Xfinity Data Breach 2023- Take action now

The Comcast Cable Communications, doing business as Xfinity, data breach announced this week impacts over 36 million, that may include both current and former customers. As a society, we may becoming numb to responding due to the sheer number of incidents, but in this case, if you’ve ever used Comcast, take action now.

What Happened? On October 10, 2023, one of Xfinity’s software providers, Citrix, announced a vulnerability in one of its products used by Xfinity and thousands of other companies worldwide. At the time Citrix made this announcement, it released a patch to fix the vulnerability. Citrix issued additional mitigation guidance on October 23, 2023. We promptly patched and mitigated our systems.

However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability. We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

What Information Was Involved? On December 6, 2023, we concluded that the information included usernames and hashed passwords. For some customers, other information was also included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. However, our data analysis is continuing, and we will provide additional notices as appropriate.”

I’m a customer, why am I just hearing about this now?

Xfinity put out a press release on Monday December 18, 2023, which was picked up by the all the major news networks. Email notifications were not sent to all Xfinity customers, but if a customer attempts to login to their account, a password change is automatically prompted for.

Xfinity falls short on privacy and account modifications.

It’s clear that the web site has a new look and feel, maybe in part due to responding to the data breach. After changing password, with required authentication steps, users cannot update their privacy setting without providing a mobile number.

What action should you take?

  1. Change password login. Only use strong passwords with at least 16 characters, and don’t use the password for any other web site. If you’re not using a password management system, get one now.
  2. Change secret questions and answers. Don’t use questions where answers are easily obtained through social media or past web site uses. Due to prior internet data breaches, criminals have vast amounts of information on everyone; software makes it easy to compile data from multiple sources and create automated attacks.
  3. If Xfinity secret questions and answers are used anywhere else, including the credit reporting agencies like Experian, change them. If in doubt, update all financial institution and phone service secret questions immediately, due to potential harmful impact if those were compromised.
  4. The data breach was in October and consumers are finding out about it in December. If you don’t normally review your financial transactions, look closely. Also, check your credit report activity. https://www.annualcreditreport.com/index.action
  5. Review privacy settings may not be what they were prior to recent web updates.

Comcast has a history of using social security numbers to open accounts that goes back decades. In response to data breaches, US government regulations have been modified and expanded over the years to reduce risk of consumer data being exposed by limiting when social security numbers may be required to mostly financial and government institutions. Cable, phone and healthcare companies still routinely require them in order to receive services. Consumers can refuse to provide one, but might be denied the service.

Xfinity no longer requires social security numbers, but they can be used as a secondary form of identification. Even “an expired photo driver’s license which is not more than five years old from the expiration date” qualifies as acceptable. At what point should an ID be removed from systems to protect consumer data? After a customer has satisfactorily paid their bill for a year? Or 5, which is the basic lifespan of secure computers? If the hashed 4 digit social security number, or any other ID, truly has no value, then why not delete it after a designated period of time?

Resources:

2023 Merchant Credit Card Data Breach List

The 2023 credit card data breach was updated March 2023, and is not all inclusive. Is your business safe from a credit card data breach? The list below highlights some credit card data breaches and the primary cause at the time the data breach was announced. While malware reigns as a top cause of payment data breaches, employee theft is still a problem too. To make the list, typically companies are only listed if full card data is stolen.

Restaurants

January 2020 Chick-fil-A says less than 2% of customers affected by breach via website and mobile application between December 18, 2022 and February 12, 2023 using login credentials obtained from a third-party source. Name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on your account (if any). In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address. Importantly, unauthorized parties would only have been able to view the last four digits of your payment card number.

Retail & Ecommerce

January 2023: JD Sports– online store November 2018 and October 2020, announced January 2023. Among other shopper data for 10 million customers was the last four digits of card numbers. JD Sports is based in the UK and can expect fines up to the higher maximum permitted under Part 6 of the Data Protection Act 2018, so potentially £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Technology

January 18, 2023: Paypal, about 35,000 customers exposed information included names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. Unauthorized access by credential stuffing.

Don’t be the next credit card data breach victim!

Christine Speedy is Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls. Call Christine for technology, merchant services and check processing needs.

Block, formerly known as Square, Confirms Cash App Data Breach

On April 4, 2022, Block, Inc. (the “Company”) announced that it recently determined that a former employee downloaded certain reports of its subsidiary Cash App Investing LLC (“Cash App Investing”) on December 10, 2021 that contained some U.S. customer information. While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.

The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.

The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information. They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted.

Upon discovery, the Company and its outside counsel launched an investigation with the help of a leading forensics firm. Cash App Investing is contacting approximately 8.2 million current and former customers to provide them with information about this incident and sharing resources with them to answer their questions. The Company is also notifying the applicable regulatory authorities and has notified law enforcement.

The Company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers. Future costs associated with this incident are difficult to predict. Although the Company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the Company does not currently believe the incident will have a material impact on its business, operations, or financial results.

SEC event filing of Cash App data breachhttps://www.sec.gov/ix?doc=/Archives/edgar/data/0001512673/000119312522095215/d343042d8k.htm

FTC Takes Action Against CafePress for Data Breach Cover Up

March 15, 2022- Commission orders e-commerce platform to bolster data security and provide redress to small businesses.

The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged. As a result of its shoddy security practices, CafePress’ network was breached multiple times.

According to the complaint, a hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the Dark Web.

After being notified a month later that it had a security vulnerability and that hackers had obtained consumer data, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint alleged. This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers. The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.

The complaint alleges CafePress did not inform affected customers until September 2019—one month after the breach was reported widely. The company’s lax security practices, however, still left many consumers at risk. For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses—the same information that had been previously stolen by hackers.

According to the complaint, CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress determined that certain accounts of shopkeepers had been hacked, CafePress closed the accounts and charged the victims a $25 account closure fee. The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

In addition to its security failures, the FTC alleged the company misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin and PlanetArt will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures such as security questions with multi-factor authentication methods; minimizing the amount of data they collect and retain; and encrypting Social Security numbers.

In addition, the proposed settlement requires Residual Pumpkin to pay $500,000 in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with the companies.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover

Chinese PAX payment terminal manufacturer raided by FBI in Florida

PAX Technology Warehouse in Jacksonville Florida was the subject of a search and investigation October 26, 2021 by the Federal Bureau of Investigation, the Department of Homeland Security, and several other agencies. PAX is a Chinese credit card terminal provider that significantly grew it’s global reach, including the US, during the transition to EMV chip terminals.

Brian Krebs, a cybersecurity investigative journalist, reported a major US payment processor noticed that PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information. Something didn’t add up and PAX didn’t give any good answers.

FBI Statement: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”

US vendors in the payments ecosystem were quick to respond. The sale and installation of PAX terminals has already been prohibited by some.