Nov 14, 2018

Hmm. This one could result in big numbers.

A notification from Title Nine about Annex Cloud. Annex Cloud is a service provider that you may never have heard of but may have used many times. The notification explains:

Annex Cloud provides a service that enables individuals to use their user name and password from social media and other websites, like Facebook and Google, to log in to merchants’ websites, including Annex Cloud recently informed Title Nine that they had detected and removed unauthorized code that had been inserted into Annex Cloud’s systems that operate its login application. In its report, Annex Cloud identified four periods of time when the unauthorized code was present and could have captured information entered during the checkout process on our website. We removed Annex Cloud’s code from our website and mailed letters to those customers to let them know what occurred.

Despite its first report that only identified four time periods, Annex Cloud informed Title Nine that they had identified additional time periods between December 28, 2017 and July 9, 2018 when the unauthorized code was or could have been present. If present, the unauthorized code could have captured information entered during the checkout process on our website. Through October 25, 2018, Title Nine sought additional information from Annex Cloud to determine the transactions that might be involved, and Annex Cloud supplied additional information about their analysis regarding these periods, including their belief that there are certain times inside these additional periods when it cannot be determined if the unauthorized code was present. Thus, we are notifying you because you entered information during the checkout process during a time period when it is possible the unauthorized code may have been present.

What Information Was Involved

The information entered during the checkout process that the code may have accessed includes name, address, payment card number, expiration date, and card security code (CVV).

So then today, I saw this notification from Stein Mart.

I wonder how many more notifications we will see linked to Annex Cloud.

Nov 13, 2018

Another Click2Gov breach, this time affecting up to 2,400 residents of the City of Bakersfield. The city’s statement, below, doesn’t indicate whether they were ever warned by CentralSquare Technologies, and if so, what they had done in response. DataBreaches.net has filed under freedom of information to try to obtain more records showing what CST had told the city and when.

Notice to Individuals Regarding Privacy Incident Involving the City of Bakersfield

The City of Bakersfield (“Bakersfield”) values the relationship it has with its customers and understands the importance of protecting their information. This notice relates to information of some of its customers.

What Happened

After receiving reports that fraudulent activity was detected on payment cards used legitimately on our website, Bakersfield immediately launched an investigation. Through our investigation, we determined that an unauthorized party had inserted unauthorized code into Bakersfield’s online payment system, Click2Gov, which is developed by its third-party vendor, CentralSquare Technologies (“CentralSquare”). The unauthorized code was designed to capture payment card data and other information entered on Bakersfield’s Click2Gov online payment system between the dates of August 11, 2018 and October 1, 2018. Upon learning of the unauthorized code, Bakersfield began working with CentralSquare to remove the unauthorized code from our website’s Click2Gov online payment system.

What Information Was Involved

The information entered on the Click2Gov online payment system on Bakersfield’s website includes name, address, email address, payment card number, expiration date, and card security code (CVV).

What We Are Doing

Upon learning of the incident, Bakersfield worked swiftly to address the issue by immediately removing the malicious code from the Click2Gov online payment system on our website and initiating an expanded security review with CentralSquare. To prevent another incident, we are enhancing our existing security protocols and re-educating our vendors on the importance of protecting personal information. Bakersfield also contacted law enforcement and is continuing to support law enforcement’s investigation.

What You Can Do

We remind you to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized charges. You should immediately report any unauthorized charges to your card issuer because payment card network rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Bakersfield will begin mailing letters to the potentially affected individuals on November 12, 2018, and Bakersfield has established a dedicated call center to answer any questions. If you believe you may be affected by this incident but did not receive a letter by November 26, 2018, call (888) 278-8028 Monday through Friday, between 9:00 a.m and 6:00 p.m., Pacific Time.

The City of Bakersfield recommends that you remain vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

Equifax, PO Box 740241, Atlanta, GA 30374, 1-800-685-1111

Experian, PO Box 2002, Allen, TX 75013, 1-888-397-3742

TransUnion, PO Box 2000, Chester, PA 19016, 1-800-916-8800

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338)

Nov 12, 2018

LPL Financial has sent a notification about a third-party hack that was shared with DataBreaches.net by a reader. The hack involving Capital Forensics, Inc. has reportedly affected a number of that vendor’s clients (but not all clients).

From their November 9th notification to advisors, LPL writes:

*What Happened*
LPL works with a firm called Capital Forensics, Inc. (CFI) on a limited basis in support of document production and data analysis efforts. On November 1, an unauthorized person accessed a third party file-sharing system that CFI uses with its customers, including LPL. The unauthorized person appears to have gained access to data files containing personally identifiable information, including investor names, addresses, social security numbers, and account numbers.

*What We Are Doing to Protect Affected Investors*
To protect impacted investors, we have implemented internal procedures that will provide heightened monitoring of their accounts to help prevent fraudulent activity. We have also worked with the vendor to provide credit monitoring and identity protection service at no charge for any impacted investor. We’ll also be mailing a letter to impacted investors regarding this incident.

DataBreaches.net emailed an inquiry to CFI earlier this morning, but has received no response by publication time. The inquiry asked how the attack occurred, how many people had their personal or financial information accessed or acquired, and whether there was any extortion or ransom demand as part of the incident.

This post will be updated if CFI responds or more information becomes available. It appears that RIABiz did get some statement from CFI last week. They report:

The hack was discovered four hours after it began, and it was sealed within six, says a Capital Forensics spokesman, in a prepared statement, via email. “All affected clients have been notified, and we’re working closely with them to remediate this matter … we’re conducting a thorough investigation and taking steps to further protect all our clients.”

Nov 10, 2018

This week, Huntsville Hospital in Alabama disclosed a breach involving their vendor, Jobscience. The breach affected those applying for employment with the hospital.

But Huntsville wasn’t the only hospital affected by Jobscience’s breach. In October, and flying under most media radar, Tallahassee Memorial Hospital in Florida disclosed that they had been contacted by Jobscience on September 26. In TMH’s case, the breach affected job applicants spanning March 2005 to August 2018, and may have included first and last name, home address, date of birth, social security number, email address, selected passcode for the application, security question and selected answer, and work history.

Because these breaches involve employees and not patients, we won’t see them on HHS’s breach tool. DataBreaches.net has sent an email to Jobscience at Bullhorn to ask for more information on the incident and will update if more details are received.

Update Nov. 11: In researching this, I found that on October 31, Softpedia reported yet a third affected entity. From Jobscience’s notification to California:

On October 3, 2018, Jobscience, Inc. advised NorthBay that an unauthorized individual accessed NorthBay applicant information. Jobscience, Inc. is a contracted vendor that provides NorthBay with online employment application management system services. The access involved information pertaining to applicants that applied for a position with NorthBay between December 2012 and May 2018.

Jobscience, Inc. reported that this incident may have included your first and last name, home address, date of birth, email address, Social Security number, or alien registration number.

Nov 09, 2018

From Huntsville Hospital, this press release yesterday, seen at WAFF:

“Regrettably, we’ve learned that Jobscience, Inc., the vendor which we’ve used for online employment application services since 2006, had a data breach which may have involved information from individuals who applied for jobs at Huntsville Hospital. Because of this, notification letters are being sent to the affected persons.

Although we have no indication that any information has been misused in any way, out of an abundance of caution, we are offering identity theft protection to those job applicants whose Social Security Number may have been compromised.

The hospital no longer uses the services of Jobscience.”

DataBreaches.net sent an inquiry to Huntsville yesterday with four questions:

1. How many applicants had their data involved in this incident?
2. When did it occur, or when did it start? When was it discovered?
3. How did it occur?
4. When did the hospital first learn of this breach from Jobscience?
5. Did the hospital terminate its contract with Jobscience because of the breach or was the termination unrelated?

The hospital did not respond by deadline. If they do respond, this post will be updated.