsilon, a third-party
vendor that provides marketing services to a number of companies,
including Citi. The information obtained was limited to the customer name
and email address of some credit card customers. No account information or
other information was compromised and therefore there is no reason to
re-issue a new card.

Because e-mail addresses can be used for "phishing" attacks, we want to
remind our customers of the following:

* Citi Cards uses an Email Security Zone in all of our email to help you
recognize that the email was sent by us. Customers should check the Email
Security Zone to verify that the email you received is from Citi and
reduce the risk of personal information being "phished." To help you
recognize that the email was sent by Citi we will always include the
following in the Email Security Zone in the top headline portion of all
our emails: * Your first name and last name * Last four digits of your
Citi card account number * And recently to increase security, we have
added your "member since" date located on the front of your card, where
available.

Epsilon / Sears / Citibank

Your Account: Important Notification

Dear ************,

Recently, Citi was notified of a system breach at Epsilon, a third-party
vendor that provides marketing services to a number of companies,
including Citi. The information obtained was limited to the customer name
and email address of some credit card customers. No account information or
other information was compromised and therefore there is no reason to
re-issue a new card.

Important information about your Value City Furniture credit card account (Epsilon / WFNNB)

Dear Valued Customer,

Our email service provider, Epsilon, has notified us that their email
files have been accessed without authorization. We regret to inform you
that your email address and/or your name may have been included in this
compromised email file. Please be assured that no financial information or
other personal information of yours was accessed or affected in any way.

As a result of this incident, you could receive some spam email messages.
We sincerely apologize for any inconvenience that this may cause you. For
your protection, it is important that you always be cautious when opening
email links or attachments from unknown email senders. Remember, we would
never ask you to supply or verify sensitive personal or financial
information via email; only provide this type of information through a
secure website.

Again, we apologize for any concern; your security and privacy are very
important to us. If you have any questions or need further assistance,
please call the credit card Customer Service center at the phone number
listed on the back of your credit card.

Sincerely,
Sallie Komitor
Head of Customer Service

Windows servers hacked at The Hartford insurance company

Hackers have broken into The Hartford insurance company and installed
password-stealing programs on several of the company's Windows servers.

In a warning letter sent last month to about 300 employees, contractors,
and a handful of customers, the company said it discovered the infection
in late February. Several servers were hit, including Citrix servers used
by employees for remote access to IT systems. A copy of The Hartford's
letter was posted earlier this week to the website of the Office of the
New Hampshire Attorney General.

"It was a very small incident," said Debora Raymond, a company
spokeswoman. The victims were mostly company employees. Less than 10
customers were affected by the malware, the W32-Qakbot Trojan, she said.

Qakbot has been around for about two years. Once installed it spreads from
computer to computer in the network, taking steps to cover its tracks as
it logs sensitive data and opens up back doors for the hackers to access
the network.

[..]

Despite the presence of keylogging software, the insurance company's
lawyer, Debra Hampson, said that her company has "no reason to believe
that any information has been or will be misused." Victims are being given
two years' free credit monitoring.

[..]

Important Message to Valued Clients (Tastefully Simple / Epsilon)

Dear Valued Client,

Since you currently receive special emails from your Tastefully Simple
consultant or you have at least once in the past, we wanted to send you a
quick note on behalf of our headquarters team.

We were recently notified by our email service provider that a list of
Tastefully Simple's client names and email addresses was exposed by
unauthorized entry into their system - along with email lists for several
major companies across the nation. (Our email provider sends emails on
behalf of our consultants to clients who've opted in to receive special
news and offers about Tastefully Simple via email.)

We take your privacy very seriously, and we sincerely regret this has
occurred. Rest assured, the only information that was potentially obtained
was your name and/or email address - and there was absolutely NO risk to
any of your personal information.

So what does this mean to you? As a result, it is possible that you may
receive SPAM-type email messages. (SPAM is email that is unsolicited or
unwanted, commonly called "junk email.") While bothersome, it generally is
harmless. As always, it's a good idea to be suspicious of senders you
don't know and be cautious when opening links or attachments. Emails
asking for personal information or asking you to do something out of the
ordinary are often scam emails. At Tastefully Simple, neither we - nor
your Tastefully Simple consultant - would ask you to email personal
information such as credit card numbers or Social Security numbers, and if
you receive such a request, simply delete it.

If you have any questions, please feel free to check out the special
notice at tastefullysimple.com, where we'll continue to post any further
information and updates.

We truly value your privacy, and once again, we hope you'll accept our
heartfelt apologies for any inconvenience.

Kindest regards,
Tastefully Simple's Headquarters Team