Data Security Breaches
Data privacy and data security compliance are among the key challenges facing businesses and individuals today. Given rapidly changing technology, business models, and consumer needs; media and public scrutiny; and complex and emerging laws, data privacy is at greater risk than ever before.
Concerns over information, cybersecurity, and privacy have stressed the priority of the lawful collection and sharing of information and the protection of sensitive personal information. The truth is that too few resources are spent on cybersecurity; many more are needed. Regulators, including state attorneys general and federal authorities such as the Federal Trade Commission (FTC), continue to bring new enforcement actions, and the legal community notes that significant awards are a real potential for clients who have experienced issues involving forged emails and counterfeit websites, attacks involving denial of service, system and privacy hacks, and unauthorized access issues.
Parker Waichman's attorneys have deep and broad knowledge and experience with privacy, data, and cyber-security issues and our firm is investigating potential lawsuits on behalf of individuals and businesses that have suffered a data breach.
Hacks are on the Rise
The Ashley Madison extra-marital dating website has made recent headlines for a serious data breach, but it is not the first hack that has made headlines in recent months. Security experts say that the trend is on the rise.
"I think we're going to see more of it as people see how effective it is," Bruce Schneier, chief technology officer for Resilient Systems, a security company, told The New York Times, in response to the breach at Ashley Madison. However, regardless of the type of service offered by a website, "consumers must be confident that their data will be protected," The New York Times writes.
Data Breach Compromises
Those impacted by data breaches are susceptible to identity theft. Among the many potential pieces of data, breaches typically impact at least the following types of information:
- Name: real and pseudonym
- Email address
- Financial data
- Birth date
- Social Security number
- Chat history and information, chat transcripts
- Member ID
- User name
- Telephone number
- Employment information
- Credit or debit card information: Number, expiration dates, and card verification value (CVV)
- Other private, personal information
Ashley Madison Dating Website, Cougar Life, and Established Men Breach 2015
In July 2015, the Ashley Madison dating website was hacked. The dating website caters to married individuals seeking extramarital affairs and boasts some 37 million members. The operators of the website had previously touted its data security superiority.
Ashley Madison is an obvious draw to blackmailers and hackers given its massive member databases. What's more, the hacker, or hackers, involved are reportedly unhappy with Ashley Madison's "full delete service," according to CNN Money.
While the service promises a full deletion of a user's profile and all related data for a $19 fee, the hackers disagreed and were quoted as writing, in a manifesto published by Brian Krebs, a reporter who covers online security, that "Full Delete netted [Avid Life Media] $1.7 million in revenue in 2014. It's also a complete lie…. Users almost always pay with credit card; their purchase details are not removed as promised, and include real names and address, which is of course the most important information the users want removed."
Avid Life Media, Ashley Madison's parent company, defended its service, responded that it would provide the service free of charge, and indicated that it had hired "one of the world's top IT security teams" to work on the breach. Meanwhile, Avid Life Media owns another two popular websites that were also breached: Cougar Life and Established Men.
Avid Life Media indicated that the hackers, who go by the name Impact Team, may have obtained personal data about Ashley Madison's millions of members. Impact Team indicated that Avid Life Media must shut down Ashley Madison, or the data (real names, passwords, and members' financial transactions) will be released, The New York Times wrote. Impact Team did release some information online; however, what was released is not the bulk of what was collected. "We immediately launched a thorough investigation … utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident," Avid Life Media responded.
Although Ashley Madison maintains that once a user deletes an account, all of the related information is erased, the hackers maintain that user information is never really deleted. Security experts indicate this knowledge points to the possibility that someone within the company is involved. Noel Biderman, chief executive of Avid Life Media, told Mr. Krebs that the hacker "was definitely a person here that was not an employee but certainly had touched our technical services," according to The New York Times.
American copyright law enables Ashley Madison to scrub the private user information that was leaked in the breach and posted elsewhere, and the company indicated that it was doing just that. According to Paul Ferguson, senior adviser for Trend Micro, a security software provider, information on Ashley Madison that was deleted in one online forum is now appearing on others. He told The New York Times, "Once something is published on the Internet, it's there forever."
Adult FriendFinder Hack 2015
In March 2015, the sexual preferences of over 3.5 million individuals were exposed, including fetishes and other secrets, when the Adult FriendFinder dating site was hacked. Adult FriendFinder indicates that it has 64 million members and that it has "helped millions of people find traditional partners, swinger groups, threesomes, and a variety of other alternative partners."
Exposed personal information included customer email addresses, user names, passwords, dates of birth, and zip codes, according to CNN Money.
Sony Breach 2015
Sony admitted to having suffered a major cyber-security breach involving the deletion of data from its systems and theft and public release of pre-release movies, people's private information, and sensitive documents, according to Forbes.
Kevin Mandia, head of the Mandiant cybersecurity group retained by Sony to investigate the 2014 breach and ensure no future breaches, wrote in a memo to Sony staff from its CEO that the breach was an "unparalleled crime" that was "unprecedented in nature." The firm claimed that the malware used was not detected by antivirus programs, an unusual claim given that undetectable malware has been in existence for more than 20 years, according to Forbes.
Meanwhile, nearly 10 years prior, Sony was warned about possible deficiencies in its information security program, such as use of weak passwords.
Stolen materials included unreleased movies, a key Sony asset, and highly confidential documents that included salary schedules, social security numbers, and private communications. Documents reveal that Sony staff was using weak passwords and that Sony's established data management policies were poor. Also, data belonging to a different firm was potentially and inappropriately stored on Sony computers.
Anthem Data Breach 2015
A massive data breach at Anthem occurred in February 2015. Compromised data included names, birth dates, member IDs, social security numbers, addresses, telephone numbers, email addresses, and employment information.
The hackers apparently entered Anthem's servers, potentially stealing the personal information for approximately 80 million individuals. At the time, various states announced that Anthem did not appropriately communicate this information.
CNET reported that Anthem CEO Joseph Swedish indicated that Anthem planned on contacting all individuals whose data was compromised and also promised free credit monitoring and identity protection services. Attorneys general (AGs) from 10 U.S. states (Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island), according to CNET, previously indicated that Anthem never fulfilled these promises.
Information stolen from Target between November 27, 2013 and December 15, 2013 impacted 70 million individuals, 40 million more than the company's original estimates, according to Forbes. The hack involved upwards of 40 million credit card and debit card accounts with information that included customer names, credit or debit card numbers, card expiration dates, and card verification value (CVV) information. A follow-up on the number of individuals involved also updated the data involved to include mailing addresses, phone numbers, and email addresses.
PlayStation Breach at Sony 2011
Sony was subject to what Forbes described as a "major breach" and Reuters described as a "massive breach" in its PlayStation video game online network. The breach led to theft of PlayStation Network and Qriocity passwords, user names, online user handles, and possibly credit card data, including names and addresses, for 77 million user accounts.
The attack was, at the time, considered "one of the largest-ever Internet security break-ins," wrote Reuters. It took Sony about one week to advise the public, although it shut down its network, including its PSN and Qriocity services, immediately. The hack occurred between April 17 and 19, 2011; Sony learned of the breach on April 19, 2015; and Sony advised the public about the breach on April 26, 2011.
According to Reuters, the "illegal and unauthorized person" obtained names, addresses, email addresses, birth dates, user names, passwords, logins, and security questions, to name just some, Sony wrote on its United States PlayStation blog at the time. Sony noted that children whose accounts were created by their parents might also have had data exposed. Also at the time, Alan Paller, research director of the SANS Institute, said that the breach may have been the largest theft of identity data information.
"This is a huge data breach," said Wedbush Securities analyst Michael Pachter. "The bigger issue with Sony is how will the hacker use the info that has been illegally obtained?" Paller said that Sony likely did not focus sufficient attention on security when developing the software that runs its network. "They have to innovate rapidly. That's the business model," Paller said. "New software has errors in it. So they expose code with errors in it to large numbers of people, which is a catastrophe in the making." Pachter indicated that he suspected that the hackers were able to enter the network via the system administrator's PC. The administrator had rights to sensitive information concerning Sony's customers and the hackers likely entered by sending the administrator an email message containing a piece of malicious software that was then downloaded onto that PC.
2009: 7-Eleven Inc., T.J. Maxx, Barnes & Noble, Sports Authority, OfficeMax, Target, Heartland Payment Systems, Hannaford Bros.
In 2009, computer hacker Albert Gonzalez pleaded guilty to stealing tens of millions of payment card numbers and agreed to a sentence of up to 25 years in federal prison. He said he broke into corporate computer systems at a variety of organizations, including 7-Eleven Inc., T.J. Maxx, Barnes & Noble, Sports Authority, OfficeMax, Hannaford Bros., Heartland Payment Systems, and Target. At the time, the hack was considered among the largest cases of identity theft in U.S. history, according to The Washington Post.
Mr. Gonzalez was charged with conspiracy, wire fraud, and aggravated identity theft in federal courts in New York and Boston. Court documents filed in Boston federal court indicate that he agreed to plead guilty to 19 counts and to have the two cases combined in federal court in Massachusetts. Had he been convicted of all the charges involved in the plea agreement, he would have faced a sentence of several hundred years. Outside of the plea deal at the time were additional pending charges in New Jersey.
The self-taught computer genius became addicted to technology and was accused of swiping credit and debit card numbers for more than 170 million accounts. He also spearheaded a group that targeted a variety of large companies. Gonzalez was arrested in 2003; however, charges were not filed and he was made an informant assisting the Secret Service in tracking down other hackers.
In May 2008, he was arrested by federal authorities while staying at a luxurious Miami Beach hotel. Agents collected $22,000 in cash, computer equipment, and a Glock 9mm handgun.
Indictments in New York and Massachusetts indicate that Mr. Gonzalez and two foreign co-defendants used hacking techniques such as "wardriving" (cruising through various areas with a laptop computer to seek retailers' accessible wireless Internet signals). Mr. Gonzalez had been negotiating a plea agreement on these charges when the U.S. attorney's office in New Jersey brought additional charges against him. As part of the deal, Mr. Gonzalez had to relinquish his computers, home, car, and cash. His girlfriend had to give up a Tiffany ring and his father and friends had to return Rolex watches they received from Gonzalez. Agents seized $1.1 million that was buried in his parents' back yard, as well, wrote The Washington Post.