Archive for December, 2007

Memorial Blood Center Data Breach affects 268,000

Friday, December 14th, 2007

Who Breached: Memorial Blood Centers
Number Affected: 268,000
Information breached: Social Security Numbers
How: laptop theft

268,000 blood donors in Minnesota and Wisconsin are at risk of identity theft after a laptop was stolen on November 28 from a Memorial Blood Centers blood drive. The data represents about half of the Memorial donor base and dates back to the opening of the center in 1948. The laptop was password protected and had unspecified "security devices" installed. A login password by itself does not encrypt the data on the disk, so unless the drive was encrypted the records should be assumed readable by whoever now has the machine.

Letters have been sent to the affected donors, who are cautioned to watch for unusual activity in their bank accounts and to monitor their credit reports carefully. The theft was caught on camera and the police are investigating. Without laptop recovery software, the chances of recovering the laptop are very slim.

Starting this week, Memorial Blood Centers will no longer ask for Social Security Numbers.

Via SC Magazine’s Breach Blog, Star Tribune

Passport Canada Data Breach

Friday, December 14th, 2007

Who Breached: Passport Canada
Number Affected: unknown
Information breached: Social Insurance Numbers
How: data available online

An Ontario man discovered, while applying for a new Canadian passport online, that other applicants’ data was exposed through the application website.

He found that by changing a single character in the URL of the page he was on, he could view other applicants’ data, including social insurance numbers, driver’s licence details, addresses, phone numbers and other pieces of ID. This is the classic insecure direct object reference pattern: the site identified the record by a value in the URL and served it without checking that the logged-in applicant was the owner of that record.
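To show the flaw described above and its fix side by side, here is an added example in Python; it is not code from Passport Canada or from the original post. The record store, the session object, the `?id=` parameter and the two lookup functions are all assumptions chosen to illustrate the pattern, not a description of the real site.

```python
"""Insecure direct object reference (IDOR) in a record lookup, and the fix.

Added example; the data, URL layout and handler names are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two applicants' records keyed by a sequential id.
# A sequential id is exactly what lets "change one character" find a neighbour.
APPLICATIONS = {
    "1001": {"owner": "alice", "name": "A. Applicant", "sin": "fake-000-001"},
    "1002": {"owner": "bob",   "name": "B. Applicant", "sin": "fake-000-002"},
}


@dataclass
class Session:
    """The authenticated applicant making the request (assumed session model)."""
    user: str


class Forbidden(Exception):
    """Raised when the caller may not view the requested record."""


def application_id_from_url(url):
    """Extract the ?id= query parameter from a request URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("id", [None])[0]


def lookup_vulnerable(session, url):
    """Authenticates the caller (a session exists) but trusts the id in the URL.

    Any logged-in applicant who edits one character of the id reads another
    applicant's record, which is the behaviour reported for the passport site.
    """
    app_id = application_id_from_url(url)
    return APPLICATIONS.get(app_id)


def lookup_hardened(session, url):
    """Same lookup, but the record's owner must match the session user.

    A missing record and a foreign record are refused identically, so an
    attacker cannot enumerate valid ids by telling 'not found' from 'denied'.
    """
    app_id = application_id_from_url(url)
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session.user:
        raise Forbidden(f"{session.user} may not view application {app_id!r}")
    return record


if __name__ == "__main__":
    alice = Session("alice")
    mine = "https://example.invalid/status?id=1001"
    theirs = "https://example.invalid/status?id=1002"   # one digit changed
    print("vulnerable, own record: ", lookup_vulnerable(alice, mine)["name"])
    print("vulnerable, edited url: ", lookup_vulnerable(alice, theirs)["name"])
    print("hardened, own record:   ", lookup_hardened(alice, mine)["name"])
    try:
        lookup_hardened(alice, theirs)
    except Forbidden as exc:
        print("hardened, edited url:   ", exc)
```

The authorization check belongs on the server, next to the lookup; hiding the id, making it random, or relying on the page not showing a link to other records does not close the hole. An equivalent fix is to scope the query itself by the session user (fetch the record where id matches and owner matches), so that there is no code path that loads a record before deciding whether the caller may see it.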

“I was expecting the site to tell me that I couldn’t do that,” said Jamie Laning of Huntsville. “I’m just curious about these things so I tried it, and boom, there was somebody else’s name and somebody else’s data.”

This exposure puts an unknown number of people at risk of identity theft. The information exposed is sufficient for a fraudster to open a new line of credit in a victim’s name.

Passport Canada spokesman Fabien Lengelle acknowledged the breach but described it as an “isolated anomaly.” Passport Canada took the website down temporarily to fix the issue; when it came back online, however, the problem had not been resolved, which makes it hard to call this an isolated incident.

Colin McKay, a spokesman for the office of the federal Privacy Commissioner of Canada, is troubled that not every available security measure was taken to protect applications for what is a basic identifying document.

Canada does not have any breach notification laws, and is lagging behind the regulations being created in other countries.

“I think it’s very clear that a strong, mandatory security-breach law is long overdue in this country and it’s cases like these that highlight it,” said Michael Geist, a law professor at the University of Ottawa.

Via nowpublic, globe and mail

Absolute Software Data Security Survey Continued

Thursday, December 6th, 2007

Earlier we reported some of the interesting findings from the Absolute Software data security survey. The results showed that 62% of companies believe missing computers go unnoticed and 20% believe that breaches go unnoticed. We continue by looking at a smaller survey of 185 member companies of NetworkWorld’s Technology Opinion Panel. This survey indicates that companies are not well prepared to prevent data breaches.

Key findings from the survey include:

  • 81% of organizations ranked computer and data security as a high priority
  • 53% of organizations do not have policies in place for transporting sensitive data
  • 42% do not have data security policies which include mobile computing devices
  • For those companies with data security policies, only about one employee in 100 (1%) is thought to adhere consistently to them
  • 27% of companies have suffered a data breach at an average cost of $137,000
  • 55% of companies have experienced laptop theft
  • 33% of IT managers believe that data breaches and computer thefts have occurred and gone undetected

The survey results underscore the importance of IT security training, and show that security policies should more fully address mobile computing. A comprehensive policy would supplement employee training with protection for all computers in the form of encryption and theft recovery software, so that a lost device does not depend on the user having followed policy.


Forrester Research Data Breach

Thursday, December 6th, 2007

Who Breached: Forrester Research
Number Affected: undisclosed
Information breached: Social Security Numbers
How: laptop stolen

Forrester Research has exposed the personal data, including Social Security Numbers, of an undisclosed number of current and former employees as the result of a laptop theft.

During the week of November 26, a laptop was stolen from the home of a Forrester employee. The laptop contained personal information for those who have received grants of Forrester stock or have participated in the employee stock plan, as well as information on contractors who have worked with Forrester. The laptop was password-protected, but it is unknown if further security measures were in place.

Forrester specializes in research for technology and IT professionals, and publishes the following on its website:

“Run IT like a business with our best practices, business acumen, technology expertise, assessments and advice.”

Unfortunately, Forrester does not appear to have heeded its own advice, and has not adopted best practices in IT security. A login password offers no protection for data on a stolen computer: the password can be reset or bypassed with freely available tools, or the drive can simply be removed and read in another machine. Far stronger practice is to encrypt the data at rest and to run laptop recovery and remote data wipe software (such as that provided by Absolute).

Forrester “Chief People Officer” Elizabeth Lemons sent a letter to those affected on December 3, but did not brief the firm’s media staff about the incident. The staff were thus unprepared to handle calls about the breach, and as a result the tier one research firm is the subject of negative publicity this week.

Via eweek

NHS Record Access Not Safeguarded

Thursday, December 6th, 2007

The BBC has published an investigative report suggesting that confidential National Health Service (NHS) records are being regularly accessed by people with no right to them.

Access to patients’ confidential medical records should be restricted to the doctors and nurses treating them, but figures obtained under the Freedom of Information Act show that several security breaches have resulted from inappropriate data access.

These breaches in patient confidentiality have been the result of staff sharing passwords and giving unauthorized people access to the information.

The UK government has £13bn set aside to digitize the medical records of all 50 million patients in Britain by 2010. The records have a built-in audit trail to see who accessed what record, how and why, and for how long. Unusual patterns of activity can be flagged.

Small instances of inappropriate use could lead to large-scale data breach incidents, since the data of all 50 million patients would be accessible from a single computer terminal. An audit trail is important for identifying the source of a breach after the fact, but it does not prevent one, and when passwords are shared the trail points at an account rather than at the person who actually used it.

Activist groups are suggesting that patients opt out of the database, and that the government reconsider the safeguards put in place for access to confidential patient information.

Via BBC, PogoWasRight

Data Breach Costs Rising

Thursday, December 6th, 2007

The Ponemon Institute has released a new study which indicates that the cost of a data breach has gone up 30% over 2006. Interestingly, the costs associated with breach notification have gone down by nearly half; lost business opportunity represents the largest, and fastest growing, element of cost.

The Ponemon Institute runs an annual study on the cost of a data breach. The 2007 study, which looked at 35 US breaches across 16 industries including financial services, retail, health care and software, shows that the cost per breached record has risen from $182 to $197. Over 215 million records have been breached since 2005; at the 2007 per-record figure, that represents more than $42 billion.

The largest cost component is lost business (customer churn and the expense of acquiring replacement customers), a factor that depends heavily on trust. The cost factors included are: legal, investigative, administrative, customer defections, opportunity loss, reputation management and customer support.

“The data from 2007 suggests that although companies are responding to data breaches more efficiently, consumers seem to be less forgiving when their personal information is compromised,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “The bigger problem, however, remains the persistent underlying issue of data security. Of course, the easiest way for companies to avoid the costs associated with a data breach would be to avoid a breach in the first place.”

Highlights from the study:

  • Average total per-incident costs in 2007 were $6.3 million (up from $4.8 million)
  • The cost of lost business increased by 30% to $4.1 million
  • The cost of lost business represents nearly two thirds of the full cost associated with a data breach
  • Breaches involving third parties rose to 40% of incidents, from 29%, and are more costly per record ($231 vs $171 for an internal breach)
  • Notification costs are down by 40%

After a breach, companies most often deployed the following controls: encryption, data loss prevention solutions, identity and access management solutions, endpoint security controls, security event management solutions and perimeter controls.

Via marketwire, pc world

Manitoba Justice Department Breaches

Monday, December 3rd, 2007

Who Breached: Manitoba Justice Department
Number Affected: unknown
Information breached: unknown
How: 7 laptops, 2 BlackBerries stolen

The Manitoba Justice Department has lost confidential information in two separate thefts over the last two months. Seven laptops and two BlackBerries containing confidential information were stolen from the prosecution and corrections offices in the Woodsworth Building in Winnipeg.

Although the information is acknowledged to be sensitive, Assistant Deputy Attorney General Don Slough would not provide details. The devices may have been password-protected; nothing has been said about encryption.

Those affected by the thefts have been contacted. Physical security at the offices has been increased, but there is no word on whether comparable measures have been taken to safeguard the data itself. Tory justice critic Gerald Hawranik said that the justice department should place more importance on safeguarding sensitive information.

“There has to be greater security. They have to be protective of that type of information because it can affect the safety of victims, the safety of witnesses.”

In the case of the Department of Justice, the risk from lost devices is not limited to identity theft. As Hawranik notes, the theft of sensitive Justice information can place people in physical danger.

Via cbc, winnipeg sun
