We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), as well as crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines. Also, don’t miss the items below in ORANGE.

We look forward to seeing you there!

Registration for the Cyber Risk Summit in Philadelphia opens Friday, March 16th. Learn more!

Akorn Shares Crash 34% After Fresenius Warns on Takeover Amid Data Breach Probe

Akorn Inc. shares plunged Tuesday after Germany’s Fresenius SE (FSNUY) said a probe into possible data breaches at the generic drugmaker could force it to drop a planned $5 billion takeover. Click to read entire article.

Pennsylvania Sues Uber Over Late Breach Notification

State Could Seek As Much as $13.5 Million in Civil Penalties
Pennsylvania on Monday filed a lawsuit against Uber for allegedly violating the state’s mandatory breach notification law. It’s the latest in a long string of legal and regulatory actions Uber is facing from a serious data breach the company waited more than a year to disclose. Click to read entire article.

Tesla cloud resources are hacked to run cryptocurrency-mining malware

Add Tesla to the legion of organizations that have been infected by cryptocurrency-mining malware. In a report published Tuesday, researchers at security firm RedLock said hackers accessed one of Tesla’s Amazon cloud accounts and used it to run currency-mining software. Click to read entire article.

City of Allentown computer systems hit by virus that will require nearly $1M fix

A serious computer virus that has struck the city of Allentown’s most critical systems is expected to cost nearly $1 million to remove and has forced the city to shut down some financial and public safety operations. Click to read entire article.

Kansas agency reports possible data breach

Officials with the Kansas Department for Aging and Disability Services have been notifying individual consumers about an incident where personal or protected health information was released to a group of business associates. Click to read entire article.

Baker ‘extremely disappointed’ with data breach at revenue department

Governor Charlie Baker said he is “extremely disappointed” with a Department of Revenue data breach that made private information from about 39,000 business taxpayers visible to other companies, potentially including competitors. Click to read entire article.

Data breach exposes thousands of California state employees

Officials say a former California state employee downloaded sensitive personal information on thousands of fellow workers, potentially exposing them to identity theft. The Sacramento Bee reported Friday that the information included Social Security numbers for Department of Fish and Wildlife employees and contractors. Click to read entire article.

Aetna and KCC Spar in 2 Lawsuits Over HIV Data Breach

What was perhaps the most prehistoric data breach in recent memory has turned 2 former business allies into foes. The health insurance titan Aetna and its onetime legal services vendor, Kurtzman Carson Consultants (KCC), filed lawsuits against each other this week, following a snail mail snafu that exposed 12,000 customers’ HIV-related information and resulted in a $17 million class-action judgment. Click to read entire article.

Hackers hit patient records at St. Peter’s center

On Friday, St. Peter’s Surgery & Endoscopy Center revealed that hackers potentially compromised medical records of about 135,000 patients earlier this year. The breach has been reported as required under law to the Office of Civil Rights at the U.S. Department of Health and Human Services. Hackers from an “unknown and unauthorized third party” installed malware on computer servers. Click to read entire article.

Decatur County General Hospital warns 24K patients of data breach involving EHR server

A community hospital in Tennessee is warning 24,000 patients their information may have been exposed last year during a cyberattack linked to its EHR system. The attack involved unauthorized software installed on a server that hosts Decatur County General Hospital’s (DCGH) EHR system, according to a letter (PDF) sent to patients impacted by the incident. Click to read entire article.

Records of 1,882 U.Va. patients impacted by security breach

Ohio man indicted in connection to software breach that lasted 19 months
The University Health System is in the process of notifying 1,882 patients about a security breach that occurred between May 2015 and December 2016 where an unauthorized Ohio man, Phillip Durachinsky, may have been able to view patient information. Click to read entire article.

70K Notified in Tufts Health Plan Data Breach in Vendor Error

A small amount of patient information was visible in the windows of envelopes sent out, leading to the Tufts Health Plan data breach. Click to read entire article.

GitHub Suffers Most Powerful DDOS Attack In History

At around 12:15 PM ET on Wednesday, a DDOS attack of 1.3 terabits per second hit GitHub – one of the largest development platforms in the world. This gigantic DDOS attack was the biggest in history, although GitHub servers were surprisingly resilient despite this extremely heavy load. Click to read entire article.

WSU faces lawsuit over data breach

Plaintiffs argue inadequate security measures led to hard drive theft last spring
Four people are bringing a class-action lawsuit against WSU, alleging they suffered identity theft after a hard drive containing sensitive information for more than 1 million people was stolen from a WSU facility in April. Click to read entire article.

University of Alaska Data Breach Hits Staff, Students

Officials say a data breach at the University of Alaska has impacted dozens of current and former employees and students. Click to read entire article.

A hacker returned $17.4 million worth of Ethereum to the victim

For reasons unknown, a hacker decided to return millions of dollars – twice. Click to read entire article.

2018 Data Breaches Total 140 Incidents (So Far)

The latest count from the Identity Theft Resource Center (ITRC) reveals that there have been 140 data breaches recorded this year through February 21 and that nearly 3 million records have been exposed since the beginning of the year. Click to read entire article.

Supreme Court denial of CareFirst case benefits plaintiffs’ broad claims of data-breach harm

The Supreme Court’s rejection of a request by healthcare giant CareFirst to review a high-profile data breach case is likely good news for plaintiffs in arguing the threat of identity theft is sufficient for filing class-action lawsuits against companies that suffer a breach. Click to read entire article.

Inconvenience: the new standard for certifying privacy breach class actions?

Judges in class action lawsuits involving privacy breaches are going to become “more accepting of the notion that you can get money for your inconvenience,” a lawyer said on Friday at NetDiligence’s Cyber Risk Summit in Toronto. Click to read entire article.

Data breach liability: a landmark UK court ruling and its impact on Middle East businesses

Deliberate or negligent acts of employees are a common source of data breaches globally. On 1 December 2017, the High Court of England and Wales ruled that a company can be held liable for the acts of a rogue employee who was responsible for a deliberate data breach. The employee in question exposed the personal data of almost 100,000 employees on the internet. Click to read entire article.

University of Canberra data breach will not be investigated by OAIC

The Office of the Information Commissioner will not investigate a data breach at the University of Canberra where some staff were accidentally sent every employee’s personal details. Click to read entire article.

NIS America Hit By Data Breach

Nippon Ichi Software announced that its American division, NIS America, was the victim of a major data breach that exposed the personal and financial data of online customers. Click to read entire article.

SPARK data breach points to non-compliance with digital signature system

Thiruvananthapuram: Amid the debate over security of individuals’ private data, it was found that most of the government departments in Kerala have not incorporated digital signature technology into their electronic file transactions, rendering them vulnerable to data theft and loss of privacy. Click to read entire article.

Mark Greisiger
Cyber Risk Readiness & Response