Drupal Breach Leads RoundupUnauthorized Access Leads to Password Reset
In this week's breach roundup, Drupal.org, an open-source content management framework provider, has reset all account-holder passwords after the organization discovered unauthorized access to account information. Also, Champlain College in Burlington, Vt., is notifying 14,000 students about a security incident.
Drupal Resets Passwords After Breach
Drupal.org, an open-source content management framework provider, has reset all account-holder passwords after the organization discovered unauthorized access to account information.
Information exposed included usernames, e-mail addresses and country information, as well as hashed passwords. An investigation is ongoing to determine if other information was compromised, Drupal says in a statement.
The intruders installed third-party software on the Drupal.org server infrastructure, which led to the access, according to the statement.
"The notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally," the statement says.
Drupal.org passwords are both hashed and salted, the organization said, although some older passwords on some subsites were not salted.
The organization didn't specify how many users were affected.
College Reports Misplaced Drive
Champlain College in Burlington, Vt., is notifying about 14,000 students that a thumb drive containing their names and Social Security numbers was misplaced in a campus computer lab.
The college has no evidence of any misuse of the information stored on the device, which eventually was returned to the information systems department, according to a statement posted to the college's website.
Information on the drive was provided to the college's admissions and financial aid offices from 2010 to 2013.
The college is offering affected students free credit monitoring services for a year.
Improper Records Access Prompts Notification
Bon Secours Hampton Roads Health System in Suffolk, Va., is notifying about 5,800 patients about a breach involving improper access to medical records.
During an April audit of a patient's medical record, the health system identified suspicious access, according to a statement on the health system's website. An investigation determined that two members of the patient care team accessed patients' medical records in a manner that was "inconsistent with their job functions and hospital procedures, and inconsistent with the training they received regarding appropriate access of patient medical records," the statement said.
The employees have been terminated, the hospital said.
Information that was inappropriately accessed includes patient names; dates and time of service; provider and facility names; internal hospital medical record and account numbers, which may have included Social Security numbers; dates of birth; and treatment information, such as diagnoses, medications and vital signs.
The healthcare system is offering affected patients free credit monitoring services for one year.