Missouri Credit Union customer information leaked on website

COLUMBIA, Mo--Missouri Credit Union is informing all of its customers about a security breach after personal information was made public on its website.

On Aug 5, MCU discovered a file containing customer information was posted on its website. That file contained a list of customer names, addresses, Social Security numbers, account numbers, and MCU teller/call-in passwords.

The credit union says there were ten visits to the file's location in the "short time" it was accessible. MCU does not know if anyone actually looked at the information.

"On behalf of myself and everyone at MCU, I apologize to all members affected by this incident," said president Hal James in a statement to ABC 17 News. "Please be assured that we are working to enhance our security measures to prevent something like this from happening in the future."

MCU began notifying all of its on Aug 16 about the security issue. The company is arranging for AllClearID to protect the identity of each of its members for one year.

Any customer can contact MCU for additional information by calling 877-437-4006.

http://www.abc17news.com/news/missouri-credit-union-customer-information-leaked-on-website/-/18421100/21546504/-/pqlh8s/-/index.html

Lost flash drive compromises data for thousands of students

More than 20,000 students across 36 schools in the Boston Public School (BPS) system had their data compromised when the district's ID card vendor Plastic Card Systems lost a flash drive containing the information.

How many victims? 21,054 students.

What type of personal information? Names, schools, ages, grades, ID numbers, library card numbers and CharlieCard numbers (used on smartcards to pay for Massachusetts Bay Transportation Authority travel). ID photos for roughly 14,000 students also were included on the flash drive.

What happened?  Plastic Card Systems picked up the flash drive from a BPS location. The vendor reported later that day that the memory stick was missing.

What was the response? Plastic Card Systems reported the drive as missing on a Friday and the drive did not turn up after being searched for throughout the weekend. BPS is changing the design of their student ID cards. In addition it is invalidating affecting CharlieCard and library card numbers. Families of affected students received phone calls and were sent letters.

Details: Plastic Card Systems picked up the drive from a BPS location on Aug. 9 and lost it later that day. BPS high schools were affected, as well as some middle schools spanning grades 6 to 12. Elementary schools, K-8 schools and standalone middle schools were not affected. Students are expected to receive new ID badges on schedule at the beginning of the school year.

Quote: “It is important to emphasize the information on the drive is limited to what appears on ID badges – and this cannot be used to access student records,” said John McDonough, BPS interim superintendent.

“Plastic Card Systems deeply regrets the unfortunate accidental loss of the Boston Public Schools student data files, and we understand how families will be upset, as we are upset, by the situation,” said Plastic Card Systems President Don Axline. “We will make all efforts to help Boston Public Schools in addressing this situation and will assist in any way possible to quickly rectify the situation.”

http://www.scmagazine.com/lost-flash-drive-compromises-data-for-thousands-of-students/article/307298/#

High-tech toilet gets hacker warning; nothing is safe

A vulnerability in a toilet-control app leads to an unusual warning about potential bathroom hacking hijinks.

By: Amanda Kooser

Privacy has been big news lately after revelations of NSA activities hit hard. But apparently it's not just your phone calls and Internet activity you need to be concerned about. There could be hackers gunning for your toilet, too.

Security company Trustwave issued a warning about potential bathroom breaches of luxury Satis smart toilets from Lixil. The toilets can be controlled using an Android app, but the Bluetooth PIN is hard-coded to "0000." Just knowing that code number means the awesome power of the Satis could fall into evil hands. All a hacker would have to do is download the My Satis app, get in range, pair it to the toilet using the code, and flush away.

The Android app lets toilet aficionados trigger activities such as flushing and playing music. If a malicious hacker got in Bluetooth range and took control of your toilet, all sorts of havoc could ensue. You might have to listen to the combined sounds of Justin Bieber and constant flushing while you're trying to do your business.

"Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user," Trustwave cautions. Trustwave made several attempts to contact Lixil for a response, but the company has not yet commented on the issue.

The bigger mystery here may be why someone would want a remote control to flush a toilet, but it could be handy for absent-minded toilet users or germaphobes who want to minimize contact with the porcelain throne. With a starting price of around $2,400, you will pay for the privilege.

The security issue is real, though it's hard not to snicker about it. Perhaps an app update will take care of this matter of national security. If you've already been impacted by this issue, then you can finally rest easy knowing your toilet isn't haunted. It's just been hacked.

http://news.cnet.com/8301-1009_3-57596704-83/high-tech-toilet-gets-hacker-warning-nothing-is-safe/