We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines.
As of May 30, the number of U.S. breaches captured in the 2017 ITRC Breach Report from the San Diego-based Identity Theft Resource Center totals 698, an increase of 35.3% over last year’s record pace (516) for the same time period. Of that total, 36 incidents took place at financial institutions, twice as many as last year for the same period, and affected a reported 520,000 records.
Zomato, the restaurant app, disclosed Thursday (May 18) that around 17 million users’ information has been stolen in a data breach. According to a report in CNN, the hackers took off with the email addresses and encrypted passwords from a Zomato database. The app covers more than one million restaurants across 24 countries and competes with Yelp.
Tempur Sealy International Inc. and its former website host were slapped with a proposed class action in Georgia federal court Monday alleging that their lacking security practices opened the door to a 2016 data breach, which the company failed to inform customers about in a timely fashion.
Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.
It appears a data breach of the company’s servers had taken place, which could have led to the criminals obtaining a lot of sensitive personal and financial information. To be more specific, the company acknowledges the data breach. Among the information potentially exposed to assailants are customer names and addresses, as well as credit card information.
Sears Holdings says some customers who shopped at Kmart stores may be the victims of a data breach. The company isn’t saying how many credit cards were affected, but it believes some credit card numbers have been compromised.
A report at SSL Store says the payout has hit $292 million already, and this figure does not include the several lawsuits that are still outstanding. The list of costs includes:
- $10 million paid in a class action lawsuit to affected consumers in March 2015.
- $19 million paid to Mastercard in an April 2015 settlement.
- $67 million paid to Visa in August 2015.
- $39.4 million paid to banks and credit unions for losses and costs related to the breach, in a December 2015 settlement.
- $18.5 million settlement.
OneLogin Inc., the provider of a single-sign-on password management service, announced today that it has suffered a data breach that may have put user information at risk. While OneLogin admitted the breach today, the company did not reveal to what extent its systems had been compromised.
Well-known and very popular digital signature service DocuSign acknowledged a data breach incident in which a large number of customer email addresses were stolen. The company announced on its website that the data stolen was limited to customer email addresses and that “no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed.”
Names and personal data of about a million people may have been compromised in a burglary involving Washington State University property. This month the university started alerting people who could be impacted.
OU unintentionally exposed thousands of students’ educational records — including social security numbers, financial aid information and grades in records dating to at least 2002 — through lax privacy settings in a campus file-sharing network, violating federal law.
Students were sent home from an exam after it was revealed the question paper had been stolen in a possible hacking attack.
After receiving $8.5 million in a medical negligence lawsuit, a Washington couple is filing another lawsuit against Virginia Mason Medical Center for its alleged actions following a patient data privacy breach.
New Hyde Park-based CoPilot Provider Support Services has agreed to pay $130,000 to settle with New York State after the company failed to alert customers of a data breach in a timely fashion. New York State Attorney General Eric Schneiderman said the firm violated general business law by waiting over a year to notify clients of a data breach that exposed 221,178 patient records. He said that CoPilot has agreed to pay $130,000 in penalties and to improve its notification and legal compliance program.
The Health and Human Services Commission is notifying people about the accidental loss of protected personal information. The breach may affect 1,842 people in the Houston area. A box of forms containing client information was found beside an unsecured dumpster in Houston at the E. 40th St. complex, an eligibility office.
On April 7, 2017, officials from the Mississippi Division of Medicaid (DOM) discovered evidence of a potential online security breach exposing the PHI of approximately 5,220 patients.
A week after an inside job at a Rodeo Drive reconstructive surgery practice, police are still piecing together clues and searching for stolen materials that compromised private medical and financial information of about 15,000 patients and several stars.
Health insurance, financial services, and payment card companies failed to keep a California attorney’s identity theft lawsuit in federal court and must face the allegations back in state court, the U.S. District Court for the Northern District of California held May 31 (Gallo v. Unknown No. of Identity Thieves, 2017 BL 183260, N.D. Cal., No. 17-CV-01465-LHK, 5/31/17).
Nearly 500 people may have had their Social Security numbers obtained in a data breach at the Florida Department of Agriculture and Consumer Services. Also, the names of 16,190 concealed-weapon license holders — out of more than 1.75 million in the state — may have been acquired in the hack.
Criminal data breaches will cost businesses a total of $8 trillion over the next five years, according to a global report from U.K.-based market intelligence firm Juniper Research.
A recent Ponemon/Metalogix report indicates that healthcare entities should be mindful to avoid a potential file sharing data breach.
Study shows companies running out-of-date OSes were three times more likely to suffer a data breach, and those with outdated browsers, two times more likely.
It was a multi-pronged attack: Not only did the malware shut down internal production at power companies, it also froze operators’ screens, leading them to believe operations were running normally.
Anonymous hackers have stolen and leaked 1.9 million email addresses and some 1,700 names and active phone numbers of Bell Canada customers.
A report from business management consultants Consult Hyperion has predicted that European FIs could face fines of up to €4.7bn ($5.2bn) in the first three years as financial services begin to adapt to the new regulations.
Basildon Council was recently fined £150,000 for publishing sensitive personal information about a traveller family on its website, including details about disabilities and mental health issues.
Italy’s data protection authority, Garante Privacy, has ordered Wind Tre to write to customers to notify them of a data breach that occurred on 20 March.
Old Mutual, South Africa’s prominent financial services company, has notified its customers of a data breach. This follows the company’s detection of an unauthorised entry to one of its systems.
Hackers are reportedly selling stolen data from the Qatar National Bank (QNB) and UAE InvestBank on the dark web. Both the banks suffered major data breaches in 2016 and the data of thousands of customers was later leaked online by hackers. Now, even as tensions escalate between the two Middle Eastern nations, cybercriminals appear to be cashing in on the underground cybercrime community.
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response