Number of fingerprints stolen from OPM now at 5.6 million


The Office of Personnel Management now says 5.6 million people’s fingerprints were stolen as part of the hacks. That’s more than five times the 1.1 million government officials estimated when the cyber attacks were first disclosed. The total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same. Breaches involving biometric data such as fingerprints are particularly concerning because of their permanence: Unlike passwords and even Social Security numbers, fingerprints cannot be changed. Those affected by this breach may find themselves grappling with the fallout for years. Source: The Washington Post

Tainted App Store apps could be in the thousands

Apple’s App Store security breach could be far bigger than first thought. Initial reports put the number of apps infected by XcodeGhost, which is able to trick users into sharing their usernames and passwords with hackers, at just 39. But cybersecurity firm FireEye now says that more than 4,000 apps were infected as a result of the sophisticated attack. The apps in question were Trojanised by a fake version of the developer tool Xcode, which apparently was widely downloaded in China. It was hosted on a local server, meaning it downloaded faster than the official version hosted on Apple’s U.S. servers. Apple has been stripping the App Store of the malicious apps, and has contacted developers asking them to check that they are using genuine software. Source: Sky News

Talk about rubbing salt in the wound

A Baton Rouge, La., man has been charged with racketeering after being accused of stealing more than 300 identities and $5 million in a nationwide financial fraud scheme. Attorney General James D. “Buddy” Caldwell says many of the identities stolen are those of children. Donald Lonnell Batiste is charged with using his credit-repair company to engage in a pattern of racketeering activity, including theft, identity theft and money laundering. He is accused of defrauding hundreds of individuals, in addition to financial institutions and automobile dealerships across the United States. “Through this bogus company, hundreds of Social Security numbers were stolen and then sold to customers who were trying to legitimately improve their credit and obtain loans,” Caldwell said. Source: WAFB, Baton Rouge, La.

Ensuring cybersecurity is shipshape

Cyber attacks could prove just as deadly to technologically advanced warships as missiles and torpedoes in the future, so the U.S. Navy has been developing a defense system to protect its ships against hackers who threaten to disable or take control of critical shipboard systems. The Resilient Hull, Mechanical, and Electrical Security system aims to prevent cyber attackers from compromising the programmable logic controllers that connect a ship’s computers with on-board physical systems. The system uses slightly different versions of core programming for each physical controller so that a cyber attack can’t disable or take over all shipboard systems at once. Source: IEEE Spectrum

Big breaches not rising, they just get bigger coverage

Researchers studying data intrusions of the last decade found that large breaches are not necessarily increasing as the headlines and nightly news reports might assert. The number of large-scale breaches actually has decreased slightly since 2005, according to the research team. In their report, “Hype and Heavy Tails: A Closer Look at Data Breaches,” researchers with the University of New Mexico and the Lawrence Berkeley National Laboratory said the study pointed to a “heavy-tailed distribution” and that the vast majority of breaches are small, with large breaches skewing the average results. “We found that, despite anecdotal reports of an increase in large breaches, there was no statistical evidence of an increase,” researchers said. “The frequency of malicious breaches, as opposed to those that were the result of accident or negligence, actually decreased slightly over the past 10 years.” The researchers did note that the occurrence of accidental and negligent data breaches was holding steady during the same period. Source: Government Technology

No, you can’t look at your photos right now

Photo-sharing website Imgur, best known as the origin point for many of the Internet’s viral GIFs, has been exploited to launch a cyber attack against the image boards 4Chan and 8Chan. The distributed-denial-of-service attack overwhelmed 4Chan and 8Chan with traffic, destabilizing the sites and slowing them to a crawl. Imgur announced on its website that an unknown hacker had uploaded a malicious HTML file to Imgur that targeted all users of the 4Chan and 8Chan discussion threads on Reddit, a major source of traffic for 4Chan and 8Chan. When a user clicked a single link to 4Chan or 8Chan in that sub-Reddit, that link would trigger hundreds of other invisible windows. Who was behind the Imgur DDoS and what motivated them remains unclear. “The vulnerability was patched yesterday evening, and we’re no longer serving affected images, but as a precaution, we recommend that you clear your browsing data, cookies and local storage,” Imgur said. Source: International Business Times
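The hardening a practitioner would want behind the Imgur item, as an added example that is not Imgur’s code: a server-side check that accepts an upload as an image only when its bytes carry a known image header, plus the response headers that keep a stored file from ever being treated as a page. The report says only that a malicious HTML file was uploaded; that it was accepted as an image and later rendered by browsers is an assumption, as are the function names and the sample uploads, which are constructed.

```python
"""Server-side checks for a user-upload image host.

Added example, not Imgur's code. Assumed pattern: a file uploaded as an
"image" that is really HTML, later fetched by browsers that render it as a
page. Two independent layers stop that: accept uploads only when the bytes
carry a known image header, and serve them with headers that forbid content
sniffing and script execution.
"""
import re
from typing import Dict, Optional, Tuple

# Well-known file headers of the image formats this host accepts.
IMAGE_MAGIC: Dict[str, bytes] = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",            # covers GIF87a and GIF89a
    "image/jpeg": b"\xff\xd8\xff",
}

# Markup a browser might act on if it were ever persuaded to render the
# bytes as a document. Only the leading bytes are checked, which is where
# sniffing heuristics look.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|script|iframe|meta|body|svg)\b", re.IGNORECASE
)
SNIFF_WINDOW = 4096


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type whose magic bytes open `data`, else None."""
    for mime, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def is_safe_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide from content, never from the client-supplied filename."""
    mime = sniff_image_type(data)
    if mime is None:
        return False, f"{filename!r}: no recognised image header"
    # Polyglot guard: a valid image header followed by markup is refused too.
    if HTML_MARKERS.search(data[:SNIFF_WINDOW]):
        return False, f"{filename!r}: markup inside image bytes"
    return True, mime


def download_headers(mime: str) -> Dict[str, str]:
    """Headers that keep a stored upload from acting as a page: nosniff pins
    the declared type, and a sandboxed CSP with no allowed sources means even
    an HTML body could not run script or open windows."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'inline; filename="image"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def handle_upload(filename: str, data: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) as a minimal HTTP-like result."""
    ok, detail = is_safe_image_upload(filename, data)
    if not ok:
        return 415, {"Content-Type": "text/plain"}, detail.encode()
    return 200, download_headers(detail), data


if __name__ == "__main__":
    # Constructed sample uploads, not real traffic.
    samples = {
        "cat.gif": b"GIF89a" + b"\x00" * 32,
        "page.gif": b"<!DOCTYPE html><html><script>/* opens windows */</script>",
        "polyglot.gif": b"GIF89a<script>/* opens windows */</script>",
    }
    for name, body in samples.items():
        status, _, msg = handle_upload(name, body)
        print(name, status, "stored" if status == 200 else msg.decode())
```

Either layer on its own addresses the pattern described: content-based acceptance refuses the file at upload time, and `nosniff` plus a sandboxed CSP means a body that slipped through could neither execute script nor open windows. Imgur’s advice to clear local storage covers persistence on the client side, which the server cannot clean up for the user.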

The enemy of my enemy is my friend

China and the United States need to work together to address cyber theft, or it will spiral out of control and hurt the global economy, says Hank Paulson, former Treasury secretary. The world’s two largest economies by GDP need to see eye-to-eye on the encroaching issue of cybersecurity, Paulson said. “I think it’s just very, very important for our two countries to come together, because we need a global regime—a global economic regime that’s going to be able to be enforceable and to curb and to punish cyber theft,” he said. “I think you’re only going to get that done on a multilateral basis. I don’t see how the global economic system can function if you ever have a cyber theft,” he said. “It’s going to be a lot easier to do that if we’re working with China. And, ultimately, China has a need to do something here, too.” Source: Business Insider

Paying the piper, as punishment

The Securities and Exchange Commission slapped investment adviser R.T. Jones Capital Equities Management with a $75,000 penalty in a settlement over the firm’s failure to establish cybersecurity policies and procedures before a breach compromised the personal information of 100,000 people. An investigation found that during a four-year period, R.T. Jones failed to adhere to a “safeguards rule” that requires firms to “adopt written policies and procedures reasonably designed to protect customer records and information.” Instead, the SEC said, R.T. Jones, which stored sensitive information on a third-party server, didn’t conduct regular risk assessments, implement a firewall, adopt encryption or even create a plan to respond to cybersecurity incidents. Once R.T. Jones discovered that a breach of the server had occurred in July 2013, exposing information on customers and others, it called in a cybersecurity company to confirm and investigate the attack, which eventually was tracked to China. The investment adviser also sent a breach notice to all those potentially affected and offered free identity theft monitoring. Source: SC Magazine

Perpetrators need to be schooled

The privacy commissioner of British Columbia, Canada, has launched an independent investigation into the largest privacy breach in the province’s history. Elizabeth Denham issued a statement confirming that she was notified about the loss of an unencrypted hard drive containing information on 3.4 million students and teachers. She said her probe will address the “very serious privacy issues” and recommend steps to prevent further breaches. Denham called the magnitude of the breach “especially troubling” given the numbers of students involved. Source: The (Victoria, B.C.) Times Colonist

Our patience is wearing thin

Patient records on insurance claims were accessed on a cloud-based backup service, exposing records of public agencies in California, Kansas and Utah. The data included police injury reports, drug tests, detailed doctor visit notes and Social Security numbers. A statement from Systema Software indicated that “a single individual gained unapproved access into our data storage system.” Systema says a Texas man reported the exposed records and turned a hard drive over to authorities. “The Texas attorney general has secured the hard drive and, as an added measure of protection, this individual has provided written confirmation to the (AG) that he has not shared or used the data inappropriately,” Systema said. “We … presently do not believe there is a need for credit monitoring or identity theft services as they relate to this issue.” The breach affected a half-dozen companies and organizations, including CSAC Excess Insurance Authority, a California “member-directed insurance risk-sharing pool,” the Kansas State Self-Insurance Fund and Salt Lake County, Utah. Source: Modern Healthcare