Jun 18, 2013

A reader sent this in with a note that a bunch of folks in his office received this email this morning:

Dear Morningstar client:

I am writing to make you aware that some of your personal information, including your name, address, email address, and password, may have been compromised because of an illegal intrusion into the Morningstar Document Research (formerly 10-K Wizard) system. We recently became aware that this intrusion occurred around April 3, 2012. Earlier this year, we shut down the old servers and moved the data to a more secure infrastructure as part of a migration plan unrelated to this issue. We have taken other steps to prevent unauthorized access to our systems to protect your information. We are also working with law enforcement officials and conducting our own investigations.

We sincerely apologize for any inconvenience this may cause you. For your protection, we have reset all passwords for Morningstar Document Research. The next time you access your account, you will be required to create a new password. Also for your protection, we strongly suggest you avoid using the same passwords across multiple accounts and be alert to potential phishing scams.

Phishing is a scam where people receive email messages from individuals purporting to be the true company. These messages often ask for detailed personal or financial information and may contain a link asking you to “confirm your account.” Morningstar never solicits your detailed personal or financial account information in emails. You should not click on links or open attachments from suspicious email messages. You can report these scams to us, or to local law enforcement, the Attorney General, or the Federal Trade Commission (FTC). These entities can also provide additional information about how to protect yourself online. The FTC’s website is located at http://www.ftc.gov/idtheft.

Protecting the integrity of your information is of utmost importance to Morningstar. Again, we deeply regret any inconvenience this may cause you. I assure you that we are working diligently to protect your information and prevent this type of incident from happening again. If you have questions or require further assistance, please call us at 1-877-316-9552 or 1-312-384-4800, send an email to documentresearch_support@morningstar.com, or visit our website at http://documentresearch.morningstar.com/faq.pdf for answers to frequently asked questions.

Sincerely,
Chris Boruff
President
Morningstar Products Group

Jun 15, 2013

Wendy Davis reports that LinkedIn is seeking a second dismissal of Khalilah Wright’s second amended complaint stemming from a breach affecting over 6 million users.

LinkedIn says that the consumer, Virginia resident Khalilah Wright, still hasn’t set out sufficient allegations to proceed with her lawsuit, which alleges that the company didn’t use basic encryption techniques to secure personally identifiable information.

A previous version of Wright’s lawsuit was dismissed in March, but the dismissal was without prejudice — which enabled Wright to amend her claims and try again.

Read more on MediaPost.

And try again she did. In her second amended complaint, she attached a declaration from Dr. Serge Egelman, who claims that his review of the available literature, LinkedIn’s security practices, and two surveys he conducted in April 2013 suggests that

when consumers pay for a “premium” social networking service, they expect their information to be protected with a heightened level of security, and that, at a bare minimum, industry-standard security protocols will be used to guard their information.

and

My research also showed that LinkedIn’s security practices fell far below industry standards, and that had LinkedIn disclosed its true security practices, its current and potential Premium Subscribers would have learned of those disclosures and factored them into their purchasing decisions.

I’ve uploaded a copy of his declaration here, and have emailed Dr. Egelman to request a formal write-up of his sampling methods and survey questions.

In response, LinkedIn challenges plaintiff’s Article III standing and argues that even if she does have standing, she fails to state a claim upon which relief can be granted. Overpaying for a service with substandard security is not a claim for which relief can be granted? I’ll have to wade through more of their filings to understand that, I guess.

Jun 09, 2013

Katie Nelson reports:

The Raley’s supermarket chain warned customers Thursday that part of the company’s computer network may have been targeted in a cyber attack.

The company stated in a news release that it could not confirm if any unauthorized access had been made to payment card data, but that an internal investigation remains ongoing. However, the company said it did not believe that debit PINs could have been accessed.

Raley’s does not collect Social Security or driver’s license numbers with payment card transactions.

Since the discovery of the cyber attack, the company said it has taken steps to enhance security measures already in place to protect customer data.

Read more on Contra Costa Times.

A statement, prominently linked from Raley’s home page on June 7, states:

Raley’s Family of Fine Stores has recently discovered that a portion of its computer network systems may have been the target of a complex, criminal cyber attack.

The company immediately initiated an investigation to determine whether cyber criminals may have obtained customer credit and debit card information. At this time, the company has not confirmed any unauthorized access to payment card data, but its investigation remains ongoing. Raley’s does not believe that debit PINs could have been accessed.

We do not collect Social Security or drivers’ license numbers in association with payment card transactions.

The company has taken a series of immediate steps to enhance the security measures already in place to protect customer data. The company is confident that customers can continue using their payment cards in its stores.

“Our customers’ peace of mind is our top priority. We take protecting our customers’ privacy seriously and sincerely regret any inconvenience that the attack on our network may have caused,” said Mike Teel, Raley’s President & CEO. “We are working around-the-clock to gather details to determine the extent of any possible compromise of customer information.”

Raley’s has a dedicated response team available to answer customer questions and is providing customers updates as they become available at www.raleys.com. The company encourages customers who have used credit and debit cards at Raley’s, Bel Air, Nob Hill Foods, Food Source stores or Aisle One fuel stations to take the following steps to protect their accounts:

1. Check and monitor your bank and credit card statements for evidence of unauthorized transactions.
2. Contact your bank or credit card company if you identify suspicious charges.
3. Know that cardholders are not held responsible for fraudulent charges made by unauthorized parties if reported promptly to the card issuer.
Customers can reach Raley’s dedicated response team from 7 a.m. to 10 p.m. every day.
Phone: 800-925-9989
Website: www.raleys.com
For more information, see our customer fact sheet on cyber attacks.

The FAQ contains some additional details, such as the fact that this breach was not initially detected internally but was reported to Raley’s by a major credit card company. The chain does not indicate how many customers may have been affected, but I imagine we will find out eventually when this breach gets reported to states that require such disclosure.

Jun 09, 2013

Nicole Henderson reports:

German web hosting provider Hetzner Online AG discovered a backdoor on its Nagios monitoring servers last week, and emailed customers on Thursday to let them know that password hashes and payment information were compromised.

According to a report by H-Online, founder Martin Hetzner says it’s not clear at this time how many customers have been impacted by the breach, which also included the compromise of its Robot management interface for dedicated servers and the customer payment data stored there, including credit card numbers, the expiry date, card type and the last three digits of credit card numbers.

Read more on WHIR.

Jun 04, 2013

More fascinating reporting by Brian Krebs:

A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.

Read about it on KrebsonSecurity.com.

May 28, 2013

The Next Web reports:

Groupon Taiwan has revealed that it has been the victim of a hack which saw usernames and passwords belonging to its 4.1 million registered users compromised. On the positive side, the intruders did not access credit cards and financial details, the company said.

As Inside Taiwan reports [Chinese], the attack on the service — which is Taiwan’s biggest group-buying site — took place last week. The company has sent password reset prompts to all users compromised, but it is not revealing exactly how many were affected.

Read more on The Next Web.