We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: stronger state laws (California & Arizona), GDPR-related breach outside the EU, increasing attacks on LATAM banks, major online data leaks/breaches, “HIPAA has teeth”, cloud services aggregation risk, and more.
GAME CHANGER – CALIFORNIA CONSUMER PRIVACY ACT
June 28th, 2018, marked a turning point in consumer data privacy protection in the United States, as California enacted the strongest such law in the country, giving consumers greater rights to restrict how private businesses collect and share/sell their personally identifiable information with third parties. Read our Security/Privacy Advisory on this important new legislation.
A marketing firm has reportedly leaked detailed information on hundreds of millions of Americans online. …The information didn’t include credit card details or social security numbers, but it did include everything from email addresses, home addresses and phone numbers to details on religion, smoking habits, and pets. Click to read entire article.
One of the world’s leading DNA-testing companies recently disclosed that a researcher had found on a private server the email addresses and hashed passwords of every customer that had signed up for its service. MyHeritage said Monday in a blog post that the breach involved roughly 92 million user accounts that were created through October of last year. Click to read entire article.
Concert ticketing service Ticketfly says it’s working to get its system back online after a data breach leaked users’ personal information and disrupted services at live music venues. A check of the Ticketfly website Sunday night shows the website unavailable with the following announcement: “Due to a recent cyber incident, ticketfly.com is offline.” Click to read entire article.
A major outage affected Comcast customers nationwide, including in the Philadelphia market, on Friday. The outage affected Comcast cable, telephone and internet services. Click to read entire article.
Nearly $1 million was stolen from CHET — Connecticut Higher Education Trust — accounts during a security breach and 21 account holders were affected, according to the Office of the State Treasurer. …Nappier said unauthorized individuals gained online access to 21 CHET account holders and made 44 withdrawals, amounting to a total of $1,416,635; of that, $442,540 was recovered or stopped. Click to read entire article.
HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. Click to read entire article.
Healthcare claims services provider Med Associates is notifying its patients that the facility suffered a data breach in March potentially exposing PII, including medical diagnosis and payment card information. Click to read entire article.
University of Michigan’s Michigan Medicine announced June 25 that around 870 patients were affected by a healthcare data breach that involved the theft of an unencrypted laptop with PHI from an employee’s car. Click to read entire article.
About 23,000 accounts have been compromised by a data breach that took place at HealthEquity when an employee fell for a phishing scam. Click to read entire article.
The San Francisco-based health care facilities operator Dignity Health recently experienced an accidental email breach affecting 55,947 patients, according to a May 31 disclosure form the not-for-profit corporation filed with the U.S. Department of Health and Human Services. Click to read entire article.
According to an exclusive ZDNet report, a website bug on T-Mobile.com allowed anyone with access to a web browser to run a phone number and determine the home address and account PIN of the customer to whom it belonged. Click to read entire article.
A security breach has been reported to the City of Midwest City. The breach has affected Midwest City’s utility customer service online payment system. Midwest City said the Click2Gov online applications are at-risk including payments by cards stored in the service’s wallet. Midwest City said 2,256 customers were affected by the breach. Click to read entire article.
More than 3.75 million users are affected by a recent data breach at the handyperson-for-hire site TaskRabbit, a company spokeswoman confirmed Monday. Click to read entire article.
The personal details and payment card data of guests from hundreds of hotels, if not more, have been stolen this month by an unknown attacker, Bleeping Computer has learned. The data was taken from FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries — as it claims on its website. Click to read entire article.
Video game retailer GameStop confirmed Tuesday that it is in discussions with third parties for a potential buyout. Click to read entire article.
The restaurant “PDQ” is warning its customers about a widespread data breach. PDQ officials say a hacker got into the company’s computer system and accessed personal information of some of its customers. Click to read entire article.
News has surfaced that one of the world’s most popular flight tracking services, Flightradar24, which shows real-time aircraft flight information on a map, has suffered a massive data breach that may have compromised email addresses and hashed passwords for more than 230,000 customers. Click to read entire article.
Among new requirements, the law boosts the maximum civil penalty for a knowing statute violation from $10,000 per breach to $500,000. Click to read entire article.
The world of cryptocurrencies operates on blockchain technology. While it is considered one of the safest types of technology – comprised of an extremely complex algorithm – it is still vulnerable to attacks from hackers and their ingenious viruses. Click to read entire article.
…This “smokescreen” style of attack was most recently used against Banco de Chile, the country’s second largest bank, which on May 24 lost about $10 million due to fraudulent SWIFT wire transfers. The theft happened while the bank was dealing with hundreds of workstations and servers that suddenly stopped working. The Banco de Chile attack follows an uptick in attacks against banks in Latin America. Last month, five banks in Mexico saw attacks against the Interbank Electronic Payments, known as SPEI, which is used for domestic interbank transfers. Click to read entire article.
One of the province’s most well-known home care service providers has fallen victim to a cyber-attack. The attack has breached CarePartners’ computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed, according to Ontario’s Local Health Integration Network. Click to read entire article.
This is not the first – merely the latest – in a series of information security failures affecting the personal data of South Africans. It is probably not even the worst incident thus far, in terms of volume or nature of information compromised. It is, however, a South African company’s first publicly-admitted violation of GDPR (the European Union’s General Data Protection Regulations), upon which our own Protection of Personal Information (PoPI) Act was based. Click to read entire article.
Intruders also accessed 1.2 million personal data records, such as names, addresses or email addresses, in what is shaping up to be one of Britain’s biggest data breaches involving a single company. Click to read entire article.
A cybersecurity expert has warned firms must recognise cyber attacks as a “clear and present danger”, as the Central Bank fined an asset management company after it lost €650,000 of a client’s funds in an online scam. Click to read entire article.
The Tasmanian Government is considering its legal position with regard to a possible data breach of online recruitment platform PageUp. The company last month revealed customer data had been accessed by a malware infiltration but investigations in Australia so far have not turned up evidence of data theft. Click to read entire article.
The Education Ministry has temporarily shut down the school examination analysis computer system, Sistem Analisis Peperiksaan Sekolah, to investigate a claim of an attack on the system, Education Minister Dr Maszlee Malik said in a statement today. Click to read entire article.
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response