Jan 16, 2017

Pasquale Turbide reports:

Officials at Sainte-Justine Hospital are working to resolve a privacy breach after a pediatrician leaked confidential documents to a media outlet before taking his own life.

According to Radio-Canada, Dr. Alain Sirard sent a USB key last December to Québécor that contained confidential documents, such as excerpts of medical files and reports from the Direction de la protection de la jeunesse (child protective services).

The USB key also allegedly contained summaries of investigations carried out by the Human Rights Commission following complaints filed against the pediatrician.

Read more on CBC.

If the media outlet also received a suicide note or some explanation as to why the doctor was disclosing the documents about the children, their families, and his own disciplinary hearings, I hope they either quote it or explain it. Was this an act of revenge on the physician’s part, or was he convinced these children had been abused and that the government had not done right by the children?

And if the USB drive was sent to Quebecor, who did not name the families, how did Radio-Canada know the names of eight families to contact about this breach? I’ve tweeted an inquiry to them about how they came into possession of information that was reportedly sent to Quebecor, and will update this if I get an answer.

But all in all, this report raises more questions than it answers. The only thing that’s clear is that yes, this was a privacy breach involving sensitive information, and a tragedy.

Jan 16, 2017

WAVY reports:

A cyber security breach at a third party vendor for Sentara Healthcare has compromised the records of over 5,000 patients.

The incident involves 5,454 vascular and thoracic patients seen between 2012 and 2015 at Sentara hospitals in Virginia.

Read more on WAVY. The vendor was not named, nor were many details about the nature of the breach provided in the news report. And it’s not even clear from Sentara’s statement, a portion of which is quoted below, whether they are talking about an external attack or an employee inappropriately accessing a patient database:

On November 17, 2016, in conjunction with law enforcement, Sentara Healthcare determined that one of its third party vendors experienced a cybersecurity incident. Patient information as it relates to some vascular and/or thoracic procedures that took place between 2012 and 2015 at a Sentara hospital in Virginia was inappropriately accessed. The information may have included patients’ names, medical record numbers, dates of birth, social security numbers, procedure information, demographic information and medications. This incident has been and is still being investigated by law enforcement, Sentara’s Information Security team and the third party vendor.

This incident did not affect all Sentara patients, but only certain vascular and thoracic patients treated between 2012 and 2015.

We began mailing letters to affected patients on January 13, 2017, and have established a dedicated call center to answer any questions. If you believe you are affected but have not received a letter by January 29, 2017, please call 844-319-0134, Monday through Friday, from 9:00 a.m. to 9:00 p.m. EST (excluding national holidays).

We recommend that patients who are affected by this incident follow the instructions on the letters they receive and remain vigilant for incidents of fraud or identity theft by reviewing account statements and free credit reports for any unauthorized activity.

As I have written about several times in the past few months, breaches involving third-party vendors or business associates are a significant risk. Such breaches accounted for a disproportionate percentage of records breached in 2016.

Eventually, I hope Sentara will clarify whether this was an external hack or a case of employee/insider-wrongdoing.

Jan 16, 2017

So Zimbabwe hackers wear hoodies, too, it seems. Oh well…

ZimNews reports:

A 33-year-old Chitungwiza based computer hacker Isaiah Marange managed to hack into OK Zimbabwe’s Money Wave System and got away with $70,000.

He was remanded to February 14 on $300 bail.

Prosecuting, Mr Sebastian Mutizirwa alleged that on Christmas Day last year, Marange opened a Money Wave account at OK Mart with an initial deposit of $5 using the name Kundai Liberty Musamba.

It is the State’s case that on Boxing Day, Marange hacked the OK Zimbabwe Money Wave System and fictitiously credited $35 000 into his account purporting to have used OK Queensdale till number 5, when in actual fact no physical cash was deposited into the account.

Read more on ZimNews.

Jan 16, 2017

Seen at MrExcel.com, a breach disclosure with some plain English writing and transparency. Although it’s not good if the hack occurred because vBulletin hadn’t been patched/updated, this disclosure is an example of clear and helpful writing. 

1) What happened?
This is Bill Jelen from MrExcel.com. On the morning of December 6, 2016, our moderators detected a hack in progress at the MrExcel forum. We quickly acted to shut the forum down, removed the user, and restored from the previous day’s backup. At the time, we had no reason to believe that the hack had compromised any user data. However, on or about January 8, 2017, we became aware of evidence suggesting that some user information had been acquired in the December 5 hack and had been posted online.

2) What Information Was Involved?
The hacker accessed and posted userid, e-mail address, and the encrypted password in the form of hash+salt. A hacker with a fast computer can test a billion passwords an hour and stands a 25% chance of breaking the password. The hacker also accessed and posted information from administrative fields showing your last login, number of posts and similar non-personally identifiable information. If you had an account at the MrExcel Message Board on or before December 6, 2016, you are affected.

3) What We Are Doing?
We previously scanned for malicious code and restored from a backup to remove any lingering effects from the hack. Additionally, we continue to update and patch the website software from vBulletin and we are converting the website to use a Secure Socket Layer.

4) What Can You Do?
We are requiring all users to promptly change your password at MrExcel.com and encourage you to take other steps appropriate to protect this online account. We also encourage you to change your password and take steps to protect any other online accounts where you have used the same password with your username or email address for MrExcel.com. You are further encouraged to maintain different passwords for MrExcel.com and for any other online account that connects to the same email address or password.

During the investigation of this incident, you can also search for your e-mail address at leakedsource.com to find a list of data breaches involving your e-mail address.

I deeply regret this incident occurred and I apologize.

5) For More Information
Contact Bill Jelen – [email protected]

Date of Notice: January 14, 2017.

Update: Frequent Questions:
Q: What is the longest password we can use?
A: 50 characters, a mix of letters, numbers, and symbols

Q: How can I delete my account?
A: Write to the e-mail address [email protected] and I will gladly remove you.

Q: How do I know this is not a clever Phishing scam?
A: When you are signed in on the board, you will see our notice. I’ve also been posting notices that this is not a hoax on Facebook and Twitter. See the Twitter notice here: https://twitter.com/MrExcel/status/820641834670104576

Q: Some members have their date of birth displayed. How can I delete mine?
A: Annoyingly, once the date of birth is entered, it does not seem to be removable. Please set it to a generic Jan 1, 1917 date. (Making sure you appear older than 13 to avoid COPPA issues).

Q: I also have an account at your MrExcel store. Was that data compromised?
A: No. 

Q: You just sent me an e-mail to [email protected] but when I try to sign in with that very same e-mail, it says I don’t have an account!
A: In most of these cases, I am finding the actual address in the forum is [email protected] and someone in I.T. has cleverly designed an e-mail forwarding recipe to send those e-mails to the new corporate name. If you can’t figure it out, send me a note to [email protected] and I will do a wildcard search to try to find you.
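The disclosure above says the leaked passwords were stored as "hash+salt" and that a fast machine could still break a quarter of them. The following is an added example, not code from MrExcel or from the original post, showing what the salt does and does not buy you: it stops precomputed tables and hides which users share a password, but an attacker who already holds hash and salt simply runs a per-user dictionary, and only the cost of the hash function itself sets the guessing rate. The page does not say which algorithm the forum used; salted MD5 is assumed here as the "fast" scheme, PBKDF2-HMAC-SHA256 is the slow comparison, and the wordlist is constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for an attacker's dictionary (not real leaked data).
WORDLIST = ["123456", "password", "letmein", "qwerty", "excel2016", "dragon"]


def fast_salted_hash(password: str, salt: bytes) -> str:
    """Salt + a fast hash (MD5). Assumed scheme for illustration only; the page
    does not state which algorithm the forum software actually used."""
    return hashlib.md5(password.encode() + salt).hexdigest()


def slow_salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salt + a deliberately slow KDF (PBKDF2-HMAC-SHA256): every guess costs
    `rounds` HMAC evaluations instead of a single hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack(target: str, salt: bytes, hasher, wordlist=WORDLIST):
    """Offline dictionary attack. The attacker already holds both hash and salt,
    so the salt does not slow a single run; it only forces one run per user."""
    for guess in wordlist:
        if hmac.compare_digest(hasher(guess, salt), target):
            return guess
    return None


def guesses_per_second(hasher, salt: bytes, n: int = 200) -> float:
    """Crude single-core throughput; only the ratio between hashers matters here."""
    t0 = time.perf_counter()
    for i in range(n):
        hasher(f"guess-{i}", salt)
    return n / (time.perf_counter() - t0)


def demo(rounds: int = 20_000) -> dict:
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    # Two users with the same weak password get different stored hashes, so a
    # precomputed table is useless and the dump does not reveal shared passwords.
    stored_a = fast_salted_hash("excel2016", salt_a)
    stored_b = fast_salted_hash("excel2016", salt_b)
    assert stored_a != stored_b
    # ...but each user's hash still falls to a per-user dictionary run.
    recovered = crack(stored_a, salt_a, fast_salted_hash)
    # Under a slow KDF the same attack still works, just `rounds` times dearer.
    slow = lambda p, s: slow_salted_hash(p, s, rounds=rounds)
    slow_recovered = crack(slow("excel2016", salt_a), salt_a, slow)
    slowdown = guesses_per_second(fast_salted_hash, salt_a) / guesses_per_second(slow, salt_a, n=20)
    return {"recovered": recovered, "slow_recovered": slow_recovered, "slowdown": slowdown}


if __name__ == "__main__":
    r = demo()
    print(f"fast salted hash cracked: {r['recovered']}; slow KDF cracked: {r['slow_recovered']}; "
          f"the KDF costs roughly {r['slowdown']:.0f}x more per guess")
```

The slowdown figure is a rough single-core number from a few timed calls, so treat it as an order of magnitude; the lesson it carries is that a short dictionary beats a weak password regardless of salt, and that a memory- or CPU-hard KDF (bcrypt, scrypt, Argon2, or PBKDF2 with a high round count) is what turns "a billion guesses an hour" into something far smaller.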

Jan 16, 2017

Jack Sandlin reports:

Computer hackers infected the Valley Springs School District’s computer system with malicious software Thursday, locking access and demanding a ransom to restore its files and programs.

The hackers demanded a payment of 7,000 British pounds — about $8,500 U.S. dollars — from the school district, Superintendent Judy Green said Friday. The hackers used “ransomware,” a program that locks a computer or computer network until a ransom is paid.

The school district won’t pay, Green said, and is working to rid its system of all malicious software.

Thursday’s cyberattack marks the latest in a recent spate of such attacks in Northwest Arkansas.

Read more on Arkansas Online.