June 2015: The Month of the Breach?



From the very large to the very small, the drumbeat of stolen data continues. This blog post lists the more – and less – notable data breaches announced in the last two weeks. While some of these breaches have received very little press attention, they are no less important for those people whose information has been stolen.


OPM Data Breach Announcement

June 4 and June 15: On June 4, the U.S. Office of Personnel Management (OPM) announced that personally identifiable information (PII) of approximately 4 million people may have been compromised. On June 15, the OPM announced that information related to “background investigations of current, former, and prospective Federal Government employees” has been compromised – or, more bluntly, stolen. According to the announcement, the information stolen wasn’t limited to government employees, as information related to other individuals for whom a Federal background investigation has been conducted was also exposed. Although OPM hasn’t provided an updated number for how many people were affected by this latest breach, multiple sources are reporting that data for up to 14 million people was lost.


Medical Informatics Engineering Data Security Compromise Notification

June 10: Medical Informatics Engineering announced a “data security compromise” for patients at several of its Midwest healthcare facilities. MIE did not say how many patients were affected, but does say that the information lost may include “the patient’s name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports, and medical conditions.” No financial data was lost.


Kaspersky Duqu 2.0 Cyber Attack Disclosure

June 10: The security firm Kaspersky Labs announced that it was the target of a highly sophisticated cyber-attack. In this case, the attacker’s goal was not to steal personal, health, or financial information, but to “acquire information on the company’s newest technologies.” In the process of uncovering this industrial espionage attack, Kaspersky discovered Duqu 2.0, an advanced piece of malware stemming from the Duqu malware discovered in 2011 that exploits up to three zero-day vulnerabilities.


Holiday Valley Resorts Credit Card Breach FAQ

June 12: An SC Magazine article reports that Holiday Valley Resorts may have experienced a compromise of payment cards used at the resort’s point of sales devices between October of last year and early this month. In an undated FAQ on the breach, Holiday Valley says, “If you used your credit or debit card at any sales point at Holiday Valley Resort between October 17, 2014 and June 2, 2015 your card may be at risk of theft.” Information that has been lost likely includes credit and debit card numbers, names, expiration dates and CVV security numbers. Holiday Valley notes that debit card PINS were not lost.


LastPass Data Breach Security Notice

June 15: Password management software vendor LastPass announced that account email addresses, password reminders, server per user salts (used in the hashing of passwords to help keep them secure), and authentication hashes were compromised. LastPass does say that there is no evidence that encrypted user vault data was stolen nor that user accounts were accessed. They go on to say, “We are confident that our encryption measures are sufficient to protect the vast majority of users.”


Fred's Inc. Data Breach Investigation

June 15: In his KrebsonSecurity blog, Brian Krebs reported that Fred’s Inc., an operator of 650 dollar stores throughout the southeast United States, is investigating a potential credit card breach. The store issued a statement that said it is aware of a potential data security incident and is conducting an investigation to determine the extent of the breach.

Just halfway in, June is shaping up to be among the busiest months in a year that will likely go down in history for cyber attacks and data breaches. Stay tuned… there’s surely more to come.

Harriet Cohen

Data Protection Security Audit Checklist

Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.

Download Now

Related Articles
Cyber Needs More Perp Walks

The arrest of a 29-year-old man in Prague for suspected involvement in the 2012 hack of LinkedIn is a big victory for law enforcement. Even more important: viral video of the arrest.

Friday Five: 10/27 Edition

Catch up on all the week's InfoSec news with this roundup!

Financial Service Associations Petition for Data Breach Legislation

Financial services trade groups this week are pushing Congress to create a federal data breach notification standard.

Harriet Cohen

Harriet Cohen is a senior product manager at Digital Guardian where she works in the Office of the CTO to turn innovative ideas for enhanced threat protection into product reality. Harriet has over ten years of experience in the security arena, encompassing both data protection and identity and access management.

Please post your comments here