The Data Breach Thread

[Moliere]

Target To Pay $10 Million To Settle Lawsuit From Massive Data Breach

Target Corp has agreed to pay $10 million in a proposed settlement of a class-action lawsuit related to a huge 2013 data breach that consumers say compromised their personal financial information, court documents show.

Under the proposal, which requires federal court approval, Target will deposit the settlement amount into an interest bearing escrow account, to pay individual victims up to $10,000 in damages.

[Moliere]

Twitch

[Isgrimnur]

AT&T fined

On Wednesday, the Federal Communications Commission announced that AT&T would pay $25 million to settle an investigation into data breaches that occurred at the company's call centers in Mexico, Colombia, and the Philippines. The FCC said that at least two employees confessed to stealing private information belonging to thousands of US customers, including names, full and partial social security numbers, and account-related data, known as customer proprietary network information (CPNI). CPNI data is usually found on a person's phone bill and contains call metadata.

In all, the FCC estimates that almost 280,000 US customers were affected.
The commission also said that it had been looking into whether AT&T had promptly notified law enforcement regarding the theft of customers' CPNI.

According to a consent decree between the FCC and AT&T (PDF), the commission began investigating the matter in May 2014 when it learned of a possible data breach that occurred between November 2013 and April 2014 at a Mexican call center that AT&T contracted with to provide Spanish-language customer support services. AT&T told the FCC's Enforcement Bureau that it found that three employees of the call center had used login credentials improperly to steal names and the last four digits of social security numbers.

When questioned, at least two of the employees told the FCC “that they sold the information obtained from the breaches to a third party, known to them as 'El Pelón,'" which in Spanish refers to a bald man. According to The New York Times, “[t]he employees sought out the names and details corresponding to specific phone numbers that El Pelón had provided.” Those names and details were used to request handset unlock codes for stolen AT&T phones and for secondary market phones that El Pelón or others wanted to unlock. According to a senior FCC official speaking to The New York Times, "AT&T terminated its contract with the Mexican call center in September."
...
In addition, a history of lax privacy practices were found in the foreign call centers. “In Bogota, until May 27, 2014, full Social Security numbers were accessible in the ordinary course of business to three of the managers whose login credentials were used in these activities,” the FCC wrote. “After May 27, 2014, AT&T implemented measures to mask full Social Security numbers for AT&T Mobility Call Center managers.” AT&T said that it never found any evidence that those three managers had used the Social Security numbers improperly.

As a former AT&T Mobility (née Cingular) Call Center manager, I can confirm that this information was available. My faulty memory says that between 2004 and 2008 was when the viewability was taken away from the reps.

[Isgrimnur]

White Lodging

In February 2015, KrebsOnSecurity reported that for the second time in a year, multiple financial institutions were complaining of fraud on customer credit and debit cards that were all recently used at a string of hotel properties run by hotel franchise firm White Lodging Services Corporation. The company said at the time that it had no evidence of a new breach, but last week White Lodging finally acknowledged a “suspected” breach of point-of-sale systems at 10 locations.
...
In a press release issued April 8, 2015, White Lodging announced the “suspected breach of point of sales systems at food and beverage outlets, such as restaurants and lounges, from the period July 3, 2014 through February 6, 2015 at 10 properties.

While it acknowledged some of the locations breached this time around were the same as last year’s victim locations, the company emphasized that this was a separate breach.

Their properties include:

• Courtyard
• Fairfield Inn and Suites
• Residence Inn
• Full-Service Marriott
• Renaissance Hotels
• Springhill Suites
• Embassy Suites
• Hilton Garden Inn
• Homewood Suites
• IHG Hotels
• Starwood Hotels
• HYATT brands
• Hampton Inn
• Preferred Hotels

[Isgrimnur]

mSpy

Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers.

mSpy told BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money. mSpy also told the BBC that claims the hackers had breached its systems and stolen data were false.
...
News of the mSpy breach prompted renewed calls from Sen. Al Franken for outlawing products like mSpy, which the Minnesota democrat refers to as “stalking apps.” In a letter (PDF) sent this week to the U.S. Justice Department and Federal Trade Commission, Franken urged the agencies to investigate mSpy, whose products he called ‘deeply troubling’ and “nothing short of terrifying” when “in the hands of a stalker or abuse intimate partner.”

Last year, Franken reintroduced The Location Privacy Protection Act of 2014, legislation that would outlaw the development, operation, and sale of such products.

[Isgrimnur]

CareFirst BCBS

CareFirst BlueCross BlueShield on Wednesday said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.

According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.

Nobody is officially pointing fingers at the parties thought to be responsible for this latest health industry breach, but there are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.

[Isgrimnur]

Adult FriendFinder

Casual-dating website Adult FriendFinder has been hacked, an investigation from Channel 4 News has found — and the personal details of millions of users have been leaked.

With 63 million global users, Adult FriendFinder is one of the largest dating and casual encounter networks online. (For reference, there were an estimated 50 million Tinder users in late 2014.) But 3.9 million users' accounts have allegedly been leaked online, and are circulating in spreadsheets on forums.
...
The leak is also highly embarrassing for Adult FriendFinder in another way. Channel 4 News analysed the data and found that almost no women actually use the adult social network. "Among the 26,939 users with a UK email address," technology producer Geoff White writes, "there are just 1,596 who identified as female: a ratio of one woman to every 16 men."

[LawBeefaroni]

The leak is also highly embarrassing for Adult FriendFinder in another way. Channel 4 News analysed the data and found that almost no women actually use the adult social network. "Among the 26,939 users with a UK email address," technology producer Geoff White writes, "there are just 1,596 who identified as female: a ratio of one woman to every 16 men."

[Isgrimnur]

If they're all nymphomaniacs, it might not be a problem.

[LawBeefaroni]

Pretty sure a lot of them are prostitutes. Or men.

[Blackhawk]

Funny, I've known four or five people who have used that site (no, not 'known' in that sense) and every one of them was female. Real ones, with boobs and everything!

[GreenGoo]

Boobs are the best!

[Isgrimnur]

IRS

According to the Associated Press, the IRS has disclosed a hack where blackhats "used an online service provided by the agency" to access data for more than 100,000 taxpayers.

The IRS issued a statement today saying the compromised system was "Get Transcript." The AP reports thieves were able to bypass the security screen requiring user information such as SSN, date of birth, and street address. The IRS has shut down the service currently, and it claims "Get Transcript" was targeted for more than two months between February and mid-May.

Thus far, neither the AP nor the IRS has detailed exactly what information was obtained by hackers ("tax returns and other tax information on file with the IRS," according to the AP). Precisely how the attackers were able to bypass the necessary login screen has not been revealed at this time either.

Given this story is breaking, Ars will continue to monitor the situation and either update this post or file a follow-up story when more information becomes available.

[Moliere]

IRS

According to the Associated Press, the IRS has disclosed a hack where blackhats "used an online service provided by the agency" to access data for more than 100,000 taxpayers.

The IRS issued a statement today saying the compromised system was "Get Transcript." The AP reports thieves were able to bypass the security screen requiring user information such as SSN, date of birth, and street address. The IRS has shut down the service currently, and it claims "Get Transcript" was targeted for more than two months between February and mid-May.

Thus far, neither the AP nor the IRS has detailed exactly what information was obtained by hackers ("tax returns and other tax information on file with the IRS," according to the AP). Precisely how the attackers were able to bypass the necessary login screen has not been revealed at this time either.

Given this story is breaking, Ars will continue to monitor the situation and either update this post or file a follow-up story when more information becomes available.

When in doubt, blame social media!

Mr. Koskinen, when asked how impostors obtained answers to these so-called “out-of-wallet” questions, suggested social media might have played a role.

“This is not a hack or data breach. These are impostors pretending to be someone who has enough information” to get more, said Mr. Koskinen, who said thieves might be using sophisticated programs to aggregate and mine data.

[Moliere]

4 million federal workers via the Office of Personnel Management and the Interior Department

[RunningMn9]

I was one of the lucky 100k that got my past IRS info stolen and subsequently had some Russian goon file a fraudulent return on my behalf. They used TurboTax to file and when I got the Feds to stop the refund (as soon as I let them know that I owed money, they immediately flagged the other return as fake), I got a letter from TT kindly requesting their fee for filing the fake return. Idiots.

[Isgrimnur]

Executive Branch Federal Employees

Four million current and former federal employees, from nearly every government agency, might have had their personal information stolen by Chinese hackers, U.S. investigators said.

U.S. officials believe it could be the biggest breach ever of the government's computer networks. China called the allegation irresponsible.

The Office of Personnel Management, which is conducting background checks, warned it was urging potential victims to monitor their financial statements and get new credit reports.
...
The breach was initially thought to have affected the Office of Personnel Management and the Department of Interior, but government officials said hackers hit nearly every federal government agency.

An assessment continues, and it is possible millions more government employees may be affected.
...
U.S. investigators believe they can trace the breach to the Chinese government. Hackers working for the Chinese military are believed to be compiling a massive database of Americans, intelligence officials told CNN on Thursday night.

It is not clear what the purpose of the database is.
...
Employees of the legislative and judicial branches and uniformed military personnel were not affected.
...
The federal personnel office learned of the data breach after it began to toughen its cybersecurity defense system. When it discovered malicious activity, authorities used a detection system called EINSTEIN to unearth the information breach in April, the Department of Homeland Security said.

A month later, the federal agency learned sensitive data had been compromised.

The FBI is investigating what led to the breach.

[Moliere]

Social Security Numbers Of Every Federal Employee Stolen In Data Breach, Union Says

[Moliere]

Second hack exposed military and intel data

Hackers linked to China appear to have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances, several U.S. officials said Friday, describing a second cyberbreach of federal records that could dramatically compound the potential damage.

The forms authorities believed to have been accessed, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant's Social Security number and that of his or her cohabitant is required.

The officials spoke on condition of anonymity because the security clearance material is classified.

"This tells the Chinese the identities of almost everybody who has got a United States security clearance," said Joel Brenner, a former top U.S. counterintelligence official. "That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine. It helps you approach and recruit spies."

[LawBeefaroni]

It also most likely included background check information and reasons for denial of clearance. A treasure trove of individuals to approach for blackmail or because they may be disgruntled.

Sensitive information gathered in the background checks of current, former and prospective federal employees may have been compromised in hacks, the Office of Personnel Management said Friday.

An investigation by the Department of Homeland Security and the FBI found "there was a high degree of confidence" that information from background checks was revealed. Officials shared that information with federal agencies on Monday and it was made public Friday.

And of course, exposure to straight up strongarming:

The form required the listing of contacts and relatives, potentially exposing any foreign relatives of US intelligence employees to coercion, the report said. The form also required the applicant's Social Security number and that of their cohabitant.

[Isgrimnur]

OPM Chief Resigns

U.S. officials said on Friday that the embattled chief of the federal Office of Personnel Management, Katherine Archuleta, is resigning in the aftermath of the massive computer hacks that exposed personal data of more than 21 million government employees and contractors.

A White House official said Beth Cobert, currently working in the White House budget office, will assume the role of acting director of the personnel office.

I'm sure that will fix everything.

[Max Peck]

When in doubt, blame social media!

Mr. Koskinen, when asked how impostors obtained answers to these so-called “out-of-wallet” questions, suggested social media might have played a role.

“This is not a hack or data breach. These are impostors pretending to be someone who has enough information” to get more, said Mr. Koskinen, who said thieves might be using sophisticated programs to aggregate and mine data.

Necro-question: Was he blaming social media, or just describing one social engineering vector that might have been employed? I can't access the article to see the full context of the quote.

[em2nought]

Someone just started using my credit card that hasn't been out of it's rfid wallet for the past year, and it's still there.

[YellowKing]

Headline: Breach at IRS Exposes Tax Returns

“This is not a hack or data breach

[ericb]

The biggest problem with the OPM breach is the amount of information. If you don't know, the form in question includes:

Your complete name, alternative names, addresses, any other addresses within 7-10 years along with status (own, rent, house, apt, etc)
All of your personal information including SSN, selective service, date of birth, place of birth
5 neighbors including names, dates, addresses and phone numbers
3 references including names, dates and multiple phone numbers to be contacted
Your current spouse's and/or former spouse's name, previous names, date of birth, addresses, SSN, dates, marriage or divorce dates
All immediate relatives (former spouse, kids, step kids, parents, grandparents, in-laws, siblings) along with addresses, date of birth and citizenship
Your complete educational history starting with high school
Your complete work history (for at least the past 7 years) including where, how long, supervisor, addresses, phone numbers and why you left
Citizenship history, your military history, your family foreign interests especially property and citizenship
Police record, medical release, drug history, history with mental illness with the name of your therapist, civil court findings
Financial history including credit, releases, judgments and bankruptcy
Other information like adultery or security lapses

This is literally the complete life history of someone dating back at least seven years from the time it was turned in. For Top Secret you're looking at 10+ years. If they got the investigator's findings along with the original form (which seems likely) then most of the information is now officially verified and confirmed by the US Govt along with copies of certain reports (like your military record, full police report and your full credit report).

This isn't identify theft anymore...they could literally become you. Heads should be rolling down the streets of DC over this. 21 million records including the information above are now in the hands of chinese or russian hackers. Almost all of which are involved in or were involved in sensitive, secret or top secret clearance level federal government jobs. That's not including the tens of millions of spouses and kids in the same household also now compromised.

[Kraken]

they could literally become you.

Well I hope they do a better job of being me than I did. I'm not very good at it.

[Isgrimnur]

Trump Hotels

The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and now Republican presidential candidate Donald Trump, appears to be the latest victim of a credit card breach, according to data shared by several U.S.-based banks.
...
The Trump Organization just acknowledged the issue with a brief statement from Eric Trump, executive vice president of development and acquisitions: “Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

[Isgrimnur]

CVS Photo

Nationwide pharmacy chain CVS has taken down its online photo center CVSphoto.com, replacing it with a message warning that customer credit card data may have been compromised. The incident comes just days after Walmart Canada said it was investigating a potential breach of customer card data at its online photo processing store.
...
Last week, Walmart Canada warned it was investigating a similar breach of its online photo Web site, which the company said was operated by a third party. The Globe and Mail reported that the third-party in the Walmart Canada breach is a company called PNI Digital Media.

According to PNI’s investor relations page, PNI provides a “provides a proprietary transactional software platform” that is used by retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year.”

[hepcat]

I almost used them last week to create a custom mouse pad.

[LordMortis]

Costco

That could be be a problem. Costco is literally the only place I use debit card because of their only AmEx and Discover credit card crap.

If my CU account gets hacked because CostCo end us also being breached. :anger unto head exploding:

[Isgrimnur]

Assuming you aren't using their photo services website, you should be fine. For now.

[LawBeefaroni]

Costco

That could be be a problem. Costco is literally the only place I use debit card because of their only AmEx and Discover credit card crap.

If my CU account gets hacked because CostCo end us also being breached. :anger unto head exploding:

It sounds like only data residing with that 3rd party was compromised and they only have that if you did an online photo item order.

[Pyperkub]

Assuming you aren't using their photo services website, you should be fine. For now.

Yeah, don't scare me.

[Pyperkub]

UCLA Medical:

Hackers broke into the massive hospital network of the University of California, Los Angeles, accessing computers with sensitive records of 4.5 million people.

Names, medical information, Social Security numbers, Medicare numbers, health plan IDs, birthdays and physical addresses -- all were potentially stolen, according to the university.

That could affect anyone who has visited -- or works -- at the university's medical network, UCLA Health, which includes four hospitals and 150 offices across Southern California.

Ack! It's been decades since I was seen there, hopefully my records were never digitized...

[LawBeefaroni]

UCLA Medical:

Hackers broke into the massive hospital network of the University of California, Los Angeles, accessing computers with sensitive records of 4.5 million people.

Names, medical information, Social Security numbers, Medicare numbers, health plan IDs, birthdays and physical addresses -- all were potentially stolen, according to the university.

That could affect anyone who has visited -- or works -- at the university's medical network, UCLA Health, which includes four hospitals and 150 offices across Southern California.

Ack! It's been decades since I was seen there, hopefully my records were never digitized...

That's a huge deal. A hospital gets a laptop stolen and the wrath of the feds is felt. I can't imagine a wholesale breach with PHI and SSNs. Holy crap.

[Isgrimnur]

Ashley Madison

Ashley Madison, a dating website targeting married people, was breached by hackers, exposing the information of millions of its customers, site owner Avid Life Media confirmed.

In a statement released Monday on the Ashley Madison site, Avid Life Media says they were flagged on an unauthorized attempt to gain access to their systems. The company says sites have since been secured.
...
Avid, which also runs dating sites CougarLife and Established Men, did not say what data was compromised as a result of the breach. According to the blog Krebs on Security, the company's "user databases, financial information and other proprietary information" were affected.

In a later statement, the company says it used the Digital Millennium Copyright Act to remove posts related to the breach and any personal information posted online.

[Isgrimnur]

Krebs coverage

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

[Max Peck]

Ashley Madison

The schadenfreude is strong with this one...

[LawBeefaroni]

Krebs coverage

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Oh, wow. An interesting game of chicken.



Also, when they say:

a significant percentage of the population is about to have a very bad day

All I can think of:

On August 29th, 1997 2015, it's gonna feel pretty fucking real to you too. Anybody not wearing 2 million sunblock on that site is gonna have a real bad day. Get it?

[Default]

Ashley Madison - you're gonna get screwed!