Archive for the ‘Theft News’ Category

Hannaford Bros. exposes 4.2 million to fraud

Monday, March 24th, 2008

Who Breached: Hannaford Brothers
Number Affected: 4.2 million
Information breached: Credit, Debit Card Numbers
How: network intrusion

Hannaford Bros. CEO Ron Hodge issued a statement this week that 4.2 million of its customers' card accounts have been exposed to fraud through a security breach. Fraud has already been detected in 1,800 cases.

The Maine-based supermarket chain reported an intrusion into its computer network that put 4.2 million customer credit and debit card accounts at risk. The breach affects all 165 of its stores in the Northeast and 106 Sweetbay stores in Florida, as well as a number of independent grocers who sell Hannaford products. The card numbers were stolen during the card authorization transmission processes dating back as early as December 7th. The breach was only contained on March 10th.

Unlike many reported breaches, the Hannaford Bros. breach has already been linked to 1,800 cases of fraud. The fraudulent card activity first came to light on February 27th. Despite those reports, notification of affected consumers only began on Monday, after the breach had been contained.

Do you think it was socially responsible for Hannaford to wait until after the breach had been contained to warn consumers of their fraud risk?

Via attrition, wmur, cnet

HSBC Swamped with Fraud

Sunday, March 16th, 2008

HSBC is being hit by a wave of fraudulent activity this week. A savvy customer noticed that his account had been emptied by someone in Bulgaria, and another customer was hit from California and Canada.

Keith, the first customer to notice the fraud, found that money was being withdrawn from an ATM in Bulgaria and, after some difficulty getting any information at all, was told his money would be credited back in 11 to 15 business days. No alert was sent to Keith that his card was being used outside the country, nor was he called to verify that the activity was legitimate.

Emily, the second customer, was informed by the HSBC Fraud Investigator whom she called that:

“their fraud department was so overwhelmed, it was ‘still in the developing stage of how we’re going to handle’ it. I asked if she knew how many customers were affected and she stated ‘We don’t even know.’”

The investigator said all customers would be notified by letter rather than by phone, because of the scale of the fraud. Unfortunately for both customers, there was no direct way to reach the fraud investigators: each was blocked several times by the overseas call center before the call was escalated.

Via the consumerist

Teenager Arrested for $20 Million Botnet

Thursday, March 6th, 2008

New Zealand’s Owen Thor Walker, 18, has been accused of running a mega-botnet that infected more than 1.3 million computers and, as a result, stole more than $20 million.

The teen was said to have been the leader of a group of programmers who created the botnet designed to steal credit cards and manipulate stock trades. Walker now faces up to 10 years in jail, if found guilty under New Zealand law.

Arrests such as this one, and that of another teenage hacker in the US who infected hundreds of thousands of PCs with adware, remind us that not all cybercrime originates from organized crime syndicates: individuals, even teenagers, can cause significant damage. Botnets have surpassed spam as the largest Internet security issue.

“We worked closely with U.S. and Dutch authorities on this investigation. This arrest is significant not just to New Zealand but the international community as well,” said Detective Inspector Peter Devoy of the New Zealand police, underlining the degree of cooperation now being employed to bring in these individuals.

“Very few people who carry out this sort of offending are ever prosecuted, so the resolution of this case has huge international implications,” he added.

A botnet is a collection of software robots (“bots”) that run autonomously and automatically. That is not always malevolent, but in most botnets it means that “zombie computers”, compromised endpoints under an attacker’s remote control, run malware such as worms and Trojan horses. The BBC estimated in 2007 that up to a quarter of all Internet-connected computers may be an unwitting part of these botnets.

Via pc world, wikipedia

Unprotected Data Leads to Scandal for Chinese Pop Star

Tuesday, February 26th, 2008

A laptop sent in for repair is destroying the career of a Chinese pop and film star. Edison Chen took his laptop to a shop for repairs, and while it was there its contents were copied without his knowledge. Unfortunately for Chen, the worst was yet to come: very explicit images of Chen and other pop icons were uploaded to the web.

The photos show Canadian-born Edison Chen in bed with eight of Hong Kong’s 10 top actresses and singers. Thousands of photos of this nature were leaked from the laptop. It has become the biggest celebrity sex scandal in the history of the Chinese internet.

The person responsible for copying and uploading the photos is releasing them incrementally. For the past two weeks a few dozen photos have been uploaded each day, each day creating more scandal for Chen and the other celebrities. The images go up on various servers and services, circulate over email, and are passed around on memory devices.

Edison Chen made a statement to the press today about the situation. Chen says he will withdraw from the entertainment industry; he has quit his job.

“The lives of many innocent people have been affected by this malicious and criminal conduct. And in this regard, I’m filled with pain, hurt and frustration. I hereby use this opportunity to apologise to anyone who has been affected by this strange, strange ordeal,” he said in a short video statement.

Chen admits to taking the photos himself, in private. Neither the laptop nor its files were encrypted. Hong Kong police are arresting people suspected of sharing the images, although none of the suspects has been identified as the original uploader. Protests have erupted in China against a ‘crackdown’ that goes this far.

Via guardian.co.uk, reuters, shanghaidaily

Woman Sues Best Buy for Lost Laptop

Friday, February 15th, 2008

A woman is suing Best Buy for $54 million after her laptop was lost while in for repairs.

Raelyn Campbell brought her damaged computer to Best Buy for repairs on a faulty on/off switch and, after 3 months, the firm admitted to losing the laptop. Campbell has filed a lawsuit with the Superior Court in the amount of $54 million, her valuation for the personal information, lost time and frustration from the laptop loss.

Campbell says her demands escalated in response to stalling from the company. Campbell is claiming to have been misled by information about her laptop’s whereabouts, was concerned when she was not notified about the potential for identity theft, and was ‘insulted’ by the $900 gift card she was offered as compensation.

Raelyn Campbell claims to have had thousands of dollars’ worth of music and irreplaceable photos on the laptop, which contributes to her valuation of its loss. However, I would put much of that blame on Ms. Campbell herself for not backing up or otherwise protecting her data.

Ms. Campbell admits to choosing a high lawsuit figure in order to gain media attention. She is not represented by a lawyer in this case and has rejected settlement offers until she feels the loss of the laptop has been explained.

Via red tape chronicles

Most Malware Comes From Legit Sites

Thursday, January 31st, 2008

A new study conducted by Websense has determined that most websites offering up attack code (malware) are legitimate domains that have been hacked. This is the first time legitimate sites have outnumbered malicious sites (sites intentionally built to seed malware) in malware attacks.

51% of malicious sites in the latter half of 2007 were legitimate sites that had been compromised (hacked) and seeded with malware to infect unpatched computers visiting them. There are several reasons for this shift in tactics: legitimate sites have existing traffic, provide free hosting, are trusted by consumers, and give the attacker anonymity, since domain ownership leads back to the victim rather than to the source of the malware.

Dan Hubbard, vice president of Websense, says:

“More and more, attackers are compromising legitimate Web sites to infect visitors with information-stealing code or to add users’ machines to botnets. Additionally, they are increasing the sophistication of their attack methods and building resilient infrastructures… Organizations need to ensure their Web, messaging and data security solutions can protect the avenues hackers seek to exploit for financial gain.”

The report indicates that this trend of infecting legitimate sites is accelerating. The previous report indicated legitimate sites hosting malware were in the mid-30% range. Sites are now being hacked en masse – with anywhere from 10,000 to 90,000 sites being compromised at once. Exploit tool kits (do-it-yourself malware creation kits) account for 19% of malicious sites created or compromised.

Continue reading the report at Websense.

Via computerworld

Veterans Affairs: New Breach, Arrest

Thursday, November 29th, 2007

Who Breached: U.S. Department of Veterans Affairs (VA)
Number Affected: 12,000
Information breached: Social Security Numbers
How: theft of 3 computers (2 desktop, 1 laptop)

The U.S. Department of Veterans Affairs is investigating another potential data breach after 3 computers (two desktop, one laptop) were stolen on November 11 from the Roudebush Veterans Affairs Medical Center. The computers contained Social Security numbers for as many as 12,000 medical patients and were protected only by password.

Indiana congressman Steve Buyer says the hospital failed to follow the new security protocols:

“The information that was accessed should have never been portable,” Buyer said in an interview Thursday from Washington. “That information should have been secure on a server in a data storage system in a remote location.”

The VA has a long history of data breaches, including the May 2006 loss of information on 26.5 million veterans following the theft of a laptop and external hard disk. Since that breach, the VA has had further incidents affecting 1.8 million, 250,000, 16,000 and 16,500 individuals. This is the third breach related to the theft of computers.

Regulations on data security were reportedly strengthened after the May 2006 breach. Congressman Buyer lays the blame for the continuing problems on poor security training and the lack of consistent security standards:

“I recognize that we’re dealing with human vices — theft — and we’re dealing with human negligence,” Buyer said. “That’s why it’s so important that information be encrypted and that we limit people’s access to certain information.”

This new breach adds to a very troubling pattern of poor security standards that continues to plague the VA. A stronger security policy (including encryption of stored data, whether the machine is portable or not) and a training scheme at all levels of the VA could help prevent such losses.

Arrest for theft of 1.8 million

An arrest has recently been made in relation to the theft of 1.8 million Social Security numbers in January of this year. Tae Kim was arrested after a month-long investigation when he was caught using fraudulent credit cards at a jewelry store. Kim was an auditor for Veterans Affairs from 2003 to February 2007; his home computer contained 1.8 million Social Security numbers.

Via OC Register, ComputerWorld, Computer Weekly, IndyStar

HMRC Data Breach Affects 25 Million

Friday, November 23rd, 2007

Who Breached: HM Revenue & Customs (HMRC), UK
Number Affected: 25 million
Information breached: Bank details, National Insurance Numbers
How: two CDs lost in the mail

The HM Revenue & Customs (HMRC) department in the UK has lost the personal details of 25 million people.

Following two breaches affecting thousands of people earlier in the autumn (a laptop theft and a lost CD), this latest data breach affects a record 25 million child benefit claimants in the UK. The breach stems from the loss of two CDs in the mail.

The discs contained the names, National Insurance numbers, bank details, full addresses, child benefit numbers and dates of birth of 25 million individuals.

“The lost bank account numbers, names and addresses represents a gold mine for thieves and is much more valuable than credit card numbers or taxpayer ID numbers,” said Avivah Litan, vice president at Gartner Research.

Ironically, the previous breach associated with the laptop was applauded by the media. Given that the data on the laptop was protected, notification was not required. HMRC was commended for their responsibility towards data security.

In this incident, however, responsibility is not something HMRC will be applauded for. According to the opposition party, senior officials were aware of the decision to put the personal information of millions onto computer discs.

Citing an internal e-mail, members of the Conservative party said blame for the scandal went higher than just the junior civil servant so far blamed by the government for violating security rules.

The National Audit Office (NAO) released a series of emails exchanged with HMRC. The NAO, the intended recipient of the data, had asked that personal information such as bank account details be removed from the data it requested, as it was not needed. HMRC, however, did not want to incur the cost of filtering the data. The discs were sent by internal mail and were not protected.

Ironically, this mistake could cost many millions more than filtering or protecting the data would have. The cost of closing 15 million bank accounts alone would be enormous. The scale of this breach is prompting the UK to look closely at its security procedures and consider new regulations.

The emails implicate senior officials in knowingly passing on personal information despite earlier statements pinning the blame on a junior official. The head of HMRC has resigned since the breach went public. An investigation is now taking place.

You can read a timeline of events here.

Via Guardian Unlimited (2), Canada.com, vnunet (2), ZDnet

CUNY Data Breach Affects 23,000

Friday, November 16th, 2007

Who Breached: City University of New York (CUNY)
Number Affected: 23,000
Information breached: Social Security Numbers
How: laptop theft

The City University of New York (CUNY) has notified 23,000 current and former students that their personal data has been breached following a laptop theft from a locked financial-aid office in Midtown.

CUNY sent letters to affected students on October 19th, indicating that the laptop was stolen around October 15th; representatives are not sure how the secured room was entered. Harvey Shifter, a spokesperson for CUNY’s financial aid office, said the laptop was non-functioning (it showed a blue screen at boot) and password-protected. That assurance is worth little: the drive can be removed and read as an external disk on another machine, which bypasses the logon password entirely, and the password itself can be cracked offline.
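The point made in the previous paragraph, and the one Congressman Buyer makes about the VA computers above (“it’s so important that information be encrypted”), is worth seeing in code: a logon password gates the operating system, not the bytes on the disk. The following is an added example written for this page; it is not code from the original post, from CUNY or from the VA. It models a stolen laptop as a dictionary of raw disk contents with a constructed two-line student file; the function names (password_only_laptop, encrypted_laptop, pull_the_drive, dictionary_attack), the sample data and the passphrases are illustrative. The cipher is a toy built only from the standard library (PBKDF2 key stretching, HMAC-SHA256 in counter mode, encrypt-then-MAC), used so the example runs anywhere; real deployments should rely on the platform’s full-disk encryption or a vetted AEAD such as AES-GCM.

```python
"""Why "password-protected" is not "encrypted".

Added example, not from the original page. A stolen laptop is modelled as a
dict of raw disk contents. The OS logon password never matters to a thief who
pulls the drive; encryption at rest does, but only as far as the passphrase
holds up against offline guessing.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 50_000  # assumption: kept modest so the example runs in seconds

# Constructed sample data standing in for the financial-aid file on the stolen laptop.
RECORDS = b"Doe,Jane,123-45-6789\nRoe,Richard,987-65-4321\n"


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase with PBKDF2, then split into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher using only the standard library."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(passphrase: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the passphrase is wrong or the blob was tampered with."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def password_only_laptop(logon_password: str) -> Dict[str, bytes]:
    """What "password-protected" usually means: the OS checks a hash at logon,
    but the file itself sits on the disk in the clear."""
    return {
        "logon_hash": hashlib.sha256(logon_password.encode()).digest(),
        "financial_aid.csv": RECORDS,
    }


def encrypted_laptop(logon_password: str, disk_passphrase: str) -> Dict[str, bytes]:
    """The same laptop with the file encrypted at rest under a separate passphrase."""
    return {
        "logon_hash": hashlib.sha256(logon_password.encode()).digest(),
        "financial_aid.csv": encrypt(disk_passphrase, RECORDS),
    }


def pull_the_drive(disk: Dict[str, bytes], path: str) -> bytes:
    """The thief's view: the drive is removed and read through an external enclosure,
    so the logon password is never consulted. A blue screen at boot changes nothing."""
    return disk[path]


def dictionary_attack(blob: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against the encrypted file: no lockout and no rate limit,
    so the protection is exactly as strong as the passphrase."""
    for guess in wordlist:
        if decrypt(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    stolen = password_only_laptop("Hunter2!")
    print(pull_the_drive(stolen, "financial_aid.csv").decode())  # SSNs in the clear

    stolen = encrypted_laptop("Hunter2!", "password1")
    raw = pull_the_drive(stolen, "financial_aid.csv")
    print(RECORDS in raw)  # False: ciphertext only
    print(dictionary_attack(raw, ["letmein", "password1", "qwerty"]))  # password1
```

Run as a script, the first print shows the student records straight off the “password-protected” disk; the second shows that the encrypted copy reveals nothing; the third shows that a weak passphrase gives that protection away to a short wordlist, which is why a lockable screen and an encrypted disk still need a passphrase that is not in a dictionary.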

Students were urged to contact their credit card companies and take other steps to protect their identities by initiating a fraud alert. No compensation is being offered in the form of credit monitoring services.

With no leads, the police have closed the case.

What is most worrying about this breach is the response of school officials, who appear to assume that a logon password safeguarded the data.

Students have been unhappy with the response time of school officials in notifying them of the breach and in subsequent queries. Students have placed calls to the official noted in the breach notification that have gone unanswered.

Via SCMagazine, NY Post, the ticker

Data Breach Tally Climbing

Thursday, November 1st, 2007

As of November 1, 2007, the Privacy Rights Clearinghouse estimates that 167,706,372 records containing sensitive personal information have been breached since January 10, 2005. Averaged over the 1,024 days in that period, that is 163,776 records breached every day.

A table of data breaches by year:

Year   Records Lost/Stolen   Incidents
2007   86,221,825            282
2006   49,679,333            346
2005   55,986,942            138
2004   31,895,900            21

The largest data breach on record is that of TJX (45.7 million records), but such large figures are not as common as the continuous smaller data breaches happening daily around the world. We become desensitized to the news unless it reaches such record numbers, but if you look at the total data breach tally and the daily average, you can gain some valuable perspective on how large the issue really is.

According to the Privacy Rights Clearinghouse figures as analyzed by etiolated.org, some industries are faring better than others. Education is still on an upward trend in the number of breach incidents (not records), while Government appears to have made some improvements. But if you consider the table above, it’s the records stolen that form the most alarming figures: on average, each 2007 incident exposed roughly twice as many records as each 2006 incident.

2007 is going to be a record year for data breaches. And this is one record you don’t want to win.

