Posts Tagged ‘breach report’

Network Solutions Breach Is Handled Well

Wednesday, August 5th, 2009

Who Breached: Network Solutions
Number Affected: 500,000+
Information breached: Credit card information
How: hacked

As the result of a hacker penetrating their e-commerce system, Network Solutions has determined that approximately 573,938 credit card holders may have had their data transferred. The company detected that hackers had placed unauthorized code on servers for some e-commerce merchants’ websites, and that this code may have been used to transfer data on some transactions. The credit card data was encrypted and PCI-compliant, and it is currently unknown how the malicious code entered the system.

From their news report:

The unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring.

Merchants and their customers are currently being notified. Network Solutions has additionally put together an informational website for their merchants at careandprotect.com. Consumer information is also included there for reference. They have included a blog in the website to answer questions that have arisen in the last week.

The quick and forthright response by Network Solutions has been quite impressive. They seem very keen to answer questions and be public with their responses. In addition, they have offered to foot the bill for customer notification, rather than those costs falling to the merchants affected.

Other notable data breaches from July:

  • HSBC Life, Lost Media, 180,000 affected (read more)
  • University of California San Diego Moores Cancer Center, Hack, 30,000 affected (read more)
  • LexisNexis, possible organized crime, >13,000 (read more)
  • Alberta Health Services Edmonton, Virus, >11,000 (read more)

Via datalossdb, The Register

Data Stolen & Held for Ransom

Tuesday, May 12th, 2009

Who Breached: Virginia Prescription Monitoring Program

Number Affected: 8 million +

Information breached: Prescription records

How: hacker

This isn’t an April Fool’s Joke, though it may seem like it. Hackers allegedly broke into a Virginia state website used by pharmacists to track prescription drug abuse. The hackers then deleted records on more than 8 million patients and 35 million prescription records.

Not satisfied just with the data, the alleged hackers replaced the site’s homepage with a ransom note demanding $10 million for the return of the records. The site is now completely unavailable (the state shut down access after they detected the breach), though the message was recorded.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

Director of Virginia’s Department of Health Professions, Sandra Whitley Ryals, declined to discuss the reported hack, saying [PDF] only that an investigation is underway by federal and state authorities. She said that they are working with experts to restore systems and ensure they’re safe. The Virginia Department of Health Professions says that all data has been backed up and those files remain secure. There is no word yet if affected patients will be contacted about this breach.

Via Consumerist, Washington Post, Computerworld

1 Million Affected After Laptop Stolen from Car

Monday, May 4th, 2009

Who Breached: Oklahoma Department of Human Services
Number Affected: 1 Million+
Information breached: Social Security Numbers
How: laptop stolen from car

It’s been a while since I’ve done a major highlight of any recent data breaches. They keep happening, to be sure, but the details often start to look the same. However, this one caught my eye because of its magnitude. The Oklahoma Department of Human Services (OKDHS) is notifying more than 1 million residents of the state that their data has been breached as the result of a stolen, unencrypted laptop.

According to their press release, a password-protected OKDHS laptop was stolen from an employee vehicle (a far too common theft location). The laptop contained names, Social Security Numbers, dates of birth and home addresses for clients who received Medicaid, Child Care assistance, and other program assistance. The laptop was stolen on April 3rd with a press release going out from OKDHS on April 23rd. Letters to affected clients started to go out in the same week.

OKDHS Director Howard H. Hendrick believes the “risk of the data being accessed is low because the computer uses a password protected system,” which is only a minimal safeguard. There’s no guarantee the password was strong and, even with a strong password, a login password controls access to the operating system rather than to the data itself; without disk encryption or other additional precautions, a lost system poses a high risk of its data being easily accessed. It is believed that the employee was not violating any policy in place, indicating that the current information security policy does not deal with taking data home or with proper data asset handling.

According to the Security Incident FAQ, OKDHS believes they have “numerous security measures” in place already to ensure client data is safeguarded, but plan to review all policy, procedures and training methods. Let’s hope this sheds some light through the entire organization about how much more can – and should – be done to protect sensitive information.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute, which offers many layers of security protection.

Via SC Magazine

Verizon 2009 Business Data Breach Report

Thursday, April 23rd, 2009

Verizon has released its 2009 Business Data Breach Investigations Report, following similar reports earlier this year from the ITRC and Ponemon. The report indicates that 285 million records were breached in 2008. This figure is much higher than the 35.7 million records that the ITRC estimated based on notification letters.

Highlights from the study include:

  • 91% of all compromised records were attributed to organized criminal groups
  • 99.6% of records were compromised from servers and applications
  • 74% resulted from external sources
  • 20% resulted from insiders
  • 69% were discovered by a 3rd party
  • 67% were aided by significant errors
  • 32% implicated business partners
  • 95% of data breaches were rated as high difficulty requiring advanced skills, significant customization, and/or extensive resources

The most successful breaches involved an attacker exploiting some mistake made by the victim, allowing them to hack into a network and collect data. Hacking and malware were the top single causes of breaches, both up from the figures for 2007.

Although much of the response to this survey has focused on insider threats being lower than expected, I have to argue that the data seems in line with previous data. Although there is an indication that insider threats will go up for 2009, the 20% insider data breach figure quoted here is actually higher than the previously estimated 15.7%. I think fear of future insider threats has simply muddled our perspective of the past year.

The data about insiders, however, has been more revealing. On a per breach basis, insiders were responsible for more records lost, on average, per breach than other causes, such as external sources or partners.

The report suggests that mitigation efforts be focused on ensuring essential controls are met; finding, tracking & assessing data; collecting and monitoring event logs; auditing user accounts and credentials; and testing and reviewing web applications.

Download the breach report here [PDF].

Breach News: Heartland & More

Thursday, March 5th, 2009

Following on the heels of the Heartland Payment Systems breach that affected as many as 100 million credit cards, 3 arrests were made. The arrests followed the 3-month investigation into a stolen credit card ring. The arrests were for men caught using stolen credit card numbers at local Walmart stores. Apparently the Secret Service has a suspect in the Heartland data breach, someone outside North America.

With more than 580 institutions affected by this data breach, it should be no surprise that lawsuits would follow. A PA-based law firm filed a class action lawsuit against Heartland in January, accusing Heartland of belated and inaccurate notifications of the breach and inadequate security precautions. In addition, this week 8 banks and credit unions filed lawsuits against Heartland over its failure to protect credit and debit card data. The lawsuits seek compensation for the costs of breach notification and re-issue of cards by the financial institutions. Where fraud has occurred, the banks also seek recompense.

Other large breaches: the Arkansas Department of Information Systems lost a data tape from storage (807,000 affected), and it appears that information about the communications, navigation and management electronics on Marine One (the Presidential helicopter) was accidentally leaked onto a peer-to-peer file sharing network. It was thought for a week that there was a new large payment processing breach, but Visa has issued a statement that clarifies that the breach notifications pertain to existing, not new, issues.

It also caught my eye that the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal are holding their 13th annual Security Breach Notification seminar on March 6th. The seminar talks about identity theft and changes coming in the future. You can learn more here. If you can’t make it, check out some resources here.


Computers Missing at Nuclear Lab

Thursday, February 26th, 2009

An email [PDF] obtained by the Project on Government Oversight earlier indicated that the Los Alamos National Laboratory (LANL) had lost 3 computers and a BlackBerry device during a 2-week period this year. After the news went public, further government response indicates that the nuclear weapons laboratory has a total of 67 “missing”, lost or stolen data devices.

The National Nuclear Security Administration (NNSA) wrote [PDF] to the LANL about the most recent computer theft expressing concern that the apparent “robustness of cyber security implementation” was not being vigilantly overseen. They say there are issues with individual security controls but also configuration management and accountability issues.

“In treating this initially as only a property management issue, my staff and I, and apparently the cyber security elements of the laboratory, were not engaged in a timely and proactive manner to assess and address potential loss of sensitive information.”

The quote above indicates a common misconception – that the loss of data devices is a property issue, not a data security issue. The memo advises LANL to treat all loss of equipment that can carry data – not just computers – as a cyber-security concern.

The letter revealed that 13 LANL computers have been stolen within the last year and that 67 are currently “missing.” Very little data was available – or collected – about what data has been compromised as the result of these breaches. Jeffrey Berger, director of communications at LANL, says that no classified data was held on any of the lost devices and thinks the leaked memos “distorted” the situation.

Los Alamos has suffered 3 major public breaches in the past, so none of this experience is ‘new’ to them. A system like Absolute Software’s Computrace could help with the asset tracking that appears to be a major problem for the lab – so they would know, in seconds, where every single computer is.

Via AFP, eweek, CNet, Computerworld, WSJ

Monster.com Hack #3

Wednesday, January 28th, 2009

Monster.com posted on January 23rd that their database had been hacked, this being the third time the company has experienced a breach of this sort.

The breached data includes contact information such as email addresses, phone numbers and usernames/passwords, but does not include personal data such as Social Security Numbers or financial data, as that is not data collected by the company. The breach affects USAJobs.gov (official job site for the US Federal Government) as well as Monster.com.

Despite the fact that SSNs and financial data were not breached, consumers should still be concerned about their lost data. Email addresses and other personal information can be used in various identity theft scams as a means to gain higher-level personal data. If consumers use the same username and password for banking services, which is all too common (41% use the same password for everything, via Sophos), this information can be used directly in fraud or identity theft.

Here’s an opinion video from Sophos about the Monster.com breach and why it’s important:

In August 2007 Monster.com experienced a data breach that affected 1.3 million people, who then were targeted by phishers, and in October of the same year a hacker hijacked job listings to infect visitors with malware.

Monster.com recommends that its users change their passwords (making it mandatory on the site), with a warning to not fall prey to phishing attacks based on that premise. Monster.com will not be contacting consumers about this breach, by email or by mail.

For tips about choosing a strong password, read here or here.

Via I’ve been mugged

2008 Data Breaches up 47%

Tuesday, January 13th, 2009

The Identity Theft Resource Center (ITRC) has released their 2008 breach report showing a 47% increase in data breaches over 2007.

2008 Data Breaches Reported – 656

2007 Data Breaches Reported – 446

Keep in mind the key word in this data – reported. More data breaches go un-reported and/or undetected. However, this data still shows a troubling increase in data security issues.

Breaking down the data by sector, the figures are approximately the same as in previous years. The Business sector accounted for 240 breaches, 36.6% of all breaches. Following behind in terms of incidence are Education (20%), Government (16.8%), Medical (14.8%) and Financial (11.9%). The Government sector was the only sector to have a marked decrease in breach incidents over a 2 year period, dropping nearly 50% since 2006.

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. 8.5% used password protection.

Five categories of data loss methods are tracked: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Insider theft accounted for 15.7% of data breaches, more than doubling between 2007 and 2008. Most breaches, 35.2%, are accidental, falling into the ‘data on the move’ and ‘accidental exposure’ categories.

Based on data collected, 82.3% of breaches were electronic (vs paper) and at least 35.7 million records were potentially breached (based on notification letters / information supplied). Given that one breach alone in 2007 accounted for 25 million exposed records, it is likely that though the number of breaches went up in 2008, the number of records exposed may have gone down.

You can download the ITRC Stats & Reports here.

Fun read: Ever wonder what a month of spam looks like? Crazy, isn’t it, that one person can receive so much spam!

Starbucks Data Breach Mirrors that of 2006

Tuesday, December 2nd, 2008

Who Breached: Starbucks
Number Affected: 97,000
Information breached: Social Security Numbers
How: stolen laptop

Starbucks Corp. confirmed this week that a laptop containing the information of 97,000 employees was stolen.

A Starbucks laptop containing names, addresses and Social Security Numbers was stolen on October 29th. It is not clear if the laptop was protected in any way, or how it was stolen.

In 2006, Starbucks reported the theft of four laptop computers, so it is sad that such an issue would again come to light. In 2006, the breach affected 60,000 Starbucks employees / partners. Although the Starbucks statement to employees, after this most recent breach, indicates that the company is taking steps to protect data, including encryption, one would hope that those steps would have occurred in the 2-year period since the last breach. A copy of the letter sent to affected Starbucks employees can be found here.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute.

Other major data breaches for November, 2008:

  • Luxottica Group, 59,000+ affected, hacker [read more]
  • University of Florida College of Dentistry, 344,000+, compromised server [read more]
  • Christus Health Care, thousands, stolen backup tapes [read more]
  • Harvard Law School, 21,000, lost backup tapes [read more]
  • North Carolina Division of Aging and Adult Services, 85,000+, lost laptop [read more]
  • Baylor Health Care System Inc., 100,000, stolen laptop [read more]
  • Arizona Department of Economic Security, 40,000, stolen hard drives [read more]

And in other news…

In a very strong statement by Canada’s Privacy Commissioner Jennifer Stoddart, Canada was called to shame for inaction on cybercrime. Stoddart called it an “embarrassment” that Canada does not protect the rights of individuals with provisions such as anti-spam legislation, strong identity theft legislation, or mandatory data breach provisions. Read more about this here.

Via datalossdb

T-Mobile Breaches 17 Million

Friday, October 17th, 2008

Who Breached: Deutsche Telekom’s T-Mobile
Number Affected: 17 million
Information breached: Social Security Numbers
How: laptop

T-Mobile, subsidiary of Deutsche Telekom, has issued notice that a major data breach from 2006, affecting 17 million customers, has resurfaced as an issue. The information included names, addresses and phone numbers. No banking details were lost.

The data loss occurred in 2006, but details of the breach event became public on October 4th, 2008 in this statement. The company published this report publicly after a German news magazine reported that the data was up for sale on the Internet.

Deutsche Telekom says that a data storage medium with records for 17 million people was found, and that there was no record of unauthorized use of the data. However, the German news magazine found the data online for sale. The data includes home address and unlisted phone numbers for celebrities, business leaders, government ministers and more.

Here is an excerpt from Deutsche Telekom’s response:

In spring 2006, Deutsche Telekom immediately reported the theft to the responsible public prosecutors’ office. Within the scope of their investigations, the public prosecutors’ office was able to recover storage media. Extensive research conducted over several months on the Internet and in data trading places could not reveal any clues indicating that the data had been offered or disseminated on the black market. Owing to this, Deutsche Telekom assumed that there would be no dissemination of the data. However, Der Spiegel was apparently able to access the data in question via third parties.

The company expresses concern that the breach incident is relevant once again, being previously under the assumption that the matter had been closed. They “regret to say that [they] have not been able to protect… customer data in line with [their] standards.”

Deutsche Telekom says that security measures have been significantly tightened since 2006. These measures include: complex passwords, access authorization, and access monitoring, among other measures. They have set up a FAQ on the data breach here.

Other recent notable data breaches:

  • University of North Dakota – Stolen Laptop, 84,554 affected [more]
  • University of Indianapolis – Hacker, 11,000 affected [more]
  • The Whittington Hospital NHS Trust – lost CDs, 17,990 affected [more]
  • CCN – hacker, 98,930 affected [more]

Via datalossdb.org, vnunet, NY Times
