Cyber Security Idiots May 2011

X Factor Breach

‘X Factor’ hopefuls lost personal data in hack – Simon Cowell’s singing competition suffered a database security breach

Security News Daily, By Matt Liebowitz, May 4, 2011

The auditions for the upcoming season of the Simon Cowell-hosted singing competition “The X Factor” got off to a rocky start after the show’s network, Fox, revealed that cybercriminals hacked into a database containing the personal information of 250,000 potential contestants. Online thieves may have potentially made off with the names, emails, ZIP codes, phone numbers, genders and dates of birth of the quarter-of-a-million “X Factor” wannabes, according to an email from Fox about the security breach obtained by the Daily Star.  Although the show promises to vault its winner to celebrity stardom, this data breach is not the kind of widespread public exposure these would-be singing stars were hoping for. Fox’s email tells “X Factor” hopefuls that no financial information was accessed in the hack, and warns them to be cautious of phishing scams that may arise now that their sensitive information is in untrusted hands.

Second Major Data Breach To Hit Gaming Community In Recent Weeks

The Guardian, May 13, 2011

Hackers have accessed 25,000 customers’ details from video game developer Square Enix in a similar invasion that Sony PlayStation suffered. Hackers have broken into the vaults of the Japanese video game developer, Square Enix, accessing the details of 25,000 customers in the second major data breach to hit the gaming world in recent weeks. The software house, which is behind some of the world’s most successful computer game franchises, including Final Fantasy, Deus Ex and the Tomb Raider series, said the intruders could have stolen customer email addresses after cracking security on two of its websites. It said no credit card details were exposed, but admitted the CVs of 350 people applying for jobs in its Canadian offices could also have been downloaded.

Best Buy Customers Beware: Another Email Security Breach

The Consumerist, By MB Quirk, May 2, 2011

Remember just a few weeks ago when that email breach hit Best Buy, Kroger, TiVo, Walgreens and on and on? Well it seems the breach-y good times aren’t over yet, at least for Best Buy. The company has sent out another warning email to customers about a new leak which indicates that a third party finagled itself into a former Best Buy partner’s system, snatching up email addresses. Hopefully, that’s all they got.

Huntington bank sues ex-workers

Associated Press, May 8, 2011, By Brandy Brubaker

A lawsuit filed by Huntington National Bank claims six former employees stole more than 2,000 customer records before they quit to go work for the competition. The bank filed the lawsuit in federal court against former vice president Sandra D. Kokoska, former assistant vice president Kimberly A. Barnum, and mortgage department employees, Stewart P. McCaw, Lisa A. Musgrave, Carrie J. Swaniger and Marcie A. Lipscomb. The lawsuit alleges that the former employees committed a “brazen and egregious theft of trade secrets” when they abruptly resigned April 14 and opened a new loan origination office for MVB Bank in Cranberry Square, Morgantown, on April 18. Huntington claims that the defendants spent weeks leading up to their resignations downloading and printing confidential customer records from the bank’s secure database — records they then used to solicit Huntington’s existing and prospective customers. “These customer records did not merely include customer names, addresses and telephone numbers,” the lawsuit said. “In addition, the defendants took with them what is presently known to be over 2,000 customer Social Security numbers, dates of birth, bank account numbers, and other highly confidential, personal information of Huntington’s customers, the unwitting victims of this theft.”

Netflix Fires Call Center Worker for Stealing Data

IDG News Service, By Robert McMillan, May 04, 2011

Netflix has fired a call center worker for stealing credit card numbers from customers of the online movie service. The unnamed employee was fired after Netflix learned about the data theft on April 4, the company said in a letter to the office of the New Hampshire Attorney General that was published online this week.  The worker “accessed over approximately the past two months, without authorization, the credit card information of some Netflix customers who spoke with the individual over the telephone,” Netflix Senior Counsel Sharon Williamson wrote. The employee obtained customer names and credit card numbers, she wrote. Netflix is investigating the incident and has notified police. On Wednesday, Netflix declined to say how many customers were affected or whether any incidents of fraud had resulted from the theft. “We do everything we can to safeguard our members’ personal data and privacy, and when there’s an issue like this we deal with it swiftly and decisively,” said Steve Swasey, a Netflix spokesman.

Laptop stolen from contractor’s car affects 1,700 who sought to adopt children through Catholic Social Services

Data, May 4, 2011

A stolen laptop containing personal and protected health information of 1,700 clients of Catholic Social Services in Anchorage has resulted in a notification to the U.S. Dept. of Health & Human Services and affected clients. According to a notice on the CSS’s web site dated March 30: on February 2nd, CSS learned of a theft that had occurred on February 1. A laptop used by a contractor of the Pregnancy Support and Adoption Services program had been stolen from the contractor’s vehicle. According to CSS’s report to HHS, the contractor was Trisha Elaine Cordova. The laptop contained personal information on individuals who had requested a home study in order to adopt a child from 2008 – 2010. Information in the studies may have included some or all of the following for each individual: name, address, phone number, email, date of birth, driver’s license, health, family history, financial status, and recommendation for readiness to adopt. CSS noted that they did not expect the thief to be apprehended as the theft took place out of state, although they did not indicate where it occurred.

LastPass CEO Explains Possible Hack

PCWorld, By JR Raphael, May 5, 2011

The CEO of password management company LastPass says it’s highly unlikely hackers gained access to his millions of users’ data–but that he doesn’t want to take any chances. Speaking exclusively with PCWorld, LastPass CEO Joe Siegrist explained how his company came to the conclusion that its servers, which provide cross-platform password storage for millions of customers, may have been accessed by an outside party. Just one day earlier, LastPass announced via its blog that it had noticed a “network traffic anomaly” and was implementing additional security as a result. Siegrist now says he may have been “too alarmist” in assuming the worst, but that–even if it ended up hurting his company’s image–he wanted to act quickly and make sure everyone was informed. Given the proximity of the event to Sony’s PlayStation Network hack, after all, security was certainly high on many users’ minds.


Central Oregon Community College Hackers May Have Compromised Student Information

May 7, 2011

1110 KBND points us to a statement on the Central Oregon Community College web site:

Central Oregon Community College officials have identified some information on the COCC web site that may have been exposed as part of the recent unauthorized intrusion. COCC has taken down the web site while it works with law enforcement officials and industry security experts. It has been replaced by a single page with links to sites of importance to COCC students, faculty and staff but that are not part of the COCC web site. Email access is available via this temporary page. Comprehensive student and employee information is NOT contained on the COCC website. The college is analyzing information to see if there is any additional cause for concern of personally identifiable information being accessed or any additional data bases which might have been exposed. The information identified was from students who applied to the COCC nursing program for the current year, and for COCC Foundation scholarship for the next year. Neither set of applications include social security numbers or credit card numbers. They do include email addresses and COCC ID numbers.

Computer with private Reid Hospital information taken in home burglary


A computer stolen from the home office of a Reid Hospital employee in early April may have contained files with personally identifiable information on approximately 20,000 Reid patients. Craig Kinyon, Reid president/CEO, said the computer was password protected and was one of numerous items stolen in the break-in, which indicates the information was not the target of the thieves.  The information included reports on some Medicaid and some Medicare patients who received services from 1999 to 2008. These reports include patient names and Social Security numbers or Medicare numbers.

Assurant reports breach in customer account information

Kansas City Star, May 9, 2011

Assurant Employee Benefits said Monday that 1,007 customers in the Kansas City area have been notified that their personal information inadvertently was made available to another business client administrator. The insurer said human error caused those customers’ names, addresses, dates of birth, social security numbers and types of coverage to be available to a business client other than the employer of those policy holders. Bradley Peak, Assurant vice president of products and marketing, said the information never was accessed and that the company human resource officer who incorrectly received access to the information immediately reported it. Access to the information was terminated as soon as the mistake was discovered, Peak said. Melonie Jones, Assurant’s chief privacy officer, said the company takes the security of customer information very seriously and “will continue to monitor and improve our accuracy in the customer advocacy area.”

Personal Information Stolen from Reedsport Clinic

KEZI News, May 10, 2011

REEDSPORT, Ore. — A Reedsport clinic is alerting patients about a recent data breach. Police are looking for a hard drive containing patient information from Dunes Family Health Care. The organization that downloads and stores the clinic’s electronic records says it went missing on March 11. The clinic sent notices to more than 16,000 current and former patients Tuesday about the data breach.

Database of Fox Employees’ Passwords and Emails Leaked

By Adrian Chen, Gawker

Fox Broadcasting employees might want to change their passwords: A database of about 300 employees and associates’ email addresses and passwords, apparently stolen from a database, have been leaked by a hacking group that previously stole thousands of X Factor contestants’ personal information. The group Lulz Security has taken credit for the hack. Last night, Lulz Security took over and defaced the LinkedIn accounts of 16 Fox Broadcasting employees and the Twitter accounts of two Fox affiliates, apparently to prove the leak’s validity. “Fox News 15 has decided to rape its own face. A sad day for our 25 viewers,” read one tweet. They then tweeted a list of emails and passwords, which are mainly employees of Fox Broadcasting and local affiliates of Fox and other networks.

Wyndham continues to identify and notify hotel guests impacted by past breaches

Data, May 12, 2011

Wyndham Hotels and Resorts,  which reported a hacking incident in 2008 and hacking incidents in 2009 and 2010, has recently notified the New Hampshire Attorney General’s Office of an update to its report of June 2010. That report did not and does not appear on the state’s breach report list, so I’m not sure what it said, but by letter dated April 29, 2011, Wyndham indicated that it had identified an additional 42 New Hampshire residents who were affected by prior incidents and who would first be notified, even though Wyndham does not believe it is required to make such notifications.

Laptop with financial information stolen from the home of Ohio Auditor’s Office employee

May 12, 2011, By Reginald Fields, The Plain Dealer

A state-owned laptop containing some financial audits of public offices in northwest Ohio was stolen this week during a burglary at a house in Findlay. It was the home of a regional auditor for the state Auditor’s Office.  The employee, whose identity has not been released, was suspended for 15 days because a password that opens access to the financial records was attached to the computer, a violation of the office policy.  The Auditor’s Office said the public offices whose information was contained on the computer are being notified, according to a news release from Auditor Dave Yost’s office.  The release said there was very little personal information included in the files on the laptop. A police report was filed on Tuesday with Findlay Police. In 2007, a data backup cartridge that contained sensitive information, including some Social Security numbers, for 1.3 million individuals, business and other  entities was stolen from a car owned by a state intern. After that incident, Ohio spent about $1.8 million for new software to better encrypt information on state computers and other electronic devices and add tracking devices to state computers so information could be deleted remotely.

Deputies: Man Used DMV Database In ID Theft

KPTV, May 13, 2011

PORTLAND, Ore. — Personal information belonging to more than a million Oregonians could be in the hands of criminals, deputies say. Sheriff’s detectives arrested Tim Nuss on April 28 in east Multnomah County. They say he had access to an old Oregon Department of Motor Vehicles database. Spokesman David House says the DMV database was once sold to marketing companies, but the department stopped selling the information in the late 1990s. House says the sold data include the names, addresses, birth dates, gender and ages of people who registered with the DMV, but no financial information. Police aren’t sure how Nuss was able to get a hold of the database, but Portland police say in previous cases, criminals have sold or traded the database using USB drives or CDs. Acting on a tip, deputies moved in on Nuss, who was staying at the Travelodge Motel near Troutdale. Inside the motel room, investigators found a laptop, four printers and the material used to produce fake checks and Oregon temporary driver’s licenses, investigators say.

Industry News


Sony Network Breach Shows Amazon Cloud’s Appeal for Hackers

Bloomberg, May 16, 2011, By Joseph Galante, Olga Kharif and Pavel Alpeyev

For three pennies an hour, hackers can rent Amazon.com Inc.’s servers to wage cyber attacks such as the one that crippled Sony Corp.’s PlayStation Network and led to the second-largest online data breach in U.S. history. A hacker used Amazon’s Elastic Compute Cloud, or EC2, service to attack Sony’s online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that’s now disabled, didn’t hack into Amazon’s servers, the person said. The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon’s cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. to Eli Lilly & Co. Last month’s attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009. “Anyone can go get an Amazon account and use it anonymously,” said Pete Malcolm, chief executive officer of Abiquo Inc., a Redwood City, California-based company that helps customers manage data internally and through cloud computing. “If they have computers in their back bedroom they are much easier to trace than if they are on Amazon’s Web Services.”

There’s No Data Sheriff on the Wild Web

New York Times, By Nick Bilton, May 7, 2011

A company suffers a catastrophic attack on its servers. Gone are names, e-mail addresses, home phone numbers, passwords, credit card numbers.  Everything ends up in the hands of hackers. What federal law covers such a breach of consumers’ privacy?  None. This lack of federal oversight has incensed privacy advocates for years. But the last several months have been an online consumer’s worst nightmare.  About two weeks ago, hackers dived into Sony’s PlayStation 3 game system, resulting in the loss of up to 77 million customers’ personal and private information and over 12 million credit and debit card numbers.  Epsilon, an e-mail marketing company, lost millions of customers’ e-mail addresses to hackers in early April; Apple, Google and Microsoft have all been quietly collecting location data about mobile customers without their knowledge. And last year, AT&T was attacked through a bug in its iPad software, resulting in the loss of 100,000 customer e-mail addresses.  Each company was blamed for failing to properly protect consumer information. But for redress, consumers must rely on states, and serious punishment or fines rarely happen.  “There needs to be new legislation and new laws need to be adopted” to protect the public, said Senator Richard Blumenthal, Democrat of Connecticut, who has been pressing Sony to answer questions about its data breach and what the company did to avoid it.

White House Unveils Cyber-Security Proposals to Guard Critical Infrastructure

eWeek, By Fahmida Y. Rashid, May 13, 2011

The long-awaited cyber-security proposals from the White House address who protects critical infrastructure and calls for a federal data-breach-notification law. The Obama administration has unveiled a cyber-security plan to provide protection for critical infrastructure, data-breach-notification laws and cyber-defense. The plan closely endorses the bill sponsored by Sen. Harry Reid of Nevada that is currently under consideration in Congress. The White House proposal addresses how to protect critical infrastructure, including electric grids, financial systems and transportation networks, from cyber-attackers. The Department of Homeland Security would take the lead role in working with states and businesses to respond to cyber-attacks and provide immunity to organizations that share cyber-security information, according to a fact sheet posted May 12 on the White House blog. The administration struck a balance between securing critical infrastructure and not making decisions for the companies who actually own and operate the infrastructure. Companies retained a lot of authority to draw up their own cyber-security plans and implement them. The plan summaries have to be publicized and if it doesn’t seem comprehensive enough, DHS can modify it, according to the proposal. “Fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cyber-security,” said White House cyber-security coordinator Howard Schmidt.
