Sunday, October 25, 2015

TalkTalk Breach Week 8

For this week’s blog we are going outside of the United States. Remember that in the week 5 blog there was a saying, “No one is safe”; well, it seems that the statement was true. The British phone company TalkTalk was hacked. The hackers were able to steal lots of personal data, which will be discussed in the following paragraphs.

So far they are not one hundred percent sure if customers’ names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details were stolen (Krebs, 2015). The hackers must be doing this for financial gain, as they sent TalkTalk a 122,000 dollar ransom demand to be paid in the digital currency bitcoin. Along with the ransom demand, the hackers provided tables from its user database to prove that they were not faking the breach (Krebs, 2015). The hackers have threatened to sell customer information on the dark web if the ransom isn’t paid, but there is no guarantee that they won’t sell or post it on the dark web even if the ransom is paid. The database that the hackers sent as part of the ransom demand seems to have credit checks from over 400,000 of its customers. Since the investigation is still ongoing, TalkTalk is not sure how many customers were affected or what data was stolen.

This breach happened because of a vulnerability called SQL injection. A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application (SQL Injection, 2014). When this attack is successful, it can give the attacker administrative privileges on the database. The SQL injection vulnerability was posted on the website Xssposed.org. The attack then became public knowledge, allowing hackers to use this vulnerability to steal information.
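The difference between a query built by pasting client input into the SQL text and one that passes the input as a bound parameter, as an added example that is not part of the original post. The table, the sample rows and the function names are constructed for illustration and say nothing about how TalkTalk's site was built.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a customer database.
SAMPLE_ROWS = [
    ("A100", "Alice Example", "alice@example.test"),
    ("B200", "Bob Example", "bob@example.test"),
    ("C300", "Carol Example", "carol@example.test"),
]

def make_db():
    """Create an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (account TEXT, name TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

def lookup_vulnerable(db, account):
    # Client input is concatenated into the SQL text, so a quote character
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE account = '" + account + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, account):
    # The value is bound to the ? placeholder and is only ever compared as
    # data; it cannot change the structure of the query.
    sql = "SELECT name, email FROM customers WHERE account = ?"
    return db.execute(sql, (account,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    print("normal lookup:       ", lookup_parameterized(db, "B200"))
    print("vulnerable + crafted:", lookup_vulnerable(db, crafted))
    print("parameterized + same:", lookup_parameterized(db, crafted))
```

With the concatenated query the crafted input returns every row in the table; with the bound parameter the same input matches no account and returns nothing.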

TalkTalk has issued one year of free credit monitoring services. Again, companies don’t take cybersecurity seriously. When you have a website that has vulnerabilities and you don’t take care of them, this can happen. This is especially true when the website ties back to a database that houses all their customers’ information. It is good to see they are taking security seriously now, but just like Target they are too late.

References
Krebs, B. (2015, October 24). Krebs on Security. Retrieved October 24, 2015, from http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin/

SQL Injection. (2014, August 14). Retrieved October 24, 2015, from https://www.owasp.org/index.php/SQL_Injection

Monday, October 19, 2015

America's Thrift Store Breach Week 7


Entering week seven, there has been a credit card breach at America’s Thrift Stores. America’s Thrift Stores is headquartered in Birmingham, Alabama, and also has stores in Mississippi, Tennessee, Georgia and Louisiana (Krebs, 2015). They have a total of 18 stores throughout the states listed above. Hackers are now targeting any businesses that have vulnerabilities to get credit card or any personal information from. No one is safe from attackers or malware, no matter how big or small.

America’s Thrift Store was attacked by malware that was used to steal credit card information. This special malware targeted a third-party software vulnerability. The malware that attacked America’s Thrift Store has also been infecting other stores throughout the United States. It seems that the malware was used by criminals in Eastern Europe, because that’s where the U.S. Secret Service found the information was sent to. The hackers only got away with credit card numbers and expiration dates of the cards. The incident happened on September 1, 2015 and September 27 (LeClaire, 2015). America’s Thrift Store is not going to give their customers any credit monitoring protection. America’s Thrift Store has verified they have removed the malware and will work with a third-party forensic company to get more details about the breach.

The surprise this week is that malware was used to steal credit card information. In the past six weeks hackers have broken in to steal personal information, but haven’t used malware. Another interesting part of the story is that the malware targeted third-party software. Most companies today are eliminating third-party providers. Target was hacked through the HVAC company they hired. From experience, most companies should stay away from integrating third-party providers in with their software and network, as this adds more risk of having a breach. The good thing is customer names, phone numbers, and physical or e-mail addresses were not compromised in the breach (LeClaire, 2015).

References

Krebs, B. (2015, October 12). Krebs on Security. Retrieved October 17, 2015, from http://krebsonsecurity.com/2015/10/credit-card-breach-at-americas-thrift-stores/

LeClaire, J. (2015, October 14). America's Thrift Stores Hit by Data Breach, Payment Cards Compromised | NewsFactor Network. Retrieved October 17, 2015, from http://www.newsfactor.com/story.xhtml?story_id=0320011MKY80

Friday, October 9, 2015

Scottrade Breach Week 6

Going into week six, there have been more stories to choose from. This week I'm going to focus on a story that involves a well-known online brokerage firm. Seems like even well-known companies are getting breached. Online companies need a higher budget for security as they are more likely to get attacked. This week’s blog entry will give an overview of the story and what the company needs to do moving forward.

Scottrade was informed by the FBI that they may have been breached around two years ago. “The system that was hacked contain Social Security numbers, email addresses and other sensitive data” (Kirn, 2015). They believe that people’s contact information was targeted. This would include the names and street addresses of their clients. Scottrade says that the attackers may have been after this information because they wanted to facilitate stock scams via spam emails (Krebs, 2015). Scottrade says their client passwords are fully encrypted and there has not been any fraud related to the incident. They are providing their affected customers with a free year of credit monitoring.

The question everyone should be asking is why it took two years to discover they had been breached. Customers of Scottrade may need to rethink if they want to keep doing business with a company that didn’t find a breach on their network for two years. On top of that, why did Scottrade have to find out from the FBI? After reviewing the information, it seems they do not have proper security measures set up. Honestly, even if their passwords are encrypted and none of them seem to have been stolen, Scottrade should make all users change passwords for security reasons.

Not knowing how the attackers got in and took the information, it’s tough to say how this could have been prevented. Security breaches are costing companies in the millions each year because of lax security. How much is it going to cost Scottrade? They have to provide credit monitoring services for about four and a half million people. According to creditcard.com it can cost 10 to 15 dollars a month or 120 to 180 a year (Johnson). If you take that number times four and a half million, the total amount just for credit monitoring services comes in at eight hundred and ten million dollars. That number is just for the credit monitoring services; it may end up costing them almost a billion dollars, which could have possibly been avoided if there had been more security in place. Part of the reason it may cost them over a billion dollars is that they will have to pay a third-party forensics team and the FBI for researching the breach.

References

Kirn, J. (2015, October 8). Scottrade faces lawsuit over security breach. Retrieved October 10, 2015, from http://www.bizjournals.com/stlouis/news/2015/10/08/scottrade-faces-lawsuit-over-security-breach.html

Krebs, B. (2015, October 2). Krebs on Security. Retrieved October 10, 2015, from http://krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-customers/


Johnson, A. (n.d.). Credit monitoring services: Pros, cons and how to pick one. Retrieved October 10, 2015.

Friday, October 2, 2015

Hotel Breach Week 5

After four weeks of blogging, there has been a data breach at a school, a hospital, and a physician's office. No one is safe from attackers wanting personal and credit card information. Anyone is vulnerable, from department, grocery, and even clothing stores. This week the Hilton Hotel has been breached.

The breach happened on April 21, 2015 and continued through July 25, 2015. This happened at Hilton and other Hilton-owned properties such as Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels and Resorts. They have determined the breach didn't happen on their guest reservation system. “Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties” (Krebs, 2015).

According to Visa’s policy, they are not allowed to disclose who was breached. Since the name was not disclosed, banks worked together and determined that the Hilton Hotels were breached. There are no other details as they are still investigating the breach.

When I started this blog I honestly thought that I might have some difficulty writing, but I’m amazed that there are so many breaches happening. Is this the same thing that happened to Target a year ago? Does Hilton take information security seriously? They say in the article that they do, but could this have been avoided? People were lucky that credit and debit cards were the only things that were taken. It is easier to close a credit card than have someone steal a social security number, address and birthdate.

References


Krebs, B. (2015, September 15). Krebs on Security. Retrieved October 2, 2015, from http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-properties/

Friday, September 25, 2015

Hospital Data Breach Week 4

A data breach happened back in August at a physician’s office in Vermont. This data breach was not through the internet, but from a burglary. In the past weeks I have discussed data breaches over the internet, but not any physical ones. Companies are worried about data being stolen over the internet, but they also need to worry about physical break-ins as well.

About two thousand patients’ medical records are being exposed. This includes patient names, dates of birth, Social Security numbers and Medicare/Medicaid numbers (Burglary of Vermont Medical Practice Reported). Since the break-in, the physician’s office has installed security cameras, and they are going to encrypt the computers and train employees on data security. They have also given patients one free year of credit monitoring and identity theft repair as well. The good thing is that the doctor’s office had an identity theft insurance policy!

Why didn’t they have cameras installed and the computers encrypted before the break-in? Every business should have security cameras installed, especially doctors’ offices and businesses that deal with people’s personal information. It shouldn’t take a data breach to make businesses increase their security. After four weeks it’s becoming apparent that companies in both the physical and virtual aspect aren’t prepared for data breaches. I keep asking the same questions every week.

References
           
Burglary of Vermont Medical Practice Reported: PHI of 2,000 Patients Exposed - HIPAA Journal. (2015, September 16). Retrieved September 25, 2015, from http://www.hipaajournal.com/burglary-of-vermont-medical-practice-reported-phi-of-2000-patients-exposed-8103/ 

Friday, September 18, 2015

School Breach Week 3

A data breach has happened at a Cal State vendor called We End Violence. This is a vendor that is recommended by the White House. Students at eight California State University campuses had information such as their login names, course passwords, campus email addresses, gender, race, ethnicity, relationship status and sexual identity stolen when the Agent of Change website provided by vendor We End Violence was hacked (Derespina, 2015). There were about 80,000 students that were exposed in the hack. Students got lucky because no driver’s license numbers or social security numbers were stolen.

Once We End Violence found out about the hack, they shut down their website two days after the incident. Any students that had their information stolen were alerted by the university. Cal State has given the students new usernames or login names and passwords. The vendor has contacted a third-party company about launching a forensic investigation.

This data breach could have been a lot worse than it was. Since the forensic investigation is still ongoing, there are no details as to why the hack happened. It is interesting to see that a third-party vendor was hacked and not the actual college itself. Some data breaches occur this way. The hacker gets into the vendor’s system and pulls data from all their customers. So not only does the company have to be secure, but they have to make sure their vendors are secure as well. The university said, "Protecting student data and personal information is a top priority of the California State University (CSU)" (Eng, 2015). It’s good to see that the university cares about the personal information of their students.


References

Derespina, C. (2015, September 11). Nearly 80,000 college students affected by data breach. Retrieved September 18, 2015, from http://www.foxnews.com/us/2015/09/11/nearly-80000-college-students-affected-by-data-breach/


Eng, J. (2015, September 10). Info on 79K Cal State Students Exposed in Hack of Third-Party Vendor. Retrieved September 18, 2015, from http://www.nbcnews.com/tech/security/info-79k-cal-state-students-exposed-hack-third-party-vendor-n425146

Saturday, September 12, 2015

Health Records Breached Week 2

Earlier this week Excellus BlueCross BlueShield and another partner company had 10 million health records exposed. The breach follows Anthem’s in January of this year, with 80 million health records. Other health insurance based companies are being targeted as well. It's become such a large problem that law enforcement began warning health care industry companies last year that they may face an increased risk of data breach attacks (Hautala, 2015).

It took Excellus over a year and a half to find out they had been breached. The companies said unauthorized computer access was discovered Aug. 5, and further investigation revealed that the initial attack occurred on Dec. 23, 2013 (Hack of Health Insurer Excellus May Have Exposed 10M Personal Records.). Excellus is not sure at this time if any of the information stolen had been sold or used.

My question is, if law enforcement warned them about data breach attacks, why didn’t they increase their security? To me it seems the health insurance companies don’t have proper security measures set up for protecting their customers’ data. Would you trust these companies with your personal information? I know I wouldn’t trust them with my personal information if they have no way of keeping it safe. Excellus is doing the right thing by providing free credit monitoring for two years.

I wonder how and when more of these incidents are going to happen. When will companies learn that the less you spend on security, the more it will cost you when there is a data breach? I heard once from a security conference that if a company spent that extra 100,000 on security equipment it would have saved them 2.5 million when they got breached.

References

Hautala, L. (2015, September 10). Data breach exposes 10M health records from New York insurer - CNET. Retrieved September 12, 2015.


Hack of Health Insurer Excellus May Have Exposed 10M Personal Records. (2015, September 9). Retrieved September 12, 2015.