We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines.




EMAIL FRAUD
American company lost $100 million to email fraud, U.S. says

An unidentified American company was defrauded last year out of nearly $100 million by individuals who created a fake email address in order to pose as one of its legitimate vendors, U.S. authorities said on Thursday. Click to read entire article.

PROFESSIONAL SERVICES

Cravath Swaine discloses data breach

In a rare move, US law firm Cravath, Swaine & Moore has publicly confirmed a ‘limited breach’ of its IT systems in mid-2015. …WSJ reports that federal investigators are currently looking into whether the cybercriminals targeting the law firms may have been seeking to access data from large M&A firms for the purpose of insider trading. Click to read entire article.

MEDIA
Data breach at TV station reveals personnel information

A breach of confidential personnel information at WLNE-TV, Channel 6, has led the station to write an apologetic letter to current and former employees and contact the Rhode Island State Police. …The file included names, Social Security numbers, driver’s license numbers, bank account and credit card numbers, employment contracts, evaluations, and separation agreements. Click to read entire article.

—SONY CASE UPDATE—
Sony Data Breach $8M Settlement Gets Final Approval

U.S. District Court for the Central District of California approved the class settlement which will extend identity protection services for class members through December 2017. In addition, Sony will “establish a $2 million non-reversionary fund to reimburse” class members for preventative measures taken to prevent identity theft related to the cybersecurity attack and $2.5 million to class members who “experience actual” losses from identity theft related to the hack. The settlement also includes $3.49 million in attorney’s fees. Click to read entire article.

PUBLIC ENTITY

—TAX INFO GOTTEN—
Data breach hits Baltimore city workers, official confirms

A spokesman for Baltimore mayor Stephanie Rawlings-Blake confirms the city and federal authorities are investigating an unauthorized access of employee data. Someone or a group has stolen personal information from an unknown number of Baltimore City employees and filed fraudulent tax returns, the city announced Thursday to all employees. Click to read entire article.

—TAX INFO GOTTEN—
Lamar County school employees suffer data breach

Nearly 30 Lamar County School District employees had their personal information compromised after an employee portal experienced a data breach. Click to read entire article.

—PHISHED—
Wash. school district suffers data breach

The Olympia School District plans to offer its 2,164 employees free credit monitoring and identity theft resolution services in the wake of a major data breach on Tuesday. An email — configured in a way to look as though it had originated from Olympia Superintendent Dick Cvitanich’s school district account — was sent to an employee requesting a list of employee names, addresses, salary information and Social Security numbers, officials say. A list with that information was released at about noon to the outside entity that had spoofed Cvitanich’s account, Gifford said. Click to read entire article.

—TAX INFO GOTTEN, VENDOR CAUSED—
ECSS hit with payroll security breach

The Escambia County School System is one of three in the state hit with a recent payroll accounting system security breach that allowed fraudulent tax returns to be filed in employee names. Click to read entire article.

SaaS
—TAX INFO GOTTEN—
BackOffice Associates warns staff of breach

Global software and services company BackOffice Associates is dealing with a data breach that could affect some employees for years to come. The company told employees via email Monday that “tax documentation” – specifically the 2015 W-2s of its United States-based employees – was “inadvertently disclosed to an unknown individual.” Click to read entire article.

FINANCIAL SERVICES
‘Inadvertent’ cyber breach hits 44,000 FDIC customers

In yet another example of fragile security in federal cyber systems, data for 44,000 Federal Deposit Insurance Corp. customers were breached by an employee leaving the agency. …The March 18 memo from Lawrence Gross Jr., FDIC’s chief information officer and chief privacy officer, to FDIC Chairman Martin J. Gruenberg said the data were downloaded to a personal storage device “inadvertently and without malicious intent.” Click to read entire article.

CoinWallet.co Throws in the Towel after Suffering a Data Breach

CoinWallet.co has announced it is shutting down at the end of April and requested clients to withdraw all coins before the 1st of May 2016. The decision to close was based primarily on the fact that “on the 6th of April we suffered a data breach.” Click to read entire article.

SWIFT on $81M bank heist: Our system wasn’t breached

It was found out that unknown cyber criminals hacked the computer systems of Bangladesh Bank, attempting to steal a total of $951 million from its account at the Federal Reserve Bank of New York. Click to read entire article.

RETAIL
—CLASS ACTION UPDATE—
Panel revives suit over data breach

Consumers whose debit- or credit-card data may have been stolen got the go-ahead Thursday to sue the restaurant chain that was the target of a security breach. The 7th U.S. Circuit Court of Appeals revived a class-action lawsuit filed against P.F. Chang’s China Bistro Inc. after the restaurant chain’s computer system was hacked. Click to read entire article.

HEALTHCARE
—VENDOR RISK—
ACC notifies 1,400 institutions of potential data breach

The American College of Cardiology (ACC) notified 1,400 institutions that patient data from the National Cardiovascular Data Registry (NCDR) might have been breached. After discovering the issue in December, the ACC found that four software development vendors who were testing software had access to NCDR patient data, according to the ACC. …More than 2,400 hospitals and more than 2,000 outpatient providers participate in the NCDR. Click to read entire article.

Medical records breach affects Palm Beach County patients

More than 1,000 patients of Florida Department of Health clinics in Palm Beach County may be at risk of identity theft after a breach of medical records, state officials disclosed Monday. Federal investigators determined that patient names, Social Security numbers, phone numbers, dates of birth and medical record numbers were among the sensitive information that was taken, according to the Health Department. Click to read entire article.

—CLASS ACTION ALERT—
Plaintiffs Allege Data Breach by Boston Medical Center, Lawsuit to Go Ahead

Of all the potential data breaches that could lead to headache, heartbreak, identity theft and a data breach lawsuit, perhaps the most damning and potentially embarrassing breach is the unlawful access of medical records. Click to read entire article.

CONSTRUCTION
—PHISHED, TAX INFO GOTTEN—
Turner Construction suffers data breach affecting employees nationwide

The names and Social Security numbers of Turner Construction Co. employees were inadvertently exposed in a data breach affecting workers across the country. An employee mistakenly forwarded the employees’ information, along with earnings and tax information, to “a fraudulent email address”… Click to read entire article.

HIGHER EDUCATION
Yale Internet hacked, down for hours

Yale’s Internet network came under attack Thursday evening after unknown hackers jammed the YaleSecure network for hours into the night. Click to read entire article.

INSURANCE COVERAGE
Federal court bucks trend, rules general liability insurance covers data breach

In a verdict that runs contrary to recent judicial decisions under similar circumstances, a federal appeals court yesterday upheld a ruling that insurance firm Travelers Indemnity Company of America, under the terms of a commercial general liability (CGL) policy, has a duty to defend its client Portal Healthcare Solutions in a lawsuit stemming from an electronic data breach. Click to read entire article.

PRIVACY/WRONGFUL DATA COLLECTION
Emerson Scott, LLP Files Privacy Violation Class Action Lawsuit Against Vizio Holdings, Inc., VIZIO, Inc., and Cognitive Media Networks, Inc.

…There are approximately ten million VIZIO smart TVs equipped with the company’s VIZIO Internet Apps (VIA or VIA Plus) smart platform, with its tracking algorithm called “Smart Interactivity.” This allows VIZIO to keep track of the users’ viewing habits without their knowledge. VIZIO may share that data with advertisers, sometimes without camouflaging a user’s Internet Protocol (IP) address, and advertisers can then connect those habits to a particular user’s other electronic devices. Click to read entire article.

REGULATORY UPDATES
Tennessee Enacted the Toughest Data Breach Law Yet

Tennessee looks to abolish the “encryption safe harbor” law that many data privacy lawyers believe creates unnecessary stress on businesses. Click to read entire article.

UK/EUROPE
50 million Turkish citizens could be exposed in massive data breach

As reported by The Telegraph, a compressed file has been posted online by an unnamed group appearing to contain information including names, addresses, parents’ first names, cities of birth, birth dates, and national identifier numbers used by the Turkish government. Click to read entire article.

National Childbirth Trust charity hit by major data breach

The National Childbirth Trust (NCT) has suffered a data breach that has exposed the registration details of 15,000 people. Click to read entire article.

ASIA/PACIFIC
Hacking exposes 55-M voters to identity theft

The Comelec is downplaying the hacking of its website last Mar. 27. But sensitive personal info on 55 million voters has been exposed. Dumped in public websites, the data include not only names, birth dates and addresses, but also fingerprints, photos and signatures, experts note. Click to read entire article.

RELATED: Bangladesh Bank hackers compromised SWIFT software, warning to be issued. Click to read entire article.

SBM security system was breached, says bank official

A possible system failure due to hacking of the online banking system on Sunday may have resulted in a large number of customers of State Bank of Mysore losing their money to online fraudsters, bank officials in Bengaluru have ascertained. Click to read entire article.

Regards,
Mark Greisiger

NetDiligence®
Cyber Risk Assessment & Data Breach Services

Mark.Greisiger@NetDiligence.com
610.525.6383 (office)
www.NetDiligence.com