Three Big Data Breaches Announced This Week


Was Your Personally Identifiable Information (PII) Exposed?

These three significant breaches highlight just how vulnerable U.S. private networks are to black hat hacker threats. The massive data breach of Target in the last quarter of 2013 generated tremendous concern for PII. Despite all the attention and concern generated by the massive data breaches of the last year, many companies still appear unprepared to detect and mitigate network intrusions.

1) Supervalu Grocery Chain: Point of Sale System Hacked

On Thursday, August 14, 2014, grocery store chain Supervalu announced it had suffered a malicious black hat hacker intrusion that exposed account information belonging to customers who had shopped at about 180 of the company's stores in about a dozen states. The company, whose headquarters is in Eden Prairie, MN, said the breach also affected customers from several other major grocery store chains for which Supervalu provides IT services.

Supervalu’s website says:
“SUPERVALU® experienced a criminal intrusion into the portion of its computer network that processes payment card transactions for some of its retail food stores under the Cub Foods, Hornbacher’s, Farm Fresh, Shop ‘N Save and Shoppers Food & Pharmacy banners, including some of its associated stand-alone liquor stores. The Company has not determined that any cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution. Please click here for more details.”

2) Community Health Systems: Electronic Medical Record System Hacked

On Monday, August 18, 2014, Community Health Systems announced a data breach that affected 4.5 million people. The company, based in Franklin, TN, is one of the largest hospital networks in the country, with 206 hospitals in 29 states. According to the company, intruders accessed and copied Personally Identifiable Information (PII) belonging to patients who were treated by or referred to the hospital's physicians. The data compromised in the breach included Social Security numbers, birth dates and phone numbers.

A portion of the company’s “Data Breach Notification” reads:
“In July 2014, Community Health Systems Professional Services Corporation (“CHSPSC”) confirmed its computer network was the target of an external criminal cyber-attack in April and June 2014. CHSPSC, a Tennessee company, provides management, consulting, and information technology services to certain clinics and hospital-based physicians in this area.

“CHSPSC believes the attacker was an “Advanced Persistent Threat” group originating from China, which used highly sophisticated malware technology to attack CHSPSC’s systems.  The intruder was able to bypass the company’s security measures and successfully copy and transfer some data existing on CHSPSC’s systems.”

The Healthcare Industry needs to increase security surrounding Electronic Medical Records (EMR) and Electronic Health Records (EHR): Healthcare Industry is Vulnerable to Cyber Attacks.

3) UPS Store Locations: Point of Sale System Hacked

In a statement on Wednesday, August 20, 2014, UPS Store Inc., a wholly-owned subsidiary of United Parcel Service ("UPS") of America, Inc., said it was recently notified by law enforcement officials about a "broad-based malware intrusion" of its systems. The company, based in Atlanta, GA, announced that credit and debit card information belonging to customers who did business at 51 UPS Store Inc. locations in 24 states this year may have been compromised as the result of an intrusion into the company's networks.

The UPS intrusion involved previously unknown malware installed on systems in more than four dozen stores. Only about 1% of the 4,470 UPS Store locations around the country were affected. The intrusion may have exposed transaction data from individual franchise Point of Sale (POS) systems. "For most locations, the period of exposure to this malware began after March 26, 2014," UPS said in a statement.

In addition to payment card information, the hackers also appear to have gained access to customer names, as well as postal and email addresses. Each of the independently owned stores has its own network, so the exposure was limited.

Their breach notification begins:
“The UPS Store, Inc., among many other U.S. retailers, recently received a government bulletin regarding a broad-based malware intrusion not identified by current anti-virus software. Upon receiving the bulletin, The UPS Store retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations. The UPS Store discovered malware identified in the bulletin on systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States.

“Based on the current assessment by The UPS Store and the IT security firm, certain customers’ information, who used a credit or debit card at the 51 impacted franchised center locations between January 20, 2014, and August 11, 2014, may have been exposed. For some center locations, the period of exposure to this malware began after January 20, 2014. The malware was eliminated as of August 11, 2014, and customers can shop securely at all The UPS Store locations.”


Experts on this topic...

Digital Evidence Scott Greene