Georgetown University Data Breach Receives Public Criticism

Related entries in Data Breach, Education Security, Real Theft Reports

Who Breached: Georgetown University
Number Affected: 38,000
Information breached: personal information (unspecified) from billing data
How: hard drive theft

38,000 Georgetown University students, alumni and staff have been exposed to potential identity theft after an unencrypted hard drive (used for back-ups) was stolen from the Student Affairs office during the winter holiday break. The theft was discovered on January 3rd, but students were not notified until this week. The University says the delay was the result of determining what information had been copied from the original files on the desktop computer onto the stolen drive.

“That system contained an enormous amount of detailed information, all of which had to be reviewed in an attempt to determine what kind of information might have been on there. That process is very staff-heavy and takes a significant amount of time.” - David Lambert, VP and CIO for University Information Services

Students are having a difficult time understanding why this assessment would take as long as it did. The hard drive contained billing information for various student services. The breach affected 55% of current students at Georgetown as well as alumni who were enrolled between 1998 and 2006.

Georgetown experienced a large data breach in 2006 that affected 41,000 people. Lambert says that the University Information Services has been “developing an information security program… to protect confidential information.” It is interesting that this program is still in the development phase after two years.

The letter to students indicates that Georgetown is “actively reducing” the use of Social Security Numbers as student identifiers, assigning GoCard and NetIDs instead. However, it is unclear if SSNs were purged from the data files dating back to 1998.

If you scroll down the comments here, you can read the email sent to all students. The comments on this news article are quite heated, nearly all critical of the way the University has handled the situation. Commenters want to know how the situation came to be if the University was following the “best practices” it claims to uphold.

Via The Hoya

Most Malware Comes From Legit Sites

Related entries in Business Security, Surveys & Reports, Theft News

A new study conducted by Websense has determined that most websites offering up attack code (malware) are legitimate domains that have been hacked. This is the first time legitimate sites have outnumbered malicious sites (sites intentionally built to seed malware) in malware attacks.

51% of malicious sites in the latter half of 2007 were compromised (hacked) and seeded with malware that would infect unpatched computers visiting those sites. There are many attractive reasons inviting this change in tactics. Legitimate sites have existing traffic, free hosting, are trusted by consumers, and offer a level of anonymity for the source of the malware (ownership cannot be traced).

Dan Hubbard, vice president of Websense, says:

“More and more, attackers are compromising legitimate Web sites to infect visitors with information-stealing code or to add users’ machines to botnets. Additionally, they are increasing the sophistication of their attack methods and building resilient infrastructures… Organizations need to ensure their Web, messaging and data security solutions can protect the avenues hackers seek to exploit for financial gain.”

The report indicates that this trend of infecting legitimate sites is accelerating. The previous report indicated legitimate sites hosting malware were in the mid-30% range. Sites are now being hacked en masse - with anywhere from 10,000 to 90,000 sites being compromised at once. Exploit tool kits (do-it-yourself malware creation kits) account for 19% of malicious sites created or compromised.

Continue reading the report at Websense.

Via computerworld

MySpace Sequence of Privacy Issues

Related entries in Education Security, Education and Technology

MySpace is undergoing scrutiny for a series of recent security breaches and oversights. The sequence of events, as reported on Wired.com, is as follows:

  • January 15 reported - MySpace issues press release announcing new safety measures after a year of looking at safety issues on the site 
    • 49 states joined with MySpace to help eliminate online predators
    • MySpace profiles for those under age 16 will be set to private
  • January 17 reported - ‘private’ MySpace teen photos leaked  
    • A bug allowed anyone access to see photos of users with private profiles, including users under the age of 16
    • Photos made their way to message boards, including those of pedophiles
    • Knowledge of the bug, and how to exploit it, circulated on message boards for months
    • Websites were created to automatically exploit the bug for anyone who entered a Friend ID into a search field
    • This is not the first time a bug of this sort has exposed private photos
  • January 18 reported - MySpace fixed the bug  
    • No public acknowledgement of the bug or the fix
  • January 24 reported - more than half a million images from private MySpace profiles leaked to BitTorrent 
    • 17-gigabyte file of images lifted from MySpace profiles during the period of the access bug was uploaded to BitTorrent (peer-to-peer file sharing)

The appearance of the file on BitTorrent signals this as one of the largest privacy breaches MySpace has had so far. MySpace has yet to acknowledge this issue.

In 2006, MySpace had to react to privacy issues surrounding registered sex offenders using MySpace to prey on minors.

We used special software to expose hundreds of registered sex offenders with accounts on MySpace. That prompted the social network to run its own computerized search, which turned up at least 29,000 registered sex offenders.

Wired was partly responsible for triggering a year-long investigation into safety issues on MySpace, but this photo hack was missed: a bug that should have been found through testing or ongoing monitoring of MySpace privacy issues. The January 17 Wired.com story triggered the fix of a bug that had either gone unnoticed or been ignored by MySpace. However, the privacy concern has not gone away. That file has made its way online in a permanent way.

Particularly for youth, and their parents & teachers, it should be cautioned not to trust the privacy settings of social networking sites like MySpace and Facebook. If there is a photo or video you don’t want anyone to see, don’t put it online. Period.

Via CNet, Wired (1, 2, 3)

Nearly 30,000 affected by FCHP data breach

Related entries in Data Breach, Health Security, Identity Theft, Real Theft Reports, Security Breach

Who Breached: Fallon Community Health Plan
Number Affected: 29,800
Information breached: Social Security Numbers, medical information
How: laptop theft

29,800 patients have been affected by the loss of a laptop by a vendor hired by Fallon Community Health Plan (FCHP). Fallon made the announcement on Thursday that members of its Fallon Senior Plan and its Summit ElderCare program have been affected by a data breach.

The laptop was stolen from the offices of an unnamed vendor working with FCHP on medical claims management. The theft was discovered earlier in January, but it was not immediately apparent what information may have been on the laptop.

The FCHP announcement included the standard apology and statement of belief that the data was not targeted. Separate statements to the media indicate that the data breached included names, diagnostic information and medical ID numbers (some of which are based on Social Security Numbers). This puts members at risk for both financial and medical identity theft.

The nearly 30,000 affected members were notified of the breach and offered free credit monitoring for a year. No such services exist to aid in the prevention or detection of medical identity theft.

Via Boston Business Journal

California Expands Notification Law to Medical Information

Related entries in Health Security, Privacy & Security Laws

California’s data breach notification law has now expanded to cover medical information. AB1298, which took effect on Tuesday, extends notification requirements from financial information to include unencrypted medical histories or information, as well as unencrypted insurance policy information.

The information must include the name of the resident, but it does not require a Social Insurance Number in order to trigger the notification. The law will be applied to the government and any business within California (including those with headquarters outside the state).

Robert Herrell, a legislative assistant to Assemblyman Dave Jones, D-Sacramento, who wrote the bill, says:

“We may be as unpleasantly surprised with this becoming law as (with) the data-breach notification law in 2003.”

Essentially, this law will be showing us just how many breaches have been happening without any public knowledge. This is a step forward in addressing the growing issue of medical identity theft.

Via sfgate

Laptop ban for UK civil servants

Related entries in Government Security, Security Policy

Following a wave of data breaches at the government level in the UK, including the newest Ministry of Defence breach affecting 600,000, a new laptop ban has been introduced for all civil servants.

The Ministry of Defence conducted an internal investigation and found that 69 laptops and 7 PCs have gone missing in the past year. The new ban is meant to enforce standards that prevent such losses from turning into data breaches.

Cabinet Secretary Sir Gus O’Donnell sent an email to all senior government officials on Monday night stating that “no unencrypted laptops or drives containing personal data should be taken outside secured office premises.” This ban took effect immediately.

Provided this ban can be enforced, which is the most difficult part of this, a large amount of currently unencrypted data will get this base level of protection. A large operation is underway to encrypt data on laptops, and to brief employees on tougher regulations. Compliance will be ‘monitored.’

Via finance week, zdnet

Data Collection and Changing Attitudes towards Privacy

Related entries in Business Security, Security Policy

Jamie Reid has published an insightful article entitled “Finding a Cure for Data Loss” on SecurityFocus. Citing several major data breaches, Jamie highlights the underlying issue: “the demand for privacy has lagged behind the rate at which data has been collected.” But a backlash is on its way.

Currently, people are providing a lot of personal information to a lot of companies. Companies could track customers by Social Insurance Number because customers provided that information. The backlash has started: customers are declining to provide this information. There has been a decline in rewards programs and other services that trade in customer information. These people become an unreachable market. Therefore, even a gradual change in public attitudes towards privacy may have profound economic consequences for many companies.

For companies assessing their data security plans in response to these changing attitudes, Jamie recommends:

  1. Acquire consent to use personal information. If withdrawn, the information should be flagged as non-shareable.
  2. Conduct a privacy impact assessment on your business to understand the impact of changing attitudes.
  3. Reduce the amount of personal information collected, stored and shared. In terms of storage, have a cutoff for how long data is stored.


Another UK Government Data Breach

Related entries in Data Breach, Government Security, Laptop Security, Real Theft Reports, Security Breach

Who Breached: Ministry of Defence (UK)
Number Affected: 600,000
Information breached: National Insurance Numbers, Passport details
How: laptop theft

Britain’s Ministry of Defence has announced that a stolen laptop has put the personal details of 600,000 at risk. Not just for identity theft - potentially for far worse.

The laptop of a Royal Navy officer was stolen from a car parked overnight on January 9/10. This laptop contained personal information for 600,000 people interested in joining the armed forces. Members of the armed forces have been targets for terrorist attacks, so the loss of this information adds another level of concern.

The information on the laptop included passport details, National Insurance numbers, family details and medical records. There were also bank records for at least 3,500 people.

The Government is, as expected, receiving even more criticism for the continued string of data breaches.

In other news, a lost computer tape at JC Penney has exposed another 650,000 to the threat of identity theft. Read more about that here.

Via attrition.org

Pico Gatekeeper USB Security Device

Related entries in Technology Advice

Yoggie Security Systems was awarded the CES Best of Innovations 2008 award for computer accessories for its USB security product, Pico Gatekeeper. It is a data security product that removes one of the most volatile components of security practice: people. Once plugged in, it takes care of everything and never needs IT attention.

Pico Gatekeeper came out in October of 2007. It is a “set it and forget it” type of security device. The USB device is a working Linux computer that filters all incoming traffic to stop viruses, spyware, phishing, spam and other threats. It hides your computer from potential hackers, even on unprotected wireless connections. And it checks for security updates every five minutes.

All of this happens without intervention. All this security does not bog down any running applications.

Paired with a strong security policy, encryption and strong passwords, and a laptop recovery / data wipe product (Computrace), the Pico Gatekeeper could strongly enhance the security of mobile computers.

Via sfgate

The importance of mail forwarding

Related entries in Identity Theft

This is a personal example of just how easy identity theft could be. One year ago, I moved to a new house. Our mail was forwarded and all our addresses were changed.

The same cannot be said of previous owners. Although most mail has slowly stopped coming in, we are still, after one year, receiving the American Express statement for the twice-removed owner.

The owner pays his bills online, so perhaps he does not care about the statement, or does not realize it’s missing. After a few months of this, we even called American Express about it. They told us they would stop mailing the statements to us. That was more than 6 months ago. A little disturbing, considering the increased fraud risk this poses for American Express.

The point of this example: we could easily open up that mail and use the information. Credit card fraud and identity theft are just that easy. We have no way to stop receiving the mail; the ownership goes too far back for us to contact the person in question. The owner is lucky we are honest, but not all people are.

Do not make identity theft easy. Forward all your mail, and change all your addresses. Pay particular attention to the bills you pay online, and make sure those are changed too.

Image via dancerinthedark of morguefile