Bitly Update Leads Breach Roundup

Company Implementing 2-Factor Authentication Following Incident

In this week's breach roundup, Bitly is implementing additional security measures following a breach that compromised user information. Also, a former Army assistant inspector general has pleaded guilty in connection with a scheme to obtain fraudulent bank loans using the stolen identities of active U.S. Army officers.

Bitly Enabling Two-Factor Authentication

Following a data breach that compromised account credentials, the URL shortening service Bitly says it's implementing two-factor authentication and is adding other security measures.

Rob Platzer, the company's chief technology officer, said in a blog post that the company is enforcing two-factor authentication for all third-party services. Bitly has also "accelerated development of [its] work to support two-factor authentication for bitly.com," he says.

Exposed information in the breach included users' e-mail addresses, encrypted passwords, API keys and OAuth tokens, CEO Mark Josephson said in a May 9 statement, which did not specify how many users were affected (see: Bitly Reports Data Breach).

Other security measures Bitly is taking following the incident include: rotating all SSL certificates; resetting credentials used for code deployment; accelerating development for e-mail confirmation of password changes; adding additional audit details to user security pages; and enabling detailed logging on its offsite storage systems.

Bitly did not immediately respond to a request for additional information.

Former Army Official Guilty in Fraud Scheme

A former Army assistant inspector general has pleaded guilty in connection with a scheme to obtain fraudulent bank loans using the stolen identities of U.S. Army officers, according to the U.S. Attorney's Office for the Middle District of Tennessee.

James Robert Jones of Woodlawn, Tenn., formerly an assistant inspector general at Fort Campbell, admitted to abusing his position to obtain personal identifying information, including Social Security numbers and dates of birth, of active duty U.S. Army officers, including those who were deployed to Afghanistan, the attorney's office says.

He used the stolen information to apply for loans in the officers' names, obtained loans from two federally insured financial institutions, and used the money from the loans for his own personal benefit, prosecutors say. Jones admitted that he attempted to conceal his scheme by asking a colleague to delete records found on his U.S. Army-issued laptop computer, they add.

Jones faces up to 30 years in prison for the counts of bank fraud and making a false statement to a bank, up to 20 years in prison for obstructing justice, and up to 5 years in prison for making a false statement to investigators. Jones will be sentenced on Aug. 11.

Hackers Break Into Payroll Solutions Firm

Paytime Inc., a payroll solutions company in Mechanicsburg, Pa., is investigating a breach last month that reportedly exposed its clients' corporate bank accounts and the personal information of their customers' employees.

"Our investigation has ... determined that the intruders were skilled hackers working from foreign IP addresses," the company told a local news outlet.

Compromised information for Paytime Inc.'s customers includes their employees' names, Social Security numbers, direct deposit bank account information, dates of birth, hire dates, wage information, home and cell phone numbers, other payroll-related information and home addresses.

Paytime Inc. wouldn't disclose the number of individuals affected by the breach, news reports said, and the company did not respond to a request for additional information.

Ticketing Software Company Reports Cyber-Attack

Concert ticketing software firm Gingerbread Shed is notifying customers that their personal information may have been compromised following a four-month incident involving an unauthorized third party who accessed the company's systems.

The time period of the incident was from late November 2013 to mid-February 2014, the company said in a notification letter submitted to the Vermont Attorney General's office.

Compromised information includes names, addresses, telephone numbers, e-mail addresses, credit card information and the user names and passwords for the company's website accounts.

Gingerbread Shed is working with law enforcement to investigate the incident. It has also deployed additional security procedures. The company did not immediately respond to a request for additional information.


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



