Tag Archives: exposure

[ISN] 216 Jimmy John’s Gourmet Sandwiches Shops Suffer Data Breach

http://www.infosecnews.org/216-jimmy-johns-gourmet-sandwiches-shops-suffer-data-breach/
By William Knowles @c4i
Senior Editor
InfoSec News
September 24, 2014

Somewhat Freaky Fast Notification. Champaign, Illinois based Jimmy John’s Gourmet Sandwiches Shops announced on Wednesday that they were the latest business to suffer a credit card breach, joining the ranks of Target, Neiman Marcus, Michaels, and Home Depot. Here’s the company statement:

On July 30, 2014, Jimmy John’s learned of a possible security incident involving credit and debit card data at some of Jimmy John’s stores and franchised locations. Jimmy John’s immediately hired third party forensic experts to assist with its investigation. While the investigation is ongoing, it appears that customers’ credit and debit card data was compromised after an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor and used these stolen credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and September 5, 2014. The security compromise has been contained, and customers can use their credit and debit cards securely at Jimmy John’s stores.

Approximately 216 stores appear to have been affected by this event. Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, e-mail, and password, remains secure. The locations and dates of exposure for each affected Jimmy John’s location are listed on AFFECTED STORES & DATES. […]

[ISN] Identifying and mitigating healthcare IT security risks

http://healthitsecurity.com/2014/08/19/identifying-and-mitigating-healthcare-it-security-risks/
By Patrick Ouellette
Health IT Security
August 19, 2014

Being proactive in healthcare IT security means picking out risks before incidents occur, not after the fact. But the challenge is that potential risks are spread across a variety of areas within a healthcare organization.

Blair Smith, Ph.D., Dean of Informatics-Management-Technology (IMT) at American Sentinel University, spoke with HealthITSecurity.com about security considerations for healthcare organizations. Smith was a professional IT consultant for a number of years and for the last 15 years was with the University of Phoenix, including the last five as the Dean of Information Systems prior to joining American Sentinel. He has heavy experience in disaster recovery planning and said he always considered security a heavy risk area.

What are some major security risks within healthcare at the moment?

When I look at IT security for healthcare organizations, it’s not that much different from many other retail or manufacturing organizations in that it’s a prominent topic. The key is to understand and identify areas of risk and potential exposure, and it’s where the HIPAA rules for risk assessment become very important. BYOD, for example, has its risks and benefits but from an industry perspective, the access to data housed [on the device] would be a concern. Similarly, cloud security opens another external pathway for data to possibly be exposed to a number of different risks such as inappropriate data access and loss. As we use more mobile devices, whether it’s a smart phone or tablet, those types of things really present a wide range of issues for security personnel. And what we’re seeing today is more hackers and outside threats bringing exposure and risks to organizations. For example, there’s the subject of single sign-on (SSO) and how to have effective security controls while maintaining convenience. The idea is to move beyond prevention security to proactive response technology. How do we quickly mitigate and take care of any exposures? […]

[ISN] How healthcare can learn from retail’s IT security mistakes

http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/
By Patrick Ouellette
Health IT Security
July 24, 2014

There’s little doubt the healthcare industry’s perception of security and compliance has changed to a serious one within the past few years. While regulatory demands and business needs are certainly strong drivers, what should healthcare organizations be focusing on as cybersecurity threats grow in stature? Eric Cowperthwaite of Core Security and former CISO for Providence Health discussed with HealthITSecurity.com how identifying risks early on can help reduce exposures.

The days of organizations that put effort into IT security being only large hospital systems and other organizations that had some sort of significant problem are certainly over. According to Cowperthwaite, there are a few indicators within the past 12-18 months that lead him to believe healthcare organizations, large and small, across the country are focusing on information security. “First is the amount of information security leaders hiring that’s being done,” he said. “And the second piece of it is the number of organizations that are sending their people to [security] conferences and training to help them interact with products and services providers.”

Many of these changes have been driven by regulatory compliance, such as HIPAA, HITECH and Meaningful Use, but Cowperthwaite said there are other regulatory considerations, such as any hospital system being a tier 1 PCI merchant. Beyond compliance, the reality these days is that these organizations have a lot of data and there are a lot of “bad actors” out there who like to steal data.

There are main areas of focus that organizations should be beginning to worry about. First, Cowperthwaite said, though everyone is concerned about PHI disclosures because of bad publicity and potential fines, the other side of PHI disclosures is medical insurance fraud. […]

[ISN] Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
By Dan Goodin
Ars Technica
April 7, 2014

Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

“Bugs in single software or library come and go and are fixed by new versions,” the researchers who discovered the vulnerability wrote in a blog post published Monday. “However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously.”

The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies. Members of the Tor anonymity project have a brief write-up of the bug here, and this analysis provides useful technical details. […]

[ISN] Five outstate Minnesota banks sue Target over data breach

http://www.startribune.com/business/246983121.html
By Jennifer Bjorhus
Star Tribune
February 24, 2014

A group of First Farmers & Merchants banks in southern Minnesota have sued Target Corp. over alleged damages from the retailer’s data breach late last year. While a number of financial institutions from around the country have sued the company since news of the data heist broke, the First Farmers & Merchants lawsuit is believed to be the first by a financial institution on Target’s home turf in Minnesota.

“The way that this has happened, it’s the banks whose exposure is greatest here,” said Garrett Blanchfield, a lawyer at Reinhardt Wendorf & Blanchfield in St. Paul representing the local banks. “We think the Minnesota laws provide a sound basis for us.”

The complaint doesn’t specify a damage amount but says the banks have had to refund fraudulent charges, close and reopen checking and savings accounts and cancel and re-issue credit and debit cards. […]

[ISN] Texas Hospital Discloses Huge Breach

http://www.informationweek.com/healthcare/security-and-privacy/texas-hospital-discloses-huge-breach-/d/d-id/1113724
By David F Carr
InformationWeek.com
2/5/2014

St. Joseph Health System has confirmed a security breach affecting the records of up to 405,000 past and current patients, as well as employees and employees’ beneficiaries.

St. Joseph says it believed the attack occurred between Dec. 16 and 18, when one of its computer servers was hacked, and that the exposure ended on the 18th when the attack was discovered and the server was shut down. The health system hired national security and computer forensic experts to investigate. The ongoing investigation suggests the attackers may have gained access to records including names, Social Security numbers, dates of birth, and possibly addresses, as well as the medical information of patients and bank account data for employees.

If substantiated, this would be one of the largest healthcare data breaches ever reported, and the largest by an individual health system. The largest, according to US Department of Health and Human Services data, involved 780,000 records in a 2012 incident at the Utah Department of Health and 475,000 records in a 2008 report from the Puerto Rico Department of Health. Since both of these are government agencies, the St. Joseph breach could potentially have the biggest loss of patient data reported by an individual hospital.

So far, the damage done is a matter of speculation. […]

[ISN] Coca-Cola Laptop Breach A Common Failure Of Encryption, Security Basics

http://www.crn.com/news/security/240165711/coca-cola-laptop-breach-a-common-failure-of-encryption-security-basics.htm
By Robert Westervelt
CRN.com
January 27, 2014

Coca-Cola is notifying employees, contractors and people associated with its suppliers following a data breach at its Atlanta headquarters that resulted in the theft of laptops and information exposure on at least 74,000 people.

The laptops, which have been recovered, were stolen by a former employee, according to the Wall Street Journal, which first reported the security incident Monday. A Coca-Cola spokesperson did not return repeated requests from CRN for a comment on Monday. Coca-Cola told the newspaper that the laptop was not encrypted and contained the names, Social Security numbers and addresses of the individuals and included other details, such as driver’s license numbers, compensation and ethnicity. The firm said the laptops were stolen by an employee who was assigned to properly dispose of the equipment.

The newspaper reported that Coca-Cola is sending out notification letters to 18,000 people whose names and Social Security numbers were found on the laptops as well as 56,000 people who had other personal information potentially exposed. Coca-Cola said its security policy requires laptop encryption.

Lost and stolen laptops containing corporate data are a common occurrence, security experts in the channel told CRN. The latest breach highlights a failure of some basic security policies followed by a lack of security technology that has long been available to enterprises. Laptop encryption and user provisioning policies to remove access privileges from terminated employees may have prevented the issue, they say. Meanwhile, network monitoring may have detected and contained the problem before the data on tens of thousands of people was exposed. […]

[ISN] HealthCare.gov riddled with flaws that could expose user data, experts say

http://arstechnica.com/security/2014/01/healthcare-gov-riddled-with-flaws-that-could-expose-user-data-experts-say/
By Dan Goodin
Ars Technica
Jan 16, 2014

The federal government’s HealthCare.gov website continues to be riddled with flaws that expose confidential user data to the public, a security expert testified Thursday at a hearing on Capitol Hill.

David Kennedy, founder of security firm TrustedSec, told members of the House of Representatives Science Committee that only one of 18 issues he reported in November had been fixed, and even then he identified ways that attackers could bypass the remedy. Kennedy didn’t discuss specifics of the vulnerabilities out of concern that details would make it easier for criminals to exploit the weaknesses. Generally, he said some of the weaknesses leaked usernames, e-mail addresses, and other data contained in user profiles onto the open Internet, making it possible for unauthorized people to access the information using Google or other search engines.

The testimony came as top security officials from the US Department of Health and Human Services (HHS), which helps oversee HealthCare.gov, were appearing before a separate House hearing.

“TrustedSec cannot state with 100 percent certainty that the back-end infrastructure is vulnerable,” Kennedy wrote in a statement submitted in advance of Thursday’s proceedings. “However, based on our extensive experience performing application security assessments for over 10 years, the website has the symptoms that lead to large-scale breaches for large organizations. Also note that all exposures have been reported, and TrustedSec would be more than willing to have discussions with HHS to address the security concerns.”

HealthCare.gov is the portal website that administers Obamacare in 36 states. The difficulty it had scaling to levels of even basic public interest during its rollout in October badly tarnished what is arguably President Obama’s signature legislation. Shortly after the launch, Kennedy and several other security experts also criticized the site for failing to follow established practices for protecting user data. In November, Kennedy warned of 18 vulnerabilities. Since then, he said he has learned of at least 20 more from fellow researchers. […]