Archive for April, 2008

Saskatchewan Finds Second Set of Abandoned Medical Files

Monday, April 14th, 2008

Who Breached: Various doctors in Saskatchewan
Number Affected: Unknown
Information breached: Medical records
How: Abandoned Files

79 boxes of personal medical files were found in a vacant, unlocked office in Moose Jaw, Saskatchewan. The files were located after a telephone tip received once a breach of medical files in Yorkton was made public at the end of March. Officials believe the two finds are connected.

In late March, five boxes of abandoned medical files for as many as 900 patients were found in a vacant office. The boxes were found via an anonymous tip in the city of Yorkton in a building that was not associated with any past medical offices.

Saskatchewan’s Information and Privacy Commissioner, Gary Dickson, said the announcement of the first breach generated telephone tips, one of which led to the second find. Details about the second find are still coming to light:

“It appears to involve a number of different physicians,” Dickson said. “We think some of these physicians may in fact still be practicing in the province.”

Physicians and other licensed professionals are required by provincial law to safeguard personal health information. Violations carry fines of up to $50,000 per individual or $500,000 per organization, although no such fine has ever been issued in Saskatchewan. The College of Physicians and Surgeons of Saskatchewan will participate in the privacy commissioner’s inquiry.

Via upi, upi2

San Francisco Government Gets Failing Grade on Wireless Security

Monday, April 14th, 2008

AirDefense, an Atlanta-based network security company, tested the government wireless networks in San Francisco and has given them a failing grade.

On April 4th, AirDefense released its San Francisco Wireless Security Vulnerability Survey which gives San Francisco Government offices a “D” for wireless security. Other sectors fared slightly better, but all could use improvement.

The survey looked at five sectors for wireless security: finance, government, retail, transportation and major corporations. In total, 4,606 access points (APs) were discovered across these sectors. The survey looked at whether wireless APs were encrypted at all, how many relied on the weak Wired Equivalent Privacy (WEP) encryption, the presence of probing laptops, rogue APs set up by employees or hackers (very dangerous), any data leakage present, and the number of APs left in default mode.

The wireless security grades per sector were:

Industry           | Total APs Discovered | Unencrypted / WEP APs | Leaked Traffic Over APs | Grade
-------------------|----------------------|-----------------------|-------------------------|------
Major Corporations | 1,566                | 718 (46%)             | 23%                     | C
Finance            | 799                  | 531 (67%)             | 48%                     | C-
Government         | 1,209                | 871 (72%)             | 47%                     | D
Retail             | 552                  | 184 (33%)             | 43%                     | C+
Transportation     | 480                  | 149 (31%)             | 52%                     | B-

The government in San Francisco has questioned the validity of the report, asking how an access point was identified as government vs. any other industry or consumer access point. The survey does not provide results for all of their tests (for the number of APs in default mode, for example), nor does it differentiate between any levels of government agencies.

The point of this survey was to show, with relatively few resources, how much about wireless networks can be determined from a single laptop computer. There are many areas of wireless security that can put companies at serious risk of data breaches. An employee who knowingly or unknowingly connects a cheap AP to the company LAN can circumvent network security and put information assets at risk, and the risks associated with default settings and unencrypted wireless networks are well documented. Regardless of how the survey’s categories were defined, it clearly pointed to many holes in existing wireless security practices across all industries within San Francisco.
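To make the survey’s metrics concrete, here is an added Python example (not AirDefense’s tool and not code from the original post) that scores a constructed set of scan records per sector the way the table above does: it classifies each AP’s encryption from its capability string, counts open/WEP APs and APs seen leaking readable traffic, and flags factory-default SSIDs. The sector names, SSIDs, capability strings, frame counts and the default-SSID list are all constructed assumptions.

```python
"""Score a wireless scan the way the AirDefense survey table does.
Added example, not AirDefense's tool; every scan record below is constructed."""
from collections import defaultdict

# Constructed records: (sector, ssid, capability string, readable data frames seen)
SCAN = [
    ("Government", "city-hall",  "[WPA2-PSK-CCMP][ESS]", 0),
    ("Government", "linksys",    "[ESS]",                12),  # open, factory SSID
    ("Government", "dpw-legacy", "[WEP][ESS]",           7),
    ("Finance",    "branch-07",  "[WPA-PSK-TKIP][ESS]",  0),
    ("Finance",    "default",    "[ESS]",                30),
    ("Retail",     "pos-net",    "[WPA2-EAP-CCMP][ESS]", 0),
]

# Assumed factory SSIDs, a cheap proxy for "AP still in default mode".
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


def classify(caps: str) -> str:
    """Map a capability string to the strongest protection it advertises."""
    if "WPA2" in caps or "RSN" in caps:
        return "WPA2"
    if "WPA" in caps:
        return "WPA"
    if "WEP" in caps:
        return "WEP"
    return "OPEN"  # no security flags at all


def audit(scan):
    """Per-sector counts matching the survey columns (grade omitted: scale unknown)."""
    stats = defaultdict(lambda: {"total": 0, "weak": 0, "leaking": 0, "default": 0})
    for sector, ssid, caps, frames in scan:
        s = stats[sector]
        s["total"] += 1
        if classify(caps) in ("OPEN", "WEP"):  # survey's "Unencrypted / WEP" bucket
            s["weak"] += 1
        if frames > 0:                         # survey's "Leaked Traffic" bucket
            s["leaking"] += 1
        if ssid.lower() in DEFAULT_SSIDS:
            s["default"] += 1
    for s in stats.values():
        s["weak_pct"] = round(100 * s["weak"] / s["total"])
        s["leak_pct"] = round(100 * s["leaking"] / s["total"])
    return dict(stats)
```

Calling audit(SCAN) returns one dict per sector with the same columns as the survey table, so the same logic can be run over a real inventory of an organization’s own APs.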


Via govtech, business wire

WellPoint Extended Online Breach

Wednesday, April 9th, 2008

Who Breached: WellPoint Inc.
Number Affected: 128,000
Information breached: Social Security Numbers (maybe)
How: exposed online over the past year

The personal information of 128,000 WellPoint customers in 7 states was exposed online over a one-year period. The information may have included Social Security Numbers and pharmacy or medical data.

Two WellPoint servers maintained by an unidentified outside data management vendor were the source of the breach. Early last year it became known that one server was improperly secured and that information for 1,350 customers may have appeared online; that breach was fixed. However, a second server was recently found to be insecure, exposing an additional 128,000 customers for roughly a year. The information appeared online but had ‘code protection’ intended to prevent it from being found via a search engine.

WellPoint spokeswoman Shannon Troughton says that the problem has been fixed and that customers are being notified. Credit-monitoring services are being offered for one year. It is not clear why an investigation into the security of all servers with the vendor was not conducted after the first error was found.

WellPoint is not new to security issues. In October 2006, stolen back-up computer tapes exposed the data of 200,000 members and in 2007, data for 75,000 members went missing during a shipment between vendors.

Via business week

Employees Purposely Bypass Security Protocols

Wednesday, April 9th, 2008

Well, this is a troubling piece of news. IT Governance in the UK has released a survey this month, Data Breaches: Trends, Costs and Best Practices, which shows that two-thirds of employees bypass data security in order to do their work.

The Best Practice Report looks at the global trends in corporate data breaches concerning personally identifiable information. It also considers best practices in avoiding business, regulatory and brand damage as the result of a data breach.

The survey found that 68% of employees admit to bypassing information security controls in order to do their jobs. This is a troubling statistic, perhaps pointing to a failure to understand how to implement security controls: how to balance confidentiality with availability of information. The survey indicates that security controls are being undermined and that employees are putting organizations at risk. This startling information should serve as a wake-up call to the importance of planning in information security.

The survey indicated that 82% of organizations had policies for protecting personal data, but with such a high incidence of employees deliberately circumventing the policies and procedures put in place, it would appear that the security precautions taken were unduly obstructive in design or implementation.

Other interesting findings:

  • 55% of employees handling personal data have been trained in their legal responsibilities in respect of the information
  • 89% of organizations cover access to personal data in security regimes
  • 56% of organizations have policies to detect or report data losses
  • 39% of organizations have policies to correct data loss incidents

The declining numbers above show that companies are less prepared for data breaches in their security regimes: if a breach were to occur, many would have no policy to govern the fallout, and some would have no policy to detect the breach in the first place. Both the earlier finding and these statistics show a dire need for security training at all levels of the company, so that staff understand the importance of, and the legal requirements for, safeguarding personal information, and can do so in a way that is manageable for employees.

Via cambridge network

New Post-Theft Forensic Auditing Services from Absolute Software

Wednesday, April 9th, 2008

Absolute Software has announced a new service to add to its comprehensive Computrace data security suite. Post-theft forensic auditing services will now be offered through the Customer Center IT asset management portal. Organizations will be able to determine whether sensitive information on lost or stolen computers has been accessed. The service will also be able to determine whether an encrypted volume or password has been compromised.

John Livingston, CEO of Absolute Software, notes:

“The ability to track computers off the network, physically recover missing computers and remotely delete sensitive information with the assurance that the data has not been accessed by criminals is essential for true compliance with data protection regulations.”

The ability to determine if information has been accessed provides visibility and accountability in the event of a data breach. Organizations will be able to prove that they have removed sensitive information from lost computers (via the remote data delete) and will also be able to prove that the lost information is safe.

This new service helps companies confirm compliance with data privacy regulations, and can also aid in the breach fallout with stakeholders. By demonstrating that data is safe, an element sorely missing from most breach notification announcements, companies can retain the trust and security of their valued stakeholders.


Absolute Software Announces Collaborations with Intel and Qualcomm

Wednesday, April 2nd, 2008

Absolute Software has announced some big news during the course of this week. In the first announcement, Absolute Software will be working with Qualcomm’s Gobi to provide increased security to enterprise customers in the mobile environment. In the second announcement, Absolute Software has paired with Intel to provide strong anti-theft technology for Centrino laptops.

Yesterday, Absolute Software announced at the CTIA Wireless Show in Las Vegas that it will be adapting Computrace to work with Qualcomm’s Gobi mobile Internet and GPS platform. This will allow real-time communication between laptops and the asset management and security services in the Computrace suite, meaning that IT audits and remote data delete commands can be carried out in real time, no matter where the laptop is. You can visit Absolute Software at Qualcomm’s booth number 1948, Mobile Enterprise Partner Pod, during the CTIA Wireless Show on April 1, 2 & 3.

Announced today, Absolute Software and Intel are to collaborate to provide integrated anti-theft technology for next generation notebook computers. Absolute Software’s Computrace will be integrated into the Intel Anti-Theft Technology suite later this year. Absolute’s core expertise in IT asset management, data protection and computer theft recovery services will enhance a whole suite of new Intel Centrino laptops.

You can read more about these releases here:


The Dental Network breaches 75,000

Tuesday, April 1st, 2008

Who Breached: The Dental Network
Number Affected: 75,000
Information breached: Social Security Numbers
How: posted online

The Dental Network, owned by CareFirst BlueCross BlueShield, has notified 75,000 members that their information was accidentally posted online.

The personal information, including Social Security Numbers, was posted to a public website last month for a period of two weeks. The breach was discovered on February 20th and members were notified on March 10th.

Michael Sullivan, spokesman for CareFirst, was quoted as saying that the company “moved in a timely fashion to secure the data and notify the members.” This leads me to ask, what is a “timely fashion”? How long is too long?

What is the ideal notification period for data breaches?

Other data breaches from the past week:

Via attrition.org, The Baltimore Sun

Church Pastor is ID Thief

Tuesday, April 1st, 2008

This small piece of news just goes to show you that identity theft can come from anyone, anywhere.

The former pastor of a Grace Fellowship Church in Pennsylvania, Rev. Raymond Clayton, was charged with bank and wire fraud and aggravated identity theft back in October. Last week, Clayton pleaded guilty in federal court to a count of access device fraud.

Clayton has admitted to using parishioners’ personal information to apply for credit cards. He would then use those credit cards to obtain cash advances and make purchases. In a six month period, Clayton defrauded parishioners of $30,000. He had changed the church’s mailing address to a post office box to cover his scheme.

Since the incident came to light, the 25-year-old church community has disbanded. Sadly, this shows just how much of an impact fraud and identity theft can have, not just on individuals but also on communities.

hat tip to schneier, via pennlive

Top 10 security land mines

Tuesday, April 1st, 2008

Matt Hines has posted The top 10 security land mines to InfoWorld. These are mistakes that undermine the security precautions that companies put in place.

  1. “Slip of the finger” mistakes - e.g. using email address autofill, mistakes in encryption
  2. Giving away passwords - phishing and spyware are still prevalent because people are not careful about where they hand out their data.
  3. Third-parties - you have a security policy, but are your partners following your policy? Employees may assume it is ok to send sensitive information to business partners. Unencrypted data can easily end up in the wrong hands.
  4. Web-based applications - webmail, file-sharing services that bypass security filters. Allowing data to be taken home increases these risks.
  5. Not planning for a breach - being prepared will make things easier, not harder. You can lessen the breach impact with good response strategies.
  6. Lack of leadership - if a single leader or small team is not appointed to respond to the breach, the breach response becomes diluted. Large teams can also hinder the process.
  7. Mishandling investigations - in the case of a data breach, the “need to know” approach should be established in order that investigations are not compromised, particularly if it’s an inside job.
  8. Trusting technology - technology is not the end to security preparedness. Look at things from a risk management perspective and do more than compliance requires.
  9. Not planning spending - know what is important to your company, know your risks, and let that define your spending. Security issues have varying levels of threat to you, so your spending should correspond to high risk areas.
  10. Storing information - only save what information you need to do business; delete anything you don’t need. For data retained, protect it.

You can read more details here.

Along similar lines, refer to these past posts:


Corporate Laptops as Attractive Targets for 2008

Tuesday, April 1st, 2008

A new research report from Blue Coat on security threats for 2008 indicates that laptops containing corporate data will continue to be attractive targets for thieves. The report, which also indicates that web-based malware attacks will flourish in 2008, estimates that a computer holding 10,000 records can be worth as much as $140,000 on the black market. Blue Coat estimates that more companies will move away from storing Social Security Numbers, to limit the threat of identity theft. Network security will be, however, a persistent issue. More info on this topic:

Click here to read more about how Absolute Software’s Computrace can help to secure your corporate laptops (and data). Via infoworld
