Tag Archives: Data Breach

IRS notifying more taxpayers about potential data breach

Hackers may have accessed the tax transcripts of approximately 724,000 United States taxpayers by using stolen personal information, the Internal Revenue Service announced Friday.

The agency also said hackers targeted another 576,000 accounts, but could not access them.

The announcement followed a nine-month investigation into its “Get Transcript” application.

The tool was launched in January 2014 and gave taxpayers a way to download or order several years of their transcripts through the IRS website.

However, the agency announced last May that “criminals” had been able to access other tax histories that were not their own by using personal information that had been stolen elsewhere.

The IRS originally announced that about 114,000 transcripts may have been improperly accessed, while hackers targeted another 111,000 but were unsuccessful in their attempts.

The tool has been offline ever since while officials searched for other suspicious activity.

The Treasury Inspector General for Tax Administration (TIGTA) has handled the investigations.

In August, the IRS announced TIGTA found about another 220,000 cases of potential breaches since “Get Transcript” debuted, and about 170,000 more unsuccessful suspicious attempts.

On Friday, the IRS announced TIGTA’s latest review found about 390,000 potential additional cases of improper access, and some 295,000 cases where tax data was targeted but not obtained.

The IRS noted that some of the attempts might not have been malicious.

“It is possible that some of those identified may be family members, tax return preparers or financial institutions using a single email address to attempt to access more than one account,” it said in a statement, though added it is notifying all of the affected taxpayers as a precaution.

The latest wave of taxpayers will be notified through the mail beginning Feb. 29, the IRS said.

“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” IRS Commissioner John Koskinen said in Friday’s announcement. “We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed.”

The agency is offering all affected taxpayers free identity theft protection services and the chance to obtain an identity protection PIN, which helps protect Social Security numbers on returns.

Canada stops sharing some spy info with allies after breach

OTTAWA (Reuters) – Canada has stopped its electronic spy agency from sharing some data with key international allies after discovering the information mistakenly contained personal details about Canadians, government officials said on Thursday.

Ottawa acted after learning that the Communications Security Establishment (CSE) agency had failed to properly disguise metadata – the numbers and time stamps of phone calls but not their content – before passing it on to their international partners.

“CSE will not resume sharing this information with our partners until I am fully satisfied the effective systems and measures are in place,” Defense Minister Harjit Sajjan said in a statement.

Sajjan, who has overall responsibility for the agency, did not say when Canada had stopped sharing the data in question.

Canada is part of the Five Eyes intelligence sharing network, along with the United States, Britain, Australia and New Zealand. CSE, like the U.S. National Security Agency, monitors electronic communication and helps protect national computer networks.

While the agency is not allowed to specifically target Canadians or Canadian corporations, it can scoop up data about Canadians while focusing on other targets.

Sajjan, blaming technical deficiencies at CSE for the problems, said the metadata that Canada shared did not contain names or enough information to identify individuals and added: “The privacy impact was low.”

He made the announcement shortly after an official watchdog that monitors CSE revealed the metadata problem. The watchdog said CSE officials themselves had realized they were not doing enough to disguise the information they shared.

An NSA program to vacuum up Americans’ call data was exposed publicly by former NSA contractor Edward Snowden in 2013 and prompted questions about the CSE’s practices.

(Reporting by David Ljunggren; Editing by Diane Craft)

Wendy’s probing likely fraudulent payment-card charges

(Reuters) – Burger chain operator Wendy’s Co said on Wednesday it was investigating reports of unusual activity with payment cards used at some of its 5,700 locations in the United States.

“Reports indicate fraudulent charges may have occurred elsewhere after payment cards were legitimately used at some restaurants,” Wendy’s spokesman Bob Bertini told Reuters in an email statement.

Large retailers such as Target Corp and Home Depot Inc have been victims of security breaches in recent years. Gourmet sandwich chain Jimmy John’s was also breached in 2014.

“Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident,” Bertini said. “We have hired a cyber security firm to assist, but are not disclosing the name at this point.”

Security blog Krebs on Security first reported the development earlier in the day.

(Reporting by Subrat Patnaik and Sruthi Ramakrishnan in Bengaluru; Editing by Savio D’Souza and Maju Samuel)

White House announces major background checks overhaul following data breach

WASHINGTON (Reuters) – The U.S. government will set up a new agency to do background checks on employees and contractors, the White House said on Friday, after a massive breach of U.S. government files exposed the personal data of millions of people last year.

As a part of a sweeping overhaul, the Obama administration said it will establish a National Background Investigations Bureau. It will replace the Office of Personnel Management’s (OPM) Federal Investigative Services (FIS), which currently conducts investigations for over 100 Federal agencies.

The move, a stiff rebuke for FIS and OPM, comes after last year’s disclosure that a hack of OPM computers exposed the names, addresses, Social Security numbers and other sensitive information of roughly 22 million current and former federal employees and contractors, as well as applicants for federal jobs and individuals listed on background check forms.

Unlike FIS, the new agency’s information systems will be handled by the Defense Department, making it even more central to Washington’s effort to bolster its cyber defenses against constant intrusion attempts by hackers and foreign nationals.

“We can substantially reduce the risk of future cyber incidents” by applying lessons learned in recent years, said Michael Daniel, White House cyber security policy coordinator, on a conference call with reporters.

The White House gave no timeline for implementing the changes, but said some would begin this year. It will seek $95 million more in its upcoming fiscal 2017 budget for information technology development, according to a White House fact sheet.

‘NOT THERE YET’

Officials have privately blamed the OPM data breach on China, though security researchers and officials have said there is no evidence Beijing has maliciously used the data trove.

Controversy generated by the hack prompted several congressional committees to investigate whether OPM was negligent in its cyber security practices. OPM Director Katherine Archuleta resigned last July as the government intensified a broad push to improve cyber defenses and modernize systems.

“Clearly we’re not there yet,” Admiral Mike Rogers, head of the National Security Agency, said at a cyber security event in Washington this week when asked about U.S. preparedness against hacks. The damage done by cyber attacks, he added, “is going to get worse before it gets better.”

OPM has been plagued by a large backlog of security clearance files, prompting it to rely on outside contractors for assistance, possibly compromising cyber security.

The Defense Department and OPM did not respond when asked if the government will still rely on support from contractors.

Representative Jason Chaffetz, the Republican chairman of a House of Representatives panel that has been looking into the issue, said Friday’s announcement fell short.

“Protecting this information should be a core competency of OPM,” Chaffetz said in a statement. “Today’s announcement seems aimed only at solving a perception problem rather than tackling the reforms needed to fix a broken security clearance process.”

(Additional reporting by Mark Hosenball and Andrea Shalal; editing by Kevin Drawbaugh, Susan Heavey and Alan Crosby)

Hyatt says data breach started in August

(Reuters) – Hyatt Hotels Corp said a previously reported malware attack on its payment processing system occurred between August 13 and Dec. 8.

The hotel operator said on Thursday it identified unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at its restaurants.

The company also said the “at-risk window” for a limited number of locations began on or shortly after July 30.

Shares of Hyatt were down 3.1 percent in afternoon trading.

Hyatt also said it has arranged a third-party identity protection and fraud detection firm to provide one year of services to affected customers at no cost.

The company did not disclose the number of cards affected.

The company disclosed in December that its payment processing system was infected with information-stealing malware but did not mention how long its network was infected.

Hyatt, controlled by the billionaire Pritzker family, is the fourth major hotel operator to warn of a breach since October.

Hilton Worldwide Holdings Inc and Starwood Hotels & Resorts Worldwide Inc disclosed attacks on payment processing systems in November.

Donald Trump’s luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.

(Reporting by Radhika Rukmangadhan in Bengaluru; Editing by Don Sebastian)

Database of 191 Million U.S. Voters Exposed on Internet: Researcher

By Jim Finkle and Dustin Volz

(Reuters) – An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview.

Vickery, a tech support specialist from Austin, Texas, said he found the information while looking for information exposed on the Web in a bid to raise awareness of data leaks.

Vickery said he could not tell whether others had accessed the voter database, which took about a day to download.

While voter data is typically considered public information, it would be time-consuming and expensive to gather a database of all American voters. A trove of all U.S. voter data could be valuable to criminals looking for lists of large numbers of targets for a variety of fraud schemes.

“The alarming part is that the information is so concentrated,” Vickery said.

Vickery said he has not been able to identify who controls the database, but that he is working with U.S. federal authorities to find the owner so they can remove it from public view. He declined to identify the agencies.

A representative with the Federal Bureau of Investigation declined to comment.

A representative with the U.S. Federal Elections Commission, which regulates campaign financing, said the agency does not have jurisdiction over protecting voter records.

Regulations on protecting voter data vary from state to state, with many states imposing no restrictions. California, for example, requires that voter data be used for political purposes only and not be available to persons outside of the United States.

Privacy advocates said Vickery’s findings were troubling.

“Privacy regulations are required so a person’s political information can be kept private and safe,” said Jeff Chester, executive director of the Washington-based Center for Digital Democracy. The leak was first reported by CSO Online and Databreaches.net, computer and privacy news sites that Vickery said helped him attempt to locate the database’s owner.

CSO Online said the exposed information may have originally come from campaign software provider NationBuilder because the leak included data codes similar to those used by that firm.

In a statement, NationBuilder Chief Executive Officer Jim Gilliam said the database was not created by the Los Angeles-based company, but that some of its information may have come from data it freely supplies to political campaigns.

“From what we’ve seen, the voter information included is already publicly available from each state government, so no new or private information was released in this database,” Gilliam said.

(Reporting by Jim Finkle and Dustin Volz; Editing by Jonathan Oatis)

Children among 5 million affected by VTech hack

Hackers gained access to the private information of about 5 million adults and children who used VTech toys, and some security experts warn that similar data breaches could follow.

The Hong Kong-based digital toy manufacturer announced the massive data breach in a news release on Friday, saying a hacker compromised the company’s Learning Lodge earlier this month. The Learning Lodge is a portal that customers use to download content to VTech toys.

The hackers gained access to VTech’s customer database, which the company said includes information like email addresses and passwords but not social security or credit card numbers.

PC Magazine reported the hack was the fourth largest breach of consumer data on record.

The online technology magazine Motherboard reported on Monday that it spoke to the hacker behind the breach. The hacker claimed he also accessed photographs of children and transcripts of conversations between parents and their kids, some of which dated back to last November.

That data was reportedly sent through VTech’s Kid Connect service, a channel through which adults with smartphones and children with VTech tablets can exchange text and audio messages.

The hacker told Motherboard he didn’t intend to publish or release any of the data he obtained.

VTech said it investigated the breach and implemented steps to combat further attacks. Attorney generals from Connecticut and Illinois said they will also investigate, Reuters reported Monday.

The Reuters report quoted cyber security experts who cautioned that additional breaches like this one are possible. While many digital toys collect data, the experts told Reuters that toy makers don’t necessarily have the same security background as others in the tech industry.

“VTech is a toymaker and I don’t expect them to be security superstars,” Tod Beardsley, the security research manager at the cyber security company Rapid7 Inc., told Reuters. “They are amateurs in the field of security.”

Hong Kong’s Office of the Privacy Commissioner for Personal Data began a “compliance check” on VTech on Tuesday, according to a news release. The inquiry will examine if VTech did enough to safeguard the data before it was breached, as well as the corrective measures it implemented.