At a glance.
- Financial research firm confirms data breach.
- Missouri medical center suffers patient data breach.
- Where everybody knows your name.
Financial research firm confirms data breach.
Zacks Investment Research, a market research company that uses advanced financial data analytics algorithms to help investors make stock buying decisions, has disclosed it suffered a data breach that exposed the data of 820,000 customers. Although an internal investigation has determined that intruders gained access to Zacks's network sometime between November 2021 and August 2022, the company did not detect the breach until late last year, Bleeping Computer notes. The incident impacted customers of the Zacks Elite product who joined between November 1999 and February 2005, and the compromised data include their full names, addresses, phone numbers, email addresses, and user passwords. Zacks says it does not believe that any financial data were exposed. The company has initiated a password reset for the impacted accounts, and users employing SMS-based two-factor authentication (2FA) to secure their accounts are advised to switch to a different phone number or 2FA method.
Dark Reading adds that Zacks will be conducting an investigation to determine the full scope of the breach. The company stated, “Also while Zacks is constantly monitoring and updating our system to safeguard customer information, including in consultation with our outside cybersecurity expert, as a result of this incident, we are conducting an investigation and continuing our ongoing efforts to evaluate and implement additional measures to further enhance our protocols for the protection of your personal information.”
Roger Grimes, data-driven defense evangelist at KnowBe4, commented that the company is doing a lot right, but said he is puzzled by the lag in detection and notification. "It looks like Zacks is doing a lot of the right things in order to restore trust with customers. I do wonder why it took almost a month from detecting the breach to notify customers and why it took 3-4 months to notice the breach? A month to notify affected customers that their current passwords, which are often shared with other unrelated sites and services, seems a bit excessive. Although there can always be extenuating circumstances and it just took that long to figure out what happened so they could clearly and accurately communicate what happened. Still, you would hope any breached company would notify affected customers within days and not take weeks to make an official announcement."
Iowa medical center suffers patient data breach.
Earlier this month Jefferson County Health Center, a twenty-five-bed acute care facility located in the US state of Missouri, filed notice of a data breach with the Department of Health and Human Services Office for Civil Rights. Upon learning that private patient data had been accessed by an unauthorized party, the center conducted an internal investigation of the exposed files, determining that names, Social Security numbers, and other medical details were among the data compromised. JDSupra adds that the Jefferson County Health Department sent out data breach notification letters to all impacted individuals on January 13.
Where everybody knows your name.
The Austrian police yesterday revealed that a Dutch hacker arrested in November obtained and attempted to sell the data of nearly every Austrian resident, Reuters reports. Authorities have verified the authenticity of the data set, which consists of full names, genders, complete addresses, and dates of birth, and contains 9 million sets of data, just shy of Austria's total population of approximately 9.1 million people. According to authorities, the info consists of registration data, or basic details that residents are required to provide to the authorities. Police say they have reason to believe that unknown buyers did in fact purchase the data, stating, “Since this data was freely available on the Internet, it must absolutely be assumed that these registration data are, in full or in part, irrevocably in the hands of criminals.” The 25-year-old responsible for the hack is under investigation by the Dutch police and judicial authorities. Officials refrained from sharing details until now in order to preserve the investigation.