The Security Blog » Security Incidents

Data Theft Creates Notification Nightmare For BlueCross

Joshua Scott — Tue, 02 Mar 2010 19:19:08 +0000

IDG News Service – A break-in one evening last October at a shopping mall in Chattanooga, Tennessee, is proving expensive for BlueCross BlueShield of Tennessee.

Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened, the company said in a letter posted to the Maryland attorney general’s Web site over the weekend.

As with many data breaches, this one can be traced back to a burglary involving unencrypted data.

On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company’s training center in Chattanooga’s Eastgate Town Center mall. The drives contained recordings of more than 1 million [...]

SQL injection attacks and malware led to most data breaches

Joshua Scott — Thu, 11 Feb 2010 20:22:25 +0000

Posted by Dancho Danchev @ 5:27 pm

With millions of personal records and payment card information stolen on a regular basis, several recently released reports independently confirm some of the main sources of breaches. Not surprisingly, that.s not zero day flaws, not even insiders, but good old fashioned SQL injections next to malware infections.

With companies investing more resources into ensuring their networks and employees are protected against the very latest threats, some are clearly overlooking the most basic threats, usually requiring simple or average attack sophistication on behalf of the cybercriminal.

Let’s review the reports detailing the true impact of SQL injections and malware in the context of data breaches.

- UK Security Breach Investigations Report – An Analysis of Data Compromise Cases – 2010

7Safe.s recently released Breach Report for 2010, states that based on the analysis performed by their forensic investigations, 40% of all the attacks relied on SQL injections, [...]

UTMB warns 1,200 of identity theft threat

Joshua Scott — Thu, 11 Feb 2010 18:14:23 +0000

The University of Texas Medical Branch has mailed letters notifying 1,200 patients that sensitive information about them had been available to a woman charged with identity theft in an unrelated case.

Officials sent out the letters this week after MedAssets, which the medical branch hired to assist with billing from third-party payers, warned of a security breach by one of its employees.

On Dec. 15, law enforcement officials notified MedAssets that a former employee had been arrested and charged with identity theft. The person also was alleged to have used a stolen identity to misrepresent herself and gain employment at Georgia-based MedAssets and had been involved in other instances of identity theft. None of the charges, however, are related to information she obtained during her employment with MedAssets, medical branch officials say.

Read entire article…

http://www.galvnews.com/story.lasso?ewcd=710b7dd80a0d2263

West Virginia Student’s info leaked through routine update

Joshua Scott — Wed, 03 Feb 2010 16:57:54 +0000

Around 53 West Virginia University students’ personal information was available to others following an "operational error" during a routine update of tax information Jan. 15.

The students’ 1098-T forms, which include their Social Security number and tax identification numbers, among others, were uploaded to the University’s 1098-T Web site. The forms are distributed to WVU students who are U.S. citizens who paid tuition during the 2009 calendar year. They can be used to claim federal tax credit.

Students can typically access their forms on the site for tax purposes, but the error made the information viewable to any WVU student on the site.

University Spokesman John Bolt said the information was visible for less than 90 minutes.

Read entire article…

http://www.thedaonline.com/news/student-info-leaked-through-routine-update-1.1108709

HSU employee info possibly compromised after computer virus

Joshua Scott — Sat, 30 Jan 2010 20:16:29 +0000

A Humboldt State University computer infected with a virus may have exposed the personal information of 3,500 people employed by the school between 2002 and 2006.

HSU spokesman Paul Mann said no employees or former employees have yet reported having their information — like Social Security numbers — being used or stolen. Notifications are being sent out to current and former employees.

"We’re erring on the side of conservatism," Mann said.

Read entire article…

http://www.times-standard.com/localnews/ci_14300813

Records With Personal Data Found Blowing in the Wind in Illinois

Joshua Scott — Sat, 30 Jan 2010 03:49:41 +0000

Having worked in the banking industry for years, Elida Cruz routinely assured her clients that their personal information would remain confidential.

So she was understandably horrified Thursday to learn that paperwork carrying her own Social Security number, birth date, phone number and job history was found literally floating down Touhy Avenue in Des Plaines.

Hundreds of documents, including 2009 W-2 forms, investment account balances and job applications — many with Social Security numbers — were found blowing in the wind around Touhy and Eastview Drive.

[..]

"I am pretty much disgusted with this," said Cruz, 47, of Chicago, who was notified by the Tribune that at least 17 documents with her Social Security number had been retrieved. She identified the paperwork as part of a job application with Rabjohns Financial Group/New England Financial in Chicago, which included a completed U4 form required in the industry.

Cruz, a former bank officer who is currently unemployed, said [...]

Personal details of millions of Ladbrokes gamblers for sale

Joshua Scott — Fri, 29 Jan 2010 19:25:47 +0000

The confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes have been offered for sale to The Mail on Sunday.

The huge data theft is now at the centre of a criminal investigation after this newspaper was given the personal information of 10,000 Ladbrokes customers and offered access to its database of 4.5 million people in the UK and abroad.

Last night we alerted Ladbrokes to the damaging security breach and handed the customer files to the Information Commissioner’s Office (ICO), Britain’s data watchdog, which immediately began to investigate.

The records include customers’ home addresses, details of their gambling history, customer account numbers, dates of birth, phone numbers and email addresses.

Ladbrokes last night also called in the police and began contacting customers to reassure them that their credit card details, passwords and other financial information were safe.

The database was offered for sale by a mysterious Australian. He claimed to [...]

Private Data of 8,600 Canadian Teachers Compromised

Joshua Scott — Fri, 29 Jan 2010 04:42:15 +0000

Laptops containing sensitive records belonging to thousands of Ontario teachers have been stolen, CBC News has learned.

The three laptops contained names, addresses, birth dates and social insurance numbers of some 8,600 teachers, most of whom work at elementary schools for the Toronto District School Board.

The computers were stolen from the Waterloo, Ontario, offices of the Ontario Teachers Insurance Plan on Dec. 3.

Read entire article…

http://www.cbc.ca/canada/windsor/story/2010/01/27/teachers-laptop-data494.html#ixzz0dr8O0LeP

Texas Hospital Laptop Stolen. Puts Patient Data At Risk

Joshua Scott — Fri, 29 Jan 2010 04:40:31 +0000

The theft of a laptop computer from a medical office has put hundreds of people at a greater risk of identity theft.

On Friday, the Methodist Hospital notified 689 people that someone stole a laptop from an office at the Smith Tower in the Texas Medical Center. Hospital spokeswoman Stephanie Acin told Eyewitness News a thief took the laptop on January 18. The computer was attached to a medical device that tests pulmonary function and contained private health information and Social Security numbers.

Read entire article…

http://abclocal.go.com/ktrk/story?section=news/local&id=7240553

Commerce Dept. slow to notify employees of security breach

Joshua Scott — Fri, 29 Jan 2010 04:38:38 +0000

Why did it take the Commerce Department so long to notify employees that their personal information, including Social Security numbers, had been let loose on the Internet?

On Monday, employees were informed by letters mailed to their homes about "a breach of protocol involving your Personally Identifiable Information (PII), including your Social Security number (SSN) and name."

The breach occurred on Dec. 4 — more than seven weeks before workers were told. It took Commerce nearly four weeks to prepare the letter, which was dated Dec. 31.

According to the letter, "a Department of Commerce employee inadvertently transmitted over the Internet a file containing the PII of Commerce employees to other Department employees. Although the Department employees were authorized to send and receive the PII, the transmission of the PII over the Internet in unencrypted form may have compromised your name and SSN."

Read entire article…

http://www.washingtonpost.com/wp-dyn/content/article/2010/01/26/AR2010012603509.html?hpid=news-col-blog

UCSF says laptop with 4,400 patient records stolen, then recovered

Joshua Scott — Fri, 29 Jan 2010 04:36:59 +0000

UC San Francisco said Wednesday that a laptop containing files with information on 4,400 patients was stolen from a UCSF School of Medicine employee on or about November 30.

The university said Jan. 27 that it is in the process of alerting affected patients that their health information “is vulnerable to access as a result of the incident.”

Information “potentially exposed” included name, medical record number, age and clinical information, but the stolen laptop did not contain any Social Security numbers or other financial data, officials said.

“Although there is no indication that unauthorized access to the files or the laptop actually took place,” UCSF said, both UCSF and another affected medical center began sending out notifications to patients this month.

Read entire article…

http://sanfrancisco.bizjournals.com/sanfrancisco/stories/2010/01/25/daily54.html

Alaska Breach May Affect 77 Thousand Public Employees

Joshua Scott — Fri, 29 Jan 2010 04:35:42 +0000

One of the immediate questions about the security leak the state announced today is why did the accounting firm learn about it in early December and reveal it to the state last week?

PricewaterhouseCoopers should have acted sooner when it learned that the names, birth dates and Social Security numbers of 77,000 people were lost in its Chicago office and the information could have fallen into the wrong hands.

The people at risk for identify theft are those who were in the PERS and TRS system in 2003-04 as active or inactive employees or retirees.

A reader notes the irony about the state announcement, which occurred on “Data Privacy Day,” an international observance about the need to safeguard private information.

The attorney general said the state was first informed last week it had a “problem,” but it took a few days to determine the potential extent of the problem. Attorney General Dan Sullivan said [...]

National Archives Warns Former Clinton Staff of Major Data Breach

Joshua Scott — Wed, 27 Jan 2010 18:37:17 +0000

Personal information for 250,000 Clinton administration staff and White House visitors sent to the National Archives was compromised after a computer hard drive containing confidential material disappeared nearly a year ago, RollCall.com reported Wednesday.

The National Archives and Record Administration sent letters to former White House staff members and visitors during the Clinton era, informing them of the data breach and warning that highly sensitive information, like Social Security numbers, has been put in jeopardy, according to the newspaper.

Read the entire article…

http://www.foxnews.com/politics/2010/01/27/national-archives-warns-clinton-staff-visitors-major-data-breach/?test=latestnews

Data Breaches Get Costlier

Joshua Scott — Mon, 25 Jan 2010 18:21:19 +0000

The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute’s annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009.

Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it.

Breach costs increased just $2 per compromised customer record, as compared to 2008 costs. However in the five years that Ponemon Institute has conducted its study, costs have increased from $138 per compromised customer record.

Read the entire story…

http://www.pcworld.com/businesscenter/article/187611/data_breaches_get_costlier.html

ID Thief Tries to Get Witnesses Whacked

Larry Seltzer — Sat, 12 Dec 2009 20:37:26 +0000

From transferring funds from bank accounts to PayPal, to paying to get heads cut off, it's a slippery slope.

Oregon State Mistake Puts Personal Data at Risk

Joshua Scott — Sun, 29 Nov 2009 19:30:27 +0000

Sloppy handling of confidential records by a state agency in Salem, Oregon left people’s names, Social Security numbers, ages and addresses exposed in an open recycling bin outdoors.

The blunder by the Housing and Community Services agency put low-income, elderly and disabled residents at risk of becoming targets of identity theft or other abuses.

In a separate security lapse by another state agency, confidential records with the names and Social Security numbers of former state parks and recreation employees landed in the same recycling bin.

Acting on information provided to the newspaper by a concerned citizen, the Statesman Journal reported the security breaches to state officials at the two agencies last week.

In response, agency leaders launched internal reviews to determine how the records were mishandled and took steps to notify people whose personal information was left unprotected

Laptop With Personal Information Stolen From Aurora St. Luke’s

Joshua Scott — Sat, 28 Nov 2009 21:45:58 +0000

A Milwaukee hospital is warning thousands of its patients that personal information about them may have been stolen.

The theft happened last month at Aurora St. Luke’s Medical Center on Milwaukee’s south side.

More than 6,000 people who were in-patients at St. Luke’s will be getting a letter in the mail. It warns them that their name, Social Security number and other information may have landed in the hands of thieves.

Stolen laptop contained data on 110,000 people

Joshua Scott — Sat, 28 Nov 2009 21:26:32 +0000

Verity Trustees has had its wrist slapped by the Information Commissioner’s Office (ICO) after a laptop was stolen containing data on 110,000 people.

The laptop was taken from the locked server room of Northgate Arinso, which supplies pension management software to Verity.

The laptop held names, addresses, salaries, national insurance numbers and dates of birth of 110,000 people, as well as 18,000 banking details.

The data wasn’t supposed to be on the laptop, but had been downloaded for training – contrary to Northgate Arinso’s normal policy of using anonymized data of 50 to 100 people.

Mick Gorrill, Assistant Information Commissioner at the ICO, said: “This is a stark reminder of how easy it can be to put so many people’s details at risk. Failure to follow security policies and downloading such a vast amount of information has resulted in thousands of individuals’ personal details being compromised.”

The ICO has made [...]

Penn State Students Social Security Numbers Compromised

Joshua Scott — Sat, 28 Nov 2009 20:21:44 +0000

A Penn State professor’s grade book from 2001 to 2004 that contained 303 students’ social security numbers, among other personal information, was found to be compromised by a computer virus in the last couple of months.

Penn State Security Operations and Services (SOS) discovered the incident and immediately took the personal information offline, Penn State spokeswoman Annemarie Mountz said.

“We have no reason to believe that this information was accessed by anyone,” Mountz said.

But as a precaution, the 303 individuals were notified via e-mail, Mountz said.

http://www.collegian.psu.edu/archive/2009/11/26/students_social_security_numbe.aspx

Secret Service Investigation & Class Action Lawsuit, Cast Shadow Over Radiant Systems and Distributor

Joshua Scott — Wed, 25 Nov 2009 14:10:36 +0000

FOR IMMEDIATE RELEASE

PR Log (Press Release) Nov 23, 2009 Secret Service Investigation and Class Action Lawsuit Cast Shadow Over Radiant Systems and Louisiana Distributor

Atlanta Company and Distributor Accused of Negligence in Widespread Identity Theft at Restaurants

ATLANTA, November 23, 2009 Forensic audit investigations conducted by credit company-approved experts concluded that the Louisiana-based distributor for Radiant Systems, Inc. (http://www.radiantsystems.com/) products violated data protocols that directly contributed to security breaches at restaurants in Louisiana and Mississippi. This finding of alleged negligence is at the heart of a collective action lawsuit filed by seven restaurants claiming that hundreds of customers had their identities stolen as a result of poor business practices and faulty software from Radiant and Computer World (the distributor).

The restaurants are seeking millions of dollars in damages from Radiant and Computer World.

Our clients are restaurants. They are food experts, not technologists. When major players in the hospitality industry such as Radiant [...]