FBI investigating outage at Maryland hospital chain

The FBI is looking into how a computer virus infected systems at MedStar Health, a large Maryland chain with 10 hospitals and dozens of clinics.

“Early this morning, MedStar Health’s IT system was affected by a virus that prevents certain users from logging into our system,” the hospital chain announced on its Facebook page Monday.

“MedStar acted quickly… to take down all system interfaces to prevent the virus from spreading throughout the organization,” it explained.

The yet-unidentified computer virus is forcing the hospital chain to rely on paper documents and some backup computer systems, the company said.

David Fitz, a spokesman for the FBI’s office in Baltimore, told CNNMoney that “the FBI is aware of the incident and is looking into the nature and scope of the matter.”

Fitz said the FBI was made aware of the issue on Monday afternoon.

MedStar did not immediately return calls to CNNMoney.

MedStar has several locations in and around Baltimore. The hospital chain reported treating 4.5 million patients during its 2015 fiscal year.

There’s heightened attention to cyberattacks now. In recent months, several American hospitals have been tossed into chaos after having their computers infected by hackers.

The weapon of choice has been ransomware, a particularly nasty type of computer virus that encrypts digital files. Hackers don’t give you a key to unlock documents until they are paid a ransom.

In mid-March, hackers attacked Methodist Hospital, an average-sized medical facility located in western Kentucky. They forced it to operate “in an internal state of emergency” for five days. Methodist Hospital refused to pay the ransom, instead shutting down the infected part of the computer system and relying on backup copies of the information stored elsewhere.

In February, the Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoins to get its computer systems back up and running.

Several other American hospitals have also been hit by ransomware in recent weeks.

Why was your credit card number stolen? Retailers are lazy.

Companies are losing your data to hackers because they get lazy about protecting it.

If a shop wants to accept credit cards, it needs to abide by strict payment card industry (PCI) rules and pass a test. But a new Verizon cybersecurity report shows that companies act like high school students cramming for an exam.

Companies will bulk up IT security just in time for their PCI inspection. But only 29% keep it up afterward, according to Verizon’s 2015 PCI compliance report.

So, while businesses claim you’re safe because they’ve met credit card industry standards, your data isn’t as protected as it seems.

“Officially they remain compliant, but only two or three weeks a year,” said Rodolphe Simonetti, a consultant with Verizon. “As soon as something else is in the list of priorities, security is dropped.”

The holiday shopping season is the worst, he explained. Companies are supposed to watch for break-ins into their payment network, restrict employee access to sensitive data and make sure new machines are properly secured. All of these priorities take a backseat as retailers shift their entire focus to flashy new website features and the barrage of purchases, Simonetti said.

The 2013 Target hack, which hit 110 million customers, is one example. The company reportedly ignored cybersecurity alarms it had in place just in case of a hack.

Companies routinely fail to patch systems for bugs, swap out old passwords and maintain an updated firewall that scans company Internet traffic.

Last year, a major hospital network’s failure to update its computer software allowed hackers to steal 4.5 million patient records.

And the worst problem is a simple one. Companies aren’t regularly testing their computer networks for holes. According to the Verizon report, only 33% of companies did this properly in 2014, even worse than the previous year.

Why is this happening? It’s all about the tension between conducting smooth business and playing it safe. It’s easier for a company to sell products and please customers if the system is relaxed. But that opens up holes for criminal hackers to get in.

Adding a new feature on the company website might create a pathway into the corporate network. Letting mid-level employees access customer data means that, if any of them open up malware-laced email, all that data is as good as stolen.

This problem applies to retailers, hospitals and any other company that lets you pay by credit card — anywhere. The Verizon report reviewed companies worldwide.

Verizon also found some pretty lame excuses for the lax security.

One hotel chain thought it was safe because it kept consumer data at a third-party data center, Simonetti said. It didn’t think it mattered that a hired computer server maintenance company had access to those machines. And some call centers don’t see the harm in letting phone operators retrieve consumer credit card data at a caller’s request.

“They should be able to input data. But a hotliner should not be able to retrieve data from customers. You never need to give back credit card numbers to your customers,” Simonetti said.

This kind of lazy behavior could backfire. Verizon found that insurance companies that offer cybersecurity policies are rejecting retailers’ claims “because they have failed to take adequate security measures,” the report said.


™ & © 2015 Cable News Network, Inc., a Time Warner Company. All rights reserved.

4 things Chase customers should do right now

If you’re a Chase bank customer, you’re right to feel powerless right now.

Hackers broke into JPMorgan’s computer systems and stole more than 80 million customers’ personal information, including their names, emails, physical addresses and phone numbers.

Anyone who used online banking or the Chase smartphone app was affected.

It’s time to play defense.

  1. Watch out for scammers. Hackers now have enough information to contact you, and they know you’re a JPMorgan Chase customer.

Don’t trust any phone calls, emails or letters claiming to be from the bank. Instead, directly call the number on your bank card or a previous statement.

Scam artists will seek even more information from you — like your birthday, Social Security number or bank account number — so they can tap into your account and steal your money.

And beware: Scammers will likely scan your Facebook, Twitter or LinkedIn page first. Expect them to sound like a bank that knows about your personal habits.

  2. Don’t change your login or get new cards — yet. According to the bank, hackers didn’t manage to steal usernames, passwords, account numbers or Social Security numbers.

As such, don’t rush to change these things. It’s an unnecessary inconvenience.

More importantly, though, you might have to change all these things later. The New York Times reported that hackers got root access to the bank’s computer system. That’s as deep as it gets.

So, hackers might still be lurking in the bank’s computers — even if the bank claims it closed the hole and has “no evidence” hackers are still inside its network.

  3. Check your bank statement regularly. If hackers are still in the bank’s computers, they could grab even more information.

Operate under the assumption you’re at risk of fraud all the time. Carefully review your bank and credit card statements for any unexpected charges — especially tiny ones.

Fraudsters typically test a stolen debit or credit card by charging a few cents on the card. They do it to avoid catching your attention.

  4. Stay put. Don’t switch to a different bank. This is the hardest advice to take, because it’s rooted in a sense of despair.

The sad reality is, all banks are under attack.

And if you’re thinking about switching to a geographically close community bank, consider it a tradeoff.

The largest banks — Chase, Bank of America, Citigroup, Wells Fargo, etc. — will get hacked more often, because they are bigger targets.

But smaller banks get attacked too. And they don’t have the means to protect you as well, because they have less money to hire top-notch security teams.

You’re exposed everywhere anyway. That’s the argument of Kate Carruthers, who spent more than a decade doing IT for major Australian, New Zealand and U.S. banks.

“If people knew how these systems are handled and how clunky they are, they wouldn’t use banks,” she said. “But the reality is, they have to. They don’t have a choice.”



™ & © 2014 Cable News Network, Inc., a Time Warner Company. All rights reserved.

Here’s Google’s plan to rid the world of cyberattacks

A new team at Google is aiming to be the cybersecurity superheroes of the Internet.

They’re looking to exterminate those nasty computer bugs that let hackers and government spies sneak into our computers — not just for Google, but for everyone.

The special team is called Google Project Zero. And whether you use products by Adobe, Apple, Microsoft or software most people don’t know by name, the team is working on it.

“You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Chris Evans, a Google researcher who’s leading the new effort, wrote in a blog post.

Project Zero is made up of some of the world’s smartest, well-intentioned hackers. They spend their days poking at holes in computer code we all rely on — and making sure those holes get patched.

The Project Zero name comes from the very types of bugs they’re trying to eliminate: “zero day” vulnerabilities, which are never-before-seen software flaws that hackers love to exploit.

When Google researchers discover flaws in another company’s software, they’ll quietly alert that firm. If nothing gets done soon, they’ll go public with it on their blog. And if the bug is particularly critical, they’ll put extra pressure on the company and try to develop an alternative themselves, Google told Wired, which first reported the story.

The team already spotted holes in Apple’s iOS device software and Microsoft’s malware protection program, and it got public nods from both.

There’s clearly a need for this kind of help. Devastating bugs that undermine our privacy and financial safety have been found in little-supported, community-maintained software we all use. That was the problem that led to the Heartbleed bug in April and the similar Handshake bug in June.

Why the stroke of benevolence? Google says it’s part of the company’s all-around altruistic mission to make the world a better place. And ex-Google folks tell CNNMoney they back that up 100%.

But it’s also good business.

“Google realized early on that what’s good for the Internet is good for Google,” said Shuman Ghosemajumder, an executive at cyberdefense firm Shape Security.

By creating Project Zero, Google is helping shoulder a burden presently carried by nonprofits. Groups like the Electronic Frontier Foundation spot digital weaknesses that threaten online safety and develop privacy tools. But now those volunteers have help from a superpower — with super money.

“The level of investment and resources, access to Google infrastructure and knowledge takes it to a completely different level,” Ghosemajumder said.

Also, putting together a ragtag team of coding geniuses is a relatively small cost for Google compared to what it’s getting.

“This gives Google the reputation of taking security seriously,” said Jay Kaplan, an ex-NSA analyst who now leads the cybersecurity firm Synack.

™ & © 2014 Cable News Network, Inc., a Time Warner Company. All rights reserved.

2 million Facebook, Gmail and Twitter passwords stolen in massive hack

Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week.

The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing login credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.

On Nov. 24, Trustwave researchers tracked that server, located in the Netherlands. They discovered compromised credentials for 93,000 websites, including:

  - 318,000 Facebook accounts
  - 70,000 Gmail, Google+ and YouTube accounts
  - 60,000 Yahoo accounts
  - 22,000 Twitter accounts
  - 9,000 Odnoklassniki accounts (a Russian social network)
  - 8,000 ADP accounts
  - 8,000 LinkedIn accounts

Trustwave notified these companies of the breach. They posted their findings publicly on Tuesday.

“We don’t have evidence they logged into these accounts, but they probably did,” said John Miller, a security research manager at Trustwave.

Facebook and Twitter told CNNMoney they have since reset passwords for all of their compromised users. Google, Yahoo, ADP and LinkedIn did not provide immediate responses for comment.

Miller said the team doesn’t yet know how the virus got onto so many computers. Since the hackers set up the keylogging software to route information through a proxy server, it’s impossible to track down which computers are infected.

Among the compromised data are 41,000 credentials used to connect to File Transfer Protocol (FTP, the standard network used when working from home) and 6,000 remote log-ins.

The hacking campaign started secretly collecting passwords on Oct. 21. The campaign could still be ongoing: Although Trustwave discovered the Netherlands proxy server, Miller said there are several other similar servers they haven’t yet tracked down.

Want to know whether your computer is infected? Just searching programs and files won’t be enough, because the virus running in the background is hidden, Miller said. Your best bet is to update your antivirus software and download the latest patches for Internet browsers, Adobe and Java.

Of all the compromised services, Miller said he is most concerned with ADP. Those log-ins are typically used by payroll personnel who manage workers’ paychecks. Any information they can see can be viewed by hackers.

“They might be able to cut checks, modify people’s payments,” Miller speculated.

Delay in Obamacare – what you need to know

The Obamacare employer mandate has been delayed by a year to 2015, meaning that many businesses can push back providing worker health insurance a bit longer.

When the Affordable Care Act was passed in 2010, it required that companies with 50-plus full-timers start providing them coverage in 2014 — or face penalties.

That changed on Tuesday. In a blog post, the U.S. Treasury Department explained that the government needs time to simplify reporting requirements, and businesses need breathing room to adapt to the changes.

“This provides vital breathing room. I think businesses are relieved there’s more time to get this right,” said James A. Klein, president of the American Benefits Council, an employer benefits advocacy group.

Here’s what businesses and workers need to know.

Who’s affected?

A relatively small share of the country’s businesses fall under Obamacare’s employer rules, and most of those that do already provide insurance. That might sound surprising, because the biggest Obamacare myth spouted by opponents is that it will crush small business.

The vast majority of the nation’s businesses, 97% of them, are too small to be affected.

What’s more, most larger employers already provide insurance anyway. Of the nation’s 6.5 million workplaces, only about 70,000 — a little more than 1% — must actually start providing insurance.

Then why does this matter?

The mandate affects most of the nation’s workers. According to the latest Census data, close to 80 million people work at firms that must provide insurance. Though most of them are offered insurance, that still leaves millions who will have to wait another year.

Has the mandate already affected businesses?

It has impacted those businesses that intend to dodge Obamacare by cutting worker hours. The employer mandate kicks in at 50 full-timers, and the law counts anyone who works at least 30 hours a week as full-time.

That’s given rise to the “29ers” phenomenon, in which business owners reduce workers’ hours from full-time to 29 hours per week. This has been especially prevalent in the franchising and restaurant industries, where shift hours are frequently swapped.

There’s no telling whether the mandate has already impacted hiring, though. Mark Zandi, chief economist at Moody’s Analytics, said hiring data has yet to show significant changes as a result of Obamacare.

What about the rest of Obamacare?

The Treasury said the latest change doesn’t affect the individual mandate, which requires most taxpayers to buy insurance or pay a government fine.

In similar fashion, Treasury said the timeline hasn’t changed for the implementation of individual and small business exchanges — separate marketplaces where people and business owners can shop for insurance at the state level.

But there are doubts.

“This is just the beginning. The employer mandate is a cornerstone of the entire Obamacare exchange system,” said Timothy Finnell, president of the Group Benefits health consulting in Memphis, Tenn.

As originally planned, only those who don’t receive affordable coverage at work can receive federal subsidies while shopping for insurance on the individual exchanges. But now that employers don’t have to abide by Obamacare reporting requirements, Finnell fears the government will have no way to verify whether someone is incorrectly getting subsidies.

“There are going to be people who get a subsidy and end up costing taxpayers a whole lot more than anticipated,” he said.


™ & © 2013 Cable News Network, Inc., a Time Warner Company. All rights reserved.