Archive for the ‘Real Theft Reports’ Category

Veterans Affairs $20 Million Breach Settlement

Wednesday, January 28th, 2009

The U.S. Department of Veterans Affairs (VA), which suffered a data breach affecting 26.5 million people in 2006, has agreed to pay $20 million to veterans affected by the breach.

The VA data breach of 2006, which was listed as one of the 10 largest data breaches since 2000 and as one of the worst breaches ever, was the result of a computer going missing from the home of an employee, who had taken the computer home without permission. The computer contained insurance claim data (including Social Security Numbers and insurance information) for 26.5 million active duty troops and veterans, leaving them open to identity theft and fraud.

The FBI was able to recover the equipment and apprehended the thieves; the VA found no evidence that data had been compromised. The VA Inspector General faulted the data analyst and his supervisors for putting veterans at unreasonable risk. A series of delays after the employee notified his superiors meant that affected veterans were not told about the breach until 3 weeks later.

Five veteran groups filed a class-action lawsuit against the VA alleging invasion of privacy. The lawsuit sought $1000 in damages for violations of privacy for each of the military personnel affected. This would have amounted to $26.5 billion in damages.

In court filings on Tuesday, lawyers for the VA and the veterans represented in the suit agreed to settle the lawsuit for $20 million. After the settlement, VA spokesman Phil Budahn said in a statement:

“We want to assure veterans there is no evidence that the information involved in this incident was used to harm a single veteran.”

The money for the settlement will come from the U.S. Treasury and will go to veterans who can show they suffered “actual harm” (physical symptoms of emotional distress or expenses) as the result of the breach. I’ll be curious to see how they determine the ‘proof’ of these items. Each veteran will receive $75 – $1500 upon proving their suffering. Any remainder of funds will be donated to veterans’ charities. U.S. District Judge James Robertson must approve the terms of this settlement before it becomes final.

In November of 2007, the VA suffered a smaller breach, affecting 12,000, after 3 computers were stolen. They have suffered other data breaches, affecting up to 1.8 million, several times since 2006. Let’s hope this settlement means that the VA is truly accepting responsibility for the data breach suffered in 2006.

Via Yahoo, SC Magazine

Payment System Breach May Expose 100 Million

Thursday, January 22nd, 2009

Who Breached: Heartland Payment Systems
Number Affected: As many as 100 Million+
Information breached: Credit Card Data
How: Network compromised

In a breach to rival those of TJX (~45 – 94 million) in the US and HMRC (25 million) in the UK, Heartland Payment Systems announced on January 20th that they have uncovered malicious software in their processing system. Cyber criminals gained access to their network and to the 100 million credit card transactions it handles each month.

Although no merchant information or Social Security Numbers were compromised, data that was improperly accessed included the information on a card’s magnetic strip (card number, expiration date, bank codes), which could be used to duplicate the cards. Heartland says that it cannot estimate the number of records that may have been accessed.

Avivah Litan, analyst at Gartner, calls the Heartland Payment Systems breach the “largest card-data breach ever”. Heartland’s president says it’s too early for such a “speculative” statement.

Heartland has set up a breach website with a statement of the incident:

“After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.”

At the time of this breach, Heartland did not have real-time monitoring of network activities that would have detected the access. The company recommends that customers examine their monthly statements closely and report any suspicious activity.

Earlier this month, CheckFree Corporation also notified more than 5 million customers that criminals took control of several of their domains and redirected customers to malicious websites.

Via FOX, Computerworld, WSJ

German Government Loses Top Secret Files

Monday, December 22nd, 2008

According to The Local, the German government has admitted to losing 332 top secret files over the past 10 years. Problem is, the files were so top secret that nobody knows what was in them.

The German Interior Ministry was forced to admit to the loss of files during a parliamentary session when they were questioned by the Free Democrats (FDP). The government admits that the 332 files are still missing, and that the files were of “considerable significance.”

The questioning also revealed that nearly 3,200 top secret files were destroyed rather than archived during the last legislature period. These files covered topics such as organized crime, surveillance, and ‘research’ of other states. This, as well as the breach / loss of the 332 files, points to issues with having a firm data retention policy. Although the two issues may not be related, given that the top secret files may have been destroyed in order to avoid any 30 year information release rule that may be created, it’s clear that governments all around the world are struggling to stay on top of information security.

In other Government data loss news, a FOX reporter was able to buy a McCain campaign Blackberry loaded up with confidential information – Computrace Mobile would have erased all of it. And Fergie, Duchess of York, is the victim of laptop theft and worries about private photos leaking – see what Absolute’s Bill Pound had to say about it.

Starbucks Data Breach Mirrors that of 2006

Tuesday, December 2nd, 2008

Who Breached: Starbucks
Number Affected: 97,000
Information breached: Social Security Numbers
How: stolen laptop

Starbucks Corp. confirmed this week that a laptop containing the information of 97,000 employees was stolen.

A Starbucks laptop containing names, addresses and Social Security Numbers was stolen on October 29th. It is not clear if the laptop was protected in any way, or how it was stolen.

In 2006, Starbucks reported the theft of four laptop computers, so it is sad that such an issue would again come to light. In 2006, the breach affected 60,000 Starbucks employees / partners. Although the Starbucks statement to employees, after this most recent breach, indicates that the company is taking steps to protect data, including encryption, one would hope that those steps would have occurred in the 2-year period since the last breach. A copy of the letter sent to affected Starbucks employees can be found here.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute.

Other major data breaches for November, 2008:

  • Luxottica Group, 59,000+ affected, hacker
  • University of Florida College of Dentistry, 344,000+, compromised server
  • Christus Health Care, thousands, stolen backup tapes
  • Harvard Law School, 21,000, lost backup tapes
  • North Carolina Division of Aging and Adult Services, 85,000+, lost laptop
  • Baylor Health Care System Inc., 100,000, stolen laptop
  • Arizona Department of Economic Security, 40,000, stolen hard drives

And in other news…

In a very strong statement, Canada’s Privacy Commissioner Jennifer Stoddart called Canada to shame for inaction on cybercrime. Stoddart called it an “embarrassment” that Canada does not protect the rights of individuals with provisions such as anti-spam legislation, strong identity theft legislation, or mandatory data breach provisions.

Via datalossdb

Risks with Outsourced Call Centers

Friday, October 31st, 2008

Consumerist has published an insider report that gives a disturbing look into the data security threats present when call centers are outsourced.

The insider, a former Chase call center rep, tells the story of a thief able to repeatedly commit credit card fraud by calling an outsourced security department. All he needed to know was a name, Social Security number and a mother’s maiden name.

The Chase call center employee, who worked in the US, flagged the caller as a potential thief. He had called repeatedly trying to sleuth out all the security questions that come up when attempting to access an account. As a result, the Chase employee forwarded the call to security – which had been outsourced to the Philippines.

The US security department had access to LexisNexis to verify more personal information, while the Philippine security department did not. As a result, for weeks the thief would be bumped to security, only to be approved and cleared back to the call center to complete his transactions. Some employees knew enough of the situation to block the transaction, but enough “newbies” did not so that the account holder (the same one each time) was stripped of more than $40,000 over time.

Although the account was repeatedly locked, the thief was able to unlock it with these details over and over again. Why? Because the handbook that the call center went by, the how-to guide that was followed word-for-word, was not set up to deal with this scenario. Although the US security department flagged the account and put on blocks and notes, the outsourced security department would unblock the account. The fraud only ended when the thief was caught.

This is just one example of the issues that arise when security is outsourced. Cultural issues, such as the gender associated with a name, could also come into play. Security is not a cut-and-dried issue, so many clever thieves are taking advantage of black-and-white security manuals in the hands of outsourced security departments to commit fraud.

Here are some additional stories I was able to dig up on outsourced call centers:

Image: milica sekulic

T-Mobile Breaches 17 Million

Friday, October 17th, 2008

Who Breached: Deutsche Telekom’s T-Mobile
Number Affected: 17 million
Information breached: Social Security Numbers
How: laptop

T-Mobile, subsidiary of Deutsche Telekom, has issued notice that a major data breach from 2006, affecting 17 million customers, has resurfaced as an issue. The information included names, addresses and phone numbers. No banking details were lost.

The data loss occurred in 2006, but details of the breach event became public on October 4th, 2008 in this statement. The company published this report publicly after a German news magazine reported that the data was up for sale on the Internet.

Deutsche Telekom says that a data storage medium with records for 17 million people was found, and that there was no record of unauthorized use of the data. However, the German news magazine found the data online for sale. The data includes home address and unlisted phone numbers for celebrities, business leaders, government ministers and more.

Here is an excerpt from Deutsche Telekom’s response:

In spring 2006, Deutsche Telekom immediately reported the theft to the responsible public prosecutors’ office. Within the scope of their investigations, the public prosecutors’ office was able to recover storage media. Extensive research conducted over several months on the Internet and in data trading places could not reveal any clues indicating that the data had been offered or disseminated on the black market. Owing to this, Deutsche Telekom assumed that there would be no dissemination of the data. However, Der Spiegel was apparently able to access the data in question via third parties.

The company expresses concern that the breach incident is relevant once again, being previously under the assumption that the matter had been closed. They “regret to say that [they] have not been able to protect… customer data in line with [their] standards.”

Deutsche Telekom says that security measures have been significantly tightened since 2006. These measures include: complex passwords, access authorization, and access monitoring, among other measures. They have set up a FAQ on the data breach here.

Other recent notable data breaches:

  • University of North Dakota – Stolen Laptop, 84,554 affected
  • University of Indianapolis – Hacker, 11,000 affected
  • The Whittington Hospital NHS Trust – lost CDs, 17,990 affected
  • CCN – hacker, 98,930 affected

Via datalossdb.org, vnunet, NY Times

Insiders at GS Caltex Steal Info of 11 Million

Tuesday, September 9th, 2008

Who Breached: GS Caltex
Number Affected: 11,000,000
Information breached: Social Security Numbers
How: Insider stealing data

Four people have been arrested in connection with a major data breach at GS Caltex, a Total Energy Service provider based out of South Korea. This is being called the country’s largest data breach to date.

Earlier this month, CDs and DVDs containing the names, Social Security numbers and email addresses of 11 million GS Caltex customers were found in the garbage in Seoul. The data included information on government officials, lawmakers and politicians.

Investigators on the case say one of the suspects exposed the leak to the media in a publicity campaign aimed at boosting the market value of the data! This is the first time I’ve heard of such a tactic.

The four people arrested on Sunday included two employees of a GS Caltex subsidiary. One suspect is alleged to have copied the database while working at a call center.

The data was copied onto several CDs and DVDs, which presents several issues: that sensitive data could be accessed by a call center employee, that data could be copied to external devices, and that none of this was being tracked internally.

Other recent large data breaches:

  • National Technical Institute for the Deaf, 13,800 Affected, Stolen Laptop
  • Louisiana Real Estate Commission, 13,000 Affected, Insider Accident
  • InterActive Financial Marketing Group (IFMG), 92,095 Affected, Hacker

Via datalossdb.org, AFB

Countrywide Financial Insider Breaches 2 Million

Monday, August 11th, 2008

Who Breached: Countrywide Financial Corporation
Number Affected: 2,000,000
Information breached: Social Security Numbers
How: Insider theft

It’s not very often we hear about intentional insider breaches of information, particularly on this scale. The FBI arrested a former Countrywide Financial Corporation employee and another man in connection with the alleged theft and sale of the information of as many as 2 million mortgage applicants. The personal information of the mortgage applicants included Social Security Numbers.

The breach occurred over a two-year period until it was discovered this July. The insider arrested worked as a senior financial analyst at the lending division of Countrywide, Full Spectrum Lending. The second man arrested is the alleged reseller of the stolen data.

US Attorney spokesman Thom Mrozek says most, or all, of the names were being sold to people within the mortgage industry in order to make new pitches. The insider, who volunteered details to the FBI, would sell batches of about 20,000 customers as “leads” to outside loan agents at approximately 2.5 cents per name, a very low amount on the black market. It is unknown if any of the information was used for fraud or identity theft.

“It’s the potential for new-account fraud that arises when Social Security accounts are compromised,” said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse. “That’s the most serious kind of financial identity theft,” because large amounts can be involved and the fraud is more difficult to detect than it is on preexisting accounts.

“This guy obviously didn’t do his homework. He doesn’t know the value of these on the black market,” she said.

The theft was perpetrated via an unsecured external hard drive. He was able to use one computer in the Spectrum Lending office that he knew to be insecure, missing the security feature that disabled the use of external drives. There was no process of detection in place that would prevent this unsecured computer from accessing network data, nor any procedure in place to prevent unauthorized copying of data.

To learn from this breach:

  1. Audit user access to data, to ensure users have only necessary access to data
  2. Monitor data access – what is accessed and by whom
  3. Restrict copying of data
  4. Add real-time detection – be able to detect unauthorized attempts to access data, insecure computer connections, and unusual user activity
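The controls in the list above, sketched as an added example that is not from the original post: a batch review of data-access events that flags workstations lacking the removable-media block and users whose weekly record reads exceed what their role needs. The event fields, host inventory, role limits and sample events are all constructed assumptions; the 20,000-record batch size is the figure reported above.

```python
from collections import defaultdict, namedtuple

# All names, fields and thresholds below are assumptions for illustration.
Event = namedtuple("Event", "week user host records_read")
Finding = namedtuple("Finding", "kind user week detail")

# Constructed inventory: is the removable-media block enforced on each host?
USB_BLOCKED = {"ws-101": True, "ws-102": True, "ws-117": False}

# Constructed policy: weekly ceiling on customer records read, per role.
ROLE_LIMIT = {"loan_officer": 500, "analyst": 2_000}
USER_ROLE = {"alice": "loan_officer", "bob": "analyst", "carol": "analyst"}

# Constructed sample of data-access events (not real log data).
EVENTS = [
    Event(27, "alice", "ws-101", 120),
    Event(27, "bob", "ws-102", 1_500),
    Event(27, "carol", "ws-117", 20_000),
    Event(28, "bob", "ws-102", 1_800),
    Event(28, "carol", "ws-117", 20_000),
    Event(28, "dave", "ws-999", 10),   # user and host missing from inventory
]

def review(events, usb_blocked=USB_BLOCKED, roles=USER_ROLE, limits=ROLE_LIMIT):
    """Return findings for uncontrolled hosts and over-limit weekly reads."""
    findings = []
    weekly = defaultdict(int)   # (user, week) -> records read
    reported = set()            # (user, host) pairs already flagged
    for e in events:
        # Fail closed: a host absent from the inventory counts as unblocked.
        if not usb_blocked.get(e.host, False) and (e.user, e.host) not in reported:
            reported.add((e.user, e.host))
            findings.append(Finding("UNCONTROLLED_HOST", e.user, e.week, e.host))
        weekly[(e.user, e.week)] += e.records_read
    for (user, week), total in sorted(weekly.items()):
        # Fail closed: a user with no known role gets a limit of zero.
        limit = limits.get(roles.get(user), 0)
        if total > limit:
            findings.append(Finding("BULK_READ", user, week, total))
    return findings

if __name__ == "__main__":
    for f in review(EVENTS):
        print(f)
```

Both lookups fail closed, so a workstation or user missing from the inventory is reported instead of silently passing.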

Via LA Times, Computer World

Data Breach Roundup

Thursday, July 31st, 2008

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport.

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April; affected individuals are being mailed according to the information stored.

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs.

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both the Ohio University and the University of Houston accidentally posted Social Security Numbers online. An increasingly common source of breach, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here?


Scottish Ambulance Service Avoids Serious Breach

Thursday, July 17th, 2008

The Scottish Ambulance Service in the UK has lost a data disk containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike many other incidents of a similar kind, the computer disc was both password protected and encrypted.

A computer disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records – numbers and patient names – from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data procedures but that, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC
