Archive for the ‘Security Breach’ Category

Payment System Breach May Expose 100 Million

Thursday, January 22nd, 2009

Who Breached: Heartland Payment Systems
Number Affected: As many as 100 Million+
Information breached: Credit Card Data
How: Network compromised

In a breach to rival those of TJX (~45 – 94 million) in the US and HMRC (25 million) in the UK, Heartland Payment Systems announced on January 20th that they have uncovered malicious software in their processing system. Cyber criminals gained access to their network and to the 100 million credit card transactions it handles each month.

Although no merchant information or Social Security Numbers were compromised, data that was improperly accessed included the information on a card’s magnetic strip (card number, expiration date, bank codes), which could be used to duplicate the cards. Heartland says that it cannot estimate the number of records that may have been accessed.

Avivah Litan, analyst at Gartner, calls the Heartland Payment Systems breach the “largest card-data breach ever”. Heartland’s president says it’s too early for such a “speculative” statement.

Heartland has set up a breach website with a statement of the incident:

“After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.”

At the time of this breach, Heartland did not have real-time monitoring of network activities that would have detected the access. The company recommends that customers examine their monthly statements closely and report any suspicious activity.

Earlier this month, CheckFree Corporation also notified more than 5 million customers that criminals took control of several of their domains and redirected customers to malicious websites.

Via FOX, Computerworld, WSJ

German Government Loses Top Secret Files

Monday, December 22nd, 2008

According to The Local, the German government has admitted to losing 332 top secret files over the past 10 years. Problem is, the files were so top secret that nobody knows what was in them.

The German Interior Ministry was forced to admit to the loss of files during a parliamentary session when they were questioned by the Free Democrats (FDP). The government admits that the 332 files are still missing, and that the files were of “considerable significance.”

The questioning also revealed that nearly 3,200 top secret files were destroyed rather than archived during the last legislature period. These files covered topics such as organized crime, surveillance, and ‘research’ of other states. This, as well as the breach / loss of the 332 files, points to issues with having a firm data retention policy. Although the two issues may not be related, given that the top secret files may have been destroyed in order to avoid any 30 year information release rule that may be created, it’s clear that governments all around the world are struggling to stay on top of information security.

In other Government data loss news, a FOX reporter was able to buy a McCain campaign Blackberry loaded up with confidential information – Computrace Mobile would have erased all of it. And Fergie, Duchess of York, is the victim of laptop theft and worries about private photos leaking – see what Absolute’s Bill Pound had to say about it.

Starbucks Data Breach Mirrors that of 2006

Tuesday, December 2nd, 2008

Who Breached: Starbucks
Number Affected: 97,000
Information breached: Social Security Numbers
How: stolen laptop

Starbucks Corp. confirmed this week that a laptop containing the information of 97,000 employees was stolen.

A Starbucks laptop containing names, addresses and Social Security Numbers was stolen on October 29th. It is not clear if the laptop was protected in any way, or how it was stolen.

In 2006, Starbucks reported the theft of four laptop computers, so it is sad that such an issue would again come to light. In 2006, the breach affected 60,000 Starbucks employees / partners. Although the Starbucks statement to employees, after this most recent breach, indicates that the company is taking steps to protect data, including encryption, one would hope that those steps would have occurred in the 2-year period since the last breach. A copy of the letter sent to affected Starbucks employees can be found here.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute.

Other major data breaches for November, 2008:

  • Luxottica Group, 59,000+ affected, hacker [read more]
  • University of Florida College of Dentistry, 344,000+, compromised server [read more]
  • Christus Health Care, thousands, stolen backup tapes [read more]
  • Harvard Law School, 21,000, lost backup tapes [read more]
  • North Carolina Division of Aging and Adult Services, 85,000+, lost laptop [read more]
  • Baylor Health Care System Inc., 100,000, stolen laptop [read more]
  • Arizona Department of Economic Security, 40,000, stolen hard drives [read more]

And in other news…

And in a very strong statement by Canada’s Privacy Commissioner Jennifer Stoddart, Canada was called to shame for inaction on cybercrime. Stoddart called it an “embarrassment” that Canada does not protect the rights of individuals with provisions such as anti-spam legislation, strong identity theft legislation, or mandatory data breach provisions. Read more about this here.

Via datalossdb

White House Repeatedly Hacked

Thursday, November 13th, 2008

The Financial Times reports that Chinese hackers penetrated the White House computer network on multiple occasions, obtaining emails between government officials. On each hacking incident, the cyber criminals were able to steal information before the White House security systems and professionals could patch the security holes.

The new insight comes on the heels of another report that the presidential campaigns of Barack Obama and John McCain were hacked over the summer. The FBI and Secret Service revealed to both Obama and McCain that large amounts of files related to policy positions had been stolen – information that may be useful in future negotiations with the U.S. administration. The hack came from a “foreign entity”, either Russian or Chinese.

Subsequent reports indicated that the attacks on the Obama and McCain systems came from China, and that other cyber attacks have been made on the White House from the same source. E-mail archives were attacked several times in recent months, a constant “cat and mouse” game with defenses going up each time a new attack was detected.

It is difficult to trace the exact source of the attacks. It is reported that, as far as the White House attacks go, only the unclassified network was breached. That doesn’t mean the information was not valuable or sensitive, nor that classified information was not present.

For more information on Absolute’s services for the Government sector, read here.

Via CNet

T-Mobile Breaches 17 Million

Friday, October 17th, 2008

Who Breached: Deutsche Telekom’s T-Mobile
Number Affected: 17 million
Information breached: Social Security Numbers
How: laptop

T-Mobile, subsidiary of Deutsche Telekom, has issued notice that a major data breach from 2006, affecting 17 million customers, has resurfaced as an issue. The information included names, addresses and phone numbers. No banking details were lost.

The data loss occurred in 2006, but details of the breach event became public on October 4th, 2008 in this statement. The company published this report publicly after a German news magazine reported that the data was up for sale on the Internet.

Deutsche Telekom says that a data storage medium with records for 17 million people was found, and that there was no record of unauthorized use of the data. However, the German news magazine found the data online for sale. The data includes home address and unlisted phone numbers for celebrities, business leaders, government ministers and more.

Here is an excerpt from Deutsche Telekom’s response:

In spring 2006, Deutsche Telekom immediately reported the theft to the responsible public prosecutors’ office. Within the scope of their investigations, the public prosecutors’ office was able to recover storage media. Extensive research conducted over several months on the Internet and in data trading places could not reveal any clues indicating that the data had been offered or disseminated on the black market. Owing to this, Deutsche Telekom assumed that there would be no dissemination of the data. However, Der Spiegel was apparently able to access the data in question via third parties.

The company expresses concern that the breach incident is relevant once again, being previously under the assumption that the matter had been closed. They “regret to say that [they] have not been able to protect… customer data in line with [their] standards.”

Deutsche Telekom says that security measures have been significantly tightened since 2006. These measures include: complex passwords, access authorization, and access monitoring, among other measures. They have set up a FAQ on the data breach here.

Other recent notable data breaches:

  • University of North Dakota – Stolen Laptop, 84,554 affected [more]
  • University of Indianapolis – Hacker, 11,000 affected [more]
  • The Whittington Hospital NHS Trust – lost CDs, 17,990 affected [more]
  • CCN – hacker, 98,930 affected [more]

Via datalossdb.org, vnunet, NY Times

Insiders at GS Caltex Steal Info of 11 Million

Tuesday, September 9th, 2008

Who Breached: GS Caltex
Number Affected: 11,000,000
Information breached: Social Security Numbers
How: Insider stealing data

Four people have been arrested in connection with a major data breach at GS Caltex, a Total Energy Service provider based out of South Korea. This is being called the country’s largest data breach to date.

Earlier this month, CDs and DVDs containing the names, Social Security numbers and email addresses of 11 million GS Caltex customers were found in the garbage in Seoul. The data included information on government officials, lawmakers and politicians.

Investigators on the case say one of the suspects exposed the leak to the media in a publicity campaign aimed at boosting the market value of the data! This is the first time I’ve heard of such a tactic.

The four people arrested on Sunday included two employees of a GS Caltex subsidiary. One suspect is alleged to have copied the database while working at a call center.

The data was copied onto several CDs and DVDs, which presents several issues: that sensitive data could be accessed by a call center employee, that data could be copied to external devices, and that none of this was being tracked internally.

Other recent large data breaches:

  • National Technical Institute for the Deaf, 13,800 Affected, Stolen Laptop – more here
  • Louisiana Real Estate Commission, 13,000 Affected, Insider Accident – more here
  • InterActive Financial Marketing Group (IFMG), 92,095 Affected, Hacker – more here

Via datalossdb.org, AFB

Shredded Checks Are Not Packing Material

Tuesday, September 9th, 2008

This is just a common sense business tip: do not use shredded checks as packing material.

The WHH Ranch Company has been using shredded paper from a Texas-based bank for 20 years. Some of that paper came in the form of shredded checks.

When Michelle McBride ordered some food from WHH Ranch, she found it packed in shredded checks. The shredded paper was in wider strips (it was not cross-shredded) that could be easily pieced together. In fact, that’s what Michelle McBride did – she was able to easily re-assemble some checks and plainly read off account numbers and routing information for hospitals, medicare, schools, businesses and personal accounts.

After learning of the problem, WHH Ranch says they’ll ensure it doesn’t happen again.

So, two things to learn from this:

  • If you are shredding sensitive information, use a good cross-shredder or confetti shredder. Particularly if you’re a business.
  • If you are using shredded paper as packaging material, ensure it’s finely shredded material that contains only non-sensitive papers.

Banking Details Sold on eBay

Thursday, August 28th, 2008

Who Breached: Graphic Data (holding 3rd party data)
Number Affected: Millions
Information breached: Financial records
How: Computer sold on eBay

Several million people have been affected after a computer was sold “inappropriately to a third party” via eBay. The computer contained sensitive information on customers from the Royal Bank of Scotland, American Express and NatWest.

A former employee of the archiving company Graphic Data (owned by MailSource UK) sold a machine that contained the banking information. Information included account numbers, passwords, phone numbers and signatures. The computer was sold on eBay for £35 to an IT manager, Andrew Chapman, who came forward after noticing the data on the hard drive.

Click here for a video of Andrew Chapman being interviewed about buying the computer & its data.

The Information Commissioner’s Office (ICO) has launched an investigation into how this mistake happened and what steps will be taken to prevent a similar incident from happening. According to MailSource UK, the computer was sold without authorization.

“The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed” – Nicole Morgan, MailSource UK

The data on the hard drive was not wiped prior to the computer being sold (although wiped data can be recovered).

Via daily mail, forbes, bbc

Countrywide Financial Insider Breaches 2 Million

Monday, August 11th, 2008

Who Breached: Countrywide Financial Corporation
Number Affected: 2,000,000
Information breached: Social Security Numbers
How: Insider theft

It’s not very often we hear about intentional insider breaches of information, particularly on this scale. The FBI arrested a former Countrywide Financial Corporation employee and another man in connection with the alleged theft and sale of the information of as many as 2 million mortgage applicants. The personal information of the mortgage applicants included Social Security Numbers.

The breach occurred over a two-year period until it was discovered this July. The insider arrested worked as a senior financial analyst at the lending division of Countrywide, Full Spectrum Lending. The second man arrested is the alleged reseller of the stolen data.

US Attorney spokesman Thom Mrozek says most, or all, of the names were being sold to people within the mortgage industry in order to make new pitches. The insider, who volunteered details to the FBI, would sell batches of about 20,000 customers as “leads” to outside loan agents at approximately 2.5 cents per name, a very low amount on the black market. It is unknown if any of the information was used for fraud or identity theft.

“It’s the potential for new-account fraud that arises when Social Security accounts are compromised,” said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse. “That’s the most serious kind of financial identity theft,” because large amounts can be involved and the fraud is more difficult to detect than it is on preexisting accounts.

“This guy obviously didn’t do his homework. He doesn’t know the value of these on the black market,” she said.

The theft was perpetrated via an unsecured external hard drive. The insider was able to use one computer in the Spectrum Lending office that he knew to be insecure: it was missing the security feature that disabled the use of external drives. There was no process of detection in place that would prevent this unsecured computer from accessing network data, nor any procedure in place to prevent unauthorized copying of data.

To learn from this breach:

  1. Audit user access to data, to ensure users have only necessary access to data
  2. Monitor data access – what is accessed and by whom
  3. Restrict copying of data
  4. Add real-time detection – be able to detect unauthorized attempts to access data, insecure computer connections, and unusual user activity

Via LA Times, Computer World

Data Breach Roundup

Thursday, July 31st, 2008

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport. More info…

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April, affected individuals are being mailed according to the information stored. More info…

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs. More info…

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both the Ohio University and the University of Houston accidentally posted Social Security Numbers online. An increasingly common source of breach, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here?
