At a glance.
- Pepsi Bottling Ventures discloses data breach.
- When do data breach victims have standing to sue?
- Two US colleges impacted in the MOVEit hack.
- Data of thousands of Dublin airport staff exposed in third-party data breach.
Pepsi Bottling Ventures discloses data breach.
Pepsi Bottling Ventures disclosed Monday that it had discovered a data breach back in January, and that it was taking steps to protect those affected. "The impacted information varies by individual, and may have included: first and last names (including individual and/or parents’ legal surname prior to marriage); home address; email address; financial account information (including a limited number of passwords, PIN codes, or other access numbers); state and federal government issued identification numbers such as driver license numbers, ID cards, social security numbers and passport information; digital signatures; and information related to benefits and employment, including certain limited medical history, health and health insurance claims, and health insurance information such as policy numbers." This is a lot of information. The company has contracted with Kroll "to provide identity monitoring at no cost for at least one year for those impacted. Identity monitoring services include Credit Monitoring, a Current Credit Report, Web Watcher, Public Persona, Quick Cash Scan, $1 Million Identity Fraud Loss Reimbursement, Fraud Consultation, and Identity Theft Restoration." People who believe they may have been affected may call (866) 674-3149, Monday through Friday, from 9:00 a.m. to 6:30 p.m. Eastern Time (excluding US holidays).
Willy Leichter, VP of Marketing at Cyware, finds the long delay in discovery and response dismaying. “Unfortunately, this type of long delay in discovering and acting upon a breach is all too common. But saying that they have "contained" the breach after not discovering it for six months stretches credulity. Indicators of compromise of breaches need to be discovered in hours or days for there to be any chance of limiting the damage.”
Roy Akerman, Co-Founder & CEO of Rezonate, notes that an identity cannot simply be replaced. “Unlike a credit card, username, password and other personally identifiable information (PII), an identity cannot be simply replaced and will be forever compromised and at risk. The highest paying intel on the dark web was and will continue to be PII and healthcare information. Identity data will therefore continue to be the number one target and the means which attackers leverage to compromise systems and organizations.” It's an obvious point, but one that can be all too easy to overlook: fullz are valuable, and it can be difficult to recover from identity theft.
When do data breach victims have standing to sue?
A US federal appeals court has determined that an individual whose data were abused due to a data breach has standing to sue the entity that experienced the breach. In the case in question, the plaintiff, Alexsis Webb, alleged she suffered injury-in-fact after her data were stolen from home-delivery pharmacy Injured Workers Pharmacy (IWP). IWP suffered the data breach in 2021, and Webb’s info was subsequently used to file a fraudulent tax return. Although the breach occurred in January, IWP didn’t discover it until almost four months later and did not notify customers until after a seven-month investigation. Even then, the plaintiff asserts, the notification did not adequately communicate the size or scope of the incident and IWP claimed there was no evidence the stolen data had been misused. Webb claims she “fears for her personal financial security and [for] what information was revealed in the [d]ata [b]reach,” “has spent considerable time and effort monitoring her accounts to protect herself from . . . identity theft,” and “is experiencing feelings of anxiety, sleep disruption, stress, and fear” as a result. A lower court dismissed the suit for lack of standing. DataBreaches.net asserts that cases of this nature are typically hard to win because it’s difficult for the plaintiff to demonstrate a connection between the breach and the fraud they experienced, but in this case the appeals court found in favor of the plaintiff because of the clear misuse of the data and the sequence of events leading up to it.
Two US colleges impacted in the MOVEit hack.
The ripple effect of the MOVEit mass-hack continues to claim victims, this time two colleges in the US’s New England region. Middlebury College in the US state of Vermont and Trinity College in Connecticut have confirmed that Teachers Insurance and Annuity Association of America (TIAA) was impacted in the hacking of the popular MOVEit file transfer application. TIAA is a nonprofit that provides financial services for academic employees, and spokesperson Chad Peterson told TechCrunch that the organization was not directly targeted in the MOVEit hack, but was impacted by a breach at one of its third-party vendors that uses the application. “No information was obtained from TIAA’s systems and TIAA systems were not at risk from the MOVEit Transfer vulnerability,” Peterson said. “We have not observed any related unusual activity from this event involving TIAA accounts.” Trinity College says Social Security numbers and dates of birth were among the data shared with TIAA, which handles the school’s annuity plan. Middlebury confirmed that in addition to the TIAA breach, it was also impacted by a MOVEit attack on National Student Clearinghouse. According to Emsisoft threat analyst Brett Callow, the MOVEit hack has so far claimed at least 160 victims, and while only twelve of these victims have confirmed the number of individuals affected, the total already surpasses 16 million people.
Data of thousands of Dublin airport staff exposed in third-party data breach.
Reuters reports that the financial data of employees at the Dublin airport were exposed in a cyberattack targeting Aon, a global professional services and management consulting firm.
A spokesperson for Dublin Airport Authority (DAA) stated on Sunday, “DAA can confirm that as a result of a recent cyber-attack on Aon, a third-party professional service provider, data relating to some employees’ pay and benefits was compromised.” And, you guessed it, the Aon attack is being attributed to the wide-reaching mass-hack of MOVEit, which Aon used as a file transfer tool. It’s reported that two thousand Dublin airport staff were impacted by the breach.