Data Breach - Laptop Security Blog

Data Breach Roundup

Related entries in Data Breach, Real Theft Reports, Security Breach

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport. More info…

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April; affected individuals are being notified by mail at the addresses stored in the database. More info…

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs. More info…

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both Ohio University and the University of Houston accidentally posted Social Security Numbers online. This is an increasingly common source of breaches, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here.


Data Breaches Up 69% in 2008

Related entries in Data Breach, Surveys & Reports

The Identity Theft Resource Center (ITRC) has compiled records of data breaches for the past 3 years. According to the data, 2008 has seen 69% more reported data breaches than the same period in 2007 (Jan 1-June 27). The breaches in 2008 involved almost 17 million consumer records, and another 40% of the breaches did not report the number of records affected. Lost laptops continue to be the top security issue.

Highlights from the 2008 Data Breach Report:

  • 342 data breaches have been reported so far in 2008
  • One third of the breaches come from businesses (a 27% increase from 2007)
  • Full breakdown by sector: 36.8% general businesses, 21.3% educational institutions, 17.0% government / military agencies, 14.9% health care facilities / companies, 10% banking / credit / financial services entities
  • Lost or stolen laptops / digital storage media are the most frequently cited cause of data breaches (>20%)
  • After lost or stolen storage devices, data posted online and insider theft are the next two most reported causes of breaches
  • Nearly 40% of reported breaches did not disclose how many consumer records were affected

Though it is very likely that the actual number of breaches is higher due to underreporting, part of the increase in 2008 may be due to an increase in reporting rather than in breaches. Linda Foley, co-founder of ITRC, said it is difficult to say whether the numbers show an increase in breaches, an increase in reporting, or both. She said better state laws on data breach notification also might be encouraging more companies to audit their own security measures.

“Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them,” Foley said. “The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.”

Download the 2-part report here:

A number of other 2008 reports are available, breaking down this information. Examples include reports on Accidental Exposure and Insider Theft.

Via Washington Post

Scottish Ambulance Service Avoids Serious Breach

Related entries in Data Breach, Real Theft Reports, Security Breach

The Scottish Ambulance Service in the UK has lost a data disc containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike in many other incidents of this kind, the disc was both password protected and encrypted.

The disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records (numbers and patient names) from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data handling procedures, but, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC

AHCA Database Security Flaw & Potential Breach

Related entries in Data Breach, Real Theft Reports

Who Breached: The Agency for Health Care Administration
Number Affected: 55,000
Information breached: Social Security Numbers
How: Database security flaw

The Agency for Health Care Administration may have breached the personal information for 55,000 Organ and Tissue Donors listed in their registry. The information in the registry includes Social Security Numbers.

On June 20th, the Agency learned of a security flaw in the Organ and Tissue Registry and immediately took it offline. The system was fixed, and the 55,000 affected individuals will be contacted by mail.

The Florida-based agency has set up a breach FAQ for the public on their website here. A press release can be found here (PDF).

Via attrition, AP

Montgomery Ward Fails to Notify Consumers of Breach

Related entries in Data Breach, Real Theft Reports

Who Breached: Montgomery Ward
Number Affected: 51,000+
Information breached: Credit card information
How: hackers

Montgomery Ward (a furniture retailer) has failed to notify more than 51,000 customers that their credit card numbers were breached in December, 2007.

Montgomery Ward, a brick & mortar institution that went bankrupt in 2001 and came back as an online retailer at Wards.com, is owned by Direct Marketing Services.

According to the reports, hackers stole 51,000 to 200,000 credit card records in December 2007. While the major credit card companies were notified of the breach, customers were not. This clearly goes against various breach notification laws, and Montgomery Ward could face legal suits.

CardCops, a group that tracks payment-card theft for financial institutions, spotted hackers mentioning the sale of the cards in June, bringing this story to the public. Since the story broke, Direct Marketing Services first said they had met their obligations, but later announced that victims of the breach would be contacted.

Without public pressure, it is likely that consumers would never have been notified of this breach. Wards.com has yet to release information about the breach.

Via attrition, SC Magazine, Consumerist, AP

2.2 Million Affected by University of Utah Hospitals Breach

Related entries in Data Breach, Real Theft Reports

Who Breached: University of Utah Hospitals and Clinics
Number Affected: 2.2 million
Information breached: Social Security Numbers & billing records
How: backup tapes stolen from vehicle

2.2 million patients have been affected by a breach at the University of Utah Hospitals and Clinics.

A courier delivering billing records on backup tapes to a storage center failed to drop off the records immediately. Instead, he went to work a second job and then went home. The records were stolen from the vehicle, a Ford Explorer, some time that night on June 1st. The driver, who had worked for Perpetual Storage for the past 18 years, has been fired.

The billing records included Social Security Numbers for 1.3 million people treated at the University in the past 16 years.

It will take over $500,000, just in stamps and envelopes, for the University to notify affected people. The hospital is offering free credit monitoring to the 2.2 million affected. The University of Utah Hospitals and Clinics is also offering a $1000 reward for any information related to the theft.

There was also another major breach this week by Stanford University - 72,000 employees were affected after a laptop was stolen. You can read more here.

Via attrition, KUTV

Data Breaches & Carding

Related entries in Data Breach, Surveys & Reports

The Department of Justice (DoJ) has put out a report in May entitled “Data Breaches: What the Underground World of ‘Carding’ Reveals” [PDF].

Carding, defined as “a process to verify the validity of stolen card data”, is used by thieves to determine whether a stolen card is still active. [Wikipedia] The term “carding” has also been expanded to include the theft and fraudulent use of credit and debit card numbers via other schemes such as hacking and phishing. The report looks at large-scale data breaches and the organized “carding” groups that exploit the stolen data.

The new DoJ report indicates that the trading of individual pieces of sensitive information is being overshadowed by “identity packages” bundling multiple types of sensitive information. In addition, criminals are aiming for large-scale breaches affecting thousands or millions of people. Given that stolen information can spread quickly over the Internet, criminals can profit from the fraud quickly, often before the theft is even detected.

Pricing for Sensitive Information (first half of 2007):

  • Credit card information: $0.50 to $5.00 per card
  • Bank account information: $30.00 to $400.00
  • Full identity information: $10 to $150.79

The report gives examples of some of the well-known carding forums and discusses relevant legislation as well as the challenges and possible solutions to the issue. You can download the report here [PDF].

Via Emergent Chaos, Network World

OIPC Investigates Data Breach

Related entries in Data Breach, Government Security, Health Security

The Office of the Information & Privacy Commissioner (OIPC) of British Columbia published an investigation report concerning the Ministry of Health earlier this month.

On October 3, 2007 an employee of X-Wave, a contractor for health insurance billing in New Brunswick, packaged four unencrypted computer tapes into an envelope. The tapes, which contained personal information of residents of British Columbia and New Brunswick, were being sent to Health Insurance BC (HIBC). These tapes did not arrive.

The investigation reveals that this method of transferring personal information did not meet the security measures required under the Freedom of Information and Protection of Privacy Act. In addition, the existing policies at the Ministry of Health delayed the timely detection of the lost data tapes. Notification to affected individuals and to the OIPC was also delayed by nearly two months.

OIPC reports that the Ministry breached the Act in the following ways:

  • Sending data on unencrypted magnetic tapes
  • Not requiring the sender to notify the receiver of when the package would be received
  • Not requiring the sender to use a courier with a tracking service
  • Not instructing the sender to refrain from sending more unencrypted tapes while the issue was under investigation
  • Taking 41 days to notify affected individuals of the breach

New Ministry procedures aim to counter these issues and to ensure that personal information is no longer transferred in this way. You can read more here.

Via Dan Michaluk

Canadian Minister Resigns After Breach

Related entries in Data Breach, Government Security

Foreign Affairs Minister Maxime Bernier resigned on May 26th after admitting he left classified NATO documents at the apartment of his ex-girlfriend, Julie Couillard, a former model with past links to members of the Hells Angels.

The NATO documents included information from last April’s summit in Romania, including NATO’s military strategy in Afghanistan. Bernier did not realize he had forgotten the papers until they were returned by lawyers Sunday night, more than a month later, and delayed telling Prime Minister Stephen Harper until Monday afternoon. Bernier then resigned from his post.

“Mr. Bernier has learned and informed me that he left classified government documents in a non-secure location,” said Harper. “This is a serious error and the minister has accepted his responsibility.”

Stephen Harper called a news conference just hours before Julie Couillard made claims that Mr. Bernier had been careless with government papers. The government has received a lot of public criticism for Mr. Bernier’s relationship with Ms. Couillard, though Harper has been defending Bernier’s right to privacy.

“Let me be very clear: this is not to do with the minister’s life or the life of a private citizen, 99 percent of which I think is completely off bounds,” said Harper.

Maxime Bernier’s ministry position was replaced by David Emerson, and Bernier’s bio has been completely wiped from the Stephen Harper website. The police are looking into allegations raised about this and other matters, as described here, and to whether this will be considered a criminal offense in breach of national security.

Hat tip: flyinghamster; via Globe and Mail, CTV

Bank of New York Mellon Breach Affects 4.5 Million

Related entries in Data Breach, Real Theft Reports, Security Breach

Who Breached: Bank of New York Mellon
Number Affected: 4.5 Million
Information breached: Social Security Numbers
How: backup tape lost

The Bank of New York Mellon has exposed the data of 4.5 million people after an unencrypted backup tape disappeared three months ago while in the custody of a third-party storage company, Archive Systems. The company was to transport ten tapes to a data storage facility, but one went missing.

The missing tape, which went missing on February 27, 2008, includes Social Security Numbers and bank account information for 4.5 million people (consumers and investors). The lock on the transportation truck was damaged, so it is possible the tape was stolen. The Bank of New York Mellon has not addressed concerns about why the backup tapes were not encrypted. No information about the breach is available on the bank website.

Attorney General Richard Blumenthal says that the breach “seems highly dangerous” and potentially devastating with the threat of identity theft. Blumenthal is demanding that Bank of New York Mellon provide affected customers with more than just credit monitoring (suggestions include identity theft insurance and free credit freezes).

“I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing. Neither People’s nor its customers were promptly notified. Even now, many may be in the dark.” – Blumenthal

Although the data breach occurred three months ago, consumers only began to be notified six weeks ago. The second half of affected consumers are being notified this week.

You can read more from Richard Blumenthal’s letter here. [PDF]

Via attrition, Norwalk Plus, SC Magazine, Reuters, InformationWeek