Security Breach Report: March 5, 2015

Here is the latest news about cyber security and data breaches resulting from network vulnerabilities, social engineering attacks, and insider threats.

• According to recent reports, the massive Anthem data breach has been traced to a Chinese cyber espionage group and a professor with links to a Beijing defense contractor. Anthem is part of the Blue Cross Blue Shield Association and is the largest of the 37 insurers in the group. The breach, which first came to light in early February, allegedly compromised the personal data (including Social Security numbers, employment information, and health care ID numbers) of more than 80 million patients, including millions of children.
• On February 27, transportation service provider Uber announced that the personal data of 50,000 of its drivers may have been compromised by a third-party source. Details continue to emerge in this evolving story, but reports allege that the data breach occurred in May 2014 and was not discovered until September 2014 — and was not reported to affected drivers for another five months.
• UK phone and broadband provider TalkTalk — which services more than 4 million customers — acknowledged in late February that it had suffered a major data breach in late 2014. According to reports, account numbers, addresses, and phone numbers have been compromised, at least in part due to a third-party contractor that had legitimate access to the service provider’s customer accounts. Speculation is that an Indian call center was the source of a compromise. Many customers have reported vishing attacks in the aftermath of the breach, with some customers suffering financial losses as a result of the social engineering scams.
• In February 2015, it was revealed that the personal details and other sensitive data (including passwords, parent complaints, and attorneys’ correspondence) related to special education students in the Washington, D.C. public school district had been publicly available online since 2010. It’s not certain what information, if any, had been accessed during that time.
• In a report released last month, FireEye researchers reported that Pro-Assad parties in the Syrian conflict used social engineering tricks — in the form of female Skype avatars and related social media accounts — to deliver malware to opposition fighters and gather intelligence, including tactical plans and maps.
• Two natives of Ireland reportedly snuck into the Super Bowl, bypassing complex security protocols by tagging along with a group of First Aid workers. The game plan of these erstwhile social engineering masterminds was to “be super confident,” which appears to have worked, judging by posts to social media that showed them enjoying the game from $25,000 seats.
• At the end of January, Senior Health Partners (SHP), a New York-based provider of healthcare services to senior citizens, began notifying approximately 2,700 of its members about a physical security incident that led to a data breach. The data was lost when a laptop and smartphone were stolen from the apartment of an assessment nurse who worked for Premier Home Health, a business associate of SHP.
• A Japanese tourist reportedly created a major stir during a security breach close to Queen Elizabeth’s private apartments at Windsor Castle. The tourist, who was interviewed briefly and released, apparently gained access to a high-security zone through an internal door that had accidentally been left unlocked.
• Pennsylvania’s Benecard Services Inc., a prescription benefit company, faces a class-action lawsuit (filed on February 26) that claims the organization failed to alert customers and former employees about a recent data breach. The suit was filed on behalf of five former employees and those affected after several current and former Benecard employees had their tax returns rejected by the IRS because returns has already been filed in their names.
• According to a KrebsOnSecurity report, financial industry sources have traced a pattern of activity that indicates a breach of point of sale systems at Colorado-based Natural Grocers locations across the U.S. The company said it is working with law enforcement officials and a third-party data forensics company but stressed that it has not received any reports of suspicious credit card activity from its customers.
• In February, detailed banking information of more than 350 residents of the University of Limerick’s student village in Ireland was accidentally sent to a student as the result of a “human error.”