June 4 and June 15: On June 4, the U.S. Office of Personnel Management (OPM) announced that personally identifiable information (PII) of approximately 4 million people may have been compromised. On June 15, the OPM announced that information related to “background investigations of current, former, and prospective Federal Government employees” has been compromised – or, more bluntly, stolen. According to the announcement, the information stolen wasn’t limited to government employees, as information related to other individuals for whom a Federal background investigation has been conducted was also exposed. Although OPM hasn’t provided an updated number for how many people were affected by this latest breach, multiple sources are reporting that data for up to 14 million people was lost.
June 10: Medical Informatics Engineering announced a “data security compromise” for patients at several of its Midwest healthcare facilities. MIE did not say how many patients were affected, but does say that the information lost may include “the patient’s name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports, and medical conditions.” No financial data was lost.
June 10: The security firm Kaspersky Labs announced that it was the target of a highly sophisticated cyber-attack. In this case, the attacker’s goal was not to steal personal, health, or financial information, but to “acquire information on the company’s newest technologies.” In the process of uncovering this industrial espionage attack, Kaspersky discovered Duqu 2.0, an advanced piece of malware that exploits up to three zero-day vulnerabilities and stems from the Duqu malware discovered in 2011.
June 12: An SC Magazine article reports that Holiday Valley Resorts may have experienced a compromise of payment cards used at the resort’s point-of-sale devices between October of last year and early this month. In an undated FAQ on the breach, Holiday Valley says, “If you used your credit or debit card at any sales point at Holiday Valley Resort between October 17, 2014 and June 2, 2015 your card may be at risk of theft.” Information that has been lost likely includes credit and debit card numbers, names, expiration dates and CVV security numbers. Holiday Valley notes that debit card PINs were not lost.
June 15: Password management software vendor LastPass announced that account email addresses, password reminders, server per-user salts (used in the hashing of passwords to help keep them secure), and authentication hashes were compromised. LastPass does say that there is no evidence that encrypted user vault data was stolen or that user accounts were accessed. They go on to say, “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
June 15: In his KrebsOnSecurity blog, Brian Krebs reported that Fred’s Inc., an operator of 650 dollar stores throughout the southeast United States, is investigating a potential credit card breach. The store issued a statement that said it is aware of a potential data security incident and is conducting an investigation to determine the extent of the breach.
Just halfway in, June is shaping up to be among the busiest months in a year that will likely go down in history for cyber attacks and data breaches. Stay tuned… there’s surely more to come.