The Data Breach Thread

[Moliere]

The time with website source code.

The “Impact Team” hackers who on Tuesday evening posted 10 gigabytes of user data from infidelity-facilitator Ashley Madison seem to have released a second trove of company data on Thursday. And this one is double the size at nearly 20GB.

Unlike the first data dump, this one isn't a accompanied by a full letter. Instead the message from the hackers is simple: "Hey Noel, you can admit it's real now." Noel Biderman is the CEO of Ashley Madison owner Avid Life Media.

[El Guapo]

So the new stuff is company emails and source code, as opposed to the previous which was user data?

[GreenGoo]

re: Rip's post about research.

Well, of course. Or someone is using my email address without my permission. Whatever is easier to believe, that's my story and I swear to it.

[Moliere]

UT represent!

[Isgrimnur]

Suicide investigations

The hack of the cheating website Ashley Madison has triggered extortion crimes and led to two unconfirmed reports of suicides, Canadian police said Monday.

The company behind Ashley Madison is offering a $500,000 reward for information leading to the arrest of members of a group that hacked the site.
...
[Toronto Police acting staff-Supt. Bryce] Evans said there are confirmed cases of criminals attempting to extort Ashley Madison clients by threatening to expose them unless payment is received.

The police official did not offer further details of the unconfirmed suicides. He also said hate crimes may be connected to the hack but did not provide details.

[LawBeefaroni]

Uber.

On Thursday, a site-specific search on Google for trip.uber.com produced dozens of links to Uber rides that have been completed and cancelled, in countries around the world including the U.S., England, Russia, France and Mexico.

Each link leads to a Web site with a map showing the ride's route, with the pickup and destination tagged with markers. A card on the page also shows the first name of the rider and driver, along the driver's photo, make and model of the car, and license plate number.

...

In the code, exact addresses for the pick-up spot and destination can be found. So can the car's license plate and the exact date and time of the ride.

Though this is less a breach and more an "Oops!" from riders and drivers not un-sharing their rides.

[El Guapo]

Uber.

On Thursday, a site-specific search on Google for trip.uber.com produced dozens of links to Uber rides that have been completed and cancelled, in countries around the world including the U.S., England, Russia, France and Mexico.

Each link leads to a Web site with a map showing the ride's route, with the pickup and destination tagged with markers. A card on the page also shows the first name of the rider and driver, along the driver's photo, make and model of the car, and license plate number.

...

In the code, exact addresses for the pick-up spot and destination can be found. So can the car's license plate and the exact date and time of the ride.

Though this is less a breach and more an "Oops!" from riders and drivers not un-sharing their rides.

So if I understand this right, unless I specifically shared ride links on social media, this doesn't impact me?

[Moliere]

Excellus

Only 10 million health insurance records compromised.

[LawBeefaroni]

Uber.

On Thursday, a site-specific search on Google for trip.uber.com produced dozens of links to Uber rides that have been completed and cancelled, in countries around the world including the U.S., England, Russia, France and Mexico.

Each link leads to a Web site with a map showing the ride's route, with the pickup and destination tagged with markers. A card on the page also shows the first name of the rider and driver, along the driver's photo, make and model of the car, and license plate number.

...

In the code, exact addresses for the pick-up spot and destination can be found. So can the car's license plate and the exact date and time of the ride.

Though this is less a breach and more an "Oops!" from riders and drivers not un-sharing their rides.

So if I understand this right, unless I specifically shared ride links on social media, this doesn't impact me?

According to Uber, that's the case. You had to use the Share Your ETA feature. If that Share Your ETA link makes it anywhere that Google indexes, it shows up in a search. But as far as I can tell it's always been unsecured. Just not easily found.

[Isgrimnur]

Cal State via We End Violence

A data breach at a third-party vendor that provides online training to prevent sexual violence has exposed the personal information of 79,000 students at eight California State University campuses, school officials said.

Cal State said the hack of computer systems of the vendor, We End Violence, compromised the data of students at CSU Channel Islands, Cal State Los Angeles, CSU San Bernardino, CSU Maritime Academy, California Polytechnic University (Pomona), CSU Northridge, San Diego State and Sonoma State University.
...
We End Violence has a contract with Cal State to provide a one-hour online training class on sexual violence prevention. The noncredit class is required for all students under state law.

The exposed data included names, student IDs, campus-issued email addresses and mailing addresses. Cal State officials said no Social Security numbers, driver's license numbers or other personal identifiable information was put at risk.

School officials have notified all impacted students, and their login information has been erased.

[El Guapo]

Does it qualify as a breach if the door was left wide open?

Boston’s License Plate Reader Database Was Online in Plain Text With No Password Protection

[Isgrimnur]

We really need better ways to punish government for acting with callous disregard to its citizens. You'd be hard pressed to prove any damages, and any financial damages are the equivalent of taking money out of your own pocket. It's sure not a huge enough deal that anyone is going to get voted out of office. And a scapegoat isn't going to solve anything.

[Isgrimnur]

Your luggage:

It's a basic fact of life that once you publish something on the Internet, it's pretty much impossible to get it back. Now illustrating that point with painful clarity, images of the TSA's master luggage keys have been published online, meaning that anyone with a 3D printer can make their own.

It all started when The Washington Post published a story last November about "the secret life of baggage" that was reportedly accompanied -- only briefly -- by a photo of the master keys the Transportation Security Administration uses to open what it calls "TSA recognized" luggage locks.

The photo was hastily taken down, but -- predictably -- not before it was snagged and circulated. Reports about the leak began to appear last month, but it wasn't until this week that detailed blueprints showed up on GitHub.
...
Now, anyone with a 3D printer can create their own copies of the TSA master keys -- and create them they have, according to reports from exuberant users.
...
The TSA's master keys are designed to enable security officers to inspect luggage without having to cut off any locks protecting it. They work on locks created specifically for that purpose through partnerships between the agency and lock manufacturers.

[Moliere]

Your fingerprints

On Wednesday, the Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers revealed over the summer has grown from 1.1 million to 5.6 million.

[Cortilian]

Your fingerprints

On Wednesday, the Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers revealed over the summer has grown from 1.1 million to 5.6 million.

wow

[Freyland]

Your fingerprints

On Wednesday, the Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers revealed over the summer has grown from 1.1 million to 5.6 million.

Well, duh! Each employee has five fingers on their hand.

[LawBeefaroni]

Your fingerprints

On Wednesday, the Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers revealed over the summer has grown from 1.1 million to 5.6 million.

Well, duh! Each employee has five fingers on their hand.

Nice.

[Freyland]

[Isgrimnur]

WE have come to an understanding:

The United States and China have agreed not to "conduct or knowingly support" cyber-theft of intellectual property or commercial trade secrets, the presidents of both countries announced Friday in an address at the White House Rose Garden.

Chinese President Xi Jinping, whose arrival in the U.S. this week marked his first-ever visit as president, jointly led the press conference with Obama. Despite mounting reports of cyberattacks on U.S. entities being linked to China, the nation has repeatedly denied involvement in such hacks.

"I raised, once again, our very serious concerns about growing cyber threats," Obama said of his discussions with Xi. "I indicated that it has to stop."

The agreement didn't go as far as some had hoped. Obama stopped short of calling the conclusion a true cease-fire, characterizing the talks instead as a "common understanding on the way forward."

In addition to the agreement to stop theft of trade secrets, China and the U.S. will also create two related working groups: one panel of experts who will hold "further discussions" on the cyber topic," and "a high-level" group focused on how to fight cyber crime, the White House said in a statement that provided more details. That high-level group will meet once by the end of 2015 and twice a year after that.

[Isgrimnur]

Hilton

Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.
...
ources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all were used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

In a written statement, a Hilton spokesperson said the company is investigating the breach claims.
...
As with other recent card breaches at major hotel chains — including Mandarin Oriental and White Lodging properties — the breach does not appear to be related to the guest reservation systems at the affected locations. Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.

It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.

[LawBeefaroni]

Hilton

Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.

POS terminals that are often left unattended in hotels...



Cash, baby, cash.

[Isgrimnur]

If you're traveling to Mexico, I would recommend reading Krebs' three part series on compromised ATMs.

[LawBeefaroni]

If you're traveling to Mexico, I would recommend reading Krebs' three part series on compromised ATMs.

I only use bank branch housed ATMs. I figure if they get compromised nothing is really safe.

When I go out of the country I usually take cash and use tellers if necessary. I may have used an ATM in Iceland. Of course I have no idea how it works in Mexico. I imagine if I every find myself down there I'll have to come up with a plan. Step one would probably be "Figure out what the heck I'm doing in Mexico."

[Isgrimnur]

Finally, many readers have asked if any of the skimmed ATMs I found in Mexico were bank-owned and operated ATMs, or machines on the premises of bank properties. None of them were: All were free-standing cash machines owned and operated by private companies.

[LawBeefaroni]

Finally, many readers have asked if any of the skimmed ATMs I found in Mexico were bank-owned and operated ATMs, or machines on the premises of bank properties. None of them were: All were free-standing cash machines owned and operated by private companies.

Well, there you go. So I guess my curmudgeon system system would work in Mexico too.

[Isgrimnur]

For now. In his sample size. Not every bank administers their own ATM networks. Mine recently changed from one provider to another. But at the moment, it would seem to be the safer way to go.

[LawBeefaroni]

Total aside, but you know how some ATMs have a headphone jack for visually impaired users? Or they did, not sure if they still do. Anyway, I was at a bank branch and had my headphones on so just out of curiosity, I plugged into the ATM to see how it worked. Security was on me in about 45 seconds asking what I was doing. They accepted my explanation and I was impressed. Granted, this was a huge branch on Michigan Ave but still, impressive.

[Pyperkub]

Trump Hotels:

Hackers snuck a computer virus into Trump hotels across the United States and Canada, potentially stealing customer credit card data for an entire year.

The Trump Hotel Collection recently acknowledged the computer infection on its website.

Apparently, hackers managed to hide inside the company's computers for a long time. The hotel chain warned that anyone who visited a Trump hotel between May 19, 2014 and June 2, 2015 "may have been affected."

[Isgrimnur]

Experian; T-Mobile

A massive data breach at Experian, one of the country's major credit rating bureaus that companies use to conduct credit checks, has exposed the personal information of as many as 15 million T-Mobile customers, according to the mobile carrier.
...
While Experian handles the personal information of many Americans, the bureau said the hack, which was discovered on Sept. 15, is only limited to T-Mobile customers. Here's what you need to know.

Who Is Affected

Experian said the incident is "isolated" and is only limited to consumers who applied for T-Mobile USA services between Sept. 1, 2013, and Sept. 16, 2015.

What's Been Exposed

The information exposed to hackers includes names, addresses, social security numbers, date of birth, and various identification numbers, including a passport, driver's license or military identification number, according to Experian.

[LawBeefaroni]

That's some juicy data right there. And a huge fail by Experian. Isn't that who you go to for monitoring when your data gets compromised?

[Isgrimnur]

I'm sure Equifax and TransUnion are throwing parties.

[Isgrimnur]

ScottTrade

Discount broker Scottrade said on Friday that it believes it was the victim of a cyber attack from late 2013 to early 2014 that targeted client names and addresses.

The firm said in a posting on its website it was notifying an estimated 4.6 million clients of the breach and offering them identity protection services.

[Isgrimnur]

Krebs

In an email sent today to customers, St. Louis-based Scottrade said it recently heard from federal law enforcement officials about crimes involving the theft of information from Scottrade and other financial services companies.
...
The notice said that although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, “it appears that contact information was the focus of the incident.” The company said the unauthorized access appears to have occurred over a period between late 2013 and early 2014.

Asked about the context of the notification from federal law enforcement officials, Scottrade spokesperson Shea Leordeanu said the company couldn’t comment on the incident much more than the information included in its Web site notice about the attack. But she did say that Scottrade learned about the data theft from the FBI, and that the company is working with agents from FBI field offices in Atlanta and New York. FBI officials could not be immediately reached for comment.

[Pyperkub]

I'm sure Equifax and TransUnion are throwing parties.

it's the third time in a year and a half

[Isgrimnur]

Trump Hotels:

Hackers snuck a computer virus into Trump hotels across the United States and Canada, potentially stealing customer credit card data for an entire year.

The Trump Hotel Collection recently acknowledged the computer infection on its website.

Apparently, hackers managed to hide inside the company's computers for a long time. The hotel chain warned that anyone who visited a Trump hotel between May 19, 2014 and June 2, 2015 "may have been affected."

Deets

The Trump advisory named the individual properties that were hit with the card-stealing malware, including Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto. The hotel collection said transactions on the point-of-sale terminals at the Las Vegas and Waikiki properties may also have been intercepted by card thieves.

This tracks almost exactly what I heard from banks in June of this year, who told me they had little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — were dealing with a card breach that appeared to extend back to at least February 2015. Turns out, it was quite a bit longer than that.

[Isgrimnur]

Timeline

October 1, 2015 – Liability will shift to acquirers for domestic and cross-border counterfeit fraud card-present POS transactions if the merchant does not have an EMV-enabled POS device.

If the card loss isn't your fault, you still have the current protections in place.

The date passed with nary a peep. Even I forgot.

Krebs

Effective October 1, 2015, U.S.-based merchants that have not yet installed card readers which accept more secure chip-based cards assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers) cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.

[stessier]

ScottTrade

Discount broker Scottrade said on Friday that it believes it was the victim of a cyber attack from late 2013 to early 2014 that targeted client names and addresses.

The firm said in a posting on its website it was notifying an estimated 4.6 million clients of the breach and offering them identity protection services.

Just got this today. It ain't short, hence the spoiler tags.

Spoiler:

We are writing to share with you important information about a security compromise involving a database containing some of your personal information, as well as steps we are taking in response, and the resources we are making available to you.

What Happened

Federal law enforcement officials recently informed us that they’ve been investigating cybersecurity crimes involving the theft of information from Scottrade and other financial services companies. We immediately initiated a comprehensive response.

Based upon our subsequent internal investigation coupled with information provided by the authorities, we believe a list of client names and street addresses was taken from our system. Importantly, we have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. All client passwords remained encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.

Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident.

The unauthorized access appears to have occurred over a period of several months between late 2013 and early 2014. We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm. We have taken appropriate steps to further strengthen our network defenses.

What Happens Now

Federal authorities had requested that they be allowed to complete much of their investigation before we notified clients. In coordination with them, we are now able to alert you of this incident. We are fully cooperating with law enforcement in their investigation and prosecution of the criminals involved.

Notices like this one are being sent to all individuals and entities whose information was contained in the affected database, and we have included here information about steps you can take to protect yourself.

Information about this incident is available online at and we will update that web page if new data becomes available.

What You Can Do

As always, we encourage you to regularly review your Scottrade and other financial accounts and report any suspicious or unrecognized activity immediately. As recommended by federal regulatory agencies, you should remember to be vigilant for the next 12 to 24 months and report any suspected incidents of fraud to us or the relevant financial institution. Please also read the important information included on ways to protect yourself from identity theft.

We encourage clients to be particularly vigilant against email or direct mail schemes seeking to trick you into revealing personal information. Never confirm or provide personal information such as passwords or account information to anyone contacting you. Please know that Scottrade will never send you any unsolicited correspondence asking you for your account number, password or other private information. If you receive any letter or email requesting this information, it is fraudulent and we ask that you report it to us at. Be cautious about opening attachments or links from emails, regardless of who appears to have sent them.

Identity Theft Protection

As a precaution, Scottrade has arranged with AllClear ID to help you protect your identity at no cost to you for a period of one year. You are pre-qualified for identity repair and protection services and have additional credit monitoring options available, also at no cost to you.

You can call AllClear ID with any concerns about your identity at 855.229.0083. This hotline is available from 8:00 am to 8:00 pm (central) Monday through Saturday.

We have also included additional steps you could consider at any time if you ever suspect you’ve been the victim of identity theft. We offer this out of an abundance of caution so that you have the information you need to protect yourself.

We are very sorry that this happened and for any uncertainty or inconvenience this has caused you. We know that incidents like these are frustrating. We take the security of your information very seriously and are committed to continually strengthening and evolving our defenses based on new and emerging threats.

Sincerely,
Scottrade

Brokerage products and services offered by Scottrade, Inc. - Member FINRA and SIPC.


AllClear ID Identity Theft Protection

We have arranged to have AllClear ID help you protect your identity for one year at no cost to you, effective Oct. 2, 2015. You are pre-qualified for AllClear SECURE identity repair and protection services and have additional credit monitoring options available with AllClear PRO, also at no cost to you.

AllClear SECURE: The team at AllClear ID is ready and standing by if you need identity repair assistance. This service is automatically available to you with no enrollment required. If a problem arises, simply call 855.229.0083 and a dedicated investigator will do the work to recover financial losses, restore your credit and make sure your identity is returned to its proper condition.

AllClear PRO: This service offers additional layers of protection including credit monitoring and a $1 million identity theft insurance policy. To use the PRO service, you will need to provide your personal information to AllClear ID. You may sign up online at or by phone by calling 855.229.0083.

This hotline is available from 8:00 am to 8:00 pm (central) Monday through Saturday.

Please note: Additional steps may be required by you in order to activate your phone alerts and monitoring options.

Important Identity Theft Information: Additional Steps You Can Take to Protect Your Identity

The following are additional steps you may wish to take to protect your identity.

Review Your Accounts and Credit Reports

Regularly review statements from your accounts and periodically obtain your credit report from one or more of the national credit reporting companies.

You may obtain a free copy of your credit report online at by calling toll-free 1.877.322.8228, or by mailing an Annual Credit Report Request Form (available at to: Annual Credit Report Request Service. P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting one or more of the three national credit reporting agencies listed below.

• Equifax, P.O. Box 740241, Atlanta, Georgia 30374-0241. 1.800.685.1111.
• Experian, P.O. Box 9532, Allen, TX 75013, 1.888.397.3742.
• TransUnion, 2 Baldwin Place, P.O. Box 1000, Chester, PA 19016. 1.800.916.8800.

Consider Placing a Fraud Alert

You may wish to consider contacting the fraud department of the three major credit bureaus to request that a "fraud alert" be placed on your file. A fraud alert notifies potential lenders to verify your identification before extending credit in your name.

Equifax: Report Fraud: 1.800.525.6285
Experian: Report Fraud: 1.888.397.3742
TransUnion: Report Fraud: 1.800.680.7289

Security Freeze for Credit Reporting Agencies

You may wish to request a security freeze on your credit reports. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $10.00 each to place, temporarily lift, or permanently remove a security freeze.

To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies by regular, certified or overnight mail at the following addresses:

• Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348
• Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
• TransUnion Security Freeze, Fraud Victim Assistance Department, 2 Baldwin Place, P.O. Box 1000, Chester, PA 19016

To request a security freeze, you will need to provide the following:

• Your full name (including middle initial, Jr., Sr., Roman numerals, etc.)
• Social Security number
• Date of birth
• Address(es) where you have lived over the prior five years
• Proof of current address such as a current utility bill
• A photocopy of a government-issued ID card
• If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft
• If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Don’t send cash through the mail.

The credit reporting agencies have three business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to authorize the removal or lifting of the security freeze.

To lift the freeze to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include (1) proper identification (name, address, and Social Security number), (2) the PIN number or password provided to you when you placed the security freeze; and (3) the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze all together, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three business days after receiving your request to remove the security freeze.

Suggestions if You Are a Victim of Identity Theft

• File a police report. Get a copy of the report to submit to your creditors and others that may require proof of a crime.
• Contact the U.S. Federal Trade Commission (FTC). The FTC provides useful information to identity theft victims and maintains a database of identity theft cases for use by law enforcement agencies. File a report with the FTC by calling the FTC’s Identity Theft Hotline: 1-877-IDTHEFT (438-4338); online at or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave., N.W., Washington, D.C. 20580. Also request a copy of the publication, "Take Charge: Fighting Back Against Identity Theft" from
• Keep a record of your contacts. Start a file with copies of your credit reports, the police reports, any correspondence, and copies of disputed bills. It is also helpful to keep a log of your conversations with creditors, law enforcement officials, and other relevant parties.
Take Steps to Avoid Identity Theft

Further information can be obtained from the FTC about steps to take to avoid identity theft through the following paths: calling 1-877-IDTHEFT (438-4338); or write to Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Ave., N.W., Washington, D.C. 20580.
Maryland residents can learn more about preventing identity theft from the Maryland Office of the Attorney General, by visiting their web site at calling the Identity Theft Unit at 410.567.6491, or requesting more information at the Identity Theft Unit, 200 St. Paul Place, 16th Floor, Baltimore, MD 21202.

North Carolina residents can learn more about preventing identity theft from the North Carolina Office of the Attorney General, by visiting their web site at calling 919.716.6400 or requesting more information from the North Carolina Attorney General’s Office, 9001 Mail Service Center Raleigh, NC 27699-9001.

Vermont residents may learn helpful information about fighting identity theft, placing a security freeze, and obtaining a free copy of your credit report on the Vermont Attorney General’s website at

Massachusetts residents are reminded that you have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $10 to place a security freeze on your account, and may require that you provide certain personal information (such as your name, Social Security Number, date of birth and address) and proper identification (such as a copy of a government-issued ID card and a bill or statement) prior to honoring your request. There is no charge, however, to place, lift or remove a security freeze if you have been a victim of identity theft and you provide the consumer reporting agencies with a valid police report.

[Moliere]

Dow Jones

Dow Jones & Co. disclosed that hackers had gained unauthorized entry to its systems, accessing contact information for current and former subscribers in order to send fraudulent solicitations.

The data breach potentially accessed payment card information for fewer than 3,500 individuals, said Dow Jones, a unit of News Corp and owner of The Wall Street Journal, MarketWatch and Barron’s. The goal of the hack seems to have been to obtain contact information, Dow Jones said.

[LawBeefaroni]

I got a new Target card in the mail. No magnetic strip or signature space on the back. It has a chip and requires a PIN to use.

Only my second chipped card.

[Isgrimnur]

America's Thrift Stores

Another charity store chain has been hacked: America’s Thrift Stores, an organization that operates donations-based thrift stores throughout the southeast United States, said this week that it recently learned it was the victim of a malware-driven security breach that targeted software used by a third-party service provider.

“This breach allowed criminals from Eastern Europe unauthorized access to some payment card numbers,” the company’s CEO said in a statement. “This virus/malware, is one of several infecting retailers across North America.”
...
“The U.S. Secret Service tells us that only card numbers and expiration dates were stolen. They do not believe any customer names, phone numbers, addresses or email addresses were compromised. This breach may have affected sales transactions between September 1, 2015 and September 27, 2015. If you used your credit or debit card during this time to purchase an item at any America’s Thrift Store location, the payment card number information on your card may have been compromised.”
...
The company is headquartered in Birmingham, Alabama and operates stores in Alabama, Georgia, Tennessee, Mississippi and Louisiana. According to the company’s site, the organization employs over 1,000 employees and pays over $4 million to its non- profit partners annually, as it turns donated items into revenue for their missions.