Archive for December, 2015

Hyatt Hotels suffers data breach

December 24th, 2015

Hyatt Hotels detected malware on the computer system used to process payments for its hotels, according to reports. The report didn’t mention the extent of the damage done by the breach.

The amount of customer data actually stolen, how long the malware was present on the system and the number of affected properties are not known. The company operates 627 facilities in 52 countries.

Brands operated by the Hyatt Hotels Corporation include Hyatt, Park Hyatt, Andaz, Grand Hyatt, Hyatt Centric, Hyatt Regency, Hyatt Place, Hyatt House, Hyatt Zilara, Hyatt Ziva, Hyatt Residences and Hyatt Residence Club.

“As soon as we discovered the activity, we launched an investigation and engaged leading third-party cyber security experts,” Hyatt global president of operations Chuck Floyd said in a statement.

“We have taken steps to strengthen the security of our systems, and customers can feel confident using payment cards at Hyatt hotels worldwide,” Floyd added.

All Hyatt customers are being encouraged to review their payment card accounts.

“Hotel chains are prime targets for hackers since they store and process a treasure trove of sensitive customer data,” IDT911 chairman and founder Adam Levin told eSecurity Planet by email. “Consumers should immediately check their accounts for any suspicious activity and sign up with their bank, credit union, or credit card company for transactional monitoring so that they are notified any time there is activity in their credit or bank accounts.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Hello Kitty Data Breach

December 22nd, 2015

A database from SanrioTown, the online community for Hello Kitty, Badtz-Maru, My Melody and other Sanrio characters, was recently exposed online. According to reports, the database, which was discovered by researcher Chris Vickery, held 3.3 million accounts and included full names, birth dates, genders, countries of origin, email addresses, unsalted SHA-1 password hashes, and password hint questions and answers. The database included information on 186,261 people under the age of 18.

Users of hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th and mymelody.com are also affected. Vickery said the data wasn’t exposed by hackers, but via a misconfigured MongoDB installation.

“We are conducting an internal investigation and security review into this incident; at this time we have no indication that users’ personal information was stolen by malicious parties,” Sanrio said in a statement published on December 22, 2015.

All users are being requested to change their passwords.

“Given that many organizations have not adjusted their cyber security stance to take into account today’s multi-level attacks, the Hello Kitty breach highlights yet again that organizations should be focusing on making sure sensitive data remains protected – and leveraging strong encryption with access control is critical to achieving this,” Vormetric CSO Sol Cates told eSecurity Planet by email.

“This is yet another case of an organization that has failed to put in place these security controls,” Cates added. “Protecting data and passwords using ‘hashing’ techniques is simply not enough.”
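Why the unsalted SHA-1 password hashes reported above matter, as an added example that is not part of the original article or any Sanrio code: without a salt, every account with the same password stores the same digest, whereas a salted, memory-hard hash does not. The account rows, the scrypt cost parameters and the stored-hash string format are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not taken from the exposed database).
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "kitty123"),
    ("bob@example.com", "kitty123"),      # same password as alice
    ("carol@example.com", "melody!2015"),
]

# scrypt cost parameters: assumptions for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024


def unsalted_sha1(password):
    """The weak scheme named in the report: bare SHA-1, no salt, one fast round."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, memory-hard hash; the salt and cost are stored with the digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=DKLEN)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), n=int(n), r=int(r),
                            p=int(p), maxmem=MAXMEM, dklen=len(expected))
    except ValueError:
        # Malformed record or invalid parameters: treat as a failed login.
        return False
    return hmac.compare_digest(dk, expected)


def accounts_sharing_a_digest(rows):
    """Count accounts whose stored digest also appears on another account."""
    counts = Counter(digest for _, digest in rows)
    return sum(n for n in counts.values() if n > 1)


def compare_schemes(accounts=SAMPLE_ACCOUNTS):
    """Hash the same accounts both ways and report digest reuse for each."""
    weak = [(user, unsalted_sha1(pw)) for user, pw in accounts]
    strong = [(user, hash_password(pw)) for user, pw in accounts]
    return accounts_sharing_a_digest(weak), accounts_sharing_a_digest(strong)


if __name__ == "__main__":
    weak_dupes, strong_dupes = compare_schemes()
    print("unsalted SHA-1: accounts sharing a digest =", weak_dupes)
    print("salted scrypt:  accounts sharing a digest =", strong_dupes)
```
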

Wis. Clinic suffers data breach

December 20th, 2015

A Wisconsin counseling center sent data breach notifications to affected individuals. The data breach incident may have exposed mental health records for approximately 500 individuals.

According to reports, the incident was the result of a stolen laptop: Fox River Counseling Center had an “unsecured laptop” stolen. Outpatient mental health records of clients were reportedly on the computer. Wisconsin Disability Determination Bureau psychological evaluations were also included on the device.

Clinic psychologist Dr. Scott Trippe mentioned that client names, addresses, dates of birth, Social Security numbers, medical histories, mental status interviews, results of psychological testing, diagnoses and statements of work capacity were all included on the laptop.

The Wisconsin center did not specify how the computer was unsecured. It mentioned that the laptop was an older model and has not yet been recovered. Since the incident, the center reported that it “upgraded security, including encryption software.”

Fox River Counseling Center reported the burglary to the Oshkosh Police Department. The laptop is still missing. A police spokesman did not immediately respond to a request for information about the status of the investigation.

According to the statement:

For more information about identity theft, visit the website for Wisconsin’s Office of Privacy Protection at privacy.wi.gov.

Anyone who thinks their information might have been compromised may call one of the three major credit bureaus to put a fraud alert on their credit report. 

Medical records found on the Street

December 18th, 2015

Florida-based Radiology Regional Center suffered a data breach when its medical records were found scattered on the street.

Chief Operating Officer Brad Reid explained that the records were at least 10 years old. Affected information present on the documents reportedly included financial accounting statements, old phone bills, invoices and front desk registration information.

“Even if it’s just your name, people can get a lot of info about you, because of the way the computer age is nowadays,” he said.

Reid added that the documents were supposed to be transported to the city incinerator. It was likely they fell from the back of the truck.

“Apparently they picked up that shipment container, I’m assuming sometime early this morning, and along the way they didn’t check the back doors on it,” Reid said.

The container used to transport documents for disposal is supposed to be double-locked, he explained, adding that Radiology Regional has a contract with the city to handle such disposals.

Radiology Regional is reaching out to potentially affected individuals, but it failed to mention the number of affected individuals.

A county spokeswoman says they are aware of the situation, and in a statement said, “Standard operating procedures were followed. In light of this incident, solid waste staff will be reviewing its operating procedures.”

Employee Theft and Data Breach

December 16th, 2015

Oregon-based Northwest Primary Care (NWPC) sent data breach notifications to approximately 5,300 patients. As per the report, personal information was inappropriately accessed by a former employee. The former NWPC employee stole patient names, dates of birth, Social Security numbers, and credit card numbers.

“Northwest Primary Care will not tolerate any violation of our patients’ privacy,” NWPC Administrator Michael Whitbeck said in the press release. “The former employee in connection to this violation deliberately and criminally chose to violate established clinic policies, the trust of our patients and the law. We deeply regret that this crime has occurred and for any burden that this incident may cause.”

Whitbeck added that this type of data security breach “is unacceptable,” and that NWPC will support the law enforcement investigation into the incident.

The organization mentioned that additional changes will be made to NWPC’s approach to security. It will expand its technology monitoring capabilities and employee training. Specifically, employees will be trained “on safeguarding and accessing patient records to further bolster privacy safeguards.” Technical precautions will also be added in an effort to better ensure patient privacy.

As per the statement:

NWPC is an Oregon Family Practice medical clinic that serves the Milwaukie, Clackamas, Sellwood, and Oregon City area. The practice performs reference checks on all employees. Additional background checks are performed for highly sensitive positions, including positions with access to financial data. NWPC has comprehensive policies and procedures, as well as a Code of Conduct, which prohibit employees from accessing patient records when there is not a work-related reason to do so.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Centegra Health System Data Breach

December 14th, 2015

Centegra Health System sent data breach notifications to 2,929 patients. According to reports, a mailing error may have exposed some of their personal information.

Medical bills detailing “limited” personal information of 3,000 Centegra Health System patients recently were sent to the wrong addresses because of a mail room error at a third-party contractor, a Centegra spokeswoman said.

At the vendor MedAssets, automatic mail filing equipment was accidentally changed. This led to two Centegra billing statements being put in one envelope.

“Centegra Health System and MedAssets apologize for this error and are committed to fully protecting patient privacy,” Green said. “Centegra is working closely with MedAssets to ensure it has taken every step necessary to address the incident.”

Affected information included patient names, addresses, account numbers, original account balance, third-party payment, billing discounts and adjustments, and the amount owed. Hospital service dates, a summary of services provided and related charges were also included.

Green mentioned that even though 6,000 Centegra patients were affected by the error, half received two billing statements: one for their own hospital service and a second detailing another patient’s service.

There is no reason to believe that the exposed information was inappropriately used, she said.

Security Tech Procurement Tips

December 12th, 2015

Ricardo Lafosse, CISO for Cook County, Ill., said that procuring enterprise security technology is an involved process that requires numerous steps to ensure it goes smoothly. He also offered the tips below for CISOs.

Ask Yourself Why

Lafosse mentioned that before a purchase, you should identify why you need the technology and how you came to that conclusion.

“You always want to buy the shiny new toy,” he said. “They look cool, but you don’t just go out and buy it.”

Ask Peers

“What’s really key are your peers,” he said. “I cannot stress this enough. Everyone deals with these [security] issues. In the Chicago area, we have a lot of great resources. We have our CISO group and a multi-state group. It is key to be a part of it because you can bounce ideas off everyone in an informal process. You get that actual first-hand experience from your peers.”

Analysis

Start with a needs analysis before going out to the market, Lafosse said.

Consider Staff, Integration Requirements

Ensure that the new technology provides a good operational fit, he said.

Budget

“Unfortunately, we have a lot of examples,” he said. “Use those to your benefit as much as you can from a budgetary perspective. Demonstrate operational efficiency when looking for a new product. For example, if you are going to implement product X, you will reduce the help desk time to remediate by 20 percent. Having those rough numbers goes a long way.”

Business Case

“Re-emphasize why you are making this purchase,” he added. “For us, we used the figure from Ponemon of $154 per breach. The network access control was also going to allow people to self-service.”

The self-service capability was critical because Lafosse has only three people in his department.

“One of the key attributes for any new procurement is automation,” he said. “The security controls need to share information with each other. The more automation, the easier it is for us to protect our network.”

Guidelines

“Be candid with vendors. If you don’t like the solution, tell them,” Lafosse said. “Don’t waste your time, don’t waste their time. Offer clear-cut guidelines. It’s not fair if you don’t set rules of engagement upfront. If you are seeing everything move south, let the vendor know right away.”

Five Tips for Stronger Encryption

December 10th, 2015

NSA whistle-blower Edward Snowden’s recent revelations have put the security of many encryption products into doubt.

The methods below can help safeguard your data.

Encryption Ciphers

Robert Former, senior security consultant for Neohapsis, an Illinois-based security services company, says that organizations should stop using older encryption algorithms like the deprecated DES (Data Encryption Standard), and even its relative Triple DES, which is simply DES applied three times to each data block.

“In the last 30 years, no one can prove that the NSA did more than influence minor changes in their development. The bottom line is that in most cases the NSA appears to have actually improved the math.”

Longest Encryption Keys

Use the maximum key lengths possible to make it difficult for those who don’t have access to a back door to crack your encryption. “Today AES 128 is strong, but I say go to 512 or the highest key strength you can implement using what you have today,” Former says.

External Factors

External factors over which companies have very little control can compromise the security of encryption systems.

Encrypt in Layers

“I say if there is a way to encrypt, then encrypt. That means in your database encrypt each field, each table, then the whole database. You have to make it so hard for an attacker that it is not worth the effort,” he advises.

Encryption Keys

“If you can implement an encryption system where you control the keys to the data stored in the cloud, then that is going to be much more secure,” says Dave Frymier, chief security officer at IT services company Unisys. Devices such as cloud encryption gateways that handle the encryption to and from the cloud automatically can help companies achieve this sort of security.

PHI Sharing and Cloud Security

December 8th, 2015

CloudLock investigated a total of eight IT security industries and numerous case studies. It found that personally identifiable information (PII) and a surplus of data sharing are vital concerns to the industry.

  • Around 72 percent of practices concentrate most heavily on preventing excessive sharing in the cloud
  • Around 38 percent of organizations concentrate on protecting PII
  • Other concerns for organizations include diagnosis, financial information, medical condition and Social Security number.

CloudLock suggested the steps below to further secure the information.

  1. Organizations should monitor and identify cybersecurity issues, taking care in selecting who is in charge of these tasks.
  2. Organizations should intervene on potential hacks immediately. Following remediation efforts, healthcare organizations should reeducate their users. According to CloudLock, reeducation is key in ensuring adverse cyber security events do not occur in the future.
  3. Organizations should schedule routine checkups to ensure security efforts are continuing smoothly. During these checkups, IT workers should readjust certain strategies and fine tune cyber security efforts.

“Healthcare organizations take special care in assessing the compliance controls of cloud services, but employees can also introduce cloud services into the workplace, creating ‘shadow IT,’ which are services not known by the IT department,” the report’s authors explained.

According to another study conducted by Netskope, the healthcare industry has the highest rate of cloud data loss prevention violations of any tested industry.

“By better understanding where and how policy violations commonly occur, enterprises have a detailed picture of cloud app ecosystems and their respective industries to better mitigate risk,” said Netskope CEO and co-founder Sanjay Beri.

MaineGeneral Health suffers data breach

December 6th, 2015

MaineGeneral Health recently suffered a healthcare data breach. It is now sending notification letters to individuals who fell victim to the cyberattack. The FBI notified that much of MaineGeneral Health data was on a website not affiliated with the system.

MaineGeneral and a third-party forensics team found that personal information had been breached for patients who were referred by a treating physician to radiology. Some MaineGeneral employee information was also breached along with personal information for potential donors.

Affected information includes names, addresses, and telephone numbers. MaineGeneral confirmed that no Social Security numbers, patient medical or health information, health records, driver’s license numbers, or financial information had been disclosed.

The data breach could include patients at all of MaineGeneral’s subsidiary clinics, including MaineGeneral Medical Center, MaineGeneral Rehabilitation and Long Term Care, MaineGeneral Retirement Community, and MaineGeneral Community Care.

Fraud Prevention Tips

MaineGeneral encourages everyone to remain vigilant against incidents of identity theft, especially this time of year. 

  • Reviewing account statements, medical bills, and health insurance statements regularly for suspicious activity, to ensure that no one has submitted fraudulent medical claims using your name and address. Report all suspicious or fraudulent charges to your account and insurance providers. If you do not receive regular Explanation of Benefits statements, you can contact your health plan and request them to send such statements following the provision of services.
  • Contacting the IRS at www.irs.gov to request a PIN to file your taxes, so that no one can use your information to submit a fraudulent tax return. The IRS will begin offering PINs in mid-January 2016.
  • Ordering and monitoring your credit reports for suspicious activity. Under U.S. law, everyone is entitled to one free credit report annually from each of the three major credit bureaus.
