Feb 062019
 

ROSEVILLE, Calif., Feb. 5, 2019 /PRNewswire/ —

What Happened? In October of 2018, Bayside became aware of suspicious activity in certain employees’ email accounts.  Bayside immediately began an investigation to confirm the nature and scope of this activity.  Through the investigation, which included working with third party forensic investigators, we determined that the unauthorized actors accessed certain employees’ accounts without authorization between August 3, 2018 and October 20, 2018.  Unfortunately, the investigation was unable to determine which emails or attachments may have been viewed without authorization.  In an abundance of caution, the entire contents of the email accounts involved were reviewed to identify any personal information contained within the accounts.  On December 19, 2018, the programmatic and manual review was completed, and it was determined that certain personal information was contained within the accounts that were accessed without authorization.  To date, we have no information that there has been any actual or attempted misuse of the personal information within the accounts related to this event.

What Information Was Involved? The investigation in this matter confirmed that the following types of personal information were contained in the email accounts affected by this event included a combination of: name, address, Social Security Number, passport number, driver’s license number, financial account information, medical information, health insurance information, username and password for online account, and email and password.

What We Are Doing?  Bayside takes the confidentiality, privacy, and security of information in our care is seriously and it is one of our highest priorities.  Upon learning of the suspicious activity in the affected email accounts, we immediately commenced an investigation to confirm the nature and scope of the event.  We took steps to identify the personal information contained in the affected email accounts and are notifying potentially impacted individuals of the event.  As an added precaution, we are offering those individuals affected by the event access to credit monitoring, fraud consultation and identity theft repair services at no cost.  Bayside is also notifying relevant regulators of the event as well.

Read the full notification here.

Feb 042019
 

SAN FRANCISCO – A federal grand jury indicted Ahmad Wagaafe Hared and Matthew Gene Ditman with conspiracy to commit computer fraud and abuse, conspiracy to commit access device fraud, extortion, and aggravated identity theft, announced United States Attorney David L. Anderson and Federal Bureau of Investigation, Special Agent in Charge John Bennett.

According to the indictment unsealed today, Hared, 21, of Tucson, Ariz., and Ditman, 23, of Las Vegas, Nev., engaged in a scheme to obtain by fraud and extortion cryptocurrencies and other money and property owned and controlled by executives of cryptocurrency-related companies and cryptocurrency investors.  The indictment alleges Hared, Ditman, and their co-conspirators used fraud, deception, and social engineering techniques to induce representatives of cellphone service providers to provide information about the SIM cards of the conspirators’ victims.  A SIM card—short for Subscriber Identity Module or Subscriber Identification Module—is a technology used to identify and authenticate subscribers on mobile phone devices.  The conspirators allegedly convinced the representatives of cellphone service providers to transfer or port cellphone numbers from SIM cards in the devices possessed by victims to SIM cards in devices possessed by the conspirators, a practice known as SIM swapping.  The indictment further alleges that after Hared, Ditman, and others gained control of victims’ cellphone numbers, they used additional deceptive techniques to gain access to email, electronic storage, and other accounts of victims and ultimately to cryptocurrency accounts of victims.  Hared, Ditman, and their co-conspirators also extorted victims of the SIM swapping scheme.

Hared was arrested in Tucson and made his initial appearance in the District of Arizona on January 31, 2019.  He was released on a $100,000 bond.  His next scheduled appearance is at 9:30 a.m. on February 13, 2019, before the Honorable Laurel Beeler, U.S. Magistrate Court Judge.

Ditman was arrested in Las Vegas and made his initial appearance in the District of Nevada on January 31, 2019.  He was released on bond.  His next scheduled appearance is at 9:30 a.m. on February 6, 2019, before Judge Beeler.

The indictment charges the defendants with the following crimes and, if found guilty, they are subject to the following maximum statutory penalties:

Count Charge Maximum Penalties
One 18 U.S.C. § 1030(b) – Conspiracy to Commit Computer Fraud and Abuse Five years of imprisonment; $250,000 fine or not more than twice the gross gain or twice the gross loss; three years of supervised release; $100 special assessment; forfeiture; and restitution
Two 18 U.S.C. § 1030(a)(7) – Threatening to Damage a Protected Computer Five years of imprisonment; $250,000 fine or not more than twice the gross gain or twice the gross loss; three years of supervised release; $100 special assessment; forfeiture; and restitution
Three 18 U.S.C. § 875(d) – Interstate Communications with Intent to Extort Two years of imprisonment; $250,000 fine or not more than twice the gross gain or twice the gross loss; one year of supervised release; $100 special assessment; forfeiture; and restitution
Four 18 U.S.C. § 1029(b)(2) – Conspiracy to Commit Access Device Fraud Five years of imprisonment; $250,000 fine or not more than twice the gross gain or twice the gross loss; three years of supervised release; $100 special assessment; forfeiture; and restitution
Five 18 U.S.C. § 1028A(a)(1) – Aggravated Identity Theft Two-year mandatory minimum consecutive sentence

An indictment merely alleges that crimes have been committed, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt.  However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

Assistant U.S. Attorney Robert S. Leach is prosecuting the case with the assistance of Mimi Lam and Rebecca Shelton.  The prosecution is the result of an investigation by the FBI.

Further Information:

Case #: 19-040 WHO

A copy of this press release will be placed on the U.S. Attorney’s Office’s website at www.usdoj.gov/usao/can.

Electronic court filings and further procedural and docket information are available at https://ecf.cand.uscourts.gov/cgi-bin/login.pl.

Judges’ calendars with schedules for upcoming court hearings can be viewed on the court’s website at www.cand.uscourts.gov.

Source:   U.S. Attorney’s Office,  Northern District of California

 

Feb 022019
 

Oliver Wright reports:

The Brexit campaign group Leave.EU and an insurance company run by its founder Arron Banks are facing fines of £120,000 for data protection breaches.

The Information Commissioner’s Office (ICO) is to fine Leave.EU £15,000 for unlawfully using Eldon Insurance customers’ details to send 300,000 political marketing messages, and a further £45,000 for its part in sending an Eldon marketing campaign to political subscribers. Eldon was fined £60,000.

Read more on The Times.

From the Information Commissioner’s Office, this statement:

The Information Commissioner’s Office (ICO) has issued fines totalling £120,000 to an EU referendum campaign and an insurance company for serious breaches of electronic marketing laws and is set to review how both are complying with data protection laws.

The ICO announced an audit and issued a preliminary enforcement notice as well as three notices of intent to fine Leave.EU and Eldon Insurance trading as Go Skippy Insurance, in November 2018 as part of its investigation into data analytics for political purposes.

After considering the companies’ representations, the ICO has issued the fines, confirming a change to one amount, with the other two remaining unchanged. The regulator has also issued two assessment notices to Leave.EU and Eldon Insurance to inform both organisations that they will be audited.

The ICO investigation found that Leave.EU and Eldon Insurance were closely linked. Systems for segregating the personal data of insurance customers’ from that of political subscribers’ were ineffective.

This resulted in Leave.EU using Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages. Leave.EU has been fined £15,000 for this breach.

Eldon Insurance carried out two unlawful direct marketing campaigns. The campaigns involved the sending of over one million emails to Leave.EU subscribers without sufficient consent. Leave.EU has been fined £45,000 and Eldon Insurance has been fined £60,000 for the breach.

Elizabeth Denham, Information Commissioner said:

“It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened.

“We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

The assessment notices allow the ICO access to Leave.EU and Eldon’s joint offices, staff, and documentation. It is a criminal offence to obstruct an ICO audit or destroy information covered by it.

The ICO’s audit team will be looking at data protection practices including observing how personal data is processed, considering what policies and procedures are in place and looking at the types of training made available for staff. They will also be interviewing key employees across both organisations including the directors, staff and their data protection officers. The ICO’s audit findings will be made public at the conclusion of its work.

Eldon Insurance has also received an enforcement notice from the ICO ordering the company to take steps to ensure it complies with electronic marketing regulations.

Jan 242019
 

Jeffrey P. Taft and Matthew Bisanz of Mayer Brown write:

On January 7, 2019, the National Futures Association (“NFA”) announced that it had adopted amendments to its information security requirements that include a cybersecurity incident notification obligation.1 As discussed below, the NFA’s amendments represent the continued maturation of information security in the US financial services sector and are incremental, rather than radical, innovation. The NFA’s amendments become effective April 1, 2019, and, prior to that date, it will release procedures describing the manner in which NFA members should notify the NFA of cybersecurity incidents.

Read more on Mondaq.

Jan 222019
 

Zack Whittaker reports:

AIESEC, a non-profit that bills itself as the “world’s largest youth-run organization,” exposed more than four million intern applications with personal and sensitive information on a server without a password.

Bob Diachenko, an independent security researcher, found an unprotected Elasticsearch database containing the applications on January 11, a little under a month after the database was first exposed.

The database contained “opportunity applications” contained the applicant’s name, gender, date of birth, and the reasons why the person was applying for the internship, according to Diachenko’s blog post on SecurityDiscovery, shared exclusively with TechCrunch. The database also contains the date and time when an application was rejected.

Read more on TechCrunch.