Archive for the ‘Theft News’ Category

Who Breached: Virgina Prescription Monitoring Program

Number Affected: 8 million +

Information breached: Prescription records

How: hacker

This isn’t an April Fool’s Joke, though it may seem like it. Hackers allegedly broke into a Virginia state website used by pharmacists to track prescription drug abuse. The hackers then deleted records on more than 8 million patients and 35 million prescription records.

Not satisfied just with the data, the alleged hackers replaced the site’s homepage with a ransom note demanding $10 million for the return of the records. The site is now completely unavailable (the state shut down access after they detected the breach), though the message was recorded.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password.”

Director of Virginia’s Department of Health Professions, Sandra Whitley Ryals, declined to discuss the reported hack, saying [PDF] only that an investigation is underway by federal and state authorities. She said that they are working with experts to restore systems and ensure they’re safe. The Virginia Department of Health Professions says that all data has been backed up and those files remain secure. There is no word yet if affected patients will be contacted about this breach.

Via consumerist, washington post, computerworld

Normally we hear about the massive data breaches that happen due to some loss of electronic data – whether it’s a lost data storage device or laptop or from hacking. However, we can’t forget that paper too is at risk for breaching data. This week there were 4 reports of data breaches the result of incidents with paper.

1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked. [read more]
2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A Doctor has admitted to his mistake in improperly disposing of the files. [read more]
3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft. [read more]
4. A Dallas man found a box of medical records, including Social Security Numbers, the the parking lot at a storage business. The storage unit belonging to a doctor was broken into and the records left out. [read more]

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net ; image: clarita @morguefile

Following on the heels of the Heartland Payment Systems breach that affected as many as 100 million credit cards, 3 arrests were made. The arrests followed the 3-month investigation into a stolen credit card ring. The arrests were for men caught using stolen credit card numbers at local WalMart stores. Apparently the Secret Service has a suspect in the Heartland data breach, someone outside North America.

With more than 580 institutions affected by this data breach, it should be no surprise that lawsuits would follow. A PA-based law firm filed a class action lawsuit against Heartland in January, accusing Heartland of belated and inaccurate notifications of the breach and inadequate security precautions. In addition, this week 8 banks and credit unions filed lawsuits against Heartland over its failure to protect credit and debit card data. The lawsuits seek compensation for the costs of breach notification and re-issue of cards by the financial institutions. Where fraud has occurred, the banks also seek recompense.

Other large breaches: the Arkansas Department of Information Systems lost a data tape from storage (807,000 affected), and it appears that information about the communications, navigation and management electronics on Marine One (the Presidential helicopter) were accidentally leaked onto a peer-to-peer file sharing network. It was thought for a week that there was a new large payment processing breach, but Visa has issued a statement that clarifies that breach notifications pertain to existing, not new, issues.

It also caught my eye that the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal are holding their 13th annual Security Breach Notification seminar on March 6th. The seminar talks about identity theft and changes coming in the future. You can learn more here. If you can’t make it, check out some resources here.

Image: Clipart

It was Data Privacy Day on January 28th and Canada’s Privacy Commissioner put together The Top 10 Ways Your Privacy Is Threatened in order to commemorate the occasion.

Data Privacy Day was marked on January 28th in Canada, the United States and in 27 European countries. It is a day meant to remind us that data privacy is important and that we should all be better advocates for it. As the Canadian government notes:

“Every day, we see headlines about sophisticated phishing attacks, enormous data breaches, in both the public and private sectors, and the proliferation of identity theft. It is no coincidence that as businesses began to recognize the immense potential of personal data in their efforts to connect with customers, so too did criminals begin to realize its value.”

Here is what the Canadian government suggests are the 10 ways your privacy is threatened:

1. People need to stand up for their privacy as a right
2. Information flows too freely with privacy protection laws being unequal around the world
3. Identity theft is a lucrative business
4. Cybercrime and physical data theft (laptop theft, unshredded documents)
5. Data breaches in all sectors and a lack of reporting requirements – so you may never know
6. Businesses collecting, but not protecting, data
7. Governments collecting data for national security and public safety
8. Information posted on social networking sites without reviewing privacy policies or privacy settings
9. Information you submit to new applications, online games or online shopping
10. Surveillance cameras, swipe cards, Internet searches

The U.S. Department of Veteran Affairs (VA), which suffered a data breach affecting 26.5 million people in 2006, has agreed to pay $20 million to veterans affected by the breach.

The VA data breach of 2006, which was listed as one of the 10 largest data breaches since 2000 and as one of the worst breaches ever, was the result of computer going missing from the home of an employee, who had taken the computer home without permission. The computer contained insurance claim data (including Social Security Numbers and insurance information) for 26.5 million active duty troops and veterans, leaving them open to to identity theft and fraud.

The FBI was able to recover the equipment and apprehended the thieves; the VA found no evidence that data had been compromised. The VA Inspector General faulted the data analyst and his supervisors for putting veterans at unreasonable risk. A series of delays after the employee notified his superiors meant that affected veterans were not told about the breach until 3 weeks later.

Five veteran groups filed a class-action lawsuit against the VA alleging invasion of privacy. The lawsuit sought $1000 in damages for violations of privacy for each military personnel affected. This would have amounted to $26.5 billion in damages.

In court filings on Tuesday, lawyers for the VA and the veterans represented in the suit agreed to settle the lawsuit for $20 million. VA spokesman Phil Budahn made a statement, after the settlement, that:

“We want to assure veterans there is no evidence that the information involved in this incident was used to harm a single veteran.”

The money for the settlement will come from the U.S. Treasury and will go to veterans who can show they suffered “actual harm” (physical symptoms of emotional distress or expenses) as the result of the breach. I’ll be curious to see how they determine the ‘proof’ of these items. Each veteran will receive $75 – $1500 upon proving their suffering. Any remainder of funds will be donated to veterans’ charities. U.S. District Judge James Robertson must approve the terms of this settlement before it becomes final.

In November of 2007, the VA suffered a smaller breach, affecting 12,000, after 3 computers were stolen. They have suffered other data breaches, affecting up to 1.8 million, several times since 2006. Let’s hope this settlement means that the VA is truly accepting responsibility for the data breach suffered in 2006.

Via Yahoo, SC Magazine

The Department of Justice (DoJ) has charged 11 people in connection with the hacking of 9 major retailers and the theft & sale of more than 41 million credit & debit card numbers (the breach figure many times more than this). This is the largest hacking and identity theft ring that the DoJ has prosecuted and is the result of 3 years worth of undercover investigations.

The eleven people being prosecuted, including the US Secret Service informant, have been charged with conspiracy, computer intrusion, fraud and identity theft. Three of those charged are US citizens, while the others are from Estonia, Ukraine, China, and Belarus.

The indictment returned on August 5th by a federal grand jury in Boston alleges that the suspects hacked into the networks of TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Once there, the indictment alleges they installed “sniffer” programs to capture card numbers, passwords and account information. Some of the numbers were used for personal gain, while others were sold and then used to cash out large sums of money. The total dollar amount of the theft is “impossible to quantify”, but is in the multi-million-dollar range. The TJX breach alone has caused severe losses to the company.

“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said Attorney General Mukasey. “It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers.”

The United States Secret Service and the Department of Justice has worked with the governments and police forces in Estonia, Ukraine, China, and Belarus to investigate, apprehend and prosecute the individuals allegedly associated with these crimes.

Read more from the DoJ release here.

Via huffington post, CNN, PC World (2) Tags: department of justice, doj, identity theft, id theft, tjx, tjx breach, fraud, hacking, prosecution

The black market for data is much more sophisticated than most people realize. It’s not a “one price fits all” scenario. There are price points, just like in any advanced market. And, just like the same markets, there are services provided to prospective customers.

Francois Paget of McAfee’s Avert Labs blog has shared a discovery about the prices going on different “quality” levels of data on the black market.

Avert Labs has discovered a “price list” for everything from credit card numbers to bank account logins and other personal data that is sold in the underground economy. A tip led them to a website that was auctioning off data, including bank logons and credit card information, with prices such as:

• Washington Mutual (US), balance $14,400 (sell price 600 euros/$924)
• Citibank (UK), balance 10,044 pounds/$19,626 (sell price 850 euros/$1,310)

If you buy a bank account login, and the data owner has cancelled the account within 24 hours, they’ll even give you a replacement stolen account.

So, the black market is an organized system with value for quality, and even customer service. The same website sold information in “bundle prices” and offers free data only a daily basis, as “goodies” to entice their sale.

Visit the Avert Labs site for more information and screen shots of the system in question.

Via CNet Tags: black market, data, data resale, underground economy, data breach, personal data, data resale, identity theft, fraud

Who Breached: University of Virginia (UVa)
Number Affected: 7,000
Information breached: Social Security Numbers
How: laptop theft

Daily Progress is reporting that the University of Virginia (UVa) has breached the information of 7,000 students, staff and faculty members as the result of a laptop theft. The laptop contained personally identifiable information including names and Social Security Numbers.

The laptop was stolen from an employee at an “undisclosed location” off-campus in Albemarle County. Carol Wood, UVa spokeswoman, said that letters have been mailed to those affected by the data breach.

Students have been expressing their concern and frustration that their personal data would be left on an unsecured laptop despite the myriad of data breaches caused by such negligence.

The University of Virginia experienced a data breach in June, 2007 that was the result of a hacker accessing 5,735 faculty records over a two-year period. The University claims that the use of Social Security Numbers as a personal identification number was being phased out. Obviously, not soon enough.

Other notable data breaches this week:

• Joliet West High School hacked, breaches data for “about every student”
• New York-Presbyterian Hospital/Weill Cornell Medical Center finds 40,000 person breach in audit, likely stolen by an employee

hat tip to Attrition.org ; Tags: laptop theft, laptop security, data breach, breach, security breach, education breach, identity theft, id theft, breach notification

Today’s oddball piece of security news: house identity theft! What is ‘house identity theft’? The FBI say it’s the result of combining identity theft with mortgage fraud – the result of which is house stealing. How the criminals do it:

1. Pick your house to steal
2. Assume your identity & create fake IDs
3. Purchase property tranfer forms from any office supply store
4. Forge your signature and use your IDs to sign YOUR house over to THEM

Scary, isn’t it? It’s that easy.

The FBI say that mortgage fraud is growing, and its combination with identity theft could grow as well.

Via network world Image credit: melodi2 @ morguefile Tags: identity theft, house stealing, house identity theft, fraud, mortgage fraud

Who Breached: Hannaford Brothers
Number Affected: 4.2 million
Information breached: Credit, Debit Card Numbers
How: network intrusion

Hannaford Bros. CEO Ron Hodge has issued a statement this week that 4.2 million of its customers have been exposed to fraud due to a security breach. Fraud has been detected already in 1800 cases.

The Maine-based supermarket chain reported an intrusion into its computer network that put 4.2 million customer credit and debit card accounts at risk. The breach affects all 165 of its stores in the Northeast and 106 Sweetbay stores in Florida, as well as a number of independent grocers who sell Hannaford products. The card numbers were stolen during the card authorization transmission processes dating back as early as December 7th. The breach was only contained on March 10th.

Unlike many data breach reporting incidents, the Hannaford Bros. data breach has already been connected with 1800 cases of reported fraud. The fraudulent credit card activity came to light on February 27th. Despite reported fraud incidents, the notification to affected consumers only began on Monday, after the breach had been contained.

Do you think it was socially responsible for Hannaford to wait until after the breach had been contained to warn consumers of their fraud risk?

Via attrition, wmur, cnet Tags: hannaford, data breach, fraud, breach, breach notification, hannaford bros., business security, hacking