We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.

FINANCIAL SERVICES
—DATA BREACHES OVERALL UP 35% FROM PRIOR YEAR—
Breaches Setting Blistering Pace, Double at FIs

As of May 30, the total number of breaches in the U.S. captured in the 2017 ITRC Breach Report from the San Diego-based Identity Theft Resource Center now totals 698, an increase of 35.3% over last year’s record pace (516) for the same time period. Of that total, 36 incidents took place at financial institutions, twice as many as last year for the same period and affected a reported 520,000 records. Click to read entire article.

MOBILE APP
Zomato Breach Threatens 17 Million Users

Zomato, the restaurant app, disclosed Thursday (May 18) that around 17 million users’ information has been stolen in a data breach. According to a report in CNN, the hackers took off with the email addresses and encrypted passwords from a Zomato database. The app covers more than one million restaurants across 24 countries and competes with Yelp. Click to read entire article.

RETAIL
—LATE NOTICE TO VICTIMS—
Tempur Sealy Customer Brings Class Action Over Data Breach

Tempur Sealy International Inc. and its former website host were slapped with a proposed class action in Georgia federal court Monday alleging that their lacking security practices opened the door to a 2016 data breach, which the company failed to inform customers about in a timely fashion. Click to read entire article.

Chipotle Says Hackers Hit Most Restaurants in Data Breach

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email. Click to read entire article.

GameStop Alerts Customers About Potential Credit Card Information Theft

It appears a data breach of the company’s servers had taken place, which could have led to the criminals obtaining a lot of sensitive personal and financial information. To be more specific, the company acknowledges the data breach. Among the information potentially exposed to assailants are customer names and addresses, as well as credit card information. Click to read entire article.

Sears Holdings reports Kmart data breach

Sears Holdings says some customers who shopped at Kmart stores may be the victims of a data breach. The company isn’t saying how many credit cards were affected, but it believes some credit card numbers have been compromised. Click to read entire article.

Report: Cost of Target’s Data Breach Nearing $300 Million

A report at SSL Store says the payout has hit $292 million already, and this figure does not include the several lawsuits that are still outstanding. The list of costs includes:

    • $10 million paid in a class action lawsuit to affected consumers in March 2015.
    • $19 million paid to Mastercard in an April 2015 settlement.
    • $67 million paid to Visa in August 2015.
    • $39.4 million paid to banks and credit unions for losses and costs related to the breach, in a December 2015 settlement.
    • $18.5 million settlement.

Click to read entire article.

TECHNOLOGY
Password manager OneLogin compromised by data breach

OneLogin Inc., the provider of a single-sign-on password management service, announced today that it has suffered a data breach that may have put user information at risk. While OneLogin admitted the breach today, the company did not reveal to what extent its systems had been compromised. Click to read entire article.

Watch What You Click (Again!): DocuSign Confirms Data Breach Incident

Well-known and very popular digital signature service DocuSign acknowledged a data breach incident in which a large number of customer email addresses were stolen. The company announced on its website that the data stolen was limited to customer email addresses and that “no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed.” Click to read entire article.

HIGHER EDUCATION
One million people affected by WSU data breach

Names and personal data of about a million people may have been compromised in a burglary involving Washington State University property. This month the university started alerting people who could be impacted. Click to read entire article.

OU shuts down file sharing service after failing to protect thousands of students’ records

OU unintentionally exposed thousands of students’ educational records — including social security numbers, financial aid information and grades in records dating to at least 2002 — through lax privacy settings in a campus file-sharing network, violating federal law. Click to read entire article.

Exam cancelled as security breach at sixth form college is probed

STUDENTS were sent home from an exam after it was revealed the question paper had been stolen in a possible hacking attack. Click to read entire article.

HEALTHCARE
—CLASS ACTION LAWSUIT ALERT—
Virginia Mason Patient Data Privacy Breach Leads to Lawsuit

After receiving $8.5 million in a medical negligence lawsuit, a Washington couple is filing another lawsuit against Virginia Mason Medical Center for its alleged actions following a patient data privacy breach. Click to read entire article.

—SETTLEMENT ALERT—
LI firm pays $130K to state following data breach

New Hyde Park-based CoPilot Provider Support Services has agreed to pay $130,000 to settle with New York State after the company failed to alert customers of a data breach in a timely fashion. New York State Attorney General Eric Schneiderman said the firm violated general business law by waiting over a year to notify clients of a data breach that exposed 221,178 patient records. He said that CoPilot has agreed to pay $130,000 in penalties and to improve its notification and legal compliance program. Click to read entire article.

Officials announce data breach after more than 1,800 patient health documents found near dumpster

The Health and Human Services Commission is notifying people about the accidental loss of protected personal information. The breach may affect 1,842 people in the Houston area. A box of forms containing client information was found beside an unsecured dumpster in Houston at the E. 40th St. complex, an eligibility office. Click to read entire article.

Online Security Breach Exposes PHI of 5K Medicaid Patients

On April 7, 2017, officials from the Mississippi Division of Medicaid (DOM) discovered evidence of a potential online security breach exposing the PHI of approximately 5,220 patients. Click to read entire article.

Beverly Hills Plastic Surgery Clinic Rocked by Patient Records Heist: “There Is Still Outstanding Stolen Property”

A week after an inside job at a Rodeo Drive reconstructive surgery practice, police are still piecing together clues and searching for stolen materials that compromised private medical and financial information of about 15,000 patients and several stars. Click to read entire article.

CLASS ACTION LITIGATION (SUMMARY)
Anthem, AmEx, PayPal, Must Face ID Theft Suit in Calif.

Health insurance, financial services, and payment card companies failed to keep a California attorney’s identity theft lawsuit in federal court and must face the allegations back in state court, the U.S. District Court for the Northern District of California held May 31 (Gallo v. Unknown No. of Identity Thieves, 2017 BL 183260, N.D. Cal., No. 17-CV-01465-LHK, 5/31/17). Click to read entire article.

PUBLIC ENTITY
Social Security numbers may have been stolen from Florida agriculture department

Nearly 500 people may have had their Social Security numbers obtained in a data breach at the Florida Department of Agriculture and Consumer Services. Also, the names of 16,190 concealed-weapon license holders — out of more than 1.75 million in the state — may have been acquired in the hack. Click to read entire article.

SECURITY STUDIES
Data breaches will cost businesses more than $8 trillion over next 5 years

Criminal data breaches will cost businesses a total of $8 trillion over the next five years, according to a global report from U.K.-based market intelligence firm Juniper Research. Click to read entire article.

49% of Orgs Report File Sharing Data Breach in Past 2 Years

A recent Ponemon/Metalogix report indicates that healthcare entities should be mindful to avoid a potential file sharing data breach. Click to read entire article.

Outdated Operating Systems, Browsers Correlate with Real Data Breaches

Study shows companies running out-of-date OSes were three times more likely to suffer a data breach, and those with the outdated browsers, two times more likely. Click to read entire article.

ENERGY
Industroyer Cyber-Attack Revealed as Cause of Ukraine Power Outage

It was a multi-pronged attack: Not only did the malware shut down internal production at power companies, it also froze operators’ screens, leading them to believe operations were running normally. Click to read entire article.

CANADA
1.9 million Bell Canada customer account details stolen, leaked

Anonymous hackers have stolen and leaked 1.9 million email addresses and some 1,700 names and active phone numbers of Bell Canada customers. Click to read entire article.

Data breaches in Canada: Reporting obligations, class actions and breach management

Click to read article.

EUROPE / UK
GDPR regulations could cost banks over €4.7bn in fines in first three years

A report from business management consultants Consult Hyperion has predicted that European FIs could face fines of up to €4.7bn ($5.2bn) in the first three years as financial services begin to adapt to the new regulations. Click to read entire article.

Business Law: Victoria Spellman explains how a data breach cost a council a £150,000 fine

Basildon Council was recently fined £150,000 for publishing sensitive personal information about a traveller family on its website, including details about disabilities and mental health issues. Click to read entire article.

Over 5,000 Wind Tre customers hit by data breach

Italy’s data protection authority, Garante Privacy, has ordered Wind Tre to write to customers to notify them of a data breach that occurred on 20 March. Click to read entire article.

AFRICA
Old Mutual tightens security after customers’ data breach

Old Mutual, South Africa’s prominent financial services company, has notified its customers of a data breach. This follows the company’s detection of an unauthorised entry to one of its systems. Click to read entire article.

MIDDLE EAST
Dark web: Hackers selling stolen data from Qatar National Bank and UAE InvestBank

Hackers are reportedly selling stolen data from the Qatar National Bank (QNB) and UAE InvestBank on the dark web. Both the banks suffered major data breaches in 2016 and the data of thousands of customers was later leaked online by hackers. Now, even as tensions escalate between the two Middle Eastern nations, cybercriminals appear to be cashing in on the underground cybercrime community. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response