PA: Millions of rehab records exposed on Steps to Recovery’s unsecured database

 Posted by at 10:48 am  Exposure, Health Data, U.S.
Apr 192019
 

Laura Hautala reports:

It’s some of the most sensitive medical information a person could have. Records for potentially thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday [link corrected by DataBreaches.net].

The records included patients’ names, as well as details of the treatment they received, Justin Paine, the researcher, says. Each patient had multiple records in the database, and Paine estimates there could be about 145,000 patients total in the database.

Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.

Read more on CNET.

WSU to pay up to $4.7 million for data theft involving 1.2 million people

 Posted by at 10:19 am  Education Sector, Health Data, Of Note, Theft
Apr 192019
 

Breaches that involve health data generally will cost you more. Asia Fields reports:

Washington State University learned a costly lesson after a hard drive containing the personal information of more than a million people was stolen from a self-storage locker in 2017. Now, the university is going to have to pay even more.

In a settlement approved in King County Superior Court on Thursday, the university agreed to pay up to $4.7 million in cash reimbursements, attorneys fees and administrative expenses. On top of that, the university will pay for two years of credit monitoring and insurance services for up to 1,193,190 people, according to the settlement agreement.

Read more on Seattle Times.

Millstone man sentenced for hacking women’s accounts and then uploading their nude images

 Posted by at 10:19 am  Breach Incidents
Apr 192019
 

Vin Ebenau reports:

A Monmouth County man will spend five years in prison for hacking into the private cloud based accounts of two women and then stealing lewd videos and images of them which he preceded to post on publicly accessible websites, announced New Jersey Attorney General Gurbir Grewal.

Patrick S. Farrell, 37, of Clarksburg (Millstone Township) was sentenced by Superior Court Judge Richard W. English in Monmouth County.

Read more on WOBM.

NY: Operator of Global Cybercrime Marketplace Sentenced to 90 Months’ Imprisonment

 Posted by at 7:58 am  ID Theft
Apr 192019
 

Defendant’s “Codeshop” Website Sold Troves of Stolen Credit Card Data and Bank Account Logins on the Black Market

April 17 – Earlier today, in federal court in Brooklyn, Djevair Ametovski, a Macedonian citizen, was sentenced by United States District Judge Eric N. Vitaliano to 90 months’ imprisonment after previously pleading guilty to access device fraud and aggravated identity theft.  Those crimes related to Ametovski’s operation of “Codeshop,” a website he created for the sole purpose of selling stolen credit and debit card data, bank account credentials and personal identification information.  Judge Vitaliano also ordered the defendant to forfeit $250,000 and to pay restitution in an amount to be determined by the Court at a later date.  Ametovski was arrested in Ljubljana, Slovenia, in January 2014, and was extradited to the United States in May 2016.

Richard P. Donoghue, United States Attorney for the Eastern District of New York, and David E. Beach, Special Agent-in-Charge, United States Secret Service, New York Field Office (USSS), announced the sentence.

“Ametovski and his co-conspirators were merchants of crime, stealing victims’ information and selling that information to other criminals,” stated United States Attorney Donoghue.  “This Office and our law enforcement partners will tirelessly pursue cybercriminals who seek to profit at others’ expense.”  Mr. Donoghue thanked the Slovenian Ministry of the Interior and Ministry of Justice, the United States Marshals Service, the U.S. Department of State Regional Security Officers in Slovenia and the Netherlands, and the Justice Department’s Office of International Affairs, for their assistance with the investigation and prosecution of the defendant.

“The sentencing of this transnational cybercriminal emphasizes the commitment of the Secret Service to disrupt and dismantle global criminal networks,” stated USSS Special Agent-in-Charge Beach.  “The Secret Service will continue to work closely with our network of law enforcement partners to dismantle criminal enterprises seeking to victimize innocent people, regardless of geographic distance or borders.”

Ametovski and his co-conspirators operated Codeshop between August 2010 and January 2014, victimizing hundreds of thousands of individuals around the world by hacking into the computer databases of financial institutions and other businesses and through “phishing” scams designed to induce accountholders to unwittingly surrender private identification information.  They packaged this stolen data for sale and posted it on the Codeshop website, a fully indexed and searchable website that allowed users to search by bank identification number, financial institution, country, state and card brand to find the data they wanted.  The stolen data could then be used to make online purchases and to encode plastic cards to withdraw cash at ATMs.  Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own.  Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards.

The government’s case is being handled by the Office’s National Security & Cybercrime Section.  Assistant United States Attorneys Saritha Komatireddy and David K. Kessler are in charge of the prosecution.

The Defendant:

DJEVAIR AMETOVSKI (also known as “xhevo,” “codeshop,” “sindrom” and “sindromx”)
Age: 32

E.D.N.Y. Docket No. 16-CR-409 (ENV)

ME: City of Augusta hit by computer virus, City Center closed

 Posted by at 2:49 pm  Government Sector, Malware, U.S.
Apr 182019
 

Keith Edwards reports:

A malicious computer virus that hit the city overnight and froze the city’s computer network forced the closure of Augusta City Center Thursday.

The virus, which officials said was intentionally inflicted upon the city’s servers, also shut down computers used by public safety dispatchers — but not the city’s phone system or the public safety radio system relied upon for dispatchers, police, fire and ambulance staff in the field to communicate.

Dispatchers, who don’t have access to their usual computer-aided dispatching system, are tracking calls and the activity and whereabouts of police officers, firefighters and ambulance crews manually.

Read more on Sun Journal.

Thanks to the reader who sent in this link!

 Older Entries  Newer Entries