[HN Gopher] Delta Dental says data breach exposed info of 7M people
Delta Dental says data breach exposed info of 7M people
Author : mikece
Score : 224 points
Date : 2023-12-15 14:59 UTC (8 hours ago)
(HTM) web link (www.bleepingcomputer.com)
| mikece wrote:
| At this point I'm willing to bet that every single American --
| including the Amish -- has been part of at least one major data
| breach. And for everyone on HN... probably at least ten.
| fatnoah wrote:
| I've been part of four or five breaches. My favorite part is
| the complete lack of value in the mitigations for me. I was
| part of the OPM data breach, and the data included was
| literally everything, since it was everything collected as part
| of my application for a security clearance. A result of that
| was 10 years of credit monitoring, so every new breach's offer
| of 12 or 24 months of monitoring is useless.
|
| Until there are statutory damages for data breaches, and even
| steeper ones for failure to report breaches, companies aren't
| going to properly safeguard data.
| bonton89 wrote:
| My understanding is about everyone in America (and bizarrely a
| lot of people in Europe) got f'ed by the Equifax breach
| already.
| flutas wrote:
| TBH, I know of at least one other breach that everyone got
| hit by too...afaik it was never made public though.
|
| It's been a while since I was told the story, so bear with
| me. It was Experian. They shipped tape backups of essentially
| their entire consumer credit DB, unencrypted, via UPS.
|
| UPS truck got robbed at gunpoint, only one package stolen...
|
| EDIT: Transunion -> Experian
| michaelcampbell wrote:
| Back when people got physical checks for payroll, I worked
| at a company that did this, and gave physical stubs to
| those of us who did direct deposit, which was still kind of
| new.
|
| Biweekly, the person handing them out would take them home
| to sort by floor/area/whatever to ease their work the next
| day.
|
| You guessed it, one day their car was stolen, with ALL of
| our checks/stubs in it. And our SSNs were printed on
| them too.
|
| We were given a year of credit monitoring at the credit
| unions, paid for by the company. And they stopped printing
| the SSNs on them.
| shnock wrote:
| Could you please share some online references or sources
| for this?
|
| "It was never made public" - do you mean to imply that this
| is otherwise unverifiable?
| ffpip wrote:
| Might be this -
| https://www.nytimes.com/2005/06/07/business/personal-
| data-fo...
|
| First result for "experian ups truck stolen"
| eli wrote:
| Wow that MoveIT hack sure was bad. How did they manage to keep
| from becoming a punching bag like SolarWinds?
|
| Also the title should probably clarify this is Delta Dental of
| California.
| __derek__ wrote:
| The title is borderline click-bait: I have had Delta Dental
| insurance at every employer, so I clicked through to read more,
| but I've never lived in California or been employed by a
| California company.
| gowld wrote:
| Did the title say your info was leaked?
| eli wrote:
| "Delta Dental" is actually 39 different affiliated
| companies sharing a brand. Of those 38 seem to be
| unaffected.
| __derek__ wrote:
| My info was not leaked because I've never done business
| with Delta Dental of California. The title omits the
| essential "of California" context.
| hn_throwaway_99 wrote:
| > who had their names, financial account numbers, and
| credit/debit card numbers, including security codes, exposed.
|
| Delta Dental should be rightly and truly f'd for that one.
| Storing security codes at all is totally forbidden by PCI rules.
| Delta Dental should have their ability to process credit cards
| completely revoked for this egregious breach.
| vaxman wrote:
| Yep, that vendor is a major HMO for Defense workers with Top
| Secret clearances.
|
| Does SiteLink have issues too? I think they do.
| robertlagrant wrote:
| Why they are doing their own payments processing is beyond me.
| Is it just too expensive to use someone like Stripe?
| packetlost wrote:
| Stripe? Oh yeah. At their scale, they'd likely be talking to
| Fidelity or some other big player directly.
| mrweasel wrote:
| I was going to ask something similar. US companies especially
| seem rather fond of storing credit card information, but I
| never see it done in Denmark, regardless of the size of the
| company. The most common solution is to let your payment
| processor deal with those sorts of things, you just have a
| token, which can only be used to deposit money into your
| account. So even if it's stolen or leaked, you can transfer
| the money back, they can't be transferred to a third party.
|
| Why on earth you'd want to deal with credit card information
| and the attacks it attracts is beyond me. It's not like
| you're locked to your provider, the tokens can be
| transferred... Not easily, but it can be done.
|
| And no, companies would never pay Stripe's asking price. You
| can negotiate much much lower rates with companies like
| Valitor/Rapyd or certain banks.
| Kalium wrote:
| For a long time, payment processors in the US would charge
| more to offer tokenization services. Cost-conscious
| companies with an eye on their unit economics reacted in
| predictable ways.
| mrweasel wrote:
| > Cost-conscious companies with an eye on their unit
| economics reacted in predictable ways.
|
| That seems like the likely explanation. I don't know what
| the additional cost would be, but with 7 million
| customers, it could be a million dollars a year in
| savings. That would require you to be able to be PCI
| compliant for less than that amount, and the risk is still
| considerable: you could lose your VISA or MasterCard
| contract pretty quickly and then you're out of business.
|
| We had a situation where scammers would use our site to
| check stolen credit cards, we got at most 7 days to
| handle the problem or VISA would close our account. I'd
| imagine that failing out of compliance would hit equally
| hard.
| wayfinder wrote:
| I used to work at a medium-sized non-tech company (<200
| employees) that had a fair amount of IT staff. Stripe is
| expensive asf and we always talked with banks and payment
| processors directly.
|
| We never stored CVVs or any of that insane nonsense though.
| Our systems only ever saw CC info in transit but they were
| never stored on-site.
|
| God I miss that company. Working with smart people is great.
| fatnoah wrote:
| It's totally forbidden by PCI rules as well as common sense.
| Wayyyy back in 2002, I worked at a startup making a billing
| product. A customer asked for a screen to be able to see CC
| numbers for their own customers, and our response was a flat
| no. Any sensitive data was encrypted and sequestered, and
| security codes were absolutely not stored.
|
| In my current role at a startup, when schedule/time or
| convenience conflicts with proper data security, I ask
| people to envision how our processes would look as a news
| headline or would fare in legal discovery.
| ngneer wrote:
| Out of curiosity, and without naming names, what is people's
| typical response and what is the dynamic? Data security is
| hardly ever convenient, and most often vies for resources
| with other features or quality improvements, especially in a
| startup seeking to make its fortune. Can people even imagine
| breach ramifications without having been previously burnt, or
| is the main incentive to be able to tout compliance?
| fatnoah wrote:
| > or is the main incentive to be able to tout compliance?
|
| At the time I joined, the existing goals were around
| compliance and checking boxes on security questionnaires,
| which is exactly the problem I'm trying to solve.
| Specifically, compliance was driven by the IT/Infra teams
| and mostly around access to cloud infra. That's
| obviously useless if a db server is locked down and change
| managed, but the software accessing the data isn't.
|
| So, the bulk of my efforts in this area have been around
| bridging the gap from checking boxes to actual compliance
| with various standards. Fortunately, we rely heavily on
| data, so it's not a hard sell to properly protect things.
|
| In general, people receive the questions well, as it makes
| the strong point that there's a big gap between checking a
| box that people in sales & marketing care about, vs. how
| any issues arising from not having "real" compliance would
| be catastrophic and business ending for a company of our
| size.
| neilv wrote:
| > _what is people's typical response and what is the
| dynamic?_
|
| Not the OP. One place, a few times when I was doing an
| integration with a large company, I discovered a grave
| security flaw in the customer's systems.
|
| One time, had I done the integration despite the flaw, it
| would've required me to knowingly code some obviously 100%
| wrong use of cryptographic protocol.
|
| When I started to tell the director to whom I reported, I
| felt an initial "oh no..." mixed with skepticism, from
| hints in their voice. So I explained, and answered their
| questions.
|
| Then they seemed to switch from dread, to solving it.
| Instead of quietly taking the client's money, they halted
| integration, and put together a presentation for the
| customer, telling them how part of their security had a
| grave problem. (Possibly awkward, because it might've been
| a team internal to the customer who had made such a mistake
| on something so sensitive.)
|
| I'd say that the dynamic in that case was what you'd like
| to imagine from engineers who'd risen in influence:
| acknowledging the problem, understanding and doing the
| right thing, when it had to be done, even when they wish it
| didn't.
| neilv wrote:
| I've also seen other dynamics, in which pointing out what
| should be showstopper problems didn't go as well.
|
| I assume that the most common in business as a whole is a
| variation on: someone doesn't want to hear about it,
| because (put broadly) acknowledging it would conflict
| with business goals or their individual goals. Example
| conflicts: don't get a sale, slip the schedule, fail to
| meet some individual OKR/KPI, or expose an earlier
| mistake of the individual.
|
| Also, the dynamic doesn't have to come down to conflicts
| between plausibly rational motivations (for business or
| self). Egos and irrational cognition are also parts of
| our collective human situation, and an individual's
| particular traits (or a personal challenge they're going
| through) can sometimes lead to that taking over
| decisions. It happens, and we should try to realize when
| that's the cause (rather than just an attempt at cover
| for some rational motive they don't want to state), so
| that we can try to get to rational decision-making.
|
| A different thing, or a complication: There are also
| dynamics in which an 'ambitious' person in an org, not
| naturally involved in the situation, uses the situation
| to grandstand or hit a rival. And obviously this can
| affect the dynamics for people who are involved (e.g.,
| person A would normally do the aligned thing for the
| company, but it's more complicated now that B will twist
| that to gun for their job). Fortunately, I don't
| immediately recall seeing an egregious example first-hand,
| but have heard of it.
| Sohcahtoa82 wrote:
| > A customer asked for a screen to be able to see CC numbers
| for their own customers
|
| I'd be curious what reason they had.
| bee_rider wrote:
| In 2002? Probably something now-crazy like "how else will I
| process returns?"
|
| It is not directly related, but as a hopefully funny
| semi-related anecdote, the federal government stopped states
| from putting social security numbers on drivers licenses in
| 2004. Renewal frequency depends on the state, but it is
| typically in the 4-8 year range, so plausibly until 2012
| people were going around showing their SSN to anybody that
| needed to see ID.
|
| I specifically remember this caused stressful situations as
| a teenager working retail, people justifiably didn't want
| to show an ID when doing returns because it had their SSN.
| A credit card number is hardly anything comparably!
|
| This all seems absurd nowadays, but the past is not really
| that long ago.
| wombatpm wrote:
| At one time it was routine to have your SSN and Drivers
| License # printed on your checks. And in 1988 my student
| ID number at university was my SSN.
| bee_rider wrote:
| But 1988 is officially The Past, ask any millennial, my
| self image can't deal with the fact that our anecdotes
| objectively belong side-by-side.
| pavel_lishin wrote:
| At the risk of instantly drying into dust by suggesting
| that 2002 is also The Past, my SSN was also my
| student ID then.
| QuercusMax wrote:
| In 2002 my school (Kent State) was in the process of
| phasing out SSNs as student numbers. I was working as a
| student IT employee in one of the departments and spent
| quite a bit of time updating systems to remove the use of
| SSNs.
| zeven7 wrote:
| SSNs shouldn't have to be kept any more secret than your
| name. The fact that somehow they started being used as
| passwords is the insane thing.
| ahi wrote:
| Well into the 2000s it was routine to find unredacted
| SSNs in public Federal bankruptcy filings. Likewise, the
| old Congressional Records contain thousands of SSNs of
| newly promoted military officers. Librarians have spent a
| lot of time tracking these down in their archives to
| redact them.
| jstarfish wrote:
| A fly-by-night IT training/certification/voucher reseller I
| worked for around that time saved customer billing
| information as a convenience.
|
| No joke-- credit card numbers, billing addresses, CVV
| codes, all stored in plaintext in an Access database. Tiny
| shop though; I don't know if they were big enough for PCI
| to even apply.
| silveira wrote:
| That's a good point. The best way to not leak a secret is to
| not have the secret in the first place. I don't know anything
| of PCI rules but I would imagine there is a way to implement
| the feature "store this credit card information for future
| purchases" without storing the raw credit card information.
| csunbird wrote:
| Yes, you ask for an authorization token for recurring
| payments from your payment provider if you intend to make
| subsequent charges from that card. Then you store that token
| only (and maybe last 4 digits of the card for the customer's
| convenience) and use the token without any other card
| information to make charges.
| coldcode wrote:
| I assume they kept these in a database, which was sent or
| exported in some way to use Move-IT to transfer somewhere else.
| The hack was at Move-IT's servers I think, which allowed people
| to read the contents. The question I have is was this
| information encrypted by DD or did they just assume Move-IT was
| safe? If the latter, it's pretty stupid.
| paulcole wrote:
| I've done a lot of research into HIPAA (I work in a dental-
| adjacent field) and my guess is that it's almost certainly
| the latter - an assumption, maybe based on something they
| were told. But it's still on them regardless of whether they
| were deceived or simply didn't ask.
|
| There have been very few dental practices who have paid fines
| for HIPAA violations and one that stands out is one who hired
| a document shredding firm to destroy old paper patient
| records. The shredders picked up a bunch of files and just
| drove around the corner and hucked them into an open dumpster
| where they were found. The dentist was fined as the result of
| their assumption that a document shredding firm would, you
| know, shred documents.
| Scoundreller wrote:
| Not USA, but we had a case where the discarded unshredded
| health files somehow ended up being used in a movie shoot
| for "special effects" and strewn all over a street
| somewhere.
|
| https://decisions.ipc.on.ca/ipc-
| cipvp/phipa/en/item/135056/i...
|
| Another where a manager lit a big bonfire at home but put
| in too much at a time and they asteroided around in burnt
| and unburnt manner.
|
| Pre-tech breaches :)
| ryandrake wrote:
| > Storing security codes at all is totally forbidden by PCI
| rules.
|
| It's kind of silly though. They are no more "secret" than your
| credit card number itself or expiration date. Once you give it
| out once or hand your credit card to literally anyone, it's
| out. Now instead of acquiring N numbers, the hacker needs to
| acquire N+3 (or N+4) numbers.
|
| Our payment system needs something like:
|
|     struct {
|         string credit_card_number;
|         string expiration_date;
|         string insecurity_code;
|     };
|
| ...to complete a credit card transaction. At some point that
| record is in a computer or in your restaurant waiter's brain,
| so it's vulnerable to exfiltration, regardless of what part of
| that record gets redacted for long term storage.
|
| We are living in a world with bozos in charge who can't seem to
| develop a secure payment system, so we as users need to simply
| assume that all information required to make a purchase on our
| behalf is public knowledge, and instead diligently check our
| records for inaccuracies. I don't sweat these "breaches"
| because I freeze my credit and review all my bank and credit
| card transactions daily now.
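| (Added example, not code from the thread or from Delta Dental:
| the card-on-file flow csunbird describes above, kept as a
| processor token plus last4, next to the transient record in
| ryandrake's struct, which is validated once and never persisted.
| FakeProcessor, the field names and the tok_ format are
| constructed stand-ins; 4111111111111111 is a standard test PAN.
| export_findings is the pre-export check one would run on a dump
| before handing it to a transfer tool.)

```python
"""Card-on-file without keeping the card: what the processor holds vs. what we hold."""
from dataclasses import dataclass, asdict
import json
import re

def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation (catches typos and mangled exports, not fraud)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class TransientCard:
    """Everything a charge needs (ryandrake's struct). Held in memory for one
    request and never written anywhere on our side."""
    pan: str
    exp_month: int
    exp_year: int
    cvv: str

@dataclass(frozen=True)
class StoredPaymentMethod:
    """What our database keeps: the processor's token plus display metadata.
    There is no field in which a PAN or CVV could even be stored."""
    provider_token: str
    last4: str
    exp_month: int
    exp_year: int
    brand: str

class FakeProcessor:
    """Stand-in for a real processor's vault (constructed for this example).
    Tokens are deterministic here; real ones are opaque and only meaningful
    to the processor that issued them."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, int, int]] = {}

    def tokenize(self, card: TransientCard) -> str:
        # The CVV is checked once at enrolment and then dropped: even the
        # processor's vault does not keep it.
        if not (card.cvv.isdigit() and len(card.cvv) in (3, 4)):
            raise ValueError("invalid security code")
        token = f"tok_{len(self._vault) + 1:06d}"
        self._vault[token] = (card.pan, card.exp_month, card.exp_year)
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"status": "approved", "amount_cents": amount_cents}

def brand_of(pan: str) -> str:
    return {"3": "amex", "4": "visa", "5": "mastercard"}.get(pan[0], "unknown")

def save_card_on_file(proc: FakeProcessor, card: TransientCard) -> StoredPaymentMethod:
    """Enrol a card for future purchases; only the returned record is persisted."""
    if not luhn_ok(card.pan):
        raise ValueError("invalid card number")
    token = proc.tokenize(card)
    return StoredPaymentMethod(token, card.pan[-4:], card.exp_month,
                               card.exp_year, brand_of(card.pan))

def charge_stored(proc: FakeProcessor, method: StoredPaymentMethod,
                  amount_cents: int) -> dict:
    """A later charge needs the token only; no card data travels with it."""
    return proc.charge(method.provider_token, amount_cents)

# Guard for anything about to be written to disk or handed to a transfer tool:
# 13-19 digit runs (spaces/dashes allowed) that pass Luhn, or CVV-like fields.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "security_code", "pin"}

def find_pans(text: str) -> list[str]:
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def export_findings(record) -> list[str]:
    """Problems with a record about to leave the system; empty means it may go."""
    data = record if isinstance(record, dict) else asdict(record)
    problems = [f"forbidden field: {k}" for k in data if k.lower() in FORBIDDEN_KEYS]
    problems += [f"PAN present: ****{p[-4:]}" for p in find_pans(json.dumps(data))]
    return problems

if __name__ == "__main__":
    proc = FakeProcessor()
    card = TransientCard("4111111111111111", 12, 2027, "123")  # constructed test card
    method = save_card_on_file(proc, card)
    print(charge_stored(proc, method, 4999))
    print(export_findings(method))  # []
    print(export_findings(card))    # the transient record must never be exported
```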
| gosub100 wrote:
| It's not silly just because it can't solve all problems. It
| goes a long way to make gas station type skimmers less valuable
| because you can't print a phony card from them, or the phony
| card you can print is limited to a subset of possible
| purchases. perfect-enemy-of-good yadayda.
| gunapologist99 wrote:
| You're not wrong, but GP is saying that 3 digits is a
| pretty weak 'security' code and gas station skimmers are on
| the tail end of the threat model compared to exfil of data
| at any point in the processing chain.
| ryandrake wrote:
| I tried to better clarify what I'm saying in [1]. I'm not
| saying the small number of digits makes it insecure, it's
| that "moar numbers" is not really adding anything in
| terms of multi-factor or secrecy. Instead of knowing N
| digits, you merely need to know N+M digits. It is not
| changing the nature of the secret.
|
| 1: https://news.ycombinator.com/item?id=38655609
| cbsmith wrote:
| It's a different set of protocols, reducing the surface
| area of successful breach strategies. If you simply added
| three digits to credit card numbers but maintained the
| same protocols on the credit card numbers, it wouldn't
| improve security nearly as much. There are fewer tactics
| that will successfully get you N+M digits than those that
| would get you the N digits. Most 2FA works the same way.
| It's not like the six digits of Google Auth add security,
| but the protocols around them.
|
| To put it another way: the value of those extra three
| digits is that they are indeed "more secret". They exist
| on far fewer hard drives.
| gosub100 wrote:
| I think this topic came up a week or 2 ago, and I made an
| almost identical comment as you, which was why the
| content of my reply was fresh in my memory. Anyway, in
| the recent convo, a kind hn poster provided this
| explanation of CVV
|
| https://randomoracle.wordpress.com/2012/08/25/cvv1-cvv2-c
| vv3...
|
| I totally see why it just seems like "moar numbers"
| though, and I find them unnecessarily annoying. I wish
| they could reduce the complexity (maybe letters, colors
| or shapes, something more human-compatible), but there's
| just too much legacy code with too little benefit.
| hn_throwaway_99 wrote:
| It's not silly. The point is that security codes are only
| ever supposed to be sent in transit, and the only place they
| are ever stored is by the issuing processor.
|
| It's not supposed to solve every potential vulnerability, but
| there is a whole class of exploits, exactly like the one in
| the article, that result from stolen _storage_, that this
| rule is designed to protect against.
| chefandy wrote:
| > Now instead of acquiring N numbers, the hacker needs to
| acquire N+3 (or N+4) numbers
|
| This seems _almost_ as reductive as suggesting my mechanic
| should keep her customers' keys (k) in their cars (c) in her
| parking lot because instead of just acquiring c, now the
| thieves just need to acquire c+k.
|
| If we were talking about 3 extra digits on the card number,
| that would be one thing. But we're talking about a separate
| authentication factor, which seems pretty worthwhile to me.
| Getting that info isn't exactly a snap if you don't just find
| it laying around-- it's not like you can brute force it. I'd
| be pretty astonished if a credit card company didn't cancel
| someone's credit card if someone tried a handful of
| transactions with random security codes, let alone enough to
| guess one number in a thousand.
|
| Sure, there are undoubtedly better ways to handle these
| transactions, but lacking magic wands to change a giant
| dinosaur of an industry that should have wanted to change on
| its own, this is a prudent policy-based strategy to mitigate
| harm. Whether or not _you_ sweat these breaches is a good way
| to gauge _your own_ processes, but it's not a useful way to
| gauge industry-wide processes.
| ryandrake wrote:
| > If we were talking about 3 extra digits on the card
| number, that would be one thing. But we're talking about a
| separate authentication factor, which seems pretty
| worthwhile to me.
|
| It's not really another factor in the sense of the three
| types of factors: Something you know, something you have,
| something you are. It's just more digits of "something you
| know" so it's the same factor. It's why 2-factor auth isn't
| just 2 separate passwords.
| chefandy wrote:
| Seems to me that when you turn it into data, it pretty
| much all becomes "something you know." If a credit card
| required biometric authentication to make credit card
| transactions and a vendor stored my biometric signature
| in a database along with my credit card number, it would
| be no more or less secure than a 3 digit number.
|
| There are better ways to handle it. Policy is a good
| interim step to mitigate damage before they're
| implemented.
| 13of40 wrote:
| > I'd be pretty astonished if a credit card company didn't
| cancel someone's credit card if someone was tried a handful
| of transactions with random security codes, let alone
| enough to guess one number in a thousand.
|
| If you have a whole database of them, the trick is to try
| one code with a thousand cards. Even so, that was a major
| improvement over the status quo before, which was to use
| the expiration date, meaning you only had to try about 24
| or 36 cards with one month/year.
| 8n4vidtmkvmk wrote:
| I think visa or MasterCard would catch on in that
| situation too, no? There's only a few processors, they
| should notice the pattern.
| spunker540 wrote:
| They process so many transactions per second. It doesn't
| seem too hard to try wrong ccv at a pace slow enough to
| avoid detection.
| chefandy wrote:
| I would need to hear that from someone who actually works
| in a CC company fraud department because I don't think
| it's that straightforward. I've had MC transactions
| declined on a card I use for everyday purchases at two
| stores in my neighborhood. I don't think reasoning about
| their transaction monitoring like someone might monitor
| network traffic is a good analog-- they're specifically
| looking for patterns in small-scale, localized events
| without many data points. They don't have to connect the
| events to stymie the fraudster's efforts.
| skibbityboop wrote:
| > If you have a whole database of them, the trick is to
| try one code with a thousand cards
|
| That still sounds like a crapshoot... Of those 1,000
| cards, there might be 14 that have 982 as CSV, 9 that
| have 307, and none with 118. In other words, there's no
| guarantee whatsoever that any given CSV will be used in a
| batch of 1,000 or even 10,000 cards.
| jjav wrote:
| Of course there is no _guarantee_, but statistically if
| you have 1/1000 probability of success and you try a 1000
| times, that's not bad.
| chefandy wrote:
| Their fraud detection algorithms are specifically looking
| for small, localized, per-transaction events with few
| data points as well as overall patterns-- I doubt it
| would be that straightforward. It might not mean you'd be
| targeted, but on a per-transaction basis, I think there's a
| good chance you'd get blocked for any individual attempt
| even if you got a match.
| gregw2 wrote:
| Kind of silly? Can't/don't the three digits get rotated
| independently of rotating your credit card or account number
| though?
|
| Also some clearer rules/expectations in place that nobody
| should ever persist the data on disk?
| jldugger wrote:
| They usually (always?) get rotated at the same time as the
| expiration date.
| glimshe wrote:
| It is a poor person's version of a password for using the
| credit card, only available to people that have the credit
| card in their hands. Not silly at all.
| mikestew wrote:
| _It's kind of silly though. They are no more "secret" than
| your credit card number itself or expiration date._
|
| Apple Card rotates the CCV (fixed time interval, AFAICT, not
| per transaction), so it _is_ a secret, even if only
| temporarily.
|
| _Once you give it out once or hand your credit card to
| literally anyone, it's out._
|
| Sure, the cashier now has it, but they're not supposed to be
| entering it into a database so that _everyone_ has it, hence
| the "PCI" part.
| skybrian wrote:
| For physical transactions, change is happening, but it's a
| slow migration. Looks like MasterCard has plans to remove the
| magnetic stripe [1].
|
| Online, perhaps credit cards will disappear into password
| managers and mobile payments (Google and Apple Pay, etc.)
| with ordinary businesses storing very little.
|
| [1] https://www.theverge.com/2021/8/17/22628455/mastercard-
| magne...
| PH95VuimJjqBqy wrote:
| if no one is storing it, they don't have it. If someone is
| storing it, it increases the likelihood that they can acquire
| it.
|
| perfect is the enemy of good.
| wintogreen74 wrote:
| it's not supposed to be a secret in the "something you know"
| way, but rather "something you have" - i.e. the physical
| card. If they store it you no longer need the physical card
| for an entire family of attacks & frauds.
| spunker540 wrote:
| I agree with you. When the secret is always collected side-
| by-side with the number it seems little comfort that only one
| part is "supposed to be stored".
| jjav wrote:
| > bozos in charge who can't seem to develop a secure payment
| system
|
| Actually, the credit card system is very secure to you the
| consumer.
|
| By regulation, you're not liable for anything if your card
| number is abused in a card not present transaction (typically
| the case here for numbers stolen over the internet).
|
| I don't have any other form of payment that is as secure, so
| good job credit cards.
|
| (As a cryptography and security nerd, it took me a long time
| to learn that while mathematically guaranteed security is
| very cool, sometimes you can achieve an equal result just by
| passing a law.)
| lovecg wrote:
| They won't and it won't be.
| 93po wrote:
| Hey come on, when Target had their data breach in 2015 due to
| massive negligence and incompetence, the largest data breach
| ever to date, they had to pay about 1.6% of their average net
| income at the time in penalties. I imagine Delta will pay
| less than that since, you know, it isn't as bad.
| wrs wrote:
| Storing the CVV would be very bad, but the form they're linking
| to is ambiguous:
|
| "Information Acquired - Name or other personal identifier in
| combination with: Financial Account Number or Credit/Debit Card
| Number (in combination with security code, access code,
| password or PIN for the account)"
| AndrewKemendo wrote:
| I find this especially ironic given the fact that most tech
| companies I've been at used Delta dental of California
|
| I feel like we all deserve this somehow for allowing bad
| practices like this to proliferate in the favor of business
| objectives
| koolba wrote:
| Delta is like the Blue Cross of dental plans.
| andrei_says_ wrote:
| I use delta dental. What does this mean? Why would they store
| my CC info when I'm paying directly to my dentist and delta
| dental is also paying the dentist?
|
| How does my CC info get transferred to the insurer? There's no
| such transaction afaik.
| calfuris wrote:
| How are you paying your premium? For individual plans, I
| suspect that a lot of people use a card.
| accrual wrote:
| At least at my $dayjob, premiums are deducted before I get
| my check, along with taxes, retirement, etc.
|
| Like you mentioned, it's probably different for those who
| purchase their own insurance.
| CWuestefeld wrote:
| the OP says "Delta Dental of California", for one thing. I
| imagine that means that I'm safe.
|
| California is not the entire world, believe it or not.
| trimethylpurine wrote:
| That would just force the company to form back up with the same
| people under a new name. Unless individuals can be held
| responsible, there's nothing we can do about it.
| highwaylights wrote:
| Surely the data breaches we hear about are the tip of the
| iceberg?
|
| Just think of what needs to happen after a hack for you to hear
| about it:
|
| - someone at the company needs to be aware it has happened.
|
| - they need to accurately identify what was accessed.
|
| - they need to disclose that this has happened.
|
| - it needs to be visible enough that it gets picked up and talked
| about.
|
| Each step of that funnel must have some drop-off that is non-
| zero. Do we hear about 80% of breaches? 5%?
|
| Honestly I've no idea.
| sofixa wrote:
| Well thankfully point #3 is mandatory in places with laws such
| as the GDPR or California or Brazil's equivalents which mandate
| disclosure to impacted users and publicly.
| willcipriano wrote:
| Murder is similarly forbidden. Still happens.
| kossTKR wrote:
| Yes, I'm pretty sure no more than 5% of breaches and leaks get
| public press.
|
| There are so many internal company filters a breach has to go
| through to become public, all the way from some engineer messing
| up and "just closing the terminal" with a beating heart hoping
| no one will notice - to a long chain of managers who have to
| send the message upwards, then the leadership approving public
| disclosure, all with negative pressure to not disclose because
| of career, stress, extra work, penalties, all the way to
| stakeholder value.
| lofaszvanitt wrote:
| Just get into the proper forums and see all the data offered
| for sale.
| rightbyte wrote:
| I would honestly guess about 0.1% of bad leaks (e.g. not just
| email and user name or whatever) are disclosed in the end.
|
| It has to be really hard for the police or card providers to
| correlate frauds with customer databases.
|
| And like, how do you even notice you are hacked? Unless the
| hacker sends you extortion messages, which I guess is the main
| reason for disclosure. Otherwise the hacker can tip off an
| attorney and 'pwn' corporate lawyers for real. A risk the
| lawyers won't take even if the company wanted to.
|
| I sometimes feel lawyers are the only group of workers with
| real agency ...
| ourmandave wrote:
| And finding out shouldn't be like pulling teeth.
| iAMkenough wrote:
| Delta should leave the teeth pulling to the dentists.
| droopyEyelids wrote:
| You're only looking at it from one end of the funnel.
|
| On the other end you have security researchers who are active
| in the cybercrime underground markets, and have the same
| opportunity to buy stolen data as the criminals themselves.
|
| So disclosure can come from the other end when it becomes
| apparent that a certain company's data is being sold, and I
| think almost all of it does get sold eventually, even if the
| initial hacker has a way to exploit it privately: After they've
| finished, they can make money selling the leftovers.
| jimmygrapes wrote:
| Cool, Delta Dental is one of the few dental insurance providers
| the VA recommends and offers plans with. Nothing says "we support
| veterans" like a good old fashioned sell-off of data.
| nickthegreek wrote:
| The data was siphoned from Delta Dental, not sold by Delta
| Dental.
| sokoloff wrote:
| If I have three simultaneous/overlapping years of free credit
| monitoring from various breaches, am I triple-protected?
| tyingq wrote:
| When I ask my non-techie friends about stuff like this, they
| really don't care anymore unless they actually get hacked,
| scammed, etc. It happens so often that there's now "breach
| fatigue". Meaning little pressure on companies to do better.
| MattGaiser wrote:
| Even as a tech person, I am indifferent. I've adapted to a
| world where cards get stolen, so I never use debit, review my
| statements, and have spending notifications turned on for my
| phone. I have the apps so I can instantly lock my card. I have
| already learned to live in a financial castle.
|
| It is obviously not great, but an additional breach has little
| marginal impact on my life.
| Dalewyn wrote:
| >so I never use debit, review my statements,
|
| Even the most Joe of Joe Averages should be doing that,
| honestly.
|
| The primary reason to use credit cards over debit is for the
| fraud protection, and reviewing monthly statements is just
| something everyone should do.
| pants2 wrote:
| The real question is why online credit card payments still
| involve using the whole card number, as opposed to some
| message signed by the card's private key authorizing certain
| spending limits for a retailer.
| sokoloff wrote:
| Online retailers almost surely do better by allowing easy
| use of credit cards by even the least technical 5% of
| Americans than they would from a lower fraud system that
| required a moderate or higher level of technical acumen to
| operate.
|
| Suppose I'm at a computer ready to buy a PS5 on BestBuy's
| site. What's the complexity now vs under a proposed
| private-key system? What's the loss in conversion rate on
| the latter?
| pants2 wrote:
| I'm not sure exactly what that might look like, but if
| you look at crypto wallets for example, you could have a
| browser extension (or something like Apple Pay) that's
| able to custody the private key and sign transactions.
| Once you have it set up, it would be much easier than
| entering a CC number.
| 8n4vidtmkvmk wrote:
| Then offer both until the general public learns. The
| savvy can use the more secure system and the rest can
| upgrade when they're feeling brave.
| BytesAndGears wrote:
| That's exactly what we have in the Netherlands -- there is
| a system where you can go to check out, using iDeal.
|
| It gives you a QR code at checkout, which you can scan with
| a banking app on your phone. It shows on your phone the
| amount you're sending, and to whom, with a button to
| approve or deny.
|
| You can also set it up as a recurring payment in the app
| and say "authorize this same payment automatically in the
| future, up to EURxyz amount". Then you can see a list of
| all of your authorized recurring payments, and cancel or
| change them any time from the bank app.
|
| It's a great system!
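A sketch of the scoped, signed authorization that pants2 proposes above, and of the "up to EURxyz" recurring grant in the iDeal flow BytesAndGears describes, as an added example that is not part of this thread or of any real payment network. Everything in it is constructed: the wallet and issuer classes, the token layout, and an HMAC keyed with a card-bound secret that stands in for the card's private key.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo: a wallet signs a scoped payment grant and the card issuer
# verifies it. The merchant only ever holds the token, never a card number, so
# a leaked copy is bound to one merchant, one spending cap and one expiry. An
# HMAC keyed with a card-bound secret stands in for the asymmetric signature the
# comment proposes (simplification: the standard library has no Ed25519).

def _canonical(body: dict) -> bytes:
    # Deterministic encoding so wallet and issuer MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class Wallet:
    """User-side custodian of the card secret (browser extension, phone app)."""
    def __init__(self, card_id: str, secret: bytes):
        self.card_id, self.secret = card_id, secret

    def authorize(self, merchant_id: str, limit_cents: int, ttl_s: int, now=None) -> dict:
        now = time.time() if now is None else now
        body = {
            "card_id": self.card_id,
            "merchant_id": merchant_id,  # who may charge against this grant
            "limit_cents": limit_cents,  # cumulative cap, like iDeal's "up to EURxyz"
            "expires_at": int(now + ttl_s),
            "nonce": secrets.token_hex(8),  # identifies the grant for spend tracking
        }
        mac = hmac.new(self.secret, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

class Issuer:
    """Card issuer: knows each card's secret and tracks spend per grant."""
    def __init__(self):
        self.secrets: dict[str, bytes] = {}
        self.spent: dict[str, int] = {}  # nonce -> cents already charged

    def enroll(self, card_id: str, secret: bytes) -> None:
        self.secrets[card_id] = secret

    def charge(self, token: dict, merchant_id: str, amount_cents: int, now=None) -> tuple[bool, str]:
        now = time.time() if now is None else now
        body = token["body"]
        secret = self.secrets.get(body.get("card_id"))
        if secret is None:
            return False, "unknown card"
        expected = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return False, "bad signature"  # tampered body or forged token
        if body["merchant_id"] != merchant_id:
            return False, "merchant mismatch"  # stolen token presented elsewhere
        if now > body["expires_at"]:
            return False, "expired"
        used = self.spent.get(body["nonce"], 0)
        if used + amount_cents > body["limit_cents"]:
            return False, "over limit"
        self.spent[body["nonce"]] = used + amount_cents
        return True, "approved"
```

The point of the checks in `charge` is that a token lifted from a merchant's database (the Delta Dental scenario) only works at that merchant, only up to its cap, and only until it expires, and it never contained the card number in the first place.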
| shnock wrote:
| Yet another example of NL's actual understanding of the
| public and common good
|
| I miss thee dearly!
| kube-system wrote:
| Because smart card readers aren't very common on home
| computers.
| closeparen wrote:
| It's a weird skeuomorphism that online payments are even
| related to physical cards. It should just be through your
| online banking account.
| kube-system wrote:
| It's just a legacy pattern. Online credit card payments
| predate online banking. The whole model for US card
| payments online was created as an extension of the way
| credit cards were used to pay via mail or telephone.
| yieldcrv wrote:
| Apple Pay is a virtual number all the time, and Amex with
| Google Chrome is or can do it too
|
| baby steps, significant ones, but an incomplete solution
| sologoub wrote:
| It's pretty sad that after decades of such breaches, these still
| do damage. We have had tech, such as security keys, for some
| time. Even basic Authenticator app helps. These should be
| standard with anything remotely sensitive.
|
| Another sad point is that there is rarely true accountability.
| Offering 24 months of some service is a pittance and an expense
| of doing business that could be factored/priced in, continuing
| the poor security practices.
| vladgur wrote:
| Does this only impact people who purchase individual coverage
| through Delta Dental?
|
| I'm assuming employees with employer-sponsored Delta Dental plans
| have no reason to provide Delta with their credit cards
| jebarker wrote:
| I have Delta Dental through employer and I'm pretty sure I've
| never had to give them any CC info. Any copays go directly to
| the dentist.
| fn-mote wrote:
| They knew about the breach June 1, confirmed June 6, but the
| information is only made public after almost five months,
| November 27? (After a "second, more lengthy investigation".)
|
| This is better than nothing, but it seems absurd.
| oasisbob wrote:
| It is absurd, and it violates the mandatory timely notification
| laws which are in place in many states, including Washington.
|
| Umpqua bank was also affected by MOVEit by way of one of their
| fintech vendors (FIS), they didn't even bother to notify my
| state's AG, as required by law, nor did they provide timely or
| accurate notifications.
|
| Maybe companies feel a diffusion of responsibility when there
| are so many others affected.
| vkou wrote:
| They feel a diffusion of responsibility because they are
| never held responsible for it.
| gunapologist99 wrote:
| According to the article, this applies mostly or only to Delta
| Dental of California.
|
| Slightly OT: Delta Dental was the company that Costco used to
| sell Dental Insurance through. (unfortunately, that partnership
| has ended with no replacement.)
|
| Careington and Thrive both offer overlapping discount plans that
| (especially combined) can more than offset the much higher
| monthly (not low annual) prices that Delta Dental is now
| charging, especially for a family.
| Podgajski wrote:
| When are there going to be consequences for the companies that let
| these data breaches happen?
| teeray wrote:
| It's lamentable that any of this information still has value to
| fraudsters. Once it became clear that companies cannot safely
| control this data, it should have been stripped of any value by
| having some security token under user control provide the actual
| payment authorization.
| bradgessler wrote:
| I'll never forget when a Citibank employee that processes
| mortgage applications asked me for my credit card over email.
|
| They also had a "secure messaging center" that would take your
| message, put it in a PDF, password protect the PDF, and then send
| it to the email address along with instructions for them to login
| to the website to get the PDF password.
|
| The list goes on of bad things banks do with security and is a
| blatant reminder, "rules for thee but not for me"
| chrbr wrote:
| The entire home-buying process (in the US, at least) seems to
| be built on shady-looking ways to nickel and dime people. I
| remember telling friends when going through it that it'd be
| easy to scam me because I got so used to urgent requests to pay
| some fee for inspections or legal stuff or whatever that I'd
| just shell out the money without asking questions.
| wharvle wrote:
| It's got nothing on medical billing. Seemingly random bills
| from entities you may never have heard of showing up _months_
| later even when you paid a shitload (thousands) up-front.
|
| [EDIT] Oh and they may not put enough info on the bill to
| figure out WTF it's even for, without calling them. It'll
| have some uselessly-generic single-line item for what was
| probably multiple things, but you'll have to spend an hour on
| hold to find out what you're supposed to be paying for.
| deepsquirrelnet wrote:
| Sidebar, but does anybody else get incensed by the fact that
| Delta frequently uses customer's SSN as their account number? My
| dentist looked at me like I was crazy when I told them I didn't
| want my account information being stored on their computers for
| that reason.
|
| But maybe in this moronic system, resistance is futile.
| excerionsforte wrote:
| Really basic security practices weren't followed. I cancelled my
| plan now and switching to my new primary health insurance dental
| plan which I should've looked at. I don't know why these
| companies wait for a breach before looking at their systems after
| all these data breaches. I mean storing credit cards is Do Not Do
| 101.
| vlod wrote:
| If you've been putting it off, a friendly reminder to freeze your
| account at the credit card agencies. Make sure you do all 3!
|
| Here's details from NerdWallet:
| https://www.nerdwallet.com/article/finance/how-to-freeze-cre...
| laweijfmvo wrote:
| Good tip! It's awful what this entails:
|
| 1) Creating accounts with the major credit reporters,
| presumably subject to hacks or social engineering
|
| 2) Accounts that require answering an easily guessed "secret
| question"
|
| 3) Password "rules" that restrict both the length and special
| characters of your password
|
| 4) After all that, creating the account results in a
| "Congratulation!" NOT FROZEN account. You have to go through an
| extra step to actually freeze it.
|
| 5) "Sorry, we can't freeze your account right now!"
| vlod wrote:
| Yeah... it's a complete PITA. I also had the 'we can't freeze
| right now' and it took a few days of verification and
| eventually having to call them to get it all sorted.
|
| My reasoning is it's better to do this before a bad person
| has your account rather than during.
| vkou wrote:
| Why are you doing so much work to save some third party
| money when they get defrauded?
| vlod wrote:
| Because you'll have to deal with the repercussions. I'd
| rather not.
| wharvle wrote:
| One wonders, at times, how much modern "efficiency" is just
| shifting costs to places they're less well-observed.
| callalex wrote:
| It's super fun and cool that dentistry is controlled by a cartel
| and we just let it happen out in the open. It is NOT insurance,
| because there is no risk pooling or coverage for adverse events.
| It's just a payment plan that sets prices unilaterally.
| shnock wrote:
| Are acute and not universal dental operations like a root
| canal, crown, abscess op not adverse events for which there can
| be risk pooling?
| callalex wrote:
| They are, and that is not what Delta "insurance" covers.
| quacker wrote:
| I'm not sure why you say this. Maybe I don't understand
| what you mean.
|
| I have Delta Dental through my employer's benefits and it
| covers all the types of operations that I'd expect:
| preventive, endodontic, periodontic, orthodontic,
| prosthodontic, etc.
|
| If I need a root canal, it's covered by Delta Dental (up to
| a point, given the deductible). If I chip a tooth, and get
| an inlay or onlay, that is covered. Is this not insurance?
| Why not?
| calfuris wrote:
| Where I live, Delta offers a plan that essentially
| provides a set price list for various procedures as long
| as you are in network. Perhaps the person you're replying
| to has run into that plan and didn't realize that they
| also have more conventional plans.
| daft_pink wrote:
| As someone that used Dental Insurance heavily after I didn't
| take good care of my teeth in my 20's and previously negotiated
| many different Dental policies as an agent for a large employer
| this really isn't true.
|
| 1. I found that different Dental Insurance companies have
| wildly different negotiated rates and there is no real
| standard. Delta Dental tends to have better negotiated rates in
| my experience and United Healthcare's dental plans seem like
| they don't negotiate at all and using a specialized Dental
| company results in the lowest rates overall as the large health
| insurers are simply profiting off the insurance and don't seem
| to care how much they pay, which sucks when you pay a
| percentage for a procedure.
|
| 2. The totally covered population for dental insurance is not
| big enough to control the market. Generally, I found that when
| I wasn't covered by dental insurance, dental costs were a lot
| higher and you do generally receive a savings from dental
| insurance and they really don't have enough market share to
| control the market.
|
| 3. The coverage for adverse events is mostly just limited,
| because if you go to the dentist regularly, you generally don't
| have tons of adverse events within one year. I think most
| people will find a decent dental insurance plan will mostly
| cover them. Even if you exceed the negotiated rate,
|
| I just find that in general having dental insurance is
| beneficial to me as a person and not a scam like vision
| insurance where you are generally better off finding a coupon
| or deal, or ridiculous like health insurance where they have
| manipulated the networks and deductibles so that the average
| person has no idea what they are buying or how to evaluate it.
|
| My criticism of dental insurance would simply be that I think
| that policy holders should benefit from company negotiated
| rates under a policy even when a particular item isn't covered
| under their policy. I find that is the one area where dental
| insurance in general is lacking, because dental insurance takes
| the negotiation out of pricing and gives you the benefit of the
| company's negotiated rates.
| daft_pink wrote:
| Scary thing about this is that Delta Dental is a multi-state
| entity, but Delta Dental of California is the entity that handles
| federal employee benefits, so it likely leaked sensitive details
| about many federal employees if it contained their entire
| subscriber base.
| thrillgore wrote:
| You know what will make this stop? Actual consequences for not
| preventing data breaches, like jail time.
| yieldcrv wrote:
| web2isgoinggreat
| pests wrote:
| Y'all know not everyone lives in CA?
| markhahn wrote:
| we need to flip the conversation on this.
|
| journalists don't seem to grok the fact that breaches are totally
| the fault of the breached site. sure, the attackers are bad
| people, but that's a different crime.
|
| we need something close to a death sentence for sites that allow
| themselves to be breached. mandatory $10k per exposed SSN, $10
| per exposed email, that sort of thing.
|
| what would be the result? only good: sites should not be storing
| this data themselves. the real conversation-flip is that we need
| to put people in charge of their own data, and make it
| radioactive for data-users (like Delta Dental) to store it. this
| kind of data should only live in facilities that are solely run
| for the purpose, and which provide the data-subject with full
| control. who pays? not really that hard - some combination of the
| data-subject, data-users (transaction fees), perhaps just a
| governmental single payer (since we're talking tiny cost).
|
| imagine if you could look at your data (you can't today!) and
| could explicitly share out bits to particular data-users. all
| your records (dental, tax, CC, banking).
| toywinder wrote:
| MOVEit has been a vector for several high profile bank and
| government breaches in the last few months. I really have to
| wonder why anyone is still using their services after yet another
| security incident.
| ramesh31 wrote:
| Great example of why you should never ever ever give out a debit
| card number for anything. Just about every credit card company
| has virtual numbers now. And even still, there's a massive
| difference between disputing a credit charge and replacing lost
| funds in a checking account.
| purpleblue wrote:
| Delta Dental is one of the worst dental insurance companies out
| there. I hope it goes bankrupt. They have cut benefits so much
| that most dentists I know have dropped them completely and refuse
| to take them. It has caused a bunch of headaches for us and for
| most families I know.
| anonuser123456 wrote:
| My wife's dentist dropped them this year. My dentist is
| considering it in the near future.
| snakeyjake wrote:
| Yay.
|
| I can expect yet another $7.35 settlement check sent to my Venmo
| in 18 months...
| hedora wrote:
| People say that delta shouldn't have been storing CVC numbers
| (fair point), but note that the breach was upstream of them at
| MOVEit, which supplies an on-prem file transfer program and cloud
| offerings specifically for managing PCI environments.
|
| The real WTF is that the PCI compliance vendor's solution led to
| them storing that data.
|
| "It's your only job," and all that...
| 2OEH8eoCRo0 wrote:
| CL0P (Russia) is known to target MOVEit but I can't find any
| confirmation of which threat actor is believed to be implicated.
|
| https://en.wikipedia.org/wiki/Clop_(cyber_gang)
|
| https://www.cisa.gov/news-events/news/cisa-and-fbi-release-a...
| keep_reading wrote:
| Ahh ok I'll change my privacy.com card for Delta Dental then
| marcod wrote:
| If I say "this AC is on its last legs" I'm likely talking about
| acceptance criteria ;)
___________________________________________________________________
(page generated 2023-12-15 23:02 UTC)