We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: final settlement in the Anthem breach, more class actions, phishing, a coordinated international cyber heist using ATMs, business interruption, and more.

SOCIAL MEDIA
Facebook Says Security Breach Affected About 50 Million Accounts

Facebook Inc. said it discovered a security breach earlier this week that affected almost 50 million accounts, the latest in a series of missteps that are undermining confidence in the company’s social network and business model. Click to read entire article.

MOBILE APP
Uber to pay $148 million over data breach it concealed

Ride hailing service Uber agreed to pay a $148 million penalty over a massive 2016 data breach which the company concealed for a year, the company and state officials announced Wednesday. The agreement stems from a breach affecting some 57 million Uber riders and drivers disclosed by the California company, prompting litigation that was eventually joined by officials from the 50 US states and the District of Columbia. Click to read entire article.

FreshMenu 2016 Data Breach Reportedly Exposed Records of 110,000 Users, Company Responds

A report has now surfaced online that claims FreshMenu had a massive data breach back in 2016; a breach that exposed personal data of over 110,000 customers including their names, email addresses, phone numbers, home addresses, device information, and order histories. Click to read entire article.

RETAIL
Wendy’s faces lawsuit for unlawfully collecting employee fingerprints

Restaurant chain faces class-action lawsuit in Illinois for breaking BIPA state law. The complaint is centered around Wendy’s practice of using biometric clocks that scan employees’ fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems. Click to read entire article.

Adidas Class Action Claims Data Breach Caused By Security Flaws

A consumer says Adidas exposed the private information of millions in a June data breach that allegedly occurred because of the shoe company’s security flaws. Click to read entire article.

Newegg Suffers Huge Data Breach: What to Do

The company revealed today (Sept. 19) that its online-checkout pages had been infected by data-skimming malware from Aug. 14 until yesterday. The thieves behind it seem to be the same who hit British Airways earlier this month and the U.K. branch of Ticketmaster in July. Click to read entire article.

HEALTHCARE
Independence Blue Cross Admits to Healthcare Data Breach

Philadelphia-based Independence Blue Cross (IBC) announced Sept. 17 that PHI was uploaded by an employee to a website that was publicly accessible between April 23 and July 20, 2018. KYW news radio reported that around 17,000 IBC customers were affected. Click to read entire article.

UMass Memorial to Pay $230,000 for Healthcare Data Breaches

UMass Memorial healthcare entities have agreed to pay $230,000 to the state of Massachusetts to resolve claims that two separate healthcare data breaches exposed PHI of more than 15,000 state residents. Click to read entire article.

PUBLIC ENTITIES
Adams County clerk resigns after data breach that affected up to 250,000 people

The resignation comes after a data breach that affected up to 250,000 people was announced by Adams County on Aug. 10. The Adams County Board had been investigating Clerk Cindy Phillippi’s role in the data breach, according to county documents.
Click to read entire article.

BUSINESS INTERRUPTION
888 Poker Suffers DDoS Attacks

A recent string of Distributed Denial of Service (DDoS) attacks among online poker sites has claimed another victim, with 888 Poker confirming its status as the latest poker room to fall prey to the service disruptions that severely hamper operations and frustrate players. Click to read entire article.

CRYPTO-CURRENCY
Zaif cryptocurrency exchange loses $60 million in recent hack

The Osaka-based cryptocurrency exchange discovered the hack two days ago and is working to secure funds to reimburse affected users. Click to read entire article.

PRIVACY ETHICS / WRONGFUL DATA COLLECTION
New Mexico Sues Google and Other App Makers For Collecting Data of Child Users

The state of New Mexico filed a lawsuit against Google, Twitter, and several other companies that create mobile gaming apps targeted at kids. The state is now saying that many of these apps illegally collect data on children that could put their safety and privacy at risk. Click to read entire article.

LEGAL / LITIGATION UPDATES
GDPR: Data Breach Class Action Lawsuits Come to Europe

“Class actions are here to stay for data breaches,” says attorney Jonathan Armstrong, who’s a partner at London-based Cordery. “They’re more likely to succeed here than in the U.S., albeit with the caveat that their numbers will be smaller,” he says in an interview with Information Security Media Group. Click to read entire article.

CYBER RISK STUDIES
SMBs face costs of up to $2.5 million after a data breach

Over half of SMBs have now had a taste of how disastrous the consequences of a data breach can be. According to Cisco’s SMB Cybersecurity Report, released on Wednesday, 53 percent of midmarket companies have experienced a data breach. Click to read entire article.

EUROPE / UK
BA faces multi-million pound lawsuit on top of possible data breach fine

British Airways faces the threat of legal action over the unprecedented data breach that saw 380,000 passengers’ bank details stolen. The airline is already facing a fine of up to £500 million from the Information Commissioner’s Office for the breach. Click to read entire article.

—9,000 BANK CUSTOMERS AFFECTED—
Record-breaking £30m fine for Tesco Bank cyber security breach

Tesco’s banking arm is now facing a record fine from the UK’s financial regulator over the 2016 cyber security breach, with the Financial Conduct Authority (FCA) said to be considering a fine of up to £30m. …The relatively small number of customers affected adds shock value to the size of the proposed fine, which was first disclosed by Sky News. Click to read entire article.

SHEIN Notifies Customers Who May Have Been Affected By Data Breach

On August 22, 2018, SHEIN became aware that certain personally identifiable information of its customers was stolen during a concerted criminal cyberattack on its computer network. It is our understanding that the breach began in June 2018 and continued through early August 2018 and involves approximately 6.42 million customers. Click to read entire article.

ASIA / PACIFIC
ASIC Report Reveals ‘Unacceptable Delays’ by FIs in Handling Breaches

Some financial institutions are taking an average time of 1,726 days – or more than 4.5 years – to identify significant breaches, according to a new report by corporate regulator ASIC. Click to read entire article.

Perth Mint Says 3,200 Customers Affected By Data Breach

On Sept. 8, Australian broadcaster ABC reported a data breach affecting 13 people who used Perth Mint’s Depository Online, a web-based platform for purchasing precious metals. The leaked data included names, addresses, passport numbers and bank account details. Perth Mint, however, has upped the number of customers affected to 3,200, saying that the data exposed includes “customers’ address, bank details or identification details.” The revised figure represents slightly over 3 percent of Perth Mint’s 100,000 global customers. Click to read entire article.

Westpac employee gave 80 bank customers’ passwords to a mortgage broker in heinous security breach

More than 30 privacy breaches from Australia’s big four banks were reported to the Office of the Australian Information Commissioner between January 2012 and April 2018. One such breach involved a Westpac manager, who no longer works at the bank, handing over the banking passwords of 80 customers to a mortgage broker. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response