Is Your Private Data
Safe? Think again
In the never
ending battle to keep your personal information private, it’s not just hackers
you have to worry about but lax security and stupidity. No one cares more about
keeping your information safe than you do.
Unfortunately, in our modern digital age, every company we deal with
wants a piece of our privacy pie and we have no choice to give it to them if we
wish to conduct business with them. However, a survey of data breaches in this
year 2014 continues to show an increasing number of incidents in which data,
including names and addresses, credit card and Social Security numbers, and
medical records was lost or exposed to criminals. Scared? You should be. According
to the Justice Department, 16.6 million adults were victims of ID theft in
2012.
43% of companies had a data breach in the past year. The
report, released October 3, 2014, was conducted by the Ponemon Institute, which
does independent research on privacy, data protection and information security
policy. That's up by 10% from the year before. A total of 589 data breaches
have been recorded so far in 2014 by the Identity Theft Resource Center. About
76.7 million records have be exposed. Every Two Seconds in This Country, Someone's Identity is Stolen. Are You At Risk?
Sears owned K-Mart is the latest company to get hacked into
and have data stolen. They don’t even have a number yet as to how many accounts
were affected. It appears based on the information that they’ve shared that
Kmart’s point of sale systems were compromised by malicious software. Kmart has
discovered themselves in the unenviable position of being shoulder to shoulder
with other hacked into companies like Dairy Queen, Neiman Marcus, AT&T and more.
From Kmart: “Based on the forensic investigation to
date, no personal information, no debit card PIN numbers, no email addresses
and no social security numbers were obtained by those criminally responsible.
There is also no evidence that kmart.com customers were impacted. This data
breach has been contained and the malware has been removed. I sincerely
apologize for any inconvenience this may cause our members and customers.”
From Kmart: “If customers see any sign of suspicious
activity, they should immediately contact their card issuer. More guidance is
also available on our website, kmart.com and customers can contact our customer
care center at 888-488-5978.
Dairy Queen
On Thursday, October 9, Dairy Queen confirmed that nearly
400 Dairy Queen locations (and one Orange Julius location) were compromised by
Backoff malware in August. When news of a potential breach first broke in
August, Dairy Queen denied the the breach initially but then began an
investigation. The investigation revealed that the attackers used compromised
account credentials from a third party vendor to get into Dairy Queen’s
systems. Customers’ names, card information, and expiration dates were all
accessed in the breach. Dairy Queen now believes that the malware has been
contained, and the company’s website lists all affected stores as well as the
dates of the attack.
AT&T
An employee accessed personal information belonging to
approximately 1,600 AT&T customers in August, Reuters reports. AT&T
informed these customers in a letter that their Social Security numbers,
driver’s license numbers, and internal AT&T information were all potentially
compromised by the employee, who has since been fired. AT&T is offering
free credit monitoring services to customers, and recommends they change their
account passcodes.
JP Morgan Chase is notifying customers that their contact
information, “specifically name, address, phone number and email address,” was
compromised in a data breach that has reportedly affected 76 million Chase
customers who have used Chase’s “web or mobile services: Chase.com, JPMorgan
Online, Chase Mobile or JPMorgan Mobile,” according to a post on the company’s
web site. In a filing to the Securities and Exchange Commission, the company
said that the compromise impacts approximately 76 million households and 7
million small businesses.
Chase said that “there is no evidence that your account
numbers, passwords, user IDs, date of birth or Social Security number were
compromised during this attack.” The company also said that unlike recent
attacks on retailers, “we have seen no unusual fraud activity related to this
incident.”
Home Depot reported that cyber thieves stole information
from 56 million credit and debit cards, far worse in terms of data loss than a
similar attack late last year on the Target store chain, but no less worrying.
Malicious software, or malware, was placed on Home Depot point-of-sale
terminals, or cash registers, from April to September 2014, the company said in
a news release. The malware was found in Home Depot stores in the USA and
Canada. The home improvement chained confirmed that the 56 million credit cards
may have been exposed during a five month attack on its system, and fraudulent
transactions have begun to strikes its customers. In some cases, criminals have
used the stolen card data to buy prepaid cards, electronics, and groceries. As
if that isn’t enough, the criminals also siphoned cash from card owners’ bank
accounts. The number of cards involved in Home Depot's loss dwarfs the 40
million Target says were compromised over a three-week period. Target said that
breach also resulted in the theft of personal data for up to 70 million
customers — including names, phone numbers, mailing addresses or email
addresses — but the amount of overlap is unknown.
The Home Depot and Target cases show that big-box retailers
are particularly vulnerable to cyber thieves.
Thieves "are able to invest time in researching their
targets to find a way into the network," says Trey Ford, a global security
strategist at the security firm Rapid7, in a statement. "Once they're in,
they stay quiet and fly unobserved under the radar."
Brian Krebs, who first broke news of the breach in his
KrebsOnSecurity blog, reported that the malware was installed in terminals in
self-service aisles, which limited the data loss. Though both credit and debit
information was taken, the chain says, the thieves would have been unable to
retrieve PIN numbers used on the debit cards.
Home Depot says the criminals "used unique,
custom-built malware to evade detection. The malware had not been seen
previously in other attacks," according to Home Depot's security partners.
Target, after acknowledging that as many as 110 million
customers had personal information and card data stolen, said it would speed up
its adoption of more secure payment technology. Suddenly, banks were being
pressured to issue customers new cards with microchips, which have been used in
Europe for more than 20 years. Congressional committees asked, with urgency,
what more could be done.
Breached at Target: 70 million had names, addresses, emails
and phone numbers stolen. 40 million
credit and debit accounts and data of cards used at Target were stolen.
EBay
The online retailer suffered one of the biggest data
breaches yet reported by an online retailer. Attackers compromised a “small
number of employee log-in credentials” between late February and early March to
gain access to the company’s network and, through it, compromised a database
that contained customer names, encrypted passwords, email addresses, physical
addresses, phone numbers and dates of birth. The breach is thought to have
affected the majority of the company’s 145 million members, and many were asked
to change their passwords as a result.
Michaels Stores
The point-of-sale systems at 54 Michaels and Aaron Brothers
stores “were attacked by criminals using highly sophisticated malware” between
May 2013 and January 2014. The company said up to 2.6 million payment card
numbers and expiration dates at Michael’s stores and 400,000 at Aaron Brothers
could have been obtained in the attack. The company received confirmation of at
least some fraudulent use.
Montana Department of
Public Health and Human Services
Triggered by suspicious activity, officials conducted an
investigation in mid-May that led to the conclusion that a server at the
Montana Department of Public Health and Human Services had been hacked. The
server held names, addresses, dates of birth and Social Security numbers on
roughly 1.3 million people, although the department said it has “no reason to
believe that any information contained on the server has been used improperly
or even accessed.”
Variable Annuity Life
Insurance Co.
A former financial adviser at the company was found in
possession of a thumb drive that contained details on 774,723 of the company’s
customers. The drive was provided to the company by law enforcement as the
result of a search warrant served on the former adviser. The thumb drive
included full or partial Social Security numbers, but the insurance company
said it didn’t believe any of the data had been used to access customer
accounts. It’s not the first time the company has lost data on a thumb drive.
In 2006, it wrapped up a lawsuit against a former financial adviser for downloading
“confidential customer information” onto “a portable flash drive.”
Spec’s
A 17-month-long “criminal attack” on the Texas wine
retailer’s network resulted in the loss of information of as many as 550,000
customers. The intrusion began in October 2012 and affected 34 of the company’s
stores across the state. It continued until as late as March 20 this year, and
the company fears hackers got away with customer names, debit or credit card
details, card expiration dates, card security codes, bank account information
from checks and possibly driver’s license numbers.
St. Joseph Health
System
A server at the Texas health care provider was attacked
between Dec. 16 and 18 last year. It contained “approximately 405,000 former
and current patients’, employees’ and some employees’ beneficiaries’
information.” This included names, Social Security numbers, dates of birth,
medical information and, in some cases, addresses and bank account information.
As with many other hacks, an investigation wasn’t able to determine if the data
was accessed or stolen.
In closing, there really isn’t anything we can do to keep
our data safe, except to no longer do business with anyone, unless it is
strictly cash. If you are fortunate to be able to do so, paying cash for
everything will keep your data more safe and private than any company can keep
it. As most people cannot afford to pay everything with cash, limit your use of
private data to those that absolutely need it. Don’t give anything and
everything out simply because someone asks for it. Try to limit your
transactions with a small number of companies. Don’t apply for every credit
card available to you. The less your data is out there, the less chance that
some cyber thief will steal it. Remember, in this day and age, there is no such
thing as privacy. Your data is always subject to being compromised.
I’m enclosing a few contact numbers in the case you are
subject to identity theft:
Internal Revenue
Service: Telephone Assistance for Individuals who believe they may be a
victim of Identity Theft: No Tax Administration Impact - Did not receive a
notice from the IRS. Toll-Free 1-800-908-4490 (Automated and live assistance)
Hours of Operation:
Monday – Friday, 7:00 a.m. – 7:00 p.m. your local time (Alaska & Hawaii
follow Pacific Time). For additional information, refer to our Identity Theft
and Your Tax Records page on IRS.gov.
Federal Bureau of Investigation: FBI.gov or your local field
office. A stolen identity is a powerful cloak of anonymity for criminals and
terrorists…and a danger to national security and private citizens alike.
If you are the victim of identity theft, take these steps
immediately:
1) Place an “Initial Fraud Alert” with one of the three
credit reporting agencies.
2) Order your free copy of your credit report.
Until next post, I wish you well. May all your dreams come
true. Stay Safe. Show compassion. Be kind to one another and those without a
voice. Don't share your personal information just because one asks for it.
Regards,
S.J. Francis
In Shattered Lies: "It's All About Family." Coming in 2015 from Black Opal Books.
My Black Opal Books Author Page: