Wawa Payment Data Breach May Have Affected All Wawa Stores

Malware Discovered on Wawa In-Store Payment Processing Systems At Potentially All Wawa Locations – Massive Data Breach Affected Wawa Customer Payment Card Information 

On December 19, 2019, “An Open Letter from Wawa CEO Chris Gheysens to [Wawa] Customers” stated, among other things, that “. . . Wawa . . . experienced a data security incident . . . on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019.”  The CEO’s “Notice of Data Breach” also stated that the “. . . malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained.”

According to Wawa’s data breach notice, “. . . at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations.  Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019.  [Wawa’s] information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware.” [Emphasis added.]

Further, Wawa’s data breach notice stated that the

malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on December 12, 2019.  Most locations were affected as of April 22, 2019, however, some locations may not have been affected at all.  No other personal information was accessed by this malware.  Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware.  If you did not use a payment card at a Wawa in-store payment terminal or fuel dispenser during the relevant time frame, your information was not affected by this malware.  At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident.  The ATM cash machines in our stores were not involved in this incident. [Emphasis added.]

In addition to the data breach notice, Wawa has provided FAQs and other Resources for its customers.

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

Massive Text Data Breach – Millions of SMS Text Messages Exposed

Database Run by TrueDialog Reportedly Left Unprotected

On December 1, 2019, TechCrunch.com reported (“Millions of SMS messages exposed in database security lapse”) that “[a] massive database storing tens of millions of SMS [] text messages, most of which were sent by businesses to potential customers, has been found online.”  According to TechCrunch.com, the database of SMS messages is “. . . run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students.”

TechCrunch.com reported that “[t]he database stored years of sent and received text messages from its customers and processed by TrueDialog. But because the database was left unprotected on the internet without a password, none of the data was encrypted and anyone could look inside.”

Some of the data reviewed by TechCrunch.com, reportedly, “contained detailed logs of messages sent by customers who used TrueDialog’s system, including phone numbers and SMS message contents,” as well as “information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.”

The data, according to TechCrunch.com, “also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts.”  Further, “[m]any of the messages [TechCrunch.com] reviewed contained codes to access online medical services to obtain, and password reset and login codes for sites including Facebook and Google accounts[,]” as well as “usernames and passwords of TrueDialog’s customers, which if used could have been used to access and impersonate their accounts.”

On December 1, 2019, PhoneArena.com reported (“Over 100 million Americans had their personal data exposed in major text data breach”) that “[t]he information available from the breached database not only includes tens of millions of texts from hundreds of millions of American users, it also contained millions of usernames, passwords (some in cleartext, others encoded but easy to decrypt) and more.” According to PhoneArena.com:

The database is hosted by Microsoft Azure and runs in the U.S. on the Oracle Marketing Cloud. It contains 1 billion entries adding up to 604GB of data. This data includes information about TrueDialog’s business, its business clients and the latter’s customers. All of this information could have been used by bad actors to steal identities and money from those with information exposed in the breach. Additionally, all of this data could have been sold to marketers and scammers. Knowing all of this information would make it easier for bad actors to engage in phishing schemes.

Third-Party Vendor of McLaren Health Plan Subject of Phishing Attack

McLaren Health Plan Notifies Members of Phishing Attack at One of Its Third-Party Vendors

Beckershospitalreview.com reported (“Michigan insurer alerts members of data breach”) that “. . . McLaren Health Plan began notifying members Nov. 27 of a phishing attack at one of the insurer’s third-party vendors, according to mlive.com.”

According to mlive.com (“McLaren patient information may have been accessed in phishing scam”):

Magellan Health, Inc. announced Wednesday Nov. 27, its subsidiary, Magellan Rx Management, discovered that an anonymous, unauthorized third party accessed the email account of one employee who handled member data for McLaren Health Plan in Flint.

Magellan Rx was contracted with McLaren Health Plan through December 31 of 2018, according to a Magellan Rx Management news release.

On July 5, Magellan Health, Inc. learned an unauthorized party accessed an employee’s email May 28. The company immediately secured the employee’s email account and conducted a “thorough investigation” of all email accounts and all other Magellan systems.

Beckershospitalreview.com reported that “Patient data that may have been exposed included names, dates of birth, identification numbers, health plan information, providers, diagnosis, drug information and authorization information.”

Macy’s Data Breach – Macy’s Customer Data May Have Been Exposed

On November 19, 2019, Tripwire.com reported (“Macy’s Says Security Incident Might Have Exposed Customers’ Data”) that

Macy’s is notifying customers about a data security incident that might have exposed some of their personal and financial information.

The American department chain store said that it first learned of the incident back in mid-October. At that time, Macy’s security teams launched an investigation into a suspicious connection between macys.com and another website. They found that an unauthorized third party had added unapproved code to two of the chain’s web pages: the checkout page and the wallet page, which is accessible via My Accounts.

This code might have exposed customers’ personal and financial information in the event they used Macy’s website to make a purchase or store their payment data. These details might have included customers’ names, email addresses and payment card credentials. [Emphasis added.]

On November 18, 2019, Bleepingcomputer.com reported (“Macy’s Customer Payment Info Stolen in Magecart Data Breach”) that

Macy’s has announced that they have suffered a data breach due to their web site being hacked with malicious scripts that steal customer’s payment information.

This type of compromise is called MageCart attack and consists of hackers compromising a web site so that they can inject malicious JavaScript scripts into various sections of the web site. These scripts then steal payment information that is submitted by a customer.

According to a ‘Notice of Data Breach’ issued by Macy’s, their web site was hacked on October 7th, 2019 and a malicious script was added to the ‘Checkout’ and ‘My Wallet’ pages. If any payment information was submitted on these pages while they were compromised, the credit card details and customer information was sent to a remote site under the attacker’s control. [Emphasis added.]
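
The kind of unapproved script addition described in these reports can be caught by comparing the scripts on a payment page with an approved inventory. The following is an added example, not code from Macy’s or from the articles quoted above; the hosts, file names, and sample page are constructed for illustration.

```javascript
// Added example: audit the <script> tags of a payment page against an approved inventory.
// All hosts, file names and the sample HTML below are constructed for illustration.

const APPROVED_HOSTS = new Set(["www.shop.example", "cdn.shop.example"]);
// Inline snippets that were reviewed and approved, compared after whitespace normalization.
const APPROVED_INLINE = new Set(["window.cartId = 'demo';"]);

const normalize = (code) => code.replace(/\s+/g, " ").trim();

// Return the value of a quoted attribute from a tag's attribute string, or null.
const attr = (attrs, name) => {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
  return m ? m[1] : null;
};

function auditScripts(html, pageUrl) {
  const findings = [];
  const page = new URL(pageUrl);
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = attr(attrs, "src");
    if (src === null) {
      // Inline script: anything not in the reviewed set needs a human look.
      const code = normalize(body);
      if (code && !APPROVED_INLINE.has(code)) {
        findings.push({ type: "unapproved-inline", detail: code.slice(0, 40) });
      }
      continue;
    }
    const url = new URL(src, page); // resolves relative and protocol-relative URLs
    if (!APPROVED_HOSTS.has(url.hostname)) {
      findings.push({ type: "unapproved-host", detail: url.hostname });
    } else if (url.origin !== page.origin && !attr(attrs, "integrity")) {
      // Approved cross-origin host, but no Subresource Integrity hash pins the file.
      findings.push({ type: "missing-sri", detail: url.href });
    }
  }
  return findings;
}

// Constructed sample of a checkout page.
const SAMPLE_CHECKOUT = `
<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/ui.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://cdn.shop.example/lib/forms.js"></script>
<script src="//stats.unknown-vendor.invalid/a.js"></script>
<script>window.cartId = 'demo';</script>
<script>
  document.forms[0].addEventListener("submit", function () { /* unreviewed */ });
</script>
</body></html>`;

console.log(auditScripts(SAMPLE_CHECKOUT, "https://www.shop.example/checkout"));
```

Run on a schedule against the rendered checkout and wallet pages, a non-empty result is a signal to investigate before customers submit payment data.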

Solara Medical Supplies Data Breach Stemming From Phishing Scam

Phishing E-Mail Campaign Allowed Unknown Actor To Gain Access to Employee Office 365 Accounts From April 2, 2019 to June 20, 2019

On November 13, 2019, Solara Medical Supplies, LLC (“Solara”), issued a press release providing notice of a data incident “that may affect the security of some information relating to certain individuals associated with Solara including current and former patients and employees.”

The “Notice of Data Incident” stated, among other things, the following:

On June 28, 2019, Solara determined that an unknown actor gained access to a limited number of employee Office 365 accounts, from April 2, 2019 to June 20, 2019, as a result of a phishing email campaign. Solara worked with third party forensic experts to investigate and respond to this incident and confirm the security of relevant Solara systems. Through this investigation on July 3, 2019, Solara determined that certain information present within the employee Office 365 accounts may have been accessed or acquired by an unknown actor at the time of the incident.  Solara undertook a comprehensive manual and programmatic review of the accounts to identify what personal information was stored within the accounts and to whom that information related. [Emphasis added.]

Further, the “Notice of Data Incident” stated that

[t]he personal information present in the accounts at the time of the incident varied by individual but may have included first and last names and one or more of the following data elements: name, address, date of birth, Social Security number, Employee Identification Number, medical information, health insurance information, financial information, credit / debit card information, driver’s license / state ID, passport information, password / PIN or account login information, billing / claims information, and Medicare ID / Medicaid ID. [Emphasis added.]

Delta Dental of Arizona – Phishing Scheme Data Breach

Data Breach Affected Undisclosed Number of Individuals and May Have Included, Among Other Things, Dental/Treatment, Insurance, Social Security, and Date of Birth Information

On November 12, 2019, Healthitsecurity.com reported that “Delta Dental of Arizona is notifying an undisclosed number of individuals that their personal and medical data was potentially breached by a phishing attack in July.”

Delta Dental of Arizona’s “Notice of Data Incident” stated, among other things, that

[o]n or around July 8, 2019, Delta Dental of Arizona became aware of suspicious activity related to an employee’s email account. [Delta Dental of Arizona] immediately commenced an investigation, working with third party forensic investigators, to assess the nature and scope of the email account activity. The investigation confirmed that the employee fell victim to an email phishing scheme that allowed an unauthorized actor to gain access to the email account. While [Delta Dental of Arizona has] no evidence of actual or attempted misuse of any information present in the email account, [Delta Dental of Arizona] could not rule out the possibility of access to data present in the account. Delta Dental of Arizona undertook a lengthy and labor-intensive process to identify the personal information contained in the affected account. In an abundance of caution, Delta Dental of Arizona is notifying individuals because [Delta Dental of Arizona] confirmed that certain personal information was present in the affected account. [Emphasis added.]

Additionally, Delta Dental of Arizona stated that its “. . . investigation determined that the information present in the affected email account may include: name, address, date of birth, Social Security number, Member or Subscription identification number, driver’s license number, government issued identification number, state identification number, passport number, financial account information, credit and/or debit card information, dental/treatment information, dental insurance information, digital signature, and/or username and password.” [Emphasis added.]

According to Healthitsecurity.com, “[t]he notification did not explain the delay in reporting the incident. Under HIPAA, covered entities and business associates are required to provide breach notifications within 60 days of discovery.”
