Tag Archives: Data Breach

Reality Check: Is Your Personal Data Safe Online?

The Facebook scandal involving personal data mishandled by Cambridge Analytica has raised concerns over the privacy of the information we share on our social media accounts.

Some countries have gone as far as to legislate Internet data privacy with laws granting the “right to be forgotten.”

Yet Facebook CEO Mark Zuckerberg says we don’t need such regulations here in the states. Is he right?

This is a Reality Check you won’t get anywhere else.

It’s an unsettling thought: your personal data, being manipulated on a global scale. Where you live, what kind of car you drive, how many children you have, what food you eat, how much money you earn, what clothes you wear, how you exercise, the list goes on and on.

While other countries are tightening laws on Internet privacy and how corporations can use your data, such as the UK’s data protection law with its “right to be forgotten,” the United States seems to be stuck in the 1980s on the issue.

In California, privacy is a right in the state constitution. “Privacy” was added to the state’s “inalienable rights” by the legislature in 1972.

And though California has been a leader in privacy, the last meaningful update to the state’s privacy laws was in the 1980s, long before today’s technology.

For context, Census data shows that in 1989, 15 percent of American households owned a computer.

Today, according to Pew Research, 77 percent of Americans have a smartphone—a computer in their pocket or purse.

And in 2015, those smartphone owners used about 27 smartphone apps per month, according to Statista.

Just think about all of the information you give to the apps on your smartphone. Do you read their terms of use?

You know you don’t. And yet, a California-based group called the Californians for Consumer Privacy has raised concern about how our information is collected and sold.

From that group came the California Consumer Privacy Act. The act is intended not only to hold major corporations making $50 million or more per year responsible for their consumers’ data, but also to give Californians the right to know where and to whom their data is being disclosed or sold, and whether it is being properly protected.

There’s nothing in California today that allows users to see what data has been collected on them. And data is being collected everywhere you go.

From the checkout at Target, to your Facebook account, browsing the Internet or even just walking on a city street—credit cards are being swiped, messages are being shared, and cameras are recording.

So are the rules of how businesses use your data fair and respectful of your privacy?

One of the key aspects of the California Consumer Privacy Act is a right of action against companies that store data but have not taken reasonable steps to secure that data. That means consumers can sue companies that didn’t protect their data.

What exactly “reasonable steps” means needs to be fleshed out in the courts, but there are plenty of examples of companies that didn’t take “reasonable steps” until after data was compromised.

From December 19, 2013, “Target says hackers breached its system and stole 40 million credit card numbers.”

From September 18, 2014, “Almost immediately after word broke that Home Depot had been hacked, security experts were noting that the breach was likely even worse than the massive Target [breach] that had preceded it.”

From October 2, 2014, “JP Morgan just revealing that an August data breach could affect 76 million households.”

From February 5, 2015, “One of America’s largest health insurers, Anthem, this morning confirmed a massive data breach. Reports say hackers may have stolen up to 80 million records. No credit card or medical information is in danger, but Social Security numbers, birthdays and addresses may have been compromised.”

What you need to know is that when we provide information to a corporation, we establish a relationship.

We believe the corporation will use our information for the purpose of their service. Once your information is outside of the intended use, it’s nearly impossible to control it.

And third-party sharing of your data allows it to be used, shared and disseminated without any control on your part. Big data is a powerful force in the United States. But should big data be allowed to do whatever it wants with your information? If not, how do we, as the public, get some control back?

Let’s talk about that, right now, on social media, while someone collects our data.

DNC Disciplines Sanders Campaign for Accessing Confidential Clinton Voter Data

After the Democratic National Committee became aware that presidential candidate Bernie Sanders’ campaign accessed confidential voter information from Hillary Clinton’s campaign, it determined that the Sanders campaign should face consequences.

As a result, the DNC suspended the Sanders campaign’s access to its own voter database, which includes information on voters from across the country.

The breach was brought to light on Thursday after Jeff Weaver, Sanders’ campaign manager, admitted that one of Sanders’ staffers viewed the Clinton campaign’s private voter data. However, he insisted that it was due to a software glitch which allowed the access.

Weaver said none of the data was downloaded, so he believes the Sanders campaign no longer has access to it. He blamed the breach on the software vendor in charge of the DNC’s voter data.

Michael Briggs, a spokesman for Sanders’ campaign, also blamed the vendor, and claimed that “on more than one occasion, the vendor has dropped the firewall between the data of different Democratic campaigns.”

“Our campaign months ago alerted the D.N.C. to the fact that campaign data was being made available to other campaigns,” Briggs said. “At that time our campaign did not run to the media, relying instead on assurances from the vendor.”

Stu Trevelyan, the chief of the vendor NGP VAN, which handles the DNC’s master file of voter data and then disperses it to individual campaigns, told the Washington Post that the breach occurred on Wednesday “while a patch was being applied to the software.”

Briggs said the staffer who viewed the Clinton campaign’s data was fired after the incident, and he claimed that the glitch within the system also made the Sanders campaign’s voter data vulnerable to its competitors.

The suspension comes just before the third Democratic debate, which will be hosted by ABC News and held in Manchester, New Hampshire, on Saturday.


At Least 15K Government Officials Among Ashley Madison Data Dump

August 19, 2015 – On Tuesday, hackers made good on a promise that has left untold numbers of cheaters sweating bullets for weeks. The data of at least 32 million users of AshleyMadison.com, whose slogan is “Life is short. Have an affair,” has been published.

Among the entries from the Ashley Madison published data, more than 15,000 of the email addresses appear to be hosted on American government and military servers using the (.gov) and (.mil) top-level domains.

Last month, hackers who self-identify as The Impact Team successfully hacked into databases owned by Avid Life Media, a Canadian company that owns multiple dating sites including Ashley Madison, Cougar Life, and Established Men. The hackers claim they took action because Avid Life Media was lying to its customers about a “full delete service” that required a $19 fee to completely scrub a user’s data from the site. The hackers say Avid Life Media took the money but still retained the data.

Shortly after gaining access to the databases last month, hackers fired the warning shot:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Several data security experts have confirmed that the dumped data is indeed authentic. In fact, a journalist working at The Guardian who set up an Ashley Madison account as part of an investigation found his data in the dump.

Although it has been published, your garden variety internet user will have a difficult time accessing the data. The file is almost 10 gigabytes in size and can be viewed on the dark web using an Onion address accessible only through the Tor browser.

Image shows how Impact Team hackers released Ashley Madison data dump.

“Avid Life Media has failed to take down Ashley Madison and Established Men,” hackers wrote in a statement accompanying Tuesday’s data dump. “We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data…. Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”

It should be noted that email addresses did not have to be validated to open an account on the site, so anyone could have registered using someone else’s address. The only way to confirm whether the government email addresses belonged to real users would be to cross-reference them with the credit card records on file.
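The two claims above (counting addresses by top-level domain, and treating a matching payment record as the only corroboration that an address was really used) are a small data-triage task. The Python below is an added example written for this page, not code from the article or from the Impact Team dump; the account and payment rows are constructed placeholders in a plausible export shape, and the domains are the reserved example.gov/mail.mil style, not real people. It normalizes addresses before counting so case variants are not double-counted, and returns only those government addresses that also appear in the payment records.

```python
import re
from collections import Counter

# Constructed sample rows in the shape of an "email,created" export; not real dump data.
ACCOUNTS_CSV = """\
email,created
jdoe@example.gov,2013-04-02
JDOE@EXAMPLE.GOV,2014-01-09
analyst@mail.mil,2012-11-30
someone@example.com,2015-02-14
prankster-typed-this@state.gov,2015-06-01
not-an-email,2015-06-02
"""

# Constructed payment records (email + last four digits); the only corroborating
# signal the article mentions, since the site never validated email addresses.
PAYMENTS_CSV = """\
email,last4
jdoe@example.gov,4242
analyst@mail.mil,1881
"""

# Loose syntax check; group(2) is the top-level domain (handles subdomains by backtracking).
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.([a-z0-9-]+))$", re.I)


def parse_emails(csv_text):
    """Yield (normalized_email, tld) from the first column; skip the header and malformed rows."""
    for line in csv_text.strip().splitlines()[1:]:
        email = line.split(",", 1)[0].strip().lower()
        m = EMAIL_RE.match(email)
        if m:
            yield email, m.group(2).lower()


def count_by_tld(csv_text, tlds=("gov", "mil")):
    """Count distinct addresses per TLD of interest; case variants collapse to one."""
    counts = Counter()
    seen = set()
    for email, tld in parse_emails(csv_text):
        if email in seen:
            continue
        seen.add(email)
        if tld in tlds:
            counts[tld] += 1
    return dict(counts)


def corroborated(accounts_csv, payments_csv, tlds=("gov", "mil")):
    """Government addresses that also have a payment record: presence in the
    account table alone proves nothing, because anyone could type any address."""
    paid = {email for email, _ in parse_emails(payments_csv)}
    hits = {email for email, tld in parse_emails(accounts_csv) if tld in tlds and email in paid}
    return sorted(hits)


if __name__ == "__main__":
    print(count_by_tld(ACCOUNTS_CSV))                  # distinct .gov/.mil addresses
    print(corroborated(ACCOUNTS_CSV, PAYMENTS_CSV))     # only those backed by a payment
```

The split between the two functions is the point: the headline number comes from `count_by_tld`, but the defensible claim comes from `corroborated`, which drops the address that was merely typed in.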


OPM Director Resigns Amid Cyberattack Revelations

Office of Personnel Management director Katherine Archuleta submitted her resignation on Friday morning in the aftermath of revelations that massive data breaches had occurred under her management.

Archuleta’s departure from OPM followed a previous declaration made late Thursday that she would not resign amidst requests from members of Congress that she step down.

Archuleta’s resignation came after an OPM announcement that was made on Thursday acknowledging that over 21 million Social Security numbers had been compromised due to a data breach. The cyberattack reportedly began in May 2014 and went undiscovered for a year.

Federal Bureau of Investigation Director James Comey said on Wednesday that his own personal information had been compromised in the breach. “I’m sure the adversary has my SF-86 now,” Comey said. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

The culprits have not officially been identified, but administration sources have suggested that Chinese hackers were likely behind the breach.

The most recently announced breach is separate from, but overlaps with, the breach announced in June that affected the personal information of 4.2 million government employees.

Cyber Attack Compromises Personal Data Of 4 Million Government Workers

A pervasive security breach at a U.S. government agency has compromised the personnel data of at least 4 million current and former government employees.

The Washington Post reported that data from the U.S. Office of Personnel Management (OPM), which was being stored at the Interior Department, was targeted by hackers late last year. The breach was discovered in April and confirmed in May. Government officials acknowledged that the data included personally identifiable information of government workers.

U.S. officials have blamed the most recently reported attack on China, an accusation quickly denied by Chinese officials. “We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source,” foreign ministry spokesman Hong Lei said on Friday. “It’s irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation.”

China had been blamed by the U.S. for a separate cyber attack in March 2014 which had targeted an OPM system containing information about federal employees applying for clearances, including data regarding employee finances and information about family members.

The OPM said in a statement that following the latest intrusion, OPM has implemented more “network security precautions,” including “restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network.”

“As a result of the incident, OPM will send notifications to approximately 4 million individuals whose PII may have been compromised. Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary,” read the statement. The OPM will begin notifying affected employees, and noted that there is a possibility of additional data exposure being discovered as the investigation continues.

U.S. Rep. Adam Schiff (D- Calif.), a member of the House select intelligence committee, expressed concern over a “series of massive data breaches” occurring in the past several months and said that “It’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”

Exclusive: U.S. Postal Service Explains Data Breach to Employees with Simplified Handout

On Monday, employees of the United States Postal Service (USPS) were notified that there had been a breach in the system, and that their personal data had been compromised.

A document given to USPS employees on Monday morning, during a “stand-up” briefing, assured them that this type of intrusion was “not unique,” and was similar to previous intrusions into “U.S. companies and other Federal government agencies,” which USPS employees have likely “read multiple news stories on.”

“The Postal Service recently learned of a cyber intrusion into some of our information systems,” stated the document. “This basically means that someone who didn’t have permission was able to get into some of our computer networks.”

USA Today reported that “classified briefings” from October 22 and November 7 showed that the U.S. Postal Service “told members of Congress that it had been hacked,” as early as October 22.

The document given to USPS employees assured them that the Postal Service “began investigating the intrusion” as soon as it was discovered, and that the agency is working with the FBI, the Department of Justice, the Postal Inspection Service, and the U.S. Computer Emergency Readiness Team, along with “outside experts who specialize in investigations and data systems” to find the cause of the breach, and to prevent another intrusion from occurring.

“The investigation indicates that files containing employee information were compromised,” stated the document. “These files include information such as names, dates of birth, social security numbers, addresses, beginning and end dates of employment, and emergency contact information for all active employees.”

According to the Washington Post, “Chinese government hackers are suspected of breaching the computer networks of the United States Postal Service,” which compromised the data of more than 800,000 employees.

However, Reuters reported, “Cybersecurity experts said it was too soon to know who was behind the attack but agreed the Postal Service was a rich target.”

The employee handout explained that all employees impacted by the intrusion would receive individualized letters, which will provide them with “specific information about their particular situation.”

In a statement to the public, the U.S. Postal Service’s Manager for Media Relations, David Partenheimer, stated that there was “no evidence of malicious use of the compromised data,” and that no customer credit card data had been compromised:

Postal Service transactional revenue systems in Post Offices as well as on usps.com where customers pay for services with credit and debit cards have not been affected by this incident. There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised.

RT reported that an investigation done by the Associated Press revealed that “federal agents and contractors alike are all too guilty of letting systems become infected by clicking bogus links, accidentally installing malware or otherwise opening up networks to hackers by way of their own inept operational security.”

Multiple U.S. Postal employees declined Benswann.com’s request for a comment on the issue, stating that they were told to refer all questions they received from the media to USPS customer relations.

Regarding the handout’s advice on how employees should answer questions from customers, it stated that they should assure customers that “the operations of the Postal Service are not impacted,” and that “Post Offices are functioning normally and mail and packages are being delivered as usual.”

Read the full document given to USPS employees: [image of the handout]

76 Million Households Affected by JP Morgan Data Breach

On Thursday, JP Morgan Chase, one of the leading banks in the United States, released a report admitting that the hacking of its computer system, which began in June and was discovered in July, had a much larger impact than the bank originally speculated.

The invasion, which The Guardian is referring to as the “largest of its kind ever discovered,” affected the accounts of 76 million households and seven million small businesses.

In a regulatory securities filing from the bank, it claimed that, “As of such date, the firm continues not to have seen any unusual customer fraud related to this incident.”

The bank maintained that while the names, addresses, phone numbers, and email addresses of account holders had been seized by hackers, no financial information, social security numbers, birth dates, or passwords had been compromised.

Bloomberg reported that hackers also obtained internal data from JP Morgan customers, which identified them by the type of category they were in, such as “private-bank, mortgage, auto or credit-card divisions.”

According to the New York Times, the hackers “appeared to have obtained a list of the applications and programs that run on JP Morgan’s computers,” and they used that list to “crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems.”
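The cross-check the Times describes is, in substance, a software inventory matched against a list of affected version ranges; defenders run the same comparison against their own asset list to find what an intruder with that inventory would find first. The Python below is an added example written for this page, not code from the article or from JP Morgan; the inventory lines and advisory IDs are constructed placeholders (not real products, not real CVEs). The numeric version key matters: a plain string comparison would rank "2.4.9" above "2.4.10" and miss the unpatched host.

```python
import re

# Constructed inventory in a "product version" shape; placeholder names, not a real bank's software.
INVENTORY = """\
webfront 2.4.9
authsvc 1.12.0
reportgen 3.0.1
legacy-portal 0.9
"""

# Constructed advisories with placeholder IDs, not real CVEs.
# A version is affected if introduced <= version < fixed_in (fixed_in None = no fix yet).
ADVISORIES = [
    {"id": "ADV-0001", "product": "webfront", "introduced": "2.4.0", "fixed_in": "2.4.10"},
    {"id": "ADV-0002", "product": "authsvc", "introduced": "1.0.0", "fixed_in": "1.11.5"},
    {"id": "ADV-0003", "product": "legacy-portal", "introduced": "0.1", "fixed_in": None},
]


def version_key(v):
    """Numeric-aware comparison key: '2.4.10' > '2.4.9'; pads so '0.9' == '0.9.0'."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def parse_inventory(text):
    """Map product -> version from 'product version' lines; ignore blank or incomplete lines."""
    inv = {}
    for line in text.strip().splitlines():
        name, _, ver = line.strip().partition(" ")
        if name and ver:
            inv[name] = ver.strip()
    return inv


def is_affected(version, adv):
    """Half-open range check [introduced, fixed_in) using the numeric key."""
    k = version_key(version)
    if k < version_key(adv["introduced"]):
        return False
    return adv["fixed_in"] is None or k < version_key(adv["fixed_in"])


def match_advisories(inventory_text, advisories):
    """Return {product: [advisory ids]} for every inventory entry inside an affected range."""
    inv = parse_inventory(inventory_text)
    hits = {}
    for adv in advisories:
        ver = inv.get(adv["product"])
        if ver is not None and is_affected(ver, adv):
            hits.setdefault(adv["product"], []).append(adv["id"])
    return hits


if __name__ == "__main__":
    for product, ids in match_advisories(INVENTORY, ADVISORIES).items():
        print(f"{product}: {', '.join(ids)}")
```

Run from the defender's side, the output is the patch list; run from the attacker's side with a stolen inventory, it is the list of entry points the article describes. Either way the inventory is the sensitive artifact, which is why leaking it was a problem in itself.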

The Guardian reported that JP Morgan is “working with the Federal Bureau of Investigation and the US secret service to determine the roots of the attack.”

“Reality is dawning among regular corporations that you can’t keep these guys out,” said security expert Brian Krebs. “The most you can do is stop the bleeding. It’s not clear yet how well that worked here. A month is a long time.”

While 76 million households is the largest number on record for a financial institution, it sits alongside the 110 million personal records taken when Target’s system was hacked last year and the 145 million accounts affected when eBay was hacked earlier this year, according to Bloomberg.

In a memo sent to JP Morgan employees, Chief Operating Officer Matt Zames wrote that the breach was “highly unfortunate,” and that employees should use it as a reminder that they must be “increasingly vigilant in the cyber world.”