Mystery hacker steals data on 1,000 North Korean defectors in South

FILE PHOTO: A North Korean flag flutters on top of a 160-metre tower in North Korea's propaganda village of Gijungdong, in this picture taken from the Tae Sung freedom village near the Military Demarcation Line (MDL), inside the demilitarised zone separating the two Koreas, in Paju, South Korea, April 24, 2018. REUTERS/Kim Hong-Ji

By Hyonhee Shin

SEOUL (Reuters) – The personal information of nearly 1,000 North Koreans who defected to South Korea has been leaked after unknown hackers got access to a resettlement agency’s database, the South Korean Unification Ministry said on Friday.

The ministry said it discovered last week that the names, birth dates and addresses of 997 defectors had been stolen through a computer infected with malicious software at an agency called the Hana center, in the southern city of Gumi.

“The malware was planted through emails sent by an internal address,” a ministry official told reporters on condition of anonymity, due to the sensitivity of the issue, referring to a Hana center email account.

The Hana center is among 25 institutes the ministry runs around the country to help some 32,000 defectors adjust to life in the richer, democratic South by providing jobs, medical and legal support.

Defectors, most of whom risked their lives to flee poverty and political oppression, are a source of shame for North Korea. Its state media often denounces them as “human scum” and accuses South Korean spies of kidnapping some of them.

The ministry official declined to say if North Korea was believed to have been behind the hack, or what the motive might have been, saying a police investigation was under way to determine who did it.

North Korean hackers have in the past been accused of cyber attacks on South Korean state agencies and businesses.

North Korea stole classified documents from the South’s defense ministry and a shipbuilder last year, while a cryptocurrency exchange filed for bankruptcy following a cyber attack linked to the North.

North Korean state media has denied those cyber attacks.

The latest data breach comes at a delicate time for the two Koreas which have been rapidly improving their relations after years of confrontation.

The Unification Ministry said it was notifying the affected defectors and there were no reports of any negative impact of the data breach.

“We’re sorry this has happened and will make efforts to prevent it from recurring,” the ministry official said.

Several defectors, including one who became a South Korean television celebrity, have disappeared in recent years only to turn up later in North Korean state media, criticizing South Korea and the fate of defectors.

(Reporting by Hyonhee Shin; Editing by Robert Birsel)

Saks, Lord & Taylor hit by payment card data breach

The Lord & Taylor flagship store building is seen along Fifth Avenue in the Manhattan borough of New York City, U.S., October 24, 2017. REUTERS/Shannon Stapleton

By Jim Finkle and David Henry

TORONTO/NEW YORK (Reuters) – Retailer Hudson’s Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.

One cyber security firm said that it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case.

Toronto-based Hudson’s Bay said in a statement that it had “taken steps to contain” the breach but did not say it had succeeded in confirming that its network was secure. It also did not say when the breach had begun or how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

A company spokeswoman declined to elaborate.

The breach comes as Hudson’s Bay struggles to improve its financial performance as a tough retail environment has weighed on sales and margins. Last June, it launched a transformation plan to cut costs and is working to monetize the value of its substantial real estate holdings.

Hudson’s Bay disclosed the incident after New York-based cyber security firm Gemini Advisory reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group known as JokerStash.

JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.

The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson’s Bay units, Chorine told Reuters by telephone.

The bulk of the 5 million card numbers that JokerStash said it plans to release are likely from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.

“It’s hard to assess at the moment, primarily because hackers have not released the entire cards in one batch,” he told Reuters.

Alex Holden, chief information security officer with cyber security firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson’s Bay.

If in fact millions of records were stolen, the breach would be one of the largest involving payment cards in the past year, but it would still be far smaller than any of the biggest thefts on record, which occurred a decade ago.

Hackers stole more than 130 million credit cards from credit-card processor Heartland Payment Systems, convenience store operator 7-Eleven Inc and grocer Hannaford Brothers Co, from 2006 to 2008, according to U.S. federal investigators.

Cyber criminals stole some 40 million payment cards in a 2013 hack on Target Corp and 56 million from Home Depot Inc in 2014.

Hudson’s Bay said there is no indication its recent breach involved online sales at Saks and Lord &Taylor outlets or its Hudson’s Bay, Home Outfitters and HBC Europe units.

The company said that customers will not be liable for fraudulent charges resulting from the breach.

(Reporting by Jim Finkle in Toronto and David Henry in New York; Editing by Bill Rigby and Steve Orlofsky)

U.S. warns public about attacks on energy, industrial firms

U.S. warns public about attacks on energy, industrial firms

By Jim Finkle

(Reuters) – The U.S government issued a rare public warning about hacking campaigns targeting energy and industrial firms, the latest evidence that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed via email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Homeland Security and FBI representatives could not be reached for comment on Saturday morning.

Robert Lee, an expert in securing industrial networks, said the report describes activities from two or three groups that have stolen user credentials and spied on organizations in the United States and other nations, but not launched destructive attacks.

“This is very aggressive activity,” said Lee, chief executive of cyber-security firm Dragos.

He said the report appears to describe groups working in the interests of the Russian government, though he declined to elaborate.  Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

Government agencies and energy firms previously declined to identify any of the victims in the attacks described in June’s confidential report.

(Reporting by Jim Finkle in Toronto; Editing by Nick Zieminski)

Merck cyber attack may cost insurers $275 million: Verisk’s PCS

Merck cyber attack may cost insurers $275 million: Verisk's PCS

NEW YORK (Reuters) – Insurers could pay $275 million to cover the insured portion of drugmaker Merck & Co’s loss from a cyber attack in June, according to a forecast by Verisk Analytics Inc’s Property Claim Services (PCS) unit.

Merck, however, has not disclosed the magnitude of its uninsured losses from the “NotPetya” attack, which disrupted production of some Merck medicines and vaccines.

The company was among dozens of firms worldwide hit in the June 27 attack, which began in Ukraine, then rapidly spread through corporate networks of multinationals with operations or suppliers in Eastern Europe.

“Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses,” Merck spokeswoman Claire Gillespie said in a statement.

She reiterated that Merck has insurance that would cover some costs, but declined to elaborate or say how much Merck expects to have to pay on its own.

The drugmaker said in July that it had suffered a worldwide disruption of its operations as a result of the malware. It was still in the process of restoring its manufacturing operations a month later.

Merck said then that it was confident it would be able to maintain a continuous supply of its top-selling and life-saving drugs, but warned of temporary delays in delivering some other products.

NotPetya is a destructive virus that spread quickly across computer networks, crippling computers by encrypting hard drives so that machines cannot run. The attacks caused massive disruptions to industrial networks that rely on computers because businesses must individually replace damaged drives, a labor-intensive process.

Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as $100,000 for $10 million in data breach insurance.

Policies typically cover expenses stemming from a data breach, such as forensics and data restoration, among other costs. Coverage also helps pay for business interruption expenses when a breach or malware attack shuts down a company’s website.

Some companies without cyber insurance have used their policies covering kidnap, ransom and extortion to recoup losses caused by ransomware viruses.

PCS provides estimates on a wide variety of insured losses, ranging from damages caused by hacks to hurricanes and wildfires.

(Reporting by Michael Erman in New York and Noor Zainab Hussain in Bengaluru, additional reporting by Suzanne Barlyn; editing by Jim Finkle and G Crosse)

IRS puts Equifax contract on hold during security review

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank

NEW YORK (Reuters) – The U.S. Internal Revenue Service has temporarily suspended a contract worth more than $7 million it recently awarded to Equifax Inc following a security issue with the beleaguered credit reporting agency’s website on Thursday.

Equifax, which disclosed last month that cyber criminals breached its systems between mid-May and late July and made off with sensitive data on 145.5 million people, said on Thursday it shut down one of its website pages after discovering that a third-party vendor was running malicious code on the page.

“The IRS notified us that they have issued a stop-work order under our Transaction Support for Identity Management contract,” an Equifax spokesperson said on Friday.

“We remain confident that we are the best party to perform the services required in this contract,” the spokesperson said. “We are engaging IRS officials to review the facts and clarify available options.”

The IRS is the first organization to say publicly that it is suspending a contract with Equifax since the credit reporting agency’s security problems came to light.

Atlanta-based Equifax said its systems were not compromised by the incident on Thursday, which involved bogus pop-up windows on the web page that could trick visitors into installing software that automatically displays advertising material.

Still, the IRS said it decided to temporarily suspended its short-term contract with Equifax for identity-proofing services.

“During this suspension, the IRS will continue its review of Equifax systems and security,” the agency said in a statement. There was no indication that any of the IRS data shared with Equifax under the contract had been compromised, it added.

The move means that the IRS will temporarily be unable to create new accounts for taxpayers using its Secure Access portal, which supports applications including online accounts and transcripts. Users who already had Secure Access accounts will not be affected, the IRS said.

IRS granted the $7.25 million contract to Equifax on Sept. 29, weeks after Equifax disclosed the massive data hack that drew scathing criticism from several lawmakers.

“From its initial announcement, the timing and nature of this IRS-Equifax contract raised some serious red flags … we are pleased to see the IRS suspend its contract with Equifax,” Republican Representatives Greg Walden and Robert Latta said in a joint statement on Friday.

“Our focus now remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach,” they said.

Government contracts in areas such as healthcare, law enforcement, social services, and tax and revenue, are major sources of revenue for Equifax.

In 2016, government services made up 5 percent of Equifax’s overall $3.1 billion in revenue, accounting for 10 percent of its workforce solutions revenues, 3 percent of its U.S. information solutions revenues, and 7 percent of its international revenues, according to a regulatory financial filing.

(Reporting by John McCrank in New York; additional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

Equifax takes down web page after reports of new hack

The logo and trading information for Credit reporting company Equifax Inc. are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., September 26, 2017. REUTERS/Lucas Jackson

By John McCrank

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help web pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of 145.5 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

Equifax disclosed on Sept. 7 that its systems had been breached between mid-May and late July. In the fallout, the company has parted ways with its chief executive, chief information officer and chief security officer.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

(Reporting by John McCrank; Editing by Bill Rigby)

Rising hacker threat will trigger boom in cyber crime insurance, Tryg says

People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic

COPENHAGEN (Reuters) – Insurer Tryg <TRYG.CO> expects 90 percent of its corporate customers to buy cyber crime insurance within five years as the threat from hackers and viruses to crucial data and IT systems grows.

Tryg, Denmark’s biggest insurer, has sold 5,000 cyber crime insurance policies since the turn of the year when it launched a new product providing assistance in restoring data and getting systems up and running if a firm is hit by a cyber attack.

“There are no corporate clients today that don’t have insurance on their buildings or cars, but I think that within a very few years it will be just as evident that you should insure against cyber crime,” chief executive Morten Hubbe told Reuters on Wednesday.

The initial rise in demand for cyber insurance was prompted by the ransomware attack, named “Wannacry”, that infected more than 300,000 computers worldwide in May.

He estimated that around 50 percent of the firm’s corporate clients would buy such an insurance by 2020 and from that point it would only take “a couple of years” to reach 90 percent.

Tryg’s two business segments for small and medium size businesses and larger corporate customers accounts for 44 percent of the group’s total premium income.

“The biggest risk to us is that significantly more customers get hit than we believe and that it gives us a huge economic loss,” said Hubbe.

While the firm has good insight into how often a house burns down or a bicycle is stolen on average, the frequency and extent of cyber crimes is hard to predict.

Tryg will also offer extensions to the basic insurance that cover consequential losses, back-up of data and a so-called DNS box aimed at blocking web pages known to contain viruses and malware.

For the big industrial players, Tryg would look to cooperate with global reinsurers to spread the risk when big companies lose revenues in connection with cyber attacks.

The world’s biggest container shipping firm Maersk Line <MAERSKb.CO> saw a $2-300 million bill from a June cyber attack that disrupted its operations for weeks.

(Reporting by Stine Jacobsen; editing by Ken Ferris)

Yahoo says all three billion accounts hacked in 2013 data theft

Yahoo says all three billion accounts hacked in 2013 data theft

By Jonathan Stempel and Jim Finkle

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc <VZ.N>.

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of owners accounts who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expanding its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc <EFX.N> and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it was for companies to get ahead of hackers, even when they know their networks had been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

(Reporting by Munsif Vengattil, Jim Finkle, Jim Christie, Jon Stempel, and David Shepardson; writing by Stephen Nellis in San Francisco; Editing by Andrew Hay and Lisa Shumaker)

Former Equifax chief will face questions from U.S. Congress over hack

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank and David Shepardson

WASHINGTON (Reuters) – U.S. lawmakers are due to question the former head of Equifax Inc <EFX.N> at a Tuesday hearing that could shed light on how hackers accessed the personal data of more than 140 million consumers.

Richard Smith retired last week but the 57-year-old executive will answer for the breach that the credit bureau acknowledged in early September.

Late Monday, Equifax said an independent review had boosted the number of potentially affected U.S. consumers by 2.5 million to 145.5 million.

In March, the U.S. Homeland Security Department alerted Equifax to an online gap in security but the company did nothing, said Smith.

“The vulnerability remained in an Equifax web application much longer than it should have,” Smith said in remarks prepared for delivery on Tuesday. “I am here today to apologize to the American people myself.”

Smith will face the House Energy and Commerce Committee on Tuesday but there will be three more such hearings this week.

Equifax keeps a trove of consumer data for banks and other creditors who want to know whether a customer is likely to default.

The cyber-hack has been a calamity for Equifax which has lost roughly a quarter of its stock market value and seen several top executives step down alongside Smith.

Smith’s replacement, Paulino do Rego Barros Jr., has also apologized for the hack and said the company will help customers freeze their credit records and monitor any misuse.

There has been a public outcry about the breech but no more than 3.0 percent of consumers have frozen their credit reports, according to research firm Gartner, Inc.

Smith said hackers tapped sensitive information between mid-May and late-July.

Security personnel noticed suspicious activity on July 29 and disabled web application a day later, ending the hacking, Smith said. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

(Patrick Rucker contributed from Washington; editing by Clive McKeef.)

Equifax apologizes as U.S. watchdog calls for more oversight

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank

(Reuters) – Equifax Inc promised to make it easier for consumers to control access to their credit records in the wake of the company’s massive breach after the top U.S. consumer financial watchdog called on the industry to introduce such a system.

Equifax’s interim chief executive officer, Paulino do Rego Barros Jr., vowed to introduce a free service by Jan. 31 that will let consumers control access to their own credit records.

Barros, who was named interim CEO on Tuesday as Richard Smith stepped down from the post amid mounting criticism over the handling of the cyber attack, also apologized for providing inadequate support to consumers seeking information after the breach was disclosed on Sept. 7. He promised to add call-center representatives and bolster a breach-response website.

“I have heard the frustration and fear. I know we have to do a better job of helping you,” Barros said in a statement published in The Wall Street Journal.

Equifax announced the free credit freeze service after the Consumer Financial Protection Bureau’s (CFPB) director, Richard Cordray, told CNBC earlier in the day that the agency would beef up oversight of Equifax and its rivals.

“The old days of just doing what they want and being subject to lawsuits now and then are over,” Cordray said.

He also called for implementing a scheme of preventive credit monitoring.

“They are going to have to accept that. They are going to have to welcome it. They are going to have to be very forthcoming,” Cordray said.

The Equifax hack compromised sensitive data of up to 143 million Americans and prompted investigations by lawmakers and regulators, including the New York Department of Financial Services (DFS), which issued a subpoena to Equifax demanding more information about the breach.

Federal laws give the CFPB the power to supervise and examine large credit-reporting firms to ensure the quality of information they provide. In January, the CFPB fined TransUnion and Equifax $5.5 million in total for deceiving customers about the usefulness and cost of their credit scores.

Cordray called for expanded powers to cover data security to prevent breaches and suggested placing monitors inside credit reporting firms, borrowing a tactic from the regulatory regime for banks.

The CFPB is working with the Federal Trade Commission and New York’s DFS on a new regulatory framework, Cordray said. He also called for Congress to tighten oversight of the industry.

TransUnion said in a statement that it had “long been subject to regulatory oversight from state and federal regulators including the CFPB.”

Experian did not respond to requests for comment.

(Reporting by John McCrank in New York; Additional reporting by Lisa Lambert in Washington and Jim Finkle in Toronto; Writing by Michelle Price; Editing by Tom Brown and Leslie Adler)