Tag Archives: database

Breach Brief – Exactis

Who is Exactis and what do they know about me? That is the question you need to be asking. No, you haven’t heard of Exactis, but they may have exposed some of your most personal information to hackers. You, along with everybody else in the U.S.

Exactis is a major data gathering company based in Palm Coast, FL. The Exactis website describes the company as a compiler and aggregator of business and consumer data. Exactis claims to have a store of information it refers to as a “universal data warehouse” that contains 3.5 billion consumer, business and digital records. Exactis claims these records are updated monthly. According to Exactis’ LinkedIn profile it is a privately owned company with only 10 employees. Exactis gathers this information from cookies on personal computers, credit and debit transaction records and other sources.

Now you should ask: what do they know about me? The exposed records contain more than 400 different characteristics that include whether the person smokes, what their religion is and whether they have dogs or cats. But, according to Wired.com, some of the information is inaccurate or outdated.

Your next question is: how did this happen? According to security researcher Vinny Troia, the company leaked the data of 340 million individuals by storing it on an unsecured server accessible through the internet. According to Wired.com, Troia discovered what he describes as nearly two terabytes of data.

Troia reported the data breach to both Exactis and the FBI. Exactis reacted by securing the data so that it’s no longer accessible.

But now ask: did criminals know this? Did they access the information? The answer to that question is unknown. But since Exactis has not admitted to the data breach and it is no longer accessible, no one really knows how many people are affected. According to Wired.com, Troia found two versions of the database, each holding an estimated 340 million records. This number breaks down into 230 million consumer records and 110 million on business contacts.

But Marc Rotenberg, the executive director of the non-profit Electronic Privacy Information Center, said, “The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there.” Rotenberg stated that while some of the data is available in public records, much of it appears to be the sort of non-public information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports. “A lot of this information is now routinely gathered on American consumers,” Rotenberg adds.

Breach Brief – Nationwide Voter Database

A massive and mysterious voter database has been exposed online and no one knows who it belongs to, how it got there or when it will be removed.

An independent security researcher by the name of Chris Vickery discovered the database. The files contain the names, phone numbers, home addresses, birth dates, genders, ethnicity, dates of voter registration, party affiliation and e-mail addresses of 191 million Americans from all fifty states and Washington, DC. To make matters worse, the database contains information on who the voters voted for since 2000. The voting records do not include driver’s license numbers, social security numbers, financial records or any kind of familial information. Vickery reported the discovery to DataBreaches.net, which keeps track of massive online security blunders.

The FBI and the California Attorney General’s Office have been contacted regarding the breach. These organizations have the power to remove the database but have not done so yet. The researchers have not revealed where they found the database.

ALERT! CareFirst Health Insurance Hacked…Last June ALERT!

According to a Wall Street Journal report, Washington, D.C.-based not-for-profit health insurer CareFirst BlueCross BlueShield announced Wednesday it had suffered a major data breach…last June!

The data breach was announced Wednesday, after cyber security firm FireEye completed its review of the attack late last week.

Hackers targeted and gained access to the personal information, including birth dates, names, email addresses and subscriber information, of over one million of its customers.

“This breach provides further evidence that cyber security defenses in the healthcare industry are still one step behind sophisticated hackers. The first question to ask is: was the compromised database properly encrypted? Encryption is widely recognized as a best practice and it is vitally important for a company like CareFirst, which is handling sensitive patient information. Healthcare companies are prime targets for hackers,” Greg Kazmierczak, CTO of Wave Systems, told DC Inno.

CareFirst, along with Anthem Insurance and Premera BlueCross, becomes the third major health insurer this year to report a data breach. CareFirst has hired FireEye to investigate the breach and mitigate the damage.

“The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the health-care industry over the past year,” FireEye said in a statement.

A representative of CareFirst stated that the compromised database “contained no member Social Security numbers, medical claims, employment, credit card or financial information.” The insurer also stated that when they first detected the attempted attack last April, they believed they were successful in deflecting the infiltration.

But criticism of CareFirst has already begun. “Not only should the database have been encrypted, but access to the database should have been protected by 2-factor authentication. By having multiple identifying factors, it is dramatically harder for a hacker to gain entry into this type of database. While CareFirst stated that social security numbers and credit cards were not held in the database, access to names, birth dates, and email addresses can lay the groundwork for future intelligence gathering and cyber intrusions. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked,” Kazmierczak said.

Breaking It Down

This is simply another sign of sloppy data handling by a major company. This should have never happened to CareFirst. But what do you expect when you have absolutely poor data security standards in the health care industry? Another sad fact is that the company experienced this data breach last year but is just announcing it now. That’s why we have to have a national data breach standard law, and we need it now! CareFirst is trying to make its customers feel better by saying no information such as social security numbers, medical claims, employment, credit card or financial information was in the database. So what! The information that was there is enough for a cyber criminal to use to hijack an email account, launch a phishing campaign, or even steal an identity. With the information they did get, they can get the rest. As for black people who ask “what does that mean to me?” I just told you.

RadioShack is Selling Your Information

Remember RadioShack? At one time there was no better place to buy your electronics or electronic equipment. They had it all, from amplifiers to circuit boards. Ahh, those were the good old days.

Now the chain of electronic stores is slowly dying and has filed for bankruptcy. For years, RadioShack asked those strange questions, like your name, address and phone number, just to buy batteries. Now, as part of bankruptcy proceedings, the electronics retailer has auctioned that data to the highest bidder. This database includes names, email addresses and phone numbers of almost anybody who has purchased something at RadioShack. By some estimates that adds up to about 100 million people.

And the winner is: Standard General, a hedge fund and RadioShack’s largest shareholder. But not so fast! Before Standard General can take possession of the data, a bankruptcy court has to approve the sale.

The problem is that RadioShack has to overcome some legal hurdles before turning over customer data. Texas Attorney General Ken Paxton is opposing the sale of the data because it would be illegal under Texas law. Texas doesn’t permit companies to sell personal information if it violates that company’s own privacy policies. This appears to be exactly what RadioShack is doing. You can find signs in their stores that clearly state: “We pride ourselves on not selling our private mailing list.” Paxton estimates that this data sale would affect 117 million people.

This case has created some strange bedfellows. AT&T has argued that it wants the data destroyed for its own competitive reasons. AT&T is opposed to the sale because it does not believe RadioShack is entitled to the personal information it collected from wireless sales. AT&T is primarily concerned that the mountain of data might fall into a competitor’s hands. According to Bloomberg, one bidder for the data has suggested that RadioShack become co-branded as Sprint stores.

As with all cases like this, the court will decide based on precedent, or previous court rulings, and this case has precedent that cuts both ways. In 2011, the Federal Trade Commission’s decision permitted Borders Books to auction personal data under certain conditions. These are: the buyer has to be in the same business, have the same privacy policy, and the data is sold alongside other assets. Standard General is planning to keep some RadioShack stores open and may argue that it’s putting the data to similar uses.

But again: not so fast. A 2000 FTC lawsuit stopped a bankrupt Toysmart.com from selling its customer database. The database was eventually destroyed.

Breaking It Down

Everyone who has ever bought something from RadioShack needs to be aware of this. I see a problem when it comes to having my name, address and other information sold like any other asset of a bankrupt company, and here’s why. First of all, it’s my information and I’m not getting a cut of the pie. I personally think that a lot of information sales would cease if one nasty lawyer decided to file a class action lawsuit demanding a price for information sold by its original collector. The deal would work like this. If I decided to give you my information with the understanding that you have assured me that you would not sell it, then we have an agreement. That is what RadioShack did. Now RadioShack has decided to sell the information, violating our agreement. So where is my share of the money?

If your information is in RadioShack’s database, and there are plenty of black people who shop at “The Shack”, then you need to be concerned. If that database is sold, then you can expect to have an increase in direct mail advertisements, spam, cold calls and everything else that comes with loose information. I guarantee you that once Standard General takes possession of this database they will cut, slice and categorize the information and sell it in chunks to the highest bidder. You get annoyed, they get the cash.