We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.

DON’T MISS OUR LONDON CONFERENCE!

NetDiligence is bringing its popular educational programming to London. The first annual NetDiligence® Cyber Risk Summit in London takes place May 9, 2017 at The Willis Building. Conference chairs include Glyn Thoms of Willis Towers Watson, Andrew Lewis of QBE Europe, Dan Trueman of Novae, Hans Allnutt of DAC Beachcroft LLP and Mark Camillo of AIG.

TECHNOLOGY / CLOUD
Microsoft’s Docs.com found to be leaking private data of millions of users

Microsoft has been forced to pull the search feature from its Docs.com website after it was found to be inadvertently leaking private data on millions of users. Click to read entire article.

Apple Disputes Hacker Group’s Claim of Massive iCloud Breach

Contrary to a hacker group’s claims, Apple said none of its systems, including iCloud and Apple ID, have been breached recently. However, the company said it is keeping an eye open for potential problems and recommends that users employ security measures such as strong passwords and two-factor authentication. According to a report Tuesday in Motherboard, a group calling itself the “Turkish Crime Family” claimed it could remotely access hundreds of millions of Apple accounts and could use that access to wipe users’ devices. The hacker(s) said they would do so on April 7 unless Apple paid a ransom of $75,000 to $100,000. Click to read entire article.

SSL sues Orbital ATK over confidential data breach

Space Systems Loral (SSL) has filed a lawsuit against Orbital ATK after an employee of that company accessed sensitive information in a NASA computer system about SSL satellite servicing technologies. Click to read entire article.

Wishbone app data breach affects huge number of users

Wishbone, an app popular among teenagers, has suffered a data breach, it has been revealed. The company informed its users of the intrusion in a notification recently, saying it became aware of the data swipe on March 14. The notification says that unknown individuals “may have had access” to the company’s API and used it to nab data on the service’s users. The info may contain more than 2 million email addresses, among other things. Click to read entire article.

HEALTHCARE
—SETTLEMENT ALERT—
Horizon Healthcare Services settles data breach case for $1.1 million

New Jersey Attorney General Christopher S. Porrino announced Feb. 17 that Horizon Healthcare Services Inc., the state’s largest health care provider, will pay $1.1 million and improve data security practices after allegations of failing to properly protect the privacy of close to 690,000 New Jersey policyholders. Click to read entire article.

Vanderbilt UMC notifies 3,000+ patients of data breach

Between May 2015 and December 2016, two VUMC patient transporters accessed information from VUMC patients’ electronic medical records, including names, birthdates, medical record identification numbers and some Social Security numbers. Click to read entire article.

Austin clinic warns data breach may have exposed medical records

A clinic with locations throughout Central Texas is warning patients their records – including medical information – might have been obtained during a data breach. In a letter sent this week, Urology Austin says it was the victim of a ransomware attack on Jan. 22. “Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation,” the letter says. “We also began to take steps to restore the impacted data and our operations.” Urology Austin says records it believes were obtained during the attack include names, addresses, birthdates, Social Security numbers and medical records. Click to read entire article.

160K affected by Med Center data breach

The FBI continues its look into a breach of personal information from about 160,000 patients serviced at some Med Center Health affiliates between 2011 and 2014. Click to read entire article.

—CLASS ACTION ALERT—
Hospital Breach Lawsuit Gets Class-Action Status

In a March 17 ruling, a U.S. district judge said the lawsuit against Flowers Hospital in Dothan, Alabama, merited class-action status despite the lack of clear evidence that all of the individuals on whose behalf the lawsuit was filed suffered damages as a result of the 2013 breach incident, involving the theft of paper records. Click to read entire article.

VA University Health System Security Breach Impacts 2.7K

Recent data breaches include a ransomware attack, a stolen server, and unauthorized access of employee emails. Click to read entire article.

FINANCIAL SERVICES
Credit union sues Eddie Bauer for failing to prevent data breach

Veridian Credit Union accused Eddie Bauer of deploying lax security standards, forcing Veridian and other financial institutions to bear costs related to theft of payment-card information from the clothier’s point-of-sale systems. Click to read entire article.

Verifone, Largest Maker Of Card Payment Terminals, Targeted By Hack

Verifone, the company behind many of the payment systems you see at retailers across the country, is reportedly the latest hack attack victim. Krebs on Security reports that Verifone, the largest maker of credit and debit card payment terminals, is investigating a breach of its corporate computer networks that may have targeted payment systems at dozens of gas stations. Click to read entire article.

PUBLIC ENTITY
1.4M affected in data breach at Illinois employment department

A hacker gained access last month to about 1.4 million job seekers’ personal information on file with the Illinois Department of Employment Security’s online job board, including their names, Social Security numbers and birth dates. Click to read entire article.

BBB: Watch out for piggyback scams after IdahoWorks breach

After 170,000 people were announced to be part of a data breach of IdahoWorks, the Idaho Department of Labor’s job seeker program, Better Business Bureau says it’s received a number of calls from people wondering if the notification email is a scam. Click to read entire article.

Hundreds of Powhatan school employees compromised in data breach

Employees of Powhatan County Public Schools have been notified of a data breach that occurred Monday that has exposed their personal information to a scammer. Click to read entire article.

Groton’s School Business Manager Placed On Leave After Massive Cyber Breach: Update

Personal documents of school district employees were obtained by someone posing as Groton’s Schools Superintendent. Click to read entire article.

RETAIL
—CLASS ACTION ALERT—
Arby’s Whacked with More Data Breach Class Action Lawsuits

As we previously reported, Arby’s was hit with malware that infected over 1,000 of its fast food locations throughout the U.S. between October 25, 2016, and January 19, 2017, and was hit with multiple class action suits over the data breach. Click to read entire article.

—SETTLEMENT ALERT—
Neiman Marcus To Pay $1.6 Million in Shopper Data Breach Lawsuit

Neiman Marcus has agreed to pay $1.6 million to settle a data breach class action in Illinois federal court. The three-year-old case stemmed from the December 2013 cyber attack that exposed credit card data of an estimated 350,000 Neiman Marcus shoppers. Click to read entire article.

HOSPITALITY
Rosen Hotels Fined After Data Breach and Facing Federal Lawsuit

This week Rosen Millennium Technology Group, the sister company to Rosen Hotels & Resorts, was sued by its insurance company, St. Paul Fire & Marine, which is denying coverage for a data breach that was discovered in 2016. Visa, MasterCard, and American Express have issued hefty fines against Rosen and the company may incur additional expense if customers affected by the data breach pursue any available causes of action. Click to read entire article.

HIGHER EDUCATION
Daytona State College officials warn of potential data breach

For the second time this month, Daytona State College officials are warning of a potential data breach, this one potentially affecting students and parents who applied for federal financial aid. Click to read entire article.

MANUFACTURING
Boise sugar company’s data breach is a reminder to protect your identity

Nearly 3,000 Idahoans’ identities are at risk after a scammer persuaded an employee to give up tax information at the Boise-based Amalgamated Sugar Co. in late February. Click to read entire article.

CloudPets Notifies California AG of Data Breach

Spiral Toys, the parent company behind CloudPets, yesterday sent the California Attorney General a breach notification that on many fronts contradicts what experts have said about a database breach that exposed user data and private voice messages, many of which were made by children. Click to read entire article.

Boeing data breach traced to employee who needed help from their spouse

The Boeing Co. has traced a recent data breach involving personal information of 36,000 of its workers to an employee who sought help formatting a spreadsheet from their spouse, which resulted in the company losing control of the information for a period of time late last year. Click to read entire article.

CYBER RISK RESEARCH
Middle East data hacks on the rise, research shows

The number of data breaches in the Middle East has risen 16.67 percent since 2015 as hackers become increasingly sophisticated, according to research. New data from global cybersecurity firm Gemalto found that approximately 45.2 million data records in the Middle East were compromised in 2016, compared to 38.5 million in the previous year. Click to read entire article.

Nearly 400 2017 Data Breaches Have Exposed More Than 7 Million Records

The latest report from the Identity Theft Resource Center (ITRC) indicates that there have been 392 data breaches recorded this year through March 28, 2017, and that nearly 7.4 million records have been exposed since the beginning of the year. The total represents a 51% increase in the number of breaches to date compared with 2015. Click to read entire article.

CANADA
McDonald’s Canada careers website hack compromises 95,000 job seekers’ personal data

McDonald’s Canada said on Friday (31 March) that its career website was recently hacked, compromising the personal data of around 95,000 restaurant job applicants. The accessed information included names, addresses, email addresses, phone numbers, employment background and other standard job application information of people who applied online for a job at McDonald’s Canada restaurants between March 2014 and March 2017. Click to read entire article.

CRA, Statscan services back online after shutdowns due to hacking vulnerability

Canada’s federal agencies in charge of statistics and taxes both say they have fixed vulnerabilities in their computer systems that forced them to shut down some online services over the weekend. Click to read entire article.

Feds set to regulate reporting of digital data breaches

Pending legislation will require Canadian businesses to report cyber breaches of personal information to the Office of the Privacy Commissioner or face fines of up to $100,000. Click to read entire article.

ASIA/PACIFIC
New mandatory data breach notification requirements

On 22 February 2017, the Privacy Amendment (Notifiable Data Breaches) Act 2017 received Royal Assent, giving the green light to the commencement of the long-awaited mandatory data breach reporting regime in Australia. The Bill that was passed is available from here. Click to read entire article.

Cosmos Bank’s Website Compromised With RIG Exploit Kit; Cerber Ransomware Infects Website Visitors!

Quick Heal has detected a serious security breach at Cosmos Bank’s website. As per the findings, their website has been compromised by RIG Exploit Kit, and as a result, all visitors to their website are being automatically infected by the infamous Cerber Ransomware. Cosmos Bank was established in 1906. Headquartered in Pune, it is hailed as one of the oldest Urban Co-operative Banks in India. Click to read entire article.

McDonald’s India App Leaks Personal Data Of 2.2 Mn Customers, Company Denies Claims

According to media reports, McDelivery, the India app of US-based fast food restaurant chain McDonald’s, has reportedly leaked the personal data of more than 2.2 Mn users. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Assessment & Data Breach Services