We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), also crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines. Also, don’t miss the items below in ORANGE.


CYBER RISK SUMMIT – PHILADELPHIA, JUNE 12-14, 2018
Thank you Corporate Risk & Insurance!

Corporate Risk & Insurance is a Media Sponsor for the NetDiligence® Cyber Risk Summit in Philadelphia, June 12-14. Check out Captives: Underdogs in cyber security, a recent article featuring Mark Greisiger of NetDiligence. You may also want to sign up for their weekly newsletter, which provides risk management professionals the latest in risk trends through peer profiles, perspectives from industry insiders, data, webinars and white papers.


SOCIAL MEDIA
—WRONGFUL SHARING/PRIVACY ETHICS—
Facebook Just Doubled the Number of People Exposed in Data Breach

Facebook Inc. said that data on as many as 87 million people, most of them in the U.S., may have been improperly shared with research firm Cambridge Analytica. Click to read entire article.
Related: Cook County Files Lawsuit Against Facebook, Cambridge Analytica For Misuse of User Data

ONLINE SERVICES
Over Half a Million Payment Cards Vulnerable in Orbitz Data Breach

Popular online booking website, Orbitz, has announced that its legacy site, Amextravel.com, was compromised due to a data breach. The period of exposure runs from January 1, 2016 through December 22, 2017. The company is reporting that up to 880,000 payment cards could’ve been exposed during the breach. Along with credit or debit card information being stolen, personal information such as the customer’s full name, date of birth, phone number, email address, physical and/or billing address and gender could also be among the information obtained by the hackers. Click to read entire article.

AIRLINES
Delta Air Lines Just Revealed Stunning Data Breach (and Your Payment Information May Have Been Exposed)

It seems that no company that has a public website is immune to hackers and data thieves anymore. Delta Air Lines just found that out the hard way when it that [24]7.ai–a company that provides online chat services for a variety of companies including Delta–was involved in a “cyber incident.” This cyber incident allowed Delta customer payment information to be accessed during the period from September 26, 2017 to October 12, 2017. Click to read entire article.

RETAIL
Under Armour hit by data breach affecting 150 million users

Sports apparel merchant Under Armour has become the latest victim of a massive digital theft of sensitive information about tens of millions of customers. The Baltimore company disclosed Thursday that an intruder grabbed the email addresses and login information during a February break-in affecting about 150 million users of its food and nutrition website, MyFitnessPal. Click to read entire article.

Panera Bread Breach Raises Questions, Concerns About Data Security

The restaurant chain’s web site exposed millions of customer records –including names, email and home addresses, birthdays and the last four digits of customer credit card numbers – for at least eight months according to Brian Krebs in his blog KrebsOnSecurity. The data contained records for online customers of the St. Louis-based company, which has more than 2,100 North American locations. Click to read entire article.

Employee Phishing Likely To Blame For Saks, Lord & Taylor Breach

Experts say an employee phishing scam is likely to blame for the data breach affecting millions of Saks Fifth Avenue and Lord & Taylor payment cards. Hudson’s Bay disclosed the breach on Sunday and said an estimated 5 million cards were compromised. The Canadian company noted it has commenced an investigation. Click to read entire article.

PUBLIC ENTITY
Atlanta Hit By Cyber Attack

Much of Atlanta city government has been forced to rely on pen and paper this week thanks to a Ransomware attack. Click to read entire article.

Marion County Sheriff’s Department Reports a Data Breach of Their Booking Computer System

The Marion County Sheriff’s Department has sent letters to an undisclosed number of those booked into the Marion County Jail telling them of a security breach that has allowed some of their personal information to be compromised. Click to read entire article.

Baltimore Encounters Breach of its 911 Dispatch Systems

An unknown individual else group of persons hacked the total 911 dispatch computers of Baltimore during past Saturday-Sunday, causing the automated dispatching to be tentatively shutdown. Click to read entire article.

MANUFACTURING
Ransomware virus hits Boeing, affecting “small number of systems”

American plane manufacturer Boeing announced that it “detected a limited intrusion of malware” that infiltrated “a small number of systems,” according to a statement released by a company official. The Seattle Times reports that Boeing fell victim to the WannaCry virus, which held computers hostage earlier this year in the largest cyberextortion scheme ever, CNET reports. Click to read entire article.

FINANCIAL SERVICES
City of Corpus Christi: Customers should monitor bank accounts after Frost Bank breach

The City of Corpus Christi wants everyone to monitor their bank accounts after a breach that may have affected some residents. Click to read entire article.

HEALTHCARE
—SETTLEMENT ALERT—
NJ’s Virtua Medical Group to Pay Fine Following Data Breach Investigation

In addition to paying the state $417,816, Virtua will move internally to enhance its data security practices, according to a statement.
Virtua Medical Group, one of southern New Jersey’s largest health care providers, will pay more than $400,000 in fines and penalties in order to settle claims that it failed to properly protect the privacy of patients whose medical records were made available online. Click to read entire article.

Middletown Medical admits data breach of patient information

In a statement on their website, Middletown Medical administrators claim that a software security setting may have allowed unauthorized users access to patients’ names, dates of birth and treatment information back in January. Click to read entire article.

N.Y. hospital data breach, 135,000 patients potentially affected

An Albany, N.Y. hospital suffered a data breach affecting about 135,000 patients when an unauthorized party gained access to its servers. Click to read entire article.

NEW STATE LAWS
South Dakota is 49th State to Pass Data Breach Notification Law

South Dakota Governor Dennis Daugaard signed the state’s first data breach notification law in March 2018, which will go into effect on July 1, 2018. Click to read entire article.

Oregon Governor Signs Data Breach Law

Oregon is the latest state to enact a consumer protection law that would require residents to be notified within a specific time if their data has been breached. Click to read entire article.

Alabama Last US State to Enact Data Breach Notification Law

Alabama is now the 50th state to have data breach notification law, accounting for medical information. Click to read entire article.

CANADA
DriveHer, ride-sharing app for women, suspends service after data breach exposes personal information

Software left women who signed up for it vulnerable to having personal information exposed like their names, home addresses and drivers’ licences. Click to read entire article.

EUROPE / UK
Passwords of some 3.3 million Dutch on online search engine

A large number of emails and some 3.3 million passwords of Dutch people can be found easily online through a special search engine, newspaper AD discovered on Friday. The emails and passwords of employees of manly large Dutch organizations, companies and government institutions are found on this search engines, including of organizations that fulfill a vital function, the newspaper writes. Click to read entire article.

17,000 Tesco Bank Travel Money customers’ details leaked online by Travelex – who’s affected

Thousands of Tesco Bank customers have had their details exposed after a data leak instigated by its travel money partner Travelex, Mirror Money has learned. Click to read entire article.

INM journalists threaten lawsuit over data breach

A number of former employees of Independent News & Media whose personal data was allegedly compromised by a third-party security firm are considering taking legal action. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response