Scam of the day – July 20, 2017 – Ashley Madison settlement awaits court approval

In July of 2015 it was first learned that the Ashley Madison dating site had experienced a major data breach affecting 36 million of its members.  Ashley Madison, a website for people seeking to have extra-marital affairs, formerly used the slogan, “Life is short, have an affair.” Ashley Madison was hacked by a group calling itself Impact Team.  Impact Team released information on 36 million users of Ashley Madison including names, addresses, sexual interests and credit card details.

The Federal Trade Commission (FTC) and 13 state attorneys general sued Ashley Madison and later settled.  Under the terms of the settlement Ashley Madison was required to implement a comprehensive data security program and pay 1.66 million dollars to the FTC and the states involved with the charges.

Now it appears that Ashley Madison, which is owned by Ruby Corp., has agreed to a settlement of the separate class action brought by Ashley Madison customers whose personal information was leaked.  According to the terms of the 11.2 million dollar settlement, victims of the data breach will be paid up to $3,500 each.  The settlement has been agreed to, but needs court approval before it can be final.  I will report to you when that occurs.

TIPS

Perhaps the biggest takeaway from this matter, as millions of Ashley Madison customers suffered the consequences of having their involvement with the dating service made public, is that your personal information is only as safe as the place with the worst security that has your personal information.  It also is obvious that the more places that have your personal information, the more at risk you are.  Therefore you should limit the places that have your personal information as much as possible.  In addition, you should not leave your credit card on record with a company for convenience's sake, even if it is a company with which you regularly do business.  Unless you agree to have your credit card information saved, companies with which you use your credit card are not allowed to store that information.

Scam of the day – December 18, 2016 – Ashley Madison settles with FTC and state attorneys general

In July of 2015 it first became known that the Ashley Madison dating site had experienced a major data breach affecting 36 million of its members.  Ashley Madison, a website for people seeking to have extra-marital affairs, formerly used the slogan, “Life is short, have an affair.” Ashley Madison was hacked by a group calling itself Impact Team.  Impact Team released information on 36 million users of Ashley Madison including names, addresses, sexual interests and credit card details.

The Federal Trade Commission (FTC) and 13 state attorneys general have just settled charges they brought against Ashley Madison that will require the company to put into effect a comprehensive data security program and pay 1.5 million dollars to the FTC and the states involved with the charges.

TIPS

Perhaps the biggest takeaway from this matter, as millions of Ashley Madison customers suffered the consequences of having their involvement with the dating service made public, is that your personal information is only as safe as the place with the worst security that has your personal information.  It also is obvious that the more places that have your personal information, the more at risk you are.  Therefore you should limit the places that have your personal information as much as possible.  In addition, you should not leave your credit card on record with a company for convenience's sake, even if it is a company with which you regularly do business.  Unless you agree to have your credit card information saved, companies with which you use your credit card are not allowed to store that information.

Scam of the day – October 24, 2015 – Sony data breach class action settlement

In the wake of the major data breach at Sony Pictures Entertainment of November 2014, in which sensitive personal information including Social Security numbers and health data on thousands of present and former employees was compromised, nine former employees affected by the data breach sued Sony alleging that it was negligent in failing to protect their personal information.  I first reported to you about this lawsuit, Corona et al v. Sony Pictures Entertainment, in my Scam of the day for March 13, 2015.  On September 7th I reported to you of an apparent settlement of the lawsuit; however, at that time, the terms of the settlement were not disclosed.  Now the terms of the settlement, which has been submitted to Judge R. Gary Klausner for approval, have been made public.  Under the terms of the settlement, Sony will provide payments of up to $10,000 to individual employees who suffered identity theft related financial losses related to the data breach up to a total of 2.5 million dollars for all claimants.  An additional 2 million dollars will be set aside to provide up to $1,000 to reimburse affected employees for the cost of their identity theft protection services.  Sony will also provide credit monitoring services through AllClear through December 31, 2017.  Finally, the plaintiffs’ lawyers will be paid up to 3.5 million dollars for legal fees.  A preliminary hearing on the settlement is scheduled before Judge Klausner on November 16th and it is expected that the entire matter could be wrapped up before the end of the year.

The hacking of Sony should be a wake-up call to all companies.  Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions.  Sony’s failings are many.  Data banks were not properly segregated.  The company was particularly susceptible to phishing attacks.  It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords providing ready access to the hackers to sensitive information.  These are just a few of Sony’s failings; however, many of these failings are shared by many companies that hold the personal information of all of us.

TIPS

There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches other than to inquire of these companies as to what steps they take to protect the personal information that they hold and to refrain from doing business with companies that do not provide a satisfactory answer.  Additionally, we should try to limit as much as possible the personal information that we provide to such companies.  For instance, your medical care providers do not need your Social Security number although most medical care providers routinely ask for it.  The Sony lawsuit was the first of a trend of lawsuits against companies such as Sony and Ashley Madison that have suffered data breaches that many believe could have been prevented with better security.  Perhaps being held financially responsible for their lax security will serve as an incentive for companies to do a better job of protecting our information.

Scam of the day – September 21, 2015 – Dangerous new development in Ashley Madison hacking

By now everyone is aware of the major data breach at Ashley Madison, the dating site for married people seeking to have an affair.  In August the hackers followed through with their threat and released 9.7 gigabytes of the stolen data including email addresses, credit card transaction details, partial credit card numbers, addresses and even dating profiles.  Now a new and potentially dangerous development has been uncovered by the hacking group known as CynoSure Prime, which discovered vulnerabilities in the password security algorithms used by Ashley Madison that put the passwords of 11.7 million users of Ashley Madison in danger of being hacked.  Ashley Madison switched over to a secure encryption program for protecting passwords in 2012; however, anyone who used Ashley Madison prior to June 14, 2012 continued to have their passwords protected by the weaker and more hackable security program used at that time.  Particularly because many people use the same password for all of their accounts including online banking, those early users of Ashley Madison are in extreme danger of identity theft by hackers who can readily discover their passwords and use them to gain access to the online accounts of the early Ashley Madison users.

TIPS

The lesson here for early users of Ashley Madison is to change the passwords for all of their accounts as soon as possible.  The lesson to the rest of us is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – September 7, 2015 – Sony settles lawsuit with former employees over data breach

In the wake of the major data breach at Sony Pictures Entertainment last year, in which sensitive personal information including Social Security numbers and health data on thousands of present and former employees was compromised, nine former employees affected by the data breach sued Sony alleging that it was negligent in failing to protect their personal information.  I first reported to you about this lawsuit, Corona et al v. Sony Pictures Entertainment, in my Scam of the day for March 13, 2015.  Now a settlement agreement has been reached between the plaintiffs and Sony that has been submitted to the federal court for approval.  Terms of the settlement have not been disclosed.

The hacking of Sony should be a wake-up call to all companies.  Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions.  Sony’s failings are many.  Data banks were not properly segregated.  The company was particularly susceptible to phishing attacks.  It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords providing ready access to the hackers to sensitive information.  These are just a few of Sony’s failings.

TIPS

There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches other than to inquire of these companies as to what steps they take to protect the personal information that they hold and to refrain from doing business with companies that do not provide a satisfactory answer.  Additionally, we should try to limit as much as possible the personal information that we provide to such companies.  For instance, your medical care providers do not need your Social Security number although most medical care providers routinely ask for it.  The Sony lawsuit was the first of a recent number of lawsuits against companies such as Sony and Ashley Madison that have suffered data breaches that many believe could have been prevented with better security.

Scam of the day – July 22, 2015 – Ashley Madison website hacked

Ashley Madison, the website for people seeking to have extra-marital affairs that uses the slogan, “Life is Short.  Have an affair,” has been hacked by a group calling itself Impact Team.  Impact Team has already released a small amount of the information stolen and has threatened to publicly release all of the data it has stolen from Ashley Madison, which claims to have 37 million members.  According to Impact Team, the information it has includes names, addresses, sexual interests and credit card details of Ashley Madison’s members as well as employee documents and emails.  In an interesting twist, Impact Team is not demanding ransom from Ashley Madison in return for not releasing the rest of the stolen information, but rather is demanding that Avid Life Media, the company that owns Ashley Madison, permanently take Ashley Madison and another similar website it owns named Established Men offline.  Impact Team also took issue with a $19 charge that Ashley Madison charged its customers who wished to have their information deleted.  According to Impact Team, even after customers paid the charge, their information was not fully deleted.  In response, Ashley Madison says that they do delete the information and that they will now waive the fee.  Here is a link to Ashley Madison’s press release about the data breach and their new policy about deleting information.  http://media.ashleymadison.com/statement-from-avid-life-media-inc-july-20-1225pm/

TIPS

Perhaps the biggest takeaway from this matter, as millions of Ashley Madison customers wait in fear that their affairs will be exposed, is that your personal information is only as safe as the place with the worst security that has your personal information.  It also is obvious that the more places that have your personal information, the more at risk you are.  Therefore you should limit the places that have your personal information as much as possible.  In addition, you should not leave your credit card on record with a company for convenience's sake, even if it is one with which you do much business.  Unless you agree to have your credit card information saved, companies with which you use your credit card are not allowed to store that information.  People may also consider using aliases rather than their real names when doing business online.