Payment Card Breach Leads RoundupAutoNation Says Vendor's System Breached
In this week's breach roundup, automotive retailer AutoNation is reporting a breach at one of its vendors that exposed customer information, including payment card details. Also, home improvement company Lowe's is notifying current and former employees that their personal information was compromised when a third-party vendor backed up data to an unsecured computer server.
Auto Retailer Reports Card Breach
Automotive retailer AutoNation says hackers gained access to one of its vendor's systems, exposing customer information, including payment card details.
TradeMotion, which hosts and operates three sites on AutoNation's behalf, including all payment functions, believes that criminal hackers were able to unlawfully access certain credit card information as it was being entered into their system between March 5 and May 2, AutoNation said in a letter to the Maryland attorney general's office.
Information that was compromised includes names, addresses, e-mail addresses and credit card numbers. "[We] are continuing to investigate which specific consumers were affected and what specific information was accessed," the company says. TradeMotion has notified the Federal Bureau of Investigation about the incident.
TradeMotion has removed the malicious software used by the hackers to access the customer information and is monitoring its systems for any ongoing activity, AutoNation says. TradeMotion is also conducting penetration testing and is monitoring its systems for any additional unauthorized activity.
A spokesperson for AutoNation says as many as 1,000 customers could be impacted by the incident.
Affected individuals are being offered one year of identity theft protection services.
Lowe's Employees Affected by Breach
Home improvement company Lowe's is notifying current and former employees that their personal information was exposed when one of its vendors mistakenly backed up the data to an unsecured computer server that was accessible via the Internet.
The vendor stores compliance documentation and information related to current and former drivers of Lowe's vehicles, as well as information about certain current and former employees who access and administer the third-party vendor system, the retailer says in a letter to the Maryland attorney general's office.
Personal information that was compromised includes names, addresses, dates of birth, Social Security numbers, driver's license numbers, sales IDs and other driving record information.
"Promptly after learning of the potential issue, [the vendor] blocked access to the unsecured backup server and retained data security experts to conduct an investigation of the incident," Lowe's says. Personal information on the backup server may have been accessed between July 2013 and April 2014, an investigation revealed.
Affected individuals are being offered one year of free identity protection and credit monitoring services. The breach affected 323 employees who reside in Maryland, Lowe's says. The company did not immediately respond to a request for more information, including the total number of individuals affected.
UK Loan Company Takes Security Steps
Student Loans Company Ltd. has agreed to take security steps after a series of data breaches affecting customers' records.
The business, which provides loans and grants to students at UK universities and colleges, reported several incidents where information about its customers, including medical details and a psychological assessment, had been sent to the wrong recipients, the UK Information Commissioner's Office says.
An investigation found that not enough checks were carried out when documents were being scanned to add to customer accounts, and more sensitive documents actually received fewer checks, according to the ICO.
The company, as part of its agreement with the ICO, has committed to ensuring proper checks are carried out before correspondence is sent out, as well as educating staff about its data protection policy.
"For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies," says Stephen Eckersley, head of enforcement for the ICO. "Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after. Our investigation showed that wasn't happening."
Computer Theft Exposes Patient Info
Elliot Hospital in Manchester, N.H., is notifying 1,200 patients that their names and certain other information was compromised after four computer workstations were stolen from an employee's car.
The computers contained no electronic health records or financial information, according to local news publication the New Hampshire Union Leader. Only one Social Security number, which belonged to a hospital employee who is also a patient, was on the devices.
The computer workstations were in the car of an employee who was transporting them to the hospital's data destruction office, according to the news report.
Elliot Hospital did not immediately respond to a request for additional information.