We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines.

CLOUD
—BUSINESS INTERRUPTION—
DDoS Attacks Storm Linode Servers Worldwide

Cloud hosting provider Linode reported a series of DDoS attacks affecting its Linode Manager and website, according to SecurityWeek. Infrastructure was also targeted, but in a few hours, the company’s IT teams had everything under control.

Web.com Failed To Protect Users From Data Breach, Suit Says

A Web.com customer hit the Internet service company with a proposed class action in California federal court Tuesday over a data breach discovered in August 2015 that affected almost 100,000 users.

RETAIL
Neiman Marcus Reports New Breach

A recent breach of customer accounts at luxury retailer Neiman Marcus is, once again, putting the spotlight on the vulnerabilities created by relying only on usernames and passwords for online authentication.

RELATED:

Judge Denies Neiman’s Motion to Dismiss Data Breach Class Action

Wendy’s Investigates Possible Data Breach

US fast food chain Wendy’s is said to be investigating a possible major data-stealing malware campaign aimed at multiple stores. Spokesperson Bob Bertini told security researcher Brian Krebs that the restaurant group has hired a security firm to look into reports from “payment industry contacts” that it may be a victim of a serious data breach.

RELATED:

Wendy’s Sued Over ‘Lackadaisical’ Security In Wake Of Attack

Rainforest Café, Morton’s, other Chicago restaurants affected by data breach

The owners of some popular restaurants in the Chicago area have notified customers to monitor their credit and debit card accounts, after a data breach affecting more than 500 restaurants nationwide.

HEALTHCARE
Boston Medical Center May Face Healthcare Data Breach Lawsuit

This lawsuit potentially challenges when a plaintiff has grounds to sue for monetary damages in a healthcare data breach. …According to BMC, the health information had only been “inadvertently made accessible to the public through an independent medical record transcription service’s online site,” and not accessed inappropriately.

Medicap Pharmacy warns of possible data breach

Medicap Pharmacy is warning customers about a possible data breach. The company said in a notice that an external hard drive was “inadvertently” disposed of on Nov. 5, 2015.

NCH Healthcare suffers data breach

NCH Healthcare Systems, which operates two hospitals in the Naples, Fla. area, notified employees and medical staff last week that two servers containing some personal information were accessed by unauthorized personnel.

St. Luke’s Hospital reports possible data breach involving patients’ info

St. Luke’s Cornwall Hospital is offering free identity-theft services in the wake of a possible data breach stemming from the theft of a thumb drive last October. The theft occurred Oct. 31 when someone entered a restricted area and stole a thumb drive appearing to contain “limited” information on some patients, according to a notice posted on St. Luke’s website.

Mont. Facility Reports Healthcare Data Breach Affecting 28K
Recent healthcare data breaches include cases of stolen devices and unauthorized access.

Montana-based New West Health Services d/b/a New West Medicare recently reported a potential healthcare data breach following a laptop theft.

Inuvik hospital confirms potential data breach by employees

Beaufort Delta Health and Social Services has hired two investigators to look into a potential data breach of patients’ confidential health records by employees at the Inuvik Hospital.

PUBLIC ENTITY
Okla. DAs Illegally Disclose Private Info, Resident Says

An Oklahoma woman is suing her home state and eight of its district attorneys for allegedly disclosing her birthday and full Social Security number on publicly available court documents, a state law violation that puts her at risk of identity theft.

Local towns notified about possible tax agency data breach
Area governments satisfied with response after potential exposure for hundreds of records

About 200 people in Clark and Champaign counties might have had their personal information exposed by a regional agency that several local communities use to collect income taxes.

Teachers’ personal data hacked

Hackers breached Lawrence Public Schools’ online database, acquiring teachers’ personal information, possibly including their Social Security numbers, school officials said. In an email to teachers Friday evening, Superintendent/Receiver Jeff Riley said the data breach was the result of a “phishing attack directed at Lawrence Public Schools.”

TECHNOLOGY
Russian Hacker Claims Citrix Data Breach, Company Acknowledges Incident

Citrix, a US company providing SaaS software solutions, has acknowledged this week a data breach that occurred last October, but denied claims that the hacker got access to company or customer data during the incident.

Scammers target Dell customers after apparent data breach

A number of Dell customers claim to have been contacted by scammers who had access to specific customer information that should have only been available to Dell. The company says it hasn’t been hacked but won’t offer an explanation for the seemingly stolen data.

FINANCIAL SERVICES
Tax Software Provider Discloses Data Breach
TaxSlayer Says About 8,800 Customers May Have Had Information Stolen

Criminals may have stolen personal and tax-return information from about 8,800 customers of TaxSlayer LLC, a provider of software to individuals who prepare their own tax returns, according to the company.

Tax Software Company TaxAct Discloses Data Breach

TaxAct announced that the tax return information of about 450 customers may have been stolen. The affected customers received a letter from the tax software company on January 11, informing them that their names and Social Security numbers may have been compromised.

HSBC online banking crashes after cyber attack
The bank says it is defending itself against the hackers, as disruption leaves customers locked out of their accounts

HSBC is apologising to angry customers after its online banking service crashed after coming under cyber attack.

RBC sends wrong RRSP info, including names and SINs, to ‘approximately 500’ customers
Some bank customers were mailed RRSP information for someone else, including names, addresses and SINs

The biggest bank in Canada says it accidentally mailed hundreds of incorrect RRSP receipts to the wrong customers, exposing the names, addresses and social insurance numbers of those clients in the process.

UNIONS
Fraternal Order of Police asks FBI to investigate data breach

The nation’s largest police union said on Thursday that it’s asked the FBI to investigate a computer breach that allowed hackers to steal hundreds of internal documents that have since been published online.

HIGHER EDUCATION
FBI Investigates University of Virginia Data Breach

The University confirmed that, as a result of a phishing email scam, unauthorized individuals were able to access the human resources system, thus exposing the payroll records of approximately 1,400 employees, including W-2s for years 2013 and 2014, which include Social Security numbers. And, the direct-deposit banking information of 40 employees was accessed.

—CLASS ACTION ALERT—
Fla. University Hit With Class Action Over Data Breach

The University of Central Florida was hit with a proposed class action in Florida federal court on Friday alleging the university failed to adequately safeguard personal data when a recent hack exposed the confidential data of 63,000 current and former students and employees.

INTERNET OF THINGS (IOT)
IoT Vulnerability Discovered in Children’s Connected Toy

News of this latest vulnerability comes courtesy of Mark Stanislav at Boston-based security firm Rapid7, who released a security alert about the Fisher-Price Smart Toy as well as the hereO GPS platform today. Both companies have since fixed the issues, according to Rapid7. Nevertheless, the news is a stark reminder of just how prevalent security flaws can be in consumer products.

TRANSPORTATION
Uber Fined $20,000 for Not Reporting Data Breach

On January 7, Uber was fined $20,000 by the New York Attorney General’s office for failing to report a September 2014 data breach. In addition to the fine, Uber had to agree to make security changes.

WRONGFUL DATA COLLECTION (PRIVACY ETHICS)
—SETTLEMENT ALERT—
Carrier IQ, Samsung Ink $9M Deal To End Privacy Suit

Consumers accusing software maker Carrier IQ, along with Samsung and other cellphone manufacturers, of illegally collecting their data told a California federal judge on Friday that they’ve reached a $9 million deal covering 79 million people after settlement negotiations stalled last year.

—CLASS ACTION ALERT—
Bose Illegally Collects Customer Info, Class Action Says

Audio equipment maker Bose was hit with a proposed class action on Friday in California federal court over its alleged illegal practice of requesting and recording customers’ personal information during credit card transactions at its California retail stores.

—SETTLEMENT ALERT—
$7.5M Deal In Mich. Magazine Privacy Row Gets Initial Nod

A Michigan federal judge on Friday granted preliminary approval to a $7.5 million settlement to resolve a putative class action accusing magazine publisher Meredith Corp. of violating the state’s Video Rental Privacy Act by disclosing subscribers’ personal data.

ADA LIABILITY
Lawsuits Rise: Blind Plaintiffs Sue Additional Retailers for Website Accessibility/ADA Claims

Patagonia, Ace Hardware, Aeropostale, Bed Bath & Beyond and Estee Lauder are the most recent companies sued by blind plaintiffs, alleging that the retailers’ websites are not accessible to the blind as required by the Americans with Disabilities Act (ADA).

CANADA
Education Ministry security failings blamed for massive student data breach

B.C.’s Education Ministry failed to properly provide adequate security surrounding the personal information of 3.4 million students and teachers, an investigation by the province’s privacy commissioner has found.

—CLASS ACTION ALERT—
Alleged Scotiabank privacy breach leads to proposed class action

An Antigonish woman has filed a proposed class action against the Bank of Nova Scotia, alleging an employee illegally accessed her personal information and then distributed it to third parties. Linda Matthews Mont filed the action in Nova Scotia Supreme Court in September 2014, alleging that at some point before March 29, 2012, a bank employee accessed and disseminated her personal information, including her name, social insurance number, home address, date of birth, financial information, credit history and other data.

EUROPE
A data breach in HMRC could cost it £13 billion

If HMRC gets hacked, and its users’ data gets compromised, it could face compensation claims of more than £13 billion, a new report by digital authentication provider, MIRACL, suggests. MIRACL asked 1,000 UK consumers about how much money they would ask as compensation if HMRC’s data gets breached, and the average amount was £1,316. Knowing that some ten million people are expected to complete their tax returns online by the end of this month, that puts the total amount to more than £13 billion, or exactly £13,160,000,000.

Interxion suffers data breach
Data centre provider notifies customers of incident

The European data centre company Interxion has notified customers of a data breach. According to the website of security speaker and commentator Graham Cluley, the company notified customers of a breach via e-mail, last weekend, that reportedly saw a hacker gain access to a customer relationship management (CRM) system. Cluley’s site said that a report had been run that accessed up to 23,000 contacts.

Lincolnshire council shuts down all IT after alleged 0-day breach
Medical records, addresses, dates of birth, and bank details all exposed according to insider

A 0-day security breach at Lincolnshire County Council has exposed locals’ medical records, addresses, and bank details, claimed an anonymous tipster, though the council denies any data was stolen.

Croydon NHS Trust rapped for data breach after sending patient’s private data to wrong address

A patient’s private medical details were posted to a stranger after a blunder by staff at Croydon’s NHS trust, the Information Commissioner has found. A temporary worker at Croydon Health Services sent “sensitive personal data” and “clinical information” to the wrong person after entering an incorrect address.

Faithless Fans Hit By Data Breach

Fans of the band Faithless might be suffering from more than insomnia this morning after it was revealed that thousands of user details had been stolen from the band’s website.

MIDDLE EAST
Bank Yerushalayim: Customer Money Safe, Despite Hack

Hackers broke into the servers of Bank Yerushalayim over the weekend, entering a customer database, where they accessed data on thousands of customers. The bank took the database offline after the breach was discovered, it reported in a notice sent to customers on Motzoei Shabbos.

ASIA
Data breach in China: 100 million records used to hack 20 million Taobao users

Taobao.com is a Chinese buying-and-selling site, like eBay in the US. Taobao is owned by China’s online giant, Alibaba, and offers what’s known as C2C, or consumer-to-consumer, retail.

Regards,
Mark Greisiger

NetDiligence®
Cyber Risk Assessment & Data Breach Services

Mark.Greisiger@NetDiligence.com
610.525.6383 (office)
www.NetDiligence.com