Simple steps: updating passwords

Last week, many LinkedIn users received an alarming email from the social media company informing them of a LinkedIn security issue. In 2012, LinkedIn was the victim of a cyber-attack that resulted in the disclosure of member account information, including email addresses, passwords and LinkedIn member IDs (an internal identifier that LinkedIn assigns to each member profile). 

When the company first reported the breach in 2012, it stated 6.5 million accounts were affected and required those members to reset their passwords. Now, LinkedIn reports that the breach affected over 100 million users whose information is currently being released online. In response, the company invalidated the passwords of any users that had not reset their password since the 2012 breach.

While some are left wondering what took LinkedIn so long to force members to change their passwords after a known breach, the revelation underscores a simple step online users can take to protect their information: password maintenance. Regularly changing passwords, using strong passwords and varying them across platforms can help prevent hackers from accessing personal information online. Many online service providers, including LinkedIn, are now also implementing two-step verification, which requires a person to use more than one form of verification to access an account. These small steps can make a big difference in protecting your – or your company’s – information online.

Data Breach, General News

FDIC under fire following recent string of data breaches

A recent data breach at the Federal Deposit Insurance Corporation (FDIC) is just one of many that have occurred in the past several months. The banking regulator is now under fire for its responses following a slew of breaches involving more than 10,000 sensitive and private data records. The FDIC was questioned about the breaches on May 12, 2016, during a hearing held by the House of Representatives Subcommittee on Oversight. Representatives criticized the FDIC, suggesting that it handled the incidents too slowly, did not notify Congress in a timely manner and failed to provide requested documents.

The FDIC was also criticized for failing to notify its employees who were affected by the breaches. It is estimated that the personal data of approximately 160,000 people has been impacted by these breaches, which occurred between October 30, 2015, and the present. The information includes names, bank account numbers and, possibly, social security numbers. According to Republican Representative Barry Loudermilk, chair of the subcommittee, the FDIC has still not notified any of these employees that their private information may have been compromised.

Evidence shows that at least seven recent breaches were caused by former employees as they were leaving the FDIC. The FDIC maintains that these breaches occurred inadvertently, but Congress is skeptical that the breaches were not intentional. One case is allegedly the subject of a criminal investigation. While the FDIC has indicated that it is completing a “top to bottom review” of its technology information policies, it appears that Congress will continue to apply pressure to the FDIC related to its response and handling of these breaches. According to Rep. Loudermilk in the subcommittee’s press release, the American people “have good reason to question whether their private banking information is properly secured by the FDIC.” 

Data Breach, General News

Krabacher quoted in Crain’s Cleveland Business regarding manufacturers and cybersecurity

Litigation and intellectual property attorney Greg Krabacher was quoted in a recent Crain’s Cleveland Business article titled, “Manufacturers beef up cybersecurity” (subscription required). The article highlights that sensitive customer information isn’t the only data cybercriminals are after; manufacturers must similarly protect their trade secrets, which have become a popular and lucrative target for online theft. According to Krabacher, manufacturers of all sizes face this threat. “[w]hile larger manufacturers have more intellectual property for hackers to steal, small companies can also be indirect targets, which means it’s important for companies to check for security when doing business with others.”

Data Breach, General News

No good deed goes unpunished: Did P.F. Chang’s prompt notice of data breach create standing to sue?

A troubling recent opinion issued by the Seventh Circuit involving restaurant chain P.F. Chang's will likely cause some to re-think the prudence of making any announcement of a potential hack until more is known about the nature and scope of the breach. It will also cause some to re-evaluate mitigating responses to a breach.

Court Decisions, Data Breach

U.S. Department of Homeland Security issues alert on hospital ransomware attacks

In the wake of recent ransomware attacks on hospitals, the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) issued an alert regarding ransomware and recent variants. The alert notes that already this year, destructive ransomware variants, such as Locky and Samas, have infected computers belonging to health care facilities and hospitals. US-CERT states that the alert is “to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”

For more, read the latest health care analysis.

Data Breach, General News, Prevention

Ohio DFI issues data security guidelines

In response to increased financial fraud issues, the Ohio Division of Financial Institutions (DFI) recently issued data security guidelines. While the DFI specifically addressed debit card issues, its language indicates expectations for all institutions, requiring active steps to implement data security measures.

The DFI emphasized the following obligations:

  • Daily review of security-related issues
  • Email security and encryption
  • Timely review of security and activity reports
  • Suspicious activity report (SAR) training
  • Standardized security controls
  • After-hours mechanisms to control suspicious activity

At its Ohio Banker’s Day on March 31, 2016, the DFI spent considerable time discussing financial fraud. It is apparent that further guidelines and bulletins will be forthcoming and will apply to all consumer-related activity, including lending. In light of its supervisory bulletin, verbal statements and the Consumer Financial Protection Bureau’s recent order in Dwolla, it is expected that data security will be a priority item in any future Ohio financial institution examinations.

Data Breach, General News

Another hospital system targeted by possible ransomware cyber-attack

MedStar Health, which operates 10 hospitals in Maryland and Washington, D.C., has become the latest hospital system victimized by a cyber-attack on its medical records system.

On Tuesday, March 29, it was reported in the Washington Post that the system was “crippled” by a virus and was forced to shut down its records system on Monday. The newspaper also reported that the attack was causing delays in treatment and diversion of patients. Information that was not confirmed by the hospital system indicated that the attackers were holding the system’s records hostage, demanding 45 bitcoins (approximately $19,000) to release the data. The FBI said it was investigating whether the unknown hackers demanded a ransom to restore systems. The hospital system stated that it had acted quickly to contain the virus and had found no evidence that information had been stolen by the attackers.

Unfortunately, this is at least the third such attack on hospital systems in recent months, following the attacks on Hollywood Presbyterian Medical Center in California and Methodist Hospital in Kentucky.

Data Breach, General News

Cyber attack, real world impact

When people hear the phrase “cyber attack,” they likely envision criminals sitting at computers stealing intangible data. The term “cyber” seems to remove the physical, real world danger of the criminal act. Even when the attack results in monetary loss, the threat of physical harm associated with other crimes like robbery or theft is not present. But this is not always the case.

Take pirating for example. (Not the illegal pirating of music or movies, but actual pirates at sea.) In a recent string of attacks, millions of dollars’ worth of cargo was stolen from half a dozen ships in the South Pacific. Strangely, the pirates involved in these attacks worked quickly and targeted only those containers carrying diamond jewelry — leaving other, much larger cargo, such as cars, untouched.

Read more in the latest Cybersecurity Insight.

Data Breach, General News

Home Depot settles data breach lawsuit for almost $20 million

In 2014, Home Depot suffered a massive data breach “in which payment card or other personal data was stolen from more than 50 million people,” CNBC reports.

The home improvement store continues to grapple with the fallout. Most recently, it has agreed to settle a consumer class lawsuit for almost $20 million — $13 million in cash and $6 million in personal data protection and monitoring. “The $13 million will compensate consumers with documented out-of-pocket losses or unreimbursed charges.” The federal court in Atlanta must still approve the settlement. 

This is just a small piece of Home Depot’s losses, however. Back in November, the company estimated that it had already incurred $152 million in expenses from the breach. If your company collects consumer data, there is nothing more important than keeping that data secure. Monitor your systems and have them audited regularly. Or it could cost you, too.   

Data Breach

Colleges and universities are prime cyber attack targets

A recent cyber attack at the University of California, Berkeley is just one of many recent security threats to higher education institutions. The attack on the university’s computer system, which occurred in late December, jeopardized the financial data of more than 80,000 people, including students, faculty, alumni and vendors. Similar hacking attempts at colleges and universities are becoming increasingly frequent, often occurring on a daily basis and unbeknownst to the institution. Universities are increasingly vulnerable to cyber attacks, which can be costly. However, there are a few tips for dealing with cyber events that every higher education administrator should know.

Data Breach, Prevention