Archive for the ‘Real Theft Reports’ Category

Scottish Ambulance Service Avoids Serious Breach

Thursday, July 17th, 2008

The Scottish Ambulance Service in the UK has lost a data disc containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike in many similar incidents, the computer disc was both password protected and encrypted.

A computer disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records – numbers and patient names – from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data procedures but that, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC

AHCA Database Security Flaw & Potential Breach

Wednesday, July 16th, 2008

Who Breached: The Agency for Health Care Administration
Number Affected: 55,000
Information breached: Social Security Numbers
How: Database security flaw

The Agency for Health Care Administration may have breached the personal information for 55,000 Organ and Tissue Donors listed in their registry. The information in the registry includes Social Security Numbers.

On June 20th, the Agency learned of a security flaw in the Organ and Tissue Registry and immediately took it offline. The system was fixed, and the 55,000 affected individuals will be contacted by mail.

The Florida-based agency has set up a breach FAQ for the public on their website here. A press release can be found here (PDF).

Via attrition, AP

Montgomery Ward Fails to Notify Consumers of Breach

Monday, July 7th, 2008

Who Breached: Montgomery Ward
Number Affected: 51,000+
Information breached: Credit card information
How: hackers

Montgomery Ward (a furniture retailer) has failed to notify more than 51,000 customers that their credit card numbers were breached in December, 2007.

Montgomery Ward, a brick & mortar institution that went bankrupt in 2001 and came back as an online retailer at Wards.com, is owned by Direct Marketing Services.

According to the reports, hackers stole 51,000 to 200,000 credit card records in December 2007. While the major credit cards were notified of the breach, customers were not. This clearly goes against various breach notification laws, and Montgomery Ward could face legal suits.

CardCops, a group that tracks payment-card theft for financial institutions, spotted hackers mentioning the sale of the cards in June, bringing this story to the public. Since the story broke, Direct Marketing Services first said they had met their obligations, but later announced that victims of the breach would be contacted.

Likely, without public pressure, consumers would not have been notified of this breach. Wards.com has yet to release information about the breach.

Via attrition, sc magazine, consumerist, AP

2.2 Million Affected by University of Utah Hospitals Breach

Wednesday, July 2nd, 2008

Who Breached: University of Utah Hospitals and Clinics
Number Affected: 2.2 million
Information breached: Social Security Numbers & billing records
How: backup tapes stolen from vehicle

2.2 million patients have been affected by a breach at the University of Utah Hospitals and Clinics.

A courier delivering billing records on backup tapes to a storage center failed to drop off the records immediately. Instead, he went to work a second job and then went home. The records were stolen from the vehicle, a Ford Explorer, some time that night on June 1st. The driver, who worked for Perpetual Storage for the past 18 years, has been fired.

The billing records included Social Security Numbers for 1.3 million people treated in the University in the past 16 years.

It will take over $500,000, just in stamps and envelopes, for the University to notify affected people. The hospital is offering free credit monitoring to the 2.2 million affected. The University of Utah Hospitals and Clinics is also offering a $1000 reward for any information related to the theft.

There was also another major breach this week by Stanford University – 72,000 employees were affected after a laptop was stolen. You can read more here.

Via attrition, kutv ; image: deanjenkins @morguefile

Bank of New York Mellon Breach Affects 4.5 Million

Friday, May 23rd, 2008

Who Breached: Bank of New York Mellon
Number Affected: 4.5 Million
Information breached: Social Security Numbers
How: backup tape lost

The Bank of New York Mellon has breached the data of 4.5 million people after an unencrypted backup tape disappeared three months ago from a third party storage company, Archive Systems. The company was to transport ten tapes to a data storage facility, but one went missing.

The data tape, which includes Social Security Numbers and bank account information for 4.5 million people (consumers, investors), went missing on February 27, 2008. The lock on the transportation truck was damaged, so it is possible the tape was stolen. The Bank of New York Mellon has not addressed concerns about why the backup tapes were not encrypted. No information about the breach is available on the bank website.

Attorney General Richard Blumenthal says that the breach “seems highly dangerous” and potentially devastating with the threat of identity theft. Blumenthal is demanding that Bank of New York Mellon provide affected customers with more than just credit monitoring (suggestions include identity theft insurance and free credit freezes).

“I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing. Neither People’s nor its customers were promptly notified. Even now, many may be in the dark.” – Blumenthal

Although the data breach occurred three months ago, consumers only began to be notified six weeks ago. The second half of affected consumers are being notified this week.

You can read more from Richard Blumenthal’s letter here. [PDF]

Via attrition, norwalk plus, sc magazine, reuters, informationweek ; image: clarita @morguefile

Connecting the Data Breach Dots

Tuesday, May 13th, 2008

Kudos to the writer over at Chronicles of Dissent for connecting the dots between two data breaches related to the loss of a single laptop.

The two data breaches were reported separately – one by SavaSeniorCare Administrative Services and one by Mariner Health Care. Both reported that employee 401k data was compromised from a computer stolen from Windham Brannon, P.C., a firm that provides audit services.

The single computer apparently held data for both companies, affecting exactly 2199 Maryland residents for both breaches. That is an odd figure to have in common, and it calls into question the accuracy of the data reported.

The computer, which was stolen on December 31, 2007 and recovered on January 7, 2008, had been reformatted a few hours after it was stolen and consultants were unable to determine if files had been accessed before they were destroyed. The details about it all are a little fuzzy, however. It is not clear how many “other clients” were affected, as mentioned in the report.

You can read about the breaches here and here [PDF].


University of Miami Breach

Wednesday, April 23rd, 2008

Who Breached: University of Miami
Number Affected: 2.1 million
Information breached: Social Security Numbers, some financial data
How: laptop

The University of Miami has lost a case of computer tapes containing the confidential information of 2.1 million patients. The case was stolen from a van used by a private off-site storage company.

Anyone who was a patient of a University of Miami physician since 1999 has been affected by the breach. The University will be notifying only those customers whose financial data may have been included (credit card or other billing information), which affects 47,000 patients. The data included Social Security Numbers or health information in all instances, so it’s not clear why the breach notification is being restricted.

The University of Miami hired a security expert from Terremark Worldwide to determine if the data on similar tapes could be accessed. The expert believes, after a week of trying, that the proprietary compression and encoding would make the data difficult to access.

More information from the University of Miami about this breach can be found here.

Other sizable data breaches this week:

Via attrition.org, miami herald

University of Virginia Breaches 7,000 after laptop theft

Friday, April 18th, 2008

Who Breached: University of Virginia (UVa)
Number Affected: 7,000
Information breached: Social Security Numbers
How: laptop theft

Daily Progress is reporting that the University of Virginia (UVa) has breached the information of 7,000 students, staff and faculty members as the result of a laptop theft. The laptop contained personally identifiable information including names and Social Security Numbers.

The laptop was stolen from an employee at an “undisclosed location” off-campus in Albemarle County. Carol Wood, UVa spokeswoman, said that letters have been mailed to those affected by the data breach.

Students have been expressing their concern and frustration that their personal data would be left on an unsecured laptop despite the myriad of data breaches caused by such negligence.

The University of Virginia experienced a data breach in June, 2007 that was the result of a hacker accessing 5,735 faculty records over a two-year period. The University claims that the use of Social Security Numbers as a personal identification number was being phased out. Obviously, not soon enough.

Other notable data breaches this week:

hat tip to Attrition.org

Saskatchewan Finds Second Set of Abandoned Medical Files

Monday, April 14th, 2008

Who Breached: Various doctors in Saskatchewan
Number Affected: Unknown
Information breached: Medical records
How: Abandoned Files

79 boxes of personal medical files were found in a vacant, unlocked office in the city of Moose Jaw in Saskatchewan. The files were found from a telephone tip left after a breach of medical files in Yorkton was made public at the end of March. Officials believe there is a connection between the two finds.

In late March, five boxes of abandoned medical files for as many as 900 patients were found in a vacant office. The boxes were found via an anonymous tip in the city of Yorkton in a building that was not associated with any past medical offices.

Saskatchewan’s Information and Privacy Commissioner Gary Dickson said the announcement of the first breach generated telephone tips, one of which led to the second find. Details about the second find are still coming to light:

“It appears to involve a number of different physicians,” Dickson said. “We think some of these physicians may in fact still be practicing in the province.”

Physicians and licensed professionals are required by provincial law to safeguard personal health information. Violations come with a hefty price tag of up to $50,000 per person or $500,000 per organization. Such fines have never been issued in Saskatchewan. The College of Physicians and Surgeons of Saskatchewan will participate in the privacy commission’s inquiry.

Via upi, upi2

WellPoint Extended Online Breach

Wednesday, April 9th, 2008

Who Breached: WellPoint Inc.
Number Affected: 128,000
Information breached: Social Security Numbers (maybe)
How: exposed online over the past year

The personal information of 128,000 WellPoint customers in 7 states was exposed online over a one-year period. The information may have included Social Security Numbers and pharmacy or medical data.

Two WellPoint servers maintained by an outside data management vendor, unidentified, were the source of the security breach. Early last year, it was known that a server was improperly secured and that information for 1350 customers may have appeared online. That breach was fixed. However, a second server was recently found to be insecure, putting an additional 128,000 customers at risk for the period of about a year. The information appeared online, but had ‘code protection’ to prevent it from being found via a search engine.

WellPoint spokeswoman Shannon Troughton says that the problem has been fixed and that customers are being notified. Credit-monitoring services are being offered for one year. It is not clear why an investigation into the security of all servers with the vendor was not conducted after the first error was found.

WellPoint is not new to security issues. In October 2006, stolen back-up computer tapes exposed the data of 200,000 members and in 2007, data for 75,000 members went missing during a shipment between vendors.

Via business week
