We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. This month we’re highlighting massive regulatory fines (NERC, HIPAA, COPPA, GDPR), legal settlements, hackers, blockchain vulnerability, and more! Don’t miss the items below in ORANGE.

ENERGY
NERC fines Duke Energy $10 million for cybersecurity failings

North Carolina-based Duke Energy has been fined a record $10 million by NERC (North American Electric Reliability Corporation) for 127 violations of rules designed to keep the U.S. power system safe from physical and cyber attacks. Click to read entire article.

RETAIL
—MEGA SETTLEMENT—
Wendy’s Reaches $50 Million Breach Settlement With Banks

18 Million Payment Cards From 7,500 Financial Firms Compromised in Data Breach
Where’s the breach? In 2015 and 2016, it was at Wendy’s, when attackers infected 1,025 of its restaurants’ point-of-sale systems with malware, leading to the loss of massive quantities of payment card data. Click to read entire article.

HEALTHCARE
—CLASS ACTION ALERT—
HIPAA Breach Results in a $4,500,000 Class Action Settlement

Community Health System, one of the largest health systems in the United States, has agreed to pay $4,500,000 to settle claims made against it arising from a 2014 data breach. The data breach exposed the names, dates of birth, addresses, telephone numbers, and Social Security numbers of approximately 4.5 million patients. Click to read entire article.

Patients of a St. Francis medical practice caught in a data breach

Patients of a Bon Secours St. Francis Health System medical practice are being notified that their personal information may be at risk after a data breach at the practice. Officials determined that patient information may have included names, dates of birth, Social Security numbers, addresses, health insurance company, and other information related to care provided at Milestone Family Medicine. Click to read entire article.

UConn Health reports data breach

UConn Health stated last Friday that it discovered the incident on Dec. 24, 2018, and that it is not aware of any fraudulent activities as a result of the breach or even whether any personal information was viewed. According to WFSB, about 326,000 records may have been exposed, including 1,500 that included Social Security numbers. Click to read entire article.

HIGHER EDUCATION
Regents approve $5.6 million settlement

University will allow compensation for those with stolen data
In May 2017, the backup hard drive with data generated by WSU’s Social and Economic Sciences Research Center was stolen, he said. The hard drive contained sensitive information of about 1.2 million people at WSU. Click to read entire article.

SOCIAL MEDIA / MOBILE APPS
Dating app Coffee Meets Bagel announces data breach on Valentine’s Day

Happy Valentine’s Day! Or not so much, for users of the popular dating app Coffee Meets Bagel. A data breach may have affected over 6 million app users looking for love. The company sent an email to users Thursday to address the issue. Click to read entire article.

PUBLIC ENTITY
Pompano Beach warned nearly 4,000 residents of data breach

A data breach at a company that handles the billing for municipal water service has Pompano Beach city officials working to minimize the potential damage. Click to read entire article.

Kentucky Counseling Center data breach affects 16,400 patient records

The Kentucky Counseling Center, a statewide mental health services organization, notified the federal Department of Health and Human Services earlier this month of a data breach that exposed information of 16,400 patients. Click to read entire article.

PRIVACY ETHICS / WRONGFUL DATA COLLECTION
—COPPA REGULATION—
TikTok pays record $5.7M fine for collecting data from children

The FTC said the $5.7 million penalty was the largest ever settlement for a children’s privacy issue. TikTok, formerly known as Musical.ly, was accused of knowingly tracking data from underage users without obtaining parental consent, as required by law. Click to read entire article.

CLOUD
—LOSS OF DATA—
VFEmail suffers complete data wipe out!

On Monday, 11th February, Wisconsin-based email provider VFEmail was attacked by an intruder who trashed all of the company’s primary and backup data in the United States. … John Senchak, a longtime VFEmail user from Florida, told Krebs on Security that the attack completely deleted his entire inbox at the company: some 60,000 emails sent and received over more than a decade were lost. Click to read entire article.

BLOCKCHAIN
Blockchain, Crypto Currencies Fall Victim To Hacker Thefts

Research by the Massachusetts Institute of Technology Review found that hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly. “Marketing slogans and headlines that called the technology ‘unhackable’ were dead wrong.” The MIT study cited incidents last month where a security team at Coinbase spotted something strange going on in Ethereum Classic (one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform). Security noticed that an attacker had somehow gained control of more than half of the network’s computing power (which is why the method is called a “51 percent attack”) and was using it to rewrite the blockchain, the history of all the transactions. That made it possible to spend the same cryptocurrency more than once, known as “double spends,” the report explained. Click to read entire article.

TECHNOLOGY
Hacker Who Stole Data from 600 Million Plus Accounts Strikes Again

A hacker who stole close to 620 million user records from 16 websites earlier this week has struck again, this time breaking into 127 million more records from eight more websites. Click to read entire article.

LEGAL UPDATES – CCPA
California Consumer Privacy Act: The Challenge Ahead – The CCPA’s “Reasonable” Security Requirement

The CCPA allows consumers to sue businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Click to read entire article.

GDPR UPDATES
—COOKIE WATCH—
Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration

Today, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices. Click to read entire article.

CANADA
Hackers Attempt to Extort Ontario Healthcare Provider CarePartners

The hacking group Team OrangeWorm publicly dumped two troves of data, one allegedly with the encrypted medical data of 80,000 patients, to DataBreaches.net. Click to read entire article.

EUROPE
Germany sees big rise in security problems affecting infrastructure

Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids and water suppliers, the BSI cybersecurity agency said on Sunday, adding however that they were not all due to hacking. Click to read entire article.

AUSTRALIA
Cyber Ransom Attacks On The Rise, As Toyota And Melbourne Hospital Become Latest Victims

A major Melbourne hospital and car manufacturer Toyota have had their systems infiltrated by hackers. A cyber crime syndicate accessed the medical files of 15,000 patients at Melbourne Heart Group at Melbourne’s Cabrini Hospital. … Meanwhile, Toyota Australia has confirmed it has been subject to an attempted cyber attack. Click to read entire article.

More than 800 data breaches reported to Australian privacy watchdog in 2018

Data from the Office of the Australian Information Commissioner (OAIC) reveals that last year it received 812 notifications as part of the mandatory breach reporting regime. Click to read entire article.

Australian bank customers caught in valuation firm data breach

Australia’s banks have started notifying customers who may have been caught up in an “industry-wide” data breach at an ASX-listed property valuation firm. Click to read entire article.