Yahoo Announces Class Action Settlement for Data Breach

Following on the heels of the Equifax settlement in July 2019, Yahoo has announced that it will settle the class action litigation against it over its series of massive data breaches.

In case you can’t quite remember all that went wrong with Yahoo in regards to breaches, here is a quick recap from their press release:

  1. 2012 Data Security Intrusions: From at least January through April 2012, at least two different malicious actors accessed Yahoo’s internal systems. The available evidence, however, does not reveal that user credentials, email accounts, or the contents of emails were taken out of Yahoo’s systems.
  2. 2013 Data Breach: In August 2013, malicious actors were able to gain access to Yahoo’s user database and took records for all existing Yahoo accounts—approximately three billion accounts worldwide. The records taken included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders. As a result, the actors may have also gained access to the contents of breached Yahoo accounts and, thus, any private information contained within users’ emails, calendars, and contacts.
  3. 2014 Data Breach: In November 2014, malicious actors were able to gain access to Yahoo’s user database and take records of approximately 500 million user accounts worldwide. The records taken included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders, and, as a result, the actors may have also gained access to the contents of breached Yahoo accounts, and thus, any private information contained within users’ emails, calendars, and contacts.
  4. 2015 and 2016 Data Breach: From 2015 to September 2016, malicious actors were able to use cookies instead of a password to gain access into approximately 32 million Yahoo email accounts.

Do You Qualify for Compensation?

If you received a notice from Yahoo about the data breaches, or if you had a Yahoo account at any time between January 1, 2012 and December 31, 2016, and are a resident of the United States or Israel, you are a “Settlement Class Member.”

Under the terms of the Settlement, Yahoo has created a Settlement Fund of $117,500,000 and will provide victims a minimum of two years of Credit Monitoring Services to protect Settlement Class Members from future harm, or an alternative cash payment for those who verify they already have credit monitoring or identity protection.

If you can prove that you have had out-of-pocket losses, including but not limited to loss of time dealing with the breach, you may qualify for additional compensation.

The complete list of all available legal rights and options can be found here.

Prevention is the Better Option

At Konsultek we firmly believe that an ounce of prevention is worth a pound of cure. The negative impact a breach can have on your brand is far greater than any fine or lawsuit that could potentially be levied against you. That is why we specialize in developing custom security solutions that utilize the most advanced prevention, detection and response technologies available.

Have manpower or talent issues? Our managed security suite allows organizations to gain access to superb security engineers as needed without the expense and hassle of recruiting and hiring staff. Call us today to learn about how your organization’s future can become more secure.

Entire Population of Ecuador’s Data Leaked

While in sheer numbers the Ecuadorian leak is far smaller than many corporate breaches in the US, the Ecuadorian government is taking the breach far more seriously than the US government ever has (or probably ever will) taken a security breach, and it is meting out justice swiftly and decisively.

According to a post on vpnmentor.com, more than 20 million people, including 7 million minors, had their most sensitive data leaked, including the Ecuadorian equivalent of social security numbers, taxpayer ID numbers and a host of other information:

  • full name (first, middle, last)
  • gender
  • date of birth
  • place of birth
  • home address
  • email address
  • home, work, and cell phone numbers
  • marital status
  • date of marriage (if applicable)
  • date of death (if applicable)
  • level of education.

Image Source: CNN.com

A Significant Breach Deserves Significant Consequences

At least that is how the Ecuadorian government feels. According to an article on CNN, Ecuadorians take their breaches a little more seriously than we do here in the States.

“On Monday, prosecutors and a federal police force raided the home of Novaestrat’s legal representative, William Roberto G., seizing electronic equipment and computers. Later that evening, the police found and detained him in Ecuador’s northwestern Esmeraldas province.

“He will be transferred immediately so that the Ecuador prosecutor can gather information in the framework of the investigation that is taking place,” tweeted Interior Minister Maria Paula Romo.

“If it’s confirmed that they violated the personal privacy of Ecuadorians, it is a criminal offense that must be punished,” said Telecommunications Minister Andres Michelena on Twitter.”

Imagine if the CEOs of Target, Home Depot and Equifax were dragged out of their homes in response to their breaches! That might get the always challenged CISO budget enhanced and approved!

Konsultek Takes Security Seriously Too

Whether your organization handles the data for 30 or 30 million people, Konsultek will help keep your network safe and your data secure.

If you are unclear as to whether or not your security is up to the challenges of today’s hackers, we can help you find out.

Our team of experts is happy to provide an outside, independent and unbiased analysis of your network’s security. Simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

You’ll receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but also demonstrate the likelihood of a breach occurring.

Costs of Data Breaches Disproportionately High for Small Businesses

IBM’s 2019 Cost of a Data Breach Report finds, among other things, that data breaches have a disproportionately high negative impact on small businesses as compared to their larger brethren. It also finds that the cost of a data breach in the United States is substantially higher than in the rest of the world. Neither of these is good news if you are an SMB here in the States.

Image Source: IBM 2019 Cost of a Data Breach Report

“We found significant variation in total data breach costs by organizational size. The total cost for the largest organizations (more than 25,000 employees) averaged $5.11 million, which is $204 per employee. Smaller organizations with between 500 and 1,000 employees had an average cost of $2.65 million, or $3,533 per employee. Thus, smaller organizations have higher costs relative to their size than larger organizations, which can hamper their ability to recover financially from the incident.” –IBM Security

Some other interesting findings:

Lost Business is the Biggest Cost of a Breach

The loss of customer trust that accompanies a data breach translates into significant financial loss for businesses. The study found that the average cost of lost business attributable to a breach was $1.42 million, or roughly 36% of the total average cost of a breach, which now clocks in at a substantial $3.92 million.

Costs Linger for Years

Approximately 1/3 of data breach costs manifest more than one year after the incident occurs. So, while roughly 2/3 of the costs happen relatively quickly, it can take upwards of 3 years or longer for all of the costs to work through the organization. The study found that the more regulated the environment the organization operates in, the more evenly the costs are spread out over the first 3 years.

Breach Life Cycles are Getting Longer

As compared to previous years, the time between a breach incident and full containment of that breach is getting longer. This year’s report found a lifecycle increase of 5% vs. 2018.

Malicious Attacks are the Most Common and Most Expensive

This of course is bad news for all, since the number of breaches caused by malicious attacks is growing by leaps and bounds. As compared to 2014, the share of malicious breaches has grown by 21% and now represents 51% of all breaches. And because the life cycle of a malicious breach tends to be longer, its costs are also elevated: as compared to the average human error breach, the average malicious attack costs roughly 27% more.

Prevention is Less Expensive than Recovery

As with most things, Ben Franklin’s adage “an ounce of prevention is worth a pound of cure” holds true when it comes to data and network security. Here at Konsultek we help our customers of all sizes and across all industries cost-effectively prevent data loss by developing custom security solutions that fit their unique needs. So, if your organization agrees with Mr. Franklin, please give us a call sooner rather than later to learn about how we can help you get an ounce of the right kind of prevention.

Equifax has Settled! What’s in it for You?

As reported on Fox Business, Equifax has reached a proposed settlement with the Federal Trade Commission that could cost the company up to $700 million for its 2017 data breach. That breach, large by any standard, revealed the personal information of 147 million individuals (roughly half the US population), including social security numbers, and has been, and will likely remain, an ongoing catalyst for identity theft.

What Is Equifax Offering?

As reported so far, the terms of the Equifax deal are as follows:

  1. Up to $20,000 for out-of-pocket costs incurred as a result of the breach. While you will not have to prove that your identity theft was a direct result of the Equifax breach, you will have to show that your particular situation could have arisen from the data stolen from Equifax.
  2. $25/hour for time spent addressing the breach. You may be eligible for up to 20 hours of personal time wasted dealing with the fallout of which 10 hours can simply be “self-certified” and will not require significant documentation.
  3. Ten years of free credit monitoring or a $125 cash payment. The monitoring will be done by a 3rd party and will include credit reports from the top 3 agencies (Equifax, Experian and TransUnion) for the first 4 years, as well as $1 million in identity theft insurance. Rather have the cash? You can get $125 and six free credit reports for 7 years instead.

How Will I Know What to do?

Equifax plans on emailing all affected parties 4 times, running social media and digital outreach campaigns, radio ads and print ads. You can also visit www.equifaxbreachsettlement.com or call them at 1-833-759-2982.

How Secure is Your Data?

At Konsultek our job is to keep our customers out of the news by preventing hacks and breaches. Our custom security solutions use a combination of technologies to prevent, detect and quarantine intrusions before they can cause damage. If you are unclear as to whether or not your security is up to the challenges of today’s hackers, we can help you find out.

Our team of experts is happy to provide an outside, independent and unbiased analysis of your network’s security. Simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

You’ll receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.

Rush Joins List of Healthcare Providers with Significant Breach

Image Source: https://www.rushu.rush.edu/rush-experience/our-location

A few weeks back we wrote about Easton Hospital and the lawsuit surrounding their 2014 loss of 4.5 million patients’ personal data.

Monday it was reported that a breach of similar data has occurred at Rush University Medical Center. At an estimated 45,000 records, the breach is 100 times smaller than that which occurred at Easton Hospital, and that is not the only dramatic difference between the two.

Chinese Hacking vs. Improper Disclosure

In the case of the Easton Hospital breach, forensics traced the breach to the malicious efforts of a Chinese hacking group. In the case of Rush, no “hacking” took place. Instead, according to an article on the Chicago Tribune website, “At Rush, an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to ‘an unauthorized party,’ likely in May 2018, according to a letter sent to affected patients.”

Wall of Shame

The U.S. Department of Health and Human Services Office for Civil Rights breach portal, euphemistically referred to as the “wall of shame,” points out several interesting things about the state of data security in the healthcare industry.

  • Breaches on the Rise – As compared to the same period during 2018, 2019 is so far on a pace that is more than DOUBLE! (24 vs. 59)
  • Averaging About 1 Medical Related Breach a Day – In the 65 days of 2019 we’ve flipped past on the calendar so far this year there have already been 59 data breaches reported on the wall of shame.
  • Big Breach Small Breach – The number of records disclosed ranges from as few as 576 (Managed Health Services) to as many as 400,000 (Columbia Surgical Specialist of Spokane).
  • Mainly Attributed to Hacking – 36 of the 59 breaches are attributed to Hacking/IT Incidents with Unauthorized Disclosure (14) and Theft (9) accounting for the majority of the remaining breaches.

Even the Best Security Can be Compromised

At Konsultek we develop world class security solutions that prevent, detect and respond to attempts to breach networks. However, as the Rush breach and the 13 other cases of Unauthorized Disclosure highlight, even world class security solutions can be compromised by the inadvertent or malicious activities of employees and sub-contractors. Ultimately, Network Access Control has to be more than a digital solution. Training, procedures and other management controls must work in concert with IT’s security efforts in order to prevent human-powered security incidents.

Easton PA Hospital Getting Close to Settling Breach Lawsuit

Easton, PA is a small town in Pennsylvania’s beautiful Lehigh Valley with a population of just under 30,000. It is probably best known as the home of America’s beloved Crayola crayons.

Image Source: Google Maps

Targeted by Chinese Hackers

It wasn’t Crayola, however, that Chinese hackers were interested in back in August 2014 when they executed a cyberattack on another Easton landmark; it was the local hospital. At the time, Easton Hospital was owned by CHS (Community Health Systems) of Franklin, TN. According to Easton Hospital and CHS, thieves stole the personal data of some 4.5 million patients, including names, birthdates, phone numbers and Social Security numbers.

Lawsuit Pending Approval

Today, nearly 5 years later, a host of lawsuits have been consolidated into one larger suit that is about to be settled by a judge in Atlanta. If approved by the judge this August, qualifying victims would be eligible for two types of payments:

  1. Up to $250 for out-of-pocket expenses and documented time lost from the breach.
  2. Up to $5,000 for losses due to identity fraud or identity theft from the cyberattack.

Joining an Ever Growing List

ClassAction.com maintains a list of notable data breaches to which the Easton breach could potentially be added based upon its scope. Here is the list:

  • Anthem: $115 million
  • Target: $28.5 million ($18.5M for states, $10M for consumers)
  • Home Depot (affected 50 million cardholders): $19.5 million settlement
  • Sony (PlayStation network breach): $15 million
  • Ashley Madison: $12.8 million ($11.6M for consumers, $1.2M for states and the FTC)
  • Sony (employee information breach): $8 million
  • Stanford University Hospital and Clinics: $4.1 million
  • AvMed Inc.: $3.1 million
  • Vendini: $3 million
  • Schnuck Markets: $2.1 million

A Wakeup Call for All Healthcare Providers

This settlement should serve as a wakeup call for all healthcare providers. If only a quarter of the 4.5 million patients receive just the $250 payout, the cost to the affected parties would be over $281 million!

Healthcare providers by nature have access to the most sensitive personal data on the planet. You know that, I know that and the cybercriminal element knows that. Because of this we foresee a continued targeting of healthcare providers going forward. From simple information stealing to more elaborate ransomware attacks, healthcare providers need to make certain that their network security is as robust as possible.

How Konsultek Can Help

At Konsultek we eat, sleep and breathe security.

Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found.

If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

The first 20 respondents will receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.


Mortgage and Loan Data Leaked Twice

Seven days ago TechCrunch revealed that independent security researcher Bob Diachenko had found 24 million financial and banking documents exposed to the world as a result of a server security flaw. Considering the type of data exposed – loan documents, sensitive financial and tax documents – this was a significant and very serious breach.

“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report,” Diachenko told TechCrunch. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”

The leaked documents were OCR (Optical Character Recognition) files, and while the compromised server was immediately shut down once the security flaw was identified, there is no telling how many cybercriminals might have already accessed the files.

Who’s at Fault?

After working through the various parties involved, it appears that the source of the breach was the machine learning firm OpticsML, which according to its website (now offline) “will automate the page indexing and data extraction process entirely. Different from traditional OCR companies, Optics Machine Learning trains computers to read and understand documents like a human, enabling an 80% reduction in labor needs alongside higher levels of accuracy so your analysts can focus on higher level tasks.”

Same Documents Released AGAIN!

In a surprising “you can’t make this stuff up” twist on this already monumental breach, the following day Diachenko found the original loan documents at an “easy to guess” web address on an Amazon AWS server, without so much as simple password protection! Considering that Amazon AWS storage servers have a default privacy setting of “private,” it seems that someone either accidentally or consciously set the permissions to public.
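The misconfiguration described above, a storage bucket whose permissions were flipped from the private default to public, is something a defender can check for before it makes the news. As an added example (not code from the original post or from any party it mentions), here is a small Python audit that reads an S3 bucket ACL and bucket policy in the JSON shapes boto3 returns and also checks whether S3 Block Public Access is fully enabled; the bucket name, policy statements and IDs are constructed placeholders.

```python
import json

# Grantee URIs that mean "everyone" or "any AWS account holder"; both are public.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# The four S3 Block Public Access flags; all must be on for the guardrail to hold.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs granted to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found

def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Return Sids of unconditioned Allow statements open to anonymous principals."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    # Statements with a Condition (e.g. aws:SourceVpc) narrow access; leave them for human review.
    return [st.get("Sid", "<no Sid>") for st in statements
            if st.get("Effect") == "Allow"
            and _principal_is_anonymous(st.get("Principal"))
            and not st.get("Condition")]

def audit_bucket(name, acl, policy_json=None, public_access_block=None):
    """Combine ACL, policy and Block Public Access signals into a findings list."""
    findings = [f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}"
                for uri, perm in public_acl_grants(acl)]
    if policy_json:
        findings += [f"{name}: policy statement {sid!r} allows anonymous access"
                     for sid in public_policy_statements(policy_json)]
    pab = public_access_block or {}
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append(f"{name}: S3 Block Public Access is not fully enabled")
    return findings

# Constructed sample: a world-readable ACL plus an anonymous GetObject policy.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::loan-docs-example/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::loan-docs-example/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}}]})
SAFE_PAB = {flag: True for flag in PAB_FLAGS}  # what a locked-down bucket reports

if __name__ == "__main__":
    for line in audit_bucket("loan-docs-example", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

With live AWS credentials the same functions can be fed the responses of boto3's get_bucket_acl, get_bucket_policy and get_public_access_block calls for every bucket in an account.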

While this may not end up being the largest data breach of 2019, with more than 11 months left in the year it surely has secured its place in the top 10 most significant breaches by virtue of the fact that the same information was exposed twice in two different formats on completely different storage networks.

Security On Your Mind?

At Konsultek we eat, sleep and breathe security. If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call or click here: https://konsultek.com/executive-risk-assessment/. The first 20 that click through get a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening. Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found.

© Copyright 2018 Konsultek