Jun 09, 2013

On March 19, Calvert Internal Medicine in Maryland notified current and former employees of a computer compromise that may have exposed their Social Security numbers to misuse. A copy of their notification was sent to the Maryland Attorney General’s Office. From reading their description of the breach, it seems that ADP failed to restore a firewall after attempting to deal with another problem, but it’s not clear whether that simply accounts for the spam run problem or if it also contributed to a malware problem that may have compromised employees’ information. See what you think:

Calvert Internal Medicine Group (CIMG) Sequence of Events Relating to Potential IT Breach March 20, 2013

- During the week of March 10, 2013, CIMG was notified by its domain service that ~9,000 spam emails were identified as originating from CIMG’s mail server’s domain. Spam sources were distributed across the internet using a CIMG finance department employee’s email account, an account which was hosted off-site on an independent network’s service computer. Malware was detected in files in the spam inbox of the suspected computer.

- Several weeks prior to the spam discovery, in an effort to resolve a time clock data transmission problem, the finance department employee using the suspect computer placed a service call to ADP technical support. During the call, ADP technical support took control of the computer and disabled the computer’s firewall. At the end of the service call, ADP technical support failed to reactivate the computer’s firewall.

- During the week of March 10, 2013, the suspect personal computer was removed from CIMG’s server. A new computer was installed.

- The finance department employee’s CIMG domain email account was disabled and replaced with a new, password protected, email address.

- Access passwords were changed for payroll (ADP), accounting (PeachTree) and banking services portals/software which resided on the computer.

- During the week of March 17, 2013, a CIMG employee was notified of irregular personal financial activity by a federal agency.

- Given the proximity of the two events, spam email originating from CIMG’s domain and suspicious activity involving an employee’s personal information/data, CIMG elected to notify all active and terminated employees of a suspected IT breach involving payroll-related information, employees’ names, addresses and social security numbers.

- With counsel’s assistance an employee notification document (attached) was drafted.

May 31, 2013

So it seems Anasazi Hotel LLC had a server compromise that began on June 18, 2012, but they didn’t find out until they were notified by their card processor on March 21, 2013. Now, almost a year after the breach began, they will first be sending out letters to those who stayed at the Rosewood Inn of the Anasazi in Santa Fe.

A template of the notification letter that is scheduled to be mailed to consumers in June is posted on the California Attorney General’s site. The letter indicates that after their card processor notified them that they were a common point of compromise in fraudulent transactions that occurred after guests’ stays there, forensic investigators uncovered evidence that Anasazi had suffered a malware insertion that had the potential to exfiltrate names and credit card data.

While the forensic experts found no actual evidence that credit card information was in fact transmitted to the attackers, the forensic experts have concluded that the malware discovered on the Anasazi systems is consistent with that typically used to gather and transmit sensitive credit card data.

Out of an abundance of caution, we are providing this notice to you even in the absence of hard evidence that your credit card data was in fact taken by the attackers.

If the card processor identified them as a common point of compromise while investigating actual fraud incidents, that strongly suggests (if not proves) that data were exfiltrated. Their absence of evidence is not evidence of absence under the circumstances, and I wouldn’t personally consider this “an abundance of caution.”

To their credit, Anasazi specifically notes that they were not asked to delay notification, which may lead some customers to wonder or complain about the delay between discovery and notification.

Customers receiving notification letters will also be informed that AllClear SECURE and AllClear PLUS services have been arranged for them at no cost.

This breach report represents a fairly common situation, but it’s still not a situation that a hotel wants to be in.

May 28, 2013

Stephen Betts reports:

The Port Clyde General Store was one of hundreds of companies across the country that had data from its customers’ credit cards breached by hackers recently.

Attorney Stephen Hayes of Augusta, who represents the store, confirmed that the market was notified by police on May 21 that its system for processing credit card payments “had been compromised by a sophisticated group of criminal hackers.”

Read more on Bangor Daily News. The article also notes other breach reports recently received by the Maine Attorney General’s Office, including Vendini, Beachbody LLC, YourTel, the Edgemont Centre, Piedmont Healthcare P.A., Green Fun Store (operated by AHW LLC), and TD Bank.

The following statement was posted on the Port Clyde General Store’s web site:

On May 21, 2013, the Port Clyde General Store was notified by law enforcement authorities that its system for processing credit card payments had been compromised by a sophisticated group of criminal hackers. The data breach was discovered during an investigation of data security breaches that impacted dozens of Maine businesses and hundreds of companies across the United States. Port Clyde General Store immediately cooperated with the legal authorities and implemented the additional security measures recommended to protect our customers and their confidential information.

Port Clyde General Store uses an outside professional firm to install and manage the hardware and software for its credit card processing. The measures employed to protect customer data complied with all state and federal requirements, including encryption of customer data and daily erasure of customer information following transmission to the card processing company. The servers are protected by firewalls and are regularly scanned with updated antivirus and anti-malware software. The security breach was caused by malware that was designed to avoid industry-standard precautions. As the Maine Attorney General’s office explained to us, in this age it is not a question of “if” a business and its customers will be victims of a criminal computer attack but “when.”

Based upon our investigation and information provided by law enforcement, we believe that the data breach was of short duration and was not caused or aided by any action of our employees. We are highly confident that the measures taken will prevent a recurrence of any disclosure to unauthorized individuals. Nonetheless and despite our best efforts, it is likely that confidential information of some of our customers, including their credit card numbers, may have been captured by criminals for fraudulent purposes. We are sincerely apologetic for any loss or inconvenience this may have caused you. Many of our employees also encountered problems.

It is extremely important that our customers carefully scrutinize their credit card accounts for suspicious charges, a precaution that should be part of your normal practice. If you discover anything out of order, please immediately contact your credit card issuer and notify them. Under federal law, credit card customers are responsible for only the first $50 of fraudulent charges; many card issuers, including issuers of debit cards, have more generous policies. Please also report any fraudulent activity to Detective Don Murray of the Knox County Sheriff’s Department, 327 Park St., Rockland, Maine.

Sincerely, Linda L. Bean, Owner


May 25, 2013

Chuck Williams reports that a number of companies have been notified by card processors of what may be a major breach. In Callaway Gardens’ case, it seems to involve malware, but the other affected companies are not named, nor is it stated whether the same malware was involved in their compromises:

Consumers who have used credit or debit cards at Callaway Gardens are being urged to check their accounts for possible fraudulent charges after the Harris County resort was notified this week of a breach of its system.

The problems could impact anyone who used a card at the resort before Friday, according to a news release from Callaway Gardens. The release did not say when the problem started.

A credit card processing company identified and notified multiple companies, including Callaway Gardens, that sophisticated fraudulent credit card activity had been detected, according to the news release. The companies were identified by common points of counterfeit purchases reported by consumers, according to the release.

Read more on Ledger-Enquirer. I don’t see any notice or link on the resort’s home page, but a Google search led me to this notice on their site.

Anyone know who the other companies are? If anyone has any additional details, please email me or contact me via Twitter, @pogowasright.

May 06, 2013

MAPCO Express issued a press release today concerning a security breach as well as this notice on their web site:

At MAPCO, we care about our customers and respect their privacy.  We want to alert you that we have experienced a security breach by third-party hackers that may have compromised the credit/debit card information of certain MAPCO customers.  We truly regret any inconvenience this may have caused you and we have implemented further security measures designed to prevent these incidents in the future.

To our Credit and Debit Card Customers

If you used a credit or debit card to make a payment within the MAPCO Express, Inc. family of retail fuel and convenience stores, we want to alert you to a payment card information breach that may have exposed your credit or debit card information.  These stores include MAPCO Express®, MAPCO Mart®, East Coast®, Discount Food Mart™, Fast Food and Fuel™, Delta Express®, and Favorite Markets® locations in Tennessee, northern and central Alabama, Arkansas, northern Georgia, Kentucky, northern Mississippi, and Virginia.

Third party hackers used malware to access the payment card processing systems in our stores between March 19-25, April 14-15, and April 20-21, 2013.  These systems transmit certain card information needed for the approval of transactions.  The hackers may have stolen information that could potentially be used to initiate fraudulent credit and debit card transactions.

Although it is not clear if any of your card information was stolen, we wanted to notify you about this criminal activity.  As soon as we learned of the malware, we took steps to disable the malware and further strengthen the security of our payment card processing systems.  We also began working with a nationally-recognized computer forensics investigation firm and the payment card associations to determine exactly what happened and what information may have been compromised.  We are cooperating with federal law enforcement, including the FBI’s Joint Cyber Crime Task Force, to find the third party hackers responsible for this crime.  We are providing this notice to you after law enforcement advised that notice would not impede their criminal investigation.

If you suspect that your card information may have been compromised, you should immediately contact your bank, credit union, or credit or debit card company.  In all cases, we advise you to remain vigilant by reviewing your account statements and monitoring your credit reports.  Even though we have implemented internal security controls to contain any data loss, any card information that was already accessed by the hackers could still be used to initiate fraudulent transactions.

Please see the Important Disclosures linked below and call us for further information and assistance at 1‑877‑297‑2081 Monday through Friday 7 a.m. to 10 p.m. Central Time and on Saturday and Sunday from 8 a.m. to 4 p.m. Central Time.  Please refer back to this site from time to time for updates as we continue our investigation into this crime.

We value your business and take the security of your payment card information very seriously.  We sincerely apologize for any inconvenience this incident may cause you.

From the companion FAQ on the breach:

How did this breach occur and what is MAPCO doing to inform and protect customers?
We believe that third party hackers were able to remotely install malware on the payment card processing systems used in certain of our retail stores.  This malware may have been active in all of our stores from March 19-25, 2013, in our 1301 Dickerson Road, Goodlettsville, Tennessee and 6624 Charlotte Pike, Nashville, Tennessee stores from April 14-15, 2013 and in certain stores from April 20-21, 2013.  If you used a credit or debit card at these locations during these time periods, your card information may have been compromised.

[...]

How do I know whether the store I went to was impacted by this breach?
The impacted stores are part of the MAPCO Express, Inc. family of retail fuel and convenience stores and include MAPCO Express®, MAPCO Mart®, East Coast®, Discount Food Mart™, Fast Food and Fuel™, Delta Express®, and Favorite Markets® locations in Tennessee, northern and central Alabama, Arkansas, northern Georgia, Kentucky, northern Mississippi, and Virginia.

The hackers accessed the payment processing systems used in all of our stores from March 19-25, in certain stores from April 20-21, 2013, and at 2 stores in Goodlettsville and Nashville, TN from April 14-15, 2013.  If you used your credit or debit card at one of these locations during these time periods, your card data may have been compromised.

Apr 16, 2013

Central Hudson Gas & Electric Corporation has issued a press release updating its customers on the breach disclosed in February that affected 110,000 customers:

(POUGHKEEPSIE, NY) Though New York State and federal law enforcement officials continue to investigate the incident externally, forensic computer experts have completed their internal investigation into the February cyber-security incident that had the potential to involve banking information for approximately one third of Central Hudson Gas & Electric Corporation customers.

“Despite an exhaustive review, these cyber-security forensic experts could not confirm if any private banking information for any of our customers was transferred,” said James P. Laurito, Central Hudson’s president. “They also report that it is likely that it may never be possible to document if information was transferred.

“As a result, we continue to err on the side of extreme caution in advising the notified customers to be vigilant in monitoring their bank accounts and credit reports. Any unauthorized transactions should be reported immediately to their bank and local law enforcement agency,” he said.

Laurito recommends that potentially impacted customers take advantage of the complimentary credit monitoring services that Central Hudson offered to them via mail. Eligible customers received enrollment instructions by U.S. Mail but they must sign up by June 30, 2013, in order to be covered. The coverage is retroactive until February 15, 2013, and will extend until June 16, 2014; it will cover all verifiable claims, providing that customers enroll and file fraud complaints promptly.

The investigation conducted by an expert forensic computer firm on Central Hudson’s internal systems confirmed that the incident was the result of malware that infiltrated Central Hudson’s information systems during or prior to September 2012 but likely lay dormant until earlier this year, Laurito said. “The malware, which Central Hudson personnel discovered and disabled on February 19, 2013, was designed to seek out and export information. While the potential exists that information contained on the front of bank checks was exported, it cannot be confirmed what, if any, information was ever actually transferred,” Laurito said.

“We sincerely regret the understandable concern that this incident has caused our customers. We take this incident very seriously, and we will continue to add new safeguards and procedures to further bolster our cyber security systems,” said Laurito. He said those steps include isolating computers with sensitive data from the internet, changing password protocols, educating employees about how to identify security issues, updating software patches, and auditing security procedures to continually improve them.

“While we want our customers to know that we are doing everything possible to investigate this incident, we also want them to know that the complimentary credit monitoring program is designed to provide them with peace of mind,” Laurito said.

He added that customers who received enrollment letters should contact Experian at 877-371-7902 to enroll in the free credit monitoring service; those with questions regarding this incident or any matter related to their account should visit Central Hudson at www.CentralHudson.com or call 1-800-527-2714.