Insurance Co. Breach Leads RoundupNationwide Network Hacked; AT&T Hacker Convicted
In this week's breach roundup, Nationwide Insurance is investigating an attack on a portion of its computer network. Also, a federal jury convicted a hacker for breaching AT&T servers and stealing e-mail addresses and other personal information belonging to approximately 120,000 Apple iPad users.
See Also: The Power and Scale of XDR
Nationwide Insurance's Network Breached
Nationwide Insurance Co. is investigating an Oct. 3 attack on a portion of its computer network that affected an undisclosed number of Nationwide and Allied Insurance customers.
"Nationwide is not aware of any misuse of personal information at this time," a company spokesperson says.
The attack compromised the personally identifiable information of current, former and prospective customers. While Nationwide wouldn't confirm how many customers were affected, the spokesperson confirms that the breach affects individuals in more than one state.
Oklahoma Insurance Commissioner John Doak told Insurance Journal that the breach affected 534 individuals in his state. The compromised information included Social Security numbers, driver's license numbers, birth dates and possibly their marital statuses, genders and occupations, the journal reports.
Nationwide is working with law enforcement and independent experts to analyze the affected computer network. State regulators have also been notified of the intrusion. Affected customers are being notified by mail and offered free credit monitoring and identity theft protection for one year through Equifax, the Nationwide spokesperson says.
Man Convicted of Hacking AT&T Servers
A New Jersey federal jury convicted Andrew Auernheimer, 27, of New York, of breaching AT&T servers and stealing e-mail addresses and other personal information belonging to about 120,000 Apple iPad users.
Auernheimer, who was the head of a self-described "security research" hacking group called Goatse Security, disclosed the stolen information to an Internet magazine, U.S. Attorney Paul J. Fishman said in a press release.
AT&T automatically linked an iPad 3G user's e-mail address to an Integrated Circuit Card Identifier, a number unique to the user's iPad, when a user registered, the release notes. Every time a user accessed the AT&T site, the ICC-ID was recognized and the e-mail address was automatically populated for faster access on the site.
In 2010, when an iPad 3G communicated with the AT&T site, the ICC-ID was automatically displayed in the URL in plain text. Seeing this, hackers wrote a script called "iPad 3G Account Slurper" that harvested the ICC-ID/e-mail address pairings, the press release said.
Auernheimer was convicted on two counts, including conspiracy to access AT&T servers without authorization and disclosing that information to a reporter at Gawker magazine, and possession and transfer of a means of identification for more than 120,000 iPad users.
Auernheimer faces a sentence of up to five years in prison and a fine of $250,000 on each count.
A co-conspirator, Daniel Spitler, 27, of San Francisco, previously pleaded guilty to the same charges and is awaiting sentencing.
Nintendo System Online Platform Hacked
A Nintendo Wii U customer hacked into parts of the console's online platform hours after buying the new gaming system, according to news reports.
The customer posted on a gaming forum how he was able to access the administrative system of the Miiverse, a new feature of the Wii U, which gave him authorization to delete the accounts of others, according to reports.
The user was also able to see Nintendo employees setting up test surveys, had access to a debug menu, and could read developer messages, which hinted at future games for the system.
Nintendo confirmed to gaming site ComputerAndVideoGames that the incident wasn't a hoax.
"It has come to our attention that some people were able to access a mock up menu on Miiverse following the launch of Wii U in the US," the statement to the site read. "Please note that this was only a mock-up menu and has now been removed and is not accessible."
Patients Alerted About Potential Breach
The University of Arkansas for Medical Sciences is notifying 1,500 patients of a potential breach involving a former resident physician who the academic medical center claims kept patient lists and notes after leaving the organization in 2010.
The documents the physician kept, dating from January to June 2010, contained patient names, partial addresses, medical record numbers, dates of birth, ages, locations of care, dates of service, diagnoses, medications, surgical and other procedure names, and lab results, according to a university statement.
The organization discovered the incident on Oct. 9, when the resident physician produced the documents during her lawsuit against UAMS regarding her termination. The university became aware on Nov. 7 that additional documents the resident kept had been provided to UAMS attorneys June 25.
"The records are now protected by a court order, which prevents them from becoming a public record and will prevent anyone from further using or disclosing the documents," the statement said.
The resident also assured UAMS under oath that she did not share the documents with anyone except her attorneys with whom she has a business associate agreement that specifically protects this information, according to the statement.