Yahoo says about 32 million accounts accessed using ‘forged cookies’


(Reuters) – Yahoo Inc <YHOO.O>, which disclosed two massive data breaches last year, said on Wednesday that about 32 million user accounts were accessed by intruders in the last two years using forged cookies.

The company said some of the latest intrusions can be connected to the “same state-sponsored actor believed to be responsible for the 2014 breach”, in which at least 500 million accounts were affected.

“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its latest annual filing.

These cookies have been invalidated so they cannot be used to access user accounts, the company said.

Forged cookies allow an intruder to access a user’s account without a password.
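The two preceding paragraphs describe the mechanism in one line each: whoever learns how a site's session cookies are produced can mint one for any account, and the remedy is to invalidate every cookie issued under the compromised scheme. The Python below is an added illustration, not Yahoo's code (the article does not describe Yahoo's cookie format), of the standard defensive design this implies: an HMAC-SHA256 tag over the cookie payload under a server-side key, constant-time verification, and invalidation by rotating the key and bumping an epoch counter. The cookie layout, key values and user ids are constructed for the example.

```python
"""Added example (not Yahoo's code): HMAC-signed session cookies, detection of
tampered or foreign-key cookies, and invalidation of all outstanding cookies."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionCookies:
    """Mints and verifies cookies of the constructed form <payload>.<tag>.

    The tag is HMAC-SHA256 over the payload under a server-side key.  Anyone who
    holds the key (or the code that derives it) can mint a cookie for any account,
    which is the failure the article describes; anyone who does not cannot
    produce a tag that verifies.
    """

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._epoch = 1      # bumped to invalidate every outstanding cookie
        self._now = now      # injectable clock so the example is testable

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def mint(self, user_id: str, ttl_seconds: int = 3600) -> str:
        body = {"uid": user_id, "exp": int(self._now()) + ttl_seconds,
                "epoch": self._epoch}
        payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
        return f"{_b64e(payload)}.{_b64e(self._tag(payload))}"

    def verify(self, cookie: str) -> Optional[str]:
        """Return the user id the cookie authenticates, or None if it is
        malformed, tampered, signed under another key, expired, or issued
        before the last invalidation."""
        try:
            payload_b64, tag_b64 = cookie.split(".", 1)
            payload, tag = _b64d(payload_b64), _b64d(tag_b64)
        except (ValueError, TypeError):   # binascii.Error subclasses ValueError
            return None
        # Constant-time comparison: a plain == would leak tag bytes via timing.
        if not hmac.compare_digest(self._tag(payload), tag):
            return None
        body = json.loads(payload)
        if body.get("epoch") != self._epoch or body.get("exp", 0) < self._now():
            return None
        return body.get("uid")

    def invalidate_all(self, new_key: bytes) -> None:
        """What 'these cookies have been invalidated' means operationally:
        rotate the signing key and bump the epoch so nothing issued earlier
        verifies, forcing every session to re-authenticate."""
        self._key = new_key
        self._epoch += 1


def demo() -> dict:
    """Exercise the four cases a defender cares about; returns them by name."""
    server = SessionCookies(b"server-secret-key-constructed")
    good = server.mint("alice")

    # Tampered: keep the genuine tag but edit the payload to claim another user.
    payload_b64, tag_b64 = good.split(".")
    edited = _b64d(payload_b64).replace(b'"uid":"alice"', b'"uid":"bob"')
    tampered = f"{_b64e(edited)}.{tag_b64}"

    # Signed under a key that is not the server's: well-formed but unverifiable.
    foreign = SessionCookies(b"not-the-server-key").mint("alice")

    results = {
        "valid": server.verify(good),          # "alice"
        "tampered": server.verify(tampered),   # None
        "wrong_key": server.verify(foreign),   # None
    }
    server.invalidate_all(b"rotated-server-key-constructed")
    results["after_invalidation"] = server.verify(good)        # None
    results["reissued"] = server.verify(server.mint("alice"))  # "alice"
    return results


if __name__ == "__main__":
    print(demo())
```

The epoch field is what lets an operator invalidate all sessions even without changing the key (for example when the key is believed safe but the issuing code was not); rotating the key as well, as `invalidate_all` does, covers the case the article describes, where the attacker learned how the tags are produced.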

Yahoo also said in December that data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.

The company said on Wednesday that it would not award Chief Executive Marissa Mayer a cash bonus for 2016, following the independent committee’s findings related to the 2014 security incident.

Mayer has also offered to forgo any 2017 annual equity award as the breaches occurred during her tenure, Yahoo said.

Last month, Verizon Communications Inc <VZ.N>, which is in the process of buying Yahoo’s core assets, lowered its original offer by $350 million to $4.48 billion.

(Reporting by Rishika Sadam in Bengaluru; Editing by Anil D’Silva)

New York state cyber security regulation to take effect March 1


By Karen Freifeld and Jim Finkle

NEW YORK/BOSTON (Reuters) – New York state on Thursday announced final regulations requiring banks and insurers to meet minimum cyber-security standards and report breaches to regulators as part of an effort to combat a surge in cyber crime and limit damages to consumers.

The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp, Home Depot Inc and Anthem Inc.

They lay out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.

“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes,” Governor Andrew Cuomo said in a statement.

The state in December delayed implementation of the rules by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply.

The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.

The revised rule requires firms to perform risk assessments in order to design a program particular to them, and gives them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.

Covered entities must annually certify compliance.

Institutions subject to the regulation include state-chartered banks, as well as foreign banks licensed to operate in the state, along with any insurer that does business in New York.

A task force of U.S. state insurance regulators is also developing a model cyber security law, which individual state legislatures could ultimately choose to adopt.

Number of U.S. government ‘cyber incidents’ jumps in 2015

WASHINGTON (Reuters) – The U.S. government was hit by more than 77,000 “cyber incidents” like data thefts or other security breaches in fiscal year 2015, a 10 percent increase over the previous year, according to a White House audit.

Part of the uptick stems from federal agencies improving their ability to identify and detect incidents, the annual performance review from the Office of Management and Budget said.

The report, released on Friday, defines cyber incidents broadly as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” Only a small number of the incidents would be considered as significant data breaches.

National security and intelligence officials have long warned that cyber attacks are among the most serious threats facing the United States. President Barack Obama asked Congress last month for $19 billion for cyber security funding across the government in his annual budget request, an increase of $5 billion over the previous year.

The government’s Office of Personnel Management was victim of a massive hack that began in 2014 and was detected last year. Some 22 million current and former federal employees and contractors in addition to family members had their Social Security numbers, birthdays, addresses and other personal data pilfered in the breach.

That event prompted the government to launch a 30-day “cyber security sprint” to boost cyber security within each federal agency by encouraging adoption of multiple-factor authentication and addressing other vulnerabilities.

“Despite unprecedented improvements in securing federal information resources … malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the report said.

(Reporting by Dustin Volz; Editing by Alistair Bell)

Home Depot settles consumer lawsuit over big 2014 data breach

(Reuters) – Home Depot Inc has agreed to pay $13 million to compensate consumers affected by a massive 2014 data breach in which payment card or other personal data was stolen from more than 50 million people.

The home improvement retailer also agreed to pay $6.5 million to fund 1-1/2 years of identity protection services for card holders, and take steps to improve data security.

Terms of the preliminary settlement were disclosed in papers filed on Monday with the federal court in Atlanta, where Home Depot is based.

Court approval is required, and Home Depot did not admit wrongdoing or liability in agreeing to settle.

The company also agreed to pay legal fees of the plaintiffs’ lawyers, on top of the settlement fund.

“We wanted to put the litigation behind us, and this was the most expeditious path,” Home Depot spokesman Stephen Holmes said. “Customers were never responsible for any fraudulent charges.”

According to court papers, the settlement covers about 40 million people who had payment card data stolen, and 52 million to 53 million people who had email addresses stolen, with some overlap between the two groups.

The $13 million will compensate consumers with documented out-of-pocket losses or unreimbursed charges.

Home Depot has said the breach affected people who used payment cards on its self-checkout lines in U.S. and Canadian stores between April and September 2014.

In November, Home Depot said it had incurred $152 million of expenses from the breach, after accounting for expected insurance proceeds.

(Reporting by Jonathan Stempel in New York; Additional reporting by Nate Raymond; Editing by Chris Reese)

21st Century Oncology investigating cyber breach

(Reuters) – Cancer care provider 21st Century Oncology Holdings Inc said it was investigating a breach of its computer network, but had no indication that patient information had been misused.

The Federal Bureau of Investigation had advised the company of the breach in November but had asked it to hold off on making an announcement so as to not impede the investigation, 21st Century Oncology said on Friday.

The Fort Myers, Florida-based company operates 145 cancer treatment centers in the United States and 36 in Latin America.

The company said an investigation by a forensics firm it had hired showed that the intruder may have gained access to its database in early October.

The database contains personal information of some patients, including their names, social security numbers, physicians, diagnoses and treatment, as well as insurance data, the company said.

The FBI said on Friday the investigation remained ongoing and no further comments would be provided for now.

21st Century Oncology is notifying about 2.2 million of its current and former patients that certain information may have been copied and transferred, the company said in a regulatory filing.

The company said it would offer one year of free identity protection services to the affected individuals.

(Reporting by Natalie Grover in Bengaluru; Editing by Saumyadeb Chakrabarty)

IRS notifying more taxpayers about potential data breach

Hackers may have accessed the tax transcripts of approximately 724,000 United States taxpayers by using stolen personal information, the Internal Revenue Service announced Friday.

The agency also said hackers targeted another 576,000 accounts, but could not access them.

The announcement followed a nine-month investigation into its “Get Transcript” application.

The tool was launched in January 2014 and gave taxpayers a way to download or order several years of their transcripts through the IRS website.

However, the agency announced last May that “criminals” had been able to access other tax histories that were not their own by using personal information that had been stolen elsewhere.

The IRS originally announced that about 114,000 transcripts may have been improperly accessed, while hackers targeted another 111,000 but were unsuccessful in their attempts.

The tool has been offline ever since while officials searched for other suspicious activity.

The Treasury Inspector General for Tax Administration (TIGTA) has handled the investigations.

In August, the IRS announced TIGTA found about another 220,000 cases of potential breaches since “Get Transcript” debuted, and about 170,000 more unsuccessful suspicious attempts.

On Friday, the IRS announced TIGTA’s latest review found about 390,000 potential additional cases of improper access, and some 295,000 cases where tax data was targeted but not obtained.

The IRS noted that some of the attempts might not have been malicious.

“It is possible that some of those identified may be family members, tax return preparers or financial institutions using a single email address to attempt to access more than one account,” it said in a statement, though added it is notifying all of the affected taxpayers as a precaution.

The latest wave of taxpayers will be notified through the mail beginning Feb. 29, the IRS said.

“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” IRS Commissioner John Koskinen said in Friday’s announcement. “We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed.”

The agency is offering all affected taxpayers free identity theft protection services and the chance to obtain an identity protection PIN, which helps protect Social Security numbers on returns.

Canada stops sharing some spy info with allies after breach

OTTAWA (Reuters) – Canada has stopped its electronic spy agency from sharing some data with key international allies after discovering the information mistakenly contained personal details about Canadians, government officials said on Thursday.

Ottawa acted after learning that the Communications Security Establishment (CSE) agency had failed to properly disguise metadata – the numbers and time stamps of phone calls but not their content – before passing it on to their international partners.

“CSE will not resume sharing this information with our partners until I am fully satisfied the effective systems and measures are in place,” Defense Minister Harjit Sajjan said in a statement.

Sajjan, who has overall responsibility for the agency, did not say when Canada had stopped sharing the data in question.

Canada is part of the Five Eyes intelligence sharing network, along with the United States, Britain, Australia and New Zealand. CSE, like the U.S. National Security Agency, monitors electronic communication and helps protect national computer networks.

While the agency is not allowed to specifically target Canadians or Canadian corporations, it can scoop up data about Canadians while focusing on other targets.

Sajjan, blaming technical deficiencies at CSE for the problems, said the metadata that Canada shared did not contain names or enough information to identify individuals and added: “The privacy impact was low.”

He made the announcement shortly after an official watchdog that monitors CSE revealed the metadata problem. The watchdog said CSE officials themselves had realized they were not doing enough to disguise the information they shared.

An NSA program to vacuum up Americans’ call data was exposed publicly by former NSA contractor Edward Snowden in 2013 and prompted questions about the CSE’s practices.

(Reporting by David Ljunggren; Editing by Diane Craft)

Wendy’s probing likely fraudulent payment-card charges

(Reuters) – Burger chain operator Wendy’s Co said on Wednesday it was investigating reports of unusual activity with payment cards used at some of its 5,700 locations in the United States.

“Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants,” Wendy’s spokesman Bob Bertini told Reuters in an email statement.

Large retailers such as Target Corp and Home Depot Inc have been victims of security breaches in recent years. Gourmet sandwich chain Jimmy John’s was also breached in 2014.

“Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident,” Bertini said. “We have hired a cyber security firm to assist, but are not disclosing the name at this point.”

Security blog Krebs on Security first reported the development earlier in the day.

(Reporting by Subrat Patnaik and Sruthi Ramakrishnan in Bengaluru; Editing by Savio D’Souza and Maju Samuel)

White House announces major background checks overhaul following data breach

WASHINGTON (Reuters) – The U.S. government will set up a new agency to do background checks on employees and contractors, the White House said on Friday, after a massive breach of U.S. government files exposed the personal data of millions of people last year.

As a part of a sweeping overhaul, the Obama administration said it will establish a National Background Investigations Bureau. It will replace the Office of Personnel Management’s (OPM) Federal Investigative Services (FIS), which currently conducts investigations for over 100 Federal agencies.

The move, a stiff rebuke for FIS and OPM, comes after last year’s disclosure that a hack of OPM computers exposed the names, addresses, Social Security numbers and other sensitive information of roughly 22 million current and former federal employees and contractors, as well as applicants for federal jobs and individuals listed on background check forms.

Unlike FIS, the new agency’s information systems will be handled by the Defense Department, making it even more central to Washington’s effort to bolster its cyber defenses against constant intrusion attempts by hackers and foreign nationals.

“We can substantially reduce the risk of future cyber incidents” by applying lessons learned in recent years, said Michael Daniel, White House cyber security policy coordinator, on a conference call with reporters.

The White House gave no timeline for implementing the changes, but said some would begin this year. It will seek $95 million more in its upcoming fiscal 2017 budget for information technology development, according to a White House fact sheet.

‘NOT THERE YET’

Officials have privately blamed the OPM data breach on China, though security researchers and officials have said there is no evidence Beijing has maliciously used the data trove.

Controversy generated by the hack prompted several congressional committees to investigate whether OPM was negligent in its cyber security practices. OPM Director Katherine Archuleta resigned last July as the government intensified a broad push to improve cyber defenses and modernize systems.

“Clearly we’re not there yet,” Admiral Mike Rogers, head of the National Security Agency, said at a cyber security event in Washington this week when asked about U.S. preparedness against hacks. The damage done by cyber attacks, he added, “is going to get worse before it gets better.”

OPM has been plagued by a large backlog of security clearance files, prompting it to rely on outside contractors for assistance, possibly compromising cyber security.

The Defense Department and OPM did not respond when asked if the government will still rely on support from contractors.

Representative Jason Chaffetz, the Republican chairman of a House of Representatives panel that has been looking into the issue, said Friday’s announcement fell short.

“Protecting this information should be a core competency of OPM,” Chaffetz said in a statement. “Today’s announcement seems aimed only at solving a perception problem rather than tackling the reforms needed to fix a broken security clearance process.”

(Additional reporting by Mark Hosenball and Andrea Shalal; editing by Kevin Drawbaugh, Susan Heavey and Alan Crosby)

Hyatt says data breach started in August

(Reuters) – Hyatt Hotels Corp said a previously reported malware attack on its payment processing system occurred between Aug. 13 and Dec. 8.

The hotel operator said on Thursday it identified unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at its restaurants.

The company also said the “at-risk window” for a limited number of locations began on or shortly after July 30.

Shares of Hyatt were down 3.1 percent in afternoon trading.

Hyatt also said it has arranged a third-party identity protection and fraud detection firm to provide one year of services to affected customers at no cost.

The company did not disclose the number of cards affected.

The company disclosed in December that its payment processing system was infected with information-stealing malware but did not mention how long its network was infected.

Hyatt, controlled by the billionaire Pritzker family, is the fourth major hotel operator to warn of a breach since October.

Hilton Worldwide Holdings Inc and Starwood Hotels & Resorts Worldwide Inc disclosed attacks on payment processing systems in November.

Donald Trump’s luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.

(Reporting by Radhika Rukmangadhan in Bengaluru; Editing by Don Sebastian)