We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), as well as crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines. Also, don’t miss the items below in ORANGE.

CYBER SECURITY WEBINAR
January 22, 2018 at 12:00 PM

Please join MedPower and NetDiligence® for an hour you can’t afford to miss. Anahi Santiago, chief information security officer at Christiana Care Health System, will guide you through the steps necessary to safeguard your organization from what hackers have in store for 2018. Vinny Sakore, chief technology officer at NetDiligence, will discuss the importance of data breach planning and how it can help you minimize the negative effects of a breach on your organization. Register now!


CYBER RISK SUMMIT – REGISTRATION OPEN
Join us in Toronto on February 23, 2018!

Featuring a designated Risk Management Track, Regulatory and Litigation Updates, What’s New in Cyber Coverage, Security Solutions, and more! Register now!


DATA AGGREGATOR
Alteryx data breach exposed 123 million American households’ information

… the consumer data industry is now grappling with after a discovery that Irvine marketing and analytics company Alteryx Inc. accidentally made public a file that contained the personal information of 123 million American households. (The U.S. has 126 million households in all, according to the Census Bureau.) The database contained information across 248 categories, including addresses, phone numbers, mortgage ownership, age, ethnicity and personal interests such as whether a person is a dog or cat enthusiast. The data did not include people’s names, Social Security numbers, credit card information or passwords. Click to read entire article.

AUTOMOTIVE
Nissan data breach: Over 1 million customers’ sensitive data feared stolen by hackers

Auto giant Nissan confirmed that its Canadian branch has been hit by hackers. Although the details of the breach are still murky, Nissan says that the hack may have impacted all of its current and past customers – around 1.13 million people. Click to read entire article.

RETAIL
Study: Majority of retailers lack data breach response plan

Only 28% of retailers said they have a fully tested plan in place in the event of a security breach. Meanwhile, 21% said their organization doesn’t have a plan at all, or the means to notify customers of a data breach within 72 hours (21%) — a requirement specified by the General Data Protection Regulation (GDPR), according to a new study from Tripwire. Click to read entire article.

HEALTHCARE
—SETTLEMENT ALERT—
MA Reaches Settlement Following Medicaid Data Breach

New Hampshire-based Multi-State Billing Services (MSB) must pay $100,000 and improve its security practices per a consent judgment from the Massachusetts attorney general’s office. The settlement stems from a Medicaid data breach where 2,600 children had some of their information exposed. Click to read entire article.

Possible data breach at Colorado Mental Health Institute in Pueblo

The Colorado Mental Health Institute at Pueblo is notifying the public and patients of a potential data breach. In a news release, the agency said on November 1st a staff member unintentionally allowed access to a state-issued computer through a phishing scam. Click to read entire article.

Banner Health Class Action Claims Survive Motion to Dismiss

Wednesday, a federal district court in Arizona denied in part and granted in part Banner Health’s motion to dismiss class action claims arising from a 2016 data breach. Click to read entire article.

HIGHER EDUCATION
UNC Health Warns 24,000 Patients of Potential Data Breach

The personal records of as many as 24,000 UNC Health patients could be compromised after the theft of a laptop computer at an outpatient dermatology clinic. Click to read entire article.

Unauthorized Server Access Creates Data Security Concern for 47K

Recent potential healthcare data security breaches include unauthorized server access, computer theft, and a ransomware attack. December 14, 2017 – Carl Albert State College (CASC) is re-notifying certain individuals of unauthorized server access from 2016 that may create data security concerns. Click to read entire article.

Stanford University school’s chief digital officer leaves role after data breach

Following a pair of data breaches that exposed highly sensitive student and employee information, the chief digital officer at Stanford University’s Graduate School of Business has reportedly stepped down. Click to read entire article.

PUBLIC ENTITY
Oklahoma alerts 47,000 clients about data breach for the 2nd time

The Oklahoma Department of Human Services is notifying 47,000 clients their records may have been breached — and it’s the second breach notification about the same incident because DHS neglected to alert the U.S. Department of Health and Human Services the first time. Click to read entire article.

FDL Water Bill Online Payment System Taken Down After Breach

The City of Fond du Lac water bill online payment system has been taken down until it can be rebuilt. Fond du Lac Credit Union officials reached out to the City after noticing some credit card customers were victims of fraudulent purchases. Click to read entire article.

Mecklenburg County leaders say 27 servers restored after hacking attack

Hackers breached the county’s servers last week and held files for ransom. The cybercriminals, believed to be from Ukraine or Iran, froze 48 of the county’s 500 servers. Click to read entire article.

UTILITIES
Data breach affects about 375,000 people who paid Duke Energy bills using cash or checks at walk-in sites

Duke Energy said Tuesday that a computer data breach potentially affects those who paid bills at one of the company’s 550 authorized walk-in payment centers between 2008 and 2017. Nearly 375,000 customers in the Carolinas may be affected. Click to read entire article.

Hacking of Connecticut Utility Company Exposes As Many As 52,000 Customers’ Information

The information of 52,000 people that may have been exposed includes payment card information, bank account information, Social Security and other government identification numbers, account usernames and passwords. Click to read entire article.

CANADA
—CLASS ACTION SETTLEMENT ALERT—
Ottawa to pay $17.5M to settle student loan privacy breach lawsuit

The federal government will pay at least $17.5 million to settle a class action lawsuit filed after a major privacy breach involving about 583,000 student loan recipients. Click to read entire article.

Top Canadian cyber security stories of 2017

A recap of the top 2017 cybersecurity stories covered in IT World Canada. Click to read entire article.

PayPal’s Canadian Payments Processing Company Suffers Breach

PayPal has acknowledged that TIO, the Canadian payments processing company that it acquired in July 2017, has suffered a data breach that compromised the information of up to 1.6 million users. TIO processes utility and other bill payments and has over 60,000 kiosks in North America. Click to read entire article.

EUROPE / UK
UK Ruling On Business Held Liable For Data Breach

A UK High Court has held a company liable for the actions of an employee who leaked employee data in an attempt to harm the employer. This is a precedent-setting case as it was not found that the company itself was at fault for handling their data. With the onset of GDPR next year, this ruling could signal the way the court would rule in other cases regarding data breaches. Click to read entire article.

Data breach at St Canices Credit Union in Kilkenny

St Canices Credit Union has notified the Data Protection Commissioner and the Central Bank of Ireland after a small number of members inadvertently received account information relating to other members. Click to read entire article.

ASIA/PACIFIC
Security firm Sisa alerts banks on malware attack

Payment security firm Sisa has issued an advisory to all banks and payment processors after it discovered that hackers had managed to insert malicious software into the payment switch server of an unnamed bank. Click to read entire article.

Personal data of 80,000 people may have been leaked from Osaka Univ.

Osaka University said Wednesday that personal data of around 80,000 students, graduates, staff, former workers and others may have been stolen by hackers. Click to read entire article.

Obike becomes latest victim of global data breach

The breach into users of the bike sharer lasted at least two weeks, affecting users around the world. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response