Archive for the ‘Data Breach’ Category

Insiders at GS Caltex Steal Info of 11 Million

Tuesday, September 9th, 2008

Who Breached: GS Caltex
Number Affected: 11,000,000
Information breached: Social Security Numbers
How: Insider stealing data

Four people have been arrested in connection with a major data breach at GS Caltex, a Total Energy Service provider based out of South Korea. This is being called the country’s largest data breach to date.

Earlier this month, CDs and DVDs containing the names, Social Security numbers and email addresses of 11 million GS Caltex customers were found in the garbage in Seoul. The data included information on government officials, lawmakers and politicians.

Investigators on the case say one of the suspects exposed the leak to the media in a publicity campaign aimed at boosting the market value of the data! This is the first time I’ve heard of such a tactic.

The four people arrested on Sunday included two employees of a GS Caltex subsidiary. One suspect is alleged to have copied the database while working at a call center.

The data was copied onto several CDs and DVDs, which presents several issues: that sensitive data could be accessed by a call center employee, that data could be copied to external devices, and that none of this was being tracked internally.

Other recent large data breaches:

  • National Technical Institute for the Deaf, 13,800 Affected, Stolen Laptop – more here
  • Louisiana Real Estate Commission, 13,000 Affected, Insider Accident – more here
  • InterActive Financial Marketing Group (IFMG), 92,095 Affected, Hacker – more here

Via datalossdb.org, AFB

Banking Details Sold on eBay

Thursday, August 28th, 2008

Who Breached: Graphic Data (holding 3rd party data)
Number Affected: Millions
Information breached: Financial records
How: Computer sold on eBay

Several million people have been affected after a computer was sold “inappropriately to a third party” via eBay. The computer contained sensitive information on customers from the Royal Bank of Scotland, American Express and NatWest.

A former employee of the archiving company Graphic Data (owned by MailSource UK) sold a machine that contained the banking information. Information included account numbers, passwords, phone numbers and signatures. The computer was sold on eBay for £35 to an IT manager, Andrew Chapman, who came forward after noticing the data on the hard drive.

Click here for a video of Andrew Chapman being interviewed about buying the computer & its data.

The Information Commissioner’s Office (ICO) has launched an investigation into how this mistake happened and what steps will be taken to prevent a similar incident. According to MailSource UK, the computer was sold without authorization.

“The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed” – Nicole Morgan, MailSource UK

The data on the hard drive was not wiped before the computer was sold (and even wiped data can often be recovered).

Via daily mail, forbes, bbc

Countrywide Financial Insider Breaches 2 Million

Monday, August 11th, 2008

Who Breached: Countrywide Financial Corporation
Number Affected: 2,000,000
Information breached: Social Security Numbers
How: Insider theft

It’s not very often we hear about intentional insider breaches of information, particularly on this scale. The FBI arrested a former Countrywide Financial Corporation employee and another man in connection with the alleged theft and sale of the information of as many as 2 million mortgage applicants. The personal information of the mortgage applicants included Social Security Numbers.

The breach occurred over a two-year period until it was discovered this July. The insider arrested worked as a senior financial analyst at the lending division of Countrywide, Full Spectrum Lending. The second man arrested is the alleged reseller of the stolen data.

US Attorney spokesman Thom Mrozek says most, or all, of the names were being sold to people within the mortgage industry in order to make new pitches. The insider, who volunteered details to the FBI, would sell batches of about 20,000 customers as “leads” to outside loan agents at approximately 2.5 cents per name, a very low amount on the black market. It is unknown if any of the information was used for fraud or identity theft.

“It’s the potential for new-account fraud that arises when Social Security accounts are compromised,” said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse. “That’s the most serious kind of financial identity theft,” because large amounts can be involved and the fraud is more difficult to detect than it is on preexisting accounts.

“This guy obviously didn’t do his homework. He doesn’t know the value of these on the black market,” she said.

The theft was carried out with an unsecured external hard drive. He used one computer in the Spectrum Lending office that he knew to be insecure: it lacked the control that disabled external drives on the other machines. No detection process prevented this unsecured computer from accessing network data, and no procedure prevented unauthorized copying of data.

To learn from this breach:

  1. Audit user access to data, so that users have only the access they need
  2. Monitor data access – what is accessed and by whom
  3. Restrict copying of data
  4. Add real-time detection – be able to detect unauthorized attempts to access data, insecure computer connections, and unusual user activity
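As an added example (not part of the original post, and not code from Countrywide or any tool mentioned here), the rules below run over a constructed data-access audit log and show how each of the four lessons could be checked mechanically; the log format, host names, and thresholds are assumptions.

```python
"""Added example: simple detection rules over a constructed audit log.
Log format, field names, host names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, host, action, record count.
SAMPLE_LOG = """\
2008-06-02T09:15:00 jdoe WS-114 query 120
2008-06-02T09:40:00 jdoe WS-114 query 80
2008-06-02T21:05:00 rsmith WS-201 export 20000
2008-06-02T21:07:00 rsmith WS-201 copy_removable 20000
2008-06-03T10:00:00 amiller WS-090 query 45
"""

# Assumed baselines: normal per-user volume per window, and the hosts known
# to enforce the removable-media control (WS-201 deliberately is not).
BULK_THRESHOLD = 5000
WINDOW = timedelta(hours=24)
HOSTS_WITH_REMOVABLE_MEDIA_BLOCKED = {"WS-114", "WS-090"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, host, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action, int(count)))
    return events

def detect(events):
    """Return a list of (rule, user, host) alerts, one per triggering event."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, count)] within WINDOW
    for ts, user, host, action, count in sorted(events):
        # Lessons 2 and 4 (monitor + detect): unusual record volume per user
        recent[user] = [(t, c) for t, c in recent[user] if ts - t <= WINDOW]
        recent[user].append((ts, count))
        if sum(c for _, c in recent[user]) > BULK_THRESHOLD:
            alerts.append(("bulk_access", user, host))
        # Lesson 3 (restrict copying): any copy to removable media is reportable
        if action == "copy_removable":
            alerts.append(("removable_media_copy", user, host))
        # Lesson 4 (insecure connections): data access from a host outside the
        # enforced set, i.e. the "one computer missing the control" case
        if host not in HOSTS_WITH_REMOVABLE_MEDIA_BLOCKED:
            alerts.append(("unmanaged_host_access", user, host))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only the rsmith activity on the unmanaged host trips any rule; the routine queries from the enforced hosts stay silent.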

Via LA Times, Computer World

Data Breach Roundup

Thursday, July 31st, 2008

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport. More info…

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April; affected individuals are being notified by mail based on the information stored. More info…

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs. More info…

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both Ohio University and the University of Houston accidentally posted Social Security Numbers online. This is an increasingly common source of breaches, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here?


Data Breaches Up 69% in 2008

Friday, July 18th, 2008

The Identity Theft Resource Center (ITRC) has compiled records of data breaches for the past 3 years. According to the data, 2008 has seen 69% more reported data breaches than the same period in 2007 (Jan 1 - June 27). The breaches in 2008 involved almost 17 million consumer records, with another 40% of the breaches not reporting affected numbers. Lost laptops continue to be the top security issue.

Highlights from the 2008 Data Breach Report:

  • 342 data breaches have been reported so far in 2008
  • One third of the breaches come from businesses (27% increase from 2007)
  • Full breach stats breakdown: 36.8% general businesses, 21.3% educational institutions, 17.0% government / military agencies, 14.9% health care facilities / companies, 10% banking / credit / financial services entities
  • Lost or stolen laptops / digital storage media are the most frequently cited cause of data breaches (>20%)
  • After data storage devices, data posted online & insider theft are the next two most reported causes of breaches
  • Nearly 40% of reported breaches did not disclose how many consumer records were affected

Though it is very likely that the actual number of breaches is higher due to underreporting, part of the increase in 2008 breaches may be due to an increase in reporting. Companies may be auditing their own security measures more thoroughly as a result of better data breach notification laws. Linda Foley, co-founder of ITRC, said it is difficult to say whether the numbers show an increase in breaches, an increase in reporting, or both. She said better state laws on data breach notification also might be encouraging more companies to audit their own security measures.

“Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them,” Foley said. “The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.”

Download the 2-part report here:

A number of other 2008 reports are available, breaking down this information. Examples include reports on Accidental Exposure and Insider Theft.

Via washington post

Scottish Ambulance Service Avoids Serious Breach

Thursday, July 17th, 2008

The Scottish Ambulance Service in the UK has lost a data disk containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike many other incidents of a similar kind, the computer disc was both password protected and encrypted.

A computer disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records – numbers and patient names – from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data procedures but that, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC

AHCA Database Security Flaw & Potential Breach

Wednesday, July 16th, 2008

Who Breached: The Agency for Health Care Administration
Number Affected: 55,000
Information breached: Social Security Numbers
How: Database security flaw

The Agency for Health Care Administration may have exposed the personal information of 55,000 Organ and Tissue Donors listed in its registry. The information in the registry includes Social Security Numbers.

On June 20th, the Agency learned of a security flaw in the Organ and Tissue Registry and immediately took it offline. The system was fixed, and the 55,000 affected individuals will be contacted by mail.

The Florida-based agency has set up a breach FAQ for the public on their website here. A press release can be found here (PDF).

Via attrition, AP

Montgomery Ward Fails to Notify Consumers of Breach

Monday, July 7th, 2008

Who Breached: Montgomery Ward
Number Affected: 51,000+
Information breached: Credit card information
How: hackers

Montgomery Ward (a furniture retailer) has failed to notify more than 51,000 customers that their credit card numbers were breached in December, 2007.

Montgomery Ward, a brick & mortar institution that went bankrupt in 2001 and came back as an online retailer at Wards.com, is owned by Direct Marketing Services.

According to the reports, hackers stole 51,000 to 200,000 credit card records in December 2007. While the major credit cards were notified of the breach, customers were not. This clearly goes against various breach notification laws, and Montgomery Ward could face legal suits.

CardCops, a group that tracks payment-card theft for financial institutions, spotted hackers mentioning the sale of the cards in June, bringing this story to the public. Since the story broke, Direct Marketing Services first said they had met their obligations, but later announced that victims of the breach would be contacted.

Likely, without public pressure, consumers would not have been notified of this breach. Wards.com has yet to release information about the breach.

Via attrition, sc magazine, consumerist, AP

2.2 Million Affected by University of Utah Hospitals Breach

Wednesday, July 2nd, 2008

Who Breached: University of Utah Hospitals and Clinics
Number Affected: 2.2 million
Information breached: Social Security Numbers & billing records
How: backup tapes stolen from vehicle

2.2 million patients have been affected by a breach at the University of Utah Hospitals and Clinics.

A courier delivering billing records on backup tapes to a storage center failed to immediately drop off the records. Instead, he went to work a second job and then went home. The records were stolen from the vehicle, a Ford Explorer, some time that night on June 1st. The driver, who had worked for Perpetual Storage for the past 18 years, has been fired.

The billing records included Social Security Numbers for 1.3 million people treated at the University in the past 16 years.

It will take over $500,000, just in stamps and envelopes, for the University to notify affected people. The hospital is offering free credit monitoring to the 2.2 million affected. The University of Utah Hospitals and Clinics is also offering a $1000 reward for any information related to the theft.

There was also another major breach this week by Stanford University – 72,000 employees were affected after a laptop was stolen. You can read more here.

Via attrition, kutv ; image: deanjenkins @morguefile

Data Breaches & Carding

Friday, June 27th, 2008

The Department of Justice (DoJ) has put out a report in May entitled “Data Breaches: What the Underground World of ‘Carding’ Reveals” [PDF].

Carding, defined as “a process to verify the validity of stolen card data”, is used by thieves to determine if a stolen card is still active. [Wikipedia] The term “carding” has also been expanded to include the theft and fraudulent use of credit & debit card numbers via other schemes such as hacking and phishing. The report looks at large-scale data breaches and the organized “carding” groups that exploit the stolen data.

The new DoJ report indicates that the trading of individual pieces of sensitive information is being overshadowed by “identity packages” with multiple types of sensitive information. In addition, criminals are aiming for large scale breaches affecting thousands or millions of people. Given that stolen information can disseminate quickly over the Internet, criminals can profit quickly from the fraud – often before the theft is even detected.

Pricing for Sensitive Information (first half of 2007):

  • Credit card information: $0.50 to $5.00 per card
  • Bank account information: $30.00 to $400.00
  • Full identity information: $10 to $150.79

The report gives examples of some of the well-known carding forums and discusses legislation and the challenges & solutions around the issue. You can download the report here [PDF].

Via: emergent chaos, network world ; Image credit: cohdra @ morguefile
