June 4 and June 15: On June 4, the U.S. Office of Personnel Management (OPM) announced that personally identifiable information (PII) of approximately 4 million people may have been compromised. On June 15, the OPM announced that information related to “background investigations of current, former, and prospective Federal Government employees” has been compromised – or, more bluntly, stolen. According to the announcement, the information stolen wasn’t limited to government employees, as information related to other individuals for whom a Federal background investigation has been conducted was also exposed. Although OPM hasn’t provided an updated number for how many people were affected by this latest breach, multiple sources are reporting that data for up to 14 million people was lost.
June 10: Medical Informatics Engineering announced a “data security compromise” for patients at several of its Midwest healthcare facilities. MIE did not say how many patients were affected, but does say that the information lost may include “the patient’s name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports, and medical conditions.” No financial data was lost.
June 10: The security firm Kaspersky Labs announced that it was the target of a highly sophisticated cyber-attack. In this case, the attacker’s goal was not to steal personal, health, or financial information, but to “acquire information on the company’s newest technologies.” In the process of uncovering this industrial espionage attack, Kaspersky discovered Duqu 2.0, an advanced piece of malware stemming from the Duqu malware discovered in 2011 that exploits up to three zero-day vulnerabilities.
June 12: An SC Magazine article reports that Holiday Valley Resorts may have experienced a compromise of payment cards used at the resort’s point of sales devices between October of last year and early this month. In an undated FAQ on the breach, Holiday Valley says, “If you used your credit or debit card at any sales point at Holiday Valley Resort between October 17, 2014 and June 2, 2015 your card may be at risk of theft.” Information that has been lost likely includes credit and debit card numbers, names, expiration dates and CVV security numbers. Holiday Valley notes that debit card PINS were not lost.
June 15: Password management software vendor LastPass announced that account email addresses, password reminders, server per user salts (used in the hashing of passwords to help keep them secure), and authentication hashes were compromised. LastPass does say that there is no evidence that encrypted user vault data was stolen nor that user accounts were accessed. They go on to say, “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
June 15: In his KrebsonSecurity blog, Brian Krebs reported that Fred’s Inc., an operator of 650 dollar stores throughout the southeast United States, is investigating a potential credit card breach. The store issued a statement that said it is aware of a potential data security incident and is conducting an investigation to determine the extent of the breach.
Just halfway in, June is shaping up to be among the busiest months in a year that will likely go down in history for cyber attacks and data breaches. Stay tuned… there’s surely more to come.
Data Protection Security Audit Checklist
Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.
Related ArticlesSouth Carolina School District Does the Ransomware Two Step
A South Carolina school district is the latest to do the ransomware two step: assuring parents that data encrypted and held hostage by the criminals wasn’t “accessed” by them. Nice try.Don’t Call it a Leak: D&B Unit Coughs up Data on 33m Professionals
Like the ‘flaming river’ that eventually prompted anti-pollution laws, the casual leak of data on 33 million U.S. professionals is a sign that our online environment is badly compromised. But can we fix it?Sabre Agrees to $2.4M Settlement Following 2017 Data Breach
The travel company Sabre has agreed to pay $2.4 million and make changes to its cybersecurity policies following a 2017 data breach that exposed 1.3 million consumer credit cards.