Security News

Tarsus SecureData



Verizon Data Breach Exposed 1.5 Million Customers’ Information

No consumer data was accessed, however.

Verizon Communications said an attacker had exploited a security vulnerability on its enterprise client portal to steal contact information of a number of customers.

The company said, however, that the attacker did not gain access to Customer Proprietary Network Information (CPNI) or other data.

CPNI is the information that telephone companies collect including the time, date, duration and destination number of each call and the type of network a consumer subscribes to.

Krebs On Security, which first broke the news of the breach, said a member of an underground cybercrime forum had posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.

The seller priced the entire package at $100,000, but offered to sell it off in parts of 100,000 records for $10,000 apiece, Krebs added.

The vulnerability, which was investigated and fixed, did not leak any data on consumer customers, Verizon said in a statement on Thursday.

The company is currently notifying customers impacted by the breach.

Source: http://time.com/money/4272778/verizon-data-breach/



SevOne Falls Victim to Spear-Phishing Data Breach

“SevOne fell victim to a cybersecurity attack that has put current and former employees at risk for identity fraud.

The tech company has confirmed it released W-2 wage and tax data to an unauthorized recipient outside the company. That information is believed to include Social Security numbers, home addresses, dates of birth and other personal information criminals can use to file false tax returns and commit other forms of identity theft.”

For the full story please visit the original source: http://www.delawareonline.com/story/money/business/2016/03/09/sevone-released-employee-data-online-scammers/81532396/

 



Jail threat for company bosses over Popi

Cape Town – Company executives who fail to secure data in South Africa may face jail time, the Protection of Personal Information Act, known as Popi, says.

However, while the act specifies prison time for people who fail to keep personal information confidential, SA has not yet fully implemented the legislation.

“Until the Act is implemented it is difficult to know what such conditions could be, particularly in light of the fact that similar laws in the UK and Australia do not prescribe custodial sentences for breaches,” Wayne Mann, director of Group Risk at The Unlimited, told Fin24.

Popi legislation specifies penalties of jail time up to 10 years and R10m for contravening sections related to data protection.

“If one breaches the following sections of the Act, 100, 103(1) and 104(2), 105(1) and 106, which deal, among other things with the powers of the Regulator to enforce compliance with its provisions, obstructing the Regulator in the performance of the Regulator’s duties, the selling, disposing or processing of a person’s account number in a manner not authorised by the Act, a prison sentence of up to 10 years can be imposed,” Mann said.

Outright fraud

The legislation demands that people who “knowingly or recklessly, without the consent of the responsible party” share personal data are guilty of an offence in terms of the act.

Mann, though, argued that outright fraud was more likely to result in jail time than contravening Popi.

“In our view the offences that overlap with our common law crimes such as fraud and theft, for example the unauthorised selling of a person’s account number, are more likely to be frowned upon by society and it is these offences that could result in prison sentences being imposed.”

Popi, which was modelled on European legislation, was intended to give citizens the right to protect their reputations, said an attorney.

“Popi is modelled on Europe’s EUDPD [EU Data Protection Directive]. Popi gives ‘data subjects’ (SA citizens) control over their personal information relating to criminal activity or negative and damaging behaviour they may have committed in the past or are suspected to have committed,” specialist technology attorney Russel Luck told Fin24.

“Popi categorises this type of personal information as ‘special personal information’ under S26 of Popi and can only be processed by a ‘responsible party’ in certain circumstances,” he added.

In the UK, the Data Protection Act was passed in 1998, but compliance took more than a decade and SA may face a similar situation.

“The Act does provide for a 12 month compliance period from the date that certain provisions become effective – which is only likely to happen once the office of the Information Regulator is established (which has commenced). Given the length of time that the act has been in the public arena, our view is that it is very unlikely that the 12 month compliance period will be extended,” said Mann.

Source: http://www.fin24.com/Tech/News/Jail-threat-for-company-bosses-over-Popi-20151006



Twitter warns some users of possible state-sponsored cyber attack

SAN FRANCISCO (Reuters) – Twitter Inc issued an alert to some users warning them that state-sponsored hackers may have tried to obtain sensitive data from their accounts, the company said, the first such warning by the micro blogging site.

The notice said there was no indication the hackers obtained sensitive information from what it said were a “small group of accounts” targeted.

It did not provide additional information about the attack or possible suspects in its investigation.

Twitter’s notice is the latest amid concern about cyber attacks by state-sponsored organizations. Government agencies, businesses and media have all been hacked.

Motherboard, a tech news site, and the Financial Times earlier reported on Twitter’s warning.

One organization that said it received the notice, a Winnipeg-based nonprofit called Coldhak, said the warning from Twitter came on Friday. The notice said the attackers may have been trying to obtain information such as “email addresses, IP addresses, and/or phone numbers”.

Coldhak’s Twitter account, @coldhakca, retweeted reports from a number of other users who said they received the notice. Coldhak and the other users did not indicate why they may have been singled out.

Colin Childs, one of the founding directors of Coldhak, told Reuters his organization has seen “no noticeable impact of this attack”.

Google and Facebook have also started issuing warnings to users possibly targeted by state-sponsored attacks.

(Reporting and writing by Stephen R. Trousdale; editing by Grant McCool)

Source: http://news.yahoo.com/twitter-warns-users-possible-state-sponsored-cyber-attack-030250212–finance.html



CVS confirms data breach at photo site

CVS Health has sent e-mails to customers of its former online photo service confirming that personal information may have been stolen by hackers earlier this summer.

The photo service, CVSPhoto.com, is managed and hosted by PNI Digital Media, a vendor owned by Staples Inc. CVS took down the site in June after learning about a possible breach.

The Woonsocket, R.I., company said Friday that investigators have learned that the site was indeed hacked and the data breach included credit-card information for some customers, as well as names, phone numbers, e-mail addresses, usernames, and passwords. CVS said it appears that the hackers did not steal any photographs.

CVS declined to say how many customers were affected. A spokesman said customers who had their credit-card information stolen will receive one year of free credit monitoring and identity theft resolutions services through Experian.

Staples said it is continuing to investigate the data security breach.

“While the investigation is ongoing, the results to date suggest that an unauthorized party entered PNI’s systems and was able to deploy malware designed to capture user input on PNI’s servers that support some of its customers’ websites,” said Kirk Saville, a Staples spokesman. “At this time, there is no reason to believe that the unauthorized party accessed photos or PIN numbers.”

The breach also affected other retailers.

Source: http://www.bostonglobe.com/business/2015/09/11/cvs-confirms-data-breach-photo-site-this-summer/xc7mG3YFVgkKLYBQHfrIwI/story.html?event=event25



Hackers stole social security numbers from 21.5 MILLION people in massive breach

Hackers stole 21.5 million social security numbers in an extraordinary data breach, the US Office of Personnel Management (OPM) has revealed.

The files, accessed in May, included those of 19.7 million individuals who had applied for security clearances to qualify for a job with the government. Another 1.8 million belonged to non-applicants, such as applicants’ spouses or partners.

At least 1.1 million of the stolen records included fingerprints, the OPM said in a news release.

Michael Daniel, special assistant to the president and cybersecurity coordinator at the National Security Council, said he was ‘not really prepared to comment’ on whether China was responsible for the hack.

Data breach: Hackers stole sensitive information, including social security numbers, of about 21.5 million people from background investigation databases. At least 1.1 million of the records include fingerprints

The incident comes after a ‘separate, but related’ incident in April, when files of 4.2 million current and former federal workers were stolen.

According to OPM, both breaches were discovered as the agency conducted a forensics investigation into the way federal data is managed.

The government will now be forced to provide three years of support from a private firm specializing in data breaches for all 21.5 million victims to monitor their children, credit files and identity.

Stolen records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and more.

Some records also include findings from interviews conducted by background investigators and fingerprints.

Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

There is significant overlap between the two groups, according to the OPM news release.

The new breach is in addition to, and also overlaps with, the leak of four million citizens’ information in April.

The U.S. government has attributed sophisticated attacks – including the original large-scale data theft last month – to increasingly advanced state-affiliated teams from China.

China has denied any connection with the OPM attack and little is known about the identities of those involved in it.

Asked during a conference call with reporters whether China was responsible, Michael Daniel, special assistant to the president and cybersecurity coordinator at the National Security Council, said that ‘at this point the investigation into the attribution of this event is still ongoing and we are exploring all of the different options that we have.’

He added that ‘we’re not really prepared to comment at this time on the attribution behind this event.’



FireKeepers data breach

An investigation of a data-security incident at FireKeepers Casino Hotel revealed that about 85,000 credit and debit cards may have been affected between September and April, the casino announced.

The investigation showed someone gained unauthorized access to the casino’s computer system, including its file-storage server.

Information including credit and debit card numbers, cardholder names, verification codes and the card expiration dates were compromised for food, beverage and retail purchases at the casino between Sept. 7 and April 25, FireKeepers said in a news release. The file-storage server held information of customers, employees and their dependents. Social Security and driver’s license numbers as well as health-benefit selections and medical billing information for current and former employees were stored on the server.

Cards used for hotel reservations, cash advances and ATM transactions were not affected by the breach, FireKeepers said. The Red Hot Rewards Club database also was not affected.

The incident was discovered April 16 after the casino learned about “a possible security incident involving payment card information.” The investigation confirmed several consumer reports indicating concern about their bank and credit card statements.

The casino replaced its point-of-sale equipment with a system not tied to the casino’s main computer systems during the investigation, Vice President of Marketing Jim Wise said.

Absent from the casino’s release about the incident was information about who’s responsible for the data security breach. Wise said the investigation of the incident is ongoing and that FireKeepers wouldn’t comment about it last week.

FireKeepers is offering credit monitoring and identity protection services to those affected through AllClear ID at www.firekeepers.allclearid.com.

Source: http://www.freep.com/story/news/local/michigan/2015/07/07/firekeepers-casino-data-breach/29805997/



5 Ways the IRS Scammers Could Have Stolen All Those Tax Returns

Great article from Adam Levin, here is the original story – http://blog.credit.com/2015/06/5-ways-the-irs-scammers-could-have-stolen-all-those-tax-returns-117956/

Last week, the Internal Revenue Service revealed that a group of organized criminals effectively walked through their front door and used an application on its “Get Transcript” site to pore over the past tax returns of more than 100,000 Americans. According to several news reports, the stolen information was deployed to commit tax fraud, with an estimated take of up to $50 million in bogus tax refunds before the IRS discovered the ploy.

“We’re confident that these are not amateurs,” John Koskinen, the IRS commissioner, told the New York Times. “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

But if I may be so bold, isn’t the IRS supposed to be better at this? It is, after all, the chief tax collector for the U.S. government, for Heaven’s sake. It’s frustrating that the government isn’t better, but it’s not terribly shocking that scammers got through, considering the well-practiced foe the agency is facing.

Unless you’ve been sleeping off a fairytale curse, it should not create cognitive dissonance that organized criminal syndicates committing information-based crimes are on the rise. There are myriad reasons for this, and more than a few involve bad habits at the consumer level, but the overarching reason this particular crime wave keeps growing is simple: opportunity. Data security sadly lags behind both innovation and the hordes of increasingly sophisticated criminals who are hell-bent on exploiting human error and other weaknesses in the way personally identifiable information (PII) is collected and stored. Our digital lives are like so many undiscovered pharaohs’ tombs — wildly valuable and poorly protected — waiting to be discovered.

The millions in tax refunds stolen (or yet to be stolen) by the “Get Transcript” scammers was almost certainly made possible by the ready availability of stolen personal data. Sure it was a brazen heist, but it was also a simple one. The criminals drilled through a multiple-factor authentication process that included a taxpayer’s Social Security number (SSN), date of birth and street address (not to mention a host of “out of wallet” questions like “What was your high school mascot?”) — information that can be had from a variety of sources. Here are just a few of the ways the masterminds behind the IRS hack could have gotten the information they needed to walk through the U.S. government’s front door.

1. Buying PII on the Dark Web

The Dark Web may sound like something straight out of a Marvel comic book, but it is very real. While it may not be as big as lore would suggest, and it is to a distressing extent populated with sexual content that is both illegal and an affront to our collective humanity, it also hosts the black markets where criminals buy and sell PII. Ever wonder where all those email addresses, SSNs, phone numbers, ZIP codes, and credit card numbers in the over one billion files that have been compromised end up? It’s a good bet you won’t find them in the magic trunk of the Identity Fairy, but you can find that information on the Dark Web.

2. Social Engineering

Whether you call it social engineering, wetware or the human element, we are often the cause of our own demise — but it doesn’t have to rise to the level of a Shakespearean tragedy. Phishing, spearphishing, vishing (phone-based phishing), smishing (text-based phishing) are different tactics to get consumers to part with their PII. The bottom line here is that if someone asks for your information, make sure you know who’s doing the asking. If you receive a phone call from a company with which you do business, hang up and call them back. Ditto with a cold call from a company or government entity you either think you know or don’t know.

3. Building a Dossier

While identity thieves may buy your information on the Dark Web and start cobbling together a file on you, they can do it more simply by data-scraping the social networking sites that you use. In the same way advertisers use data purchased from Facebook and other social media sites to find male cat owners who only buy organic products, hackers can find out enough about you to answer security questions in the authentication process of many websites and companies with which you do business.

4. Hacking

Why buy the info you need on the Dark Web when some hackers offer it up for free? While some hackers are inspired by profits, others are driven by the desire to publicly shame and embarrass companies by getting access to sensitive information then posting it for the world to see.

Hacked information is a treasure trove for the kind of approach used in the IRS heist. And there is an abundance of free hacked data out there, especially after the attacks on Target, Home Depot and countless other compromised companies and organizations in recent years.

5. Insiders

This is probably the hardest tactic to defend against: a bad player with access to sensitive information. Employees aren’t always honest, or at the very least not at all immune to making mistakes. Those who are in a moment of personal crisis, for example, can be extorted or bribed to hand over information or leave a room with files open and unsecured for a predetermined half hour.

According to anonymous sources cited by the Associated Press, the “Get Transcript” scammers were located in Russia, but unfortunately in our connected world it matters less and less where any particular crime originates. In a significant number of cases, hackers operate beyond our jurisdiction or under the protection of foreign governments with little incentive to cooperate with us. Ultimately, what matters here is that 100,000 taxpayers had their sensitive data stolen and are now at risk for other crimes, and that millions of our tax dollars went walkabout.

Whether data compromises give rise to breaking news stories or pounding headaches, anything less than a zero-tolerance attitude toward identity-related crimes won’t get us to the place we need to be. It may be true at this moment that there is no way to stop the flow of ill-gotten gains nabbed by criminals in possession of our PII — but the first step is adopting a “no compromise is acceptable” rule, and holding organizations to that standard.

What Can You Do?

As for consumers – now that their data is out there, there’s no telling how it could be further used against them. While it’s impossible to stop every form of identity fraud once your data is in the hands of a criminal, the best thing you can do is monitor for problems and work to contain and repair the damage as soon as you detect it. In terms of your finances, keep an eye on your financial accounts – daily. And check your credit reports at least once a year – you can get them for free on AnnualCreditReport.com – and consider using free monitoring tools that are out there (like Credit.com’s free credit report summary, which updates your info monthly), or any of the number of reputable paid services.

But it’s clear as ever: The focus now must be on stanching the seemingly universal information hemorrhage that’s underway, and denying Cyber Cossacks a piece of our PII.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.

Source: http://blog.credit.com/2015/06/5-ways-the-irs-scammers-could-have-stolen-all-those-tax-returns-117956/



BeeBone Botnet Taken Down By International Cybercrime Taskforce

U.S. and European law enforcement agencies have shut down a highly sophisticated botnet that had infected more than 12,000 computers worldwide, allowing hackers to steal victims’ banking information and other sensitive data.

The law enforcement agencies from the United States, United Kingdom and the European Union conducted a joint operation to get rid of the botnet across the globe and seized the command-and-control server that had been used to operate the nasty Beebone (also known as AAEH) botnet.

What’s a Botnet?

A botnet is a network of a large number of computers compromised with malicious software and controlled surreptitiously by hackers without the knowledge of victims.

Basically, a “botnet” is a hacker’s “robot” that does the malicious work directed by hackers.

Hackers and cyber criminals have brushed up their hacking skills and started using botnets as a cyber weapon to carry out multiple crimes such as DDoS (distributed denial of service) attacks, mass spamming, advertising revenue manipulation, cyber espionage, mining bitcoins, surveillance, etc.

However, this is not the first time we have heard of a sophisticated botnet being taken down by law enforcement agencies.

Just two months ago, law enforcement took down the Ramnit botnet, which infected over 3.2 million computers worldwide, and last year the FBI and Europol tore down the GameOver Zeus botnet, although it came back a month after its takedown.

So, What’s new about Beebone Botnet?

Beebone is downloader software (a kind of botnet downloader) that installs other forms of malicious software, including ransomware and rootkits, onto victims’ machines without even their consent.

The size of the network it infected was not significant, but the operators managed to maintain control of the infected machines over the years by making the Beebone botnet polymorphic in nature, so that it can update itself in order to avoid antivirus detection.

Here’s the Kicker:

The Beebone botnet updates itself as many as 19 times a day, which makes the malware a slightly different threat from all the existing botnets and also prevents botnet detection.

Once infected, the machines were ordered to “distribute malicious software, harvest users’ credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the data to a readable state,” the US Computer Emergency Response Team (US-CERT) said.

5 MILLION UNIQUE SAMPLES OF BEEBONE IN THE WILD

Initial figures show:

Beebone has infected over 12,000 computers, which seems to be a tiny number compared to past Zeus botnet infections that hit millions of computers across the world.

However, it is believed that there are many more to come. According to Europol, there are currently more than 5 million unique samples of the Beebone botnet in the wild, with over 205,000 samples taken from a total of 23,000 computer systems between 2013 and 2014.

BEEBONE INFECTION WORLDWIDE

The footprint of the Beebone botnet is worldwide:

Beebone infections are spread across more than 195 countries. Most of the infections are reported in the United States, followed by Japan, India, and Taiwan, said Europol’s Deputy Director of Operations, Wil van Gemert.

What’s the best part?

The Federal Bureau of Investigation (FBI) is currently working with other U.S. law enforcement agencies and Europol’s European Cybercrime Centre (EC3), the Dutch National High Tech Crime Unit and the Joint Cybercrime Action Taskforce in order to combat Beebone.

Why do botnets re-emerge after a takedown?

The main reason, according to me, is that the author of the botnet did not get arrested.

It really doesn’t matter how many domains law enforcement takes down or how many sinkholes security researchers create if the attackers are not arrested; nobody can stop criminals from building a new botnet from zero.

Thus, I really appreciate the FBI’s effort to weed out the GameOver Zeus botnet by announcing a reward of $3 million for information leading to the direct arrest or conviction of Evgeniy Mikhailovich Bogachev, the alleged author of the GameOver Zeus botnet that stole more than $100 million from bank accounts.

Source: http://thehackernews.com/2015/04/beebone-botnet-malware-hacking.html



Twitch Breached – Personal Information of Users Leaked!

Twitch (an Amazon-owned game video streaming service) reset passwords for all its users after warning of a security breach that may have allowed unauthorized access to user names, passwords, first and last name, phone number, address, date of birth and IP address information of its users. Here is the email I received from Twitch:

Twitch

We are writing to let you know that there may have been unauthorized access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password (which was cryptographically protected), the last IP address you logged in from, and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.

For your protection, we have expired your password and stream keys. In addition, if you had connected your account to Twitter or YouTube, we have terminated this connection.

You will be prompted to create a new password the next time you attempt to log into your Twitch account. If applicable, you will also need to re-connect your account to Twitter and YouTube, and re-authenticate through Facebook, once you change your password. We also recommend that you change your password at any other website where you use the same or a similar password.

We apologize for this inconvenience.

The Twitch Team