Capital One Financial Corp. announced late Monday that more than 100 million people had their personal information hacked.
The hacker got information including credit scores and balances, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers, the bank said. It will offer free credit-monitoring services to those affected. The hack affected about 100 million people in the U.S. and 6 million in Canada.
The hacker also stole names, addresses, phone numbers, dates of birth, credit scores and other financial data, Capital One said. The company couldn’t say for sure whether the leaked data had been used for fraud. It first learned of the hack on July 19 but waited until July 29 to inform customers; over that time it worked with law enforcement to catch the alleged perpetrator.
Two years after Equifax revealed that hackers accessed the personal information of up to 147 million people, the credit bureau recently announced a settlement of up to $700 million, including $425 million in relief for those affected, although there are some key requirements people should be aware of before they file a claim.
Last year, Facebook announced that U.K.-based Cambridge Analytica improperly accessed 87 million Facebook users’ data. Facebook Chief Executive Mark Zuckerberg testified before Congress and vowed to do more to fix the problem, and help make sure that nothing like that happens again. Cambridge Analytica closed down in the wake of the scandal. Earlier this month, the Federal Trade Commission fined Facebook $5 billion.
WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and Apple iPhones. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” it said at the time.
More than 57 million customers of Uber had their data exposed by a massive hack in October 2016, which included the email addresses of 50 million Uber riders around the world and also affected 7 million drivers. Uber fired its chief security officer, Joe Sullivan, and one of his deputies for concealing the hack. The revelation was made a year after the attack.
Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address. Consumers need to be careful whenever they are contacted by an unsolicited caller. Hang up and call the number on your card. “Phishing” scams — calls, emails or text messages that appear to offer protection — are actually trying to get more data from customers.
Security experts generally recommend never re-using passwords and say people should turn on two-factor authentication, which requires a user to enter a code sent to a phone or email into an app or website in order to log in from a new device or to change a password. They also say those affected by such hacks should freeze their credit reports.
Don’t be fobbed off by an offer of credit monitoring. Credit monitoring only looks for changes on a credit report, indicating that someone is using your personal information to open new accounts in your name. Here’s the bad news: such a precaution could not have prevented a breach like the one Capital One announced Monday evening, and it only flags misuse after the fact. Exposure of data that can’t be changed, such as Social Security numbers, is the hallmark of a particularly severe data breach.
Here’s what else you should do now:
1. Check if your accounts have been affected
There still aren’t many formal ways to check whether your data has been compromised in a breach. Often the company will alert affected customers, but there is no single federal rule requiring it. Some states, like California, have laws requiring companies to disclose data breaches that affect a certain number of customers, and the Federal Trade Commission has discussed proposing similar regulations. Consumers can also monitor their credit report to shut down fraudulent activity as quickly as possible.
2. Know the difference between a credit freeze and a lock
A freeze means that no one, including you, can open a new loan or credit card against your report until you “unfreeze” it, which is exactly what stops a hacker from taking out credit in your name. Credit agencies also offer a service called credit “locking,” which offers much the same protection as a freeze but typically costs a monthly fee. Contact Equifax, Experian and TransUnion to request a freeze; each bureau has to be frozen separately.
3. Sign up for additional fraud protection
Those affected should sign up for services that go beyond typical credit freezing and alert services, such as Lifelock, EZ Shield and Identity Guard. The most basic version of Lifelock costs $9.99 per month and provides benefits including address change verification, help canceling or replacing lost credit cards, driver’s licenses, Social Security cards and insurance cards, plus a “restoration team” that helps correct any identity-theft issues and black-market website surveillance.
4. Know the difference between a hack and a breach
A breach is any incident in which data ends up exposed, whether it was taken through malicious activity or simply left unsecured through negligence. A hack specifically refers to the activities of attackers who purposely compromise IT infrastructure to steal information or to hold systems to ransom; that’s what happened with Capital One. If your data was part of a breach, it’s possible it was merely left exposed online and was never actually taken.
Source: Market Watch
Facebook makes a U-turn on blockchain and cryptocurrency ads, CNBC reports. As a result, more crypto-oriented companies will be able to promote their products on the biggest social media network.
No need for pre-approval
As reported by U.Today, Facebook relaxed its crypto ad ban back in June, but ICOs were still barred from the website. Despite that announcement, the social media giant continued to blackball the majority of crypto-related ads: Facebook only readmitted the companies that had already got the green light before the ban, while the majority of new submissions were rejected, mostly for obscure reasons.
Now, a wide range of crypto-related ads does not need to be pre-approved at all. It appears that only those ads that are promoting ICOs and other crypto projects will be vetted as usual by Facebook.
“While we will still require people to apply to run ads promoting cryptocurrency, starting today, we will narrow this policy to no longer require pre-approval for ads related to blockchain technology, industry news, education or events related to cryptocurrency,” the blog post read.
Back in October, Google also reversed its crypto ban for regulatory compliant exchanges after banning crypto ads along with a slew of other tech companies, such as LinkedIn and Snapchat.
Facebook’s crypto bet
Facebook had no choice but to loosen its grip on crypto, since it is prepping to issue its own cryptocurrency that is supposed to become a major disruptor in the industry. Facebook’s foray into crypto is allegedly the reason why major institutions are becoming enthusiastic about digital assets.
Source: U.Today
We would’ve been talking about an extraordinarily low number of breached records this month if it hadn’t been for a string of incidents in India, another Facebook gaffe and a massive blunder in China, in which a series of companies exposed almost 600 million citizens’ CVs.
Still, April 2019 saw a not completely disastrous 1,334,488,724 breached records. That’s better than last month, bringing the annual total to 5.64 billion and reducing the monthly average to 1.46 billion.
Here’s the list in full:
- Criminal accesses personal data of faculty staff and students at Georgia Tech (1.3 million)
- Bangladesh Oil, Gas and Mineral Corporation’s website hacked hours after recovering from previous attack (unknown)
- Australian Signals Directorate confirms data was stolen in parliament IT breach (unknown)
- Massachusetts hospital caught in phishing scam (12,000)
- Hacker breached Minnesota state agency email (11,000)
- South Carolina’s Palmetto Health discloses phishing attack dating back to 2018 (23,811)
- Phishing scam exposes personal data at Florida’s Clearway Pain Solutions Institute (35,000)
- Customer data stolen as website of Japanese luxury railway hit by cyber attack (8,000)
- Dakota County, MN, discloses breach after an employee’s email is hacked (1,000)
- Blue Cross of Idaho notifies members of privacy breach after thwarting financial fraud (5,600)
- Texas’s Questcare Medical Services investigating business email compromise attack (unknown)
- Ontario’s Stratford City Hall recovers from cyber attack (unknown)
- IT outsourcing and consulting giant Wipro hacked (unknown)
- Texas-based Metrocare Services discloses second breach in five months (5,290)
- California-based Centrelake Medical Group notifies patients of security incident (unknown)
- North Carolina’s Klaussner Furniture Industries notifies employees of security incident (9,352)
- Customers at US fast food retailer Chipotle say their accounts have been hacked (unknown)
- Minnesota’s Riverplace Counseling Center notifies patients after malware infection (11,639)
- Hacktivists attack UK police sites to protest arrest of Julian Assange (unknown)
- Texas-based EmCare says patient and employee data has been hacked (60,000)
- Idaho-based bodybuilding.com discloses employee-related data breach (unknown)
- Illinois dental insurer notifies members after phishing attack (unknown)
- Attackers breached Docker Hub, grabbed keys and tokens (190,000)
- Atlanta’s Woodruff Arts Center shuts down network amid security breach (unknown)
- University of Alaska discloses data breach that occurred more than a year ago (unknown)
- Magecart hackers steal data from Atlanta Hawks’ online shop (unknown)
- Genesee County, MI, government suffers ‘aggressive’ ransomware attack (unknown)
- Ransomware attack affects Women’s Health Care Group of PA (300,000)
- Greenville, NC, government’s systems knocked out by ransomware (unknown)
- Ransomware attack hits Garfield County, UT (unknown)
- Augusta, ME, hit by ransomware, forcing City Center to close (unknown)
- New Jersey-based paediatric orthopaedic surgeon hit by ransomware (unknown)
- Ransomware at Florida’s Stuart City Hall “more than likely” caused by phishing (unknown)
- Massachusetts-based medical billing services notifies patients of ransomware attack (unknown)
- Idaho’s Sugar-Salem School District 322 hit by ransomware during ISAT testing (unknown)
- Ransomware disables Cleveland airport’s email systems, information screens (unknown)
- Indian government leaves healthcare database exposed on web (12.5 million)
- West Yorkshire council data leak leaves couple who adopted abused children living in fear (2)
- History repeats itself as Facebook third-party apps expose users’ personal data (540 million)
- Canadian pension firm loses microfiche containing personal data (unknown)
- Crook swipes Winnipeg Regional Health Authority employee’s bag; patients’ records taken (75)
- VoterVoice exposes database containing ‘treasure trove’ of personal data (300,000)
- Ohio government accidentally leaks information of those seeking job, family services and health aid (993)
- Chinese companies responsible for massive data breach of CVs (590 million)
- Texas’s Weslaco Regional Rehabilitation Hospital discloses data breach (unknown)
- Russian hospital dumps medical waste, sensitive data in landfill site (unknown)
- UK’s Home Office sorry for EU citizen data breach (240)
- Pennsylvania’s Community College of Allegheny County discloses data breach (unknown)
- Patients at Toledo, OH, rehab hospital subject to data breach (unknown)
- Washington state-based RS Medical discloses incident that may have compromised patient information (unknown)
- Athens, OH, rehabilitation centre notifies patients after unauthorised access to network (20,485)
- Sensitive data found on hard disks may be India’s largest ever data breach (78 million)
- California-based LD Evans says it has only just learned about 2018’s Citrix vulnerability (631)
- India’s JustDial service is breaching users’ personal data in real time (100 million)
- Drug addicts’ personal data found in rehab centres’ unsecured databases (4.91 million)
- Researcher uncovers exposed personal data from Iranian ride-hailing app (6,772,269)
- Pennsylvania-based Partners for Quality discloses data breach (3,673)
- US health provider Inmediata discovers patients’ information was exposed on the web (unknown)
- ‘Horrendous’ privacy breach at Australia’s Centrelink sees clients’ names published on Facebook (unknown)
- Personal data of employees at Lauderdale County, MS, emailed to colleagues (100)
- US consumer commission warns of data breach affecting safety information (unknown)
- Almost $500,000 swiped in Tallahassee, FL, payroll hack (unknown)
- AeroGrow says hackers stole months of credit card data (unknown)
- Florida-based United Way of the Big Bend says tax payers’ info was stolen (64)
- KPMG faces fine of up to $1.6 million after leaking payroll data (41)
Malicious insiders and miscellaneous incidents
- Former IT aide to New Hampshire senator caught keylogging (unknown)
- Employee at Cleveland’s University Hospital accidentally shared patients’ health info (840)
- University of Toledo counsellor fired after allegedly disclosing a student’s PTSD (1)
- Maine’s Acadia Hospital mistakenly release confidential information of Suboxone patients (300)
- Employee at California’s St. Boniface Hospital “inappropriately” viewed patient records (38)
In other news…
- USB stick containing sensitive data (and the movie Gone Girl) discovered during manslaughter trial (6,385)
- Barking resident jailed for blackmailing porn watchers (unknown)
- Source code of Iranian cyber-espionage tools leaked on Telegram (unknown)
- Supply chain hackers snuck malware into video games (unknown)
Source: IT Governance
Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations had been stolen from its Starwood database.
One problem: the email sender’s domain didn’t look like it came from Marriott at all.
Marriott sent its notification email from “email-marriott.com,” which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate: the domain doesn’t load in a browser and has no identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.
But what makes matters worse is that the email is easily spoofable.
What often happens after a data breach is that scammers capitalize on the news cycle, tricking users into handing over their private information with their own stream of fake messages and websites. It’s more common than you think, and people who believe they’re at risk after a breach are more susceptible to being duped.
Companies should host any breach information on their own websites and verified social media pages to stop bad actors from hijacking victims for their own gain. But once you set up a dedicated, off-site page with its own domain, you have to consider the cybersquatters, who register domains that look almost the same as the real one.
Take “email-marriot.com.” To the untrained eye it looks like the legitimate domain, and many wouldn’t notice the missing letter. In fact, it belongs to Jake Williams, founder of Rendition Infosec, who registered it to warn users not to trust look-alike domains.
“I registered the domains to make sure that scammers didn’t register the domains themselves,” Williams told TechCrunch. “After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals.”
Equifax, the biggest breach of last year, made headlines not only for its eye-watering hack, but its shockingly bad response. It, too, set up a dedicated site for victims — “equifaxsecurity2017.com” — but even the company’s own Twitter staff were confused, and inadvertently sent concerned victims to “securityequifax2017.com” — a fake site set up by developer Nick Sweeting to expose the company’s vulnerable incident response.
With the Equifax breach not even a distant memory, Marriott has clearly learned nothing from the response.
Many others have sounded the alarm on Marriott’s lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant’s use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords.
Williams isn’t the only one who’s resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named “email-mariott.com” on the day of the Marriott breach.
“Please watch where you click,” he wrote on the site. “Hopefully this is one less site used to confuse victims.” Had Marriott just sent the email from its own domain, it wouldn’t be an issue.
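As an added example (this is not code from the article, from Marriott, or from the researchers it quotes), the script below generates the single-edit look-alikes of a notification sender domain, the class that both “email-marriot.com” and “email-mariott.com” fall into, and classifies a candidate by checking an exact allowlist first. The allowlist holding only email-marriott.com, the partial keyboard-neighbour map, and the candidate names are assumptions made for illustration.

```python
"""Look-alike screening for a breach-notification sender domain.

Added example; not code from the article, Marriott, or the researchers quoted.
The allowlist is the one domain the article says Marriott's notification site
confirms; the candidate names at the bottom are constructed for illustration."""

# Assumption: the only sanctioned sender domain.
SANCTIONED = {"email-marriott.com"}

# Partial QWERTY neighbour map; enough to show the adjacent-key class.
ADJACENT = {
    "a": "qwsz", "e": "wrsd", "i": "uojk", "l": "kop", "m": "njk",
    "o": "ipkl", "r": "edft", "t": "rfgy",
}
ALT_TLDS = ("co", "net", "org")


def split_domain(domain: str):
    """Return (label, tld) for a registrable name such as 'email-marriott.com'."""
    label, _, tld = domain.lower().strip().rpartition(".")
    return label, tld


def typosquat_variants(domain: str) -> set:
    """Return the single-edit look-alikes of *domain*: one character omitted,
    doubled, swapped with its neighbour or replaced by an adjacent key, the
    hyphen dropped, and the TLD swapped.  'email-marriot.com' (missing t) and
    'email-mariott.com' (missing r) are both omission variants."""
    label, tld = split_domain(domain)
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                # omission
        labels.add(label[:i] + ch + label[i:])               # repetition
        for key in ADJACENT.get(ch, ""):
            labels.add(label[:i] + key + label[i + 1:])      # adjacent key
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    if "-" in label:
        labels.add(label.replace("-", ""))                   # hyphen dropped
    labels.discard(label)
    variants = {f"{v}.{tld}" for v in labels}
    variants.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap
    return variants


def classify(candidate: str, sanctioned=SANCTIONED) -> str:
    """'legitimate' only on an exact allowlist match, 'lookalike' if the name is
    one edit away from an allowlisted domain, otherwise 'unlisted'.  This is a
    screen, not proof: the sender domain still has to be confirmed out of band
    on the company's own site."""
    name = candidate.lower().strip().rstrip(".")
    if name in sanctioned:
        return "legitimate"
    if any(name in typosquat_variants(good) for good in sanctioned):
        return "lookalike"
    return "unlisted"


if __name__ == "__main__":
    # Constructed candidates: the real sender, the two researcher-registered
    # names from the article, a hyphen-dropped name, a TLD swap, and the brand.
    for cand in ("email-marriott.com", "email-marriot.com", "email-mariott.com",
                 "emailmarriott.com", "email-marriott.co", "marriott.com"):
        print(f"{cand:22s} -> {classify(cand)}")
```

A company preparing a notification can run the same generator over its chosen sender domain before the emails go out, and either register the variants itself (as Williams and Carr did after the fact) or watch for them being registered. Note that the brand’s own domain lands in “unlisted” here precisely because the allowlist is exact; that is the behaviour you want, since a notification site listing one sanctioned sender should be trusted only for that sender.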
A spokesperson for Marriott did not respond to a request for comment.
Source: Tech Crunch
Question-and-answer website Quora has been hacked, with the names and email addresses of 100 million users compromised. The breach also included encrypted passwords, and questions people had asked.
In a statement, Quora said the situation had been “contained”.
Last week, hotel chain Marriott admitted that personal information on up to 500 million guests had been stolen.
Quora released a security update in a question-and-answer format.
“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” it began.
“We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing. We have notified law enforcement officials.”
It said it was also in the process of notifying all affected customers and reassured them that it was “highly unlikely” that the incident would lead to identity theft “as we do not collect sensitive information like credit card or social security numbers”.
Security expert Troy Hunt was one of those affected. He tweeted: “Short of not using online services at all, there’s simply nothing you can do to ‘not’ be in a breach, there’s only things you can do to minimize the impact when it inevitably happens.”
Users were asked to reset their password and will be prompted to do so when they next try to log in. Those wishing to delete their account can do so in the settings section and the deactivation will happen immediately.
Some users commented on Twitter that they had forgotten they used the service.
One tweeted: “Nothing like a data breach to remind me that I have a Quora account.”