Houghton Mifflin Harcourt server breach leads to notification
Technorati Tag: Security Breach
Date Reported:
7/1/08
Organization:
Houghton Mifflin Harcourt ("HMH")
Contractor/Consultant/Branch:
None
Victims:
"individuals affiliated with Harcourt Trade"
Number Affected:
194
Types of Data:
Social Security numbers
Breach Description:
"Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites.
[Evan] A "worldwide Internet-based attack" sounds impressive. In order for an attack to be successful, a vulnerability must be exploited. I wonder what the vulnerability was.
On April 25, 2008, HMH's Information Security group learned of a worldwide Internet-based attack that affected one of its non-e-commerce websites.
Within minutes, HMH took steps to secure the affected databases.
HMH has reported this matter to the U.S. Secret Service and state law enforcement, who are actively investigating the incident.
[Evan] I question how "actively" the U.S. Secret Service is investigating this incident. The incident doesn't seem to be significant enough. Sad but usually true. The Secret Service has to prioritize just like everyone else.
As part of its internal investigation, which is still ongoing, HMH retained digital forensics experts to collect and analyze data from the relevant computer systems.
[Evan] The attack was detected on April 25th (not necessarily originated on this date), and the notification went out to the New Hampshire State Attorney General on June 1st. This is a long forensic investigation! I also noticed that this statement mentions "computer systems". Does this mean that more than one server was compromised?
They have determined that social security numbers of approximately 194 individuals affiliated with Harcourt Trade, 2 of whom are New Hampshire residents, were in a company database on the affected computer server, and may have been compromised as a result.
[Evan] I don't like the "may have been" portion of this statement. My definition of compromise probably differs though.
HMH has no evidence to date to suggest that the data has been misused.
Although we do not know whether any of your information has been misused, we are committed to doing what we can to make sure support is available to you
Since learning of the incident, HHM [sic] has:
HMH is continuing to work with information security professionals to review current policies and procedures to identify steps that can be taken to better protect against incidents of this kind.
We apologize and deeply regret that this happened.
I have asked our editors to reach out directly to everyone affected by this matter and I hope they will be or already have been able to answer your questions.
[Evan] This is a nice touch. The letter to the affected persons was signed by Gary Gentel, President or Houghton Mifflin Harcourt Publishing Company, Trade and Reference Division.
Commentary:
There aren't many publicly available details available other than those outlined in the breach notification, so we are left to speculate. Why was a server that contained a database of Social Security numbers available to this "worldwide Internet-based attack"?
Past Breaches:
Unknown
Date Reported:7/1/08
Organization:
Houghton Mifflin Harcourt ("HMH")
Contractor/Consultant/Branch:
None
Victims:
"individuals affiliated with Harcourt Trade"
Number Affected:
194
Types of Data:
Social Security numbers
Breach Description:
"Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites.
[Evan] A "worldwide Internet-based attack" sounds impressive. In order for an attack to be successful, a vulnerability must be exploited. I wonder what the vulnerability was.
On April 25, 2008, HMH's Information Security group learned of a worldwide Internet-based attack that affected one of its non-e-commerce websites.
Within minutes, HMH took steps to secure the affected databases.
HMH has reported this matter to the U.S. Secret Service and state law enforcement, who are actively investigating the incident.
[Evan] I question how "actively" the U.S. Secret Service is investigating this incident. The incident doesn't seem to be significant enough. Sad but usually true. The Secret Service has to prioritize just like everyone else.
As part of its internal investigation, which is still ongoing, HMH retained digital forensics experts to collect and analyze data from the relevant computer systems.
[Evan] The attack was detected on April 25th (not necessarily originated on this date), and the notification went out to the New Hampshire State Attorney General on June 1st. This is a long forensic investigation! I also noticed that this statement mentions "computer systems". Does this mean that more than one server was compromised?
They have determined that social security numbers of approximately 194 individuals affiliated with Harcourt Trade, 2 of whom are New Hampshire residents, were in a company database on the affected computer server, and may have been compromised as a result.
[Evan] I don't like the "may have been" portion of this statement. My definition of compromise probably differs though.
HMH has no evidence to date to suggest that the data has been misused.
Although we do not know whether any of your information has been misused, we are committed to doing what we can to make sure support is available to you
Since learning of the incident, HHM [sic] has:
- Reported this matter to the U.S. Secret Service and state law enforcement;
- Cooperated with law enforcement, which is actively investigating the incident;
- Conducted a thorough investigation of the incident, including an assessment of whether or not the theft created any prospective data security risk;
- Identified the sensitive personal information about individuals stored on the affected server; and
- Made arrangements to notify affected individuals about the incident in accordance with state laws, offer premium credit monitoring, ID theft insurance, and ID theft resolution services, and provide additional information about prevention and detection of ID theft including information about credit alerts and credit freezes.
HMH is continuing to work with information security professionals to review current policies and procedures to identify steps that can be taken to better protect against incidents of this kind.
We apologize and deeply regret that this happened.
I have asked our editors to reach out directly to everyone affected by this matter and I hope they will be or already have been able to answer your questions.
[Evan] This is a nice touch. The letter to the affected persons was signed by Gary Gentel, President or Houghton Mifflin Harcourt Publishing Company, Trade and Reference Division.
Commentary:
There aren't many publicly available details available other than those outlined in the breach notification, so we are left to speculate. Why was a server that contained a database of Social Security numbers available to this "worldwide Internet-based attack"?
Past Breaches:
Unknown
Posts Atom 1.0
Comments