Remember last week when TripAdvisor let members know that their database of email addresses had been compromised?

Retailer New York & Company and TiVo sent nearly simultaneous, nearly identical emails to subscribers today conceding their email address databases too have been hacked. Subscribers of HSN, US Bank and Benefit Cosmetics also report similar email warnings- the breaches stem from a larger “massive breach” at permission-based email marketing provider Epsilon, and the list of affected companies so far is as follows:

• TiVo

• Marriott Rewards

• Ritz-Carlton Rewards

• US Bank

• JPMorgan Chase

•Capital One

• Citi

• McKinsey & Company

• New York & Company

• Brookstone

• Kroger

• Walgreens

In part, New York & Company explained:

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We also want to remind you that we will never ask you for your personal information in an email.

We sincerely regret this has taken place, and we apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Given the number of companies affected so far, it is likely at least a handful more will emerge and reach customers. Have you received a similar email from a company not on the list? Have you noticed an increase in spam following such notifications?

Massive Epsilon breach affects NY&CO, TiVO, others is a post from: The Inquisitr

Members of the travel site TripAdvisor received an email from the company’s CEO today warning of a data breach that occurred over the weekend.

Steve Kaufer, who signed off as co-founder and CEO, says the leak has since been patched, but that an unauthorized third-party was able to obtain an undisclosed number of email addresses belonging to the site’s 20 million members. The breach isn’t quite near the level of the one a few months back at Gawker, but could cause some minor headaches for the affected users, such as increased levels of spam.

Kaufer offered little in the way of details, but said:

How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.

The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.

Did you get the email from TripAdvisor about the hack? Does this kind of thing worry you at all?

TripAdvisor CEO admits minor security breach in email to members is a post from: The Inquisitr

A federal lawsuit filed Wednesday claims that popular App Store app developer Storm8 may have bypassed safeguards in order to obtain data such as phone numbers via games downloaded over 20 million times.

World War, iMobsters, Racing Live, Vampires, Kingdoms, Zombies Live, Rockstars Live and Ninjas Live are some of the iPod Touch and iPhone titles listed on Storm8′s website. Court documents point to “secret code” written into games to circumvent protections preventing apps from collecting data on unsuspecting users:

“…Storm8 makes use of the ‘backdoor’ method to access, collect, and transmit the wireless phone numbers of the iPhones on which its games are installed,” states the complaint, which was filed in US District Court in Northern California. “Storm8 does so or has done so in all of its games.”

The Register points to a column written back in August about privacy concerns and the iPhone. The columnist highlights data-gathering in Storm8′s Vampires Live mini MMORPG:

One of the best selling iPhone app is Vampires Live, a very cool game which is a take off from the current pop culture fascination with vampires. The app is built by Storm8 and is the 8th best selling iPhone app.

The game is essentially an massive multi-player online game which will use your 3G or WiFi connection. 3G is your data plan. So far so good. While playing vampires is fun, it does not involve exchanging phone numbers with other players. In fact, no one needs your phone number to play with you.

But guess what?

Without your permission, Storm8 harvests both your UDID, phone number, email and name (on registration).

(Examples of code.)

As you can see, the personally identifiable information which is the PNUM is being transmitted and I guess stored with Storm8′s servers. For non-technical types, PNUM is phone number and I changed the telephone number on the log to hide my personal number. I would not want just anyone to have my personal phone number. Worst of all, the information is transmitted unencrypted in plain text.

Storm8 is claiming that the data collection was unintentional and part of a “”a bug that has been fixed.” But the prosecution is skeptical, saying the developers used “very specific and specialized software code to do so.” The claimant in the case is hoping to obtain class action status.

[Source: The Register]

Lawsuit: iPhone app developer Storm8 stole phone numbers, user data is a post from: The Inquisitr

In a statement George Paz, the company president said

“We are cooperating with the FBI and are committed to doing what we can to protect our members’ personal information and to track down the person or persons responsible for this criminal act,”

The company came clean in light of the sentencing of three New Yorkers involved in the Citibank theft of account card numbers that I wrote about yesterday here at The Inquisitr. Express Script said it got the letter back in early October and while it isn’t aware of any misuse of the stolen data it has notified those affected as well as setting up a website to help their customers out.

Patient data threatened to be exposed in extortion attempt is a post from: The Inquisitr

A burglary at a third-party human resource company included computers with files of Google employees hired prior to 2006, according to a letter from Google to the New Hampshire Attorney General. The files were stored at a company called Colt Express Outsourcing Services and contained names, addresses, and social security numbers.

Some Google employees were notified of the breach as recently as Tuesday. The company is offering to pay for a year-long identity theft monitoring service for those affected.

CNET learned last month 6,500 of its own employee records were also stolen in the same burglary from the office. It is also offering an identity theft monitoring service free of charge to its affected employees.

Google Employee Data Stolen is a post from: The Inquisitr