Yahoo admits 500 million accounts hacked


Information from at least 500 million Yahoo accounts was stolen from the company in 2014, the company said Thursday, indicating it believes a state-sponsored actor was behind the hack.

The theft may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers.

This is thought to be the largest data breach ever in terms of user accounts.

Approximately 1 billion people globally engage with Yahoo each month. About 250 million use Yahoo Mail, while another 81 million use Yahoo Finance and tens of millions use Yahoo Fantasy Sports. Yahoo said it was notifying potentially affected users and taking steps to secure their accounts, such as invalidating unencrypted security questions and answers. Users who haven’t changed their passwords since 2014 should do so, it said.

Banner Health named in class action lawsuit over data breach and failure to implement reasonable cybersecurity measures


On August 3, 2016, Defendant Banner Health announced that hackers had infiltrated their systems and compromised a broad spectrum of personal information, affecting over 3.7 million individuals. Because Banner failed to implement reasonable cybersecurity measures, the hackers were able to target and access payment card data at Banner food and beverage outlets, such as cardholder names, card numbers, expiration dates, and verification codes. But the hackers also infiltrated the computer systems where Banner stored its customers’ most private (and valuable) information, including their personal health details, Social Security numbers, health insurance information, financial information, names, birthdates, and addresses. Banner’s cybersecurity was so inadequate that the hackers even accessed the systems that stored information on Banner’s healthcare providers, including their Drug Enforcement Agency numbers, Tax Identification numbers, National Provider Identifiers, and Social Security numbers.

Banner claims that the breach began on June 17, 2016, and that it failed to detect that hackers had accessed its payment card systems until July 7, 2016. It also claims that it did not detect the compromise of patient and employee information until July 13, 2016. Even then, Banner did not publicly disclose the breach until August 3, 2016 and still has not notified all those affected.

The personal information of Banner customers and healthcare providers has been exposed—and their identities put at risk—because Banner failed to maintain reasonable and adequate security measures. Despite having legal and moral obligations to protect the vast amounts of extremely sensitive and valuable personal information it stored, Banner repeatedly failed to prevent, detect, or limit the scope of this breach.

The complaint alleges that, among other things, Banner (1) failed to implement adequate security measures to prevent hackers from infiltrating its systems; (2) failed to employ adequate security tools and techniques to detect unauthorized network activity or failed to respond to indicators of compromise; and (3) failed to adequately segment its networks, which would have limited the hackers’ ability to access the various systems and data warehouses within Banner’s computer networks.

Plaintiff is a former Banner patient who received a letter from Banner informing her that her personal information was involved in the breach. She brings this action on behalf of herself and all those whose personal information has been compromised as a result of the data breach. She seeks injunctive relief requiring Banner to implement and maintain adequate security practices, to comply with laws, regulations, and industry standards designed to prevent, detect, and mitigate, this type of breach, as well as restitution, damages, and other relief.

COMPLAINT

The Wendy’s Company named in class action lawsuit over data breach exposing customers’ private information


This is a class action against The Wendy’s Company (“Wendy’s” or “Defendant”) for its failure to secure and safeguard its customers’ credit and debit card numbers and other payment card data (“PCD”), and other personally identifiable information which Wendy’s collected at the time Plaintiff made a purchase of food items at one its restaurants (“PII”) (collectively, “Private Information”), and for failing to provide timely, accurate and adequate notice to Plaintiff and other Class members that their Private Information had been stolen and precisely what types of information were stolen.

Beginning at a point in time presently unknown, hackers utilizing malicious malware accessed the computer systems at Wendy’s locations throughout the United States and stole copies of Wendy’s customers’ Private Information (the “Data Breach”).

On January 27, 2016, Wendy’s announced that it had discovered malicious software designed to steal credit card and debit card data on computers that operate the payment processing systems for its restaurants. Wendy’s released very few details and did not explain why it had delayed notifying the public of the Data Breach through a press release. In its press release, Wendy’s acknowledged the weakness of its security system at the time of the Data Breach, and that since the Data Breach it had taken steps to strengthen the security of its systems. Unfortunately, Wendy’s did not explain why such security measures had not already been in place at the time of the Data Breach to prevent the loss of Plaintiff’s and class members’ PII.

According to the complaint, Wendy’s could have prevented this Data Breach. The malicious software used in the Data Breach was more than likely a variant of “BlackPOS,” the identical malware strain that hackers used in last year’s data breach at many other retail establishments. While many retailers, banks and card companies responded to recent breaches by adopting technology that helps make transactions more secure, Wendy’s has acknowledged only that it has retained a security consultant to review and look into its systems. The quality of the measures in place is suspect, and the need for judicial intervention and consumer and independent oversight is mandated by the circumstances described herein.

As alleged, Plaintiff’s and Class members’ Private Information was improperly handled and stored, was unencrypted, and was not kept in accordance with applicable, required, and appropriate cyber-security protocols, policies, and procedures. As a result, Plaintiff’s and Class members’ Private Information was compromised and stolen. However, as this same information remains stored in Wendy’s computer systems, Plaintiff and class members have an interest in ensuring that their information is safe, and they should be entitled to seek injunctive and other equitable relief, including independent oversight of Wendy’s security systems.

Complaint


Securus Technologies suffers data breach compromising nearly 70 million phone calls made by inmates from 2011 to 2014

According to a recent report, nearly 70 million phone calls made by prisoners in the United States have been hacked and leaked.

An anonymous hacker grabbed the files from Securus Technologies, which supplies phone services for prisons and jails across the United States. The batch unveiled contains recorded calls made between December 2011 and December 2014 in facilities located in 37 states and stored on Securus’s servers. The information was released via SecureDrop, a secure server set up by The Intercept for people to make anonymous data drops.

According to the Intercept website, about 14,000 of the recorded calls were between lawyers and inmates.


Target Corp. pays $10 million to settle a class-action lawsuit over massive data breach in 2013.

The proposed settlement provides a maximum of $10,000, though payouts will likely be diluted by active participation in the settlement. The 2013 data breach exposed 40 million credit and debit card accounts.

The proposed settlement provides free credit monitoring for affected customers and promises that Target will overhaul its security systems.

Detailed information can be found at https://corporate.target.com/about/shopping-experience/payment-card-issue-faq

TD Bank to Pay $825,000 to Address Data Breach Involving Massachusetts Residents

TD Bank has agreed to pay $625,000 as part of a settlement with the Massachusetts Attorney General and agreed to strengthen its security practices after losing unencrypted back-up tapes containing personal information for more than 90,000 Massachusetts customers, and delaying a notice of the incident.

Upon learning that the tapes had not arrived, TD Bank undertook an internal investigation to determine the content of the tapes and determined that the tapes may have included the names, addresses, Social Security numbers, account numbers, or other data elements such as date of birth or driver’s license number, of Massachusetts residents. However, the bank did not notify the AG’s Office and potentially affected consumers about the breach as required under state law until October 2012. More than 260,000 consumers nationwide were impacted by the incident, including over 90,000 Massachusetts residents.

According to the settlement, the AG’s Office alleges that TD Bank violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes. The AG’s Office also alleged that TD Bank violated the state data breach notice law by delaying providing notice of the March 2012 data security incident until October 2012. TD Bank represented that there has been no evidence of fraud or unauthorized access or use of the personal information involved in the incident.

Sitesearch Corp. and LeapLab LLC sued by FTC for selling personal information to internet market scammers

LeapLab and Sitesearch Corp., a data broker operation, sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts, the Federal Trade Commission charged in a complaint filed today.

According to the FTC’s complaint, data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

The defendants collected hundreds of thousands of payday loan applications from payday loan websites known as publishers. Publishers typically offer to help consumers obtain payday loans. To do so, they ask for consumers’ sensitive financial information to evaluate their loan applications and transfer funds to their bank accounts if the loan is approved. These applications, including those bought and sold by LeapLab, contained the consumer’s name, address, phone number, employer, Social Security number, and bank account number, including the bank routing number.

The defendants sold approximately five percent of these loan applications to online lenders, who paid them between $10 and $150 per lead. According to the FTC’s complaint however, the defendants sold the remaining 95 percent for approximately $0.50 each to third parties who were not online lenders and had no legitimate need for this financial information.

The FTC’s complaint alleges that these non-lender third parties included: marketers that made unsolicited sales offers to consumers via email, text message, or telephone call; data brokers that aggregated and then resold consumer information; and phony internet merchants like Ideal Financial Solutions. According to the FTC’s complaint, the defendants had reason to believe these marketers had no legitimate need for the sensitive information they were selling.

Sony Pictures named in class action lawsuit over data breach

In or around late November 2014, Sony Pictures suffered a catastrophic data breach of its corporate network. The hackers gained access to sensitive and confidential data available on the Sony Pictures corporate network, including: full names, home addresses, email addresses, password files, private key files, social security numbers, dates of birth, bank account information, passport and other personal identification information, retirement plan information, health insurance and medical information, as well as scores of other data.

To date, it has been reported that at least 25 gigabytes of sensitive data on tens of thousands of Sony employees was stolen – some of which has been leaked onto the internet by the hackers – and a hundred terabytes of data in total.

According to the complaint Sony Pictures suffered the catastrophic data breach because it failed to develop, maintain, and implement internet security measures on its corporate network. Indeed, many reports have indicated Sony Pictures’ serious lapses in industry standards regarding data protection measures, and much of the hacked information was available in plain text files that were not protected or encrypted.

Plaintiff, individually and on behalf of the Class of similarly affected persons, seeks to obtain relief from Defendant based on Sony Pictures’ failure to develop, implement, and maintain data security and protection policies that were adequate, reasonable, and reflected industry standards.

Complaint: Sony Complaint

Coca-Cola sued for negligence in association with multiple data breaches

This class action lawsuit is brought by Plaintiff who had his personal identifying and financial information (“PII”) accessed, stolen, and used without his authorization, and because of the negligence, breaches of statutory, common law and contractual duties, and other acts and omissions described herein on the part of the Defendants, he suffered actual harm and monetary damages.

Plaintiff brings this case as a class action on behalf of himself and the more than 70,000 people who have had their personal identifying, motor vehicle, and financial information accessed without their authorization and used illegally as a result of the acts and failures to act of the Defendants. The case seeks to remedy the harmful effects of the breach of their privacy interests and the failure to timely and reasonably notify Plaintiff and the Class of the breach in accordance with the laws of most states.

As alleged, over a six-year period, from 2007 through 2013, approximately fifty-five (55) laptop computers were stolen from Coca-Cola Enterprises (“CCE”), the Coca-Cola Company’s (“Coke”) largest United States bottler, which Coke acquired in 2010. Coke recovered certain of these laptops from the thieves during November and December of 2013.

During the period from at least July 2007 through the present (hereinafter the “relevant time period”), the exact dates of which are unknown by the Plaintiff or any member of the Class at this time, the Defendants caused personal identifying, motor vehicle, and financial information about Plaintiff and the Class to be accessed, collected, downloaded, saved, distributed, transferred and used by various individuals and entities without knowledge or consent of Plaintiff and the Class. The corporate Defendants then failed to timely and reasonably notify Plaintiff and the Class of such unauthorized access and breach of their privacy interests.

Moreover, the notice that was finally sent months later was materially false and misleading as to the nature and scope of the breach (that was fully known by Defendants at the time).

The complaint contends that Defendants deliberately delayed in notifying Plaintiff of the breach. Had the Coke Defendants provided notice of the breach in accordance with the data breach notification laws of Pennsylvania and the other states in which the members of the Class reside, Plaintiff and the Class could have and would have taken steps to protect themselves. Instead, for reasons unknown to Plaintiff and the Class, but unrelated to any requirements of law enforcement, the Defendants chose to wait until January 24, 2014, at the earliest, to inform people, by mail, about the incident.

The case seeks to remedy the harmful effects of the breach of the privacy interests of Plaintiff and the Class, the failure to timely and reasonably notify them of such breach in accordance with the law, and the misleading and deceptive notification sent on January 24, 2014. In addition, Plaintiff and the Class seek restitution, disgorgement, and remediation for the actual damages sustained as a result of the unlawful taking, disclosure, and use of their PII.

Complaint: Coca Cola 11-18-14


Horizon Healthcare Services, Inc., dba Horizon Blue Cross Blue Shield Of New Jersey named in class action lawsuit over data breach

This is a nationwide class action brought against Horizon Healthcare Services, Inc., dba Horizon Blue Cross Blue Shield Of New Jersey (“Defendant”) for failing to adequately secure and safeguard its members’ (1) sensitive personally identifiable information (“PII”), which includes without limitation members’ names, dates of birth, Social Security numbers, and addresses; and (2) protected health information (“PHI”) which contains PII, in addition to members’ demographic information, medical histories, test and laboratory results, insurance information, and other data collected by health care professionals to identify an individual and determine appropriate care.

As detailed in the complaint, in early November 2013, two unencrypted laptop computers were stolen from Defendant’s headquarters in Newark, New Jersey. According to Defendant’s website, over 839,000 members were notified that their personal information may have been breached.

In its Privacy Policy, Defendant falsely claims that it “maintain[s] appropriate administrative, technical and physical safeguards to reasonably protect [members’] Private Information.”

The 2013 massive data breach could have been prevented. Six years earlier, in early January 2008, Horizon suffered a similar theft, placing it on notice of the vulnerability of its data security. At that time, a different laptop containing PII for roughly 300,000 members was stolen from the residence of one of Defendant’s employees. The massive breach caught the attention of government officials, prompting an inquiry into Defendant’s practices. Defendant responded by claiming to be in the process of encrypting all desktops, laptops, and portable media devices, a process it anticipated would be completed in March 2008.

The laptops stolen in 2013 contained members’ unencrypted PII as well as PHI. Defendant’s failure to comply with longstanding industry standard encryption protocols was a violation of its own privacy practices and jeopardized Defendant’s members’ PII and PHI.

According to the lawsuit, because of the 2008 laptop theft and ensuing public concern, Defendant assuredly knew the risks involved in maintaining sensitive member PII and PHI on unencrypted laptops and indeed publicly stated it would change its practices; nonetheless, Defendant continued to store such sensitive material in an unsafe manner.

Plaintiffs bring this lawsuit on behalf of themselves and all others in the United States who enrolled in Defendant’s health insurance plans on or before November 3, 2013, and whose PII or PHI resided on one or more laptops stolen from Defendant’s headquarters in Newark on or about November 1-3, 2013, alleging that Defendant has violated the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. §§ 1681-1681x, and the New Jersey Consumer Fraud Act, breached its contract with Plaintiffs and members of the proposed Class, and acted negligently in safeguarding its members’ PII and PHI. Plaintiffs seek damages as well as injunctive relief requiring Defendant to take steps to ensure that its members’ PII and PHI are adequately protected.