Not entirely clear what happened.
Promo.com discloses data breach after 22M user records leaked online
Promo.com, an Israeli-based marketing video creation site, has disclosed a data breach after a database containing 22 million user records was leaked for free on a hacker forum.
… In a report shared with BleepingComputer by cybersecurity intelligence firm CloudSEK, a well-known seller of data breaches posted a database containing 22.1 million user records on a hacker forum.
This data contains users' email addresses, names, genders, geographic location, and for 2.6 million of the users, their hashed passwords.
This leak included 1.4 million cracked passwords, which means they were decrypted and could immediately be used by attackers to log in to the users' accounts or use the passwords in credential stuffing attacks at other sites.
… "On July 21, 2020, our team became aware that a data security vulnerability on a 3rd party service had caused a breach affecting certain non-finance related Slidely and Promo user data. We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened," Promo's data breach notification states.
… "Although your account password was hashed and salted (a method used to secure passwords with a key), it's possible that it was decoded," the data breach notification continues.
As the salt for each user's password was also included in the database, it is much easier for threat actors to crack the passwords and see them in their plain text form.
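A salt is normally stored next to the hash (its job is to defeat precomputed tables, not to stay secret), so what decides whether a leaked table like Promo's can be cracked in bulk is the hashing work factor and whether old, cheap hashes get upgraded. The example below is added here and is not code from the article or from Promo.com; the PBKDF2 iteration count, the record format and the sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor (assumed for this example; tune it so one verification costs a
# noticeable fraction of a second on the servers that will run it).
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.
    The per-user random salt is stored with the hash on purpose; the slowdown
    that limits guessing speed comes only from the iteration count."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations), dklen=32)
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:  # malformed record (wrong field count, bad hex, bad int)
        return False


def needs_rehash(stored: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for records hashed with an unknown scheme or a weaker work factor;
    re-hash such a record at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum_iterations


def seconds_per_verification(iterations: int, samples: int = 3) -> float:
    """Defender's tuning aid: measure what one verification costs at a given work factor."""
    record = hash_password("benchmark-only", iterations=iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("benchmark-only", record)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    legacy = hash_password("correct horse", iterations=1)   # constructed: one-round salted hash
    print("legacy record needs rehash:", needs_rehash(legacy))
    for n in (1, 1_000, PBKDF2_ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_verification(n) * 1000:.2f} ms per verification")
```

Run it to see how many orders of magnitude the work factor adds to each guess; a one-round salted hash (the "legacy" record) costs roughly nothing per guess even though its salt is random and unique.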
I bet you didn't know your laptop was worth a million dollars…
Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach
In April 2017, Lifespan issued a statement disclosing a stolen laptop incident involving unencrypted protected health information. In at least two places in their statement they claim that they are committed to protecting the security and confidentiality of patient data.
Today, OCR announced a settlement with Lifespan in which Lifespan is to pay more than $1 million dollars and implement a corrective action plan. It seems like OCR is sending an expensive reminder to entities to encrypt mobile devices. [About time! Bob] Let's see what OCR's press release says:
Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. Lifespan ACE includes many healthcare provider affiliates in Rhode Island, and has designated itself as a HIPAA affiliated covered entity.
On April 21, 2017, Lifespan Corporation, the parent company and business associate of Lifespan ACE, filed a breach report with OCR concerning the theft of an affiliated hospital employee’s laptop containing electronic protected health information (ePHI) including: patients’ names, medical record numbers, demographic information, and medication information. The breach affected 20,431 individuals.
OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so. OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.
“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/lifespan-ra-cap-signed.pdf (PDF).
Non-virtual hackers. Sometimes we forget they still exist.
Burglars expose Walgreens customer data in a different kind of breach
Groups of unidentified thieves broke into multiple Walgreens stores in late May and early June and stole prescription information and other data on some 70,000 customers, a spokesman for the pharmacy chain said Monday.
The assailants forced their way behind pharmacy counters and stole drug prescriptions, and also took a "very limited number of hard drives attached to stolen cash registers," according to a letter Walgreens sent affected customers. Customers' health insurance and vaccination information may have been swept up in the breach, Walgreens said, but credit card data and Social Security numbers were not affected.
Strange this happened in San Francisco. Will there be an overreaction?
San Francisco Police Accessed Business District Camera Network to Spy on Protestors
EFF: "The San Francisco Police Department (SFPD) conducted mass surveillance of protesters at the end of May and in early June using a downtown business district's camera network, according to new records obtained by EFF. The records show that SFPD received real-time live access to hundreds of cameras as well as a "data dump" of camera footage amid the ongoing demonstrations against police violence. The camera network is operated by the Union Square Business Improvement District (BID), a special taxation district created by the City and County of San Francisco, but operated by a private non-profit organization. These networked cameras, manufactured by Motorola Solutions' brand Avigilon, are high definition, can zoom in on a person's face to capture face-recognition ready images, and are linked to a software system that can automatically analyze content, including distinguishing between when a car or a person passes within the frame. Motorola Solutions recently unveiled plans to expand its portfolio of tools for aiding public-private partnerships with law enforcement by making it easier for police to gain access to private cameras and video analytic tools like license plate readers…"
This 'ban' seems to have a few holes in it.
Travelers to DC Must Quarantine
"Beginning Monday July 27, 2020, anyone visiting or returning to the District for non-essential activities from 27 high-risk states will need to isolate themselves and self-monitor for symptoms of COVID-19 for 14 days. The list is valid until Aug. 10, when local officials will reevaluate and post an updated list on the D.C. health department's coronavirus portal. People coming into the District for essential purposes are not required to self-quarantine on their arrival. Instead, D.C. health officials advise those visitors to monitor for symptoms and seek medical attention or testing if they start to feel ill. Travel to and from Maryland and Virginia is exempt from Bowser's new order."