Posts Tagged ‘Data Breach’

DuPont Sues Employee for Insider Theft

Monday, September 14th, 2009

Many of us think about protecting our data against the strangers of the world who might be trying to find a way to use our information to their benefit.  It can be surprising, therefore, when the breach occurs within our company (or circle of friends, family, etc…).  Unfortunately, DuPont is learning that insider theft is becoming more and more common.

The industrial manufacturing company discovered that one of their employees, a senior research chemist, transferred confidential files containing trade secrets from his company-issued laptop to an external hard drive.

Immediately, I couldn’t help but wonder why DuPont wouldn’t have some sort of alert in place for when removable storage is attached to a company computer.  I was further baffled when I learned that this isn’t the first time they’ve been through this.

After 10 years with DuPont, an employee gathered information from thousands of documents and scientific abstracts.  His mission?  To sell the information to rival company Victrex.  He was sentenced to 18 months in prison.

Aside from setting up some sort of alert system for when data leaves its approved location and using laptop security products like Computrace, DuPont (and other companies) have to come to terms with the fact that even people with legitimate access to their information need to be considered potential threats.
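One way to build the alert the post wishes DuPont had, as an added example that is not part of the original post and not code from DuPont or any Absolute product: parse the kernel log lines a Linux host writes when a USB device is plugged in, and raise an alert only when the kernel reports a mass-storage interface on that port, so mice and keyboards stay silent. The log lines, hostnames and the APPROVED_SERIALS allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in classic syslog/dmesg format (not real DuPont logs).
# Two hosts: lab-ws17 gets an unknown flash drive and a mouse, lab-ws22 gets a
# company-issued drive whose serial is on the allowlist.
SAMPLE_LOG = """\
Sep 14 09:12:01 lab-ws17 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Sep 14 09:12:01 lab-ws17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583
Sep 14 09:12:01 lab-ws17 kernel: usb 1-2: Product: Ultra Fit
Sep 14 09:12:01 lab-ws17 kernel: usb 1-2: SerialNumber: 4C530001230123456789
Sep 14 09:12:02 lab-ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Sep 14 09:12:03 lab-ws17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Sep 14 09:20:44 lab-ws17 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077
Sep 14 09:20:44 lab-ws17 kernel: input: USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
Sep 14 11:05:17 lab-ws22 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666
Sep 14 11:05:17 lab-ws22 kernel: usb 2-1: Product: DataTraveler 3.0
Sep 14 11:05:17 lab-ws22 kernel: usb 2-1: SerialNumber: CORP-ENC-0042
Sep 14 11:05:18 lab-ws22 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of serial numbers for company-issued, encrypted drives.
APPROVED_SERIALS = {"CORP-ENC-0042"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
USB_ATTR_RE = re.compile(r"^usb (?P<port>[\d.-]+): (?P<rest>.*)$")
IDS_RE = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected$"
)


@dataclass
class UsbDevice:
    host: str
    port: str
    first_seen: str
    vid: str = ""
    pid: str = ""
    product: str = ""
    serial: str = ""


def detect_mass_storage(log_text, approved_serials=APPROVED_SERIALS):
    """Return one alert dict per USB mass-storage device attached to a host.

    Vendor/product IDs, product name and serial arrive on separate
    'usb <port>:' lines before the usb-storage line, so attributes are
    accumulated per (host, port) and an alert is emitted only when the kernel
    confirms a mass-storage interface on that port. Mice, keyboards and other
    non-storage devices never produce that line and so never alert.
    """
    devices = {}
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")

        attr = USB_ATTR_RE.match(msg)
        if attr:
            key = (host, attr.group("port"))
            dev = devices.setdefault(key, UsbDevice(host, attr.group("port"), ts))
            rest = attr.group("rest")
            ids = IDS_RE.search(rest)
            if ids:
                dev.vid, dev.pid = ids.group("vid"), ids.group("pid")
            elif rest.startswith("Product: "):
                dev.product = rest[len("Product: "):]
            elif rest.startswith("SerialNumber: "):
                dev.serial = rest[len("SerialNumber: "):]
            continue

        stor = STORAGE_RE.match(msg)
        if stor:
            key = (host, stor.group("port"))
            dev = devices.get(key) or UsbDevice(host, stor.group("port"), ts)
            alerts.append({
                "time": ts,
                "host": host,
                "port": dev.port,
                "vendor_product": f"{dev.vid}:{dev.pid}",
                "product": dev.product,
                "serial": dev.serial,
                "approved": dev.serial in approved_serials,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_storage(SAMPLE_LOG):
        level = "INFO" if a["approved"] else "ALERT"
        print(f"{level} {a['time']} {a['host']} port {a['port']}: "
              f"{a['product'] or 'unknown'} ({a['vendor_product']}) serial={a['serial'] or '?'}")
```

In a real fleet the lines would be shipped to a central log collector and the check run there, so that a user who unplugs the drive cannot also erase the local record. The allowlist is what makes the alert actionable: a company-issued encrypted drive is logged, an unknown one pages someone. Device-control software that blocks unapproved mass storage outright is the stronger control; this check is the detective counterpart for the hosts that control does not cover.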


Heartland Shares Advice on Data Breaches

Monday, August 17th, 2009

Earlier this year, we posted about one of the largest data breaches to ever come to light: the Heartland Payment Systems breach that affected as many as 100 million cards and cost the company $12.6 million in legal costs and fines from MasterCard and Visa.

Heartland CEO, Robert Carr, is now opening up about the security breach, hoping other companies can learn from their experiences.

Carr argues that the PCI compliance auditors failed the company, that Heartland was right to inform customers of the breach before the media, and that other companies can learn from both experiences.

Essentially, Carr says the QSA (Qualified Security Assessor) audits of their systems were of no value, since they failed to detect the security holes that were later exploited.

“To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware.”

Carr was surprised to learn that others knew of this attack vector and that the information had not been shared, and says he now understands the “limitations of PCI” and its assessment process. The problem with any compliance standard, in any industry, is that passing an assessment can lull a company into a false sense of security: an assessment is a point-in-time check against a fixed list of controls, and attackers are not limited to what that list covers, especially when the list lags behind current attacks. Heartland learned the hard way that “PCI compliance doesn’t mean secure.”

In the rest of the interview, Carr shares how Heartland has spent $32 million to upgrade its security at all levels, making sure that data is encrypted wherever it resides. Heartland’s best advice to other companies experiencing a breach is to be up front with customers. After the breach, all Heartland employees were told to explain to customers what the breach meant for them and to be the customers’ point of contact (rather than the press). “Being candid has been key.”


Network Solutions Breach Is Handled Well

Wednesday, August 5th, 2009

Who Breached: Network Solutions
Number Affected: 500,000+
Information breached: Credit card information
How: hacked

As the result of a hacker penetrating its e-commerce system, Network Solutions has determined that approximately 573,928 credit card holders may have had their data transferred. The company detected that hackers had placed unauthorized code on servers for some e-commerce merchants’ websites, and that this code may have been used to transfer data on some transactions to servers outside the company. Network Solutions says its systems were PCI compliant and that stored card data was encrypted; note that encryption of stored data does nothing against code that captures transaction data while it is being processed. It is currently unknown how the malicious code got onto the servers.

From their news report:

The unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring.

Merchants and their customers are currently being notified. Network Solutions has additionally put together an informational website for their merchants at careandprotect.com. Consumer information is also included there for reference. They have included a blog in the website to answer questions that have arisen in the last week.

The quick and forthright response by Network Solutions has been quite impressive. They seem very keen to answer questions and be public with their responses. In addition, they have offered to foot the bill for customer notification, rather than those costs falling to the merchants affected.
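The check that catches “unauthorized code placed on servers” early is a file-integrity baseline of the web root. The example below is added here and is not Network Solutions’ code: it hashes every file under a directory into a manifest, re-hashes later, and reports files that were added, modified or removed. The site tree, the appended line and the dropped file are constructed placeholders standing in for a merchant site and for injected code.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a merchant web root (not Network Solutions' code).
SAMPLE_SITE = {
    "index.html": "<html><body>Shop</body></html>\n",
    "checkout.php": "<?php\n// process card and post to gateway\nprocess_payment($_POST);\n",
    "js/cart.js": "function addToCart(id) { /* ... */ }\n",
}

# Constructed placeholders for a compromise: a line appended to the checkout
# page and a new file dropped into a directory nobody looks at. The contents
# are deliberately inert; only the fact that they changed matters here.
INJECTED_LINE = "<!-- constructed stand-in for injected code -->\n"
DROPPED_FILE = ("images/.cache.php", "<?php /* constructed stand-in for a dropped file */ ?>\n")


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Classify changes against the baseline.

    'added' is the signal for dropped web shells or skimmer scripts,
    'modified' for code injected into existing pages, and 'removed' usually
    means log or evidence tampering, so all three are reported.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def write_tree(root, files):
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Baseline the constructed web root, simulate the compromise, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_SITE)
        baseline = build_manifest(root)

        # Simulate the compromise: modify one page, drop one file.
        with open(Path(root) / "checkout.php", "a") as f:
            f.write(INJECTED_LINE)
        write_tree(root, dict([DROPPED_FILE]))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The baseline manifest must be stored off the web server, or whoever can drop code can also rewrite the manifest; run the comparison from a separate host on a schedule and treat any change to a payment page as a priority incident. Hash comparison only sees code that lands on disk, so pair it with monitoring of outbound connections from the web tier to catch data leaving for “servers outside the company”.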

Other notable data breaches from July:

  • HSBC Life, lost media, 180,000 affected
  • University of California San Diego Moores Cancer Center, hack, 30,000 affected
  • LexisNexis, possible organized crime, more than 13,000 affected
  • Alberta Health Services Edmonton, virus, more than 11,000 affected

Via datalossdb, The Register

Heartland Breach is Costly

Thursday, May 21st, 2009

Earlier this year, we posted about one of the largest data breaches to ever come to light: the Heartland Payment Systems breach that affected as many as 100 million people after their network was compromised. News this month indicates that the breach has cost the company $12.6 million in legal costs and fines from MasterCard and Visa.

In a conference call with investors, Heartland’s CEO, Robert Carr, shared the financial damage that was the result of the Q1 breach. They say that of the $12.6 million charge, less than $1 million is related to fines by Visa, but more than 50% of the cost is associated with a fine from MasterCard. The company is contesting the fines, which allege a failure by Heartland to take appropriate action upon learning of the network compromise.

Carr has been frank in talking about the data breach, and lays some of the blame on the payment industry itself for not having stringent enough best practices. Though I think it’s great that Heartland is encouraging new best practices, best practices are only a baseline in any industry. Companies should always be considering their particular risk factors and taking whatever added measures are necessary to mitigate them.

Heartland was recently re-certified as PCI DSS compliant by Visa, MasterCard and Discover. However, much damage has been done to their reputation and, fines aside, the costs of this breach have been severe.


Data Stolen & Held for Ransom

Tuesday, May 12th, 2009

Who Breached: Virginia Prescription Monitoring Program
Number Affected: 8 million +
Information breached: Prescription records
How: hacker

This isn’t an April Fool’s Joke, though it may seem like it. Hackers allegedly broke into a Virginia state website used by pharmacists to track prescription drug abuse. The hackers then deleted records on more than 8 million patients and 35 million prescription records.

Not satisfied just with the data, the alleged hackers replaced the site’s homepage with a ransom note demanding $10 million for the return of the records. The site is now completely unavailable (the state shut down access after they detected the breach), though the message was recorded.

“I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

Sandra Whitley Ryals, Director of Virginia’s Department of Health Professions, declined to discuss the reported hack, saying only [PDF] that an investigation by federal and state authorities is underway and that the department is working with experts to restore systems and ensure they are safe. The department also says that all data has been backed up and that those files remain secure. There is no word yet on whether affected patients will be contacted about this breach.

Via Consumerist, Washington Post, Computerworld

1 Million Affected After Laptop Stolen from Car

Monday, May 4th, 2009

Who Breached: Oklahoma Department of Human Services
Number Affected: 1 Million+
Information breached: Social Security Numbers
How: laptop stolen from car

It’s been a while since I’ve done a major highlight of any recent data breaches. They keep happening, to be sure, but the details often start to look the same. This one, however, caught my eye because of its magnitude. The Oklahoma Department of Human Services (OKDHS) is notifying more than 1 million residents of the state that their data has been breached as the result of a stolen, unencrypted laptop.

According to their press release, a password-protected OKDHS laptop was stolen from an employee vehicle (a far too common theft location). The laptop contained names, Social Security Numbers, dates of birth and home addresses for clients who received Medicaid, Child Care assistance, and other program assistance. The laptop was stolen on April 3rd with a press release going out from OKDHS on April 23rd. Letters to affected clients started to go out in the same week.

OKDHS Director Howard H. Hendrick believes the “risk of the data being accessed is low because the computer uses a password protected system,” but a login password is very weak protection for a stolen machine. It controls access to the running operating system only; anyone holding the laptop can boot from other media or remove the drive and read an unencrypted disk directly, and there is no guarantee the password was strong in the first place. Encrypting the disk (or at least the client files) is what makes the data on a lost laptop unreadable. It is believed that the employee was not violating any policy in place, which indicates that the current information security policy does not address taking data home or the proper handling of data assets.

According to the Security Incident FAQ, OKDHS believes they have “numerous security measures” in place already to ensure client data is safeguarded, but plan to review all policy, procedures and training methods. Let’s hope this sheds some light through the entire organization about how much more can – and should – be done to protect sensitive information.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute, which offers many layers of security protection.

Via SC Magazine

Verizon 2009 Business Data Breach Report

Thursday, April 23rd, 2009

Verizon Business has released its 2009 Data Breach Investigations Report, following similar reports earlier this year from the ITRC and Ponemon. The report indicates that 285 million records were compromised in 2008, far more than the 35.7 million records the ITRC estimated from notification letters. The two figures come from different samples: Verizon counts records from the breaches its own forensic teams investigated, while the ITRC counts only breaches disclosed in public notifications.

Highlights from the study include:

  • 91% of all compromised records were attributed to organized criminal groups
  • 99.6% of records were compromised from servers and applications
  • 74% resulted from external sources
  • 20% resulted from insiders
  • 69% were discovered by a 3rd party
  • 67% were aided by significant errors
  • 32% implicated business partners
  • 95% of data breaches were rated as high difficulty requiring advanced skills, significant customization, and/or extensive resources

The most successful breaches involved an attacker exploiting some mistake made by the victim, allowing them to hack into a network and collect data. Hacking and malware were the top single causes of breaches, both up from the figures for 2007.

Much of the response to this report has focused on the insider figure being lower than expected, but the data seems in line with previous years. Although the report anticipates that insider breaches will rise in 2009, the 20% insider figure quoted here is actually higher than the previously estimated 15.7%. I think fear of future insider threats has simply muddled our perspective of the past year.

The per-breach data about insiders, however, is more revealing: on average, an insider breach lost more records than a breach by external sources or partners, even though insiders accounted for far fewer breaches.

The report suggests that mitigation efforts be focused on ensuring essential controls are met; finding, tracking & assessing data; collecting and monitoring event logs; auditing user accounts and credentials; and testing and reviewing web applications.

Download the breach report here [PDF].

Don’t Ignore Physical Data Management

Friday, March 27th, 2009

Normally we hear about massive data breaches caused by the loss of electronic data, whether a lost storage device or laptop or a hack. Paper records can be breached too, though, and this week there were four reports of data breaches involving paper.

  1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has a policy of shredding documents for disposal, but that policy was overlooked.
  2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A doctor has admitted to his mistake in improperly disposing of the files.
  3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft.
  4. A Dallas man found a box of medical records, including Social Security Numbers, in the parking lot of a storage business. The storage unit belonging to a doctor had been broken into and the records left out.

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net

Data Breaches in the Healthcare Sector

Friday, March 20th, 2009

Dartmouth College’s Center for Digital Strategies recently released a study about “Data Hemorrhages in the Health-Care Sector”. The study examines the consequences of data breaches, from privacy violations to medical fraud to identity theft (financial and medical). The analysis demonstrates substantial vulnerability for the healthcare sector.

The report indicates that data breaches are coming from all sides of the healthcare sector: hospitals, physicians, laboratories, and outsourced service providers. The paper looks in particular at medical identity theft, a dangerous outcome we’ve discussed previously.

The report pays special attention to inadvertent data losses over peer-to-peer (P2P) file-sharing networks. The analysis uncovered thousands of files containing medical information on publicly available file-sharing networks. That data may have gotten there inadvertently, through malware or through a file-sharing client configured to share a folder that held confidential documents alongside the music the user meant to share.

“We found multiple files from major health-care firms that contained private employee and patient information for literally tens of thousands of individuals, including addresses, Social Security Numbers, birth dates, and treatment billing information. Disturbingly, we also found private patient information including medical diagnoses and psychiatric evaluations.”

The report indicates that the risk of patient information disclosures on P2P networks is higher than if a laptop or data device is lost. The report found that tracking and stopping medical data breaches is more complex given the fragmented nature of the US healthcare system.

This report reminds us of the importance of a strong data access policy: who can access what data, from where, and whether it can be transferred to other devices. Computrace can help with that, with our Secure Asset Tracking® telling you where your devices are and what software and hardware is installed on them. As with other aspects of data security, choose a layered approach combining the right technology, processes and policies to protect confidential information.
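Before a folder is handed to a file-sharing client, a scan for the kinds of data the study found is a cheap control. The example below is added here and is not code from the Dartmouth study or from Computrace: it walks a folder, skips binary files such as music, and reports files containing Social Security Numbers or medical terms. The folder contents are constructed, and the medical keyword list is an illustrative assumption. The SSN pattern rejects area, group and serial values the Social Security Administration never issues, which keeps look-alike reference numbers out of the report.

```python
import re
import tempfile
from pathlib import Path

# Constructed contents of a folder a user is about to share (not data from the
# study): music files mixed with work files, as the report describes.
SAMPLE_FOLDER = {
    "Music/track01.mp3": b"ID3\x03\x00\x00\x00" + b"\x00" * 64,
    "Music/track02.mp3": b"ID3\x03\x00\x00\x00" + b"\xff\xfb" * 32,
    "billing_export.csv": (
        "patient,ssn,dob,amount\n"
        "J. Doe,123-45-6789,1961-04-02,412.50\n"
        "R. Roe,000-12-3456,1975-11-30,80.00\n"   # area 000 is never issued: not an SSN
        "M. Moe,987-65-4321,1980-01-01,15.00\n"   # area 9xx is never issued: not an SSN
        "A. Poe,219-09-9999,1990-06-15,99.99\n"
    ).encode(),
    "notes/session_notes.txt": b"Psychiatric evaluation: diagnosis F41.1, follow-up in 2 weeks.\n",
    "README.txt": b"Nothing sensitive here.\n",
}

# Reject area 000, 666 and 900-999, group 00 and serial 0000, which the SSA
# never issues; this removes most false positives from IDs that happen to be
# 3-2-4 digits. Dates such as 1961-04-02 fail the \b before the area digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Hypothetical keyword list; a real deployment would use the organisation's own.
MEDICAL_TERMS = re.compile(r"\b(diagnosis|psychiatric|prescription|treatment)\b", re.IGNORECASE)


def is_probably_text(data):
    """Cheap binary check: a NUL byte in the first 1 KiB means skip the file."""
    return b"\x00" not in data[:1024]


def scan_tree(root):
    """Return {relative path: {'ssn': n, 'medical': n}} for files with hits."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        if not is_probably_text(data):
            continue
        text = data.decode("utf-8", errors="replace")
        ssn = len(SSN_RE.findall(text))
        med = len(MEDICAL_TERMS.findall(text))
        if ssn or med:
            findings[p.relative_to(root).as_posix()] = {"ssn": ssn, "medical": med}
    return findings


def write_tree(root, files):
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Materialise the constructed folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_FOLDER)
        return scan_tree(root)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(f"DO NOT SHARE {path}: {counts['ssn']} SSN(s), {counts['medical']} medical term(s)")
```

Extend the patterns to what your organisation actually holds (medical record numbers, card numbers with a Luhn check). Any hit means the file does not belong in a shared folder; the same scan is a quick way to triage a laptop or removable drive before it leaves the building.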

Hat tip to the privacy commissioner, SC Magazine

Breach News: Heartland & More

Thursday, March 5th, 2009

Following on the heels of the Heartland Payment Systems breach that affected as many as 100 million credit cards, three arrests were made after a three-month investigation into a stolen credit card ring; the men were caught using stolen card numbers at local Walmart stores. Apparently the Secret Service also has a suspect in the Heartland breach itself, someone outside North America.

With more than 580 institutions affected by this data breach, it should be no surprise that lawsuits would follow. A PA-based law firm filed a class action lawsuit against Heartland in January, accusing Heartland of belated and inaccurate notifications of the breach and inadequate security precautions. In addition, this week 8 banks and credit unions filed lawsuits against Heartland over its failure to protect credit and debit card data. The lawsuits seek compensation for the costs of breach notification and re-issue of cards by the financial institutions. Where fraud has occurred, the banks also seek recompense.

Other large breaches: the Arkansas Department of Information Systems lost a data tape from storage (807,000 affected), and it appears that information about the communications, navigation and management electronics on Marine One (the Presidential helicopter) was accidentally leaked onto a peer-to-peer file sharing network. For a week it was thought that there was a new large payment processing breach, but Visa has issued a statement clarifying that the breach notifications pertain to existing, not new, issues.

It also caught my eye that the Berkeley Center for Law & Technology and the Berkeley Technology Law Journal are holding their 13th annual Security Breach Notification seminar on March 6th. The seminar talks about identity theft and changes coming in the future. You can learn more here. If you can’t make it, check out some resources here.

