Apple ID Breach Update Leads Roundup
Fla. Company Source of IDs; Patients Notified of Insider Breach
In this week's breach roundup, BlueToad, a Florida-based company, says it was the source of the Apple unique device identifiers taken by hackers. Also, University of Miami Hospital has notified an undisclosed number of patients about an insider breach.
Fla. Company Source of Breached Apple IDs
Florida company BlueToad says it was the source of the Apple unique device identifiers, or UDIDs, recently taken by hackers. Original claims by hacktivist group AntiSec had stated that the 12 million UDIDs were breached from a computer of an FBI agent. The FBI denied the breach occurred, saying in a tweet that the hacktivists' claim was "totally false." And Apple said it did not provide the FBI with the UDIDs.
"When we discovered that we were the likely source of the information in question, we immediately reached out to law enforcement to inform them and to cooperate with their ongoing investigation of the parties responsible for the criminal attack and the posting of the stolen information," Paul DeHart, BlueToad CEO, said in a blog post. BlueToad works with publishers to translate printed content into digital formats.
Patients Notified of Insider Breach
University of Miami Hospital has notified an undisclosed number of patients that two employees were charged with inappropriately accessing patient information. The employees were terminated, and public notice was delayed at the request of law enforcement officials who were conducting the investigation.
The employees were viewing registration face sheets, which contain basic identifying information, such as name, address, date of birth, insurance policy numbers and the reason for the hospital visit.
"While Social Security numbers are masked to display only the last four digits, some health insurance plans, such as Medicare and Medicaid, continue to use Social Security numbers as insurance policy numbers, which are included on the face sheet," the letter to affected individuals said.
Although the number of patients affected hasn't been revealed, those being notified are patients who may have been seen at one of the hospital's facilities, located at 1400 N.W. 12th Avenue in Miami, between October 2010 and July 2012. Computer systems were unaffected by the incident, the letter says.
Affected patients are being offered a complimentary two-year membership to Experian's ProtectMyID Elite identity protection service.
Gaming Breach Affects 8,500 Accounts
ArenaNet, developer of the popular computer game Guild Wars 2, was hit by a password-cracking campaign that affected 8,500 players. The attacks, the company says, were aided in part by compromised credentials taken from an unknown fan site that was also recently hacked, according to the technology site Ars Technica.
The company has started e-mailing customers when someone logs into their account from a different location, as well as encouraging users to develop strong, random passwords, Ars Technica reports.
Employees Suspended Over Privacy Violations
The British Columbia Ministry of Health in Canada has suspended seven employees without pay after they inappropriately accessed medical information, according to The Vancouver Sun.
The suspended employees worked in the area of research and evidence development, awarding drug research contracts for the ministry, the Sun said.
The ministry workers and two research contractors inappropriately accessed health data, according to the ministry. The agreements with the two research contractors have been terminated until an investigation into the incident has been completed, the report explains.
Man Sentenced in Botnet Access Scheme
A Phoenix, Ariz., man was sentenced to 30 months in prison for selling command-and-control access to thousands of malware-infected computers, also known as botnets, according to the U.S. Department of Justice.
In addition to the 30-month term, Joshua Schichtel was ordered to serve three years of supervised release. He pleaded guilty on Aug. 17, 2011, to one count of attempting to cause damage to multiple computers without authorization by the transmission of programs, codes or commands, a violation of the Computer Fraud and Abuse Act, the Justice Department said.
Individuals who wanted to infect computers with malware would contact Schichtel and pay for him to install malware on the computers that comprised the botnets, authorities said. He also pleaded guilty to causing malware to be installed on approximately 72,000 computers on behalf of a customer who paid $1,500 to use the botnet.