Security Breach - Laptop Security Blog

Data Breach Roundup

Related entries in Data Breach, Real Theft Reports, Security Breach

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport. More info…

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April, affected individuals are being mailed according to the information stored. More info…

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs. More info…

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both the Ohio University and the University of Houston accidentally posted Social Security Numbers online. An increasingly common source of breach, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here?

Tags: , , ,

Scottish Ambulance Service Avoids Serious Breach

Related entries in Data Breach, Real Theft Reports, Security Breach

The Scottish Ambulance Service in the UK has lost a data disk containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike many other incidents of a similar kind, the computer disc was both password protected and encrypted.

A computer disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records - numbers and patient names - from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data procedures but that, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC Tags: , , , ,

Celebrity Passports Repeatedly Breached

Related entries in Government Security, Security Breach, Surveys & Reports

According to a report by the State Department Inspector General, and the subsequent press briefing, a number of high profile celebrities have had their passport information breached.

In March, it was reported that the passport records for Barack Obama, Hillary Clinton and John McCain were breached in the same way. This announcement prompted an investigation by the Inspector General into passport security.

The report tested the prevalence of snooping by looking at 150 famous Americans and how many times their files were accessed in a 5.5 year period. The new report found that 127 celebrities, including Beyonce Knowles, have had their personal details illegally accessed by federal employees or contractors. One celebrity record has been breached 356 times by more than 6 dozen people.

Currently, over 20,500 employees and contractors have access to 127 million passport files, which include data such as Social Security Numbers. The report is critical of the lack of security surrounding passports and who has access to them, stating there were many “weaknesses, including a general lack of policies, procedures, guidance and training.” Five contractors have been fired and dozens are under investigation for alleged snooping.

The Inspector General laid out 22 recommendations for improving security, but much of the report has been redacted because officials fear it could provide a road map to further abuse. State Department officials plan to implement most of the recommendations, including adding random audits of passport files and reducing by half the number of people who can view records.

Here’s a video report on that story:

In other passport news, the Identity and Passport Service published its annual report (PDF) recently, announcing that there were 9382 fraudulent attempts to get a British passport, representing 0.25% of all applications.

Via computer weekly, cbs, privacy lives Tags: , , , , , ,

Top Secret al-Qaeda Info Left on Train

Related entries in Government Security, Security Breach

A senior intelligence official in the Cabinet office in the UK is responsible for a serious breach of security after leaving Top Secret documents with the latest al-Qaeda intelligence on a London commuter train. The Cabinet Official has been suspended from his job.

A fellow passenger on the June 10 train found the documents and handed them to the BBC, who then passed them to the police. The envelope contained several pages, stamped “UK Top Secret”, with the latest government intelligence on al-Qaeda and Iraq’s security forces. The documents were also stamped “for UK/US/Canadian and Australian eyes only” and were dated June 5th. The documents were entitled “Al-Qaeda: Constraints and Vulnerabilities” and “Iraqi Security Forces: More or Less Challenged?”

An official investigation is being requested of Home Secretary Jacqui Smith. In light of the events, people are asking:

  • Why were top secret documents allowed outside the office?
  • Why were top secret documents printed (ie not encrypted in a data file)?
  • Why were top secret documents read in a public place?

Given the string of serious security breaches by the UK government over the past several months, this only increases the public pressure to understand why security policies are being overlooked repeatedly. The employee in question here had the security authority to remove sensitive documents from the secure office environment if strict protocols were followed - perhaps it is time to ban such document removal altogether.

Via BBC, CNN, Reuters, Times Online Tags: , , , , , , , , ,

Bank of New York Mellon Breach Affects 4.5 Million

Related entries in Data Breach, Real Theft Reports, Security Breach

Who Breached: Bank of New York Mellon
Number Affected: 4.5 Million
Information breached: Social Security Numbers
How: backup tape lost

The Bank of New York Mellon has breached the data of 4.5 million people after an unencrypted backup tape disappeared three months ago from a third party storage company, Archive Systems. The company was to transport ten tapes to a data storage facility, but one went missing.

The missing data tape includes Social Security Numbers and bank account information for 4.5 million people (consumers, investors) went missing on February 27, 2008. The lock on the transportation truck was damaged, so it is possible the tape was stolen. The Bank of New York Mellon has not addressed concerns about why the backup tapes were not encrypted. No information about the breach is available on the bank website.

Attorney General Richard Blumenthal says that the breach “seems highly dangerous” and potentially devastating with the threat of identity theft. Blumenthal is demanding that Bank of New York Mellon provide affected customers with more than just credit monitoring (suggestions include identity theft insurance and free credit freezes).

“I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing. Neither People’s nor its customers were promptly notified. Even now, many may be in the dark.” - Blumenthal

Although the data breach occurred three months ago, consumers only began to be notified six weeks ago. The second half of affected consumers are being notified this week.

You can read more from Richard Blumenthal’s letter here. [PDF]

Via attrition, norwalk plus, sc magazine, reuters, informationweek ; image: clarita @morguefile ; Tags: , , , , , , , ,

Connecting the Data Breach Dots

Related entries in Data Breach, Real Theft Reports, Security Breach

Kudos to the writer over at Chronicles of Dissent for connecting the dots between two data breaches related to the loss of a single laptop.

The two data breaches were reported separately - one by SavaSeniorCare Administrative Services and one by Mariner Health Care. Both reported that employee 401k data was compromised from a computer stolen from Windham Brannon, P.C., a firm that provides audit services.

The single computer apparently held data for both companies, affecting exactly 2199 Maryland residents for both breaches. Kind of an odd figure to have in common, questioning the accuracy of the data reported.

The computer, which was stolen on December 31, 2007 and recovered on January 7, 2008, had been reformatted a few hours after it was stolen and consultants were unable to determine if files had been accessed before they were destroyed. The details about it all are a little fuzzy, however. It is not clear how many “other clients” were affected, as mentioned in the report.

You can read about the breaches here and here [PDF].

Tags: , , , , ,

US Department of State Missing Hundreds of Laptops

Related entries in Government Security, Laptop Security, Security Breach

I love audits, don’t you? What an eye opener they can be. Like, when an audit exposes that the U.S. Department of State has hundreds of employee laptops unaccounted for. The U.S. Department of State. No sensitive data there. Just all US foreign relations.

According to officials, as many as 400 of the unaccounted for laptops belong to the Anti-Terrorism Assistance Program, administered by the Bureau of Diplomatic Security (DS), that provides counter-terrorism training and equipment (including laptops) to foreign police, intelligence and security forces. The DS is responsible for securing the US Department of State computer networks and equipment, in addition to protecting foreign diplomats when visiting the US.

So, it would seem there is a flaw in the DS security policy regarding laptops. Currently, DS officials are going around the Washington-area offices to register employee laptops. The laptops are not officially lost until the current searches are completed.

The Inspector General’s audit is still ongoing, but it is clear from this early news that the State Department does not have good records of its inventory.

So, do you consider this to be a data breach at this stage? Or, is it a data breach only when the laptops are officially considered lost?

Via CQ Politics ; Image: click @ morguefile Tags: , , , , , , , , ,

University of Miami Breach

Related entries in Data Breach, Real Theft Reports, Security Breach

Who Breached: University of Miami
Number Affected: 2.1 million
Information breached: Social Security Numbers, some financial data
How: laptop

The University of Miami has lost a case of computer tapes containing the confidential information of 2.1 million patients. The case was stolen from a van used by a private off-site storage company.

Anyone who was a patient of a University of Miami physician since 1999 has been affected by the breach. The University will be notifying only those customers whose financial data may have been included (credit card or other billing information), which affects 47,000 patients. The data included Social Security Numbers or health information in all instances, so it’s not clear why the breach notification is being restricted.

The University of Miami hired an security expert from Terremark Worldwide to determine if the data on similar tapes could be accessed. The expert believes, after a week of trying, that the proprietary compression and encoding would make the data difficult to access.

More information from the University of Miami about this breach can be found here.

Other sizable data breaches this week:

Via attrition.org, miami herald Tags: , , , , , , , , , ,

Oklahoma Department of Corrections Data Leak

Related entries in Data Breach, Government Security, Security Breach

Who Breached: Oklahoma Department of Corrections
Number Affected: Tens of thousands
Information breached: Social Security Numbers
How: Unsecured website

Another security breach caught my attention today. Some very bad website programming left a huge hole in the Oklahoma Department of Corrections website for at least three years - a hole that would allow anyone with very basic SQL knowledge to access the names, addresses and Social Security Numbers of tens of thousands of Oklahoma residents.

Not only was this data freely available to anyone with basic SQL knowledge, but the data could be possibly be changed. All of the databases for the Department of Corrections could be accessed and possibly changed. That means that public records could be tampered with. You could turn your neighbor into a sex offender or wipe clean your criminal record.

The writer for “thedailywtf” is the one to discover the breach. In a routine search of a site, he stumbled across information that led him to believe it could be hacked. Which he proved in mere seconds.

So, how was this possible? Well, the search function on the Sexual and Violent Offender Registry gave you a little link to “list all results in a printer-friendly format.” That link contained a very long URL containing the SQL statement that created the search results (something it shouldn’t show), and the link could be modified (also bad). So, by changing that URL, you could bring up all the “hidden” information, like SSNs.

Although this “hack” was brought to the attention of the Department of Corrections, the “fix” also was hack-able easily. The author of “thedailywtf” then gave them specific instructions to take down the roster pages completely to make the site secure. This fix has now been put in place. You can read the full details here.

Still, it is unknown if the data was accessed, since it was very easily available. Identity thieves have long been exploiting security issues of this kind. What is known is that it is a scary breach to happen, and one that definitely could make you concerned about the security of important public records.

hat tip to schneier Tags: , , , , , , , , , , , , ,

Saskatchewan Finds Second Set of Abandoned Medical Files

Related entries in Data Breach, Health Security, Real Theft Reports, Security Breach

Who Breached: Various doctors in Saskatchewan
Number Affected: Unknown
Information breached: Medical records
How: Abandoned Files

79 boxes of personal medical files were found in a vacant, unlocked office in the city of Moose Jaw in Saskatchewan. The files were found from a telephone tip left after a breach of medical files in Yorkton was made public at the end of March. Officials believe there is a connection between the two finds.

In late March, five boxes of abandoned medical files for as many as 900 patients were found in a vacant office. The boxes were found via an anonymous tip in the city of Yorkton in a building that was not associated with any past medical offices.

Saskatchewan’s Information and Privacy Commissioner Gary Dickson said the announcement of the first breach generated telephone tip, one of which led to the second find. Details about the second find are still coming to light:

“It appears to involve a number of different physicians,” Dickson said. “We think some of these physicians may in fact still be practicing in the province.”

Physicians and licensed professionals are required by provincial law to safeguard personal health information. Violations come with a hefty price tag up to $50,000 per person or $500,000 per organization. Such fines have never been issued in Saskatchewan. The College of Physicians and Surgeons of Saskatchewan will participate in the privacy commission’s inquiry.

Via upi, upi2 Tags: , , , , , , , , , ,