We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.


DON’T MISS OUT: NetDiligence’s Cyber Liability Conference, October 17-19 in Santa Monica, is rapidly approaching. We have very few seats left. REGISTER NOW to secure your place!


HEALTHCARE
—CLAIMS: 43% INSIDERS; 29% HACKERS & BAS/VENDORS CAUSED 19%—
Report: 8.8 million patient health records breached in August

There were 44 reports of data breaches in August, and 233 from January through August, according to the monthly Protenus Breach Barometer. Click to read entire article.

Banner Health Suits Raise Significant Questions for Data Breach Class Actions

Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians. Click to read entire article.

—CAUSED BY VENDOR—
Data breach impacts Lancaster County enrollees in Gateway Health Plan

An insurer that serves Medicaid enrollees in Lancaster County is among organizations affected by a data breach that reportedly could affect up to 3.3 million people. Click to read entire article.

Vendor Error Leads to Another Possible Healthcare Data Breach

Recent possible healthcare data breaches include cases of accidental online exposure, email error, and unauthorized email access. Click to read entire article.

FINANCIAL SERVICES
—LAPTOP STOLEN—
One of Portland’s largest financial firms warns of possible data breach

Portland-based M Holdings Securities Inc., a subsidiary of M Financial Holdings Inc., has informed California’s attorney general of a stolen laptop with client information, including social security numbers. Click to read entire article.

—CLASS ACTION ALERT—
Oregon credit union sues Noodles & Company over breach

Oregon credit union SELCO Community Credit Union accused Noodles & Company of failing to implement or maintain adequate data security measures for customer information despite highly publicized breaches at large national retailers and restaurant chains, according to court documents filed in a class action lawsuit. Click to read entire article.

Mystery Surrounds Possible BlueSnap Data Breach

Roughly 324,000 payment card details for over 105,000 users were leaked in July 2016 by a hacker going by the name of 0x2Taylor. Click to read entire article.

RETAIL
MICROS Point-of-Sale Systems Hit by Data Breach: 330K Merchants Vulnerable

MICROS POS credit card payment systems, operated by software company Oracle, have thousands of companies around the world concerned about customer data safety. Oracle’s MICROS is one of the top three POS vendors in the world, and it is estimated to be used at approximately 330,000+ global locations, including over 200,000 food and beverage outlets, 100,000 retail stores and 30,000 hotels. Click to read entire article.

Eddie Bauer Is Latest Retailer Infected With Data Breach Malware

The outdoor clothing and accessories retailer Eddie Bauer is the latest victim of point-of-sale malware to admit that its customers’ card details may have been stolen. Click to read entire article.

EZContactsUSA to pay $100,000 after alleged data breach potentially exposed consumer information

Provision Supply LLC – doing business as EZcontactsUSA.com – will pay a $100,000 penalty and strengthen its data security practices after allegations of a data breach, New York Attorney General Eric T. Schneiderman has announced. Click to read entire article.

PUBLIC ENTITIES
STATE: Fraudulent Unemployment Claims Targeted State Employees

The personal information, including social security numbers, of state employees was used to apply for state unemployment claims. That’s according to the Nevada Department of Transportation which notified its employees yesterday of the situation. Click to read entire article.

Computer security breach reported at main courthouse server in Anderson County

A computer security breach has been reported at the main courthouse server in Anderson County, officials said this week. It’s a system-wide breach, said Anderson County Law Director Jay Yeager. “The extent, type, and amount of data compromised has not yet been fully determined,” Yeager said. “However, this may include your confidential personal identifying data including Social Security numbers, dates of birth, home addresses, health insurance information and claims, payroll information, bank accounts, routing numbers, Veterans Service Office benefit documents, and possible employee credit union account information.” Click to read entire article.

RELATED: County agrees to spend up to $100,000 to fix computer security breach

A computer security breach in Anderson County could have affected about 1,800 full-time and part-time government employees, and the Anderson County Commission has agreed to spend up to $100,000 to fix it. Click to read entire article.

ONLINE MARKETING
Over 6 million ClixSense users compromised by data breach

ClixSense, a site which pays users to view ads and take surveys, was the victim of a massive data breach compromising around 6.6 million user accounts. Usually when there’s a data breach of this size, the information stolen contains usernames, passwords, and some other personal information, but due to the nature of ClixSense and the service it provided, home addresses, payment histories, and other banking details have also been compromised. Click to read entire article.

HOSPITALITY
Hutton Hotel enhances security measures after breach

The Hutton Hotel is warning customers about a data breach that may have compromised the credit card information of thousands of guests. Click to read entire article.

HIGHER EDUCATION
Mat-Su campus hit by data breach

The University of Alaska Anchorage’s Mat-Su campus has been hit by a data breach, according to a University of Alaska news release Tuesday. Click to read entire article.

TECHNOLOGY
Dropbox data breach: 68 million user account details leaked

Four years after a data breach at cloud storage service Dropbox, details of more than 68 million user accounts have reportedly been leaked. Click to read entire article.

—CAUSED BY STAFF – PHISHED—
Seagate Employees sue their own company following hack attack that led to data breach

Earlier this year, a senior HR executive at Seagate fell for a phishing scam, which resulted in thousands of employees’ tax information being exposed. The employee was fooled into giving away personally identifiable information (PII) of 10,000 past and current employees, including W-2 forms that contain their Social Security numbers along with their wage, salary and tax information, to scammers who posed as the company’s CEO, Stephen Luczo. Click to read entire article.

MEDIA / PUBLISHING
Science site EurekAlert taken offline after security breach

EurekAlert — a widely-used web-based news service that serves the world’s science and medical writers — was taken offline Wednesday morning due to a serious security breach. Click to read entire article.

CYBER RISK STUDIES
Data Breaches Up 15% to Date in 2016

…The latest data breach count from the Identity Theft Resource Center (ITRC) reports that there have been 657 data breaches recorded this year through September 8, 2016, and that nearly 29 million records have been exposed since the beginning of the year. Click to read entire article.

CANADA
Massive unreported security breach, $2 million alleged fraud at NorQuest College

Shortly after the work day began on Feb. 19, 2013, a bizarre email popped up in the inboxes of dozens of NorQuest College senior executives and staff. Click to read entire article.

Data breach settlement approved in Canadian class action lawsuit against Home Depot

An Ontario court recently approved a settlement in a class action lawsuit against Home Depot of Canada, Inc. and its corporate parent arising from a data breach in 2014 that affected its payment card system. Click to read entire article.

Privacy Breach at GBHS

GBHS says hundreds of patients’ records were opened without authorization. Click to read entire article.

EUROPE/UK
VoIP Talk Admits Possible Data Breach

UK-based IP Telephony service VoIPtalk warned customers of a potential data breach over the weekend. The firm has implemented tighter security controls and advised customers to change their passwords. Click to read entire article.

Sage Data Breach Highlights Need for Least Privilege Access and Two Common Errors Businesses Make, Warns Hypersocket Software

The data breach at UK accounting software company Sage has brought the insider threat facing businesses into focus and, according to security experts Hypersocket Software, highlights the need for more stringent access control. Click to read entire article.

‘Massive data breach’ at Almelo municipality

Hackers have stolen 22 gigabytes of data from municipal servers in Almelo, reports NU.nl. Click to read entire article.

Opera announces data breach: stored passwords stolen for 1.7M users

Opera offers a product called Opera sync: a convenient cloud-based service that keeps track of what you do in Opera as you go along. … Of course, this leaves more to go wrong in the case of a network intrusion, and unfortunately for Opera sync users, the company announced a breach late last week. Click to read entire article.

Northern Ireland nursing home fined £15,000 over data breach

A Northern Ireland nursing home has been fined after a data breach relating to sensitive details about patients and staff, connected to the theft of a computer. Click to read entire article.

ASIA/PACIFIC
NBTC to investigate AIS data breach

An investigation panel was formed yesterday by the national telecom regulator to examine the causes of a customer data breach perpetrated by an Advanced Info Service (AIS) employee. Click to read entire article.


Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Assessment & Data Breach Services