We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), also crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines. Also, don’t miss the items below in ORANGE.
Registration for the Cyber Risk Summit in Philadelphia opens Friday, March 16th. Learn more!
Akorn Inc. shares plunged Tuesday after Germany’s Fresenius SE (FSNUY) said a probe into possible data breaches at the generic drugmaker could force it to drop a planned $5 billion takeover. Click to read entire article.
State Could Seek As Much as $13.5 Million in Civil Penalties
Pennsylvania on Monday filed a lawsuit against Uber for allegedly violating the state’s mandatory breach notification law. It’s the latest in a long string of legal and regulatory actions Uber is facing from a serious data breach the company waited more than a year to disclose. Click to read entire article.
Add Tesla to the legion of organizations that have been infected by cryptocurrency-mining malware. In a report published Tuesday, researchers at security firm RedLock said hackers accessed one of Tesla’s Amazon cloud accounts and used it to run currency-mining software. Click to read entire article.
A serious computer virus that has struck the city of Allentown’s most critical systems is expected to cost nearly $1 million to remove and has forced the city to shut down some financial and public safety operations. Click to read entire article.
Officials with the Kansas Department for Aging and Disability Services has been notifying individual consumers about an incident where personal or protected health information was released to a group of business associated. Click to read entire article.
Governor Charlie Baker said he is “extremely disappointed” with a Department of Revenue data breach that made private information from about 39,000 business taxpayers visible to other companies, potentially including competitors. Click to read entire article.
Officials say a former California state employee downloaded sensitive personal information on thousands of fellow workers, potentially exposing them to identity theft. The Sacramento Bee reported Friday that the information included Social Security numbers for Department of Fish and Wildlife employees and contractors. Click to read entire article.
What was perhaps the most prehistoric data breach in recent memory has turned 2 former business allies into foes. The health insurance titan Aetna and its onetime legal services vendor, Kurtzman Carson Consultants (KCC), filed lawsuits against each other this week, following a snail mail snafu that exposed 12,000 customers’ HIV-related information and resulted in a $17 million class-action judgment. Click to read entire article.
On Friday, St. Peter’s Surgery & Endoscopy Center revealed that hackers potentially compromised medical records of about 135,000 patients earlier this year. The breach has been reported as required under law to the Office of Civil Rights at the U.S. Department of Health and Human Services. Hackers from an “unknown and unauthorized third party” installed malware on computer servers. Click to read entire article.
A community hospital in Tennessee is warning 24,000 patients their information may have been exposed last year during a cyberattack linked to its EHR system. The attack involved unauthorized software installed on a server that hosts Decatur County General Hospital’s (DCGH) EHR system, according to a letter (PDF) sent to patients impacted by the incident. Click to read entire article.
Ohio man indicted in connection to software breach that lasted 19 months
The University Health System is in the process of notifying 1,882 patients about a security breach that occurred between May 2015 and December 2016 where an unauthorized Ohio man, Phillip Durachinsky, may have been able to view patient information. Click to read entire article.
A small amount of patient information was visible in the windows of envelopes sent out, leading to the Tufts Health Plan data breach. Click to read entire article.
At around 12:15 PM ET on Wednesday, a DDOS attack of 1.3 terabits per second hit Github – one of the largest development platforms in the world. This gigantic DDOS attack was the biggest in history, although GitHub servers were surprisingly resilient despite this extremely heavy load. Click to read entire article.
Plaintiffs argue inadequate security measures led to hard drive theft last spring
Four people are bringing a class-action lawsuit against WSU, alleging they suffered identity theft after a hard drive containing sensitive information for more than 1 million people was stolen from a WSU facility in April. Click to read entire article.
Officials say a data breach at the University of Alaska has impacted dozens of current and former employees and students. Click to read entire article.
For reasons unknown, a hacker decided to return millions of dollars – twice. Click to read entire article.
The latest count from the Identity Theft Resource Center (ITRC) reveals that there have been 140 data breaches recorded this year through February 21 and that nearly 3 million records have been exposed since the beginning of the year. Click to read entire article.
The Supreme Court’s rejection of a request by healthcare giant CareFirst to review a high-profile data breach case is likely good news for plaintiffs in arguing the threat of identity theft is sufficient for filing class-action lawsuits against companies that suffer a breach. Click to read entire article.
Judges in class action lawsuits involving privacy breaches are going to become “more accepting of the notion that you can get money for your inconvenience,” a lawyer said on Friday at NetDiligence’s Cyber Risk Summit in Toronto. Click to read entire article.
Deliberate or negligent acts of employees are a common source of data breaches globally. On 1 December 2017, the High Court of England and Wales ruled that a company can be held liable for the acts of a rogue employee who was responsible for a deliberate data breach. The employee in question exposed the personal data of almost 100,000 employees on the internet. Click to read entire article.
The Office of the Information Commissioner will not investigate a data breach at the University of Canberra where some staff were accidentally sent every employee’s personal details. Click to read entire article.
Nippon Ichi Software announced news that its American division, NIS America, was the victim of a major data breach that exposed the personal and financial data of online customers. Click to read entire article.
Thiruvananthapuram: Amid the debate over security of individuals’ private data, it was found that most of the government departments in Kerala have not incorporated the digital signature technology to their electronic files transactions, rendering them vulnerable to data theft and loss of privacy. Click to read entire article.
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response