Office of Personnel Management: 4 Million People’s Personal Information Compromised

The U.S. Office of Personnel Management announced late Thursday afternoon that it lost 4 million people’s personally identifiable information as a result of a data breach.

Chinese hackers cracked the federal government’s systems in December, according to the Washington Post.

OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls.

The human resources arm of the federal government conducts background checks on employees. It will begin notifying those affected starting next week.

From the Associated Press, which initially broke the news of the data breach:

In November, a former DHS contractor disclosed another cyberbreach that compromised the private files of more than 25,000 DHS workers and thousands of other federal employees.

DHS said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyber threats, identified the hack of OPM’s systems and the Interior Department’s data center, which is shared by other federal agencies.

The former director of the National Security Agency, Mike McConnell, in the wake of the Anthem breach (allegedly perpetrated by Chinese hackers) earlier this year [37:00]:

A lot of the speculation revolving around that potential nation-state sponsored attack assumed that the Chinese might be interested in building databases on people in businesses and governments.

The idea is that while a hacker might not be able to breach the security of, say, the President’s computer, that person might be able to infiltrate all the systems surrounding the Commander in Chief, in essence making the job of spying easier.


Heartland Payment Systems Reports Stolen Computers, (Potential) Data Breach

In a letter to those affected:

What Happened?

Heartland Payment Systems, Inc. (“Heartland”), was notified on May 8, 2015 that your personal information may have been compromised. An incident occurred at our office in Santa Ana, California. Many items, including password protected computers belonging to Heartland were stolen. One of these computers may have stored your Social Security number and/or bank account information processed for your employer. We have seen no evidence suggesting that the data has been accessed on the stolen computers or used in any way, and we have no reason to believe any such use will occur. We have involved state and federal regulatory and law enforcement agencies to assist us in determining how to proceed with the matter at hand. Heartland continues to monitor the situation carefully and has increased its internal security and review procedures to watch for any unusual activity. We are providing this notice to you out of an abundance of caution so that you can take steps to help protect your information from unauthorized use, such as the steps detailed in the enclosed state notification requirements.

The Princeton, NJ payment processor may sound familiar because several years ago it disclosed a monumentally more severe event.

From Wikipedia:

On January 20, 2009 Heartland announced that it had been “the victim of a security breach within its processing system in 2008”.[5] The data stolen included the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards; with that data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.[6] One estimate claimed 100 million cards and more than 650 financial services companies were compromised; at the time, it was characterized as the largest ever criminal breach of card data.[7]

An American computer hacker, Albert Gonzalez, was sentenced in March 2010 to 20 years in prison for his role in the hacking ring that broke into the Heartland computer systems.[8]

On May 1, 2009, Visa and Heartland issued a statement that Heartland successfully validated its compliance with PCI DSS and was returned to Visa’s list of PCI DSS Validated Service Providers.[9]

Fla. School District Begins Monitoring Students, Staff Social Media Accts

From the Orlando Sentinel:

What Orange County students — and staff — post on social media sites such as Twitter, Facebook and YouTube is now being monitored by their school district to “ensure safe school operations,” the district announced this morning.

Central Florida’s largest school district said it had a new licensing agreement for software that would allow it to monitor a number of social media sites for posts “that may impact students and staff.”

Spokesman Shari Bobinski said the monitoring program is now up and running, though not at full scale. Security staff began using it about a month ago.

From the Insurance Journal (2013):

The issue of social media and how far school districts should go is garnering national attention because of a monitoring program Huntsville City Schools started in 2013.

The district paid a former FBI agent $157,000 to operate SAFe, or Students Against Fear, a monitoring program that targeted 600 of the system’s 24,000 students and resulted in expulsion of 14 students.

Huntsville said it started the program after receiving a tip from the National Security Agency involving a threat against a teacher. The NSA said it has no record of contact with school officials.

Regardless of what led Huntsville to start the program, the American Civil Liberties Union views what students post on social media sites as free speech that shouldn’t lead to punishment at school.

“The ACLU is concerned about the systemic monitoring of student speech across the country,” said Randall Marshall, legal director of the ACLU of Alabama.

Spotify (Internal) Data Breach; Initially Only One User Affected

Target Still Doesn’t Know the Full Cost of Its Breach: PaymentsSource

From the SourceMedia joint:

About a half year after Target suffered a massive data breach, the retailer is still anticipating further financial hits.

“Our outlook does not have additional costs for the data breach. We believe we have the financial strength to move beyond the financial impacts once they are known,” said John Mulligan, Target’s interim president and CEO, during a May 21 conference call to discuss the Minneapolis-based retailer’s first-quarter earnings. The previous president and CEO, Gregg Steinhafel, resigned May 5.

In the first quarter 2014, Target reported $18 million of net expense that was driven in part by the breach, or $26 million of total expenses offset by $8 million in expected insurance reimbursement. These costs do not reflect future claims by payment card networks for fraud losses connected to the breach, and the retailer may not have visibility into those costs until the third quarter.

iPhone 6 Will Have NFC: Morgan Stanley

From FinExtra:

In a group report, the bank’s Katy Huberty says: “Mobile payments is a major opportunity for Apple to improve user experiences and potentially add a new revenue stream.”

Huberty’s colleague Craig Hettenbach predicts that NFC will be a core part of Apple’s assault on payments, citing the recent patent filings by the company and the emergence of Host Card Emulation, which would let Apple break free from wireless operators.

He also notes that the new mPOS system Apple is rolling out in its stores includes a VeriFone-made iPhone sleeve that is equipped for NFC, and highlights recent reports of a contactless payments agreement with China UnionPay.

FTC, LabMD Update

Washington, D.C. (May 15, 2014) – Today, Cause of Action (CoA) is filing an emergency appeal on behalf of LabMD, following a federal judge’s ruling that he lacked jurisdiction even while telling the Federal Trade Commission (FTC) “the public is served by guiding people beforehand rather than beating them up after.”