Data Breach Bulletin: Home Depot, Healthcare.gov, JP Morgan

This article is more than 9 years old.

Here’s a roundup of this week’s data breach news:

Home Depot – A week after Brian Krebs broke the news that Home Depot had likely been hit with a credit card breach, Home Depot confirmed on Monday that its card systems in stores in the United States and Canada have indeed been compromised. Home Depot says it is investigating all transactions that have occurred since April. Given how long the breach lasted, some say it could end up being larger than the Target breach, costing Home Depot hundreds of millions of dollars. The same malware used in the Target breach was likely also used to compromise Home Depot, according to Krebs.

Healthcare.Gov – The drama over the Healthcare.Gov website continues. On Thursday, the Wall Street Journal broke the news that the government healthcare website had been hacked. Federal employees first noticed the breach on August 25, and no personal information was accessed in the breach because it only affected test servers, Medicare spokesperson Aaron Albright told the New York Times. More concerning are the security vulnerabilities that led to the breach: the manufacturer’s default password on the server had never been changed, the server was not subject to security scans, and the test servers were mistakenly connected to the internet. The attack did not appear to be targeting healthcare.gov specifically; instead, malware was downloaded onto the server as part of a larger DDoS attack. There are always going to be cyber threats that a company cannot anticipate, but at this point, changing passwords and using basic security scans should be common sense, especially for a government website containing healthcare information.

JP Morgan Corporate Challenge – It’s been a rough few weeks for JP Morgan Chase. First, there was the phishing campaign that targeted JP Morgan customers. Then came the news that the feds were investigating a breach at the bank. Now, at least 500 employees who registered on the J.P. Morgan Corporate Challenge website have been notified that the bank has noticed “suspicious server activity involving some login information.” Luckily, no financial information was involved in this breach. Those affected are encouraged to change their passwords, especially if they use the same password on multiple sites.

Bartell Hotels – As many as 55,000 guests who stayed at the San Diego hotel chain may have had their credit card data and names compromised. Bartell Hotels’ investigation revealed that an attacker compromised the payment card processing system at five of Bartell’s seven hotel locations between February 16 and May 13, 2014. While the investigation is ongoing, the hotel is urging its customers to check their credit reports and monitor for fraud.

Memorial Hermann Health Systems – For more than six years, an employee at Memorial Hermann Health Systems in Texas improperly accessed health records belonging to 10,604 patients. In a press release on its website, the hospital said it discovered on July 7, 2014 that an employee was accessing electronic medical records, and that this had been going on since December 2007. The information breached included health insurance information and some Social Security numbers. After an investigation, the employee’s access to medical records was suspended. Memorial Hermann says it has privacy training in place for all employees, but the hospital’s privacy policies are now under review.

California State University East Bay – Approximately 6,000 faculty and students at CSU East Bay were notified that their personal information may have been accessed in a website breach. On August 11, 2014, the university discovered that faculty and student information had been accessed nearly a year earlier. An investigation revealed that an “unknown third-party broke into a University web server using an overseas IP address and a software tool designed to secretly access information on the server.” Names, addresses, Social Security numbers, and dates of birth were accessed from the server, which contained employment records and course information.
