Welcome back to the Data Breach Ripples, we've missed you!
In this week's issue, over 190 million U.S. voter records have been exposed, the BBB warns consumers of fake OPM breach notification letters, a fake IRS spam email is installing malware, the Michaels data breach lawsuit has been thrown out, and for this week's Rippleshot content, we look at three data breach new year resolutions that you should implement in your organization.
A data breach involving a database that contained the information of 191 million registered U.S. voters was exposed shortly before the holidays. Security researchers Chris Vickery and Steve Ragan first discovered the data exposure on December 20, but the database was not taken offline until December 28. Similar voter lists often contain personally identifiable information (PII) including name, date of birth, gender and mailing address. At this time, it is still unclear as to why the database was improperly secured and how the breach took place.
On December 11, the Office of Personnel Management announced that nearly 93 percent of notification letters for the 21.5 million Americans affected by the OPM data breach had been mailed. Nearly a month later, there are concerns regarding the legitimacy of breach notification letters that affected individuals are receiving. The Better Business Bureau (BBB) has issued a warning regarding fake OPM notification letters that are sent by fraudsters to obtain sensitive information. In BBB blog post, the bureau points out that legitimate letters will contain the signature of OPM’s acting director Beth F. Cobert and include a 25 digit PIN to register for credit and identity monitoring services.
Security researchers at Heimdal Security have identified a new spam email campaign from the Internal Revenue Service (IRS). According to Heimdal Security blog post, a spoof email is being distributed to unsuspecting individuals by indicating that they are the recipient of an additional tax refund, requiring an attachment to be opened. If downloaded and opened, two forms of malicious software are installed: Kovter ransomware and CoreBot malware. Once given access, Kovter’s purpose is to encrypt a victim’s data and then CoreBot forces a system shutdown. Once a restart has been completed, the affected user is informed that their data has been encrypted and will only be freed after paying a Bitcoin ransom.
A U.S. District Court judge for the Eastern District of New York has dismissed a class action suit against Michaels for their 2014 data breach. Judge Joanna Seybert has stated that the plaintiff, Mary Jane Whalen, had failed to demonstrate that the breach had either a "substantial risk that harm will occur" or that injuries are "certainly impending." Both statements are the standard for Article III, established in the 2013 Supreme Court ruling in Clapper v. Amnesty International USA. This case has often been used as grounds to dismiss consumer class action suits against companies involving data security risks.
While this court decision has hampered victims of the Michael's data breach, it is now easier for consumers to sue over data breaches.
With over 750 data breaches reported in 2015, security against data breaches has become a top priority for organizations across a variety of industries. Experian’s annual Data Breach Industry Forecast was released recently, highlighting five predictions in 2016. For this week’s Rippleshot content, we have created a list of three data breach goals that your organization should strive for in the new year. We cover everything from the expected shift in fraud from card-present transactions to online transaction, employee security training and creating a strategy to deter cyber-extortion.
To learn more, click here.