Breach Guide

Learn the steps to take in the event of a data breach and stay current on the cyber threat landscape with the FTC’s Data Breach Resources, FBI’s Daily Digest Library and San Diego’s Cyber Incident Response Guide.

Federal Trade Commission (FTC) Data Breach Resources

Find out the steps to take as a business or consumer if you experience a data breach.


FBI Cyber Daily Digest Library

Stay current on the global threat landscape with the FBI’s daily circulation of published data breaches and articles.

  • How to Delete Old AOL and Yahoo Accounts

    • With AOL and Yahoo changing owners for the second time in a half-dozen years, now is a good time to delete any old and unused accounts. 
    • Verizon has agreed to sell AOL and Yahoo to the private-equity firm Apollo Global Management for $5 billion, significantly less than the combined purchase price of $9 billion for the two media companies in 2015 and 2017.
    • One of the most significant assets being sold to Apollo is the mountain of consumer data compiled by AOL and Yahoo over the decades. Yahoo still has about 900 million monthly users, and there are probably millions of additional people who set up AOL or Yahoo accounts years ago and then let them languish.
    • Apollo is likely to go to work trying to make more money off that data.
    • If your accounts have been idle, you're letting corporations trade your data and make money from it with no benefit to you. And if there's ever a data breach—such as a Yahoo data breach that began in 2013 and affected 500 million users—it just means hackers will get more of your information, which could be used for scams or identity theft.
    • It's easy to transfer old emails to most other email services. For instance, if you want to move Yahoo emails to a Gmail account, open your Gmail settings, then click on the Accounts & Import tab, and follow the directions.
    - Allen St. John | May 6, 2021
  • The Feds Can Access The Private Data On Your Phone Through Your Car

    • One of the largest law enforcement agencies in the U.S., the Customs And Border Protection, has now found a convenient back door to siphon much of the information from the fortress of your smartphone: your car.
    • All the CBP needed was a few hardware kits from a Swedish IT firm called MSAB:
    • MSAB marketing materials promise cops access to a vast array of sensitive personal information quietly stored in the infotainment consoles and various other computers used by modern vehicles — a tapestry of personal details akin to what CBP might get when cracking into one’s personal phone.
    • Using MSAB’s hardware, the CBP can access data as broad as the following, as The Intercept details:
    • MSAB claims that this data can include “Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been.”
    - José Rodríguez Jr. | May 5, 2021
  • Peloton’s leaky API let anyone grab riders’ private account data

    • My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.
    • As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it.
      • An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.
    • The exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics and, if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.
    • Peloton had a bit of a fail in responding to a vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.
    - Zack Whittaker | May 5, 2021
  • Cybersecurity can reassure consumers in an era of data anxiety

    • Although increasingly stringent consumer privacy and security laws are becoming the norm, companies should always be ahead of these changes when it comes to cybersecurity. They need to be transparent about how they collect and use consumer data, clear about their cybersecurity policies and protocols in the event of an attack, and most importantly, committed to educating employees on how to keep themselves, the company, and customers safe.
    • According to a 2021 PwC survey, 55 percent of companies say they’re planning to increase their cybersecurity budget and 72 percent say they’re capable of strengthening their cybersecurity platform while containing costs. One of the most cost-effective ways companies can become more secure is through employee education.
    • Cybersecurity (or a lack thereof) has drastic implications for consumer behavior – 85 percent of consumers say they won’t do business with a company if they have concerns about its security practices, while 81 percent will stop engaging with a brand online after a data breach.
    • An educated workforce is the most powerful element of any successful cybersecurity platform. The vast majority of cyberattacks rely on the manipulation of human beings – from phishing emails that convince employees to click on a corrupt link or download malware to business email compromise (BEC) schemes in which threat actors impersonate company leaders to coerce people into disclosing sensitive information.
    - Zack Shuler | May 4, 2021
  • 3 Ways to Find If Your Phone Number and Email Have Leaked in a Data Breach

    • Earlier this month, Facebook faced a huge data breach in which the data of more than 533 million users from 106 countries leaked online. This data included phone numbers, Facebook IDs, birthdates, etc. So, if you are worried about this data breach or any other data breach online, you may want to check whether your data is secure.
    • Have I Been Pwned?
      • Go to ‘https://haveibeenpwned.com/’ on any device or search the website on Google.
      • Once the web page appears, enter your email or phone number in the international format and click on the ‘pwned’ tab next to it.
      • The web page will show how many times your data was leaked.
    • Avast Hack Check
      • Visit Avast’s Hack Check tool page and enter your email address in the given box.
      • Click on ‘Check Now’ and it will show whether your data has been leaked.
    • The News Each Day
      • Another tool for checking if your phone number was leaked in the Facebook data breach is a website called The News Each Day. Here, you can input your phone number to find if it was part of the breach.
    - Satyendra Pal Singh | May 4, 2021
  • Lawyers Encouraged to Vet Tech Vendors Carefully

    • Law firms are prime targets for hackers. Why? Because their computer networks contain highly concentrated, high-value information about many parties that is often not well-protected. One often-overlooked vulnerability is the security of computer networks operated by third-party vendors employed by the firm.
    • The five leading threats to law firms are:
      • Ransomware
      • Business Email Compromise / EAC
      • Spearphishing
      • Lost or stolen laptops and mobile devices
      • Third Party Risk
    • All law firms should carefully inventory the data they possess: What data is held by the firm, why it is being held, who has access to it, and for how long?
    • Vendors have capabilities that law firms do not, and it is often the case that cybersecurity measures in place at a vendor are better than those in place at the law firm itself. However, that is not always the case and no law firm should assume that a vendor’s cybersecurity measures are adequate for the assigned matter.
      • Trust but verify.
    - Jim Ballowe | May 3, 2021
  • Ransomware Hits Scripps Health, Disrupting Critical Care, Online Portal

    • Scripps Health in San Diego was hit by a ransomware attack over the weekend, forcing the health system into EHR downtime.
    • Monday appointments were also postponed due to the cyberattack, which disrupted operations at two of Scripps’ four main hospitals and backup servers that reside in Arizona.
    • Reports say all four hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were placed on emergency care diversion for stroke and heart attack patients, who were diverted to other medical centers when possible. All trauma patients were also diverted.
    • The Scripps website was also down.
    - Jessica Davis | May 3, 2021
  • Scripps Health Hit By Cyberattack

    • Scripps Health confirmed Sunday their technology servers were hacked overnight, forcing the health care system to switch to offline chart systems and causing a disruption to their patient portals.
    • Some appointments were being canceled on Sunday and Monday as a result of the breach.
    • "We are working on how best to notify these patients about the need to reschedule," a statement from Scripps said.
    • The San Diego County Office of Emergency Services (OES) said ambulances were being diverted from Scripps' facilities to other hospitals in the area but that it was a precautionary measure.
    - Christina Bravo | May 2, 2021
  • More than 2 million affected by data breaches in April

    • In April, 41 organizations reported to HHS that 2,121,186 individuals were affected by data breaches.
    • Breaches of protected health information affecting more than 500 individuals are required to be listed on HHS' breach portal.
    | April 30, 2021
  • Click Studios asks customers to stop tweeting about its Passwordstate data breach

    • Last week, the company told customers to “commence resetting all passwords” stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22.
    • The malicious update was designed to contact the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers.
    • Click Studios said in a Wednesday advisory that customers are “requested not to post Click Studios correspondence on Social Media.” The email adds: “It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks.”
    • It’s not clear if the company has disclosed the breach to U.S. and EU authorities where the company has customers, but where data breach notification rules obligate companies to disclose incidents. Companies can be fined up to 4% of their annual global revenue for falling foul of Europe’s GDPR rules.
    - Zack Whittaker | April 29, 2021

San Diego Cyber Incident Response Guide

Learn more about San Diego’s region-wide cyber incident response guide and available local, state and federal resources.

San Diego Cyber Incident Response Guide October 2017