Tuesday 29 December 2015

Hyatt Hotel Guests Hit by Payments System Hack

Hotel group Hyatt is warning visitors of a security breach in its customer payment system.
The company said it had found malware on the payment processing computers for the hotels it managed.
Hyatt's global president of operations Chuck Floyd said that the problem had been fixed, but advised past customers to check bank statements for any unusual activity.
"As soon as we discovered the activity, we launched an investigation," he said.
The Chicago-based Hyatt group has 627 properties in its portfolio, although it said only the 318 it managed directly were affected by the malware, with franchised hotels unaffected.
The company did not say whether the malware had led to any customer information being accessed, but did say it had hired independent cybersecurity experts to help investigate.
Hyatt has set up a webpage to communicate updates to its customers.
"We have taken steps to strengthen the security of our systems, and customers can feel confident using payment cards at Hyatt hotels worldwide," said Mr Floyd.
Hyatt is not the first hotel group to admit it has had to tackle such a cybersecurity breach.
The Hilton, Mandarin Oriental, Starwood and Trump Collection hotel groups have also faced security problems with customer payment information in 2015.

Friday 18 December 2015

Router Maker Finds 'Unauthorised' Code

Juniper Networks has issued a warning after discovering "unauthorised code" in its firewall software.
Analysis of the rogue code shows that it can decrypt scrambled data being sent through virtual private networks.
In a security advisory, the internet hardware maker said whoever wrote the code would be able to use it to spy on encrypted conversations.
Juniper has released patches to strip the code out of its firewall software and urged customers to apply them.

The code was found in Juniper's ScreenOS software with which many large firms using its hardware keep an eye on data traffic entering and exiting their networks.

Juniper's routers and network switches are widely used in ISPs and by many large corporates.
An internal code review revealed that ScreenOS was harbouring the unwanted passenger, said the firm. No information was given about where the code came from or how it found its way into the firewall's core software.
The range of products affected suggests that the extra software has been lurking inside different versions of ScreenOS since 2012.
Juniper added that it had no evidence that the loopholes the code opened were being actively exploited.

Monday 14 December 2015

Moonfruit Suffers DDoS Cyber Attack

Thousands of business and personal websites have been taken offline by web host Moonfruit, after it was threatened with a cyber-attack.
The Moonfruit service lets customers easily build templated websites.
But the company said it had been threatened with a cyber-attack and had decided to make its customers' websites unavailable for "up to 12 hours" to make infrastructure changes.
One business owner told the BBC it was "very bad timing".
On Thursday, 10 December, the company said it had been hit by a distributed denial of service (DDoS) attack.
Attackers bombarded the company's computers to overwhelm them with traffic, so they could not serve its legitimate users.
The company consequently told customers it had decided to take websites offline for "up to 12 hours" starting at 10:00 GMT on Monday.
Film-maker Reece de Ville said: "They have been slow to communicate via their website what is going on.
"I'm going to have hundreds of people finding my site today but not being able to access it.
"I could be losing out on a lot of money from potential clients, and they may not come back if they think the company has gone.
"It's incredibly bad timing, especially for businesses selling Christmas cards and gifts on their website."

In an email to its customers, the company apologised for giving them "short notice" that their websites would be offline.

"We have been working with law enforcement agencies regarding this matter and have spared no time or expense in ensuring we complete the work as quickly as possible," the company's director, Matt Casey, said in a statement.
The BBC has invited Moonfruit to comment.

Friday 11 December 2015

Supply Chain Disruption Caution by BCI

Nearly one in ten organizations are not aware of who their key suppliers are, leaving them open to severe disruption as they are unable to manage their supply chain effectively. That is according to a report published today by the Business Continuity Institute and supported by Zurich Insurance Group.
The Supply Chain Resilience Report highlighted that seven in ten organizations admit to not having visibility over their full supply chain. The survey also revealed that half of disruptions occur below the tier 1 supplier of goods, which makes it extremely difficult for an organization to establish where it lies within its suppliers' priorities.
This could have major consequences when it comes to managing the supply chain and ensuring that disruptions are minimised, which is particularly important given that the report also found that 74% of organizations had suffered at least one disruption during the previous twelve months and that 14% had suffered cumulative losses of at least €1 million as a result.
Other findings of the report include:
  • Unplanned IT and telecommunications outage (64%), cyber attack and data breach (54%) and adverse weather (50%) are the top three causes of supply chain disruption. New entries to the top ten are: product quality incident (8th), business ethics incident (9th) and lack of credit (10th).
  • The top five consequences of disruption are loss of productivity (58%), customer complaints (40%), increased cost of working (39%), loss of revenue (38%) and impaired service outcomes (36%).
  • One third (33%) of respondents report high top management commitment to supply chain resilience, increasing from 29% last year.
  • About 7 out of 10 respondents (68%) report having business continuity arrangements in place to deal with supply chain disruptions.
Cited and more on this at Business Continuity Institute
Supplier risk is real and requires increasingly proactive management in a challenging economic environment. ZeroDayLab's Supplier Evaluation Risk Management Solution helps you overcome common barriers to effective supplier management by providing an automated approach, evaluating current risks and helping you manage risk and suppliers more efficiently, thus delivering greater ROI and reduced risk for the business. More on our SERM solution

Wednesday 9 December 2015

Universities Lose Internet Connections Following Cyber Attack

A cyber attack is behind universities and fire services across the country losing their internet connections.

Universities across the country have lost their internet connections following a sustained cyber attack on a publicly-funded academic computer network, while fire services' networks are also believed to have been affected.
The Janet network, used by many institutions across the UK, came under a persistent Distributed Denial of Service (DDoS) attack this morning, causing multiple universities to lose their connections, according to the Mancunion.
"The Janet network is experiencing issues again this morning affecting a number of educational institutions including us. We'll keep you updated," IT services at the University of Manchester said.
Janet is responsible for the .ac.uk and .gov.uk domains, and is used by thousands of universities and colleges, including the University of Cambridge and University of Oxford. At the time of writing, the network's website was also down.
Many fire services also use the .org domain, with several believed to have also lost their internet connections.
The network confirmed on its Twitter account that a denial of service attack had been identified and that engineers and security teams were working to rectify the problem.
Cited and more on this story at The Telegraph

Friday 4 December 2015

JD Wetherspoon Suffers Data Breach

Pub chain JD Wetherspoon says card data of 100 customers has been stolen from a database after it was hacked.
"Very limited" credit and debit card information was accessed in the hack in June and it could not be used for fraud, the company said.
Other personal details, including names and email addresses, may also have been stolen from more than 650,000 people.
The Information Commissioner's Office is being notified of the breach, which only came to light in recent days.
The database had details - including names, dates of birth, email addresses and phone numbers - of 656,723 customers.
The 100 affected whose card data was stolen had bought Wetherspoon vouchers online between January 2009 and August 2014, the company said.
Only the last four digits of payment cards were obtained in the hack as the remaining digits were not stored in Wetherspoon's database, chief executive John Hutson said.
The card data was not encrypted because other details were not stored on the database, the company said.

In a letter to customers, Mr Hutson apologised and advised customers to "remain vigilant for any emails that you are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information".

The hack happened between 15 and 17 June on the pub chain's old website, which has since been replaced.
Cited and more on this story at BBC News