There are so many breaches to choose from when putting these roundups together that we’ve started to look for themes, just to keep things interesting. This month it was no trouble: schools and banks dominated. But we also had an oddball one that we just had to mention: a guy hacking into his own insulin pump just to prove a point, which his pump-maker apparently did not appreciate.
Hackers get $13 million in cash in ATM scam; Citigroup suffers another breach
More details emerged this month about an attack that first came to light in May against Fidelity National Information Services, Inc., a large processor of prepaid debit cards. While FIS admitted it incurred a loss of $13 million involving 22 prepaid cards and its Sunrise, Fla.-based eFunds Prepaid Solutions unit, it never said how. But security guru Brian Krebs got to the bottom of it:
According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds…. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.
Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.
Citigroup, meanwhile, can’t catch a break. After suffering a security breach in May that resulted in hackers stealing $2.7 million from 3,400 North American customers, Citi’s Japanese unit has now been hit. According to TheStreet:
Citi Cards Japan said in a statement on its Web site that “certain personal information of 92,408 customers has allegedly been obtained and sold to a third party illegally.” Information compromised included account numbers, names, addresses, phone numbers, date of birth, gender and the date the account was opened.
Univ. of Wisconsin joins Yale in suffering security breach
Colleges and universities have certainly suffered their fair share of security breaches, and this month is no exception.
First up, the University of Wisconsin. As eWeek reports:
Malware planted on a document-management database server may have exposed 75,000 student and staff Social Security numbers and names, the University of Wisconsin-Milwaukee said Aug. 10.
The story goes on to explain how the university made a critical mistake after discovering the breach: it shut down the affected server.
That is one of the biggest mistakes organizations make after discovering a breach, Geoff Webb, senior product marketing manager at Credant Technologies, told eWEEK. While senior management may be saying “shut everything down,” the security team should resist the pressure and take the time to investigate what happened without alerting the attackers, Webb said. If the attackers figure out they’ve been detected, they would try to cover their tracks and potentially destroy any evidence on the breached system, according to Webb.
Google apparently inadvertently had a hand in a breach at Yale, which exposed Social Security numbers of 43,000 people, according to eCampusNews.com:
The Yale breach is the latest high-profile data security incident in higher education—one that originated in September 2010, when Google announced its searches would include file transfer protocol (FTP) servers, which previously had been off-limits to general internet queries.
Social Security numbers of students, faculty, and alumni affiliated with the prestigious university in 1999 were available on the web for anyone to see after Google made its search change to include FTP servers, according to a Yale announcement released Aug. 26.
“Yale has secured the file, and Google has confirmed that its search engine no longer stores any information from the file,” the university said in its statement, adding that the school’s exposed file didn’t include financial information, birth dates, or other sensitive information.
Yale hired a data security firm to monitor credit reports of those affected by the breach – an Ivy League-level response.
Security expert hacks his own insulin pump
Cybersecurity expert Jay Radcliffe hacked into his own insulin pump at the Black Hat cybersecurity conference in early August, to raise awareness about the potential harm that could be done to patients like himself with similar devices, including pacemakers and heart defibrillators. He did not name the manufacturer of the pump until said manufacturer allegedly rebuffed his repeated attempts to show them how he did it, in hopes they would address the issue. We won’t name the manufacturer here but will close with his words of advice, as reported by the StarTribune:
“Saying it’s never been done is no assurance that it can’t be done in the future,” he said. “Just because nobody’s exploited your system doesn’t make it secure.”