We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.

DIRECTORS & OFFICERS RISK
Lawsuit for Investors in Shares of Wendy's Co Against Certain Directors in Connection with Customer Data Breach Filed

An investor in Wendy's Co (NASDAQ:WEN) shares filed a lawsuit against certain Wendy's directors in connection with a customer data breach. Click to read entire article.

HEALTHCARE
Community Health Plan of Washington data breach affects nearly 400k

A recent data breach affected 381,534 current and former members of Seattle-based Community Health Plan of Washington, The Seattle Times reports. The nonprofit organization, which provides insurance to Washington’s Medicaid members, began informing affected individuals Dec. 21. The patient information exposed in the breach includes names, addresses, Social Security numbers and health claims information. It does not include health providers’ notes on patients. Community Health Plan of Washington COO Marilee McGuire said there is not yet evidence of harm to members. Click to read entire article.

Health insurance data breach affects many in Delaware

A health insurance data breach has affected approximately 19,000 people with employer-paid plans in Delaware, according to the Delaware Department of Insurance. The breach involved Summit Reinsurance Services and BCS Financial Corporation, subcontractors of Highmark Blue Cross Blue Shield of Delaware. Click to read entire article.

Booz Allen subcontracted firm leaked classified US military personnel data – Report

The data breach reportedly exposed personal and sensitive data of staff with the highest levels of security clearance. Click to read entire article.

INTERNET OF THINGS (IoT)
FDA says St. Jude heart devices vulnerable to hacking

Federal regulators said Monday that scores of pacemakers and implantable heart defibrillators made by St. Jude Medical are vulnerable to computer hacking, but a security patch is ready to address the problem. Click to read entire article.

Hello Kitty Database of 3.3 Million Breached Credentials Surfaces

A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend. The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery. Click to read entire article.

HIGHER EDUCATION
Los Angeles college pays hacker student data compromised

A Los Angeles community college has paid a $28,000 ransom after a hacker took student data hostage. The Los Angeles Daily News reports that 1,800 Los Angeles Valley College teachers and staff were locked out of their computers last week, leaving the data of 20,000 students compromised. College administrators elected to pay the $28,000 ransom in bitcoins rather than leave students without their data. Click to read entire article.

Human Resources Notifies Employees of Data Breach

On Dec. 12, a Georgia Tech employee conducted research on a trusted website that had been compromised by malicious software known as ransomware. The ransomware infiltrated the employee’s computer, which was connected to Georgia Tech’s network, allowing access to a variety of files, some of which included sensitive personal information of current and past Georgia Tech employees. Click to read entire article.

RETAIL
Vera Bradley Taking Action to Address Potential Data Breach Involving Payment Cards at Stores

Vera Bradley (VRA) said it is investigating a potential security breach involving customer data at its retail stores over the summer. Click to read entire article.

—CLASS ACTION SETTLEMENT—
$1.9M Mapco Express Data Breach Deal Gets Final OK

A Tennessee federal judge on Thursday gave the final stamp of approval to a nearly $2 million deal settling claims over data security breaches at several Mapco Express stores, saying that the deal puts class members first. Click to read entire article.

Topps, maker of sports cards, discloses data breach

The company behind many sports and other trading cards, Topps, has disclosed a data breach. According to a notice sent to Topps customers, the company became aware of the breach in mid-October 2016, something that triggered an investigation revealing that ‘one or more intruders’ possibly stole some customer data. That data could include credit and debit card numbers, names, email addresses, and more. Click to read entire article.

PUBLIC ENTITY
5 things to know about the LA County email hack and data breach

Los Angeles County officials announced they had been the victim of a phishing hack that potentially exposed the personal data of hundreds of thousands of people. The attack occurred May 13, 2016, when 108 county employees responded to an email they believed to be legitimate and provided their usernames and passwords, according to officials. Click to read entire article.

State refuses to release report on Frederick County Public Schools data breach

The state of Maryland will not release a detailed report, or other related records, on a recently discovered data breach, in which personal information of former Frederick County Public Schools students was stolen. Roughly 1,000 names, dates of birth and Social Security numbers of former Frederick County students were taken in a data breach that officials said happened before 2010. Click to read entire article.

NH health commissioner apologizes to families over DHHS data breach notices

New Hampshire’s health commissioner is offering an extra apology as his agency deals with a data breach that led to personal information of up to 15,000 people being posted online. Click to read entire article.

FINANCIAL SERVICES
Dover Federal Credit Union employee sent customer info to a personal Dropbox

Dover Federal Credit Union recently sent a letter warning customers an employee transferred DFCU files to the employee’s personal Dropbox account. Click to read entire article.

Turkey’s Akbank Suffers Online Attack, Faces US$4m In Damages

It appears Akbank has been the target of an attack against SWIFT on December 8. That is rather surprising, as SWIFT issued guidelines to have their partners beef up security. It looks like Akbank did not take the necessary precautions to keep their systems safe. Click to read entire article.

TECHNOLOGY
9.5 Million Users Exposed in Lynda Data Breach

LinkedIn and Microsoft subsidiary Lynda announced that 9.5 million user accounts are at risk. An unauthorized third party accessed a database that contained account holder contact information, learning data and a list of the courses the user has viewed. The company, which provides a subscription-based online learning service for business and technology skills, said there is no evidence that passwords were stolen in the recent breach. Click to read entire article.

BUSINESS INTERRUPTION (DDoS ATTACK)
Hackers trigger yet another power outage in Ukraine

For the second time in as many years, security researchers have determined that hackers have caused a power outage in Ukraine that left customers without electricity in late December, typically one of the coldest months in that country. Click to read entire article.

Tumblr outage reported in US and Europe; may be result of DDoS attack


WRONGFUL DATA COLLECTION / PRIVACY ETHICS
3 Noble charter staffers OK’d using CPS student data to recruit

Three officials with the Noble Network of Charter Schools signed off on using an improperly obtained list of Chicago Public School students’ names, addresses, current schools and grade levels to send recruitment postcards to the homes of at least 28,000 CPS kids, records obtained by the Chicago Sun-Times show. Click to read entire article.

ANTI-SOCIAL MEDIA
—SETTLEMENT ALERT—
FTC Settles Data Breach Case with AshleyMadison for $1.6 Million

The Federal Trade Commission (“FTC”) settled with online dating website AshleyMadison.com for $1.6 million stemming from FTC and state actions brought against the company as a result of a July 2015 data breach that exposed the profile and account information of approximately 36 million users. Click to read entire article.

E-Sports Network ESEA Hacked, 1.5m Records Compromised After Alleged Failed Extortion Attempt

E-Sports Entertainment Association (ESEA) was broken into last year, with over 1.5 million ESEA accounts compromised, and hackers were confirmed to have tried to extort a significant amount of money to remain silent regarding the incident. Click to read entire article.

HOSPITALITY
Top Story: Major hotel chain investigating serious data breach

InterContinental Hotels Group (IHG) has hired a computer security company to look into the potential breach. Some of its customers have reported fraudulent transactions on their credit and debit cards. Which hotels were breached? InterContinental Hotels Group is the parent company for over 5,000 hotels all over the world. They include Holiday Inn, Holiday Inn Express, InterContinental, Crowne Plaza, Staybridge Suites, Kimpton Hotels, Even Hotels, and Hotel Indigo. Click to read entire article.

LEGAL UPDATES
How a Massachusetts Decision to Publish Data Breach Info Will Affect Big Law

The Massachusetts decision spells out new challenges for lawyers working with breached companies. Click to read entire article.

CYBER RISK STUDIES
How much is a data breach going to cost you?

A recent IBM study found that the average cost of a data breach has hit $4 million—up from $3.8 million in 2015. Click to read entire article.

CANADA
University Of Alberta Hit By Security Hack Attack

Malware intended to collect the school’s passwords was installed on computers at the University of Alberta in Canada. The incident happened late last year, but the breach was only shared with the community on Thursday. Click to read entire article.

ASIA/PACIFIC
NPC: Victims of data leak may file suit

MANILA, Philippines — The decision of the National Privacy Commission (NPC) finding Commission on Elections (Comelec) Chairman Andres Bautista liable for the March 2016 data breach of the poll body’s voters’ database may be used by private individuals affected and victimized by the breach. Click to read entire article.

Pakistan automotive giant PakWheels Hacked, 700k accounts stolen

The breach took place months ago, but users only received a reset notification last week. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Assessment & Data Breach Services