Watch for a letter from the IRS …

March 4, 2016

About 685,000 taxpayers will be getting letters from the Internal Revenue Service this week warning that hackers may have stolen their tax information. After a nine-month investigation, the IRS concluded that 390,000 taxpayer accounts may have been accessed, and another 295,000 were targeted, but not accessed. The IRS said hackers used Social Security numbers found elsewhere to get into the Get Transcript service, which was designed to make it easy for filers to get tax returns from previous years. With information from previous returns, hackers presumably could prepare a phony new return in an individual’s name and seek a refund. The service was discontinued in May 2015 when it was discovered that 225,000 taxpayer documents may have been hacked. Since then, the investigation has turned up more potential victims. In all, more than 1.2 million tax filers were targeted by ID thieves. Source: The Chicago Tribune

… Or, maybe, two letters from the tax agency

To protect previous victims of falsified returns and data breaches—such as the IRS’s own 2015 hacking, which resulted in 724,000 stolen taxpayer records, according to the agency’s most recent investigation—the IRS assigns them an Identity Protection PIN. That’s a six-digit code that acts as a second form of verification and must be included on all tax forms. But at least one of these IP PINs has itself been compromised, according to security researcher Brian Krebs. South Dakota accountant Becky Wittrock told Krebs she was assigned a PIN in 2014, after becoming a victim of fraud, and that when she went to file her tax return this year, the agency told her that PIN had already been used. Thieves had beaten her to filing by more than three weeks, and filed a large refund request. When she called the agency, she said, they told her that the fraudulent use of IP PINs was “a big problem for them this year.” Source: Money magazine

Pentagon says, come on, hack us; we dare you

The Defense Department is inviting “vetted hackers” to test its cybersecurity in a new pilot program called Hack the Pentagon. “This innovative project is a demonstration of [Secretary of Defense Ashton] Carter’s continued commitment to drive the Pentagon to identify new ways to improve the department’s security measures as our interests in cyber space evolve,” the Pentagon said in a statement Wednesday announcing the initiative. It’s the first “cyber bug bounty program in the history of the federal government” and is modeled after similar competitions held by the nation’s biggest companies, the Pentagon said. Hackers must register and submit to a background check to participate in the program. Hackers must be U.S. citizens. Qualified participants will then try to identify vulnerabilities in Pentagon applications, websites and networks. They could be eligible for monetary awards and other recognition. The program launches in April. Source: The Hill

They’re really getting personal

Theft of identities along with personal information still accounts for the majority of data breaches, a global survey by Gemalto has found. According to the 2015 Breach Level Index, identity theft accounted for 53 percent of all data breaches as well as 40 percent of “all compromised records” last year. “In 2014, consumers may have been concerned about having their credit card numbers stolen,” said Jason Hart, vice president and chief technology officer for data protection at Gemalto. “However, in 2015, criminals shifted to attacks on personal information and identity theft.” The survey also shows that health care and government data breaches have overtaken those in the retail sector. Source: We Live Security

Gone phishing, Snapchat style

Snapchat disclosed that an employee “fell for a phishing scam and revealed some payroll information about our employees,” compromising the identities of some current and former employees. “A scammer impersonated our chief executive officer and asked for employee payroll information,” Snapchat said. “Payroll information about some current and former employees was disclosed externally. None of our internal systems were breached, and no user information was accessed.” Source: Digital Trends

From the tool box

Microsoft has a new tool, Windows Defender Advanced Threat Protection, designed to help detect threats to Windows 10 machines after a threat has penetrated the network. “Even with the best defense, sophisticated attackers are using social engineering and zero-day vulnerabilities to break in to corporate networks,” said Terry Myerson, Microsoft’s executive vice president of Windows. The new tool searches for problems using machine learning based on Microsoft’s Security Graph, a collection of security intelligence information the company has accumulated. Source: Tech Crunch

That spear hit its mark

Nearly 11,000 Main Line Health employees fell victim to a “spear phishing” scam that exposed key personal information, including birth dates and Social Security numbers, the health system said. An employee responded to an email believed to be a legitimate request for Main Line employees’ information, which also included names, addresses and salaries. No patient information was released, said Main Line. Source: The Philadelphia Inquirer

School bells ring the alarm

Thirteen faculty and staff members at Illinois State University were the apparent victims of an information breach that allowed someone to divert their direct-deposit payroll payments to another account. ISU Chief of Staff Jay Groves said the breach appears to be limited to these 13 people and no students. A total of about $50,000 was involved, and the university has made sure the affected people have the proper amount credited to their accounts, he said. “In talking with the FBI and others, there have been five universities around the country that we know of” where similar crimes have occurred, Groves said. … A hacker broke into the University of California, Berkeley computer system holding financial data of 80,000 students, alumni, current and former employees, school officials said. The university said that although there is no evidence that any information has been stolen, it has notified potential victims of the breach so they can watch for signs of possible misuse of their personal data. Those notified include students and staff who received nonsalary payments through electronic fund transfers, such as financial aid awards and work-related reimbursements. Vendors whose financial information was in the system for payment purposes also are at risk. Sources: The (Bloomington, Ill.) Pantagraph; Fox News

Dies ist nicht gut, Herr Facebook

Facebook has been fined 100,000 euros by a German court over its refusal to comply with consumer law. The social network was ordered to change its terms and conditions for German users in March 2012, after a complaint from the Federation of German Consumer Organisations. According to the complaint, it was unclear how much the site’s terms allowed the company to license users’ pictures and video to third parties. Although Facebook now has changed the wording of the relevant passage, the court said it had not done enough to clarify the issue, and that the core content remained the same. The company maintains that the recent ruling was based on the speed of the changes, rather than the content. Source: IT Pro

You don’t have to unlock that iPhone … in New York

A federal judge denied a government motion to force Apple to unlock an iPhone—but it’s not in the San Bernardino, Calif., case. However, the ruling could have implications for Apple’s current battle with the FBI over San Bernardino shooter Syed Farook’s iPhone 5c. In the U.S. District Court for the Eastern District of New York, Magistrate Judge James Orenstein ruled that the All Writs Act is being applied overly broadly by the government. Apple is making a similar legal argument in both cases, that the government shouldn’t be using the All Writs Act to issue certain warrants. That law, first passed in 1789 and updated most recently in 1948, authorizes the government to issue warrants that aren’t covered by other existing statutes. Apple says that the Communications Assistance for Law Enforcement Act, which outlines specific guidelines, is more appropriate, or a new law yet to be passed. Source: Macworld

Brits gobsmacked by government’s latest proposal

Authorities in the U.K. will be able to hack into phones and look through Web browsing records under a government proposal to increase surveillance powers of British authorities investigating crimes and fighting terrorism. A new version of the Investigatory Powers Bill, dubbed “Snooper’s Charter” in the U.K., was published after the government was forced to rewrite an earlier draft of the bill because of lack of privacy safeguards. Source: CNN


The post Watch for a letter from the IRS … appeared first on Third Certainty.
