In separate incidents, networks at the University of Central Florida (UCF) and the retailer Neiman Marcus were both recently breached.
UCF yesterday announced that an intrusion into its network, discovered in January 2016, had compromised the personally identifiable information (PII), including Social Security numbers, of approximately 63,000 current and former students, staff and faculty members.
Those affected include current student-athletes, as well as some former student-athletes who played for UCF in 2014-15, and some student staff members, such as team managers. Some undergraduate student employees are also affected, including those in work-study positions, graduate assistants, housing resident assistants, adjunct faculty instructors, and student government leaders.
All those affected are being offered one year of free access to credit monitoring and identity protection services.
“We have already begun taking several actions to help prevent this type of incident from occurring in the future,” UCF said in a statement. “These actions include enhancing user account and password security and expanding campuswide information security education and training. We also are conducting a thorough review of our online systems and protocols.”
“We will be scheduling forums where you can learn more about this incident, UCF’s response and how you can best protect your personal information in the cyber world,” the university added.
The FBI’s Jacksonville office told the Orlando Sentinel that it has sent out notifications to all U.S. colleges “in an effort to identify other potential victims.”
Separately, the Neiman Marcus Group (NMG) recently began notifying approximately 5,200 customers that their user names, passwords, basic contact information, purchase history and the last four digits of their credit card numbers may have been accessed by hackers (h/t SC Magazine).
Those affected include online customers of the company’s Neiman Marcus, Bergdorf Goodman, Last Call, CUSP and Horchow websites.
On or around December 26, 2015, the attackers began trying to access NMG customer accounts by trying various login and password combinations using automated attacks.
“We suspect this activity was due to large breaches at other companies (not the Neiman Marcus Group), where user login names and passwords were stolen and then used for unauthorized access to other accounts, such as NMG online accounts, where a user may use the same login name and/or password,” NMG senior vice president Lindy Rawlinson explained in the notification letter [PDF] sent to those affected.
In a small number of cases, Rawlinson wrote, the attackers were able to leverage the breached accounts to make purchases. All those who were impacted have been credited for the full amounts of the unauthorized purchases.
“We strongly recommend that you change your password on all NMG websites, and every other site where you use that same user name and password combination,” Rawlinson wrote. “If you have multiple Neiman Marcus Group accounts, we recommend you change your password on all accounts. The next time you log on to your account, you will be required to reset your password.”
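The pattern NMG describes, one source cycling through many different username and password pairs harvested elsewhere, leaves a distinctive trace in login logs: a single client address touching many distinct accounts in a short window with a high failure rate. The following is an added example, not code from the article, UCF or the Neiman Marcus Group, showing how a defender can pick that pattern out of a web login log and list which accounts the source actually got into (the ones that need a forced password reset and a customer notification, as NMG did). The log format, the thresholds and the IP addresses are assumptions constructed for the demo.

```python
"""Detect credential-stuffing patterns in web login logs.

Added illustrative example; not code from UCF, NMG or the article.
Assumed log line format: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
Thresholds are assumptions and would be tuned per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real NMG or UCF data). The first source
# walks through seven different accounts in six seconds and succeeds once;
# the second is an ordinary user mistyping their own password once.
SAMPLE_LOG = """\
2015-12-26T02:00:01 203.0.113.7 alice@example.com FAIL
2015-12-26T02:00:02 203.0.113.7 bob@example.com FAIL
2015-12-26T02:00:02 203.0.113.7 carol@example.com FAIL
2015-12-26T02:00:03 203.0.113.7 dave@example.com OK
2015-12-26T02:00:04 203.0.113.7 erin@example.com FAIL
2015-12-26T02:00:05 203.0.113.7 frank@example.com FAIL
2015-12-26T02:00:06 203.0.113.7 grace@example.com FAIL
2015-12-26T02:05:00 198.51.100.20 alice@example.com FAIL
2015-12-26T02:05:09 198.51.100.20 alice@example.com OK
2015-12-26T03:30:00 192.0.2.55 heidi@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct accounts within `window`
    with a mostly-failing outcome. Returns {ip: summary} for flagged IPs,
    including the accounts that were successfully logged into from that IP
    during a flagged window (candidates for forced reset and notification).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so every event in evs[start:end+1]
            # falls within `window` of the newest event.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = [e[2] for e in win if e[3]]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(win) <= max_success_ratio):
                f = findings.setdefault(
                    ip, {"attempts": 0, "distinct_users": 0, "successful_logins": set()})
                f["attempts"] = max(f["attempts"], len(win))
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["successful_logins"].update(successes)

    for f in findings.values():
        f["successful_logins"] = sorted(f["successful_logins"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts across {f['distinct_users']} accounts; "
              f"accounts to reset: {f['successful_logins']}")
```

The ratio check is what separates stuffing from a legitimate shared gateway (a campus NAT, say), where many users log in from one address but mostly succeed. In practice a detector like this sits alongside rate limiting per source and per account, and the output feeds the response NMG describes: invalidate the sessions and force a reset on the accounts that were reached.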
VASCO Data Security vice president John Gunn told eSecurity Planet by email that breaches like the one at Neiman Marcus show that too many retailers are still stuck in the “dark ages” of account protection. “Even the most simple methods of fraud detection and two-factor authentication would have prevented this attack,” he said. “New authentication methods work in the background of the transaction and place no burden on the customer — no password vaults, nothing to purchase.”
“With the broad adoption of EMV cards in the U.S., you will see many more attacks of this type as hackers are forced to shift from retail to card-not-present attacks,” Gunn added. “It is really up to the merchant to protect the customer, and there are many anti-fraud and authentication tools available today, it shouldn’t be every man (or consumer) for himself.”
In any case, George Rice, senior director of payments for HPE Security – Data Security, said simply protecting the sensitive data involved could have avoided data loss. “There’s simply no excuse today not to follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion,” he said. “The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.”