Security & Privacy Weekly News Roundup, Vol. 1, Issue 3

Health insurer stricken: Some 11 million customers of health insurance company Premera Blue Cross may have been affected by a May 2014 cyber attack. The company, licensed by Blue Cross Blue Shield, said the data breach wasn’t discovered until Jan. 29. Hackers may have gained access to customers’ Social Security numbers, bank account data, contact information and claims data. Premera plans to offer two years of free credit monitoring and identity theft protection services to those affected. Sources:

NASCAR raises caution flag: All three of Charlotte Motor Speedway’s Facebook pages were hacked March 12, sending spam to more than 200,000 viewers. The official speedway page, as well as the Dirt Track at Charlotte and zMAX DRAGWAY pages were all hit with spam posts, and administration access to the pages was disabled, a speedway official told Perform Media. All sites were up and running later in the day. Source:

Not the tax man calling: Calls from scammers posing as Internal Revenue Service employees and demanding money have risen so much recently, they’ve become the top item on the IRS’ 2015 “Dirty Dozen” list of tax scams. The scammers have even called the U.S. Treasury Department’s Timothy Camus, deputy inspector general for tax administration. The fake agents threaten those who refuse to pay with arrest, deportation or loss of a business or driver’s license, Camus said. More than 360,000 people have been called, and over 3,000 victims have been taken for a total of $15.5 million. Sources: Wall Street Journal

Learning NOT to share: Researchers at the University of Michigan found that parents who overshare on social media may breach their families’ privacy. Strangers have stolen family photos and misused them for cyberbullying and “digital kidnapping.” Source: Brighthouse Networks’ News 13, Florida

Here, there and everywhere: Theft of payment card data and other personal information is on the rise in industries across the globe, according to Verizon’s PCI Compliance Report, which includes data from 95 nations. Security breaches seem more widespread in the U.S. because other nations’ weak notification rules mean fewer such incidents are reported, says Verizon’s Franklin Tallah. Global losses related to card fraud doubled from $7 billion in 2009 to $14 billion in 2013, according to research firm BI Intelligence, Verizon notes. Source:

Paving the road to hell? It may have good intentions, but a proposed Senate bill could allow the government to collect user information from such companies as Google and Facebook without a warrant. The Cyber Information Sharing Act “encourages” private companies to share user data with the government with little oversight. The Senate Intelligence Committee approved the bill March 12. Its purpose is to block hacker attacks, but nonspecific language could expose user account information, IP address login history, even the type of phone used. Source:

But we’re the good guys! Security researchers fear that proposed changes to the Computer Fraud & Abuse Act and existing racketeering laws could make white-hat hacking illegal, with language that could be misinterpreted in court to criminalize crime-fighting operations. Common security practices such as penetration testing could be reined in under tougher mandates, and some security tools could become illegal. Source:

Oops; we thought we got this already: Microsoft has shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included is a fix for a flaw first patched in 2010, the same vulnerability that led to the discovery of Stuxnet. But the patch that Microsoft shipped to fix that flaw didn’t quite cover the hole, leaving Windows users exposed until now. Source:

Don’t unwrap this gift: An email pitch saying wrapping your car in an ad for Monster Energy, Coca-Cola or Heineken can net you up to $1,200 a month is a scam, the Better Business Bureau warned on March 16. The email promises an upfront payment, with a check for far more than the amount you’re “owed” arriving to cover the cost of the wrap. You’ll be told to wire the difference to the person handling the application. The check will bounce, but you might not know that for up to a week. Source:

Turn-down service gets new meaning: Hotel giant Mandarin Oriental Hotel Group is investigating a credit card breach, saying some point-of-sale systems were hit by malware that could steal customer data. Banking industry sources say the breach almost certainly affected most Mandarin hotels in the United States, including in Boston, Florida, Las Vegas, Miami, New York and Washington, D.C. The problem likely dates to just before Christmas. Source:

Yahoo for a simpler login: Yahoo announced its new “on-demand” passwords at South by Southwest’s opening weekend. Users won’t need a predetermined password to log in. Instead, they’ll get a text message with a verification code. Source:

Open, yet safe? The Pentagon wants to protect Americans’ private information, but still make it accessible for analysis by companies, health care providers and the government. A new program called Brandeis, started by the Defense Advanced Research Projects Agency and named after former Supreme Court Justice Louis Brandeis, who said privacy is the “right to be let alone,” aims to “protect data that is knowingly provided to a third party, as opposed to data collected as a byproduct of interacting with the network or a system.” Source:

Bracing for the breach: More than half of surveyed security professionals—52 percent—expect their companies to be hacked in the next 12 months, says a new report from CyberEdge Group, up from 39 percent in 2013. Not surprisingly, spending on security issues is on the rise, with 62 percent of the security pros saying their budgets will rise this year. Source:

Fixed in a Flash: An Adobe update fixes at least 11 separate, critical security vulnerabilities in its Flash Player software. Adobe says it’s not aware of any exploits in the wild for issues covered in the update. Source:

WHOIS having a problem: Google told thousands of domain registrants that their private WHOIS information has been exposed, raising the risk of identity theft and scams. Researchers from Cisco Talos Security said the problem likely lies with Google registrar partner eNom and affects 94 percent of the 305,925 domains registered through the partnership. Google said a “software defect” in its Google Apps domain registration system was to blame. Source:

In a State of unease: A Russia-based hack of the State Department’s email system is the “worst ever” cyber attack on a federal agency, say law enforcement, intelligence and congressional officials briefed on the investigation. The attackers are thought to be behind hacks on White House email and other federal agencies, the officials say. Although former Secretary of State Hillary Clinton’s use of private email has been slammed as being less secure, the hack shows that the State Department has serious issues. Last November, the Cabinet department temporarily shut its email system to try to boost security. Source:

Tell it to the judge: The Judicial Conference Advisory Committee on Rules of Criminal Procedure voted March 16 to OK a rule change to broaden the FBI’s hacking authority despite Google’s fears that the amended language is a “monumental” constitutional concern. Judges would have more flexibility in approving warrants for electronic data, the Justice Department says. The change would let judges grant warrants for remote searches of computers outside their judicial districts or when the location is unknown. Source:

No victims, no case, judge says: A federal judge on March 13 dismissed two would-be class-action lawsuits filed over an April 2014 data breach at the Paytime payroll firm. The plaintiffs cited a heightened risk of identity theft due to an April 2014 breach by unknown hackers, contending that about 233,000 Paytime clients were put at risk nationwide. Judge John E. Jones III noted that none of those who sued Paytime have proven that they have been victimized by identity thieves. Source:

Is it Zoup yet? Point-of-sale vendor NEXTEP Systems says a breach exposed data for payment cards used at “a large number” of the 75-restaurant Zoup chain. The most likely breach is remote access to point-of-sale devices, letting cyber thieves capture payment card numbers from the devices. NEXTEP is working “around the clock” to resolve the issue. Source:

Fair play? Sony’s customer service is under scrutiny after a victim of a PlayStation 4 hack was told he wouldn’t get a full refund. A Reddit user identified as Kadjar said he got email alerts that his account had bought about $600 in content; he also found that his PS 4 had been deactivated from PSN, and another system controlled the account’s primary system. Kadjar says Sony will refund $150, and only as a credit. If he pursues the issue with his bank, his account will be banned, his licenses wiped, and his PS 4 won’t be designated a primary console for six months. GameSpot has asked Sony for a response. Source:

This post originally appeared on