Smucker's Breach Leads Roundup

Payment Details Obtained During Online Checkout Process

In this week's breach roundup, Smucker's is notifying 23,000 of its online customers that their payment information was compromised following unauthorized access to the food company's systems. Also, North Dakota University has discovered suspicious activity on one of its servers and has shut down access.

Smucker's: Payment Card Info Exposed

Smucker's is notifying 23,000 of its online customers that their payment information was compromised following unauthorized access to the food company's systems.

Exposed information includes customer name, address, e-mail address, phone, credit or debit card number, expiration date and verification code.

Smucker's says the breach involved a sophisticated scheme that obtained customer information as it was being entered during the online checkout process. "We continue to thoroughly investigate this matter with federal authorities and have taken steps to address the cause of this incident," the company says.

Affected individuals conducted online transactions from December 2012 through January 2014, Smucker's says.

The company did not respond to a request for further information.

North Dakota University Warns of Breach

North Dakota University has discovered suspicious activity on one of its servers and has shut down access.

The university says an entity operating outside the U.S. apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing e-mails, according to a statement. The suspicious activity was discovered on Feb. 7, and the server was immediately locked down.

Records of more than 290,000 current and former students and about 780 faculty and staff were on the server, the university says. Exposed information includes names and Social Security numbers.

There is no evidence that the intruder accessed any of the personal information, the university says.

Affected individuals are being offered one year of free identity protection services. In response to the incident, the university also removed all access to the affected server, revalidated each individual user, initiated more stringent intrusion detection measures and developed a taskforce to improve data security measures.

Assisted Living Co. Workers Hit by Breach

Assisted Living Concepts, which operates 200 assisted living homes in 20 states, is notifying almost 44,000 former and current employees that their personal information was compromised due to unauthorized access to its payroll services vendor's systems.

On Feb. 14, Assisted Living Concepts was notified by its payroll vendor that an unauthorized third party improperly obtained access to their user credentials and hacked into their systems, gaining access to payroll files for current and former ALC employees. The unauthorized activity occurred between Dec. 14, 2013, and Jan. 14, 2014.

Compromised information includes names, addresses, birth dates, Social Security numbers and pay information, according to a letter sent to the New Hampshire Attorney General's office.

Upon discovering the incident, ALC deactivated the user credentials that were compromised and took its payroll systems offline until the issues were resolved, the letter says. The company also notified the FBI.

Affected individuals are being offered free credit monitoring for one year.

AvMed Settlement Gets Final Approval

A federal court has granted final approval for a previously announced $3 million settlement of a class action lawsuit against AvMed, a health plan company, stemming from a 2009 data breach. The settlement, which was reached last October, is significant because it awards payments to those who were not victims of identity theft.

Preliminary settlement documents filed in the U.S. District Court for the Southern District of Florida describe payments to be offered to 460,000 individuals whose personal information was contained on two stolen unencrypted laptops - and who paid insurance premiums to AvMed (see: Settlement in AvMed Breach Suit).

Information on the stolen devices included members' names, addresses, Social Security numbers and medical information.

The plaintiffs alleged that as a result of AvMed's failure to properly secure their information, they suffered damages from having their identities stolen and by overpaying for insurance coverage, the price of which, they allege, included the costs associated with protecting their information.

The 460,000 individuals will receive $10 for every year they paid premiums prior to the theft, with a maximum payment of $30. The settlement explains that amount represents what AvMed should have spent on protecting data, so it amounts to a refund of premium overpayment. Additionally, individuals who were victims of identity theft as a result of the breach can submit claims to be reimbursed for their monetary losses.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
