Archive for March, 2008

Today’s oddball piece of security news: house identity theft! What is ‘house identity theft’? The FBI say it’s the result of combining identity theft with mortgage fraud – the result of which is house stealing. How the criminals do it:

1. Pick your house to steal
2. Assume your identity & create fake IDs
3. Purchase property tranfer forms from any office supply store
4. Forge your signature and use your IDs to sign YOUR house over to THEM

Scary, isn’t it? It’s that easy.

The FBI say that mortgage fraud is growing, and its combination with identity theft could grow as well.

Via network world Image credit: melodi2 @ morguefile Tags: identity theft, house stealing, house identity theft, fraud, mortgage fraud

VirtualHosting has put together a very well-researched and extensive list of resources to keep your personal information safe. The resources explain how you can prevent credit fraud, identity theft, and the myriad of other ways your personal information can be used against you.

In addition to listing articles, the post also lists a number of blogs that specialize in providing information about identity theft and data security. A number of applications are recommended to keep hackers and phishers at bay, a list of public and private organizations related to ID theft is available, and several books are recommended.

The resources cover areas such as:

• the importance of shredding documents
• what you should know about bank errors
• protecting your information online
• how to use a credit freeze
• how to opt out of offers
• what identity theft is, and how it works
• protecting your information when online shopping

Visit the site to read more.

Tags: identity theft, id theft, data security, data protection, identity scams, fraud, prevention

FlowingData has published an excellent graphic timeline representation of the 10 largest data breaches since 2000.

The 10 largest breaches are, ordered by year:

1. March 6, 2003 – Data Processors International. 5 million.
2. June 24, 2004 – America Online. 30 million.
3. June 6, 2005 – Citigroup. 30 million.
4. June 19, 2005 – Visa, Mastercard, American Express. 40 million.
5. May 22, 2006 – US Department of Veterans Affairs. 28.5 million.
6. January 17, 2007 – TJC Companies. 94 million.
7. March 23, 2007 – Dai Nippon Printing Company. 8.6 million.
8. July 3, 2007 – Fidelity National Information Services. 8.5 million.
9. September 14, 2007 – TD Ameritrade. 6.3 million.
10. November 20, 2007 – HM Revenue and Customs. 25 million.

Posted in the timeline as they are, it is interesting to note that the number of large data breaches became more frequent with time. Other data from 2007 indicated that the number of records breached per incident had gone up versus in 2006 or years past. The figures above are a staggering, and frightening, example of the state of data security today.

Tags: data breaches, largest data breaches, data security, timeline

Who Breached: Agilent Technologies
Number Affected: 51,000
Information breached: Social Security Numbers
How: laptop theft

Another case of a laptop being stolen from the trunk of a car has resulted in another data breach incident. This seems to be an all-too common incident that businesses, and employees, are not learning from. Simple procedures could have avoided the laptop being in the car, and as shown below, ensured the laptop was encrypted and that private information was stored on it only if absolutely necessary.

The laptop contained personal information, including Social Security Numbers and stock option information, of 51,000 current and former Agilent Technologies employees. In a notification to affected individuals, Agilent laid blame for the incident on a contractor, Stock & Option Solutions, for not encrypting information as per their contract. However, this seems to be shifting the blame.

Agilent, which spun off from HP in 1999, is not unfamiliar with data breaches. HP employees were affected by a 2006 laptop theft. Unfortunately, it does not look like security measures were improved significantly enough to safeguard the data in this case. Although data breaches can happen even to the most prepared company, much can be done to protect (and recover or delete) the sensitive information.

Absolute Software recently published a whitepaper indicating that 50% of data breaches are the result of a lost laptop. You can download this whitepaper from the homepage here.

Via San Jose Mercury News Tags: agilent, agilent technologies, data breach, breach, laptop theft, laptop security

Who Breached: National Institutes of Health
Number Affected: 2500
Information breached: clinical trial information
How: laptop stolen

A laptop containing medical information for 2500 people enrolled in a National Institutes of Health (NIH) clinical trial has been stolen, putting these patients at risk for medical identity fraud. The laptop was stolen from the trunk of a car on February 23rd.

The laptop contained clinical trial data going back 7 years, including names, medical diagnoses, and heart scans. The data was not encrypted, despite government policies that require this precaution. According to the NIH, the first attempt to encrypt the laptop failed, and the laboratory chief named Andrew Arai, who used the laptop, did not follow-up with IT.

You can spot here several errors in procedure: that IT released the laptop despite a failed encryption procedure, that IT records did not trigger a new encryption attempt (this should not be the responsibility of any outside employee to remind the IT personnel to do), and that the security policy failed to train the laboratory chief about proper data handling procedures, such as taking data offsite, and storing it responsibly.

This is particularly surprising in this example, given the added security and privacy precautions put in place to protect the patients who participate in clinical trials:

“The shocking part here is we now have personally identifiable information — name and age — linked to clinical data,” said Leslie Harris, executive director of the Center for Democracy & Technology. “If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”

Patients were notified of the breach last Thursday, almost a month after the laptop went missing (reportedly to minimize ‘undue alarm’).

Here again, a flaw in the security policy becomes apparent. The reporting chain for the incident was incredibly inefficient. After the laptop was reported as stolen (within 3 days), officials in charge of information security at the NIH did not relay the breach to the NHLBI Institutional Review Board (who oversee the well-being of patients in research) until 6 days after the theft. The next step was to review the matter at a board meeting, which was several days later. After voting at said board meeting to send a letter to patients, the matter was not approved until the next board meeting 2 weeks later.

Unfortunately, it has taken a data breach for the NIH to state they will encrypt all computers, require staff security training and no longer store personal information on portable data devices. All of which are existing security policies that the NIH was not compliant with, so their forward-looking statements are not quite as comforting.

Via washington post Tags: nih, national institutes of health, nih data breach, data breach, clininical trial, medical identity theft, medical identity fraud, id theft, fraud, compliance, government security, health security

Who Breached: Hannaford Brothers
Number Affected: 4.2 million
Information breached: Credit, Debit Card Numbers
How: network intrusion

Hannaford Bros. CEO Ron Hodge has issued a statement this week that 4.2 million of its customers have been exposed to fraud due to a security breach. Fraud has been detected already in 1800 cases.

The Maine-based supermarket chain reported an intrusion into its computer network that put 4.2 million customer credit and debit card accounts at risk. The breach affects all 165 of its stores in the Northeast and 106 Sweetbay stores in Florida, as well as a number of independent grocers who sell Hannaford products. The card numbers were stolen during the card authorization transmission processes dating back as early as December 7th. The breach was only contained on March 10th.

Unlike many data breach reporting incidents, the Hannaford Bros. data breach has already been connected with 1800 cases of reported fraud. The fraudulent credit card activity came to light on February 27th. Despite reported fraud incidents, the notification to affected consumers only began on Monday, after the breach had been contained.

Do you think it was socially responsible for Hannaford to wait until after the breach had been contained to warn consumers of their fraud risk?

Via attrition, wmur, cnet Tags: hannaford, data breach, fraud, breach, breach notification, hannaford bros., business security, hacking

According to the 5th annual Global State of Information Security report published by PriceWaterhouseCoopers and several IDG magazines, organizations are improving their IT security programs, but there is a continued disconnect between security and the line-of-business teams they support.

7200 organizations across all industries and more than 100 countries were surveyed for the study. Highlights from the study include:

• 57% say an overall security strategy is in place (up from 37% in 2006)
• 60% employ either a Chief Information Security Officer or a Chief Security Officer
• 52% report that the company engages both business and IT in information security issues
• 57% have a security strategy – of those left, only 13% consider putting a strategy in place a top priority
• Over 70% of security managers, administrators and technicians believe the security policies and spending can be improved
• Over 50% do not encrypt information on laptop computers
• 22% have hired a Chief Privacy Officer

The first three results of the survey indicate a positive growing trend that organizations are embracing a strategic approach to protecting information. Companies are taking business continuity, reputation, and compliance strongly into consideration for security spending, versus the ‘defending the perimeter’ approach seen in years before.

However, the other results show why so many companies are still struggling to turn security investments to have measurable business value. Some companies still are not investing in security, or taking the creation of security policies as seriously as need be.

The report indicates that security departments do not communicate well with the business people they interact with. A common lack of understanding of security goals cuts into the ability to get support for stronger data protection and for more funding.

“This idea of misalignment and opportunity for better [communication] between security and business workers is one of the top themes coming out of the data,” Lobel said. “If senior executives don’t understand where funding is coming from, if they don’t know who is in charge, that’s going to hurt your efforts in the long run.”

The report looks at much more about information security, including another indication that the perceived threats have shifted from outside influences (hacking) to insider issues. The survey points out that people have not become worse, but the ability to track and monitor activities has given light to issues that previously went unnoticed.

Download the whitepaper here [PDF]

Via infoworld Tags: it security, business security, information security, study, pwc, it spending, security, data security

Who Breached: US Department of State
Number Affected: 3
Information breached: Passport records (including SSNs)
How: insider breach

The passport records for three presidential candidates (Obama, Clinton and McCain) has been breached.

Thursday, the US Department of State admitted that three or four contract workers illegally accessed the passport records of Senators Barack Obama, Hillary Clinton and John McCain. The breaches affecting Barack Obama occurred on January 9, February 12 and March 14, but were not reported to higher-level State employees. The Clinton and McCain files were accessed once each.

Passport records include date and place of birth, physical health, birth certificates, medical records and financial reports. Any investigative reports compiled during the passport approval process would also be available. Social Security Numbers are also included in the files.

The US Department of State has characterized the incident as that of "imprudent curiosity." The information was kept in secured file cabinets or in restricted areas, or in databases that are password-protected. An audit trail of all data accessed is kept.

Two of the curious employees worked for Stanley Inc, a government contractor, and have been fired as a result of the breach. The other contracting company has not been disclosed – it is known, however, that the curious employee at that company has been disciplined (not fired).

Here is a video report of the incident by the Associated Press:

Via computerworld, newsweek Tags: obama, clinton, mccain, breach, data breach, presidential data breach, presidential race, id theft, government breach, passport records

Absolute Software, after an analysis of the 42 data breaches affecting the healthcare industry in 2007 affecting nearly 5 million records, have put together the Top Five Healthcare Computer Security Risks. They are:

1. Failure to Protect Sensitive Data Beyond Encryption – 72% of IT managers believe employees are responsible for data breaches (despite encryption)
2. Inability to Accurately Manage Mobile Computer Assets – how many computers do you have, where are they, who has access to them, and what is installed on them?
3. Sensitive Information on Public Terminals – public terminals can breach private data
4. Difficulty Implementing a Comprehensive Data Security Plan – from cable locks and encryption to asset tracking and recovery. The plan should be reviewed and updated consistently.
5. Reluctance to Create a Data Breach Policy – many companies fear creating a ‘nightmare scenario’, but a simple series of procedures must be in place for effective reaction and notification to incidents

You can read further details – and solutions – here.

Tags: absolute, absolute software, computrace, healthcare, security, computer security risks, healthcare security, it security, data security, data breach

HSBC is being hit by a wave of fraudulent activity this week. A savvy customer noticed that his account had been emptied by someone in Bulgaria, and another customer was hit from California and Canada.

Keith, the first customer to notice the fraud, found that money was being taken out of an ATM in Bulgaria and that, after some difficulty accessing any information at all, his money would be credited back in 11-15 business days. No alert was sent to Keith that his credit card was being used outside the country, nor was he called to verify if that was ok.

Emily, the second customer, was informed by the HSBC Fraud Investigator whom she called that:

“their fraud department was so overwhelmed, it was ’still in the developing stage of how we’re going to handle’ it. I asked if she knew how many customers were affected and she stated ‘We don’t even know.’”

The investigator said all customers would be notified by letter, not by phone, due to the magnitude of the fraud. Unfortunately for both these customers, there was no direct way to escalate the call to the fraud investigators without several block attempts from the call center overseas.

Via the consumerist Tags: hsbc, fraud, bank fraud, atm fraud, banks