Update. Still not clear. Are those Hyatt's processing systems or a third party?
Card Breach Affects 250 Hyatt Hotels Worldwide
Following an investigation into a breach of its payment processing systems, Chicago-based hotel operator Hyatt Hotels has determined that the incident affects 250 hotels worldwide.
According to the company, the investigation revealed unauthorized access to data associated with payment cards used at Hyatt-managed locations, mainly restaurants, between August 13, 2015 and December 8, 2015.
… Customers for whom Hyatt does not have any contact information are advised to check the list of affected hotels to determine if they are impacted.
… “Though it is common to see malware capture credit cards at the time of the swipe, in this instance, the malware collected card data while it was being routed through the affected payment processing systems, according to Hyatt’s statement,” said Brad Cyprus, chief of security and compliance at Netsurion, a provider of remotely-managed security services for multi-location businesses.
I would have expected attacks to drop like the price of oil. (Unless of course you are trying to slow production to raise prices.)
Oil and Gas Industry Increasingly Hit by Cyber-Attacks: Report
According to the study, which was conducted by Dimensional Research in November 2015, 82 percent of oil and gas industry respondents said their organizations registered an increase in successful cyber-attacks over the past 12 months. Moreover, 53 percent of the respondents said that the rate of cyber-attacks has increased between 50 and 100 percent over the past month.
… The report also reveals that 69 percent of respondents said they were “not confident” in their organizations’ ability to detect all cyber-attacks.
Sad to see that this still happens. Does no one know how the technology they use every day works?
Earlier this week, Jigsaw Security noted that they had discovered that improper redaction of documents posted on the Virginia Dept of Human Resource Management website was potentially exposing employees’ personal information:
A PDF posted by this organization contained information that was obfuscated by blocks, but it was a layered image, so if you edit the document the blocks can be removed and the original content is then visible.
The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.
Because there were many improperly redacted files putting employees’ SSN, salary, and other details at risk, Jigsaw reached out to DataBreaches.net to help with the notification. On January 12, this site sent a notification to the same DHRM liaison that Jigsaw had attempted to notify, but also contacted DHRM’s media contact to ask for a statement. When there was no response from either party, this site sent a second request to their media contact. That one got their attention, and they asked me for my real name and documentation. I sent them a link to Jigsaw’s post and offered to send them screenshots showing unmasked employee information. I also told them I would delay publication to give them a chance to remove the files from view.
That seemed to produce results. DHRM thanked me for reaching out to them and the next day, they informed this site that DHRM was addressing the security concern by:
- Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
- Software that has proper redacting capability was being supplied to users; and
- Staff training was introduced to ensure that no lapses will occur in the future.
DHRM’s ITECH director and security officer also reached out to Jigsaw Security, who provided DHRM with additional assistance with the issue and also provided them with information about other vulnerabilities the intel firm had spotted. Hopefully, DHRM is addressing those issues, too.
And thus ends another adventure in trying to notify entities of security problems. But it shouldn’t be difficult to notify state agencies of security problems. Hopefully, DHRM is addressing that, too, so the next time a white hat tries to alert them to a problem, they get the notification.
“We gonna protect everything, except for almost everything.”
Bill Fitzgerald (@FunnyMonkey) writes:
….As described in this FERPA directory information model form, “Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent.”
The list of information included as part of directory information – or “information that is generally not considered harmful or an invasion of privacy if released” – is pretty complete:
- Student’s name
- Address
- Telephone listing
- Electronic mail address
- Photograph
- Date and place of birth
- Major field of study
- Dates of attendance
- Grade level
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- Degrees, honors, and awards received
- The most recent educational agency or institution attended
- Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems
- A student ID number or other unique personal identifier that is displayed on a student ID badge
If this information was compromised as part of a data breach, it would be considered substantial – yet, this information about children can be shared without parental consent, for their entire K12 experience.
Read more on his blog.
Note that if these data are breached, if student ID is not SSN, then many states would not even require breach notification under their statutes. And we know that the U.S. Education Dept. has never withheld federal funds from any K-12 institution over a breach.
Consequences for breaches at the post-secondary level can be more costly for universities and colleges who may find themselves sued (generally unsuccessfully), but again, federal enforcement is lacking: USED does nothing and FTC has no authority other than enforcing the Safeguards Rule if financial information is involved – an authority it seemingly declined to use in the case of the massive MCCCD breach that I reported on DataBreaches.net.
If student privacy is to be truly protected, it’s time to revise FERPA to make sharing of “directory” information opt-in, not opt-out. And it’s time to recognize that Google is not a school official – it’s a vendor that is not in business to be charitable. There is no such thing as a free lunch when it comes to student data and tech.
Does Facebook have to drop the people who signed up because of this? Being aggressive had benefits that this court can't reverse.
Harro ten Wolde reports:
Germany’s highest court has declared unlawful a feature that encourages Facebook users to market the social media network to their contacts, confirming the rulings of two lower courts.
A panel of the Federal Court of Justice ruled that Facebook’s “friend finder” promotional feature constituted advertising harassment in a case that was filed in 2010 by the Federation of German Consumer Organisations (VZBV).
Read more on Reuters.
My tax dollars at work? Guideline promising more guidelines?
Transportation Secretary Anthony Foxx was in Detroit on Thursday to announce that the administration will request close to $4 billion over ten years to "accelerate the development and adoption of safe vehicle automation through real-world pilot projects." The testing would take place in certain areas of the country, according to a release, and the program would "work with industry leaders to ensure a common multistate framework for connected and autonomous vehicles."
… The National Highway Traffic Safety Administration also rolled out new policy guidance on autonomous vehicles, which included a commitment to produce policy guidelines within six months for states grappling with how to regulate self-driving cars.
… California's Department of Motor Vehicles recently released draft regulations that would require a licensed human driver behind the wheel of every autonomous vehicle.
Might be useful for Data Mining and Analytics.
Yahoo Releases Largest Cache of Internet Data
… On Thursday, the embattled Internet company said it would release the largest cache of Internet behavior data—the clicks, hovers and scrolls of some 20 million anonymous users on Yahoo’s sports, finance, news, real estate and other pages. The trove, which will be available only to universities, is expected to give researchers a rare, real-world look at how large numbers of people behave online.
… The Yahoo data set weighs in at 13.5 terabytes, about two-thirds the size of the Library of Congress.
That is larger than anything available to the vast majority of academic computer scientists, and so big that it likely will have to be stored outside a university system, possibly in a cloud computing center run by Amazon.com Inc. or Alphabet Inc.’s Google, said Carnegie’s Moore, a former Google executive.
(Related)
Jordan Pearson reports:
Yahoo Labs, the research wing of Yahoo, just released what the company is calling the “largest ever” machine learning dataset for artificial intelligence researchers to use in their work, for free. For example, to create a Facebook-like recommendation algorithm.
In doing so, Yahoo also released information that could potentially be used by researchers who download the database—and anyone they share it with—to identify Yahoo customers.
The behemoth dataset consists of 13.5 terabytes of user interactions with news items from some 20 million users, which the company says have been “anonymized.” While there are no names attached to the data, seven million users in the database also had information about their age, gender, the city they were in when they accessed the page, whether they used a mobile device or a desktop, and a timestamp of when they accessed the news item, included in the dataset.
Read more on Motherboard.
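Added example (my code, not anything from Yahoo Labs or Motherboard; the records are constructed, not drawn from the dataset): the re-identification concern in the excerpt above, made measurable. Treating age, gender, city, device and hour of access as quasi-identifiers, it groups rows by that combination, reports the smallest group of users sharing one (the table's k-anonymity) and which users a single row singles out, then shows what an outsider who already knows a person's age, gender, city and device can recover. It also applies one mitigation, coarsening age to a decade and dropping the timestamp, and measures the effect. Whether the real dataset is safe depends on how many users share each combination, which is exactly what k_anonymity measures; nothing here speaks to Yahoo's actual figures.

```python
from collections import defaultdict

QUASI_IDS = ("age", "gender", "city", "device")

# Constructed interaction records in the shape the Motherboard piece describes
# (no real Yahoo data): one row per news-item click, several rows per user.
RECORDS = [
    {"user": "u1", "age": 34, "gender": "F", "city": "Sunnyvale", "device": "mobile",  "ts": "2015-12-01T08:14:00"},
    {"user": "u2", "age": 34, "gender": "F", "city": "Sunnyvale", "device": "mobile",  "ts": "2015-12-01T08:40:00"},
    {"user": "u3", "age": 52, "gender": "M", "city": "Chicago",   "device": "desktop", "ts": "2015-12-01T09:05:00"},
    {"user": "u3", "age": 52, "gender": "M", "city": "Chicago",   "device": "desktop", "ts": "2015-12-02T19:30:00"},
    {"user": "u4", "age": 29, "gender": "F", "city": "Chicago",   "device": "mobile",  "ts": "2015-12-01T09:05:00"},
    {"user": "u5", "age": 29, "gender": "F", "city": "Chicago",   "device": "mobile",  "ts": "2015-12-01T09:50:00"},
    {"user": "u6", "age": 41, "gender": "M", "city": "Austin",    "device": "desktop", "ts": "2015-12-03T21:10:00"},
    {"user": "u7", "age": 55, "gender": "M", "city": "Chicago",   "device": "desktop", "ts": "2015-12-04T10:00:00"},
    {"user": "u8", "age": 45, "gender": "M", "city": "Austin",    "device": "desktop", "ts": "2015-12-05T11:00:00"},
]

def quasi_key(rec):
    """The combination an outsider could plausibly know about a person.  The
    timestamp is bucketed to the hour, since an exact second is rarely known
    (assumption: hour-level knowledge, e.g. 'read the news at breakfast')."""
    key = tuple(rec[f] for f in QUASI_IDS)
    if "ts" in rec:
        key += (rec["ts"][:13],)
    return key

def k_anonymity(records):
    """Group rows by quasi-identifier; return (smallest group size in users,
    sorted users that at least one row singles out on its own)."""
    groups = defaultdict(set)
    for r in records:
        groups[quasi_key(r)].add(r["user"])
    k = min(len(g) for g in groups.values())
    unique = sorted({u for g in groups.values() if len(g) == 1 for u in g})
    return k, unique

def reidentify(records, known):
    """Users consistent with the attributes an outsider already knows
    (any subset of the record's fields)."""
    return {r["user"] for r in records if all(r.get(f) == v for f, v in known.items())}

def generalize(rec):
    """One mitigation: coarsen age to a decade bucket and drop the timestamp."""
    g = dict(rec)
    g["age"] = "%ds" % (rec["age"] // 10 * 10)
    g.pop("ts", None)
    return g
```

On the constructed rows the raw table has k = 1 and four of the eight users are singled out by at least one row; knowing only "52, male, Chicago, desktop" recovers u3 exactly. After generalize() every group has at least two users and the same outside knowledge narrows to two candidates, which is the trade-off a release like this has to make explicitly rather than by calling the data "anonymized".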
“Bragging for Budget?” Politics as usual.
January Terror Threat Snapshot: 21 ISIS-linked Plots in the US
… The report also mentions 139 terrorist cases involving homegrown Islamist extremists since 9/11, along with a running tally of ISIS supporters arrested in the U.S. to date: 79 people.
How does this relate to the profit made selling toxic mortgages? Did everyone return their commissions and bonuses?
Goldman Sachs Reaches $5.1 Bln Settlement Over Mortgage-Backed Securities
The Goldman Sachs Group Inc. (GS) said Thursday that it agreed to a $5.1 billion settlement to resolve U.S. and state claims related to securitization, underwriting and sale of residential mortgage-backed securities from 2005 to 2007. The agreement in principle will reduce earnings for the fourth quarter of 2015 by about $1.5 billion on an after-tax basis.
… As per the terms of the agreement in principle, the firm will pay a $2.385 billion civil monetary penalty, make $875 million in cash payments and provide $1.8 billion in consumer relief. [Leaving 400 million for the lawyers? Bob]
A significant economic development? Certainly an opportunity, if we can learn from Bitcoin's failures.
I’ve spent more than 5 years being a Bitcoin developer. The software I’ve written has been used by millions of users, hundreds of developers, and the talks I’ve given have led directly to the creation of several startups. I’ve talked about Bitcoin on Sky TV and BBC News. I have been repeatedly cited by the Economist as a Bitcoin expert and prominent developer. I have explained Bitcoin to the SEC, to bankers and to ordinary people I met at cafes.
From the start, I’ve always said the same thing: Bitcoin is an experiment and like all experiments, it can fail. So don’t invest what you can’t afford to lose. I’ve said this in interviews, on stage at conferences, and over email. So have other well known developers like Gavin Andresen and Jeff Garzik.
But despite knowing that Bitcoin could fail all along, the now inescapable conclusion that it has failed still saddens me greatly. The fundamentals are broken and whatever happens to the price in the short term, the long term trend should probably be downwards. I will no longer be taking part in Bitcoin development and have sold all my coins.
“There's an App (or website or social network or ...) for every purpose under heaven.” (apologies to Pete Seeger)
How Big Is Twitch.tv? You Won’t Believe These Stats & Facts
There’s a video service on the Internet that’s pretty popular called Twitch.tv. Even if you’ve never played a video game in your life, you’ve probably heard of it.
But just how big is Twitch? How much time do people spend watching others play video games? You seriously won’t believe some of these facts about just how popular it is:
- Twitch has over 100 million unique users. That’s not 100 million page views, which would be impressive for most websites, but the actual number of people who come to the site every month.
- The average Twitch user watches 1 hour and 46 minutes of video per day.
- In total, users watch 16 billion minutes of content on the service each month.
- It’s not just viewers, as 1.7 million people actually broadcast themselves playing games on Twitch.
- Of those, more than 12,000 of them are partners, meaning they get paid to stream!
As I read it, there are only three or four skills that aren't completely “techie.”
LinkedIn's Top 25 Most In-Demand Career Skills