Archive for the ‘Theft News’ Category

Who Breached: HM Revenue & Customs (HMRC), UK
Number Affected: 25 million
Information breached: Bank details, National Insurance Numbers
The HM Revenue & Customs (HMRC) department in the UK has breached the personal details of 25 million people.

Following 2 breaches affecting thousands of people earlier in the autumn (from a laptop theft and a lost CD), this latest data breach affects a record 25 million child benefit claimants in the UK. The breach is tied to the loss of two CDs in the mail.

The disc contained the names, National Insurance Numbers, bank details, full addresses, child benefit numbers and date of birth for 25 million individuals.

“The lost bank account numbers, names and addresses represents a gold mine for thieves and is much more valuable than credit card numbers or taxpayer ID numbers,” said Avivah Litan, vice president at Gartner Research.

Ironically, the previous breach associated with the laptop was applauded by the media. Given that the data on the laptop was protected, notification was not required. HMRC was commended for their responsibility towards data security.

However, in this incident, responsibility is not something that HMRC will be applauded for. According to the opposition party, senior officials were aware about the decision to put the personal information of millions onto computer discs.

Citing an internal e-mail, members of the Conservative party said blame for the scandal went higher than just the junior civil servant so far blamed by the government for violating security rules.

The National Audit Office (NAO) released a series of emails with the HMRC. The NAO, the intended recipient of the data, requested that personal information such as bank accounts be removed from the data request, as not needed. However, the HMRC did not want to incur the costs of filtering the data. The discs were sent by internal mail, and were not protected.

Ironically, this mistake could cost many millions of dollars more than filtering the data, or protecting it, would have. The cost of closing 15 million bank accounts would be enormous. The scope of this data breach is prompting the UK to look closely at security procedures and consider new regulations.

The emails implicate senior officials in knowingly passing on personal information despite earlier statements pinning the blame on a junior official. The head of HMRC has resigned since the breach went public. An investigation is now taking place.

You can read a timeline of events here.

Via Guardian Unlimited (2), Canada.com, vnunet (2), ZDnet Tags: hmrc, data breach, data loss, uk data breach, nao, identity theft, business security, it security, government security

Who Breached: City University of New York (CUNY)
Number Affected: 23,000
Information breached: Social Security Numbers
How: laptop theft

The City University of New York (CUNY) has notified 23,000 current and former students that their personal data has been breached following a laptop theft from a locked financial-aid office in Midtown.

CUNY sent letters to affected students on October 19th indicating the laptop was stolen around October 15th; representatives are not sure how access was gained to the secured room. Harvey Shifter, a spokesperson for CUNY’s Financial Aid office, said the laptop was non-functioning (a blue screen at activation) and password-protected. Despite this assurance, it is still possible to access the data via an external hard disk and to break the password.

Students were urged to contact their credit card companies and take other steps to protect their identities by initiating a fraud alert. No compensation is being offered in the form of credit monitoring services.

With no leads, the police have closed the case.

What is most worrying about this data breach is the response of school officials. It seems as though officials assume the data was safeguarded with a password.

Students have been unhappy with the response time of school officials in notifying them of the breach and in subsequent queries. Students have placed calls to the official noted in the breach notification that have gone unanswered.

Via SCMagazine, NY Post, the ticker Tags: cuny, data breach, city university of new york, data loss, identity theft, stolen laptop, laptop security

As of November 1, 2007, the Privacy Rights Clearinghouse has estimated that 167,706,372 million records containing sensitive personal information have been breached since January 10, 2005. Averaged per day during this time period, 163,776 records are breached every day.

A table of data breaches:

The largest data breach on record is that of TJX (45.7 million records), but such large figures are not as common as the continuous smaller data breaches happening daily around the world. We become desensitized to the news unless it reaches such record numbers, but if you look at the total data breach tally and the daily average, you can gain some valuable perspective on how large the issue really is.

According to the Privacy Rights Clearinghouse stats as analyzed by etiolated.org, some industries are faring better than others. The Education field is still on an upward trend regarding number of data breach incidents (not records), while Government appears to have made some improvements. However, if you consider the table above, its the records stolen that form the most alarming figures. The data shows that, on average, more data is being breached per breach incident than ever before.

2007 is going to be a record year for data breaches. And this is one record you don’t want to win.

Tags: data breach, data breaches, records lost, stolen, identity theft, id theft, security breach

The Gap has suffered a data breach as a result of a laptop theft, putting 800,000 job applicants at risk for identity theft.

The Gap issued a press release on September 28 to announce that a laptop containing Social Security numbers was stolen from the offices of a third-party vendor responsible for job applicant data. The Gap has an agreement with its vendors that states that laptops must be encrypted – the laptop that was stolen was not, however, following the outlined security policy.

800,000 job applicants from the US, Canada and Peurto Rico who applied to The Gap, Banana Republic or Old Navy were affected. Those affected applied online or by phone during July 2006 and June 2007. Those affected have been sent letters with information and the offer of free credit monitoring services for one year. Canadian job applicants are likely unaffected, as their Social Security Numbers were not included on the laptop.

“Gap Inc. deeply regrets that this incident occurred. We take our obligation to protect the data security of personal information very seriously,” said Gap Inc. Chairman and CEO Glenn Murphy. “What happened here is against everything we stand for as a company. We’re reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again.”

It is an unfortunate incident for a company that appears to be taking its security quite seriously. A tight security policy extends to vendors, as it did in this case. Unfortunately, the laptop was not encrypted as required by the agreement. A stronger security policy, internally and with vendors, would include a laptop tracking and recovery solution such as Absolute’s ComputraceComplete.

The Gap has put up a website with more information at www.gapsecurityassistance.com and has a 24/7 help line at 1-866-237-4007

Via information week ; Tags: data breach, the gap, gap, job applicants, data loss, laptop theft

Pfizer reported a data breach in June affecting 17,000 current and former employees. The breach was the result of unauthorized file sharing software on a laptop.

Pfizer has now reported a second data breach, this time as a result of the theft of two laptops. This data breach occurred in May, but was only recently reported to Attorney General Richard Blumenthal’s office.

In May, two company laptops were stolen, containing personal information (including Social Security numbers) for 950 health care professionals. Axia Ltd., a management consulting firm working with Pfizer, is responsible for the data breach. On May 31, two laptops were stolen from a locked car. Pfizer was notified on June 14, and the Attorney General reportedly sent a letter the next week. The letter did not arrive until mid-August.

“I am deeply disturbed and troubled by these continuing security problems with information that should be closely safeguarded,” Blumenthal said Monday. “This kind of information should be treated as if it was cash, because it has the same value as cash to someone who might misuse it.”

This is not the first time Pfizer has delayed notification. Pfizer waited 6 weeks before notifying employees about the previous data breach, and 5 weeks have passed before public acknowledgement of this second data breach. Blumenthal has criticized Pfizer on both data breach accounts, and has requested information about their data security and data breach notification policies.

Pfizer has issued a statement indicating they are strengthening their data security practices:

“Pfizer and Axia take data security very seriously and we are both taking steps to enhance data security,” according to Goldman’s letter. “For example, Axia is adding stronger encryption features to all Axia laptops, as well as software that would be able to help Axia locate and retrieve any stolen or missing laptops. Pfizer is in the process of limiting the use of SSNs (Social Security numbers) whenever possible, and exploring a range of other data-security improvements.”

Pfizer and Axia will provide those affected with credit monitoring services, fraud resolution representatives, and $25,000 in identity theft insurance.

Read the letters between Pfizer and Attorney General Blumenthal here [PDF].

Via TheDay.com ; Tags: pfizer, pfizer data breach, axia, axia data breach, data breach, identity theft, laptop theft, laptop security, blumenthal

A suspect has now been arrested for the TJX data breach, the biggest data breach in corporate history.

Authorities arrested a Ukrainian man named Maksym Yastremskiy, who they think is the largest seller of the stolen credit card numbers. Greg Crabb, program manager in the global investigations division of the US Postal Inspection Service, hopes the arrest will be a breakthrough in the investigation. The suspect is being called:

“one of the world’s important and well-known computer pirates.”

Authorities believe that Yastremskiy sold credit card numbers via password-protected or overseas online forums. Cards were sold from $20-$100, and in batches up to 10,000. The suspect is associated with individuals charged with similar crimes. The TJX hackers have not yet been identified.

Yastremskiy was arrested several weeks ago in Turkey, although the information about his relation to the TJX data breach has just surfaced. As noted in a recent post, the expected cost of this data breach for TJX is over $100 million.

Via Boston.com ; Tags: data breach, tjx data breach, identity theft, data breach cost, arrest, hackers, stolen credit cards

The Connecticut Department of Revenue Services (DRS) has issued a statement that a laptop containing personal information for 106,000 people has been stolen.

An Agency laptop containing names and Social Security Numbers for 106,000 taxpayers was stolen earlier in August from the DRS office in Hartford. The laptop was password-protected, but no word on whether or not it was encrypted or protected in any other way.

The DRS will be contacting affected individuals. Those affected will get a free copy of their credit report. DRS Commissioner Pam Law noted:

“While there is no indication that any information has been compromised in this instance, I want to assure citizens that everything that can be done will be done to safeguard residents’ personal data”

One would hope that this means upgrading their security policies to include more stringent security technologies such as computer tracking and recovery software (like Absolute’s Computrace products) , and laptop locks within the office.

Via courant Tags: data breach, identity theft, connecticut department of revenue services, drs

The Idaho Army National Guard has suffered a data breach as a result of a stolen USB thumb drive.

A small computer drive containing the Social Security numbers & personal information for all Idaho National Guards (3,400 members) was stolen on Monday night from a soldier’s car. The soldier was traveling on official duty. Police believe the theft is part of a number of car burglaries in the area, and not a targeted attack.

“You name it, it was on there,” Dowling said of the so-called thumb drive. “Any time our soldiers’ personal data get compromised in any way, it’s a big concern for us. We want to make sure that all of our soldiers are informed and protect themselves.”

The National Guard is personally calling all Guard members and sending out notifications by mail. The day after the theft, the National Guard activated a phone tree normally used for natural disasters or state emergencies.

Although the Guard is in the process of encrypting all decides, this particular thumb drive had not not encrypted yet. There is no policy prohibiting soldiers from removing storage devices from office property.

Affected soldiers can go to www.idahoarmyguard.org for more information.

Via FOX & tg daily & Star Tribune Tags: national guard, data breach, idaho national guard, stolen data, identity theft

VeriSign, the company that operates an array of network infrastructure and provides a variety of security and telecom services, has suffered a data breach.

On July 12 or 13, a company laptop was stolen from an employee’s vehicle in a parking garage in California. The laptop contained data for an undisclosed number of current and former employee names.

The data breach included names, Social Security numbers, dates of birth, salary information, and home phone and addresses for VeriSign employees.

Here is an excerpt from the 5-page letter sent to VeriSign employees affected by the data breach:

VeriSign already has a strong Information Security Policy in place, which in this case was unfortunately not followed. VeriSign’s Information Security Department issues a quarterly publication to remind employees of this policy. For this incident, we disabled any access by the employee’s computer to the VeriSign network or any information located on the VeriSign network, going forward, and we are reviewing our security procedures to help prevent a recurrence of this type. Among other things, we plan to implement procedures to more strictly enforce our policy of encrypting sensitive data stored on company computers.

The employee responsible has left the company, and VeriSign is working to strengthen its data-protection policies, which were not followed in this case. Current policies state that data storage should be minimized & encrypted and that laptops should not be left in vehicles. In this case, the data was not encrypted; the laptop was password protected, although this offers little protection. VeriSign’s security policy does not include more stringent laptop security solutions above encryption, but probably should.

Local police believe the laptop theft to be tied to a number of local burglaries. No evidence of identity theft has yet appeared. VeriSign has sent a letter to victims notifying them of the breach and the risk for identity theft. VeriSign will provide credit monitoring services.

VeriSign may suffer a more prolonged consumer reaction to the breach. Seeing a security services provider subject to a data breach lowers consumer confidence in their abilities.

Via attrition.org, sc magazine, consumer affairs, wizbangblog ; image via cohdra on morguefile Tags: verisign, data breach, verisign data breach, laptop theft, laptop loss, laptop security, identity theft, theft, security, computer security

According to a recent news story, hackers are using fake job advertisements in order to steal corporate and government data.

The US Department of Transportation and a number of US corporations including Booz Allen, Unisys Corp, Hewlett-Packard and Hughes Network Systems, have been attacked by hackers.

Hackers stole information from these companies by baiting employees with fake job listings on ads and via email. Using malicious software programs that were able to bypass security, hackers targeted a limited number of personal computers to fly under the radar of security systems.

“What is most worrying is that this particular sample of malware wasn’t recognized by existing antivirus software. It was able to slip through enterprise defenses,” said Yankee Group security analyst Andrew Jaquith, who learned of the breach from Morris [CEO of security provider Prevx Ltd.].

As of yet, all companies are declining comment and the Department of Transportation says no security breach has been detected. Security software companies are releasing patches to address the new and very sophisticated threat.

Via FOX News Tags: malware, malicious software, hacker, hacking, data breach, security software