We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), as well as crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines. Also, don’t miss the items below in ORANGE.


CYBER RISK SUMMIT – PHILADELPHIA, JUNE 12-14, 2018
SOLD OUT – limited seats still available for pre-conference events!

The first event, Intro to Cyber, is designed for students, interns and summer associates who are interested in a career in cyber as an insurance, legal, or technical security professional. Free to attend – space is limited. Learn more.

The second event, Women in Cyber, is a luncheon featuring a candid panel discussion by experts with a wide range of backgrounds and professional experience from the cyber insurance, legal, and security sectors. Hosted by NetDiligence and sponsored by Kroll and Saul Ewing, there is a nominal charge to attend this event. Learn more.


RETAIL
I want my data back, data back, data back: Chili’s hit by data breach

If you have eaten at Chili’s restaurants within the past two months, then you might want to check your credit report and card statements. Chili’s parent company, Brinker International, announced over the weekend that customers’ payment information may have been exposed in a malware attack. Click to read entire article.

—VENDOR CAUSED—
Sears shares new details about customer information data breach

A vendor providing online support services to websites at Sears.com and Kmart.com informed the company that the vendor had experienced a security incident that may have affected the names, addresses, and payment card information for customers who placed or attempted to place orders on the Sears.com or Kmart.com websites. Click to read entire article.

FINANCIAL SERVICES
Data stolen in Sheffield Credit Union cyber attack

The personal data of about 15,000 members of a credit union has been stolen in a cyber attack. Sheffield Credit Union (SCU) said information including names, addresses, national insurance numbers and bank details had been accessed. Click to read entire article.

Verizon report raises big data security concerns for credit unions

According to Verizon’s 2018 Data Breach Investigations Report, 39 percent of malware-related data breaches involve malware, while Trojan botnets and denial of service (DoS) attacks are most common for the financial industry. Click to read entire article.

Student loan company tells 16,500 borrowers of data breach

A student loan services company recently notified 16,500 borrowers that files containing personal data were released to a business that wasn’t authorized to receive them. Click to read entire article.

HEALTHCARE
—LAWSUIT JETFUEL?—
OCR To Share HIPAA Data Breach Settlements With Victims

OCR is proposing to share a percentage of HIPAA data breach settlements with victims, as required by the HITECH law. …Christian said that OCR’s decisions on compensation for individuals or groups could provide an incentive for people to bring lawsuits because OCR decided that they should be compensated. Individuals could also file a lawsuit for other reasons, such as feeling like they weren’t compensated enough. Click to read entire article.

—CLASS ACTION ALERT—
UnityPoint data breach victims file class action lawsuit

The victims of a phishing attack targeting UnityPoint Health, which operates medical centers in Illinois, Iowa and Wisconsin, filed a class action lawsuit against the firm claiming victims were falsely told their social security numbers hadn’t been compromised, according to a federal class action lawsuit. Click to read entire article.

Data breach affects dental patients in Las Vegas area

About 3,750 patients of Las Vegas-area dental groups may have been compromised by a data breach. Click to read entire article.

Nuance Communications Breach Affected 45,000 Patients

Nuance Communications, which specializes in speech recognition software, says an unauthorized third party accessed one of its medical transcription platforms, exposing 45,000 individuals’ records. Click to read entire article.

The Oregon Clinic notifies patients after data breach

…The clinic has about 270 providers handling around 485,000 patient visits annually through 59 clinics serving northwest Oregon and southwest Washington. Click to read entire article.

ONLINE GAMES
Fortnite Battle Royale gamers at risk after data breach, experts say
800,000 players could be targets

Danny Jenkins, CEO and cybersecurity chief with Orlando based Threatlocker, told News 6 the users of the popular Epic Games video game are starting to see the consequences of that data breach. Click to read entire article.

SOCIAL MEDIA
—WRONGFUL DATA COLLECTION/SHARING—
Facebook accused of massive new data breach

What are described as the ‘intimate’ details of some three million Facebook users were apparently accessible on a research website for four years. Click to read entire article.

TECHNOLOGY
$80 Million Deal for Yahoo Investors Over Data Breaches OK’d

Yahoo investors claiming they lost millions after a series of massive data breaches will get $80 million under a settlement approved by a federal judge late Wednesday. In early 2017, a class of investors led by Mark Madrack sued Yahoo following its admission on Dec. 14, 2016, that Russian hackers had stolen information from more than 500 million users in 2014. The next day, Yahoo’s stock price fell by $2.50. Click to read entire article.

PUBLIC ENTITY
Possible data breach may affect 30,000 Goodyear utility customers

A possible data breach has left some 30,000 Goodyear utility customers vulnerable. The City says it learned Monday about an apparent issue with its bill pay systems when a customer informed city officials of fraudulent activity on their bank account. Click to read entire article.

FMCSA’s examiner registry outage caused by attempted malware plant

An attempt by an unknown source to plant malicious software (aka malware) on the Federal Motor Carrier Safety Administration’s database of agency-approved medical examiners is the root cause of the lingering outage of FMCSA’s National Registry of Certified Medical Examiners (NRCME), the agency has told CCJ. Click to read entire article.

Cities under siege: Hackers holding data and services for ransom

Major U.S. cities like Atlanta and Baltimore have been crippled by cyber attacks in the last few weeks, forcing police departments to resort to pen and paper instead of computers. Hackers demanded $51,000 in Bitcoin from the city of Atlanta, but the city refused to pay. Atlanta did pay $2.6 million in recovery costs. Click to read entire article.

Dozens of Erie County Social Services files lost last year

News 4 has learned that information on dozens of Erie County Social Services clients was possibly breached in 2017. Click to read entire article.

HIGHER EDUCATION
Global University Provides Notice Of Data Breach

Global University (“Global”) is providing notice to current and former students of a recent event involving the potential exposure of certain personal information. To date, Global has not received any reports that the information has been misused. Click to read entire article.

TECH OPINIONS
Yes, the Blockchain Can Be Hacked

…However, powerful as blockchains may be, they are not immune to attack. Any technology has weak points and attack vectors, and the blockchain is no exception. Click to read entire article.

CANADA
CBC warns past, current staff personal data may be at risk after break-in, theft of computer

The CBC is warning more than 20,000 of its past, present and contract employees that their personal and financial information may be at risk after a break-in and the theft of computer equipment. Click to read entire article.

Ontario PC candidate resigns after private 407 freeway confirms ‘internal theft’ of data on 60,000 customers

Samples of the leaked information suggest it was at one point in the hands of a company linked to an organizer who helped would-be PC candidates recruit members. Click to read entire article.

EUROPE / UK
Worcester Bosch admits data breach affecting ‘tens of thousands’

British boiler-maker Worcester Bosch has suffered a data breach that has inadvertently revealed the home addresses of “tens of thousands” of customers. Click to read entire article.

American buyers of European rail tickets suffer three month data breach

Americans who booked European train tickets through Rail Europe North America (RENA) may be victims of a near-three month data breach of their e-commerce system. Click to read entire article.

Uber’s license revoked in Brighton over data breach handling

Brighton Council has rejected Uber’s request to renew its licence to operate in the city, citing concerns around the ride-hailing company’s handling of a recent data breach which affected some 57 million accounts. Click to read entire article.

ASIA / PACIFIC
NPC receives 57 data breach notifications since January

A total of 57 data breach notifications have been received by the National Privacy Commission (NPC) since January this year, but not all have progressed into an actual investigation by the data privacy body. Click to read entire article.

Family Planning NSW targeted by hackers with ransom demand, data of 8,000 people at risk

People looking for information about abortions and contraception could have had their personal information stolen, after a major data breach at Family Planning NSW (FPNSW). Click to read entire article.

Major Australian Bank Data Breach Very Serious, Says AG

The Australian government has labelled a data breach which saw the nation’s biggest bank lose details of 20 million accounts as “very disappointing.” Click to read entire article.

Millions of Indians’ financial information may have been stolen from an Aadhaar-linking site

A data breach at the Employees’ Provident Fund Organisation (EPFO), a retirement fund for salaried workers, may have exposed the personal information of millions of Indians. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response