So long as it receives federal court approval next month, the settlement terms of the class action lawsuit will also provide two years of free credit-monitoring services to U.S.- and Israel-based victims of the hack, which is believed to be the biggest data breach ever to have taken place.

The stolen information included names, email addresses, phone numbers, dates of birth, hashed passwords, as well as security questions and answers.

As if that wasn’t bad enough, Yahoo took three years to disclose details of the data theft, and even then, the true scope of the hack wasn’t properly revealed.

Complicating matters further, the revelation came after Verizon had agreed to buy the web company in a deal worth $4.8 billion. Issues connected with the security breach forced Yahoo to reduce that figure by $350 million.

The settlement reached this week in a federal district court in San Jose, California, covers around a billion accounts held by an estimated 200 million people in the U.S. and Israel from 2012 through 2016.

Verizon has agreed to pay half of the settlement cost, while Altaba — a firm set up to take on the parts of Yahoo not acquired by Verizon — will pay the rest.

Payout for those affected

Should the court approve the deal, affected users can put in claims for some of the $50 million fund.

“The costs can include such things as identity theft, delayed tax refunds or other problems linked to having had personal information pilfered during the Yahoo break-ins,” the AP said in its report.

For example, Yahoo account holders with documented losses can claim for up to 15 hours of lost time, which at $25 an hour would come to $375. Those unable to document losses can put in claims of up to five hours, or $125, for time spent dealing with the fallout of the hack.

In addition, Yahoo account holders who forked out up to $50 a year for a premium email account will be able to claim a 25-percent refund.

Final approval of the proposed settlement will be considered during a session at the Northern District of California on November 29, 2018, and if it goes through, affected account holders will be notified soon after.

SOURCE: Digital Trends

A total of 945 data breaches have led to 4.5 billion data records being compromised worldwide in the first half of 2018, according to Gemalto’s Breach Level Index, a global database of public data breaches.

Compared to the same period in 2017, the number of lost, stolen or compromised records increased by a staggering 133 percent, though the total number of breaches slightly decreased over the same period, signaling an increase in the severity of each incident.

A total of six social media breaches, including the Cambridge Analytica-Facebook incident, accounted for over 56 percent of total records compromised. Of the 945 data breaches, 189 (20 percent of all breaches) had an unknown or unaccounted number of compromised data records.

According to the Breach Level Index, almost 15 billion data records have been exposed since 2013, when the index began benchmarking publicly disclosed data breaches. During the first six months of 2018, more than 25 million records were compromised or exposed every day, or 291 records every second, including medical, credit card and/or financial data or personally identifiable information. This is particularly concerning, since only one percent of the stolen, lost or compromised data records were protected by encryption to render the information useless, a percent-and-a-half drop compared to the first six months of 2017, says Gemalto.

“We also expect to see more data breaches reported by European Union countries bound by the new General Data Protection Regulation and in Australia with the new Notifiable Data Breaches law,” said Jason Hart, VP and CTO of Data Protection at Gemalto.

SOURCE: The Fast Mode

The nation’s second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known healthcare hack in U.S. history, officials said Monday.

The personal information of nearly 79 million people — including names, birthdates, Social Security numbers, and medical IDs — was exposed in the cyber attack, discovered by the company in 2015.

The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a healthcare data breach, officials said.

“When you have large breaches it erodes people’s confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment,” said Roger Severino, director of the HHS Office for Civil Rights. The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.

Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that “hackers are out there always and large health care entities, in particular, are targets,” he added.

The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.

In a statement Monday, Anthem said it’s not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.

“Anthem takes the security of its data and the personal information of consumers very seriously,” the statement said. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”

The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.

Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer’s systems.

HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprisewide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement “adequate minimum access controls” to shut down intrusions from as early as February 2014.

SOURCE: The Republic

The U.S. Department of Defense confirmed on Friday that personal information and credit card data of some 30,000 U.S. military and civilian personnel have been compromised in a breach affecting one of the DoD’s third-party contractors.

Apparently, no classified information was accessed by the attackers.

What is known about the breach

The Associated Press cited an unnamed U.S. official who says that the breach might end up involving the information of more than 30,000 workers, but that the investigation is still ongoing.

Later, Pentagon spokesman Lt. Col. Joseph Buccino confirmed that they still don’t know the extent of the compromise and who the attackers are.

But he pointed out that “this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of DoD personnel.

The breach was recently discovered, but it is still unknown how long the attacker had access to the information and to the third-party vendor’s systems. DoD leaders were informed about it by a department cyber team on October 4.

Those affected will soon be notified directly by the DoD, and will be provided with fraud protection services, Buccino added.

He also said they won’t be naming the vendor due to security reasons, but that the DoD “has taken steps to have the vendor cease performance under its contracts.” He did not say whether that’s only a temporary cessation.

Poor security

The scope of this breach pales in comparison with the 2014/2015 breach of the US Office of Personnel Management’s (OPM) network when all kinds of sensitive information about current and former US federal government employees (including those in the DoD) was compromised.

The disclosure of this latest breach comes just days after the U.S. Government Accountability Office released a report saying that the DoD is doing an extremely poor job when it comes to securing weapon systems against cyber attackers.

“The testers found embarrassing, elementary screw-ups of the sort that would get a middle school computer lab administrator in trouble, to say nothing of someone safeguarding lethal weapon systems,” the Intercept reported.

SOURCE: Help Net Security


Cathay Pacific Data Breach Exposes 9.4 Million Passengers

Cathay Pacific, the Hong Kong-based international airline, acknowledged on Wednesday that its computer system had been compromised at least seven months ago, exposing the personal data and travel histories of as many as 9.4 million people.

The breach involved private user information, including phone numbers, dates of birth, frequent flier membership numbers and passport and government ID numbers, as well as information on passengers’ past travels. The airline said that 27 credit card numbers — but not their corresponding security codes — had been obtained, as had 403 expired credit card numbers.

The company said that no passwords were compromised and that the breach would not affect flight operations or safety. It said it learned in May that passenger data had been exposed after first discovering suspicious activity on its network in March. It did not immediately respond when asked whether it had any indication of who was responsible, and why it did not announce the breach earlier.

“The safety and security of our passengers remain our top priority,” said Rupert Hogg, the carrier’s chief executive.

As Asia’s economic might has grown over the past half-century, Cathay has become a major carrier in the region, one known globally for its customer service. Last year it carried nearly 35 million passengers to around 200 destinations in more than 50 countries or territories. But the security breach has come at a tough time for the company, which counts the state-backed carrier Air China as a major shareholder.

Cathay has faced growing competition in the region from low-cost carriers and other emerging rivals and has been losing money for the past two years. Its shares fell in Hong Kong trading on Thursday.

Airlines are juicy targets for hackers, with their vast stores of information not only on people’s identities and credit cards but also on where they have been.

In an era when issues of data protection have come to the fore in Washington and other global capitals, the Cathay breach does not stand out for its scale. The airline said in a filing with the Hong Kong Stock Exchange that around 860,000 passport numbers and 245,000 Hong Kong identity card numbers had been exposed. By contrast, the security breach discovered by Facebook last month involved 50 million user accounts.

Still, the types of information in Cathay’s systems that were compromised could be particularly useful to malicious agents. Names, birthdays, travel itineraries and passport details could be used to reset passwords or obtain private financial information.

Last month, British Airways said that criminals had stolen data on people who booked flights on its website or app during a roughly two-week period in August and September. That security breach exposed personal and financial details, the airline said, but not travel or passport information.

Delta Air Lines said earlier this year that customer payment information had been exposed after a security breach at a company that provided online chat services for it. In that case, no customers’ passport details were compromised, Delta said.

SOURCE: New York Times