We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.
Against Certain Directors in Connection with Customer Data Breach Filed
An investor in Wendy's Co (NASDAQ:WEN) shares filed a lawsuit against certain Wendy's directors in connection with a customer data breach. Click to read entire article.
A recent data breach affected 381,534 current and former members of Seattle-based Community Health Plan of Washington, The Seattle Times reports. The nonprofit organization, which provides insurance to Washington’s Medicaid members, began informing affected individuals Dec. 21. The patient information exposed in the breach includes names, addresses, Social Security numbers and health claims information. It does not include health providers’ notes on patients. Community Health Plan of Washington COO Marilee McGuire said there is not yet evidence of harm to members. Click to read entire article.
A health insurance data breach has affected approximately 19,000 people with employer-paid plans in Delaware, according to the Delaware Department of Insurance. The breach involved Summit Reinsurance Services and BCS Financial Corporation, subcontractors of Highmark Blue Cross Blue Shield of Delaware. Click to read entire article.
The data breach reportedly exposed personal and sensitive data of staff with the highest levels of security clearance. Click to read entire article.
Federal regulators said Monday that scores of pacemakers and implantable heart defibrillators made by St. Jude Medical are vulnerable to computer hacking, but a security patch is ready to address the problem. Click to read entire article.
A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend. The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery. Click to read entire article.
A Los Angeles community college has paid a $28,000 ransom after a hacker took student data hostage. The Los Angeles Daily News reports that 1,800 Los Angeles Valley College teachers and staff were locked out of their computers last week, leaving the data of 20,000 students compromised. College administrators elected to pay the $28,000 ransom in bitcoins rather than leave students without their data. Click to read entire article.
On Dec. 12, a Georgia Tech employee conducted research on a trusted website that had been compromised by malicious software known as ransomware. The ransomware infiltrated the employee’s computer, which was connected to Georgia Tech’s network, allowing access to a variety of files, some of which included sensitive personal information of current and past Georgia Tech employees. Click to read entire article.
Vera Bradley (VRA) said it is investigating a potential security breach involving customer data at its retail stores over the summer. Click to read entire article.
A Tennessee federal judge on Thursday gave the final stamp of approval to a nearly $2 million deal settling claims over data security breaches at several Mapco Express stores, saying that the deal puts class members first. Click to read entire article.
The company behind many sports and other trading cards, Topps, has disclosed a data breach. According to a notice sent to Topps customers, the company became aware of the breach in mid-October 2016, something that triggered an investigation revealing that ‘one or more intruders’ possibly stole some customer data. That data could include credit and debit card numbers, names, email addresses, and more. Click to read entire article.
Los Angeles County officials announced they had been the victim of a phishing hack that potentially exposed the personal data of hundreds of thousands of people. The attack occurred May 13, 2016, when 108 county employees responded to an email they believed to be legitimate and provided their usernames and passwords, according to officials. Click to read entire article.
The state of Maryland will not release a detailed report, or other related records, on a recently discovered data breach, in which personal information of former Frederick County Public Schools students was stolen. Roughly 1,000 names, dates of birth and Social Security numbers of former Frederick County students were taken in a data breach that officials said happened before 2010. Click to read entire article.
New Hampshire’s health commissioner is offering an extra apology as his agency deals with a data breach that led to personal information of up to 15,000 people being posted online. Click to read entire article.
Dover Federal Credit Union recently sent a letter warning customers an employee transferred DFCU files to the employee’s personal Dropbox account. Click to read entire article.
It appears Akbank has been the target of an attack against SWIFT on December 8. That is rather surprising, as SWIFT issued guidelines to have their partners beef up security. It looks like Akbank did not take the necessary precautions to keep their systems safe. Click to read entire article.
LinkedIn and Microsoft subsidiary Lynda announced that 9.5 million user accounts are at risk. An unauthorized third party accessed a database that contained account holder contact information, learning data and a list of the courses the user has viewed. The company, which provides a subscription-based online learning service for business and technology skills, said there is no evidence that passwords were stolen in the recent breach. Click to read entire article.
For the second time in as many years, security researchers have determined that hackers have caused a power outage in Ukraine that left customers without electricity in late December, typically one of the coldest months in that country. Click to read entire article.
Three officials with the Noble Network of Charter Schools signed off on using an improperly obtained list of Chicago Public School students’ names, addresses, current schools and grade levels to send recruitment postcards to the homes of at least 28,000 CPS kids, records obtained by the Chicago Sun-Times show. Click to read entire article.
The Federal Trade Commission (“FTC”) settled with online dating website AshleyMadison.com for $1.6 million stemming from FTC and state actions brought against the company as a result of a July 2015 data breach that exposed the profile and account information of approximately 36 million users. Click to read entire article.
E-Sports Entertainment Association (ESEA) was breached last year, with over 1.5 million ESEA accounts compromised, and hackers were confirmed to be trying to extort a significant amount of money to remain silent regarding the incident. Click to read entire article.
InterContinental Hotels Group (IHG) has hired a computer security company to look into the potential breach. Some of its customers have reported fraudulent transactions on their credit and debit cards. Which hotels were breached? InterContinental Hotels Group is the parent company for over 5,000 hotels all over the world. They include Holiday Inn, Holiday Inn Express, InterContinental, Crowne Plaza, Staybridge Suites, Kimpton Hotels, Even Hotels, and Hotel Indigo. Click to read entire article.
The Massachusetts decision spells out new challenges for lawyers working with breached companies. Click to read entire article.
A recent IBM study found that the average cost of a data breach has hit $4 million—up from $3.8 million in 2015. Click to read entire article.
Malware intended to collect the school’s passwords was installed on computers at the University of Alberta in Canada. The incident happened late last year, but the breach was only disclosed to the community on Thursday. Click to read entire article.
MANILA, Philippines — The decision of the National Privacy Commission (NPC) finding Commission on Elections (Comelec) Chairman Andres Bautista liable for the March 2016 data breach of the poll body’s voters’ database may be used by private individuals affected and victimized by the breach. Click to read entire article.
The breach took place months ago but users only got reset notification last week. Click to read entire article.
Mark Greisiger
NetDiligence®
Cyber Risk Assessment & Data Breach Services