State Farm Credential Stuffing Attack – “Bad Actor” Confirmed Information

State Farm Data Breach – “Bad Actor” Was Able to Confirm Valid Online Account Usernames and Passwords

On August 7, 2019, zdnet.com reported (“State Farm says hackers confirmed valid usernames and passwords in credentials stuffing attack”) that State Farm “suffered a credential stuffing attack in July and is now notifying impacted customers.”

The zdnet.com story reported that

US banking and insurance giant State Farm said it suffered a credential stuffing attack during which “a bad actor” was able to confirm valid usernames and passwords for State Farm online accounts.

State Farm said it reset account passwords to all impacted accounts to prevent future abuse from the bad actor. The company is now notifying affected customers.

A State Farm spokesperson told ZDNet the company discovered the credential stuffing attack on July 6, 2019. However, the company did not respond to a direct question asking about the number of impacted accounts. [Emphasis added.]

According to zdnet.com, “[c]redential stuffing attacks are when hackers take username and password combinations that have been made public through security breaches at other companies, and use them to gain access to accounts on other services, hoping that users had reused passwords across accounts.” Further, zdnet.com reported that

[c]ompanies like ad blocker AdGuard, banking giant HSBC, social media site Reddit, video sharing portal DailyMotion, delivery service Deliveroo, enterprise tool Basecamp, restaurant chain Dunkin’ Donuts, tax filing service TurboTax, and UK telco Sky have all publicly acknowledged being on the receiving end of credential stuffing attacks in the past year alone.

Hackers typically use credential stuffing attacks to confirm passwords for online accounts, which they later resell online, on hacking forums or on the dark web. [Emphasis added.]
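The pattern zdnet.com describes, one source trying leaked username/password pairs across many accounts, has a recognisable signature in web login logs, and the handful of successes are exactly the accounts whose credentials have been "confirmed" and need a forced reset, as State Farm did. The detector below is an added example, not code from the original post or from State Farm; the log format and the sample lines are constructed for illustration.

```python
"""Detect credential-stuffing patterns in web login logs.

Added example (not from the original post or from State Farm). A stuffing
run looks like one source spraying MANY distinct usernames, each tried once
or twice, with a high failure rate. The few successes from such a source
are the accounts whose credentials the attacker has just confirmed, i.e.
the ones a defender should force-reset.
"""
from collections import defaultdict
import re

# Constructed sample log lines (hypothetical format: ISO timestamp, client
# IP, username, and the outcome of the login attempt).
SAMPLE_LOG = """\
2019-07-06T02:14:01Z ip=203.0.113.10 user=alice result=FAIL
2019-07-06T02:14:02Z ip=203.0.113.10 user=bob result=FAIL
2019-07-06T02:14:02Z ip=203.0.113.10 user=carol result=OK
2019-07-06T02:14:03Z ip=203.0.113.10 user=dave result=FAIL
2019-07-06T02:14:03Z ip=203.0.113.10 user=erin result=FAIL
2019-07-06T02:14:04Z ip=203.0.113.10 user=frank result=FAIL
2019-07-06T02:14:04Z ip=203.0.113.10 user=grace result=OK
2019-07-06T02:14:05Z ip=203.0.113.10 user=heidi result=FAIL
2019-07-06T02:14:05Z ip=203.0.113.10 user=ivan result=FAIL
2019-07-06T02:14:06Z ip=203.0.113.10 user=judy result=FAIL
2019-07-06T02:15:00Z ip=198.51.100.7 user=mallory result=FAIL
2019-07-06T02:15:10Z ip=198.51.100.7 user=mallory result=FAIL
2019-07-06T02:15:20Z ip=198.51.100.7 user=mallory result=OK
2019-07-06T02:16:00Z ip=192.0.2.44 user=oscar result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "OK"


def detect_stuffing(text, min_users=8, min_fail_ratio=0.7):
    """Return {ip: summary} for sources whose behaviour matches credential
    stuffing: many distinct usernames from one source, mostly failing.
    'confirmed' lists the usernames that succeeded from that source.
    A single user failing a few times on one account (198.51.100.7 in the
    sample) is NOT flagged: that is a forgotten password or a brute force
    on one account, a different signal with a different response."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(),
                                  "fails": 0, "confirmed": []})
    for _, ip, user, ok in parse_log(text):
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        if ok:
            rec["confirmed"].append(user)
        else:
            rec["fails"] += 1

    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["fails"] / rec["attempts"]
        if len(rec["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": rec["attempts"],
                "distinct_users": len(rec["users"]),
                "fail_ratio": round(ratio, 2),
                "confirmed": sorted(rec["confirmed"]),
            }
    return flagged


def accounts_to_reset(text, **kw):
    """Usernames whose valid credentials a flagged source confirmed."""
    names = set()
    for rec in detect_stuffing(text, **kw).values():
        names.update(rec["confirmed"])
    return sorted(names)


if __name__ == "__main__":
    for ip, rec in detect_stuffing(SAMPLE_LOG).items():
        print(ip, rec)
    print("force password reset for:", accounts_to_reset(SAMPLE_LOG))
```

The thresholds are deliberately simple; in production they would be tuned per login endpoint and evaluated over a sliding time window, and the source key would usually combine IP with ASN or device fingerprint, since stuffing tools rotate addresses through proxies.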

State Farm’s “Submitted Breach Notification Sample,” submitted to the California Attorney General, among other things, stated:

State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.

. . . 

During the attempted access, the bad actor received confirmation of a valid user name and password for your account. No sensitive personal information was viewable. After a review of your online account, we have also confirmed that no fraudulent activity occurred. [Emphasis added.]

Additionally, State Farm’s data breach notice stated that State Farm reset passwords “in an effort to prevent additional attempts by the bad actor.”

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

CafePress.com Data Breach – 23+ Million Accounts Impacted

On August 7, 2019, latesthackingnews.com reported that “CafePress.com, an American e-commerce platform, turns out to be another victim of a cyber attack. Although the store hasn’t revealed anything officially, the news surfaced online suggesting a hacking attack happened earlier this year. It turns out that the site CafePress.com suffered a data breach impacting 23 million accounts.”

Latesthackingnews.com also reported that the hack of CafePress.com occurred in February 2019 and impacted 23,205,290 accounts, “exposing the personal details of users,” such as “names, email addresses, SHA-1 hashed passwords, physical addresses, and phone numbers of the users.”

On August 5, 2019, engadget.com reported that “T-shirt seller CafePress has been asking customers to choose new passwords as part of an updated ‘password policy,’ but the news came soon after reports that the site had been the victim of a data breach in February. Have I Been Pwned claimed that over 23.2 million accounts had been exposed, including email addresses, names, physical addresses and phone numbers.”

According to engadget.com, “[p]rovided the reports of a breach are accurate, they raise a number of questions. How recently did CafePress learn of the breach? Has it done anything else to improve security? And why would it only acknowledge a breach through a password reset that doesn’t even mention the security incident? There has been pressure for clearer data breach disclosures, and this could be a textbook example of why. Many users might not even know that there was a breach, let alone how it affects their personal info.”

Kehoe Law Firm, P.C.

Capital One Data Breach – FBI Arrests Former Software Engineer

Former Seattle Technology Company Software Engineer Arrested For Theft of Capital One Financial Corporation Data

On July 29, 2019, USA TODAY reported the following:

Capital One said . . . that personal information, including the Social Security and bank account numbers of more than 100 million individuals, were compromised in a massive data theft that led to the arrest of a Seattle woman. 

Paige A. Thompson, 33, a former software engineer, is accused of stealing data from Capital One credit card applications in what is one of the top 10 largest data breaches ever, according to USA TODAY research.

The FBI arrested Thompson on Monday for the theft, which occurred between March 12 and July 17, court records show. Among the data allegedly collected from a company cloud-based server were Social Security and bank account numbers. [Emphasis added.]

According to Capital One:

Based on [Capital One’s] analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada. 

Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised. 

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: 

Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information[;]

Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018[.]

No bank account numbers or Social Security numbers were compromised, other than:

About 140,000 Social Security numbers of our credit card customers[;]

About 80,000 linked bank account numbers of our secured credit card customers[.]

For [Capital One’s] Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident. [Emphasis added.]

The U.S. Department of Justice press release regarding Thompson’s arrest stated:

A former Seattle technology company software engineer was arrested today on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation, announced U.S. Attorney Brian T. Moran. PAIGE A. THOMPSON a/k/a erratic, 33, made her initial appearance in U.S. District Court in Seattle today and was ordered detained pending a hearing on August 1, 2019.

According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data. [Emphasis added.]

Kehoe Law Firm, P.C. 

Dominion National Data Breach – Data Compromise Recently Discovered

Kehoe Law Firm, P.C. Investigating Potential Claims on Behalf of Victims of Dominion National’s Cyberattack. 

Bleepingcomputer.com reported that “[c]ustomers of Dominion National dental and vision insurer and administrator started to receive notifications about a potential intrusion on the company’s computer systems that may have exposed personal information to an unauthorized party.” Reportedly, “[t]he breach may have occurred almost nine years ago, on August 25, 2010, and was uncovered only recently following an internal alert.” Bleepingcomputer.com also reported that “the company assesses that the systems accessed without authorization included information like names and postal addresses, dates of birth, email addresses, social security numbers, taxpayer IDs, bank details (account, routing numbers), as well as member ID, group, and subscriber numbers.”

If you believe you were a victim of Dominion National’s data breach and have questions or concerns about Kehoe Law Firm’s data breach investigation or potential legal claims, please contact Kehoe Law Firm, P.C., Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected].

Dominion National, “an insurer and administrator of dental and vision benefits,” posted a “Notice of Data Security Incident,” which stated that the data breach “may have involved information related to Dominion National members, members of plans [it] provide[s] administrative services for, producers, and healthcare providers.”

According to the data incident notice:

On April 24, 2019, through [Dominion National’s] investigation of an internal alert, with the assistance of a leading cyber security firm, [Dominion National] determined that an unauthorized party may have accessed some of [Dominion National’s] computer servers. The unauthorized access may have occurred as early as August 25, 2010. . . .

[Dominion National has] undertaken a comprehensive review of the data stored or potentially accessible from those computer servers and [has] determined that the data may include enrollment and demographic information for current and former members of Dominion National and Avalon vision, and current and former members of plans [Dominion National] provide[s] administrative services for. In addition, the data may include personal information for producers who placed Dominion National and Avalon vision policies, and healthcare providers participating in the insurance programs of Dominion National. The member information may have included names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, group numbers, and subscriber numbers. For members who enrolled online through Dominion National’s website, their bank account and routing numbers may have also been included in the data. The provider information may have included names, dates of birth, Social Security numbers, and/or taxpayer identification numbers. The producer information may have included names and Social Security numbers. [Emphasis added.]

Kehoe Law Firm, P.C. 

First American – Data Leak Impacting 900 Million Records

On June 10, 2019, cpomagazine.com reported that “First American, the largest real estate title insurance company in the United States, just won a particularly awful silver medal. An ongoing data leak at the company appears to have exposed the transaction records of about 900 million customers, which would make it the second-largest data breach in history behind the 3 billion accounts that were impacted by the Yahoo! hack of 2013.” 

Cpomagazine.com reported that

Brian Krebs of KrebsOnSecurity broke the story, reporting that the documents involve mortgage deals and date back 16 years to 2003. Krebs reports that the leaked documents include bank account numbers and transaction records, Social Security numbers, driver’s license images, tax records and more. The leaked documents are a treasure trove for cyber criminals in terms of both personal identity theft and business email compromise attacks.

The worst part of all this is that this devastating leak wasn’t the result of a phishing scam, or even an insecure Amazon bucket. First American appears to have failed to secure unique URLs to these documents properly, using a sequential system and allowing anyone to access customers information simply by entering the right URL into a web browser.
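The defect cpomagazine.com describes, sequential document URLs with no check that the requester is entitled to the record behind them, is the classic insecure direct object reference. Below, as an added example that is not First American’s code, a minimal document lookup is shown first in that vulnerable shape and then hardened with a per-object authorization check, unguessable share tokens, and an audit hook that makes URL-walking visible; the data store, user names and documents are constructed for illustration.

```python
"""Sequential document URLs without an authorization check, beside a
hardened lookup.

Added example, not First American's code. The store, users and documents
are constructed for illustration.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int      # sequential ID, e.g. /documents/1001, /documents/1002
    owner: str
    contents: str


# Constructed sample records with sequential IDs, as in the reported leak.
DOCUMENTS = {
    1001: Document(1001, "alice", "closing statement for alice"),
    1002: Document(1002, "bob", "mortgage deed for bob"),
    1003: Document(1003, "carol", "wire instructions for carol"),
}


def fetch_document_insecure(doc_id):
    """Vulnerable: the ID in the URL is the only thing consulted. Whoever
    can count to the next number reads the next customer's record."""
    return DOCUMENTS.get(doc_id)


class Forbidden(Exception):
    pass


AUDIT = []  # constructed sink; in practice an audit log or SIEM feed


def fetch_document(doc_id, requester):
    """Hardened: the caller is assumed to have authenticated `requester`;
    this function then checks that the requester may see *this* object.
    Missing and foreign documents are refused identically so the response
    does not reveal which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != requester:
        AUDIT.append(("denied", requester, doc_id))
        raise Forbidden(f"{requester} may not read document {doc_id}")
    return doc


# Share links use a random, unguessable token instead of the sequential
# ID. That removes enumeration; it does not replace the owner check above,
# which still gates who may mint a token.
SHARE_TOKENS = {}


def issue_share_token(doc_id, requester):
    doc = fetch_document(doc_id, requester)  # only the owner can share
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = doc.doc_id
    return token


def fetch_by_share_token(token):
    doc_id = SHARE_TOKENS.get(token)
    return DOCUMENTS.get(doc_id) if doc_id is not None else None


def denied_enumeration_count(requester):
    """Detection hook: how many distinct IDs one principal has been
    refused. A count that climbs across consecutive IDs is the signature
    of someone walking the URL space, and is what the audit log is for."""
    return len({d for kind, who, d in AUDIT
                if kind == "denied" and who == requester})


if __name__ == "__main__":
    print(fetch_document_insecure(1002))          # anyone gets bob's deed
    print(fetch_document(1001, "alice"))          # alice gets her own
    try:
        fetch_document(1002, "alice")             # refused and audited
    except Forbidden as e:
        print("refused:", e)
    print("denied lookups by alice:", denied_enumeration_count("alice"))
```

The order of the two checks in `fetch_document` matters: authentication establishes who is asking, authorization establishes whether that identity may see this particular record, and the second check is the one the reported design defect lacked. Random tokens are a defence in depth, not a substitute.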

Additionally, cpomagazine.com reported that

[t]he First American data leak is likely to have a long reach and cause a lot of pain. Millions of Americans may now have their most sensitive personal financial details available on the dark web; the company also has clients in Canada and Europe that may have been exposed. First American has retained an outside security firm to determine the extent of the data leak access, but it will likely be difficult given that exfiltration was as simple as knowing the correct master URL. [Emphasis added.]

First American stated in a recent SEC Form 8-K filing that “First American Financial Corporation advises that it shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data. The company is working diligently to address the defect and restore external access.”

A state regulator is, reportedly, investigating First American’s security vulnerability.

Kehoe Law Firm, P.C.

“Major Data Leak” Discovered at Fortune 500 Tech Data Corporation

Reportedly, “[t]he research team at vpnMentor discovered a major data leak at the Tech Data Corporation (NASDAQ: TECD), a Fortune 500 company providing tech products, services, and solutions globally.” Further, “vpnMentor’s researchers, led by security researchers Noam Rotem and Ran Locar, identified the consequential data breach that exposes access to 264GB of Tech Data’s client servers, invoices, SAP integrations, plain-text passwords, and much more.” [Emphasis added.]

vpnMentor also reported that “Tech Data – the 45-year-old veteran infrastructure solutions company working with vendors such as Apple, Cisco, Samsung, Symantec, et al – had a full database leak that seemed to affect much of the corporate and personal data of clients and employees.” According to vpnMentor, the data included, among other things, private API keys, bank information, payment details, and user names and unencrypted passwords.

According to Techcrunch.com,

[t]he server was running a database used for logging internal company events for its StreamOne cloud service, which let customers buy cloud services from a variety of providers and vendors. The logging data contained error data that Tech Data staff can use to troubleshoot issues that arise when customers try to buy service online.

But the tech giant did not put a password on the server, allowing anyone with a web browser to look over daily logs for the last several months.

. . . 

TechCrunch also obtained a portion of the records, which [was] examined for authenticity.

The database contained an array of data, but [TechCrunch] found large swathes of customer data, including names, postal addresses and email addresses, job titles and invoicing data and receipts. The records also contained partial payment information, such as card type, cardholder names and expiry dates.

Aside from obfuscated card numbers, none of the data was encrypted.

It’s not known exactly how many customer records are in the database. The portion of data . . . obtained contained data on tens of thousands of customers — but the database was vastly bigger in size. [Emphasis added.]

Kehoe Law Firm, P.C.