Archive for the ‘Data Breach’ Category

German Government Loses Top Secret Files

Monday, December 22nd, 2008

According to The Local, the German government has admitted to losing 332 top secret files over the past 10 years. Problem is, the files were so top secret that nobody knows what was in them.

The German Interior Ministry was forced to admit to the loss of files during a parliamentary session when it was questioned by the Free Democrats (FDP). The government admits that the 332 files are still missing, and that the files were of “considerable significance.”

The questioning also revealed that nearly 3,200 top secret files were destroyed rather than archived during the last legislature period. These files covered topics such as organized crime, surveillance, and ‘research’ of other states. This, as well as the breach / loss of the 332 files, points to the lack of a firm data retention policy. Although the two issues may not be related, given that the top secret files may have been destroyed in order to pre-empt any 30-year information release rule that may yet be created, it’s clear that governments all around the world are struggling to stay on top of information security.

In other Government data loss news, a FOX reporter was able to buy a McCain campaign Blackberry loaded up with confidential information – Computrace Mobile would have erased all of it. And Fergie, Duchess of York, is the victim of laptop theft and worries about private photos leaking – see what Absolute’s Bill Pound had to say about it.

Starbucks Data Breach Mirrors that of 2006

Tuesday, December 2nd, 2008

Who Breached: Starbucks
Number Affected: 97,000
Information breached: Social Security Numbers
How: stolen laptop

Starbucks Corp. confirmed this week that a laptop containing the information of 97,000 employees was stolen.

A Starbucks laptop containing names, addresses and Social Security Numbers was stolen on October 29th. It is not clear if the laptop was protected in any way, or how it was stolen.

In 2006, Starbucks reported the theft of four laptop computers, so it is sad that such an issue would again come to light. In 2006, the breach affected 60,000 Starbucks employees / partners. Although the Starbucks statement to employees, after this most recent breach, indicates that the company is taking steps to protect data, including encryption, one would hope that those steps would have occurred in the 2-year period since the last breach. A copy of the letter sent to affected Starbucks employees can be found here.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training, and with software such as Computrace from Absolute.

Other major data breaches for November, 2008:

  • Luxottica Group, 59,000+ affected, hacker [read more]
  • University of Florida College of Dentistry, 344,000+, compromised server [read more]
  • Christus Health Care, thousands, stolen backup tapes [read more]
  • Harvard Law School, 21,000, lost backup tapes [read more]
  • North Carolina Division of Aging and Adult Services, 85,000+, lost laptop [read more]
  • Baylor Health Care System Inc., 100,000, stolen laptop [read more]
  • Arizona Department of Economic Security, 40,000, stolen hard drives [read more]

And in other news…

In a very strong statement by Canada’s Privacy Commissioner Jennifer Stoddart, Canada was called to shame for inaction on cybercrime. Stoddart called it an “embarrassment” that Canada does not protect the rights of individuals with provisions such as anti-spam legislation, strong identity theft legislation, or mandatory data breach provisions. Read more about this here.

Via datalossdb

T-Mobile Breaches 17 Million

Friday, October 17th, 2008

Who Breached: Deutsche Telekom’s T-Mobile
Number Affected: 17 million
Information breached: Social Security Numbers
How: laptop

T-Mobile, subsidiary of Deutsche Telekom, has issued notice that a major data breach from 2006, affecting 17 million customers, has resurfaced as an issue. The information included names, addresses and phone numbers. No banking details were lost.

The data loss occurred in 2006, but details of the breach event became public on October 4th, 2008 in this statement. The company published this report publicly after a German news magazine reported that the data was up for sale on the Internet.

Deutsche Telekom says that a data storage medium with records for 17 million people was found, and that there was no record of unauthorized use of the data. However, the German news magazine found the data online for sale. The data includes home address and unlisted phone numbers for celebrities, business leaders, government ministers and more.

Here is an excerpt from Deutsche Telekom’s response:

In spring 2006, Deutsche Telekom immediately reported the theft to the responsible public prosecutors’ office. Within the scope of their investigations, the public prosecutors’ office was able to recover storage media. Extensive research conducted over several months on the Internet and in data trading places could not reveal any clues indicating that the data had been offered or disseminated on the black market. Owing to this, Deutsche Telekom assumed that there would be no dissemination of the data. However, Der Spiegel was apparently able to access the data in question via third parties.

The company expresses concern that the breach incident is relevant once again, being previously under the assumption that the matter had been closed. They “regret to say that [they] have not been able to protect… customer data in line with [their] standards.”

Deutsche Telekom says that security measures have been significantly tightened since 2006. These measures include: complex passwords, access authorization, and access monitoring, among other measures. They have set up a FAQ on the data breach here.

Other recent notable data breaches:

  • University of North Dakota – Stolen Laptop, 84,554 affected [more]
  • University of Indianapolis – Hacker, 11,000 affected [more]
  • The Whittington Hospital NHS Trust – lost CDs, 17,990 affected [more]
  • CCN – hacker, 98,930 affected [more]

Via datalossdb.org, vnunet, NY Times

Data Breach Incidents Up for 2008

Wednesday, October 8th, 2008

The Identity Theft Resource Center (ITRC) has issued a press release indicating that the number of breach incidents in 2008 already surpasses the total for all of 2007.

The ITRC had recorded, as of August 22nd, 449 data breaches in 2008. The total number of breaches for 2007, for the entire year, was 446. In both cases, the actual number of breaches is likely higher due to under-reporting and lack of detection. These breach figures speak to incidents, not the number of entities involved in each event or the number of people affected by them.

Linda Foley, founder of ITRC, attributes part of the growth of the breach list to the ability to access Attorney General notification lists in three states, which outline data breaches that don’t always make it to the mainstream media. Linda also believes that more companies are proactively auditing their systems and identifying breaches that were previously undetected.

The current breach list at the ITRC, which reflects more than 22 million compromised records, is also only a partial list of the problem. In more than 40% of breach events, the number of records exposed is not disclosed or known. Although figures of records breached are often more newsworthy, breach events themselves are a more usable statistic for research purposes, ITRC notes.

Of the 449 breaches in 2008, 11% of them have been the result of contractor breaches. That is an obvious and large area of concern for businesses to identify, and one where security policies need to step up.

PogoWasRight asks some very pointed questions about the need for a full disclosure law, the role of the federal government in breach situations, and who exactly is responsible to ensure affected individuals in any case are notified of a breach. The same author also talks about the correlation between breach notification, types of breaches, and fraud.

Via Emergent Chaos; image: ppdigital @ morguefile

Insiders at GS Caltex Steal Info of 11 Million

Tuesday, September 9th, 2008

Who Breached: GS Caltex
Number Affected: 11,000,000
Information breached: Social Security Numbers
How: Insider stealing data

Four people have been arrested in connection with a major data breach at GS Caltex, a Total Energy Service provider based out of South Korea. This is being called the country’s largest data breach to date.

Earlier this month, CDs and DVDs containing the names, Social Security numbers and email addresses of 11 million GS Caltex customers were found in the garbage in Seoul. The data included information on government officials, lawmakers and politicians.

Investigators on the case say one of the suspects exposed the leak to the media in a publicity campaign aimed at boosting the market value of the data! This is the first time I’ve heard of such a tactic.

The four people arrested on Sunday included two employees of a GS Caltex subsidiary. One suspect is alleged to have copied the database while working at a call center.

The data was copied onto several CDs and DVDs, which presents several issues: that sensitive data could be accessed by a call center employee, that data could be copied to external devices, and that none of this was being tracked internally.

Other recent large data breaches:

  • National Technical Institute for the Deaf, 13,800 Affected, Stolen Laptop – more here
  • Louisiana Real Estate Commission, 13,000 Affected, Insider Accident – more here
  • InterActive Financial Marketing Group (IFMG), 92,095 Affected, Hacker – more here

Via datalossdb.org, AFB

Banking Details Sold on eBay

Thursday, August 28th, 2008

Who Breached: Graphic Data (holding 3rd party data)
Number Affected: Millions
Information breached: Financial records
How: Computer sold on eBay

Several million people have been affected after a computer was sold “inappropriately to a third party” via eBay. The computer contained sensitive information on customers from the Royal Bank of Scotland, American Express and NatWest.

A former employee of the archiving company Graphic Data (owned by MailSource UK) sold a machine that contained the banking information. Information included account numbers, passwords, phone numbers and signatures. The computer was sold on eBay for £35 to an IT manager, Andrew Chapman, who came forward after noticing the data on the hard drive.

Click here for a video of Andrew Chapman being interviewed about buying the computer & its data.

The Information Commissioner’s Office (ICO) has launched an investigation into how this mistake happened and what steps will be taken to prevent a similar incident. According to MailSource UK, the computer was sold without authorization.

“The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed” – Nicole Morgan, MailSource UK

The data on the hard drive was not wiped prior to the computer being sold (although wiped data can be recovered).

Via Daily Mail, Forbes, BBC

Countrywide Financial Insider Breaches 2 Million

Monday, August 11th, 2008

Who Breached: Countrywide Financial Corporation
Number Affected: 2,000,000
Information breached: Social Security Numbers
How: Insider theft

It’s not very often we hear about intentional insider breaches of information, particularly on this scale. The FBI arrested a former Countrywide Financial Corporation employee and another man in connection with the alleged theft and sale of the information of as many as 2 million mortgage applicants. The personal information of the mortgage applicants included Social Security Numbers.

The breach occurred over a two-year period until it was discovered this July. The insider arrested worked as a senior financial analyst at the lending division of Countrywide, Full Spectrum Lending. The second man arrested is the alleged reseller of the stolen data.

US Attorney spokesman Thom Mrozek says most, or all, of the names were being sold to people within the mortgage industry in order to make new pitches. The insider, who volunteered details to the FBI, would sell batches of about 20,000 customers as “leads” to outside loan agents at approximately 2.5 cents per name, a very low amount on the black market. It is unknown if any of the information was used for fraud or identity theft.

“It’s the potential for new-account fraud that arises when Social Security accounts are compromised,” said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse. “That’s the most serious kind of financial identity theft,” because large amounts can be involved and the fraud is more difficult to detect than it is on preexisting accounts.

“This guy obviously didn’t do his homework. He doesn’t know the value of these on the black market,” she said.

The theft was perpetrated via an unsecured external hard drive. The insider was able to use one computer in the Spectrum Lending office that he knew to be insecure: it was missing the security feature that disabled the use of external drives. There was no detection process in place that would have stopped this unsecured computer from accessing network data, nor any procedure in place to prevent unauthorized copying of data.

To learn from this breach:

  1. Audit user access to data, to ensure users have only necessary access to data
  2. Monitor data access – what is accessed and by whom
  3. Restrict copying of data
  4. Add real-time detection – be able to detect unauthorized attempts to access data, insecure computer connections, and unusual user activity
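The four lessons above, turned into a small rule set run over a constructed data-access audit feed; this is an added example for illustration, not code from the original post, Countrywide, or the cited news sources. The host list, entitlement map, threshold and event records are all hypothetical constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed values: hosts where the removable-drive lockdown is confirmed enforced,
# the datasets each user is entitled to read, and the per-day record count that
# counts as a bulk export. Real deployments would pull these from inventory / IAM.
HARDENED_HOSTS = {"ws-101", "ws-102"}
ENTITLEMENTS = {"analyst": {"loan_pipeline"}, "dba": {"loan_pipeline", "applicants"}}
BULK_THRESHOLD = 5000


@dataclass(frozen=True)
class AccessEvent:
    day: str
    user: str
    host: str
    dataset: str
    records: int
    destination: str  # "screen", "network_share" or "removable"


def detect(events):
    """Return (rule, user, host, day) tuples for events that violate the four controls:
    least-privilege entitlement, hardened host, no removable-media copies, bulk-export cap."""
    alerts = []
    daily = defaultdict(int)  # (user, dataset, day) -> records pulled so far
    for e in events:
        if e.dataset not in ENTITLEMENTS.get(e.user, set()):
            alerts.append(("unentitled_access", e.user, e.host, e.day))
        if e.host not in HARDENED_HOSTS:
            alerts.append(("unhardened_host", e.user, e.host, e.day))
        if e.destination == "removable":
            alerts.append(("removable_media_copy", e.user, e.host, e.day))
        key = (e.user, e.dataset, e.day)
        before = daily[key]
        daily[key] += e.records
        # Alert once, at the moment the running daily total crosses the threshold.
        if before < BULK_THRESHOLD <= daily[key]:
            alerts.append(("bulk_export", e.user, e.host, e.day))
    return alerts


# Constructed sample feed: one benign read, one insider-style pull of a whole
# batch to removable media from an unhardened host, and a slow-drip that only
# trips the bulk rule on its second pull of the day.
SAMPLE_EVENTS = [
    AccessEvent("2008-06-01", "analyst", "ws-101", "loan_pipeline", 120, "screen"),
    AccessEvent("2008-06-01", "analyst", "ws-117", "applicants", 20000, "removable"),
    AccessEvent("2008-06-02", "dba", "ws-102", "applicants", 3000, "network_share"),
    AccessEvent("2008-06-02", "dba", "ws-102", "applicants", 2500, "network_share"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```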

Via LA Times, Computer World

Data Breach Roundup

Thursday, July 31st, 2008

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport. More info…

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April, affected individuals are being mailed according to the information stored. More info…

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs. More info…

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both the Ohio University and the University of Houston accidentally posted Social Security Numbers online. This is an increasingly common source of breach, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here.


Data Breaches Up 69% in 2008

Friday, July 18th, 2008

The Identity Theft Resource Center (ITRC) has compiled records of data breaches for the past 3 years. According to the data, 2008 has seen 69% more reported data breaches than the same period in 2007 (January 1 to June 27). The breaches in 2008 involved almost 17 million consumer records, with another 40% of the breaches not reporting affected numbers. Lost laptops continue to be the top security issue.

Highlights from the 2008 Data Breach Report:

  • 2008 has seen 342 data breaches reported this year
  • One third of the breaches come from businesses (27% increase from 2007)
  • Full breach stats breakdown: 36.8% general businesses, 21.3% educational institutions, 17.0% government / military agencies, 14.9% health care facilities / companies, 10% banking / credit / financial services entities
  • Lost or stolen laptops / digital storage media are the most frequently cited cause of data breaches (>20%)
  • After data storage devices, data posted online & insider theft are the next two most reported causes of breaches
  • Nearly 40% of reported breaches did not disclose how many consumer records were affected

Though it is very likely that the actual number of breaches is higher due to underreporting, part of the increase in 2008 breaches may be due to an increase in reporting. Companies may be doing better audits to their own security measures as a result of better laws on data breach notification. Linda Foley, co-founder of ITRC, said it is difficult to say whether the numbers show an increase in breaches, an increase in reporting, or both. She said better state laws on data breach notification also might be encouraging more companies to audit their own security measures.

“Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them,” Foley said. “The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.”

Download the 2-part report here:

A number of other 2008 reports are available, breaking down this information. Examples include reports on Accidental Exposure and Insider Theft.

Via Washington Post

Scottish Ambulance Service Avoids Serious Breach

Thursday, July 17th, 2008

The Scottish Ambulance Service in the UK has lost a data disk containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike many other incidents of a similar kind, the computer disc was both password protected and encrypted.

A computer disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records – numbers and patient names – from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data procedures but that, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC
