Security SIG Talk: Slides are Available

Thank you to all who attended the Security SIG talk last week on Lessons Learned from the Top Healthcare Information Security Breaches. If you were not able to attend, or did attend but would like to review the information again, the slides are available here. (MIT certificate required.)


FBI: Data Breaches Up 400%; Workforce Needs To Be “Doubled or Tripled”

As a follow-up to last week’s post about the shortage of cybersecurity personnel, this article ties the rise in attacks and breaches to the need for a much larger cybersecurity workforce.

James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days.”

Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats.

Read the story at

Anthem Data Breach

If you are on the MIT Health Plan, you may have received an email from MIT Medical and MIT Benefits regarding the Anthem Data Breach. Anthem was the target of a sophisticated cyber attack that exposed personal data on almost 80 million customers. Read the news story here.

Attackers may have accessed personal information on current and former members of Anthem and Blue Cross Blue Shield of Massachusetts (BCBSMA), including names, medical IDs, Social Security numbers, street addresses, email addresses and employment information, but no financial data.

The message from MIT outlines the impact this breach may have on current or former MIT members or their families who were or are on the MIT Health Plan. Only those who have received care in the fourteen states listed here could be affected.

If Anthem and/or BCBSMA believe you have been affected, they will contact you directly. Further information has been posted on the Anthem website.

The FBI says that it is “close” to identifying the parties responsible for the Anthem breach, but will not disclose the information until it is “absolutely sure.” Read the news story here.

What Happened in the JP Morgan Chase Breach?

According to news released last Thursday, 76 million household accounts and 7 million small businesses were affected by a breach that occurred earlier this year. JP Morgan Chase is one of the oldest, best-known and largest financial institutions in the world. The cyber attack leaked names, addresses, phone numbers and email addresses. There is no evidence yet of passwords, sensitive personal information, or account information being stolen.

The bank discovered the intrusion on its servers in mid-August and believes the breach may have begun as early as June, a spokesperson for the bank said. The bank has “identified and closed all known access paths.” It is possible that the attackers’ initial access came from a stolen employee password.

In a post on its website, the bank told customers there is no need to change their passwords or account information. No cards will be reissued.

Because the hackers obtained email addresses, be alert for phishing: don’t click links in messages from senders you don’t know, and don’t click links in unexpected messages that appear to come from Chase or another trusted source.

Read the full story in the news.

Home Depot Hit By Malware Similar to Target Breach

Security researcher Brian Krebs published information on his security blog yesterday about the cyber attack on Home Depot. Reportedly, the compromised credit cards were exposed by the same malware family that exposed 40 million cards belonging to Target customers in December 2013. He points to a new variant of the malware strain “BlackPOS,” aimed at retailers, which can steal credit and debit card data from the physical memory of point-of-sale devices (the card data is readable in memory for a moment while the terminal processes a swipe, before it is encrypted for transmission).

If this information is true, it could mean the same people were responsible for both breaches. Credit card numbers allegedly stolen from Home Depot have appeared on an underground cybercrime shop known as Rescator, which has also been seen selling cards stolen in the Target breach. According to Krebs, the people involved harbor anti-American sentiments.

Read the story in the news.

Over a Billion Stolen Credentials Amassed

Earlier this month, the NY Times reported that a Russian crime ring has amassed 1.2 billion user name and password combinations and more than 500 million email addresses from the Internet. According to security firm Hold Security, many of the sites from which the credentials were stolen are still vulnerable.

There is a concern in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and other pieces of personal information were stolen from Target by Eastern European hackers. This latest discovery has prompted security experts to call for improved identity protection on the web.

Read the full story online.

Because so many usernames and passwords have fallen into the hands of criminals, one NY Times reporter came up with a two-step plan to keep hackers out of his online accounts. He contacted all of the companies with which he does online financial transactions to find out whether they support multi-factor authentication. He writes about his experience here.

If you are concerned about your online accounts and whether they are secure enough, you may want to take similar steps or be proactive in other ways. One suggestion I would make, until all companies offer multi-factor authentication, is to update your passwords on a regular basis and manage them using a password manager such as LastPass, 1Password or KeePass.
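The second factor the reporter was asking those companies for is, in most consumer deployments, a time-based one-time password (TOTP, RFC 6238): the app and the server share a secret, and the code is an HMAC of the current 30-second time step. The Python below is an added example, not code from the NY Times article or from any of the password managers named above. It generates and verifies TOTP codes; the secret is the one from RFC 6238’s test vectors, and the server-side verifier accepts one step of clock skew either way and records the last accepted step so that a sniffed code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time

# The 20-byte ASCII secret used for the RFC 6238 SHA-1 test vectors (not a real account secret).
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at // STEP_SECONDS), digits)


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps take the shared secret base32-encoded (as in otpauth:// URIs)."""
    return base64.b32encode(secret).decode().rstrip("=")


class TotpVerifier:
    """Server side: accept codes from the current step +/- `window`, never twice."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code: str, at: float) -> bool:
        current = int(at // STEP_SECONDS)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                      # already used: blocks replay of a captured code
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("base32 secret for the app:", secret_to_base32(RFC6238_SECRET))
    print("code right now:", totp(RFC6238_SECRET, time.time()))
```

The point a password leak makes: even with the 1.2 billion stolen credentials in hand, an attacker without the shared secret (or the phone holding it) cannot produce the six digits, and a code they intercept is good for at most one login within one time step.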

The eBay Data Breach

On May 21 eBay announced that it had suffered a major data breach exposing the personal data of up to 233 million registered users. Three states have since opened a joint investigation into the company’s security practices.

eBay has been criticized for taking three months to notice the breach and then several more weeks to announce it. No mass email was sent, but the company did post a warning on its website, originally with a “learn more” link that led to a blank page (now fixed).

eBay is telling all customers to reset their passwords. Members who used the same password at other sites should change it there as well.

According to eBay, the data was stolen using a number of compromised employee credentials, which gave the thieves access to the company’s corporate network.

What did the thieves get? There was no financial or other confidential personal information in the compromised database. But the thieves did get hold of real names, email addresses, phone numbers and home addresses of customers in addition to their passwords, which were encrypted.

Read the story in the news here and here.