Dec 15 2018
 

Joshua Chan reports:

Dozens of students were shocked to learn that they were suspended from SF State last week when an email appearing to be from California State University’s chancellor gave them the bad news. But when they clicked on a link in the email, the truth was revealed — they had just been hacked.

The phishing email was sent around Dec. 4. Aliea Glenn, a biology major, was among those targeted.

[…]


Another fake email claimed that students need to “re-validate” their email storage, and that their account was unable to receive new emails until they clicked the link. 

Read more on Golden Gate Express.

Dec 15 2018
 

 A statutory health body has apologised for a data breach in which the email addresses of unsuccessful applicants to a job were mistakenly shared.

In an email informing individuals that their application had been unsuccessful, the email addresses of about 200 other applicants were shared.

The email, seen by TheJournal.ie, was sent by the Pre-Hospital Emergency Care Council (PHECC) on Tuesday. PHECC is an independent statutory body which sets the standards for education and training for pre-hospital emergency care in Ireland. 

Read more on TheJournal.ie.

Dec 14 2018
 

Courtney Godfrey reports:

Taking work home with you sounds like something a hardworking employee would do, unless that work includes private, sensitive data like it did with one employee in Wright County.


The county knew about the data breach for seven months before notifying possible victims.


It wasn’t until FOX 9 filed a public records request that Wright County notified victims of the data breach.

Now it is seven months after the county became aware that more than 1,000 people were potential victims of the breach.

Read more on Fox9.  It seems that the breach was the employee taking PII home on a USB and then transferring the files/data to his home computer. There’s no report of any misuse or sale or other exposure of the data. 

Update:  KSTP reports that about 72,000 are being notified. And they got the former employee to talk to them (wow!). That individual says that he was an hourly worker and had been told he had to go home, so he took the work with him. He insists he didn’t do anything nefarious with it, but of course, isn’t it possible that his home computer had some malware or compromise at some point? 

Dec 14 2018
 

Zack Whittaker reports:

Popular animated avatar creator app Boomoji, with more than five million users across the world, exposed the personal data of its entire user base after it failed to put passwords on two of its internet-facing databases.


The China-based app developer left the ElasticSearch databases online without passwords — a U.S.-based database for its international customers and a Hong Kong-based database containing mostly Chinese users’ data in an effort to comply with China’s data security laws, which require Chinese citizens’ data to be located on servers inside the country.


Anyone who knew where to look could access, edit or delete the database using their web browser. And, because the database was listed on Shodan, a search engine for exposed devices and databases, they were easily found with a few keywords.

Read more on TechCrunch.  Reportedly, Boomoji did not provide an accurate answer or explanation when TechCrunch reached out to them, leading TechCrunch to practice skills U.S. journalists are getting a lot of practice at — the art of calling someone a liar.

After TechCrunch reached out, Boomoji pulled the two databases offline. “These two accounts were made by us for testing purposes,” said an unnamed Boomoji spokesperson in an email.

But that isn’t true.

Read the rest of Zack’s report to find out how they proved that Boomoji’s assertion wasn’t accurate. 

Dec 14 2018
 

It seems Contra Costa Health Plan discovered that a contractor they had hired, who had access to EHR beginning on December 1, 2014, had used a falsified identity to get the contractor position. The position involved access to EHR as part of the contractor’s functions relating to utilization management.

In a letter to those affected, Frank Lee, J.D., Director of Compliance and Government Relations, writes that CCHP has no indication that the contractor misused the information that she accessed, but under the circumstances, they are notifying everyone whose records she might have accessed.  The number of patients is not indicated in CCHP’s sample notification letter, which is reproduced below. The incident is not yet up on HHS’s breach tool, although I imagine we will see it there eventually.
