Security

Dec 27

BevMo Data Breach

Beverages & More, better known as BevMo, recently announced that a data breach may have allowed a hacker to steal credit card numbers and other information from more than 14,000 customers of its web site.

BevMo, headquartered in Concord, CA, 40 minutes northeast of San Jose, notified the Attorney General’s office in Sacramento that someone was able to plant malicious code on the checkout page of its web site.

The malicious code was designed to record information from orders placed between August 2, 2018 and September 26, 2018. The information recorded may have included customer names, phone numbers, addresses, and credit & debit card numbers and their security codes.

BevMo says the code was removed and an investigation is under way.

Nov 30

Marriott Security Breach

FRIDAY, NOVEMBER 30, 2018 – Earlier today, Marriott announced that they had a security breach involving their Starwood guest reservation database. On November 19, 2018, an investigation discovered that there was unauthorized access to the database, which stores guest information relating to reservations at Starwood properties on or before September 10, 2018.

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States.  Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.  The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.  On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.  For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.  For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).  There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.  For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

Marriott reported this incident to law enforcement and continues to support their investigation.  The company has already begun notifying regulatory authorities.

“Today, Marriott is reaffirming our commitment to our guests around the world.  We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center.  We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.  Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” Mr. Sorenson continued.

Marriott will begin sending emails on a rolling basis starting today, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.


PROTECTIVE MEASURES:

  1. If you have stayed at a Starwood Company hotel (Marriott, etc.), then the first step you can take is to immediately call the financial institution that issued your credit/debit cards and ask them to send you a new card, citing this security breach at Marriott as a precautionary measure.
  2. For peace of mind, order Identity Theft Protection from Zander Insurance for added protection.
  3. Contact each of the 4 credit bureaus (Innovis, Experian, Equifax and TransUnion) and request a security freeze. See our previous post pertaining to security freezes.

This is your time to be proactive with regard to personal data security.

Oct 2

Facebook Hacked, What You Should Do

Their mission statement: “Give people the power to build community and bring the world closer together.”

Facebook is by now known to millions of people across the globe as a social media networking site that also features video programming, shopping/selling marketplace, and employment listing classifieds. But if you are not aware of what Facebook is, Facebook is an American online social media and social networking service company based in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg, along with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes.

Facebook can be accessed from a large range of devices with Internet connectivity, such as desktop computers, laptops and tablet computers, smartphones, streaming media boxes, and smart televisions. After registering, users can create a customized profile indicating their name, occupation, schools attended and so on. Users can add other users as “friends”, exchange messages, post status updates, share photos, videos and links, use various software applications (“apps”), and receive notifications of other users’ activity. Additionally, users may join common-interest user groups organized by workplace, school, hobbies or other topics, and categorize their friends into lists such as “People From Work” or “Close Friends”. Additionally, users can report or block unpleasant people.

The one feature that Facebook has yet to implement is a “true” privacy setting for one’s personal profile. With this setting, a profile would not be searchable at all unless you know the direct e-mail address, direct user name, and/or phone number with which the account was registered. Unfortunately, the closest to this setting, and the current highest level of privacy for a profile, is one where “friends of your Friends” can submit friend requests and see your profile. This should not be the last line of privacy for a user.

Why is the above information important? Because of a recent hack, this past Friday, of a Facebook feature called “View As”. This feature allows people to preview others’ personal profiles without actually visiting them. Nearly 50 million users were affected by the hack. The attackers gained access to the digital “keys” that allow users to access Facebook from multiple devices without having to reenter their password. The keys could be used to take over people’s accounts, but Facebook says that the issue has now been fixed.

As of now, Facebook is uncertain whether the compromised accounts were misused or whether sensitive information was accessed. Access keys for over 90 million users have all been reset. The only task users need to perform is to log back into their accounts – no password change was deemed necessary. However, the investigation is still in its early stages and more details of the overall impact could arise in the coming days.

OUR RECOMMENDATION: Change the password to your Facebook profile/pages, your Instagram account (as your Instagram may be linked to your Facebook account), and your WhatsApp account. Also, always remember to completely log off, not only from social media accounts, but from any web site you log into, once you are finished using it. Do not save your user names and passwords on your computers and/or smartphones for quick access in the future. Once you have finished using your devices for the day, before turning the power off, be sure to clean out ALL cookies and browsing history from your web browser (Safari, Chrome, Edge, Firefox, etc.). Also check the apps on your mobile devices, as they may store your search history as well (e.g. the YouTube Mobile App). We also recommend a security package from Norton that will add protection to your devices; it also includes a VPN (Virtual Private Network) service that secures your web browsing location identity. Lastly, get peace of mind by getting an Identity Theft Protection plan from Zander Insurance ($79 per year) as insurance on your identity.

Aug 24

T-Mobile Cyber Breach Exposes Data of Nearly 2 Million Customers

Source: Zander Insurance ID Theft Solutions

What Happened?
On Thursday, August 23rd, T-Mobile released a statement informing its customers that it had experienced a data breach, in which attackers from outside of the United States of America gained access to only “certain information”. The breach is said to have affected nearly 2 million people, which accounts for 3% of T-Mobile’s customers. A T-Mobile spokesperson stated that the company caught and shut down the attack almost immediately.

What Information was Exposed?
T-Mobile claims that the financial data of their customers remained safe. The information that was exposed included names, billing zip codes, phone numbers, email addresses, account numbers, and account types (i.e. pre-paid or post-paid). T-Mobile will be contacting the customers whose accounts were exposed via a direct text message.

Sep 17

Equifax Breach, What to do?

One of the nation’s four credit reporting agencies, Equifax, recently suffered a major security breach with their servers that store consumer data. There’s a high chance that you are one of the 143 million Americans who had their sensitive information compromised.

Here are the specifics of the data breach according to Equifax: the actual breach lasted from mid-May 2017 through July 2017. The hackers were able to access the following information:

  • People’s Names
  • Social Security Numbers
  • Birth Dates
  • Addresses
  • Driver’s Licenses (in some instances)
  • Credit Card Numbers for 209,000 people
  • Dispute Documents with Personal Identifying Information for approximately 182,000 people

Here are the step by step actions you need to be proactive in taking to protect yourself and/or minimize the damage from actually being a victim of this breach. Do not wait for Equifax to individually contact you and confirm whether you are one of the 143 million victims. Be proactive.

  1. Order your FREE credit reports from each of the four credit reporting agencies (Equifax, Experian, Innovis, and TransUnion) and your consumer files from ChexSystems (credit unions) and Early Warning Services (banks).
  2. After you order ALL four credit reports, order a freeze to be placed with each of those same agencies (Equifax Freeze, Experian Freeze, Innovis Freeze, TransUnion Freeze, and ChexSystems Freeze). Depending on the state that you currently reside in, there may be a small fee. But it is definitely worth it.
  3. Once you get your credit freezes placed on your credit reports, be sure to print a copy of each credit freeze confirmation page, as you will have either been assigned or created a PIN, which is the only way to confirm a permanent or temporary release of your freeze at a future date.
  4. Now it’s time to get ID Protection from one of the two highly rated and reputable companies: LifeLock or Zander Insurance.

For step 1, while reviewing your credit reports, if you notice accounts and/or activity that you can verify is not yours, visit IdentityTheft.gov to see what you can do. You can also file a report with the credit reporting agency on whose report you find the activity and/or accounts that are not yours. When initiating a report, keep a detailed record of all communication in the process as documentation, including the people you are working with on any case that you open.

For step 2, a credit freeze on your credit report makes it harder for someone to open a new account in your name. If you need to release the credit freeze, either permanently or temporarily, you will need to use the unique PIN that was established either automatically by the agency or by you when you initiated the freeze.




Every time you finish browsing the Internet, be sure to clear your browser’s complete history and cookies, and do not store any user names and passwords in your browser. This is also key on your mobile devices (i.e. smartphones, tablets, and laptops).

For added protection with the IRS, you can contact them to see if they will assign you an IP PIN, which is issued to you annually around late December or January to add extra security when filing your taxes. Visit their web page on Identity Protection for more information.

One last piece of security you can have is a cross-cut paper shredder. Be sure to shred any old and expired credit cards, debit cards, membership cards and paperwork that has your personal information and postal address.