Feb 19 2017

Kevin Niedermier reports:

Cleveland police are still looking for the stolen car that contained personal information on 44 Greater Cleveland Food Bank clients. The car was stolen last month after a food bank worker had collected the written information on assistance applications.

Food bank Communications Director Karen Pozna says so far none of the affected clients have reported any instances of identity theft. They were sent letters alerting them about the stolen information and offered free credit-protection service for a year. Pozna says the worker, who’s no longer with the food bank, should have downloaded the written information onto a computer within 48 hours.

Read more on WKSU.

Feb 18 2017

Ben Hancock discusses another strategy for responding to state-backed hacking: suing the foreign governments responsible under the CFAA, although state-law claims would also be needed:

“It is important to consider other, complementary options,” added Hinnen, who previously dealt with national security issues as a senior lawyer at the Justice Department. “One option worth consideration is enabling victim companies to sue the foreign governments that attack them, which could result in public condemnation and recovery of damages.”

I’ll just wait over here while you begin to list all the obstacles to that approach.

As Hinnen and others see it, state-backed cyberattackers could be sued under the federal Computer Fraud and Abuse Act, which allows for civil litigation over unauthorized access or damage to computer systems and has extraterritorial scope. The suit would also have to include common or state law tort claims such as theft of trade secrets to fit under an exception to the FSIA for injury, death or property claims.

That’s not the only hitch. Simply serving the complaint to the correct government agency or taking discovery would be difficult. Then there are the business considerations, and the possibility that a state government targeted in a lawsuit would retaliate against the plaintiff company.


Read more on Law.com.

I’m still back at that “hitch” about identifying who you would even sue. You think our government is going to give businesses the real details/evidence and methods by which they may have figured out who attacked you just so you can sue them?

Color me skeptical.

Feb 18 2017

Stephan Rockefeller reports:

Bingham County officials are scrambling to rebuild parts of their computer infrastructure after a ransomware attack took down county servers on Wednesday.

Although efforts have been made to correct the problem, computer issues remained as of Friday.

“Every department in the county is affected in some way,” Bingham County Commissioner Whitney Manwaring tells EastIdahoNews.com. “Phone systems, computer systems, everything. Some departments are handwriting documents.”

Read more on East Idaho News.

Feb 18 2017

Caroline Strange reports that the Grand Buffet restaurant in Essex Junction, Vermont, has settled charges brought by the VT Attorney General’s Office following an investigation into credit card fraud that affected the restaurant’s customers.

If that sounds a bit atypical to you (it did to me), it turns out that the restaurant had known there was a problem but had not taken remedial steps to prevent further problems. Specifically, following evidence of credit card fraud in 2012, the restaurant failed to consistently implement recommendations that had been made to it to prevent such problems. In 2014, at least 79 more customers became victims of credit card fraud. The settlement explains that the restaurant was deemed to have engaged in unfair practices under Vermont’s law by failing to take appropriate security measures.


Here’s the announcement from the Attorney General’s Office:

Attorney General Thomas J. Donovan, Jr. reached a settlement yesterday with the Grand Buffet restaurant in Essex Junction. The investigation arose from security breaches where at least one employee stole customers’ credit card numbers. The thefts, which took place in 2014, involved at least 100 customers. The resulting credit card fraud totaled approximately $35,000. The settlement resolves the investigation with the restaurant, and its owner and manager. The employer had previously been notified about its employees’ mishandling of customer credit cards and failed to implement corrective action.

The settlement requires Grand Buffet to change how its employees handle credit cards, implement better record keeping, and pay a penalty of $30,000.

“Businesses must keep consumers’ personal financial information safe,” said Attorney General Donovan. “We know that small businesses are the lifeblood of Vermont’s economy. I will work with our small business community to give them the tools they need to protect their customers.”

Feb 18 2017

WISTV reports:

The employee database of the Lexington Medical Center is the latest victim of a cyberattack.

In a statement released by the hospital, the breach was discovered Friday morning. The breach showed that there has been unauthorized access to the employee information database, called eConnect/Peoplesoft. Medical center officials learned about the breach this week and told employees as quickly as possible.

Here’s the medical center’s statement:

Lexington Medical Center has learned that there has been unauthorized access into our employee information database, known as eConnect/Peoplesoft. Because the privacy of our employees’ information is very important to us, we wanted to let them know about this situation as soon as possible.

This database contains personally identifiable information on current and former employees including names, Social Security numbers and W-2 forms. Importantly, the database does not contain any patient information.

When Lexington Medical Center discovered this situation, we immediately eliminated further unauthorized access, promptly began an investigation and engaged several national cybersecurity professionals to assist us. We also contacted federal and state law enforcement officials.

Lexington Medical Center is committed to safeguarding our employees’ information and has dedicated resources to helping them resolve any issues related to this situation.

In addition to offering current and former employees free credit monitoring and identity theft protection services, Lexington Medical Center is establishing a dedicated, confidential call center for identity theft professionals to help answer any questions or concerns. The hospital has also provided information to employees on how they can help protect their identities and prevent fraudulent tax returns from being filed in their names.

So it doesn’t sound like a W-2 phishing scheme, but it’s not clear from the little they’ve said whether this was a hack that used an employee’s compromised credentials or an inside job, or….