At a glance.
- LG Uplus breach worse than predicted.
- Lawsuits motivate improvements in customer data security.
- Diligent says Colorado patient data exposed in last year’s data breach.
- Background check services confirm data leak.
LG Uplus breach worse than predicted.
South Korean mobile network operator LG Uplus suffered a data breach last month, and the company has now disclosed that the number of individuals impacted is greater than first suspected. The Weekend Leader reports that the data of approximately 290,000 users were compromised, about 110,000 more than initially estimated. LG Uplus had been storing the data under the e-commerce consumer protection law. "We are actively cooperating with the investigation by the authorities and the government to determine when and how the personal data was leaked," the company said. An investigation conducted by the Seoul Metropolitan Police Agency, the Personal Information Protection Commission, and the Korea Internet & Security Agency is underway.
Lawsuits motivate improvements in customer data security.
Increasingly, companies that suffer data breaches find themselves facing class-action lawsuits brought by the victims, who claim their data were compromised as a result of negligence on the company’s part. And these cases come with hefty price tags; the 2020 cyberattack at Equifax resulted in a class-action lawsuit that awarded a $700 million settlement. A recent survey of in-house litigation leaders from global corporations found that cybersecurity and data protection issues will be among the top reasons for new legal disputes in coming years. While company heads have no doubt seen the damage a data breach can do, both to reputation and to their wallets, many are ill-equipped to make the necessary changes to protect customer data. Tanium offers several recommendations for actions companies can take to prevent breaches and the legal disputes that could follow. Suggestions include creating a culture of cybersecurity that starts with the C-Suite, leading more discussions about data security controls, and taking a good, hard look at the organization’s cybersecurity weaknesses by conducting a self-critical analysis. Mike Morgan, US head of global privacy and cybersecurity at global law firm McDermott Will & Emery, states, “One of the issues that comes up in lawsuits is to what extent your organization’s legal adversary—whether that’s a plaintiff, plaintiff’s lawyer, or regulator—can have access to your organization’s self-critical analysis of its own cybersecurity program.”
Diligent says Colorado patient data exposed in last year’s data breach.
In June of last year, US software-as-a-service company Diligent Corp disclosed a cyber incident in which an unauthorized actor accessed a network supporting Diligent’s firm Steele Compliance. At the time, Diligent submitted a report to the Maine Attorney General’s Office stating that 1,184 people were impacted by the breach and had been notified of the incident. However, it has come to light that the company notified the University of Colorado Hospital Authority just last month that the data of 48,879 patients were also compromised. Databreaches.net reports that Diligent submitted an updated notification to state attorneys, as well as a new notification to customers stating, “Diligent recently learned the precise scope of the unauthorized third party’s access, when the third party posted a set of files that it had acquired on an external site. That access appears to have included access to personal data we did not initially believe was accessed, including some data regarding you.”
Background check services confirm data leak.
Hackers have leaked a 2019 backup database containing the info of millions of users of background check services TruthFinder and Instant Checkmate, and PeopleConnect, the company that owns the two services, has confirmed they experienced a data breach. Bleeping Computer recounts that the stolen data, which allegedly belong to customers who used the services up to April 16th, 2019, were posted by a member of the Breached hacking and data breach forum on January 21. Forum owner Pompompurin says the data were stolen from an exposed database backup found by a forum member, and the dumped data include customer email addresses, hashed passwords, first and last names, and phone numbers. When PeopleConnect learned of the leak, the company immediately conducted an investigation. On Friday notices were posted on both services’ websites stating, “We learned recently that a list, including name, email, telephone number in some instances, as well as securely encrypted passwords and expired and inactive password reset tokens, of TruthFinder subscribers was being discussed and made available in an online forum.” The notice goes on to state the list originated within the company, and though the investigation is ongoing, PeopleConnect believes the exposure was the result of “an inadvertent leak or theft.”