Wednesday, June 07, 2006
Hacker Said to Resell Internet Phone Service
June 7, 2006
By KEN BELSON and TOM ZELLER Jr.
Federal authorities arrested one man in Miami and another in Spokane, Wash., today in connection with what they said was a hacking scheme involving the resale of Internet telephone service.
The suspects were said to have illegally tapped into the lines of legitimate Internet phone companies, saddling them with the expense of extra traffic, while collecting more than $1 million in connection fees.
The case, one of the first involving this kind of elaborate Internet phone hacking, illustrated how Internet-based communications may be criminally exploited, and raised fresh questions about the security of phone traffic over largely unregulated networks.
Prosecutors say that starting in November 2004, the man arrested in Miami — Edwin Andres Pena, 23, a Venezuelan who has permanent residency in the United States — used two companies he created to offer wholesale phone connections at discounted rates to small Internet phone companies.
Instead of buying access to other networks to connect his clients' calls, Mr. Pena paid about $20,000 to Robert Moore, the man arrested in Spokane, to create "what amounted to 'free' routes by surreptitiously hacking into the computer networks" of unwitting Internet phone providers, and then routing his customers' calls over those providers' systems, according to the federal complaint.
To evade detection, Mr. Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeering its unprotected servers to re-route phone traffic through them. These steps made it appear as if this company was sending calls to more than 15 Internet phone companies.
In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook.
In all, more than 15 Internet phone companies, including the one in Newark, were left having to pay as much as $300,000 each in connection fees for routing the phone traffic to other carriers, without receiving any revenue for the calls, prosecutors said.
"Emerging technologies and the Internet represent a sea of opportunity for business, but also for sophisticated criminals," Christopher J. Christie, the United States Attorney for New Jersey, said in a statement. "The challenge, which we and the F.B.I. continue to meet with investigations and prosecutions like this one, is to stay ahead of the cyber-criminal and protect legitimate commerce."
The companies in Newark and Rye Brook, and others said to have been victimized, were not identified by name in the complaint, which was filed with the United States District Court in Newark.
Mr. Pena, however, appears to have used the money he received from his customers to go on a spending spree, buying real estate in south Florida, a 40-foot Sea Ray Mercruiser motor boat, and luxury cars including a BMW and a Cadillac Escalade.
Mr. Pena appeared to be smitten with his possessions, frequently posting pictures of his cars on Web sites devoted to car enthusiasts.
So far, most of the concern about the safety of Internet-based communications has focused on the ability of criminals to eavesdrop on calls, to fake caller ID's and to steal long-distance phone service.
In this case, Mr. Pena is said to have mimicked legitimate telecommunications brokers, who typically help connect long distance calls by buying minutes from large carriers and reselling them for a profit to smaller phone companies.
Friday, June 02, 2006
Ohio sends 7.7 million Social Security numbers to campaign offices
April 28, 2006 (Computerworld) -- The Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to some 20 political campaign operations in recent months as campaigns geared up for spring primary election races.
The problem was discovered Tuesday when one of the political campaigns contacted the Ohio secretary of state’s office to say that the personal data was on the discs, even though it wasn’t requested, said James Lee, a spokesman for Secretary of State J. Kenneth Blackwell.
All of the political organizations that received the CDs were immediately contacted and have agreed to return the discs for replacements that won’t include the Social Security numbers, Lee said. The records of about 7.7 million registered voters in Ohio are listed on the CDs, but Lee said he didn't know how many voter records included Social Security numbers. The records show which elections a voter participated in since 2002, along with their names and addresses.
For many years, Ohio voter registration forms included a space where the voter could choose to include a Social Security number, but it was optional, he said. Earlier this year, the forms were changed to include only the last four digits of the number to better protect a voter’s private information.
The Social Security numbers were included when the CDs were created, Lee said. “When we did one of our data merges, some data included some Social Security numbers” accidentally, he said. “It’s just a data issue that can be fixed now by leaving out that column.”
Once the affected CDs are returned sometime in the next two weeks, updated discs will be issued. Asked if any printouts from the CDs will also be returned or destroyed, Lee said he doesn’t believe any printouts were made. “We consider the issue resolved,” he said.
Political campaigns use the voter registration lists to conduct phone canvassing, create mailing lists for brochures about candidates and to put together door-to-door efforts.
This is the second time since March that the issue of privacy has arisen in Ohio government agencies. Last month, an Ohio man sued the state for posting his and other residents’ Social Security numbers for years on state Web sites where publicly searchable records are stored, showing retail purchases made using credit cards or bank loans (see “Ohio secretary of state sued over ID info posted online”).
Lee Tien, a senior staff attorney for the Electronic Frontier Foundation, a San Francisco-based, nonprofit digital rights and privacy group, said the Ohio incident is particularly egregious because there has been no public notification of the data disclosure by state officials.
"There was a foul-up by the state in sending the data out," Tien said. "They've got to make sure it never happens again."
Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, a Washington-based privacy group, said the incident underscores the importance of laws that would allow people to "freeze" their credit to prevent unauthorized persons from gaining their personal information and opening credit accounts in their names. Ohio does not have such laws, he said.
The state, however, does have a security breach notification law, Hoofnagle said, but it is unclear how it would apply in this case. The law, which went into effect Feb. 17, requires a state agency, person or business entity to contact residents "if unencrypted or unredacted personal information about those individuals ... [that is] included in computerized data owned or licensed by the agency, person, or business entity is accessed and acquired by unauthorized persons." The law states that such notification must be given if such release "causes or reasonably is believed will create a material risk of the commission of the offense of identity fraud or other fraud to the individual."
"The bill may apply," Hoofnagle said. "It seems like something should happen."
According to Ohio officials, Social Security numbers have been used for years to help state elections officials confirm voter identities by cross-referencing the information with data from the state’s Bureau of Motor Vehicles, according to BMV spokesman Fred Stratmann. The secretary of state’s office would send the voter registration databases to the BMV, which then compared it with another registration database maintained by the American Association of Motor Vehicle Administrators (AAMVA) in Arlington, Va., Stratmann said. By cross-referencing the data, election officials confirmed the identities of voters, he said.
AAMVA is a tax-exempt, nonprofit organization that assists U.S. and Canadian governments with motor vehicle administration, police traffic services and highway safety.
Under the Help America Vote Act of 2002, voters must include only the last four digits of their Social Security numbers as part of their registrations to help confirm their identities, Stratmann said. That information is then cross-referenced against the AAMVA database, he said.
That procedure has at least one Ohio resident very angry. Rosanna Miller, a 55-year-old musician and music teacher in Amanda, Ohio, said the use of Social Security numbers for identification purposes by government agencies is wrong. She said that information is supposed to be kept private, according to the Social Security Administration.
“Every time you turn around, the government’s telling you something that’s not the truth,” Miller said.
Last year, Miller said she was turned down for assistance from a state program to help pay her home heating bills because she refused to put her Social Security number on the form.
When Miller telephoned the state secretary of state’s office earlier this week to check to see if her Social Security number was listed in her voting registration records, she was told that the number was not on her records. “Now, do I believe that?” she said.
The problem is that many different government agencies have been using the information, including the secretary of state’s office, she said. “Now [the BMV] is passing it out. This just gets deeper and deeper and deeper.”
Hacker accesses 135,000 records at Sacred Heart University
Rootkit detected at Sacred Heart University
On May 24, Sacred Heart University in Fairfield, Conn., announced that one of its computers had been hacked, resulting in the potential compromise of personal data belonging to 135,000 alumni and prospective students.
The breach was discovered May 8 when the university’s IT staff noticed "an anomaly during routine daily maintenance of our computer system," said Funda Alp, a university spokeswoman. A rootkit installed on the system, apparently by an outside attacker, caused it to crash one of the services running on a server containing the information, Alp said.
"When the breach was discovered, [the server] was taken off-line immediately," Alp said. She added that preliminary investigations appear to show that the hacker had the expertise to access the information stored on the server although it is not clear if that happened. Apart from the names, addresses and Social Security numbers of 135,000 people, the compromised server also contained credit-card information on 103 individuals, she said.
There is no indication that the information has been misused, Alp said, adding that the university began notifying affected individuals soon after the breach was discovered.
Labels: Sacred Heart Univ.
Hummingbird Ltd. loses 1.3 million records of Texas Guaranteed Student Loan borrowers
June 01, 2006 (Computerworld) -- Advocates for strong data privacy laws are getting plenty of ammunition to support their cause these days.
In yet another large data breach, Texas Guaranteed (TG), a Round Rock, Texas-based nonprofit organization that administers student loans, today announced that an outside contractor had lost an unspecified piece of equipment containing the names and Social Security numbers of approximately 1.3 million borrowers.
The loss was reported to the company on Friday by Hummingbird Ltd., a Toronto-based company that had been hired by TG to develop a document management system for TG. Kristin Boyer, a spokeswoman for TG, said borrower files had been provided to Hummingbird as part of the contract.
According to Boyer, TG followed recommended security practices and encrypted all the information prior to transmitting it to Hummingbird. The data was then unencrypted by a Hummingbird employee and stored on equipment that later appears to have been lost, Boyer said.
"We don’t have any indications at this point if there was malicious intent," behind the disappearance of the data, she said.
In a statement, Hummingbird said there was no reason to believe that the piece of equipment had been stolen to gain access to confidential data. The statement also said that the data had been protected through unspecified "security measures," which would make it difficult for unauthorized people to access the data.
"Given the technology that would be required to retrieve the data, Hummingbird believes that any misuse of the data is extremely unlikely," the company said. The statement added that the company filed a lost property report with the police after having "exhausted every possibility to recover the stolen equipment."
TG has set up a call center at (800) 530-0626 to provide information to affected customers. The company also plans to start sending letters to all of the affected individuals in the next few weeks, Boyer said.
The TG incident is the second one involving large amounts of personal data since the disaster at the Department of Veterans Affairs last week.
Labels: Hummingbird Ltd.
Hackers access personal data at Ohio University over a period of 13 months
May 03, 2006 (Computerworld) -- Ohio University this week disclosed two separate but apparently unrelated incidents of data theft involving its computers.
On April 24, IT officials at the university noticed that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations, said Bill Sams, the Athens-based university’s CIO. Faculty and staff members hired by the school before January 2004 were also affected.
The compromised files did not include credit card or bank information, but they did include Social Security numbers for 137,800 individuals, Sams said.
The breach was discovered after IT officials noticed the affected server was being used to launch a denial-of-service attack against an external target, Sams said.
“We immediately took it off-line and got into the logs. We discovered that it had been compromised as far back as 2005,” he said. In the 13 months since the server was breached, “we have found that people have accessed it from both domestic and international IP addresses,” he said.
The compromised server was supposed to have been decommissioned more than a year ago, and IT officials assumed the system had been taken off-line, Sams said. As a result, it had not received any security updates and patches for more than a year. He did not disclose how the server was breached or what operating system was running on it.
The second data compromise involved a server at the Technology Transfer Department, which is part of the University’s Innovation Center. FBI officials told the university about that breach on April 21. The server, which contained patent data and intellectual property files, was apparently involved in another incident that the FBI was investigating, Sams said, without providing further details. The university had no idea that the server had been broken into until the FBI pointed it out, he said.
The FBI is currently investigating both incidents, he said.
Ohio University today started sending out e-mails to those affected by the hack of the alumni database server. “We are sending them at the rate of 10,000 an hour,” Sams said. He added that the University has also set up a Web site providing details about the incident and instructing affected individuals on the steps they can take to mitigate the risk of ID theft.
Labels: Ohio Univ.
Repeated incidents at Ohio University
May 12, 2006 (Computerworld) -- University IT environments have gained considerable notoriety over the years for their relative lack of security. Recent incidents at Ohio University in Athens show just why.
Barely 10 days after disclosing two separate security breaches involving its computers, the university announced yet another incident in which sensitive data on one of its systems was illegally accessed by an unknown hacker. And there may be even more such disclosures to come as the university's IT department continues a sweeping security review of its networks and systems, warned CIO Bill Sams.
The latest incident involved a server supporting the university's Hudson Health Center. On May 4, the school's IT staff discovered that the system, which holds records of about 60,000 current and former students as well as some faculty and staff, had been infected with a virus.
Further investigation of the server showed that someone had hacked into the system and potentially accessed the data, Sams said. The compromised system contained data from the student health service, including information such as birth dates, Social Security numbers and clinical information. The system also contained data on individuals receiving counseling and psychological services, but in this case the data was restricted to Social Security numbers, dates of birth and dates of service.
Sams did not elaborate on how the hack occurred or whether it was perpetrated by an insider or an external attacker.
"The software vendor we are using felt the files were well protected" and didn't need any encryption, Sams said. The university's own IT staff had felt there was a "theoretical possibility" that unencrypted information on the system could be illegally accessed but decided to go with the vendor's recommendation and did not encrypt the data, he said.
Following the discovery of the breach, the server was taken off-line and will not be restored to service until all sensitive data on it is encrypted, he said. For the moment, the health center has reverted to a paper system, he added.
The discovery of the latest compromise follows two others over the past few weeks. On April 21, a server containing patent data and intellectual property files belonging to the university's Technology Transfer Department was compromised. The university learned of the breach only after the FBI informed it that the system was tied to another case that the agency was investigating.
Three days later, university IT officials discovered that someone had hacked into an alumni database server containing personal and biographical information for more than 300,000 individuals and organizations. That incident resulted in the university's sending out fraud alert letters to 137,800 people whose Social Security numbers were stored on the system. Both incidents were publicly disclosed the week of May 1 (see "Ohio University reports two separate security breaches").
The incidents have prompted a sweeping audit of the university's security posture and will likely result in more breaches being found, Sams said.
"We have a 20-person team working on this seven days a week," Sams said. The university has signed on Atlanta-based Internet Security Systems to assist with the review, he said.
"We are going to be reviewing all of the issues and developing some corrective action plans," he said. "There will be substantial, significant and ongoing" changes to better secure its networks and systems, he said.
Labels: Ohio Univ.
Former employee steals data from Red Cross
May 24, 2006 (Computerworld) -- About 1 million blood donors in the Missouri-Illinois Blood Services Region of the American Red Cross were warned last week that personal information about them could have been stolen earlier this year by a former employee and might have been used in identity thefts.
The former worker had access to 8,000 blood donors in a database she used in her job, all of whom were notified by mail of possible identity theft problems on March 17, according to the agency. But after the original warning letters went out, the Red Cross decided to expand the identity theft warnings to all 1 million donors in the Missouri-Illinois region because of concerns that she may have accidentally accessed other records in the larger group.
The warnings to the 1 million donors are being made through the media and the agency's Web site, not through individual letters.
At least four of the donors among the original 8,000 in the donor database were victims of the data-theft scheme, said Jim Williams, a spokesman for the regional agency. An investigation is continuing to determine if any other donors have been affected.
The thefts occurred when the former employee, a telephone blood-drive recruiter, entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims. The database uses unique donor numbers to store records for each person, and by entering random numbers, the recruiter was able to access the records of the four victims.
The former employee, 20-year-old Lonnetta Shanell Medcalf of St. Louis, then allegedly opened credit card accounts at several stores using the stolen information and made purchases valued at more than $1,000, according to a statement by the U.S. attorney's office in the eastern district of Missouri.
Medcalf began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered, Williams said. Medcalf had 8,000 donor contacts in her database out of more than 1 million donors in the region who were not affected by the data thefts. Her case is scheduled for trial on June 19.
The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters.
Medcalf has been indicted on three felony counts of aggravated identity theft and one count of credit card fraud in connection with the incidents, according to the U.S. attorney's office.
The Red Cross sent written notifications of the data breach to all 8,000 potential victims on March 17, advising them to contact credit bureaus to check their credit reports for any irregular purchases or activities. The agency is reimbursing any of the affected 8,000 donors if the credit reports can't be obtained for free. The agency also set up a toll-free hot line to aid any identity-theft victims of the incident and said it's taking additional security steps to ensure that such an incident doesn't happen again. All staff members are being reminded, for instance, that donors don't have to put their Social Security numbers into their Red Cross donor records.
The Red Cross also apologized for the incident and said it is working to improve security for such information.
If convicted, Medcalf faces a maximum penalty of 10 years in prison and/or a fine of $250,000 for the charge of credit card fraud. Each count of aggravated identity theft also carries a mandatory two years in prison consecutive to the credit card fraud sentence.
"We feel like victims here as well, but the ultimate victims are our donors," said Williams.
Labels: American Red Cross
7th computer in 30 months goes missing for Wells Fargo
May 08, 2006 (Computerworld) -- For the fourth time in the past 30 months, Wells Fargo & Co. has begun notifying customers about the potential compromise of confidential information following the theft of a company computer containing data on mortgage customers and prospective clients.
The San Francisco-based bank on Friday posted a statement on its Web site saying that a computer belonging to its mortgage group had been reported as missing while being transported between Wells Fargo facilities by a global express shipping company.
The stolen system contained information such as names, addresses, Social Security numbers and mortgage loan account numbers of Wells Fargo customers. "The computer has two layers of security, making it difficult to access the information," the bank said.
So far, at least, there is no indication that the information kept on the computer has been misused in any way, said Alejandro Hernandez, a company spokesman.
Wells Fargo has begun sending letters to affected individuals informing them of the incident and advising them what they can do to mitigate any exposure to identity theft. The company will also pay for a one-year subscription to a credit monitoring service for affected individuals.
Hernandez did not disclose how many customers were affected by the breach. Nor did he say when the theft might have occurred, citing an ongoing criminal investigation by law enforcement authorities.
According to the online statement from the bank, law enforcement authorities directed Wells Fargo to delay notifying affected customers because they were concerned that doing so would jeopardize the investigation. "At this point, law enforcement believes the equipment was stolen for the hardware," not for the data it contained, Hernandez said.
For Wells Fargo, the incident is only the latest in a series of embarrassing and nearly identical data breaches that have taken place over the past two and a half years.
In November 2003, the names, addresses and Social Security numbers of thousands of Wells Fargo customers were compromised when a burglar broke into the office of a consultant working for the bank and stole a computer containing the data.
A year later, in November 2004, the company announced that three laptops and one desktop computer containing personal data on thousands of the bank’s borrowers were stolen from an Atlanta-based subcontractor that printed monthly statements for Wells Fargo. That incident prompted two of the affected individuals to sue the bank for negligence and breach of contract. The case was decided in the bank’s favor in March.
And in February 2004, a laptop containing confidential information on more than 35,000 Wells Fargo customers was lost by a company employee when it was left in a car that was stolen from a gas station.
Labels: Wells Fargo
Data on 26.5 million veterans goes missing
May 22, 2006 (Reuters) -- Personal data on 26.5 million U.S. veterans was stolen from the residence of a U.S. Department of Veterans Affairs (VA) employee who was not authorized to take the material home, exposing them to possible identity theft, the department announced today.
The data included names, Social Security numbers and dates of birth for the military veterans and some spouses, the department said. There has been no indication that the data -- which is related to everyone discharged from the military since 1975 -- has been used for identity theft.
"We are going to send out an individual notification letter to every veteran to the extent possible" warning them of the risk of identity theft, said Veterans Affairs Secretary Jim Nicholson.
Nicholson said the theft of the data from the employee's home took place this month, but declined to identify the worker involved, the location of the burglary or how long the employee had the data at his home. The FBI said the theft occurred in the Maryland area and is being looked at by the FBI's Baltimore field office.
Officials said equipment containing the data was stolen, but Nicholson would not say whether a government laptop computer was involved.
"The employee has been placed on administrative leave pending the outcome of the investigation. We have a full-scale investigation going on in this," Nicholson told reporters by telephone. "We have a system of policies and controls that are in place and operating, and this person violated those."
He said the FBI, local law enforcement authorities and the VA's inspector general's office were investigating.
"They believe that this was a random burglary and not targeted at this data," Nicholson added, saying there had been a series of burglaries in the community where the employee lived. "It's highly probable that they do not know what they have."
Nicholson advised all military veterans to monitor their credit card and banking transactions and be alert for anything that might indicate identity theft.
The government is setting up a toll-free number, 1-800-333-4636, for veterans to call if they notice anything suspicious, as well as putting information on a government Web site, www.firstgov.gov.
Nicholson identified the employee as a male career department worker, not a political appointee or senior official, who had legitimate access to the data at work as part of a project.
Nicholson said the employee "took home a considerable amount of electronic data from the VA, which he was not authorized to do. It was in violation of our rules and regulations and policies."
An FBI spokesman said that the matter was referred to the agency last week and it is investigating. The FBI was asked to get involved because it related to the theft of U.S. government property.
Nicholson said there is no indication that the employee intended to do anything wrong with the data beyond improperly taking it home.
The theft is another example of the continuing failure by government agencies to set the bar around cybersecurity, said Alan Paller, director of research at the SANS Institute in Bethesda, Md.
"The federal government should lead by example and they haven't been [doing that] in cybersecurity," Paller said. "They should have made it so easy and inexpensive for employees to encrypt data on their PC and have had such a high penalty for not doing it that everyone would have [complied]," he said.
The government also needs to use its enormous buying power to ensure that vendors build inexpensive and easy-to-use encryption capabilities into all PCs and client devices, he said. "The government buys $65 billion of IT every year," Paller said.
The government should use that spending leverage to push vendors to make changes that bolster security for all, he said.
According to Nicholson, it is possible that some people whose data was stolen are dead and that data on some veterans discharged before 1975 was included. No medical records and no financial information was compromised, Nicholson said.
But Nicholson said the data included information on some veterans' physical disabilities.
Identity theft, or obtaining the personal or financial information of another person in order to assume that person's name to make transactions, has mushroomed in recent years with the growth of the Internet and electronic business.
Computerworld's Jaikumar Vijayan and Reuters' Deborah Charles contributed to this report.
Labels: US Dept. of Veterans Affairs
University of KY posts employee data online
LEXINGTON, Ky. - The University of Kentucky inadvertently posted about 1,300 employee Social Security numbers on a Web site that was accessible to the public for several weeks last month.
"This is a regrettable incident, and the University considers any breach of privacy and confidentiality a serious matter," the school's general counsel wrote in a memo sent Wednesday to current and former employees who were affected.
The school learned late last week that a spreadsheet containing the personal data was available online. It immediately was removed from the school's server, the memo said.
University of Kentucky spokesman Jay Blanton said on Thursday that the site where the numbers were posted had received 41 hits while the information was available online.
"We don't know that the information of anyone has been compromised," Blanton said.
Labels: Univ. of Kentucky