Google

UC San Francisco suffers data breach due to stolen laptop

July 5th, 2015

UC San Francisco is alerting the individuals about the burglary which led to potential breach. Unencrypted laptop which belonged to a faculty member in the Cardiac Electrophysiology & Arrhythmia Service was stolen. UC San Francisco mentioned that it contained some sensitive information of about 435 patients.

After the theft, UCSF promptly began an extensive technical analysis to identify what information was on the laptop. The analysis revealed that the computers contained some personal, research and health information.

The affected information includes names, dates of birth, medical record numbers, and health insurance ID numbers. However, Social Security numbers were not included. The computer was taken from the employee’s office. UCSF police and UCSF officials were immediately notified after the incident.

“UCSF deeply regrets any inconvenience this incident may cause,” UCSF said in the statement. “The university is committed to maintaining the privacy of personal, research and health information, and has taken additional steps to secure that information, including strengthening administrative, technical and physical processes for information security.”

As per the UCSF statement, there is no evidence of attempted access or misuse of the information on the laptop. Individuals who are potentially affected are being notified and the California Department of Public Health has also been alerted.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

UCSF Medical Center and Sutro Tower behind it....

UC San Francisco suffers data breach due to stolen laptop 

Flash Drive and Data Exposure

May 4th, 2015

According to the reports, a lost flash drive containing “limited patient information” rendered a hospital to send out notification letters. As per the statement, Roper St. Francis Hospital mentioned that the flash drive did not contain Social Security numbers, dates of birth or financial information. Affected information includes patients’ names, ages, diagnoses, and dates of procedures.

After conducting a thorough investigation, hospital spokesperson stated that Roper St. Francis does not believe that the information was inappropriately accessed or used in a malicious way.

The story was covered by South Carolina news station, WCSC. It did not state how the flash drive went missing, or if Roper St. Francis was making efforts to adjust its physical, technical, or administrative safeguards.

As per the mail to the security news website-

“A USB flash drive for a computer that contained some patient information was inadvertently misplaced.” The lost flash drive contained information for about 375 patients including name, age, diagnosis, date of service, length of stay, procedure, outcome and provider name, according to the spokesperson. However, it was reiterated that the flash drive did not contain Social Security numbers, financial information, dates of birth, addresses, or insurance information. 

“There is no evidence or reason to believe that the information has been improperly accessed, acquired, or misused in any way,” the spokesman wrote in the email. “We are notifying individuals affected to let them know what we are doing to protect their patient information.”

Ascension Health Facility hit by Email Phishing Scam

April 25th, 2015

Ascension Health Facility suffered consecutive data breaches due to email phishing scam. It is not confirmed whether two incident were related to each other. Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”) announced the breach on the website. According to the reports, 39,000 patients’ got affected. Username and passwords was targeted by the scammers.

“St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause and assures all of its patients that the faith-based organization is taking appropriate measures to avoid an incident of this nature happening in the future,” the facility said in a statement.

The exposed information includes patient demographic information, such as names and dates of birth, medical record numbers, insurance information, limited clinical information, and Social Security numbers in a few cases. Medical records or billing records were not included in the breach.

“Seton launched an investigation into the matter, and the investigation has required electronic and manual review of affected emails to determine the scope of the incident,” Seton said in its statement. “Seton engaged computer forensics experts to assist with the investigation.”

The facility said that patients who had their Social Security numbers potentially exposed will receive free identity monitoring and protection services. Seton said that it is working with its email service provider “to evaluate ways to enhance its already robust security program,” and will provide more employee education on email phishing scams.

“We value the privacy and security of protected information, and we are committed to protecting the confidentiality and privacy of our patients and employees,” Garza said. “It is our priority to support those who have been affected.”

Common sense can stop phishing attack

April 15th, 2015

What is phishing attack?

Phishing emails, websites and phone calls are designed to steal money. It can be also be done by installing malicious software. Cybercriminals asks you to install malware under pretext of useful software.

How to stop phishing attack?

Spelling & Grammar – Cybercriminals are not that good at spellings and grammar. Professional organizations have dedicated writers for drafting emails. So, the possibility of error in the phishing write up is more.

Fake Alerts – You may get the update from the company you know. Please check for the authenticity of the email and then take any action.

Website Links – Do not click the links from the email. They may also include direct download .exe file which installs malicious software on your computer.

Threats – One of the popular ways to steal the user is by threatening email which states that your account will get closed if you didn’t respond to the said email. Ignore such emails or mark them as spam.

Report Phishing Attack

Company Pretension – Verify the information with the official company helpdesk before taking action for the email, phone etc.

Phone Calls – Report to your local authorities if you receive any phishing phone call.

Emails – Report it to your email service provider like Google, Yahoo etc. if you receive phishing emails.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Online application glitch may lead to data breach

March 7th, 2015

A nonprofit organization, Painted Turtle based in California which runs a camp for children with life-threatening diseases and their families free of charge suffered data breach when some personal information may have been exposed because of online application glitch.

The affected information includes names, addresses, Social Security numbers, driver’s license numbers, personal medical information, and employment information.An error in the database of the painted Turtle’s online application server for campers and volunteers caused the data breach. Bank account and credit card information were not present on the server.

“We immediately brought the database offline to prevent anyone from being able to access your records,” Maher wrote. “Also, in an effort to prevent similar data breaches in the future, before bringing the system back online we updated our database’s code to prevent the issue from occurring again.”

According to the statement on the website:

Your information would not have been viewable unless a specific chain of events occurred.

Specifically: (1) you would have had to identify someone as a Reference in your application in 2013–2014, and (2) that person would have had to begin filling out an application as well, and (3) while that person’s application (and your application) was still pending, (4) they would have had to access their pending application and click “show related profiles” and your name. Again, your information would not have been accessible to anyone outside of the persons you listed as References in your application.

We became aware of this issue on January 12, 2015. As soon as this error was brought to our attention, we began taking steps to address and mitigate the risk to you. We immediately brought the database offline to prevent anyone from being able to access your records.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

File Sharing and Security

February 28th, 2015

In recent times, file sharing is done frequently on the internal servers, websites or through Instant Messaging service. Due to availability of various services on personal devices like smart phones it has become challenging for the organization to secure the sensitive information. Even unprotected Windows networking shares can be exploited by intruders in an automated way. Companies can follow below guidelines to protect themselves from data breach:

  • Protecting your computer against malicious file sharing tools and websites
  • Domain checking of the website for authenticity and then allowing permission to transfer data
  • Downloading data from trusted sites
  • Save downloads instead of running them from pop up window
  • Checking license agreement and privacy statement before installing any software
  • Avoiding illegal downloads
  • Don’t open mail from unknown sources
  • Don’t share your computer access
  • Regularly update your security software with the patches
  • Check your security on regular basis
  • Don’t open your IM on public list
  • Never send sensitive information or files like credit card numbers, SSN’s etc on IM
  • Secure your IM by contacting security admin regularly
  • Highly social nature of IM helps imposters to get information
  • Beware of sharing your personal as well as company information with strangers

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Second Data Breach in one Month

December 4th, 2014

Visionworks suffered two incident of data breach in span of two months which involved compromised protected health information (PHI). According to the reports, individuals who received services at Visionworks’ Jacksonville, Fl. are notified about the incident. During computer upgrade, a database server was lost which resulted in breach.

“The server potentially held partially unencrypted protected health information belonging to approximately 48,000 of the store’s customers,” the statement read. “All credit card information housed on the server was encrypted, and therefore should not be at risk. Customers’ exam information was not stored on the lost server.”

Visionworks also added that there is no potential reason for any misuse of the data on the server.

“Nevertheless, in an abundance of caution, Visionworks is notifying the customers potentially affected by the incident and informing them of the associated personal risks,” according to the statement. “In addition, Visionworks will provide those customers with free credit monitoring for one year.”

First data breach in Visionworks also involved a missing computer server that was lost during scheduled upgrades. As per the reports, around 75000 Visionworks customers were affected in that incident. The Visionworks stated that it was believed that the server was sent to one of the landfills along with other “miscellaneous refuse.”

According to the company’s statement:

In resolving this issue, Visionworks will comply with the state and federal notification requirements as provided by the HITECH Act of 2009.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

What is Use-After-Free Memory Risk?

July 19th, 2014

Recent updates from the Microsoft, Google or Mozilla shows use-after-free memory errors. Attackers take advantage of vulnerabilities in allocated memory and inject virus or arbitrary code to extract information.

“It does take a lot of knowledge and sophistication,” Karl Sigler, manager, SpiderLabs Threat Intelligence at Trustwave said. “But of course it only takes one researcher to make the discovery, and then everyone else can just copy the research. We’re seeing more use-after-free memory attacks than we ever have before,”

Evolution of attacker methods

It’s not that easy to hack free memory space and install arbitrary software. It requires certain level of sophistication.

“It can take some ninja-fu, it’s not brain dead easy,” Sigler said.

As said earlier, one research to exploit leads to many attacks using same techniques. Researchers make vulnerability exploitable using a technique known as return-oriented programming (ROP).

“ROP has become the method of getting executable code onto the stack,” Stigler said. “ROP chains hop through memory looking for executable pieces of code they can chain through and eventually find a method of getting to run.”

How to reduce the risk

There are ways suggested to stop the attacks as given below –

  •  A Web application firewall (WAF) can be used in some cases to provide a network-layer protection.
  • Microsoft recommends the use of its Enhanced Mitigation Experience Toolkit (EMET) as a technology.
  • Application developers should strive to build better security into their apps.

“Developers should understand what their code is actually using in memory,” Sigler said. “If the program is freeing memory and still flagging it as being able to be used, the program should be able to control what the memory is used for. That would eliminate a lot of the vulnerabilities that attackers have.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

 

UNC-Chapel Hill Data Breach affects 6000 people

December 15th, 2013

The University of North Carolina at Chapel Hill is a coeducational public research university located in Chapel Hill, North Carolina, United States. It is the second largest university in North Carolina.

According to UNC-Chapel Hill an online data breach of personal information affects more than 6,000 people, officials are investigating

As the files went online, they contained information belonging to some current and former employees, vendors, and students. Information contained names and Social Security or Employee Tax Identification numbers, and in some instances, addresses and dates of birth.

An information technology manager in the UNC Division of Finance and Administration was informed that some electronic files managed by the Division of Facilities Services became accessible on the Internet.

When university officials learned about the incident, they took steps to block access to the files and began an extensive investigation and the records are no longer accessible on the Internet.

the university began notifying affected individuals by mail.

The university also learned that as part of Google’s automated processes, these files were copied and made publicly accessible. The university asked Google to take the records down immediately, and Google complied.

UNC worked with a consultant to identify potentially affected individuals as soon as it had been confirmed that their personal information was included in the files.

in the notification letter sent to the affected people, Kevin Seitz, interim vice chancellor for finance and administration said “Other than Google’s activities described above, we have not been able to determine whether individual personal information was accessed by others or was misused as a result of this incident”.

“Please be assured that we continue to evaluate our computer and administrative systems and to implement appropriate measures to protect the sensitive information in our possession.”

According to Chris Kielt, vice chancellor for information technology, the university’s prompt, aggressive action underscores its commitment to protect sensitive data. Making sure the files were secured and notifying the affected people as quickly as possible were top priorities, he said in a statement.

To help protect personal information stored on campus servers, Information Technology Services (ITS) has a process in place for regularly scanning servers that have been identified by a unit’s system administrator as storing sensitive data.

“Furthermore, as part of a broader initiative to address the risk imposed by the exposure of sensitive data, ITS is working to formalize the process for identifying and safeguarding sensitive data university-wide,” he said.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

Cottage Health System: Data of 32,755 patients exposed on Google

December 8th, 2013

As a third-party vendor removed electronic security protections from one of the servers, data of 32,755 patients of Cottage Health System of California was exposed on Google. The affected patients were notified about the data breach incident. Patients treated at Goleta Valley Cottage Hospital, Santa Ynez Valley Cottage Hospital and Santa Barbara Cottage Hospital between September 29, 2009, and December 2, 2013 may have been affected by this data breach.

The possible data compromised included patient names, addresses, dates of birth and very limited protected health information for some patients related to diagnosis, lab results and procedures performed. The file did not include any Social Security numbers, driver’s license numbers, health insurance numbers, bank account numbers or any other financial information.

The Cottage Health announcement stated that it quickly removed the server from service and conducted a review of all servers to ensure that appropriate security measures are in place. To avoid reoccurrence, it’s conducting a security protocol audit and implementing additional measures. The organization has offered affected patients a toll-free phone number and identity management services through ID Experts.

Steve Fellows, executive vice president, chief operating officer and chief compliance officer at Cottage said “We deeply regret this incident. Cottage takes its obligation to protect health information very seriously and is taking aggressive steps to safeguard against this type of incident in the future. We want to assure our patients that we are doing a thorough review and have systems in place to address their concerns. We understand that the security vulnerability by our vendor was unintentional and we have no reason to suspect that the limited data exposed might be misused.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta