Security & Privacy Weekly News Roundup, Vol. 1, Issue 5

Eight isn’t great: A class-action lawsuit says hackers had access to Premera Blue Cross systems for about eight months before they were detected. The insurance company said on March 17 that hackers might have gained access to the personal information of 11 million people, including names, dates of birth, Social Security numbers and bank account information. Premera says no customer information appears to have been sold on the black market. Source: The Hill

Posting ‘Keep Out’ signs: Hollywood is turning to tech companies such as WatchDox, Intralinks and Varonis to manage data that lands in workers’ personal smartphones and Internet storage services. They surround files with encryption, passwords and monitoring systems to track who is doing what with the files. This has prompted venture capital firms to invest in companies that manage document security, with eight companies raising $134 million in funding in 2014. Source: The New York Times

Small, less might? Community banks and credit unions are more likely to face cyberattacks because hackers think small organizations don’t have their guards up, says Scott McGillivray, senior vice president of Pacific Continental Bank in Eugene, Ore. He says many small businesses are exposed to ransomware, in which a piece of malware gets into a network and encrypts information. Institutions also may lack offline backup drives and servers, he said. Source: Bank Info Security

Cover me, digitally: Congress appears ready to encourage the insurance industry to help bolster cyber security, as the Senate Commerce Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held a hearing on cyber insurance. The coverage “may be a market-led approach to help businesses improve their cyber security posture by tying policy eligibility or lower premiums to better cyber security practices,” said Sen. Jerry Moran, R-Kan., chairman of the committee. Source: Business Insurance

Paying a ransom … again: An organization that’s been hit by ransomware is more likely to pay up again, says a study by ThreatTrack. About 30 percent of organizations surveyed said they would negotiate with cyber criminals for the safe recovery of stolen or encrypted data; that number hit 55 percent when asked of organizations that had been previous victims of cyber extortionists. Source: Dark Reading

Crafting a skeleton key: A few hundred dollars in equipment can bypass an iPhone’s lock-screen, researchers at security firm MDSec found. The lock-screen is designed to block a phone after 10 bad password guesses, but MDSec has found a way to power off the phone before it registers an incorrect guess, allowing attackers to cycle through 10,000 possible passcodes. It appears that any iPhones running 8.1 or earlier could be at risk. Source: The Verge

Able to be sentenced: A disability scam that lasted more than seven years and cost federal agencies hundreds of thousands of dollars has resulted in an 18-month sentence for former Postal Service employee Colette Lee of Baltimore. She also has been ordered to pay back about $245,000. Lee pleaded guilty to making false statements about injuries that allowed her to collect federal-employee disability benefits. Source: The Washington Post

Hey, not our fault: Although several dark Web forums were selling working logins for Uber for as little as $1, the car service insisted that it had not been hacked. “We investigated and found no evidence of a breach,” the company said in a statement. An Uber login can be used to record fraudulent trips and expose home addresses. Uber said the logins might have been taken by breaking passwords. Source: The Hill

Bad for what ails you: About 2,000 victims lost nearly $2 million in a telemarketing scam involving a medical-alert pendant called the Instant Response System, according to Postal Service inspectors, who said the elderly victims were often bullied into giving their bank information over the phone. “They would tell them, ‘We have recordings of you agreeing to go into this contract, and you now owe us $300 … $500,’ depending on the contract,” U.S. Postal Inspector Michelle Purnavel said. The Federal Trade Commission shut the company down, saying its practices violated the Telemarketing and Consumer Fraud and Abuse Act. Source: WITI Fox 6, Milwaukee

Not much of a blow: An analysis of the financial performance results of companies hit by major data breaches shows they don’t seem to cost the businesses much. Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, found that the actual expenses reported by such companies as Sony, Home Depot and Target amounted to less than 1 percent of each company’s annual revenues. “After reimbursement from insurance and minus tax deductions, the losses are even less,” Dean said. Source: Fortune

That’s a lot of rubles: The U.S. is offering multimillion-dollar rewards for information leading to the arrest or conviction of two alleged Russian hackers, Roman Olegovich Zolotarev and Konstantin Lopatin. Both were indicted in U.S. courts, accused of involvement in the website “,” which was said to be used for identity theft, trafficking in stolen credit card accounts, and manufacturing counterfeit debit and credit cards. The case is estimated to have cost at least $50 million, according to the State Department. Source: PCWorld

No black gold here: Authorities reported that a multimillion-dollar, years-long scheme involved mixing used motor oil, which has little value, with pure heating oil and selling the tainted blend to, among others, the New York Police and Fire departments. Officials raided five of New York’s largest fuel oil companies, seizing about 50 delivery trucks and other evidence. Hospitals, apartment buildings and small businesses also were victims of the scam, authorities said. Source: The New York Post

Running a case: A Boston woman pleaded not guilty to fraudulently getting thousands of dollars by claiming she was hurt in the Boston Marathon bombing. Joanna Leigh was arraigned on charges of larceny and making a false claim to a government agency. Authorities say she was at the April 2013 marathon, but wasn’t hurt. Source: The Associated Press via WSBK Boston

Blocking the eye in the sky? A Supreme Court summary opinion says that satellite-based monitoring is a Fourth Amendment search. Whether GPS-based tracking constitutes an unreasonable search, and therefore a Fourth Amendment violation, has yet to be decided. The opinion sends the case back to North Carolina state courts, which will now have to consider the Fourth Amendment implications and determine whether such a search is unreasonable. Source: ThreatPost

We’re watching you: Facebook tracks the Web-browsing activities of all visitors, even if they aren’t Facebook users, according to research commissioned by the Belgian data-protection agency. The tracking, used to provide targeted advertising, is carried out through the Like Button. A cookie is placed in the browser when someone visits any page in the domain, including sections that do not require an account. Source: ArsTechnica

A doofus move down under: The White House is looking into a November leak of President Obama’s passport data. The Australian Department of Immigration and Border Protection accidentally sent passport numbers and visa details about the president and 30 other world leaders at the 2014 G20 summit in Australia to organizers of the Asian Cup, a soccer tournament. Others whose information was shared were Britain’s David Cameron, Russia’s Vladimir Putin and Germany’s Angela Merkel. Source: The Guardian

No-fly zone: British Airways has locked down many frequent-flier accounts after unauthorized users apparently tried to access some Executive Club and Registered Customer accounts. The airline said attackers seemed to use login information “relating to a different online service that customers may have also used to access their Executive Club accounts.” The company told customers to reset their passwords. Source: SC Magazine

A broad appraisal: The Federal Communications Commission could create new rules that limit broadband providers’ ability to share data on users’ Web activity with advertisers. The FCC’s Wireline Competition and Consumer & Governmental Affairs Bureau plans a workshop on the privacy rights of broadband users on April 28 in Washington, D.C. Source: IAP
