The University at Buffalo reported that about 2,700 students, alumni, faculty and staff accounts were compromised when a third-party vendor was breached.
The student loan services company Access Group Education Lending is blaming a third-party business partner for inadvertently sending loan files containing borrowers’ personal information to another business that was not authorized to receive them.
According to various media outlets, Access Group notified roughly 16,500 borrowers of the breach in a letter that states the company learned of the breach on Mar. 28, 2018, five days after the incident occurred.
Access Group claims that Nelnet, a vendor providing student loan processing services, was responsible for sending the files to the unauthorized party.
“Immediately after Access Group learned of this vendor error, we contacted the business that mistakenly received the files. That company confirmed the transferred files had been deleted and agreed to have the appropriate manager sign a sworn statement that the files had been deleted with no copies retained,” reads a statement from Access Group, sent to SC Media. “Though exposure of any personal information was limited and access to any personal information was immediately terminated, Access Group provided written notice to those individuals whose files were included in the transfer and to their state Attorneys General.”
In response to the incident, Access Group says it will also offer one year of free credit monitoring services to affected individuals, and will “continue to diligently monitor our vendor partnerships, including requiring written data transfer protocols and demanding that vendor employees verify the recipients of data transfers before initiating the action.”
Careem, the ride-hailing company based in Dubai, revealed today it was the victim of a cyber breach.
Hackers accessed the names, email addresses, phone numbers and trip data of anyone who signed up for Careem prior to January 14. Careem said there’s no evidence the hackers accessed passwords or credit card information.
While the breach involved access to Careem’s data storage system for 14 million riders and 558,800 drivers (called captains), the company said it hasn’t seen any evidence of fraud or misuse.
Careem said it became aware of the security incident back in January. Since then, Careem said it has conducted an investigation and strengthened its security systems.
The company waited until now to tell people because “we wanted to make sure we had the most accurate information before notifying people,” the company wrote in a blog post.
Millions of Panera Bread customers may have had their personal data exposed by the fast-casual restaurant chain, according to security experts.
Until Monday, customer records — including names, email addresses, home addresses, birth dates and the last four digits of credit card numbers — were accessible in plain text on the company’s website, according to a report from security writer Brian Krebs. It’s not clear whether anyone actually accessed any of the data, which had been supplied by customers who created accounts for food delivery and other services.
Hackers stole information for more than 5 million credit and debit cards used at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores.
Hudson’s Bay Company, which owns the retail chains, confirmed the breach Sunday, and said it has “identified the issue, and has taken steps to contain it.”
“Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” Hudson’s Bay said in a press release.
The company added that the cards were used for in-store purchases, and there is “no indication” online purchases were affected. Hudson’s Bay said it’s cooperating with law enforcement in an ongoing investigation.
A cybersecurity firm called Gemini Advisory identified the breach and posted a blog post detailing its scope. The “attack is amongst the biggest and most damaging to ever hit retail companies,” according to the firm.
Gemini Advisory said a hacking syndicate put credit and debit card information it obtained from the hack up for sale on the dark web last week.
A “preliminary analysis” found credit card data was obtained for sales dating back to May 2017, according to the post. The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the “majority of stolen credit cards were obtained from New York and New Jersey locations.”
The hackers were also behind notorious data breaches that affected companies including Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels, Gemini Advisory said.
Facebook CEO Mark Zuckerberg finally broke his silence on the Cambridge Analytica data scandal on Wednesday, posting an explanation online and giving interviews to some news organizations.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg said in a statement on his Facebook page.
Over 50 million Facebook profiles were harvested for data by an app, which then passed the information on to Cambridge Analytica.
More user control of data
In his first statement, Zuckerberg set out steps that the social network would take to avoid a repeat of the abuse and give people a better idea of how their data are being used.
Facebook will investigate all apps that had access to large amounts of data and will audit apps with “suspicious activity,” Zuckerberg said. He added that the company would restrict developers’ access to data.
And Facebook will implement a new tool at the top of the News Feed that will show users which apps they are using and give them an easy way to revoke permissions to data.
While Zuckerberg didn’t say the word “sorry” in his initial Facebook post, the CEO did apologize in an interview with CNN.
“So this was a major breach of trust and I’m really sorry that this happened,” Zuckerberg said, adding that the company’s “responsibility now is to make sure that this doesn’t happen again.”
GRASS GROWS, DOGS BARK, THE WORLD GOES ROUND and companies keep suffering data breaches, the latest being travel booking website Orbitz.
The company fessed up to what it suspects was a cyber attack on the personal and payment information of its customers, with data such as dates of birth, email addresses, billing addresses and phone numbers thought to have been exposed.
Credentials for some 880,000 payment cards may have also been nicked as part of the breach, Orbitz said.
The data breach appears to have involved hackers cracking into a legacy website run by Orbitz between January and June 2016, though the company only caught wind of it on 1 March.
A partner platform that also contained Orbitz customer data is thought to have been breached between January 2016 and December 2017.
However, Orbitz noted that there’s no direct evidence from its investigation, so far at least, that any of the data was stolen. Equally, its parent company, travel firm Expedia, appears not to be affected, so users of Expedia services can breathe easy.
Federal prosecutors on Wednesday charged a former Equifax executive with insider trading, alleging that he profited from confidential information about the massive data breach at the company that compromised sensitive data of 148 million people.
Jun Ying, former chief information officer of a U.S. business unit of Equifax, faces both civil and criminal charges from the Securities and Exchange Commission and U.S. Attorney’s Office for the Northern District of Georgia.
”Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” Richard R. Best, Director of the SEC’s Atlanta Regional Office, said in a statement.
Cisco recently published its tenth annual data breach report, and some of the findings should be cause for concern by people who own, run, or work for businesses.
The firm’s 2017 edition of its annual cybersecurity report, entitled “Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches And The Actions That Organizations Are Taking,” provides insights based on threat intelligence gathered by Cisco’s security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.
Cisco noted that, according to its research, in 2016:
More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. (If you own or work for a business, take note: data breaches have repercussions.)
For organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers — 40% of them lost more than a fifth of their customer base. 29% lost revenue, with 38% of that group losing more than a fifth of their revenue. 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities. (The repercussions are quite costly.)
CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures. Security leaders also reveal that their security departments are increasingly complex environments with nearly two thirds of organizations using six or more security products – some with even more than 50! – increasing the potential for security effectiveness gaps and mistakes. (Complexity and a lack of skilled professionals are putting businesses at risk.)
Criminals are leveraging “classic” attack mechanisms – such as adware and email spam – in an effort to easily exploit the gaps that such complexity can create. (Criminals often don’t need to spend resources crafting and executing advanced attacks – simple attacks can do the job.)
Spam is now at a level not seen since 2010, and accounts for nearly two-thirds of all email — with eight to 10 percent of it being outright malicious. Global spam volume is rising, often spread by large and thriving botnets. (Spam is a serious problem that has not gone away – because it works!)
Old-fashioned adware (that is, software that downloads advertising without users’ permission) continues to prove successful, infecting 75 percent of organizations polled. (…as is adware.)
Just 56 percent of security alerts are investigated and less than half of legitimate alerts actually lead to problems being corrected. Defenders, while confident in their tools, are undermined by complexity and manpower challenges; criminals are exploiting the inability of organizations to handle all important security matters in a timely fashion. (Information overload is causing a “Boy Who Cried Wolf” situation in some environments, and too many real alerts are overwhelming information-security professionals in others.)
Twenty-seven percent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns. (Inadequately vetted applications can create risks.)
On the positive side, 90% of organizations that experienced a breach in 2016 are improving threat defense technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent). (Thankfully, firms that have suffered breaches are investing in preventing future problems.)
Discussing the report, John N. Stewart, Cisco’s Senior Vice President and Chief Security and Trust Officer, noted that “In 2017, cyber is business, and business is cyber - that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk. The 2017 Annual Cybersecurity Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture.”
Here are comments from several other industry insiders on the report.
David Vergara, Head of Global Product Marketing, VASCO Data Security:
“This report makes several things abundantly clear. The first is that cybercriminals’ weapon of choice is not always the sophisticated attack; generally, they prefer the path of least resistance, so security laggards beware. Second is the hard cost of a breach, through lost customers, revenue and business, is rising dramatically. This cost should drive more pointed security resource discussions and prop up related business cases.”
Brad Bussie, Director of Product Management, STEALTHbits Technologies:
“Statistics from this study, and others, show an alarming trend that asset risk is no longer being calculated correctly. Losing customers, revenue, and opportunities can be mapped directly back to breached systems. It would be interesting to see how much it would have cost to protect the systems in question, or to change the process that was exploited, and compare it to what was lost because of the breach.”
Don Duncan, Security Engineer, NuData Security:
“Cisco’s findings that 22% of breached organizations lost customers and a significant number of these companies lost 20% of their entire customer base is a sobering data point for any organization when considering whether to disclose a breach publicly. Regulations may be coming that will force disclosures. Until that happens, with so much at risk it’s no wonder that breach numbers are vastly underestimated.”
Brian Laing, VP of Business Development and Products, Lastline:
“The Cisco data breach report highlights the continually evolving techniques used by criminals to exfiltrate sensitive corporate data, and the resulting impact on business performance. Enterprises must continually expand and enhance their security capabilities to keep up with new techniques, schemes, and technology continually introduced by organized crime.”