Tuesday, September 05, 2006

Flurry of data breaches exposes personal data on thousands
Jaikumar Vijayan

August 29, 2006 (Computerworld) Personal data belonging to thousands of people has been exposed in several separate security breaches over the past few days.

Sovereign Bank laptops stolen
Reading, Pa.-based Sovereign Bank today confirmed that it has sent letters to thousands of its customers warning them that their personal information may have been compromised in two separate incidents in which a total of three laptops were stolen in early August.

Carl Brown, a bank spokesman, refused to disclose the number of people who may have been affected by the thefts but said it involved roughly 1% of the bank's total customer base.

The thefts were reported in "early August," but the company didn't start sending letters to the affected customers until Aug. 21, after completing a "thorough investigation" of the incidents, Brown said. All three laptops were stolen from undisclosed locations within Massachusetts. Two of the laptops were stolen from one location, while the third was reported stolen in a separate incident from a different location, he said. The company has 800 community banks and does business primarily in the Northeast.

The stolen laptops, all three of which were company-issued, are believed to have contained personally identifiable information such as the names, dates of birth and Social Security numbers of the bank's account holders, Brown said. Though the systems were password-protected, the data was not encrypted, he said.

At this point, there is no evidence that the compromised data has been misused, although customers are being advised to be on the alert for fraud, Brown said.

Accidental e-mail attachment at Verizon
In a separate incident on Aug. 21, an employee at Verizon Wireless accidentally sent an e-mail with an attachment containing the names, mobile numbers, equipment type and e-mail addresses of nearly 5,000 customers to about 1,800 other Verizon Wireless subscribers. The intended e-mail attachment was supposed to have been an electronic order form.

In an e-mailed comment, a Verizon spokesman said the errant e-mail was "quickly recalled," but he added that some of the recipients had viewed the contents of the file before the recall notice was sent.

The company said it had contacted the 5,000 affected customers and informed them about the breach and advised them of additional "quality control procedures and process improvement" measures that have been implemented to prevent similar lapses in the future.

"We also advised them that the four items accidentally disclosed would not give unauthorized persons access to their Verizon Wireless account, and it is highly unlikely that this information could be used to compromise any other account," the statement said.

U.S. DOT laptop stolen in Baltimore
Meanwhile, a government-issued laptop computer belonging to the Federal Motor Carrier Safety Administration (FMCSA) of the U.S. Department of Transportation was stolen from a vehicle in the Baltimore area on Aug. 22.

The laptop is believed to have contained personal information, including the names, dates of birth and Social Security numbers, of about 193 individuals who hold commercial driver's licenses across 14 states.

Ian Grossman, an FMCSA spokesman, said that the agency is not 100% sure whether the stolen laptop contained that information and that it had only come to that assumption based on the system's last interactions with the FMCSA network.

However, the agency notified 40 motor-carrier companies where the individuals worked and informed them about the potential security breach, Grossman said. He added that the laptop had been password-protected but none of the data had been encrypted. So far, there is no sign that the compromised data has been misused, he said.

Database breach at University of South Carolina
Some news media outlets also reported a database breach at the University of South Carolina that may have resulted in the compromise of personal information belonging to more than 5,000 current and former students.

University officials could not be reached for comment at deadline. According to published reports, the database may have been breached in September 2005, but the incident remained undiscovered until a routine security audit of the university's networks this summer. The data that may have been exposed included the names and Social Security numbers of students.

IT execs on firing line over security breaches
Jaikumar Vijayan

August 25, 2006 (Computerworld) The cost of data breaches may be getting a lot higher for IT professionals who are deemed to be responsible for failing to properly secure corporate information.

For example, AOL LLC's chief technology officer abruptly resigned this week in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. AOL also fired two workers in its research division, which was responsible for the data release and had been overseen by now-former CTO Maureen Govern.

It was the second time this month that high-level technology managers lost their jobs because of data breaches. On Aug. 3, Ohio University announced that it had sacked two top IT managers for what it saw as their failure to prevent a series of breaches that were discovered at the Athens-based school during the spring.

In addition, university CIO William Sams announced in July that he would resign once someone is found to replace him, saying it had "become clear to me that a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential." Sams is still on the job, though, and he wrote the termination letters to the two fired managers.

IT managers should expect firings and other harsh disciplinary actions to become more common as organizations face increasing public pressure to address data breaches that they suffer, said Robert Scott, managing partner at Dallas-based law firm Scott & Scott LLP.

"In order for companies to have a credible position in the marketplace, they're going to have to explain in a public way what they have done to address the issue," Scott said. "The risks that companies face from a liability and a reputation perspective are such that when breaches occur, people will not only need to be held accountable, but heads will have to roll."

Such "forced accountability" is at least partly the result of the intense media scrutiny that data breaches now receive, said Bob Hartland, director of IT, servers and networking systems at Baylor University in Waco, Texas. The attention has heightened public concerns and "made a lot of people nervous," he said.

Tim O'Pry, CTO at The Henssler Financial Group in Kennesaw, Ga., said accountability is necessary, and it's reasonable to expect that people will lose their jobs where negligence has occurred.

The problem is that many times, the workers responsible for a security breach are only following what until then had been accepted practices within their companies, O'Pry said. And they may not have had the responsibility or authority to change the practices, he noted.

As companies face pressure to "do something," the fallout often means demotions, firings or other personnel actions, said O'Pry. That approach is part of a wider tendency by corporate officials to deal with data security issues on a reactive basis, he added.

"This knee-jerk, after-the-fact mentality is pervasive with many aspects of security," O'Pry said.

"Somebody has to take 'the chop' for [breaches]," said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry. "The real question, though, is whether it's the right guys' heads that are rolling."

Forging closer ties with IT audit teams is a key to survival in the new environment, Hession advised. "If you think you have an issue, go to audit and tell them about it," he said. If the audit group concurs that a security problem exists, it should be easier to get the resources needed to fix it, Hession added. And if the auditors agree that there's an issue "and nobody does anything about it, you probably don't need to be falling on your sword" if a data breach does occur, he said.

Companywide outreach and communication also are key, according to Scott. Managers who are responsible for IT security "need to do a better job of articulating a business case [that] suggests that ignoring data security and shuffling it to the bottom of the priority list is a recipe for disaster," he said.

In addition to the incidents at AOL and Ohio University, the massive security breach disclosed by the U.S. Department of Veterans Affairs in May resulted in a wide-ranging shake-up that included the resignation of the agency's chief information security officer. But the CISO's departure is thought to have been driven by his frustration over organizational issues within the VA, which traditionally has split most IT and security responsibilities among its three main operating divisions.

AT&T says hackers accessed customers' credit cards
Reuters

August 30, 2006 (Reuters) Malicious hackers broke into one of AT&T Inc.'s computer networks and stole credit card data and other personal information from several thousand customers who shopped at the telecommunications giant's online store.

AT&T said it was notifying "fewer than 19,000" customers whose data was accessed during the weekend break-in, which it said was detected within hours.

The company said it immediately shut down the online store, notified credit card companies and was working with law enforcement agencies to track down the hackers.

"We recognize that there is an active market for illegally obtained personal information," Priscilla Hill-Ardoin, AT&T's chief privacy officer, said in a statement. "We will work closely with law enforcement to bring these data thieves to account," Hill-Ardoin said.

AT&T said it would also pay for credit-monitoring services to assist in protecting the customers involved. The data theft involved people who had bought Digital Subscriber Line equipment for high-speed Internet access.

List of Data Breach Notices Lengthening
Jaikumar Vijayan

September 04, 2006 (Computerworld) The steady stream of data compromises continued unabated last week, with several more companies disclosing security breaches.

One of the biggest snafus involved AT&T Inc., which said that malicious hackers had made off with credit card information and other personal data belonging to about 19,000 customers of the company's online store for Digital Subscriber Line equipment.

In a statement, AT&T said "unauthorized persons" had illegally hacked into one of its computer systems and accessed the customer data. The intrusion, which took place on the weekend of Aug. 26 and 27, was discovered "within hours," and the online DSL store was immediately shut down, according to AT&T.

If there's a continuing lesson to be learned from such incidents, it's that companies need to pay more attention to data security, not just network security, said Ron Ben-Natan, chief technology officer at Guardium Inc., a security tools vendor in Waltham, Mass.

"The bottom line is that the data is leaking and is not being contained in the way it should be," he said. Companies must pay more attention to measures such as activity monitoring and auditing, encryption, data classification and policy enforcement, he added.

Corporate users also need to adopt more "systemic security management" approaches, said Doug Graham, a partner at BusinessEdge Solutions Inc., an IT consulting firm in East Brunswick, N.J. "People want things to be secure, but too often they tend to see security as a problem for the security guys," he said. Instead, the goal should be to make security an integral part of all business processes, Graham said.

Among the companies reporting breaches last week was Philadelphia-based Sovereign Bancorp Inc., which said that three laptop PCs containing confidential information about bank customers had been stolen in two separate incidents in early August. Sovereign spokesman Carl Brown declined to disclose how many people were affected by the thefts, saying only that the number amounts to about 1% of the bank's customer base.

None of the data on the stolen laptops was encrypted, although the systems were password-protected, Brown said. That met corporate security policies, he added.
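Three of the laptops in these reports (Sovereign's and the FMCSA's) were "password-protected but not encrypted," and in Sovereign's case that satisfied corporate policy. The caveat a practitioner would attach is that an operating-system login password protects nothing once the drive is pulled from the laptop or the machine is booted from other media; only encryption of the block device beneath the filesystem does. The following script is an added example, not code from the article or from any of the organizations named in it. It decides, from the JSON that util-linux `lsblk -J` emits on Linux (an assumption about the JSON layout; the sample below is constructed, not captured from any real system), whether each mounted filesystem sits on a dm-crypt mapping somewhere in its device stack, and lists the mounts whose contents would be readable in clear text.

```python
"""Report which mounted filesystems are NOT backed by an encrypted block device.

Added example for the laptop-theft reports above. Assumes Linux with util-linux
lsblk JSON output; the sample below is constructed for offline use.
"""
import json
import subprocess

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`.
# It models a laptop whose root filesystem lives on a LUKS/dm-crypt mapping
# ("crypt" type) while /boot and a second data disk are plain partitions.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/data"}
    ]}
  ]
}
"""


def _mountpoints(dev):
    """Mountpoints of one lsblk node. Tolerates both the single 'mountpoint'
    field of older util-linux and the 'mountpoints' list of newer releases."""
    mps = []
    if dev.get("mountpoint"):
        mps.append(dev["mountpoint"])
    mps.extend(mp for mp in dev.get("mountpoints") or [] if mp)
    return mps


def _walk(devices, chain=()):
    """Yield (mountpoint, types) for every mounted node, where `types` is the
    tuple of device types from the physical disk down to the mounted node."""
    for dev in devices:
        types = chain + (dev.get("type"),)
        for mp in _mountpoints(dev):
            yield mp, types
        yield from _walk(dev.get("children") or [], types)


def mount_encryption_status(lsblk_json):
    """Map each mountpoint to True if a dm-crypt ('crypt') device sits anywhere
    in its stack (directly or under LVM/RAID), else False."""
    devices = json.loads(lsblk_json)["blockdevices"]
    return {mp: "crypt" in types for mp, types in _walk(devices)}


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi", "[SWAP]")):
    """Mountpoints whose data is readable by simply removing the drive.
    /boot and swap are skipped by default because they are commonly left in
    clear text by design; pass ignore=() to see everything."""
    status = mount_encryption_status(lsblk_json)
    return sorted(mp for mp, enc in status.items() if not enc and mp not in ignore)


def main():
    # Live use on a Linux host: ask lsblk for the real device tree.
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    for mp, enc in sorted(mount_encryption_status(out).items()):
        print(f"{mp:20s} {'encrypted' if enc else 'CLEARTEXT'}")
    return unencrypted_mounts(out)


if __name__ == "__main__":
    main()
```

On the constructed sample, `/` is reported encrypted because the `cryptroot` mapping lies between `sda2` and the filesystem, while `/data` on `sdb1` is reported in clear text; `/boot` is clear text too but ignored by default. Checking the device stack rather than trusting an OS login prompt is the distinction the bank's policy missed: an unencrypted partition can be read from any other machine regardless of the password on the original one.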

Mobile network operator Verizon Wireless disclosed that on Aug. 21, an employee accidentally sent an e-mail with an attachment containing the names, cell phone numbers, e-mail addresses and phone models of nearly 5,000 customers to about 1,800 other subscribers. The attachment was supposed to have been an electronic order form.

In an e-mailed comment, a spokesman for Verizon Wireless said the affected customers were informed of the breach but also were advised that the compromised data was unlikely to be of much use to identity thieves.

On Aug. 22, a laptop belonging to the Federal Motor Carrier Safety Administration was stolen. The FMCSA, which is part of the U.S. Department of Transportation, said last week that the laptop is believed to have contained the names, dates of birth, Social Security numbers and other personal data of about 193 people who hold commercial driver's licenses across 14 states.

An FMCSA spokesman said the agency isn't 100% sure that the laptop contained the personal information and only made that assumption based on the system's last interactions with its network.
