Jun 23 2017

A proposed settlement has been reached in a class action lawsuit over the 2015 cyberattack of health insurer Anthem, Inc., involving the theft of the personal information of 78.8 million people. The $115 million settlement, if approved by the Court, will be the largest data breach settlement in history. Attorneys from Altshuler Berzon, Cohen Milstein, Girard Gibbs and Lieff Cabraser were court-appointed to lead the representation of the plaintiffs in the litigation.

The proposed settlement provides for Anthem to establish a $115 million settlement fund, which will be used to 1) provide victims of the data breach at least two years of credit monitoring; 2) cover out-of-pocket expenses incurred by consumers as a result of the data breach; and 3) provide cash compensation for those consumers who are already enrolled in credit monitoring. In addition to the monetary fund, the settlement will require Anthem to guarantee a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls. The settlement is designed to protect class members from future risk, provide compensation, and ensure best cybersecurity practices to deter against future data breaches.

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” said Eve Cervantez, co-lead counsel representing the plaintiffs in the Anthem litigation.

“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” added Andrew Friedman, co-lead plaintiffs’ counsel.

In early 2015, Anthem acknowledged that it had been the target of a cyberattack, in which the personal information of 78.8 million individuals was stolen, including, for many of those individuals: names, dates of birth, social security numbers, and health care ID numbers.

Over 100 lawsuits were filed against Anthem across the country and the cases were consolidated in the United States District Court for the Northern District of California before Judge Lucy Koh, who appointed Eve Cervantez and Andrew Friedman as Co-Lead Plaintiffs’ Counsel, and Eric Gibbs and Michael Sobol to the Plaintiffs’ Steering Committee.

A motion for preliminary approval of the settlement was filed today by the Plaintiffs. Judge Koh is scheduled to hear Plaintiffs’ motion on August 17, 2017. If granted, the class members will be notified about the details of the settlement, and invited to participate in and comment on the settlement. For additional updates and information about the lawsuit and settlement, please visit the Anthem Data Breach Litigation Website.

SOURCE: Girard Gibbs LLP

Jun 23 2017

Jimmy Koo reports:

The Federal Trade Commission’s data security enforcement standard came under fire June 22 from a panel of federal appeals court judges (LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, oral argument 6/21/17).

As predicted, the level of harm required for the FTC to act was “front and center” during the oral argument. Attorneys for the FTC and the now-defunct medical testing company LabMD Inc. squared off before the U.S. Court of Appeals for the Eleventh Circuit over what level of data breach injury is sufficient to allow the privacy regulator to take enforcement action.

Read more on Bloomberg BNA.

Actually, no. If you haven’t done so already, first listen to the oral arguments (about 40 minutes; search for Docket 16-16270, LabMD, Inc., Petitioner v. Federal Trade Commission). You may well think, “WHOA….” when you hear the judges give the FTC a difficult time.

Then you can read the article.

Jun 23 2017

Detectives from the South East Regional Organised Crime Unit (SEROCU) have executed two warrants in Lincolnshire and Bracknell and arrested two men this morning (22/6) for conspiracy to gain unauthorised access to the Microsoft network.

A 22-year-old man from Lincolnshire was arrested on suspicion of gaining unauthorised access to a computer.

A 25-year-old man from Bracknell was arrested under computer misuse act offences.

The investigation relates to unauthorised intrusion into networks belonging to Microsoft.

Det Sgt Rob Bryant from SEROCU’s Cyber Crime Unit, which led the UK warrants, said: “We are working closely with our colleagues in EMSOU (East Midlands Special Operations Unit), Microsoft’s cyber team, the FBI, EUROPOL and the NCA’s National Cyber Crime Unit (NCCU) to investigate these offences.

“This group is spread around the world and therefore the investigation is being coordinated with our various partners. We’ve made two arrests in the UK this morning and have seized a number of devices.

“We are still in the early stages of this investigation and will work with our partners to ensure that cyber criminals have no place to hide.

“It is too early to speculate on what information the group have accessed, however, after speaking with Microsoft we can confirm they did not gain access to customer information. The offences took place between January 2017 to March 2017.”

The two men arrested currently remain in police custody.

SOURCE: Southeast Regional Organised Crime Unit

Jun 23 2017

Mark Bergen reports:

Alphabet Inc.’s Google has quietly decided to scrub an entire category of online content — personal medical records — from its search results, a departure from its typically hands-off approach to policing the web.

Google lists the information it removes from its search results on its policy page. On Thursday, the website added the line: “confidential, personal medical records of private people.” A Google spokeswoman confirmed the changes do not affect search advertising but declined to comment further.

Read more on Bloomberg Technology.

I’m glad to see this, of course, but if you find personal medical information on the web, remember that you need to/should do more than just Google to de-index it, as the material will still be accessible on the web to those who know where to or how to look for it. Be sure to contact the site or webmaster to alert them that they are exposing confidential medical information.

And if that fails to get results, you can file a complaint with state or federal regulators – or just go to the media to see if any local news station might be interested in picking up the story and getting involved with it.

Jun 22 2017

Brodie Thomas reports:

Hackers have released more data from the Cowboys Casino hack of last year, this time with more sensitive information.

The second data dump appeared on a torrent site and on the website pastebin.com on Thursday.

“Cowboys Casino has still not taken the matter of their customers/employees security seriously, so we are releasing our 2nd data dump to the public,” reads the message.

Read more on Metro News.

As they have done in the past, an email was sent to DataBreaches.net to alert this site to the new paste/torrent. And as they have done in the past, this email came from a name and an email address not previously used to communicate with this site.

Of note, perhaps, the attackers made a point of including emails in their data dump that seem to support their claim that the casino had past problems with infosecurity. But curiously, or not, the emails in the data dump are not time-stamped, except for one email that was from 2014.

So where is the proof that the casino is still having infosecurity issues that would warrant the alleged hacktivism? The hackers, whom FireEye researchers call “FIN10,” warn:

more data dumps will continue until Cowboys Casino decides to resolve this issue.

But is the issue really infosecurity or is the issue payment of an extortion demand?

That said, the torrent does include what the hackers describe, including employee disciplinary letters and other sensitive information. Most of the data and files appear to be older, with the most recent files appearing to be circa mid-2016.

DataBreaches.net asked the individual who notified this site of the new dump if they’d be willing to answer a few questions, but has gotten no response as yet.