Breach Guide

Learn the steps to take in the event of a data breach and stay current on the cyber threat landscape with the FTC’s Data Breach Resources, FBI’s Daily Digest Library and San Diego’s Cyber Incident Response Guide.

Federal Trade Commission (FTC) Data Breach Resources

Find out the steps to take as a business or consumer if you experience a data breach.


FBI Cyber Daily Digest Library

Stay current on the global threat landscape with the FBI’s daily circulation of published data breaches and articles.

  • Fraudsters Use HTML Legos to Evade Detection in Phishing Attack

    • Researchers with Trustwave SpiderLabs are warning of a phishing campaign that employs what it calls "HTML Lego" to deliver a fake login page.
    • The phishing campaign is aimed at Microsoft 365 users and designed to mimic a Microsoft login interface. Trustwave says the emails contain nothing in the email body but have an attachment that appears to be an Excel file offering information about an investment. This attachment is actually an HTML document with two sections of URL encoded text.
    • “This phishing campaign design was a little more tricky than usual,” researchers say in a summary of the findings. “By improvising an HTML email attachment that incorporates remote JavaScript code located on a free JavaScript hosting site, and ensuring the code is encoded uniquely, the attackers seek to fly under the radar to avoid detection.”
    • A detailed analysis of the campaign can be found here.
    | April 8, 2021
  • ASH data breach more extensive than initially reported

    • On March 18, the Department of State Hospitals (DSH) announced that an employee with access to Atascadero State Hospital data servers improperly obtained more than 1,400 patient and former patient names, more than 600 employee names, as well as COVID-19 test results and health information related to COVID-19 tracking.
    • "The newly identified data was discovered during the investigation of the same employee," according to a department statement. "DSH is continuing its investigation of the data breach and has placed the principal subject of the investigation on administrative leave pending completion of the investigation."
    • The breach was first detected on Feb. 25, and the investigation so far indicates that the individual started improperly accessing the data 10 months prior.
    • To prevent a similar breach in the future, the department plans to log, monitor, and review administrator access and activity more regularly.
    New Times SLO - Maria Martin | April 8, 2021
  • California man indicted for stealing Shopify customer data

    • A California man has been indicted for stealing Shopify customer data with the help of two company employees.
    • The employees sent screenshots or Google Drive links with customers’ names, addresses, purchase histories, and other personal information.
    • Shopify acknowledged last year that two “rogue members” of its support team had breached customers’ security. It said the incident affected fewer than 200 merchants and emphasized that the breach stemmed from employees abusing their access rather than a technical vulnerability.
    - Adi Robertson | April 7, 2021
  • Mark Zuckerberg's Details Leaked in Facebook Data Breach

    • Facebook CEO Mark Zuckerberg's own personal information was among the details of 533 million Facebook users that leaked in a data breach, it has emerged.
    • Facebook has now confirmed that the leaked data was obtained not by a hack, but by scraping the platform prior to September 2019. The company now says that an exploit was found in its contact importer, but the "specific issue that allowed them to scrape this data in 2019 no longer exists."
    • Facebook has not clarified exactly what personal information leaked about the 533 million users, and has only said that "the information did not include financial information, health information or passwords."
    • Pundits investigating the data breach discovered that Zuckerberg is in fact a user of the encrypted messaging app Signal. Since WhatsApp, which is owned by Facebook, announced a number of changes to its privacy policy that would allow for more data sharing with its parent company, Signal has seen a surge in popularity, so it is interesting to see that the Facebook CEO himself is a user of the privacy-focused rival app.
    - Hartley Charlton | April 7, 2021
  • Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation

    • In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.
    • In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach.
    • A person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:
      • A claim alleging that the person failed to implement reasonable information security controls that resulted in the breach of system security.
      • A claim that the person failed to appropriately respond to a breach of system security.
      • A claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of security.
    • A person may not claim an affirmative defense, however, if:
      • The person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information;
      • The person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and
      • The threat or hazard resulted in the breach of system security.
    - Joseph J. Lazzarotti and Jason C. Gavejian | April 7, 2021
  • Class action lawsuit filed against Roper St. Francis Healthcare over data breach

    • A lawsuit has been filed against Roper St. Francis alleging that private patient data, including financial and medical information, was compromised in a breach.
    • “At all relevant times, Roper knew the data it stored was vulnerable to cyberattack based upon these repeated and ongoing data breaches,” the lawsuit claims. “Specifically, Roper St. Francis had three previous hacking incidents before the one complained of herein: (a) The first reported on January 29, 2019 that affected 35,253 people; (b) The second reported on September 3, 2020 that affected 6,000 people; and (c) The third reported on September 8, 2020 that affected 92,963 people.”
    • The lawsuit seeks:
      1. Economic and non-economic damages for Plaintiff and the Class members;
      2. Compensatory, consequential and actual damages for Plaintiff and the Class members, in an amount to be proven at trial;
      3. Statutory and injunctive relief for Plaintiff and the Class members;
      4. Punitive damages for Plaintiff and the Class members, in an amount to be proven at trial;
      5. Prejudgment interest, costs, and reasonable attorneys’ fees for Plaintiff and the Class members.
    Count on NEWS 2 - Tim Renaud | April 5, 2021
  • Stanford, UC warn of major data breach

    • Stanford University and the University of California are warning users of their computer systems to take extra caution following a nationwide cyberattack that affects their computer systems.
    • The two universities acknowledged their systems were part of the widespread security breach involving the Accellion file sharing system, in which an unknown number of university users' files were compromised, subjecting them to possible demands for money to prevent the files' contents from being revealed or destroyed.
    • UC said the cyber attackers have "published online screenshots of personal information" in an attempt to "scare people into giving them money."
    • Some computer users were sent a message that says: "Your personal data has been stolen and will be published."
    SECURITY INFOWATCH.com - Steve Rubenstein | April 5, 2021
  • 3 security practices educators should consider adopting

    • Before the COVID-19 pandemic, much of the conversation around security in postsecondary institutions was focused on physical safety.
    • With the transition to remote learning, all of that has shifted. The campus is also no longer the central hub and devices are spread across the homes of students, teachers and administrators – meaning universities have less control over these personal networks, and less in-person oversight into websites and applications being accessed.
    • Three security practices educators should consider adopting (or revisiting) in the semester ahead:
      1. Contain your app sprawl
      2. Know what security threats exist
      3. Go back to security basics
    - Fred King | April 5, 2021
  • Massive Facebook data breach leaks info on millions of users

    • Around 533 million Facebook users are thought to have been affected by the data breach, with phone numbers, Facebook ID, full name, location, past location, birthdate, email address, account creation date, relationship status, and personal bios all available.
    • The data could be a couple of years old and could have been extracted using the bug that Facebook said it fixed back in 2019 - before being first made available online back in January.
    • Users should remain careful of "social engineering attacks" as hackers may try to access Facebook accounts using the information obtained through this fresh dump of data.
    - Mike Moore, Jitendra Soni | April 5, 2021
  • Brand Breached: How data breaches erode brand value

    • Most brand custodians and consumers continue to think of cybersecurity as little more than a hygiene factor. It’s almost ironical that the presence of a robust cybersecurity system in itself is never reason enough for a customer to trust a brand, but the absence of it certainly drives them away.
    • A brand’s relative strength is impacted by a cybersecurity incident, most notably, in three ways:
      1. Presence - The degree to which a brand feels omnipresent to relevant audiences, is talked about positively, and is easily recalled when a customer has a need in the brand’s category.
      2. Affinity - The degree to which customers feel a positive connection with the brand, based on the functional and/or emotional benefits provided, and a sense of having shared values.
      3. Trust - The extent to which a brand is seen to deliver against the (high) expectations that customers have of it, is perceived to act with integrity and with customers’ interests in mind.
    | March 31, 2021

San Diego Cyber Incident Response Guide

Learn more about San Diego’s region-wide cyber incident response guide and available local, state and federal resources.

San Diego Cyber Incident Response Guide October 2017