“Hackers will go after anyone with health care information,” said John Pescatore, director of emerging security trends at the SANS Institute, adding that in recent years hackers have increasingly set their sights on EHRs (electronic health records).
With medical data, “there’s a bunch of ways you can turn that into cash,” he said. For example, Social Security numbers and mailing addresses can be used to apply for credit cards or get around corporate antifraud measures.
This could explain why attackers have recently targeted U.S. health insurance providers. Last Tuesday, Premera Blue Cross disclosed that the personal details of 11 million customers had been exposed in a hack that was discovered in January. Last month, Anthem, another health insurance provider, said that 78.8 million customer and employee records were accessed in an attack.
Both attacks exposed similar data, including names, Social Security numbers, birth dates, telephone numbers, member identification numbers, email addresses and mailing addresses. In the Premera breach, medical claims information was also accessed.
If the attackers try to monetize this information, the payout could prove lucrative.
Credentials that include Social Security numbers can sell for a couple of hundred dollars since the data’s lifetime is much longer compared to pilfered credit card numbers, said Matt Little, vice president of product development at PKWARE, an encryption software company with clients that include health care providers. Credit card numbers, which go for a few dollars, tend to work only for a handful of days after being reported stolen.
Target is reportedly close to paying out $10m to settle a class-action case that was filed after it was hacked and stripped of tens of millions of peoples’ details.
Target was smacked by hackers in 2013 in a massive cyber-thwack on its stores and servers that put some 70 million people’s personal information in harm’s way.
The hack has had massive repercussions. People are losing faith in industry and its ability to store their personal data, and the Target incident is a very good example of why people are right to worry.
As well as tarnishing Target’s reputation, the attack also led to a $162m gap in its financial spreadsheets.
The firm apologized to its punters when it revealed the hack, and chairman, CEO and president Gregg Steinhafel said he was sorry that they have had to “endure” such a thing
Now, according to reports, Target is willing to fork out another $10m to put things right, offering the money as a proposed settlement in one of several class-action lawsuits the company is facing. If accepted, the settlement could see affected parties awarded some $10,000 for their troubles.
We have asked Target to either confirm or comment on this, and are waiting for a response. For now we have an official statement at Reuters to turn to. There we see Target spokeswoman Molly Snyder confirming that something is happening but not mentioning the 10 and six zeroes.
“We are pleased to see the process moving forward and look forward to its resolution,” she said.
Not available to comment, not that we asked, will be the firm’s CIO at the time of the hack. Thirty-year Target veteran Beth Jacob left her role in the aftermath of the attack, and a replacement was immediately sought.
“To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target,” said Steinhafel then.
“As a first step in this effort, Target will be conducting an external search for an interim CIO who can help guide Target through this transformation.”
“Transformational change” pro Bob DeRodes took on the role in May last year and immediately began saying the right things.
“I look forward to helping shape information technology and data security at Target in the days and months ahead,” he said.
“It is clear to me that Target is an organization that is committed to doing whatever it takes to do right by their guests.”
We would ask Steinhafel for his verdict on DeRodes so far and the $10m settlement, but would you believe it, he’s not at Target anymore either having left in the summer last year with a reported $61m golden parachute.
Two Vietnamese men have been charged, with one pleading guilty, for hacking into eight U.S. email service providers and stealing 1 billion email addresses and other confidential information, resulting in what’s believed to be the largest data breach in U.S. history, the U.S. Department of Justice announced.
The attacks, running from February 2009 to June 2012, resulted in the largest data breach of names and email addresses “in the history of the Internet,” Assistant Attorney General Leslie Caldwell said in a statement. After stealing the email addresses, the defendants sent spam emails to tens of millions of users, generating US$2 million in sales, according to the DOJ.
Viet Quoc Nguyen, 28, of Vietnam, allegedly hacked into the email service providers, stealing proprietary marketing data containing more than 1 billion email addresses, the DOJ said. Nguyen, along with Giang Hoang Vu, 25, also of Vietnam, then allegedly used the data to send spam messages, the agency alleged.
The indictments of the two men were unsealed Thursday. On Feb. 5, Vu pleaded guilty in U.S. District Court for the Northern District of Georgia to conspiracy to commit computer fraud.
Vu was arrested by Dutch law enforcement in 2012 and extradited to the U.S. a year ago. He is scheduled to be sentenced on April 21. Nguyen remains at large.
In addition to the unsealing of the indictments, a federal grand jury returned an indictment this week against a Canadian citizen for conspiring to launder the proceeds obtained as a result of the massive data breach.
David-Manuel Santos Da Silva, 33, of Montreal, was indicted for conspiracy to commit money laundering for helping Nguyen and Vu to generate revenue from the spam emails and launder the proceeds.
Uber found out about a possible breach of its systems in September, and a subsequent investigation revealed an unauthorized third party had accessed one of its databases four months earlier, the company said.
The files accessed held the names and license plate numbers of about 50,000 current and former drivers, which Uber described as a “small percentage” of the total. About 21,000 of the affected drivers are in California. The company has several hundred thousand drivers altogether.
It’s in the process of notifying the affected drivers and advised them to monitor their credit reports for fraudulent transactions and accounts. It said it hadn’t received any reports yet of actual misuse of the data.
Uber will provide a year of free identity protection service to the affected drivers, it said, which has become fairly standard for such breaches.
The company said it had filed a “John Doe” lawsuit Friday to help it confirm the identity of the party responsible for the breach.
Chinese PC and mobile phone maker Lenovo Group Ltd acknowledged that its website was hacked, its second security blemish days after the U.S. government advised consumers to remove software called “Superfish” pre-installed on its laptops.
Hacking group Lizard Squad claimed credit for the attacks on microblogging service Twitter. Lenovo said attackers breached the domain name system associated with Lenovo and redirected visitors to lenovo.com to another address, while also intercepting internal company emails.
Lizard Squad posted an email exchange between Lenovo employees discussing Superfish. The software was at the center of public uproar in the United States last week when security researchers said they found it allowed hackers to impersonate banking websites and steal users’ credit card information.
In a statement issued in the United States on Wednesday night, Lenovo, the world’s biggest maker of personal computers, said it had restored its site to normal operations after several hours.
“We regret any inconvenience that our users may have if they are not able to access parts of our site at this time,” the company said. “We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users’ information.”
Lizard Squad has taken credit for several high-profile outages, including attacks that took down Sony Corp’s PlayStation Network and Microsoft Corp’s Xbox Live network last month. Members of the group have not been identified.
Starting 4 p.m. ET on Wednesday, visitors to the Lenovo website saw a slideshow of young people looking into webcams and the song “Breaking Free” from the movie “High School Musical” playing in the background, according to technology publication The Verge, which first reported the breach.
Although consumer data was not likely compromised by the Lizard Squad attack, the breach was the second security-related black eye for Lenovo in a matter of days.
Nearly half of all security breaches come from vulnerabilities that are between two and four years old, according to this year’s HP Cyber Risk Report entitled The Past Is Prologue.
The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.
But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.
The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.
The news comes in the same week that HP took a swipe at rival Lenovo for knowingly putting Superfish adware into its machines.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager for enterprise security products at HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”
The main recommendations of report are that network administrators should employ a comprehensive and timely patching strategy, perform regular penetration testing and variation of configurations, keep equipment up to date to mitigate risk, share collaboration and threat intelligence, and use complementary protection strategies.
The threat to security from the IoT is already well documented by HP, which released a study last summer revealing that 90 percent of IoT devices take at least one item of personal data and 60 percent are vulnerable to common security breaches.
The No. 2 U.S. health insurer said on Wednesday that hackers breached its computer system containing data on up to 80 million people.
Anthem announced the warning about the email scam in a statement, saying they purport to come from Anthem and ask recipients to click on a link to obtain credit monitoring. Anthem advised recipients not to click on links or provide any information on any website.
The company said it will contact current and former members about the attack only via mail delivered by the U.S. Postal Service. It is not calling members regarding the breach and is not asking for credit card information or Social Security numbers over the phone.
Anthem said there was no indication the email scam was connected to those who perpetrated the security breach.
The insurer acknowledged that data accessed by hackers had not been encrypted, as is the normal practice at many companies.
“When the data is moved in and out of the warehouse it is encrypted. But when it sits in the warehouse, it’s not encrypted,” Anthem spokeswoman Cindy Wakefield said.
Anthem needs to be able to easily access patient data in order to create the numerous reports it generates for customers and regulators as part of doing business, Wakefield explained. “I think that is standard practice,” she added.
“How we managed our data in the warehouse has been appropriate,” Wakefield said. “No one has pointed a finger and said you did this wrong and this is why this happened.”
But Richard Marshall, a former senior cybersecurity defense expert at the U.S. National Security Agency, said the numbers should have been encrypted.
“Social Security numbers can be sold to people who are here illegally,” said Marshall, who now advises private security firms. “Identity theft is a major issue.”
Hundreds of thousands of websites running WordPress have been infected by a piece of malware called SoakSoak. Google has flagged more than 11,000 domains hosting a WordPress website as malicious.
Websites running a third-party plug-in called Slider Revolution are being hacked, and malicious code is being installed that will in turn infect those who visit the website. The developers of the plug-in, ThemePunch, have admitted that they knew about the vulnerability in February this year but kept quiet about it.
ThemePunch in developed 29 security fixes from February to September, resisting a public call for action because of a “fear that an instant public announcement would spark a mass exploitation of the issue”.
The company had hoped that most users would install these updates, solving the problem, but it now admits that this was “sadly not the case.”
“We as a team would like to apologize officially to our clients for the problems that arose due to the security exploit in Revolution Slider Plugin versions older than 4.2, ? it says on its website.
Short answer is that you have to upgrade everything that moves on your wordpress site or it will be toast.
Sony Corp’s movie studio could face tens of millions of dollars in costs from the massive network breach that severely hindered its operations and exposed sensitive data, according to cybersecurity experts who have studied past breaches.
The tab will be less than the $171 million Sony estimated for the breach of its Playstation Network in 2011 because it does not appear to involve customer data, the experts said.
Major costs for the attack by unidentified hackers include the investigation into what happened, computer repair or replacement, and steps to prevent a future attack. Lost productivity while operations were disrupted will add to the price tag.
The attack, believed to be the worst of its type on a company on U.S. soil, also hits Sony’s reputation for a perceived failure to safeguard information, said Jim Lewis, senior fellow at the Center for Strategic and International Studies.
“Usually, people get over it, but it does have a short-term effect,” said Lewis, who estimated costs for Sony could stretch to $100 million.
It typically takes at least six months after a breach to determine the full financial impact, Lewis said.
Sony has declined to estimate costs, saying it was still assessing the impact.
The company has insurance to cover data breaches, a person familiar with the matter said. Cybersecurity insurance typically reimburses only a portion of costs from hacking incidents, experts said.
More than a week after a massive cyber attack on Sony Pictures Entertainment, the Hollywood studio isstill struggling to restore some systems as investigators searched for evidence to identify the culprit.
Some employees at the Sony Corp entertainment unit were given new computers to replace ones that had been attacked with the rare data-wiping virus, which had made their machines unable to operate, according to a person with knowledge of Sony’s operations.
In a memo to staff seen by Reuters, studio co-chiefs Michael Lynton and Amy Pascal acknowledged that “a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents.”
They are “not yet sure of the full scope of information that the attackers have or might release,” according to the memo first reported by Variety, and encouraged employees to take advantage of identity protection services being offered.
Their concern underscores the severity of the breach, which experts say is the first major attack on a U.S. company to use a highly destructive class of malicious software that is designed to make computer networks unable to operate.
Government investigators led by the FBI are considering multiple suspects in the attack, including North Korea, according to a U.S. national security official with knowledge of the investigation.
The FBI said Tuesday that it is working with its counterparts in Sony’s home country of Japan in the investigation.
That comes after it warned U.S. businesses on Monday about hackers’ use of malicioussoftware and suggested ways to defend themselves. The warning said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
Palo Alto Networks Inc has uncovered a new group of malware that can infect Apple Inc’s desktop and mobile operating systems, underscoring the increasing sophistication of attacks on iPhones and Mac computers.
The “WireLurker” malware can install third-party applications on regular, non-jailbroken iOS devices and hop from infected Macs onto iPhones through USB connector-cables, said Ryan Olson, intelligence director for the company’s Unit 42 division.
Palo Alto Networks said on Wednesday it had seen indications that the attackers were Chinese. The malware originated from a Chinese third-party apps store and appeared to have mostly affected users within the country.
The malware spread through infected apps uploaded to the apps store, that were in turn downloaded onto Mac computers. According to the company, more than 400 such infected apps had been downloaded over 350,000 times so far.
It’s unclear what the objective of the attacks was. There is no evidence that the attackers had made off with anything more sensitive than messaging IDs and contacts from users’ address books, Olson added.
But “they could just as easily take your Apple ID or do something else that’s bad news,” he said in an interview.
Apple, which Olson said was notified a couple weeks ago, did not respond to requests for comment.
Once WireLurker gets on an iPhone, it can go on to infect existing apps on the device, somewhat akin to how a traditional virus infects computer software programs. Olson said it was the first time he had seen it in action. “It’s the first time we’ve seen anyone doing it in the wild,” he added.
A team of cybersecurity firms financed by big banks plan to introduce a platform that will allow financial companies to communicate faster about potential cyber breaches, the Wall Street Journal reported.
The move follows cybersecurity attacks on some big banks last month, where JPMorgan Chase & Co’s computer systems were hacked exposing the contact details of 73 million households and 7 million small businesses.
The group gathered funds from 16 banks including JPMorgan,Citigroup Inc , BB&T Corp and U.S. Bancorp, to help lead the effort, the newspaper said.
The product, called ‘Soltra Edge’, is being launched by Financial Services Information Sharing Analysis Center (FS-ISAC) and the Depository Trust & Clearing Corp (DTCC). It has been in works for more than a year and is expected to be out next month, the report said.
Earlier this year, JP Morgan said it expects to spend more than $250 million on cyber security, with about 1,000 people working on that area, after being warned by U.S. regulators about the threat of rising cyber attacks on bank machines.
A pilot version of Soltra was used in spreading the information received by FS-ISAC from JPMorgan after the breach, the Journal said, citing sources.
Soltra, which offers a free edition as well as a paid one, will help track threat information within seconds, a spokesman for Soltra told Reuters.
The banks would be major competitors to handset makers Apple and Google because unlike others pushing mobile wallet technology, such as mobile phone carriers and retailers, they already have an intimate relationship with consumers and know their spending habits.
“Banks all around the world are working on this right now,” said James Anderson, senior vice president for mobile and emerging payments at MasterCard.
Anderson didn’t name any of the banks, but said MasterCard is already in conversations with them on how to add mobile payment capability to the existing apps that millions of consumers already have on their phones.
The most likely way will be through a technology called host card emulation, that was introduced in Android 4.4 “KitKat” and allows software apps to emulate the secure element chip found on some bank cards and the iPhone 6. Using software means wider compatibility with phones than if a dedicated chip was required.
The mobile payments market had been relatively quiet until recently. Google Wallet and Softcard, a competitor backed by cellular carriers, were in the market but consumer awareness and interest appeared to be low.
That changed with the launch of Apple Pay on Oct. 20. A million cards were activated in the first three days of use and early adopters have praised its ease of use: users just need to hold their thumb over the iPhone 6 fingerprint reader and bring the device near a terminal for payment to be made.
As a result, competitors are planning their attack. Next year CurrentC, backed by some of the biggest retailers in the U.S., will launch and companies like PayPal are also hoping to expand their footprint in stores.
But an app from a bank might have an edge because it removes a potential hurdle to adoption: unease among consumers that at a third-party is getting access to details of purchases they make.
Apple has stressed that it doesn’t see any of the purchases made by its users but Google’s system is set up so that all payments run through the company’s servers — giving the company an additional layer of information into the lives of its users.
A bank already has access to this information because of its nature and is presumably trusted by its customers. If a customer has a banking app on their phone, it would suggest they also have faith in the bank’s online security system.
A comprehensive security audit of its ads code was recently completed, but Facebook “would like to encourage additional scrutiny from whitehats to see what we may have missed,” wrote Collin Greene, a security engineer, in a blog post. “Whitehats” refers to ethical security researchers, as opposed to “blackhats” who take advantage of vulnerabilities.
According to bug bounty program guidelines, Facebook pays a minimum of $500 for a valid bug report. Until the end of the year, that has been increased to $1,000.
Greene wrote that the majority of reports it receives concern more common parts of Facebook’s code, but the company would like to encourage interest in ads “to better protect businesses.”
Facebook’s ad tools include the Ads Manager, the ads API (application programming interface) and Analytics, which is also called Insights, Greene wrote. The company also wants close scrutiny of its back-end billing code.
“There is a lot of backend code to correctly target, deliver, bill and measure ads,” Greene wrote. “This code isn’t directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact.”
Greene wrote that Facebook typically sees bugs such as incorrect permission checks, insufficient rate-limiting, edge-case CSRF (cross-site request forgery) issues and problems with Flash in its ads code.
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.