June 4 and June 15: On June 4, the U.S. Office of Personnel Management (OPM) announced that personally identifiable information (PII) of approximately 4 million people may have been compromised. On June 15, the OPM announced that information related to “background investigations of current, former, and prospective Federal Government employees” has been compromised – or, more bluntly, stolen. According to the announcement, the information stolen wasn’t limited to government employees, as information related to other individuals for whom a Federal background investigation has been conducted was also exposed. Although OPM hasn’t provided an updated number for how many people were affected by this latest breach, multiple sources are reporting that data for up to 14 million people was lost.
June 10: Medical Informatics Engineering announced a “data security compromise” for patients at several of its Midwest healthcare facilities. MIE did not say how many patients were affected, but does say that the information lost may include “the patient’s name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports, and medical conditions.” No financial data was lost.
June 10: The security firm Kaspersky Labs announced that it was the target of a highly sophisticated cyber-attack. In this case, the attacker’s goal was not to steal personal, health, or financial information, but to “acquire information on the company’s newest technologies.” In the process of uncovering this industrial espionage attack, Kaspersky discovered Duqu 2.0, an advanced piece of malware stemming from the Duqu malware discovered in 2011 that exploits up to three zero-day vulnerabilities.
June 12: An SC Magazine article reports that Holiday Valley Resorts may have experienced a compromise of payment cards used at the resort’s point of sales devices between October of last year and early this month. In an undated FAQ on the breach, Holiday Valley says, “If you used your credit or debit card at any sales point at Holiday Valley Resort between October 17, 2014 and June 2, 2015 your card may be at risk of theft.” Information that has been lost likely includes credit and debit card numbers, names, expiration dates and CVV security numbers. Holiday Valley notes that debit card PINS were not lost.
June 15: Password management software vendor LastPass announced that account email addresses, password reminders, server per user salts (used in the hashing of passwords to help keep them secure), and authentication hashes were compromised. LastPass does say that there is no evidence that encrypted user vault data was stolen nor that user accounts were accessed. They go on to say, “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
June 15: In his KrebsonSecurity blog, Brian Krebs reported that Fred’s Inc., an operator of 650 dollar stores throughout the southeast United States, is investigating a potential credit card breach. The store issued a statement that said it is aware of a potential data security incident and is conducting an investigation to determine the extent of the breach.
Just halfway in, June is shaping up to be among the busiest months in a year that will likely go down in history for cyber attacks and data breaches. Stay tuned… there’s surely more to come.
Data Protection Security Audit Checklist
Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.
Related ArticlesFriday Five: 2/1 Edition
Apple vs. Facebook, Ohio's Data Protection Act, and India's largest bank exposes the data of millions - catch up on some of the week's biggest infosec news with this roundup!Friday Five: 1/18 Edition
Demystifying the 773 million record breach, how the government shutdown impacts cybersecurity, weaknesses in a DoD health agency, and more are covered in this week's Friday Five.With $10M Settlement, Target Looks to Shrug off Breach Costs
Target is well on its way to shrugging off the largest data breach in history, as the company agrees to pay $10M into an escrow account for victims.