We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: stronger state laws (California & Arizona), GDPR-related breach outside the EU, increasing attacks on LATAM banks, major online data leaks/breaches, “HIPAA has teeth”, cloud services aggregation risk, and more. Also, don’t miss the items below in ORANGE.

In case you missed it:
GAME CHANGER – CALIFORNIA CONSUMER PRIVACY ACT
June 28th, 2018, marked a turning point in consumer data privacy protection in the United States, as California enacted the strongest such law in the country, giving consumers greater rights to restrict how private businesses collect and share/sell their personally identifiable information with third parties. Read our Security/Privacy Advisory on this important new legislation.
ONLINE MARKETING
A New Data Leak Reportedly Exposed 230 Million Americans’ Personal Information

A marketing firm has reportedly leaked detailed information on hundreds of millions of Americans online. …The information didn’t include credit card details or social security numbers, but it did include everything from email addresses, home addresses and phone numbers to details on religion, smoking habits, and pets. Click to read entire article.

ONLINE SERVICES
DNA testing service MyHeritage says 92 million customer email addresses were exposed

One of the world’s leading DNA-testing companies recently disclosed that a researcher had found on a private server the email addresses and hashed passwords of every customer that had signed up for its service. MyHeritage said Monday in a blog post that the breach involved roughly 92 million user accounts that were created through October of last year. Click to read entire article.

BUSINESS INTERRUPTION
Data breach disrupts concert ticketing service Ticketfly

Concert ticketing service Ticketfly says it’s working to get its system back online after a data breach leaked users’ personal information and disrupted services at live music venues. A check of the Ticketfly website Sunday night shows the website unavailable with the following announcement: “Due to a recent cyber incident, ticketfly.com is offline.” Click to read entire article.

Comcast Dealing With Major Outage Nationwide

A major outage affected Comcast customers nationwide, including in the Philadelphia market, on Friday. The outage affected Comcast cable, telephone and internet services. Click to read entire article.

FINANCIAL SERVICES
Nearly $1 Million Stolen from CHET Accounts During Security Breach

Nearly $1 million was stolen from CHET — Connecticut Higher Education Trust — accounts during a security breach and 21 account holders were affected, according to the Office of the State Treasurer. …Nappier said unauthorized individuals gained online access to 21 CHET account holders and made 44 withdrawals, amounting to a total of $1,416,635; of that, $442,540 was recovered or stopped. Click to read entire article.

HEALTHCARE
ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital

HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. Click to read entire article.

270,000 Med Associates records possibly compromised in data breach

Healthcare claims services provider Med Associates is notifying its patients that the facility suffered a data breach in March potentially exposing PII, including medical diagnosis and payment card information. Click to read entire article.

Michigan Medicine Admits to Healthcare Data Breach in Laptop Theft

University of Michigan’s Michigan Medicine announced June 25 that around 870 patients were affected by a healthcare data breach that involved the theft of an unencrypted laptop with PHI from an employee’s car. Click to read entire article.

HealthEquity breach exposes PII of 23,000 customers

About 23,000 accounts have been compromised by a data breach that took place at HealthEquity when an employee fell for a phishing scam. Click to read entire article.

Dignity Health discloses multiple data breaches to HHS

The San Francisco-based health care facilities operator Dignity Health recently experienced an accidental email breach affecting 55,947 patients, according to a May 31 disclosure form the not-for-profit corporation filed with the U.S. Department of Health and Human Services. Click to read entire article.

TELECOMMUNICATIONS
T-Mobile website data breach exposed customer addresses, PINs

According to an exclusive ZDNet report, a website bug on T-Mobile.com allowed anyone with access to a web browser to run a phone number and determine the home address and account PIN of the customer to whom it belonged. Click to read entire article.

PUBLIC ENTITY
Security Breach Reported At MWC’s Utility Online Payment System

A security breach has been reported to the City of Midwest City. The breach has affected Midwest City’s utility customer service online payment system. Midwest City said the Click2Gov online applications are at-risk including payments by cards stored in the service’s wallet. Midwest City said 2,256 customers were affected by the breach. Click to read entire article.

MOBILE APP
TaskRabbit says data breach affected 3.75 million app users and contractors

More than 3.75 million users are affected by a recent data breach at the handyperson-for-hire site TaskRabbit, a company spokeswoman confirmed Monday. Click to read entire article.

HOSPITALITY
—CLOUD SP/AGGREGATION RISK—
Hundreds of Hotels Affected by Data Breach at Hotel Booking Software Provider

The personal details and payment card data of guests from hundreds of hotels, if not more, have been stolen this month by an unknown attacker, Bleeping Computer has learned. The data was taken from FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries — as it claims on its website. Click to read entire article.

RETAIL
GameStop confirms buyout talks in wake of struggles and a data breach

Video game retailer GameStop confirmed Tuesday that it is in discussions with third parties for a potential buyout. Click to read entire article.

PDQ chicken restaurant warns customers of a data breach

The restaurant “PDQ” is warning its customers about a widespread data breach. PDQ officials say a hacker got into the company’s computer system and accessed personal information of some of its customers. Click to read entire article.

AIRLINE/TRAVEL
Popular Flight Tracker Flightradar24 Suffers Security Breach

News has surfaced that one of the world’s most popular flight tracking services Flightradar24, which shows real-time aircraft flight information on a map, has suffered a massive data breach that may have compromised email addresses and hashed passwords for more than 230,000 customers. Click to read entire article.

STATE LAW UPDATES
Arizona gets tough on businesses with new data breach reporting law

Among new requirements, the law boosts the maximum civil penalty for a knowing statute violation from $10,000 per breach to $500,000. Click to read entire article.

CRYPTOCURRENCY
Cryptocurrency Exchange Bitfinex Suffered Brief Outage After Cyberattack

The world of cryptocurrencies operates on blockchain technology. While it is considered as one of the safest types of technology – comprised of an extremely complex algorithm – it is still vulnerable to attacks from hackers and their ingenious viruses. Click to read entire article.

LATIN AMERICA
Banco de Chile Loses $10 Million in SWIFT-Related Attack

…This “smokescreen” style of attack was most recently used against Banco de Chile, the country’s second largest bank, which on May 24 lost about $10 million due to fraudulent SWIFT wire transfers. The theft happened while the bank was dealing with hundreds of workstations and servers that suddenly stopped working. The Banco de Chile attack follows an uptick in attacks against banks in Latin America. Last month, five banks in Mexico saw attacks against the Interbank Electronic Payments, known as SPEI, which is used for domestic interbank transfers. Click to read entire article.

CANADA
Cyber-attack accessed financial and personal information of CarePartner clients

One of the province’s most well-known home care service providers has fallen victim to a cyber-attack. The attack has breached CarePartners’ computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed, according to Ontario’s Local Health Integration Network. Click to read entire article.

SOUTH AFRICA – GDPR-RELATED
Liberty Data Breach – Setting A Precedent For GDPR?

This is not the first – merely the latest – in a series of information security failures affecting the personal data of South Africans. It is probably not even the worst incident thus far, in terms of volume or nature of information compromised. It is, however, a South African company’s first publicly-admitted violation of GDPR (the European Union’s General Data Protection Regulations), upon which our own Protection of Personal Information (PoPI) Act was based. Click to read entire article.

EUROPE / UK
Major breach at British retailer Dixons Carphone affects nearly six million bank cards

Intruders also accessed 1.2 million personal data records, such as names, addresses or email addresses, in what is shaping up to be one of Britain’s biggest data breaches involving a single company. Click to read entire article.

Firm hit with €443,000 fine for cyber breach

A cybersecurity expert has warned firms must recognise cyber attacks as a “clear and present danger”, as the Central Bank fined an asset management company after it lost €650,000 of a client’s funds in an online scam. Click to read entire article.

ASIA / PACIFIC
Tasmanian Government considers legal position on possible PageUp data breach

The Tasmanian Government is considering its legal position in regards to a possible data breach of online recruitment platform PageUp. The company last month revealed customer data had been accessed by a malware infiltration but investigations in Australia so far have not turned up evidence of data theft. Click to read entire article.

Exam analysis system shut down after report of security breach

The Education Ministry has temporarily shut down the school examination analysis computer system, Sistem Analisis Peperiksaan Sekolah, to investigate a claim of an attack on the system, Education Minister Dr Maszlee Malik said in a statement today. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response