State Regulator Investigating First American’s Security Vulnerability

On May 29, 2019, The New York Times reported that New York’s Department of Financial Services “is investigating a security vulnerability at First American Financial Corporation, a title insurance company, that exposed an estimated 885 million records related to mortgage deals.”

According to The New York Times:

The inquiry, by the Department of Financial Services, is likely to be followed by other investigations from regulators and law-enforcement authorities into a security failure that exposed 16 years of digital documents containing bank account statements, tax records, Social Security numbers, wire transaction receipts and images from drivers licenses.

In terms of the sheer number of exposed records, the breach appears to be the largest since an attack on Yahoo that compromised three billion user accounts. First American left the documents on a website that was publicly accessible, without any authentication protections, according to a report published on Friday by KrebsOnSecurity, a security news site.

First American said on Tuesday that it had shut down external access to the web application that had revealed the customer data. But the data already revealed was not easy to erase, and some of it remains accessible in search engine caches.

The New York Times also reported that the probe by the Department of Financial Services “is the first begun by the agency under a new state cybersecurity regulation,” a regulation “considered the strictest in the nation,” which “requires financial companies to regularly audit and report on how they protect sensitive data.” The cybersecurity regulation also, according to The New York Times, “allows the agency to impose financial penalties on companies for violations it considers reckless or willful.”

Kehoe Law Firm, P.C.

Checkers & Rally’s Data Breach – Restaurants in 20 States Affected

On May 29, 2019, Tampa, Florida-based Checkers Drive-In Restaurants, Inc. (“Checkers” or the “Company”) issued a “Notice of Data Breach,” which, among other things, stated that the Company “. . . recently became aware of a data security issue involving malware at certain Checkers and Rally’s locations. After discovering the issue, [Checkers] quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter. [The Company has] worked closely with the third-party security experts to contain and remove the malware.”

Checkers also advised that it “. . . determined that malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations, which appears to have enabled an unauthorized party to obtain the payment card data of some guests.” The data breach notice provides a “list of the impacted locations and their respective estimated dates of exposure.” According to Checkers, “[a]pproximately 15% of Checkers and Rally’s restaurants were affected by this issue.”

Checkers advised that “[t]he malware was designed to collect information stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date,” and “[n]ot all Checkers and Rally’s restaurants and not all guests who visited the impacted restaurants during the relevant time periods were affected by this issue.”

The Tampa Bay Times reported that the breach affected Checkers and Rally’s restaurants in 20 states, “at just over 100 Checkers and Rally’s locations.” According to the Tampa Bay Times, “Checkers did not disclose over what period of time the breach took place.”

Please click here for a “List of Affected Restaurants and Estimated Windows of Exposure,” and please click here for data breach-related FAQs published by the Company.

Kehoe Law Firm, P.C.


Flipboard Data Breach – 2 Hacks in the Past Year

On May 29, 2019, Forbes.com reported that “Flipboard, the hugely popular news aggregation app that is used by 150 million people each month, has been hacked. Twice. According to a security notice posted by Flipboard, what it calls ‘unauthorized access’ to databases took place between June 2, 2018 and March 23, 2019 as well as April 21, 2019 and April 22, 2019. The hacker is confirmed as having ‘potentially obtained copies of certain databases containing Flipboard user information.'”

On May 29, 2019, theinquirer.net reported that “[t]he data of 1.5 million accounts is thought to have been affected, but sensitive information such as passwords should be ok because they are protected with ‘salted hashing’.”

Flipboard’s “Notice of Security Incident” reported the following:

What happened

[Flipboard] recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, [Flipboard] immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.

What information was involved

The databases involved contained some of [Flipboard] users’ account information, including name, Flipboard username, cryptographically protected password and email address.

Flipboard has always cryptographically protected passwords using a technique known by security experts as “salted hashing”. The benefit of hashing passwords is that [Flipboard] never need[s] to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computer resources to crack these passwords. If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.

Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account. [Flipboard has] not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, [Flipboard has] replaced or deleted all digital tokens.

Importantly, [Flipboard does] not collect from users, and this incident did not involve, Social Security numbers or other government-issued IDs, bank account, credit card, or other financial information. [Emphasis added.]

For additional information about what steps Flipboard is taking, what Flipboard users can do, as well as additional information about the data breach, please click here.
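The notice above distinguishes passwords stored as salted SHA-1 (unchanged since 2012) from those stored with bcrypt. The following added example, which is not Flipboard’s code, shows why that split matters to a defender and the standard remedy: verify the legacy record, then rehash it with a slow, salted KDF the moment the user logs in, since that is the only point at which the plaintext is available. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the records and salts are constructed.

```python
import hashlib
import hmac
import secrets

# PBKDF2 stands in for bcrypt (assumption: bcrypt is not in the stdlib).
# The point is the same: a deliberately slow, per-user-salted function.
PBKDF2_ROUNDS = 200_000


def legacy_sha1_record(password: str, salt: bytes) -> dict:
    """Salted SHA-1 as described in the notice: a per-user salt defeats
    precomputed tables, but one fast hash is still cheap to brute-force."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return {"scheme": "sha1", "salt": salt.hex(), "hash": digest}


def slow_kdf_record(password: str, salt: bytes) -> dict:
    """Slow, salted KDF: each guess costs PBKDF2_ROUNDS hash iterations."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": dk.hex()}


def verify(record: dict, password: str) -> bool:
    """Verify a password against either record format."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha1":
        candidate = legacy_sha1_record(password, salt)["hash"]
    else:
        candidate = slow_kdf_record(password, salt)["hash"]
    # Constant-time comparison so the check does not leak hash bytes via timing.
    return hmac.compare_digest(candidate, record["hash"])


def login_and_upgrade(record: dict, password: str) -> dict:
    """On a successful login against a legacy SHA-1 record, replace it with a
    slow-KDF record under a fresh random salt. Failed logins leave it as is."""
    if not verify(record, password):
        return record
    if record["scheme"] == "sha1":
        return slow_kdf_record(password, secrets.token_bytes(16))
    return record


if __name__ == "__main__":
    # Constructed sample: a user whose record dates from the SHA-1 era.
    old = legacy_sha1_record("correct horse", bytes.fromhex("00112233445566778899aabbccddeeff"))
    new = login_and_upgrade(old, "correct horse")
    print(old["scheme"], "->", new["scheme"])  # sha1 -> pbkdf2
```

Records that are never logged into again stay on the weak scheme indefinitely, which is exactly the population the notice describes; a defender should either force a reset for them or treat them as compromised once the hash table leaks.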

Kehoe Law Firm, P.C.


$900,000 Settlement by Medical Informatics From 2015 Data Breach

On May 29, 2019, HealthITSecurity.com reported that “. . . Medical Informatics Engineering has reached a $900,000 settlement in the country’s first federal multistate lawsuit, stemming from its health data breach impacting 3.5 million patients in 2015.”

According to HealthITSecurity.com:

The settlement comes just days after the Department of Health and Human Services Office for Civil Rights announced its settlement with MIE, which included a $100,000 civil monetary penalty and a corrective action plan.

The multistate agreement stems from the 2018 lawsuit filed against MIE by the patients across 16 states who were impacted by the EMR service vendor’s 2015 hack. Officials discovered a “sophisticated cyberattack” on their servers in May 2015 that gave hackers access to the protected health information of millions of patients, including Social Security numbers and clinical data. [Emphasis added.]

HealthITSecurity.com also reported that

[t]he proposed multistate consent judgement will resolve allegations that MIE violated HIPAA provisions, along with state personal information protection laws, notice of data breach statutes, and unfair and deceptive practice laws.

Under the multistate agreement, MIE is required to implement and maintain an information security program and a security incident and event monitoring security tool to detect and respond to malicious cyberattacks. Further, MIE must implement data loss prevention technology to prevent and detect unauthorized data exfiltration.

MIE is also required to create password policies and procedures to enforce the use of strong, complex passwords. The vendor will also need to implement multi-factor authentication procedures for remote-access processes on systems that store or permit access to electronic protected health information.

Lastly, MIE must implement controls during the creation of accounts that allow access to ePHI. The $900,000 financial penalty will be distributed to the 16 states involved in the lawsuit: Florida, North Carolina, Arizona, Arkansas, Wisconsin, Kansas, Kentucky, Louisiana, Michigan, Nebraska, Minnesota, West Virginia, Iowa, Indiana, Tennessee, and Connecticut. [Emphasis added.]

Source: HealthITSecurity.com

Kehoe Law Firm, P.C.

First American Issues Statement Regarding Security Incident

First American Financial Corporation Issues Statement Regarding Its Ongoing Investigation Into a Reported Security Incident

On May 28, 2019, First American Financial Corporation (“First American”) issued a press release which, among other things, stated:

First American Financial Corporation advises that it shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data. The company is working diligently to address the defect and restore external access.

An outside forensic firm has been retained to aid in assessing the extent to which any customer information may have been compromised. Though the ongoing investigation is in its early stages, at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred. The company plans to provide updates on its investigation exclusively on its website at https://www.firstam.com/incidentupdate.

. . . 

If the investigation shows that any confidential information has been compromised, the company will notify and provide credit monitoring services to the affected consumers. First American will soon provide a mechanism through its website, https://www.firstam.com/incidentupdate, that will give consumers who believe their confidential information has been compromised the ability to report this to the company. [Emphasis added.]

As previously reported, on May 27, 2019, a class action complaint was filed in United States District Court, Central District of California, against First American Financial Corporation and First American Title Company alleging, among other things, that defendants, “[d]espite explicitly promising customers robust data security as part of the high cost of title services, . . . allowed anyone to access the sensitive files of millions of customers.”

The class action was filed on behalf of a proposed class of “[a]ll persons who utilized First American’s title insurance or other closing services in a real estate transaction that involved mortgage financing.”

On May 19, 2019, Krebsonsecurity.com reported that “[t]he [w]eb site for Fortune 500 real estate title insurance giant First American Financial Corp. . . . leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified . . . by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a [w]eb browser.”

Kehoe Law Firm, P.C.

First American – Exposure of Sensitive Customer Data Alleged

On May 27, 2019, a class action complaint was filed in United States District Court, Central District of California, against First American Financial Corporation and First American Title Company (collectively, “First American”) alleging, among other things, that First American, “[d]espite explicitly promising customers robust data security as part of the high cost of title services, . . . allowed anyone to access the sensitive files of millions of customers.”

According to the complaint:

First American made it incredibly easy for the public to access this private information by failing to implement even rudimentary security measures.  Suppose that you are a First American customer. The company provides you with a URL to access your documents on its website. That URL might end in “DocumentID= 000000075.”

Now suppose you want to access someone else’s personal file. Type the same URL but alter the Document ID number by one digit—say, “DocumentID= 000000076”—and someone else’s personal file will appear. Change the numbers again (and again), and you will reveal still more personal files.

It took no computer sleuthing to uncover numbers that will pull personal data; First American’s document identification numbers were sequential. Follow that sequence 885 million times—1, 2, 3, 4, and so forth—and you could access all 885 million documents.

Because First American breached promises and was negligent in its data security, the American dream of home ownership is now a financial security nightmare, as individuals who did business with this company face a serious threat of identity theft or other financial harms. [Emphasis added.]

Moreover, according to the complaint:

First American’s document storage solutions were not secure. On May 24, 2019, cybersecurity researcher Brian Krebs announced that 885 million files were available on First American’s website for anyone to access. The files contained bank account numbers, Social Security numbers, financial and tax records, and images of drivers’ licenses. [Emphasis added.]

The class action was filed on behalf of a proposed class of “[a]ll persons who utilized First American’s title insurance or other closing services in a real estate transaction that involved mortgage financing.”
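The complaint describes a document endpoint whose only “key” was a sequential DocumentID in the URL. The following added example, which is not First American’s code and assumes a constructed in-memory document store and log format, contrasts that pattern with a handler that authorizes against the authenticated session, shows how an unguessable handle removes the sequence from the URL, and includes a detection check that flags a client walking consecutive IDs in access logs.

```python
import secrets
from collections import defaultdict

# Constructed store: sequential IDs, each belonging to exactly one customer.
DOCUMENTS = {
    75: {"owner": "alice", "body": "closing statement"},
    76: {"owner": "bob", "body": "bank statement"},
}


def fetch_document_vulnerable(document_id: int) -> dict:
    """The pattern the complaint describes: the URL parameter is trusted as-is."""
    return DOCUMENTS[document_id]


def fetch_document_hardened(session_user, document_id: int) -> dict:
    """Authorize using the authenticated session, never the URL alone."""
    if session_user is None:
        raise PermissionError("authentication required")
    doc = DOCUMENTS.get(document_id)
    # One error for both "missing" and "not yours", so valid IDs can't be confirmed by probing.
    if doc is None or doc["owner"] != session_user:
        raise PermissionError("not found")
    return doc


def authorized(session_user, document_id: int) -> bool:
    try:
        fetch_document_hardened(session_user, document_id)
        return True
    except PermissionError:
        return False


def issue_handle(document_id: int, handles: dict) -> str:
    """Map a random, unguessable token to the internal ID so URLs expose no sequence."""
    token = secrets.token_urlsafe(24)
    handles[token] = document_id
    return token


def detect_sequential_walk(log_lines, threshold: int = 5):
    """Flag clients that request `threshold` or more consecutive DocumentIDs.
    Constructed log format: "<client> GET DocumentID=<zero-padded id>"."""
    seen = defaultdict(list)
    for line in log_lines:
        client, _, param = line.split()
        seen[client].append(int(param.split("=")[1]))
    flagged = []
    for client, ids in seen.items():
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b == a + 1)
        if steps + 1 >= threshold:
            flagged.append(client)
    return flagged
```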

For additional information, see “First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records.”

Kehoe Law Firm, P.C.