June 2015: The Month of the Breach?
From the very large to the very small, the drumbeat of stolen data continues. This blog post lists the more – and less – notable data breaches announced in the last two weeks. While some of these breaches have received very little press attention, they are no less important for those people whose information has been stolen.
June 4 and June 15: On June 4, the U.S. Office of Personnel Management (OPM) announced that personally identifiable information (PII) of approximately 4 million people may have been compromised. On June 15, the OPM announced that information related to “background investigations of current, former, and prospective Federal Government employees” has been compromised – or, more bluntly, stolen. According to the announcement, the information stolen wasn’t limited to government employees, as information related to other individuals for whom a Federal background investigation has been conducted was also exposed. Although OPM hasn’t provided an updated number for how many people were affected by this latest breach, multiple sources are reporting that data for up to 14 million people was lost.
June 10: Medical Informatics Engineering announced a “data security compromise” for patients at several of its Midwest healthcare facilities. MIE did not say how many patients were affected, but does say that the information lost may include “the patient’s name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports, and medical conditions.” No financial data was lost.
June 10: The security firm Kaspersky Labs announced that it was the target of a highly sophisticated cyber-attack. In this case, the attacker’s goal was not to steal personal, health, or financial information, but to “acquire information on the company’s newest technologies.” In the process of uncovering this industrial espionage attack, Kaspersky discovered Duqu 2.0, an advanced piece of malware stemming from the Duqu malware discovered in 2011 that exploits up to three zero-day vulnerabilities.
June 12: An SC Magazine article reports that Holiday Valley Resorts may have experienced a compromise of payment cards used at the resort’s point of sales devices between October of last year and early this month. In an undated FAQ on the breach, Holiday Valley says, “If you used your credit or debit card at any sales point at Holiday Valley Resort between October 17, 2014 and June 2, 2015 your card may be at risk of theft.” Information that has been lost likely includes credit and debit card numbers, names, expiration dates and CVV security numbers. Holiday Valley notes that debit card PINS were not lost.
June 15: Password management software vendor LastPass announced that account email addresses, password reminders, server per user salts (used in the hashing of passwords to help keep them secure), and authentication hashes were compromised. LastPass does say that there is no evidence that encrypted user vault data was stolen nor that user accounts were accessed. They go on to say, “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
June 15: In his KrebsonSecurity blog, Brian Krebs reported that Fred’s Inc., an operator of 650 dollar stores throughout the southeast United States, is investigating a potential credit card breach. The store issued a statement that said it is aware of a potential data security incident and is conducting an investigation to determine the extent of the breach.
Just halfway in, June is shaping up to be among the busiest months in a year that will likely go down in history for cyber attacks and data breaches. Stay tuned… there’s surely more to come.