Archive for 2007

Memorial Blood Center Data Breach affects 268,000

Friday, December 14th, 2007

Who Breached: Memorial Blood Centers
Number Affected: 268,000
Information breached: Social Security Numbers
How: laptop theft

268,000 blood donors in Minnesota and Wisconsin are at risk of identity theft after a laptop was stolen on November 28 from a Memorial Blood Center blood drive. The data represents about half of the Memorial donor base and dates back to the opening of the center in 1948. The laptop was password-protected and had unspecified “security devices” installed.

Letters have been sent to the affected donors, who are cautioned to look for unusual activity in their banking and to watch their credit reports carefully. The crime was caught on camera and the police are investigating. Without laptop recovery software, the chances of recovering the laptop are very slim.

Starting this week, Memorial Blood Centers will no longer ask for Social Security Numbers.

Via SC Magazine’s Breach Blog, Star Tribune

Passport Canada Data Breach

Friday, December 14th, 2007

Who Breached: Passport Canada
Number Affected: unknown
Information breached: Social Insurance Numbers
How: data available online

An Ontario man discovered, while applying for a new Canadian passport, that applicant data was exposed online.

He found that by changing a single character in the URL of the page he was on, he could view other applicants’ data, including social insurance numbers, driver’s licence details, addresses, phone numbers and other pieces of ID.
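The flaw described above is a record lookup that trusts the identifier in the URL without checking that the record belongs to the logged-in applicant. As an added illustration (not code from Passport Canada or from the original post), here is that unchecked lookup beside a version that enforces ownership; the store, account names and numbers are constructed:

```python
# Added example (not from the original post): a lookup keyed only on the record
# number in the URL, beside one that also checks the record belongs to the
# logged-in applicant. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: str   # identifier that appears in the URL
    owner: str    # account that submitted the application
    sin: str      # social insurance number (constructed sample)


# Constructed sample store, standing in for the site's database.
APPLICATIONS = {
    "1001": Application("1001", "jamie", "111-111-118"),
    "1002": Application("1002", "alex", "222-222-226"),
}


def lookup_unchecked(session_user: str, app_id: str) -> Application:
    """Vulnerable pattern: the session user is ignored and the URL id alone
    selects the record, so editing one character shows another applicant."""
    return APPLICATIONS[app_id]


def lookup_authorized(session_user: str, app_id: str) -> Application:
    """Hardened pattern: the server confirms the record belongs to the
    session's account. A foreign id gets the same 'not found' as a
    non-existent id, so the response does not reveal which ids exist."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        raise LookupError("application not found")
    return record


def demo():
    """Returns (owner leaked by the unchecked lookup, whether the hardened
    lookup blocked the same request)."""
    leaked = lookup_unchecked("jamie", "1002").owner
    try:
        lookup_authorized("jamie", "1002")
        blocked = False
    except LookupError:
        blocked = True
    return leaked, blocked
```

The check must run on every record-returning endpoint; making identifiers harder to guess does not substitute for it.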

“I was expecting the site to tell me that I couldn’t do that,” said Jamie Laning of Huntsville. “I’m just curious about these things so I tried it, and boom, there was somebody else’s name and somebody else’s data.”

This breach puts an unknown number of people at risk of identity theft. The information exposed is sufficient for a fraudster to open a new line of credit in a victim’s name.

Passport Canada spokesman Fabien Lengelle acknowledged the breach but described it as an “isolated anomaly.” Passport Canada took the website down temporarily to fix the issue; however, when it went back online the problem had not been resolved, and it was clearly not an isolated incident.

Colin McKay, a spokesman for the office of the federal Privacy Commissioner of Canada, is troubled that not all security measures were taken to protect this data, the passport being a basic identifying document.

Canada does not have any breach notification laws, and is lagging behind the regulations being created in other countries.

“I think it’s very clear that a strong, mandatory security-breach law is long overdue in this country and it’s cases like these that highlight it,” said Michael Geist, a law professor at the University of Ottawa.

Via nowpublic, globe and mail

Absolute Software Data Security Survey Continued

Thursday, December 6th, 2007

Earlier we reported some of the interesting findings from the Absolute Software data security survey. The results showed that 62% of companies believe missing computers go unnoticed and 20% believe that breaches go unnoticed. We continue by looking at a smaller survey of 185 member companies of NetworkWorld’s Technology Opinion Panel. This survey indicates that companies are not well prepared to deter data breaches.

Key findings from the survey include:

  • 81% of organizations ranked computer and data security as a high priority
  • 53% of organizations do not have policies in place for transporting sensitive data
  • 42% do not have data security policies which include mobile computing devices
  • For those companies with data security policies, only one in 100 (1%) employees is thought to adhere consistently to these policies
  • 27% of companies have suffered a data breach at an average cost of $137,000
  • 55% of companies have experienced laptop theft
  • 33% of IT managers believe that data breaches and computer thefts have occurred and gone undetected

The survey results underscore the importance of IT security training, and show that a security policy should more fully address mobile computing. Such a comprehensive security policy would supplement employee training with protection for all computers in the form of encryption and theft recovery software.


Forrester Research Data Breach

Thursday, December 6th, 2007

Who Breached: Forrester Research
Number Affected: undisclosed
Information breached: Social Security Numbers
How: laptop stolen

Forrester Research has exposed the personal data, including Social Security Numbers, of an undisclosed number of current and former employees as the result of a laptop theft.

During the week of November 26, a laptop was stolen from the home of a Forrester employee. The laptop contained personal information for those who have received grants of Forrester stock or have participated in the employee stock plan, as well as information on contractors who have worked with Forrester. The laptop was password-protected, but it is unknown if further security measures were in place.

Forrester specializes in research for technology and IT professionals, and publishes the following on its website:

“Run IT like a business with our best practices, business acumen, technology expertise, assessments and advice.”

Unfortunately, Forrester does not appear to have heeded its own advice, and has not adopted best practices in IT security. Password protection alone provides no protection for a computer in the hands of anyone with access to the Internet; passwords are easy to crack or bypass. Much more aggressive security practices would include encryption and laptop recovery / remote data wipe software (such as that provided by Absolute).

Forrester “Chief People Officer” Elizabeth Lemons sent a letter to those affected on December 3, but did not brief the firm’s media staff about the incident. The staff were thus unprepared to handle calls about the breach. As a result, the tier-one research firm is the subject of negative publicity this week.

Via eweek

NHS Record Access Not Safeguarded

Thursday, December 6th, 2007

The BBC has published an investigative report suggesting that confidential National Health Service (NHS) records are being regularly accessed by people with no right to them.

Patients’ confidential medical records should be accessible only to doctors and nurses, but figures obtained under the Freedom of Information Act show that several security breaches have resulted from inappropriate data access.

These breaches in patient confidentiality have been the result of staff sharing passwords and giving unauthorized people access to the information.

The UK government has £13bn set aside to digitize the medical records of all 50 million patients in Britain by 2010. The records have a built-in audit trail to see who accessed what record, how and why, and for how long. Unusual patterns of activity can be flagged.

Small instances of inappropriate use could lead to large-scale data breach incidents, since the data of all 50 million patients would be accessible from a single computer terminal. Although an audit trail is important in identifying the source of a breach, it does not prevent one.
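The two problems the report names, shared passwords and unusual access patterns, are exactly what a record-access audit trail can surface if someone actually checks it. As an added example (not code from the NHS programme or the BBC report), the following runs two such checks over a constructed audit log: an account active on two different terminals within a few minutes, and an account touching more distinct patient records per hour than a role-appropriate threshold. The log format, account names, terminals and thresholds are all assumptions:

```python
# Added example (not from the BBC report or any NHS system): two checks a
# defender can run over a record-access audit trail. Format and lines are
# constructed; thresholds are assumptions to be tuned per role.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: time, account, terminal, patient record.
AUDIT_LOG = """\
2007-12-01T09:00:10 user=nurse07 term=WARD-A-01 patient=P1001
2007-12-01T09:02:30 user=nurse07 term=WARD-A-01 patient=P1002
2007-12-01T09:03:05 user=nurse07 term=CLINIC-3 patient=P2210
2007-12-01T09:10:00 user=dr_lee term=WARD-B-02 patient=P1500
2007-12-01T09:11:00 user=dr_lee term=WARD-B-02 patient=P1500
2007-12-01T09:12:00 user=admin2 term=RECEP-01 patient=P3001
2007-12-01T09:12:20 user=admin2 term=RECEP-01 patient=P3002
2007-12-01T09:12:40 user=admin2 term=RECEP-01 patient=P3003
2007-12-01T09:13:00 user=admin2 term=RECEP-01 patient=P3004
2007-12-01T09:13:20 user=admin2 term=RECEP-01 patient=P3005
2007-12-01T09:13:40 user=admin2 term=RECEP-01 patient=P3006
"""


def parse(log: str):
    """Turn each line into (timestamp, user, terminal, patient)."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["term"], kv["patient"]))
    return events


def shared_credential_suspects(events, window=timedelta(minutes=5)):
    """Accounts seen on two different terminals within `window`: a sign the
    password is being shared rather than one person moving between desks."""
    last_seen = {}  # user -> (time, terminal)
    flagged = set()
    for ts, user, term, _ in sorted(events):
        prev = last_seen.get(user)
        if prev and prev[1] != term and ts - prev[0] <= window:
            flagged.add(user)
        last_seen[user] = (ts, term)
    return flagged


def bulk_access_suspects(events, max_distinct_per_hour=5):
    """Accounts touching more distinct patient records in one clock hour than
    the threshold; a crude 'unusual volume' flag for review."""
    seen = defaultdict(set)  # (user, hour) -> patient ids
    for ts, user, _, patient in events:
        seen[(user, ts.replace(minute=0, second=0))].add(patient)
    return {user for (user, _), pts in seen.items() if len(pts) > max_distinct_per_hour}
```

On the sample, nurse07 is flagged by the first check and admin2 by the second; both are leads for a human reviewer, not proof of misuse.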

Activist groups are suggesting that patients opt out of the database, and that the government reconsider the safeguards put in place for access to confidential patient information.

Via BBC, PogoWasRight

Data Breach Costs Rising

Thursday, December 6th, 2007

The Ponemon Institute has released a new study which indicates that the cost of a data breach has gone up 30% over 2006. Interestingly, the costs associated with breach notification have gone down by nearly half; lost business opportunity represents the largest, and fastest growing, element of cost.

The Ponemon Institute runs an annual study on the cost of a data breach – the 2007 study, which looked at 35 breaches in the US in 16 industries including financial services, retail, health care, and software industries, shows that the cost per breached record has gone up from $182 to $197. Over 215 million records have been breached since 2005 – that is a cost, in the 2007 value, of over 42 billion dollars.

The largest cost component is lost business opportunity (customer churn and the cost of acquiring replacement customers), a factor that depends heavily on trust. The cost factors included are: legal, investigative, administrative, customer defections, opportunity loss, reputation management and customer support.

“The data from 2007 suggests that although companies are responding to data breaches more efficiently, consumers seem to be less forgiving when their personal information is compromised,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “The bigger problem, however, remains the persistent underlying issue of data security. Of course, the easiest way for companies to avoid the costs associated with a data breach would be to avoid a breach in the first place.”

Highlights from the study:

  • Average total per-incident costs in 2007 were $6.3 million (up from $4.8 million)
  • The cost of lost business increased by 30% to $4.1 million
  • The cost of lost business represents nearly two thirds of the full cost associated with a data breach
  • Breaches involving third parties rose to 40% of incidents, from 29%, and are more costly per record ($231 vs $171 for an internal breach)
  • Notification costs are down by 40%

Post breach, companies most often enacted the following protocols: encryption, data loss prevention solutions, identity and access management solutions, endpoint security controls, security event management solutions, and perimeter controls.

Via marketwire, pc world

Manitoba Justice Department Breaches

Monday, December 3rd, 2007

Who Breached: Manitoba Justice Department
Number Affected: unknown
Information breached: unknown
How: 7 laptops, 2 BlackBerries stolen

The Manitoba Justice Department has breached information in two separate theft incidents over the last two months. Seven laptops and two BlackBerries containing confidential information were stolen from the prosecution and corrections offices in the Woodsworth Building in Winnipeg.

Although the information breached is acknowledged to be sensitive, Assistant Deputy Attorney General Don Slough would not provide details. The information may be password-protected.

Those affected by the breach incidents have been contacted. The physical security of the offices has been increased; there is no word on whether similar precautions have been put in place to safeguard the data itself. Tory justice critic Gerald Hawranik said that the justice department should place more importance on safeguarding sensitive information.

“There has to be greater security. They have to be protective of that type of information because it can affect the safety of victims, the safety of witnesses,”

In the case of the Department of Justice, the issue with safeguarding information is not restricted to identity theft alone. As Hawranik notes, the theft of sensitive Justice information can place people in danger.

Via cbc, winnipeg sun

12 Ways to Audit Your PC Security

Thursday, November 29th, 2007

The Virtual Hosting Blog created a list of resources a while back that I’ve been meaning to share. They provide 12 Resources to test your PC weaknesses – a list of tools to help you identify (and sometimes fix) system vulnerabilities.

The list includes:

  1. Audit My PC helps you find free security tests
  2. Qualys FreeScan checks server weaknesses
  3. Proxy Way looks at your privacy settings and how much of your information can be accessed online
  4. Test My Firewall offers advice on web security
  5. Hijack This searches your system for hackers
  6. GFI Email Security Testing Zone tests your email security against viral threats
  7. WindowSecurity.com works as per #6
  8. The PCman Website Virus Test plants a fake virus to gauge your computer’s ability to notice real viruses
  9. Sophos Threat Detection Test tests your anti-virus software strength
  10. Symantec Security Check offers a free security scan and virus detection test
  11. Nmap (Network Mapper) audits security on large networks
  12. PC Security Test 2007 scans for viruses, spyware, and hacking threats

Continue reading the details of this list here.


Veterans Affairs: New Breach, Arrest

Thursday, November 29th, 2007

Who Breached: U.S. Department of Veterans Affairs (VA)
Number Affected: 12,000
Information breached: Social Security Numbers
How: theft of 3 computers (2 desktop, 1 laptop)

The U.S. Department of Veterans Affairs is investigating another potential data breach after 3 computers (two desktop, one laptop) were stolen on November 11 from the Roudebush Veterans Affairs Medical Center. The computers contained Social Security numbers for as many as 12,000 medical patients and were protected only by a password.

Indiana congressman Steve Buyer says that the hospital failed to follow new safety protocols:

“The information that was accessed should have never been portable,” Buyer said in an interview Thursday from Washington. “That information should have been secure on a server in a data storage system in a remote location.”

The VA department has a long history of data breaches, including the May 2006 breach of information for 26.5 million veterans following the theft of a laptop and hard disk. Since this major breach, the VA has had other incidents of scale 1.8 million, 250,000, 16,000 and 16,5000 individuals affected. This is the third data breach related to the theft of computers.

Regulations on data security were reportedly strengthened after the May 2006 breach. Congressman Buyer lays the blame for the ongoing issues on poor security training and a lack of consistent security standards:

“I recognize that we’re dealing with human vices — theft — and we’re dealing with human negligence,” Buyer said. “That’s why it’s so important that information be encrypted and that we limit people’s access to certain information.”

This new breach just adds to the very troubling pattern of poor security standards that continue to plague the VA. A stronger security policy (including security software) and training scheme at all levels of the VA could help prevent such accidents from happening.

Arrest for theft of 1.8 million

An arrest has recently been made in relation to the theft of 1.8 million Social Security numbers in January of this year. Tae Kim was arrested after a month-long investigation when he was caught using fraudulent credit cards at a jewelry store. Kim was an auditor for Veterans Affairs from 2003 to February 2007; his home computer contained 1.8 million Social Security numbers.

Via OC Register, ComputerWorld, Computer Weekly, IndyStar

West Virginia to Integrate Technology into Lesson Plans

Friday, November 23rd, 2007

The West Virginia Department of Education has received a $48,000 grant from the Verizon Foundation to provide training to teachers on how to use the free online education resources on Verizon’s Thinkfinity.org. The goal of the program is to impart 21st century learning skills to students.

The grant will be used for training and an awareness program. Educators across the state will receive training on how to use the free resources available to them, so that they are comfortable integrating technology tools into their lesson plans. Thinkfinity.org is made up of 55,000 educational resources for all grades and was created in partnership with educational and literacy organizations across the US.

The program offers a range of resources for K-12 classes in eight academic disciplines. Materials include lesson plans, interactive tools and other materials to improve student achievement; the site also provides a professional development program.

“Teachers are often our unsung heroes” said B. Keith Fulton, president of Verizon West Virginia and a former member of the 21st Century Skills board. “They work many hours outside of the classroom to prepare the best possible lesson plans to engage their students. Through Thinkfinity.org, teachers can gain immediate access to quality educational resources to more efficiently develop their lesson plans, giving them more time to work directly with students.”

West Virginia has been a national leader in incorporating technology into the classroom. Education Week’s Technology Counts 2007 gave the state a grade of A for access to technology and a grade of A- for the use of technology.

Via webwire
