Real Theft Reports - Laptop Security Blog

Data Breach Roundup

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport.

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April; affected individuals are being mailed according to the information stored.

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs.

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both Ohio University and the University of Houston accidentally posted Social Security Numbers online. This is an increasingly common source of breaches, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here?

Scottish Ambulance Service Avoids Serious Breach

The Scottish Ambulance Service in the UK has lost a data disk containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike many other incidents of a similar kind, the computer disc was both password protected and encrypted.

A computer disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records - numbers and patient names - from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data procedures but that, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC

AHCA Database Security Flaw & Potential Breach

Who Breached: The Agency for Health Care Administration
Number Affected: 55,000
Information breached: Social Security Numbers
How: Database security flaw

The Agency for Health Care Administration may have breached the personal information for 55,000 Organ and Tissue Donors listed in their registry. The information in the registry includes Social Security Numbers.

On June 20th, the Agency learned of a security flaw in the Organ and Tissue Registry and immediately took it offline. The system was fixed, and the 55,000 affected individuals will be contacted by mail.

The Florida-based agency has set up a breach FAQ for the public on their website here. A press release can be found here (PDF).

Via attrition, AP

Montgomery Ward Fails to Notify Consumers of Breach

Who Breached: Montgomery Ward
Number Affected: 51,000+
Information breached: Credit card information
How: hackers

Montgomery Ward (a furniture retailer) has failed to notify more than 51,000 customers that their credit card numbers were breached in December, 2007.

Montgomery Ward, a brick & mortar institution that went bankrupt in 2001 and came back as an online retailer at Wards.com, is owned by Direct Marketing Services.

According to the reports, hackers stole 51,000 to 200,000 credit card records in December 2007. While the major credit cards were notified of the breach, customers were not. This clearly goes against various breach notification laws, and Montgomery Ward could face legal suits.

CardCops, a group that tracks payment-card theft for financial institutions, spotted hackers mentioning the sale of the cards in June, bringing this story to the public. Since the story broke, Direct Marketing Services first said they had met their obligations, but later announced that victims of the breach would be contacted.

Likely, without public pressure, consumers would not have been notified of this breach. Wards.com has yet to release information about the breach.

Via attrition, sc magazine, consumerist, AP

2.2 Million Affected by University of Utah Hospitals Breach

Who Breached: University of Utah Hospitals and Clinics
Number Affected: 2.2 million
Information breached: Social Security Numbers & billing records
How: backup tapes stolen from vehicle

2.2 million patients have been affected by a breach at the University of Utah Hospitals and Clinics.

A courier delivering billing records on backup tapes to a storage center failed to drop off the records immediately. Instead, he went to work a second job and then went home. The records were stolen from the vehicle, a Ford Explorer, some time that night on June 1st. The driver, who worked for Perpetual Storage for the past 18 years, has been fired.

The billing records included Social Security Numbers for 1.3 million people treated at the University in the past 16 years.

It will take over $500,000, just in stamps and envelopes, for the University to notify affected people. The hospital is offering free credit monitoring to the 2.2 million affected. The University of Utah Hospitals and Clinics is also offering a $1000 reward for any information related to the theft.

There was also another major breach this week by Stanford University - 72,000 employees were affected after a laptop was stolen. You can read more here.

Via attrition, kutv; image: deanjenkins @morguefile

Bank of New York Mellon Breach Affects 4.5 Million

Who Breached: Bank of New York Mellon
Number Affected: 4.5 Million
Information breached: Social Security Numbers
How: backup tape lost

The Bank of New York Mellon has breached the data of 4.5 million people after an unencrypted backup tape disappeared three months ago from a third party storage company, Archive Systems. The company was to transport ten tapes to a data storage facility, but one went missing.

The missing data tape, which includes Social Security Numbers and bank account information for 4.5 million people (consumers, investors), went missing on February 27, 2008. The lock on the transportation truck was damaged, so it is possible the tape was stolen. The Bank of New York Mellon has not addressed concerns about why the backup tapes were not encrypted. No information about the breach is available on the bank website.

Attorney General Richard Blumenthal says that the breach “seems highly dangerous” and potentially devastating with the threat of identity theft. Blumenthal is demanding that Bank of New York Mellon provide affected customers with more than just credit monitoring (suggestions include identity theft insurance and free credit freezes).

“I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing. Neither People’s nor its customers were promptly notified. Even now, many may be in the dark.” - Blumenthal

Although the data breach occurred three months ago, consumers only began to be notified six weeks ago. The second half of affected consumers are being notified this week.

You can read more from Richard Blumenthal’s letter here. [PDF]

Via attrition, norwalk plus, sc magazine, reuters, informationweek; image: clarita @morguefile

Connecting the Data Breach Dots

Kudos to the writer over at Chronicles of Dissent for connecting the dots between two data breaches related to the loss of a single laptop.

The two data breaches were reported separately - one by SavaSeniorCare Administrative Services and one by Mariner Health Care. Both reported that employee 401k data was compromised from a computer stolen from Windham Brannon, P.C., a firm that provides audit services.

The single computer apparently held data for both companies, affecting exactly 2199 Maryland residents for both breaches. That is an odd figure to have in common, and it calls into question the accuracy of the data reported.

The computer, which was stolen on December 31, 2007 and recovered on January 7, 2008, had been reformatted a few hours after it was stolen and consultants were unable to determine if files had been accessed before they were destroyed. The details about it all are a little fuzzy, however. It is not clear how many “other clients” were affected, as mentioned in the report.

You can read about the breaches here and here [PDF].

University of Miami Breach

Who Breached: University of Miami
Number Affected: 2.1 million
Information breached: Social Security Numbers, some financial data
How: laptop

The University of Miami has lost a case of computer tapes containing the confidential information of 2.1 million patients. The case was stolen from a van used by a private off-site storage company.

Anyone who was a patient of a University of Miami physician since 1999 has been affected by the breach. The University will be notifying only those customers whose financial data may have been included (credit card or other billing information), which affects 47,000 patients. The data included Social Security Numbers or health information in all instances, so it’s not clear why the breach notification is being restricted.

The University of Miami hired a security expert from Terremark Worldwide to determine if the data on similar tapes could be accessed. The expert believes, after a week of trying, that the proprietary compression and encoding would make the data difficult to access.

More information from the University of Miami about this breach can be found here.

Other sizable data breaches this week:

Via attrition.org, miami herald

University of Virginia Breaches 7,000 after laptop theft

Who Breached: University of Virginia (UVa)
Number Affected: 7,000
Information breached: Social Security Numbers
How: laptop theft

Daily Progress is reporting that the University of Virginia (UVa) has breached the information of 7,000 students, staff and faculty members as the result of a laptop theft. The laptop contained personally identifiable information including names and Social Security Numbers.

The laptop was stolen from an employee at an “undisclosed location” off-campus in Albemarle County. Carol Wood, UVa spokeswoman, said that letters have been mailed to those affected by the data breach.

Students have been expressing their concern and frustration that their personal data would be left on an unsecured laptop despite the myriad of data breaches caused by such negligence.

The University of Virginia experienced a data breach in June, 2007 that was the result of a hacker accessing 5,735 faculty records over a two-year period. The University claims that the use of Social Security Numbers as a personal identification number was being phased out. Obviously, not soon enough.

Other notable data breaches this week:

hat tip to Attrition.org

Saskatchewan Finds Second Set of Abandoned Medical Files

Who Breached: Various doctors in Saskatchewan
Number Affected: Unknown
Information breached: Medical records
How: Abandoned Files

79 boxes of personal medical files were found in a vacant, unlocked office in the city of Moose Jaw in Saskatchewan. The files were found following a telephone tip left after a breach of medical files in Yorkton was made public at the end of March. Officials believe there is a connection between the two finds.

In late March, five boxes of abandoned medical files for as many as 900 patients were found in a vacant office. The boxes were found via an anonymous tip in the city of Yorkton in a building that was not associated with any past medical offices.

Saskatchewan’s Information and Privacy Commissioner Gary Dickson said the announcement of the first breach generated telephone tips, one of which led to the second find. Details about the second find are still coming to light:

“It appears to involve a number of different physicians,” Dickson said. “We think some of these physicians may in fact still be practicing in the province.”

Physicians and licensed professionals are required by provincial law to safeguard personal health information. Violations come with a hefty price tag of up to $50,000 per person or $500,000 per organization. Such fines have never been issued in Saskatchewan. The College of Physicians and Surgeons of Saskatchewan will participate in the privacy commission’s inquiry.

Via upi, upi2