NullCrew Arrest Leads Breach RoundupAlleged Member Suspected of Hacking Bell Canada Supplier
In this week's breach roundup, a suspected member of the NullCrew hacktivist group has been charged in connection with hacking into one of Bell Canada's third-party supplier's IT system. Also, Paytime Inc. is facing a class action lawsuit following a breach that impacted approximately 233,000 individuals.
See Also: The Global State of Online Digital Trust
Suspected NullCrew Hacker Arrested
A suspected member of the NullCrew hacktivist group has been arrested and charged in connection with hacking into one of Bell Canada's third-party supplier's information technology system (see: Canadian Telecom Firm Reports Breach).
The underage defendant, who was not named, was charged with one count of unauthorized use of a computer and two counts of mischief, according to the Royal Canadian Mounted Police. The attack against Bell Canada's third party resulted in the exposure of more than 22,000 usernames and passwords, along with five valid credit card numbers of Bell Canada's small business customers.
The defendant is scheduled to appear in court in Ottawa on August 19, authorities say. "Cooperation with our FBI counterparts permitted us to pursue this investigation, which ultimately led to identifying a Canadian suspect," says Dean Buzza, officer in charge of specialized operational services for RCMP.
The charge against the Canadian follows the arrest of Timothy Justin French of Morristown, Tenn., another alleged member of NullCrew who conspired to launch cyber-attacks on two universities and three companies last summer (see: Alleged Hacker Charged in Five Attacks).
Paytime Sued Following Breach
Paytime Inc., a payroll solutions company in Mechanicsburg, Pa., is now facing a class action lawsuit following a breach that exposed approximately 233,000 individuals' usernames and passwords for the company's client service center (see: Paytime Breach May Impact 233,000).
The lawsuit, brought by three individuals who use Paytime's services, claims the company failed prevent vulnerabilities from being taken advantage of in its computer system, which resulted in the exposure of sensitive customer information, including names, Social Security numbers, bank account data, street addresses, birth dates, wages, hiring dates and phone numbers.
Accusing Paytime of negligence and breach of contract, the plaintiffs are seeking monetary damages, payment of attorneys' fees and injunctive relief, including providing victims with credit monitoring services for at least 25 years.
Third-Party Hack Impacts Evernote Forums
The hacker was able to retrieve forum members' profile information from the third party's database, the company says. Compromised information includes e-mail addresses, passwords and dates of birth.
"Even though this immediate security breach occurred on a server managed by another company, Evernote is absolutely responsible for the problem," says Dave Engberg, Evernote's CTO. "Even the disclosure of an e-mail address is a mistake that we need to disclose to our users and prevent in the future."
A spokesperson for Evernote did not comment beyond what was included in the company's post, but said the forum incident was not related to the earlier DDoS attack.
Patient Info Inappropriately Accessed
Penn State Milton S. Hershey Medical Center in Pennsylvania is notifying 1,800 patients that their protected health information may have been compromised after an employee viewed the information outside of the organization's secured system.
The hospital says it learned on April 11 that an employee had been accessing from his home information related to a type of test ordered by clinicians of the organization's women's health or family medicine departments.
Although the employee was authorized to access and use the information, he inappropriately access the information using systems and devices outside the secured Penn State Hershey system, using his personal computer, a removable USB drive and his personal e-mail account.
Potentially compromised information pertains to patient visits that occurred at Penn State Hershey's women's health and family practice clinician offices as well as information from other physicians' offices that used the organization's lab to perform the tests over the same time period. Information potentially exposed includes patient names, medical record numbers, name of lab test, visit dates and test results.
In the aftermath of the incident, Penn State Hershey is increasing employee education efforts, "focusing on the essential responsibility of all staff to safeguard patient health information at all times and follow proper practices for doing so," according to a statement.