Category Archives: Breaches

Breach Notifications

70M Subscribers to PlayStation

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID,” wrote Patrick Seybold, senior director of corporate communications for Sony Computer Entertainment America. “It is also possible that your profile data, including purchase history and billing address … and your PlayStation Network/Qriocity password security answers may have been obtained. … While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.”

The following letter has been sent to subscribers:

 

From: PlayStation Network <PlayStation_Network@playstation-email.com>
To:
Sent: Tuesday, April 26, 2011 7:29 PM
Subject: Important information regarding PlayStation Network and Qriocity services
===================================
PlayStation(R)Network
===================================
Valued PlayStation(R)Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable. Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
– U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
– We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below:
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
– You may wish to visit the website of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
===================================
LEGAL
“PlayStation” and the “PS” Family logo are registered trademarks and “PS3” and “PlayStation Network” are trademarks of Sony Computer Entertainment Inc.
(C) 2011 Sony Computer Entertainment America LLC.
Sony Computer Entertainment America LLC
919 E. Hillsdale Blvd., Foster City, CA 94404

The breach has prompted Sony to rebuild systems and restore services within the week.

 

Janitor charged with felony: Allegedly recycled 14 boxes of health records

Robert Sanders was arrested on Friday, September 10, 2010, and charged the following Monday with allegedly selling 14 boxes of patient health records from Los Angeles County’s MLK Multi-Service Ambulatory Care Center in Willowbrook. The records included personal health information (PHI) such as patient names, addresses, phone numbers, and medical record numbers. According to Los Angeles County Executive William T. Fujioka, the records did not include “private medical information.” The charge on which Sanders was arrested is felony commercial burglary. Fujioka claims, “There’s nothing in there that speaks to their diagnosis, their illness, their injury… That’s the real sensitive information.” The supervisor for that clinic, Mark Ridley-Thomas, stated, “We have to have appropriate internal controls to make sure there is no breach in privacy with respect to the delivery of services to our patients.”

ID Theft from Starbucks job applications

A U.S. Attorney in Ohio has indicted Chantay Ware, 26, an ex-employee of HMS Host (which managed the airport Starbucks at Cleveland Hopkins International Airport), for allegedly using personally identifiable information (PII) from job applications between February 2006 and November 2008 to fraudulently obtain and use 65 Citibank or Capital One credit cards, running up $115,000 in charges. The indictment is for identity theft and aggravated fraud.

“The charges make it very clear that she violated the trust of these people who are looking for jobs in a tough economy,” said Michael Tobin from the U.S. Attorney’s Office in Cleveland.

All HMS Host business at that airport has since been replaced by another company.

Durex Condom Online Data Breach

On 5th March 2010, I discovered a data breach on the Durex India website Kohinoor Passion. I had earlier ordered Durex products off their estore, and my order had arrived by courier in a nondescript shipping package as promised. Later, I passed an eye over the invoice enclosed with my order. I noticed that it appeared to have been printed off a website, since the URL of the website was printed at the bottom of the invoice. Since my computer was switched on and connected to the internet at the time, I idly entered the URL in my browser, and received a surprise when my invoice came up on screen, looking exactly as printed – showing my name, contact information, products ordered and amount invoiced.

I considered that my login to the Durex estore might still have been alive from my shopping session, and so tried again after clearing my browser history, cache and cookies. For good measure, I even restarted my computer. I could still access my invoice online.

Now my curiosity was piqued. I noticed that my order number was part of the URL, and so randomly changed this number. To my amazement, another invoice came up, with the order details of someone else who had ordered Durex products online at the estore.

Each Durex estore invoice looks something like this:

Now replace the billing and shipping details with actual online shoppers’ names, postal and email addresses, and phone numbers, and you’ll realize the enormous amount of information that was at an unsecured location, freely available to anyone with a connection to the internet. (The main admin page http://www.kohinoorpassion.com/admin/ required a username and password, but apparently the subpages didn’t.)

I immediately started emailing the following people (using my real name and email address) informing them of the breach:

13:39    TTK-LIG Customer Service (TTK-LIG is the marketer of the Durex brand in India)
14:49    SSL International Open Door (SSL is the owner of the Durex brand worldwide)
20:22    Lisa Caton, Consumer Relations Manager at SSL (I received a vacation response)
20:29    Garry Watts, Chief Executive at SSL
20:50    Paul Doherty, Head of Corporate Affairs at SSL
20:54    Consumer Relations at SSL

When I went to bed, the data breach was still active, and more invoices seemed to have been added that day.

When I checked the next morning, the website had been modified, and any direct invoice access attempts redirected to the admin login page. Although I appreciated the speed taken to solve the problem, especially on a weekend, it is anyone’s guess how long the data breach was active before I discovered it, or how many customer records were accessed in that time from unauthorized locations.

FAQs

Q. Did you hack into the Durex customer database?
A. No, the Durex customer database was freely available online. I neither had to guess a username and password, nor did I have to spoof my IP address or use any other tricks to access the invoices online.

Q. What was the date range of invoices you could access?
A. The earliest invoice I noticed had been issued on 23-Feb-2009. That means a range of 376 days before 6-Mar-2010, the date the breach was plugged.

Q. Does that mean the data breach was active for 376 days before you discovered it?
A. I don’t know. By some coincidence, the breach could have opened up just a few minutes before I tried accessing the website on 5-Mar-2010, maybe as an accidental result of a website maintenance happening at that very instant. However, that possibility seems unlikely. TTK-LIG and SSL are the right people to answer this question, since they have access (I hope) to their website change logs.

Q. Yikes! I just looked through my records and notice that I have an invoice issued in the date range mentioned. Did someone other than SSL or TTK-LIG access it?
A. I have no idea, since I do not have access to the kohinoorpassion.com website logs. What is quite certain though, is that your invoice was publicly accessible on the internet for some amount of time, and in that duration anyone could have downloaded it easily.

Q. I haven’t bought any Durex products, but I did buy Kohinoor products online. Could my information have been compromised, too?
A. Since both Durex and Kohinoor likely use the same admin website, it is possible that your details were made public too. Please contact TTK-LIG regarding this, and update me if they reply.

Q. After you brought the breach to the notice of Durex, have they made the site completely secure?
A. Since I am not a data security expert, I cannot comment on this. The admin section of the site (which contains the customer information) is still on the internet, though it now requires a username and password to access. The logic behind choosing this (arguably low) level of security needs to be questioned. Studies have shown that it is statistically not tough to guess someone’s password.

Q. Who can I contact to express my concern regarding this breach?
A. The Contacts page has a list of some people you can write / email / call / fax.

Q. Who are you?
A. I am a customer of the Durex India estore, whose records have been compromised by this data breach. Beyond that, I have no desire to reveal anything more about myself.

Q. Why create this website? What do you want?
A. I’d like an unconditional apology from TTK-LIG Limited or SSL International plc, for being negligent with my personal data.

Q. What will you do with the data that you could access from the Durex website?
A. I will not share the personal data with anyone for any reason, period. Also, I will not contact anyone in the list personally, unless they contact me first. Once SSL and/or TTK-LIG contacts all us affected customers and releases an apology and statement that addresses all concerns satisfactorily, I will delete all traces of the data from my system.

Q. I am an affected customer too. Since you know about me now, I’d like to know more about you, too.
A. That’s a fair argument, but with such a large number of affected customers out there, I cannot risk letting my identity be leaked by any one of them, and soon becoming public knowledge. I have a long career ahead of me, and do not want to spend it being known as the person who blew the whistle on Durex.
Now if my identity becomes public for any reason, I will know that someone at SSL or TTK-LIG is responsible, since they are the only people who know who I am. And that will be a far more serious incident than an unintentional release of information (I’m guessing and hoping this data breach is unintentional).

Q. Why is this such a big deal?
A. Besides the obvious, Durex had posted a privacy policy on their website, which I went through repeatedly before placing my order. The privacy policy begins by stating:
“When you visit the Durex website you may be asked to provide personal information, such as your name, mailing address, email address, telephone number, and other personal information. SSL International plc, the owners of the Durex brand, will ensure the privacy, safety and security of this information.”
Clearly, SSL International plc has not done a very good job of ensuring.
If SSL believes that it is not responsible for TTK-LIG’s mess-ups, they should navigate through the Durex website and notice how it seamlessly leads to the Durex India estore, keeping the Durex brand consistent, and without any warning that the user was entering an area where SSL policies were not applicable. In any case, TTK-LIG (the operator of the India estore) has posted its own privacy policy on the Durex India website, which states:
“Under no circumstances will user information be shared in any manner with external organizations for any reason whatsoever except to the group companies of TTK-LIG Limited for use for purposes stated herein.”

Q. You dumb nut, don’t you know better than to order products of a sexual nature online? Especially in India, a country not really known for upholding privacy values?
A. I know, I know… I am not the sort of person to shy away from visiting a chemist. However, a lot of products on the Durex estore are not commonly available at chemists. I know this, because I have specifically asked for them at multiple stores. After looking at the Durex India website a bunch of times over many months, and learning more about the available products, order process and privacy policy, curiosity finally got the better of me and I went ahead and ordered. Chalk it up as yet another of the dumb things that people will do for (good and safe) sex.
Also, hindsight is 20/20 (or, since we follow metric in India, 6/6).

Q. Will you still buy Durex?
A. Yes, I believe they make the best available-in-India products in their market segments. I just hope they make their entire product range widely available in stores, since I will be very reluctant to buy them online now.
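The failure the post above describes, an invoice page keyed by a sequential order number and served with no login and no ownership check while only the admin front page asked for a password, is the textbook insecure direct object reference. The following is an added example, not code from the post or from the Durex/TTK-LIG site: a stdlib-only Python sketch of that vulnerable lookup beside a hardened one. The hardened path requires a session, checks that the order belongs to the logged-in customer, answers 404 rather than 403 for other customers' orders so the existence of neighbouring order numbers is not confirmed, issues an unguessable random token for the link printed on the invoice, and flags an account whose denied lookups span several distinct order numbers. All function names, customers, sessions and invoice records are constructed for the example.

```python
"""Invoice lookup: the unauthenticated-by-order-number pattern beside an
ownership-checked version with opaque links and enumeration alerting.
Hypothetical code, stdlib only; every record below is constructed."""
import logging
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

log = logging.getLogger("estore")


@dataclass(frozen=True)
class Invoice:
    order_id: int          # sequential, like the number on the printed invoice
    customer_id: str
    name: str
    address: str


# Constructed sample records (hypothetical customers, not real data).
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "cust-a", "Customer A", "1 Example Road"),
    1002: Invoice(1002, "cust-b", "Customer B", "2 Example Lane"),
}
# Session id -> logged-in customer (constructed; a real store uses a session store).
SESSIONS: Dict[str, str] = {"sess-a": "cust-a"}
# Denied lookups per customer, kept for the enumeration alert below.
DENIED: Dict[str, Set[int]] = defaultdict(set)


def lookup_invoice_vulnerable(order_id: int) -> Optional[Invoice]:
    """The pattern the post describes: the order number from the URL is the
    only input. No session and no ownership check, so any order number that
    exists returns some customer's invoice."""
    return INVOICES.get(order_id)


def lookup_invoice_secure(session_id: Optional[str],
                          order_id: int) -> Tuple[int, Optional[Invoice]]:
    """Returns an (http_status, invoice) pair: 401 without a valid session,
    404 when the order is missing OR belongs to another customer (a 403 here
    would confirm that the neighbouring number exists), 200 with the invoice."""
    customer = SESSIONS.get(session_id or "")
    if customer is None:
        return 401, None
    inv = INVOICES.get(order_id)
    if inv is None or inv.customer_id != customer:
        DENIED[customer].add(order_id)
        log.warning("invoice lookup denied customer=%s order=%d", customer, order_id)
        return 404, None
    return 200, inv


# Opaque links for the "view your invoice" use case: the printed URL carries a
# random token instead of the sequential order number, so counting up or down
# from one's own number leads nowhere. Token -> order id, kept server-side.
INVOICE_TOKENS: Dict[str, int] = {}


def issue_invoice_token(order_id: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 random bits, not enumerable
    INVOICE_TOKENS[token] = order_id
    return token


def lookup_invoice_by_token(session_id: Optional[str],
                            token: str) -> Tuple[int, Optional[Invoice]]:
    """The token resolves to an order id and then the same ownership check
    runs: an unguessable link is defence in depth, never a substitute for login."""
    order_id = INVOICE_TOKENS.get(token)
    if order_id is None:
        return 404, None
    return lookup_invoice_secure(session_id, order_id)


def enumeration_suspects(threshold: int = 3) -> List[str]:
    """Customers whose denied lookups cover at least `threshold` distinct
    order ids. One mistyped number is noise; a run of neighbouring numbers is
    the behaviour the post describes and is worth an alert to the operator."""
    return sorted(c for c, ids in DENIED.items() if len(ids) >= threshold)
```

The two lookups take the same order number; the difference is entirely in what the server checks before answering, which is the control the post found missing on the invoice subpages. Wiring `lookup_invoice_secure` into a real handler means reading `session_id` from a signed session cookie rather than a dictionary, and persisting the `DENIED` counts somewhere the security team can query.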

TicketMaster’s CAPTCHA hacked for years

Kenneth Lowson, 40, Kristofer Kirsch, 37, and Faisal Nahdi, 36, all of Los Angeles, and Joel Stevenson, 37, of Alameda, California, were known as The Wiseguys. They worked with programmers from Bulgaria to circumvent CAPTCHA. CAPTCHA requires people to read distorted images of letters, numbers and characters on a screen and retype them before buying tickets. The Wiseguys defeated the CAPTCHA checks on major concert and event vendors’ merchant websites such as Ticketmaster, Live Nation Entertainment and Telecharge, scripting their way to first dibs on high-priced tickets much faster than humans could manually accomplish the task. Often, they purchased the tickets prior to the actual official sale date.

Prosecutors allege they resold tickets to Kelly Clarkson, Kenny Chesney, Billy Joel, Miley Cyrus, Barbra Streisand and Bon Jovi events and made more than $28.9 million in profit from 2005 to 2008. All four men are charged with one count of conspiracy and 10 counts of wire fraud. All except Faisal Nahdi have been charged with nine counts of obtaining information from a protected computer and 10 counts of accessing a protected computer with intent to defraud.