Security Breach Report: December 22, 2014

Sony continues to garner headlines, Staples announces a bigger breach problem than originally expected, and more news from the world of data breaches, insider security incidents, social engineering threats, and cyber espionage:

• On December 19, office-supply retailer Staples announced that nearly 1.2 million customer payment cards may have been compromised in a data breach that involved malware installed on point-of-sale systems at 115 locations in 35 states. The impact of the breach was more significant that initially anticipated when Staples revealed the breach in October.
• Mobile payment solution provider Charge Anywhere recently informed its customers of a five-year-long data breach involving malware that went undetected on the company’s systems from November 2009 to September 2014. The number of victims has not yet been disclosed, but Charge Anywhere indicated that cardholder names, account numbers, expiration dates, and verification codes are likely to have been compromised.
• The Sony Pictures story continues to be a moving target. On December 19, U.S. officials put the responsibility for the Sony Pictures attack squarely on the shoulders of North Korea, which continues to deny involvement. Technical details and specifics related to the hack that rocked the company continue to evade authorities, though some sources have traced components of the attack to Bolivia, Thailand, and Japan.
• The retail chain bebe stores, inc. announced on December 5 that it had detected an attack on its in-store payment processing systems. Cardholder data of customers who shopped in the company’s U.S., Puerto Rico, and U.S. Virgin Islands stores from November 8 through November 26, 2014, may have been compromised.
• Two separate Israeli cyber security analysts said they discovered flaws in AliExpress — an online marketplace operated by e-commerce titan Alibaba — that exposed the data of millions of users and opened merchant accounts to potential tampering. Alibaba has indicated that it has since closed the security gaps, but it’s unclear whether any hackers took advantage of the loopholes prior to their discovery.
• As many as 1,600 current and former UC Berkeley employees may have had their social security numbers and/or credit card numbers exposed following a hack of servers and databases in the campus’s Real Estate Division. This isn’t the school’s first experience with a data breach; a larger-scale event in 2008 compromised personal and health information of 160,000 students and alumni. Regardless of size, both incidents help to reinforce Syscloud’s recent assessment that 35% of all security breaches take place in higher education.
• A U.S. Postal Service (USPS) data breach originally disclosed in November 2014 may go deeper than originally thought. Some employees are now receiving letters alerting them that their medical records, social security numbers, and bank routing information have been compromised.
• Online reports claim that e-cigarettes manufactured in China have malware built into their chargers. In a related story, Palo Alto Networks, a security research company, recently discovered that Chinese OEM Coolpad — one of the world’s largest manufacturers of smartphones — has incorporated a backdoor on millions of Android devices. Known as “CoolReaper,” the backdoor could expose more than 10 million users to potential malicious activity.
• TD Bank NA will pay Massachusetts $625,000 related to a 2012 breach that impacted more than 260,000 individuals. The breach allegedly occurred when the bank lost two unencrypted server backup tapes and failed to alert the state and affected parties in accordance with state laws.
• In HIPAA violation news, Anchorage Community Mental Health Services, Inc. (ACMHS) recently agreed to a settlement of $125,000 with the United States Department of Health and Human Services, Office for Civil Rights. Malware compromised ACMHS’s IT systems and resulted in a protected health information (PHI) breach that affected more than 2,700 individuals.
• Boston Children’s Hospital (BCH) will pay $40,000 and implement new security procedures resulting from a breach of 2,000 patients’ personal data and protected health information (PHI). More than 1,700 of the affected patients were under the age of 18. The breach happened after a BCH physician’s laptop was stolen while presenting at a 2012 conference. In the physician’s email was a message from a colleague that contained thousands of pieces of PHI, including names, dates of birth, and health diagnoses.