Number of fingerprints stolen from OPM now at 5.6 million


The Office of Personnel Management now says 5.6 million people’s fingerprints were stolen as part of the hacks. That’s more than five times the 1.1 million government officials estimated when the cyber attacks were first disclosed. The total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same. Breaches involving biometric data such as fingerprints are particularly concerning because of their permanence: Unlike passwords and even Social Security numbers, fingerprints cannot be changed. Those affected by this breach may find themselves grappling with the fallout for years. Source: The Washington Post

Tainted App Store apps could be in the thousands

Apple’s App Store security breach could be far bigger than first thought. It was initially thought that just 39 apps were infected by XcodeGhost, which is able to trick users into sharing their usernames and passwords with hackers. But cybersecurity firm FireEye now says that more than 4,000 apps were infected as a result of the sophisticated attack. The apps in question were Trojanised by a fake version of developer tool Xcode, which apparently was widely downloaded in China. It was hosted on a local server, meaning it downloaded faster than the official version hosted on Apple’s U.S. servers. Apple has been stripping the App Store of the malicious apps, and has contacted developers asking them to check that they are using genuine software. Source: Sky News

Talk about rubbing salt in the wound

A Baton Rouge, La., man has been charged with racketeering after being accused of stealing more than 300 identities and $5 million in a nationwide financial fraud scheme. Attorney General James D. “Buddy” Caldwell says many of the identities stolen are those of children. Donald Lonnell Batiste is charged with using his credit-repair company to engage in a pattern of racketeering activity, including theft, identity theft and money laundering. He is accused of defrauding hundreds of individuals, in addition to financial institutions and automobile dealerships across the United States. “Through this bogus company, hundreds of Social Security numbers were stolen and then sold to customers who were trying to legitimately improve their credit and obtain loans,” Caldwell said. Source: WAFB, Baton Rouge, La.

Ensuring cybersecurity is shipshape

Cyber attacks could prove just as deadly to technologically advanced warships as missiles and torpedoes in the future, so the U.S. Navy has been developing a defense system to protect its ships against hackers who threaten to disable or take control of critical shipboard systems. The Resilient Hull, Mechanical, and Electrical Security system aims to prevent cyber attackers from compromising the programmable logic controllers that connect a ship’s computers with on-board physical systems. The system uses slightly different versions of core programming for each physical controller so that a cyber attack can’t disable or take over all shipboard systems at once. Source: IEEE Spectrum

Big breaches not rising, they just get bigger coverage

Researchers studying data intrusions of the last decade found that large breaches are not necessarily increasing as the headlines and nightly news reports might assert. The number of large-scale breaches actually has decreased slightly since 2005, according to the research team. In their report, “Hype and Heavy Tails: A Closer Look at Data Breaches,” researchers with the University of New Mexico and the Lawrence Berkeley National Laboratory said the study pointed to a “heavy-tailed distribution” and that the vast majority of breaches are small, with large breaches skewing the average results. “We found that, despite anecdotal reports of an increase in large breaches, there was no statistical evidence of an increase,” researchers said. “The frequency of malicious breaches, as opposed to those that were the result of accident or negligence, actually decreased slightly over the past 10 years.” The researchers did note that the occurrence of accidental and negligent data breaches was holding steady during the same period. Source: Government Technology

No, you can’t look at your photos right now

Photo-sharing website Imgur, best known as the origin point for many of the Internet’s viral GIFs, has been exploited to launch a cyber attack against the image boards 4Chan and 8Chan. The distributed-denial-of-service attack overwhelmed 4Chan and 8Chan with traffic, destabilizing the sites and slowing them to a crawl. Imgur announced on its website that an unknown hacker had uploaded a malicious HTML file to Imgur that targeted all users of the 4Chan and 8Chan discussion threads on Reddit, a major source of traffic for 4Chan and 8Chan. When a user clicked a single link to 4Chan or 8Chan in that sub-Reddit, that link would trigger hundreds of other invisible windows. Who was behind the Imgur DDoS and what motivated them remains unclear. “The vulnerability was patched yesterday evening, and we’re no longer serving affected images, but as a precaution, we recommend that you clear your browsing data, cookies and local storage,” Imgur said. Source: International Business Times

The enemy of my enemy is my friend

China and the United States need to work together to address cyber theft—or it will spiral out of control and hurt the global economy, says Hank Paulson, former Treasury secretary. The world’s two largest economies by GDP need to see eye-to-eye on the encroaching issue of cybersecurity, Paulson said. “I think it’s just very, very important for our two countries to come together, because we need a global regime—a global economic regime that’s going to be able to be enforceable and to curb and to punish cyber theft,” he said. “I think you’re only going to get that done on a multilateral basis. I don’t see how the global economic system can function if you ever have a cyber theft,” he said. “It’s going to be a lot easier to do that if we’re working with China. And, ultimately, China has a need to do something here, too.” Source: Business Insider

Paying the piper, as punishment

The Securities and Exchange Commission slapped investment adviser R.T. Jones Capital Equities Management with a $75,000 penalty in a settlement over the firm’s failure to establish cybersecurity policies and procedures before a breach compromised the personal information of 100,000 people. An investigation found that during a four-year period, R.T. Jones failed to adhere to a “safeguards rule” that requires firms to “adopt written policies and procedures reasonably designed to protect customer records and information.” Instead, the SEC said, R.T. Jones, which stored sensitive information on a third-party server, didn’t conduct regular risk assessments, implement a firewall, adopt encryption or even create a plan to respond to cybersecurity incidents. Once R.T. Jones discovered that a breach of the server had occurred in July 2013, exposing information on customers and others, it called in a cybersecurity company to confirm and investigate the attack, which eventually was tracked to China. The investment adviser also sent a breach notice to all those potentially affected and offered free identity theft monitoring. Source: SC Magazine

Perpetrators need to be schooled

The privacy commissioner of British Columbia, Canada, has launched an independent investigation into the largest privacy breach in the province’s history. Elizabeth Denham issued a statement confirming that she was notified about the loss of an unencrypted hard drive containing information on 3.4 million students and teachers. She said her probe will address the “very serious privacy issues” and recommend steps to prevent further breaches. Denham called the magnitude of the breach “especially troubling” given the number of students involved. Source: The (Victoria, B.C.) Times Colonist

Our patience is wearing thin

Patient records on insurance claims were accessed on a cloud-based backup service, exposing records of public agencies in California, Kansas and Utah. The data included police injury reports, drug tests, detailed doctor visit notes and Social Security numbers. A statement from Systema Software indicated that, “a single individual gained unapproved access into our data storage system.” Systema says a Texas man reported the exposed records and turned a hard drive over to authorities. “The Texas attorney general has secured the hard drive and, as an added measure of protection, this individual has provided written confirmation to the (AG) that he has not shared or used the data inappropriately,” Systema said. “We … presently do not believe there is a need for credit monitoring or identity theft services as they relate to this issue.” The breach affected a half-dozen companies and organizations, including CSAC Excess Insurance Authority, a California “member-directed insurance risk-sharing pool,” the Kansas State Self-Insurance Fund and Salt Lake County, Utah. Source: Modern Healthcare