Tuesday, March 06, 2007
Computer Taken from State Auditor's Home
(5 February 2007)
A laptop computer stolen from the Glens Falls home of a New York Department of Labor unemployment auditor holds personally identifiable information of more than 500 individuals employed by 13 businesses in and around the Albany area. The state Department of Labor has sent notification letters to people affected by the breach and is reviewing its policies regarding employees taking work home.
Labels: New York Dept. of Labor
Univ. of Nebraska-Lincoln Data Exposed
(7 February 2007)
The SSNs of 72 University of Nebraska-Lincoln (UNL) students, faculty and staff were inadvertently posted on the university's public web site; the information had been accessible for more than two years when the problem was discovered earlier this week. The university sent notification letters to those affected by the data security breach. A similar incident occurred at UNL less than a year ago. In March 2006, the university discovered that the SSNs, email addresses and GPAs of nearly 350 engineering students had been accidentally posted to the web.
The university periodically scans its web site for SSNs; the numbers exposed in the latest incident were not caught because they had been entered without the two dashes that normally separate the three groups of digits, so the scanner's pattern did not match them.
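The UNL miss above is a pattern-matching failure, not a policy one: a scanner keyed on the dashed form 123-45-6789 walks straight past 123456789. The following is an added example, not UNL's scanner or any code from the article, showing a scan that accepts dashed, spaced and bare nine-digit forms while rejecting structurally impossible numbers. The sample roster fragment is constructed here; the two numbers in it are widely published example SSNs, not real people's data.

```python
import re

# Accepts the three common layouts: 123-45-6789, 123 45 6789 and 123456789.
# The backreference forces both separators to be the same (both present or
# both absent), which keeps a ZIP+4 such as 12345-6789 from matching as an SSN.
# The look-arounds stop the pattern from matching inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([-\s]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA has never issued numbers under: area 000, 666
    or 900-999, group 00, serial 0000. Cuts false positives on other 9-digit ids."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN in text, normalised to the dashed form so that
    a number written without dashes is reported the same way as one with them."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


# Constructed sample page fragment (not UNL's data): one dashed SSN, one with
# the dashes stripped, plus a ZIP+4, a phone number and an invalid-area number.
SAMPLE_PAGE = """
<tr><td>Smith, A.</td><td>078-05-1120</td><td>Lincoln, NE 68588-0001</td></tr>
<tr><td>Jones, B.</td><td>219099999</td><td>phone 402-555-0100</td></tr>
<tr><td>Test row</td><td>666-12-3456</td><td>invalid area number</td></tr>
"""

if __name__ == "__main__":
    for ssn in find_ssns(SAMPLE_PAGE):
        print("exposed:", ssn)
```

The trade-off is deliberate: accepting bare nine-digit runs means any plausible nine-digit order or account number will also be flagged, so a scan of this kind produces a review queue rather than a verdict. That is the right direction to err in when the alternative is two years of exposure.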
Labels: Univ. of Nebraska
Missing Backup Tapes Hold Johns Hopkins Employee and Patient Data
(7 February 2007)
Nine computer backup tapes are missing from Johns Hopkins University and Johns Hopkins Hospital. The tapes were supposed to be returned by a contractor who performs data backups. The tapes hold payroll data, including Social Security numbers (SSNs) and some bank account numbers for 52,000 current and former Johns Hopkins employees, as well as less sensitive data about 83,000 hospital patients. Officials say there is no evidence that the tapes were stolen; it is likely they were delivered to the wrong location or mistaken for trash and destroyed. The university is notifying people affected by the data security breach by letter and email.
Labels: Johns Hopkins
Sunday, March 04, 2007
Something Vishy: Be Aware of a New Online Scam
By News Release
Feb 23, 2007
It's one of the latest breakthroughs in telecommunications -- Voice over Internet Protocol, or VoIP, which carries telephone calls over the Internet instead of the conventional phone network. Criminals are hopping on the VoIP bandwagon along with millions of legitimate customers. They're using the technology to hijack identities and steal money. It already has a name: "vishing."
Vishing is really just a new take on an old scam -- phishing. You know the drill: you get an e-mail that claims to be from your bank or credit card company asking you to update your account information and passwords (perhaps, it says cleverly, because of fraudulent activity) by clicking on a link to what appears to be a legit Web site. Don't do it, of course. It's just a ruse, nothing more than an illegal identity theft collection system.
Vishing schemes are slightly different, with a couple of variations:
In one version, you get the typical e-mail, like a traditional phishing scam. But instead of being directed to an Internet site, you're asked to provide the information over the phone and given a number to call. Those who call the "customer service" number (a VoIP account, not a real financial institution) are led through a series of voice-prompted menus that ask for account numbers, passwords, and other critical information.
In another version you're contacted over the phone instead of by e-mail. The call could be either a "live" person or a recorded message directing you to take action to protect your account. Often, the criminal already has some personal information on you, including your account or credit card numbers. That can create a false sense of security. These calls come from VoIP accounts as well.
Vishing has some advantages over traditional phishing tricks. First, VoIP service is fairly inexpensive, especially for long distance, making it cheap to make fake calls. Second, because it's Internet-based, criminals can use software programs to create phony automated customer service lines.
But if the thieves are giving out their phone numbers, they should be easy to track, right? Wrong. Criminals can mask the number they are calling from, thwarting caller ID. And in some cases, the VoIP number belongs to a legitimate subscriber whose account has been hijacked.
The prevalence of vishing is unknown, due to reporting difficulties. "A lot of would-be victims are reporting this as spam or phishing," says Dan Larkin, chief of the FBI's Cyber Initiative and Resource Fusion Unit. "But we know it's out there. It's happening."
Don't let it happen to you. Larkin recommends greeting a phone call or e-mail seeking personal information with a healthy dose of skepticism. If you think the call is legit, you can always hang up and call back using the customer service number provided by the financial institution when the account was opened. Or contact the Internet Crime Complaint Center if you think you were either a vishing victim or received a suspicious call or e-mail.
Internet cafes found to be havens for dubious computing
The Yomiuri Shimbun
More than half of all illegal computer access in 2005 was made using computers at Internet cafes, and about 70 percent of such cases in which suspects have not been identified were from cafe computers, according to the National Police Agency.
The anonymity provided by Internet cafes helps impede the process of criminal investigations, and the NPA says it will ask for stricter identity confirmations on users.
Such self-imposed regulations, however, may not be easy to implement as some cafes are reluctant to follow such requests, fearing strict identity checks could drive away customers.
There were 946 documented violations of the Unauthorized Computer Access Law in 2006, up 60 percent from 2005. Phishing is one of the common methods behind such illegal access: bogus Web sites are used to trick computer users into giving up their passwords and other confidential information, such as personal identification numbers.
The NPA looked at the servers used in 483 illegal access cases from 2005 and the confessions, communication records and other information from suspects. In 271 cases, or 56 percent, computers at Internet cafes were used.
In the 212 cases in which suspects have not been identified, 139 cases, or 66 percent, were accessed from computers at Internet cafes.
In many cases, the NPA could not track down people because some cafes did not confirm user identities or because they did not keep communication records.
A man arrested by police on suspicion of fraud last year illegally obtained the passwords of 500 users by using computers at an Internet cafe that did not require identity checks. He allegedly obtained coupons and DVDs worth about 5.5 million yen through Internet auctions under a false identity. Investigators found the man by tracking down the destination of the items, among other means.
Damage in such cases often snowballs because it takes time to find suspects.
The Japan Complex Cafe Association has been calling for the introduction of a membership system requiring the submission of identification, or setting up security cameras.
However, only 1,380 of the nation's 3,000 Internet cafes were members of the association as of February, and 70 percent of them have introduced a membership system.
A spokesman for a major Internet cafe operating company said: "Although we understand the point of the system, we also need to think about how to manage personal information on users. So, unless the preparation is well made, we can't introduce it, because there is a risk information could be leaked."
(Mar. 4, 2007)
BBB warns of phishing e-mails
TUCSON CITIZEN
For the second time in less than a month a phishing attack has been launched nationwide using the Better Business Bureau name.
The BBB of Southern Arizona is taking calls from Tucson businesses that have received what appears to be a complaint from the e-mail address consumer-complaints@bbb.org.
Kim States, a local BBB spokeswoman, said a different phishing attack two weeks ago used the e-mail address operations@bbb.org. The U.S. Secret Service Electronic Crimes Task Force is investigating.
Phishing e-mails attempt to prompt replies containing personal details such as names, addresses and financial information. Phishers generally generate e-mails that appear to originate with legitimate businesses and organizations.
Tucson businesses that are unsure whether an e-mail they have received is legitimate should contact the BBB on its member hotline at 888-6161.
Labels: BBB
Alabama Guard sergeant brings class action suit on VA
Posted by Birmingham News staff March 01, 2007 11:34AM
WASHINGTON -- A staff sergeant in the Alabama National Guard has sued the U.S. Department of Veterans Affairs on behalf of the 535,000 veterans whose personal data were contained on a computer hard drive missing from the Birmingham VA Medical Center since late January.
The case, filed in federal court in Birmingham as a class action, alleges the VA knew or should have known about long-standing security problems that threatened the privacy of veterans.
The VA still has not found the hard drive, which contains data on the veterans plus 1.3 million health-care providers. "With each passing day the chance increases for the plaintiff and those similarly situated to become victims of identity theft," the lawsuit states.
The plaintiff, Greg Fanin, was on active military duty twice in Iraq and once each in Jordan and Qatar, and he has received medical services at VA hospitals between 10 and 15 times since Nov. 2001, the lawsuit states.
The case was filed against the VA, VA Secretary Jim Nicholson and VA Assistant Secretary for Information and Technology Robert Howard.
Labels: Birmingham VA Hospital
Stolen Laptops Contained Hospital Patient Information
WFTV.com
POSTED: 7:44 am EST March 1, 2007
PANAMA CITY, Fla. -- Four laptop computers with personal information on nearly 10,000 Gulf Coast Medical Center patients were stolen recently in two separate incidents, a company official said.
Three laptop computers were stolen from a car in Texas in November, Gulf Coast Medical Center spokesman Rod Whiting said. Those laptops contained the names and personal information of 1,900 patients.
Another laptop was taken from a car in Tallahassee in February. That computer contained the names and personal information of 8,086 patients, Whiting said.
"The information is password-protected, so it is highly unlikely that any data was accessed," Whiting said.
"It is believed that the thefts were random and were more for the hardware on the laptops. At this time, there have been no reports of any identity thefts."
The company has already issued letters to patients whose information was taken in the November theft, while letters to patients affected by the February theft should be mailed within three weeks, Whiting said.
Labels: Gulf Coast Med Center
Hackers swipe seed company's customers' data
By DOUG HARLOW
Staff Writer
Saturday, March 03, 2007
WINSLOW -- The Web site of Johnny's Selected Seeds has been hacked by an intruder, resulting in the theft of thousands of private records and credit card numbers, a company official said Friday.
Bruce Harrington, the company's director of sales and marketing, said 11,500 credit card accounts were stolen electronically in February.
"This is a violation, this is a criminal act and it's on us," Harrington said. "We are a victim here; it wasn't like we had credit card information ready for the taking."
He said the FBI was immediately notified and the case is under investigation.
Todd Difede of the FBI's Portland office said it is not bureau practice to discuss criminal cases before the cases are adjudicated.
Of the total number of accounts that were breached, about 20 of the credit cards were used fraudulently, Harrington said.
He said the last known Internet Service Provider to register action involving the Johnny's case was somewhere in the United Kingdom.
Harrington said the security system was hacked in a very sophisticated, methodical way.
"Essentially what happened is that criminals gained access to our internal systems and gathered enough information to allow them to then gain access to our Web site," Harrington said.
The company's "server farm" in Kentucky was the target, he said.
"They hack in there with the information they have, then they can get into information that's stored on the Web, which included credit card information," he said. "Since then, emergency measures have been implemented and the site is being monitored around the clock to ensure this doesn't happen going forward."
Letters have been sent to each of the account holders who then contacted their banking institutions and credit card companies to prevent further breaches and additional fraud.
Harrington said the breach was noticed on Feb. 18, when two customers called and said their credit cards had been compromised with fraudulent charges.
"They had shopped here as well as other locations," Harrington said. "As a security precaution, we immediately notified our Web vendor that handles our Web site, as well as our (information technology) department internally, and started hunting for any breaches in security."
The investigation by the company's emergency response team determined that the original illegal entry happened Feb. 4. The system was locked down, passwords were changed, hard drives were removed and multiple new security layers and software were put in place to make sure something like this does not happen again, he said.
Harrington said he has no idea why a relatively small seed company in rural Maine would become the target of an Internet attack. He said the Johnny's security system was no easier and no harder to access than any other private business's.
"We asked the same question -- why us?" he said.
Harrington said the company had installed "hacker safe" software before the breach, but the system was compromised anyway.
"It wasn't a Web site hack," he said. "It was a breach of security from outside, into our internal security system's network here in Winslow, from which they were able to gather enough information from looking at screens and passwords, to then get into the Web site undetected, grab that information and leave."
Harrington said Internet fraud is nothing new. He pointed to recent breaches at T.J. Maxx and Bank of America systems as two examples.
Johnny's Selected Seeds is a mail-order seed producer located in Albion and Winslow. The company was established in 1973 by Chairman Rob Johnston, Jr.
Harrington said 70 percent of the company's customers are commercial growers. The company exceeded $13 million in sales last year.
The company's export department ships seeds internationally and throughout the United States, both in retail and wholesale, and in small and large quantities.
Harrington said the company employs about 130 people this time of year in anticipation of the spring and growing season.
He said the breach and subsequent investigation, mailings to affected customers and software corrections have cost the company tens of thousands of dollars. "This has really put a financial burden on us in the short term," he said.
Harrington said he thinks the company's quick discovery of the breach and its quick action to alert customers prevented the additional use of the stolen credit card data.
"I think we prevented a lot of things by early detection," he said.
Labels: Johnny's Selected Seeds
Metro says 988 students at risk of identity theft
written by: Jeffrey Wolf , Web Producer created: 3/2/2007 3:54:44 PM
Last updated: 3/2/2007 4:01:49 PM
DENVER – Metropolitan State College says a laptop computer with the names and Social Security numbers of nearly 1,000 former students has been stolen.
Metro State says it is working with both Denver and Auraria Campus Police after the computer was stolen on the afternoon of February 28th from a faculty member’s office on campus.
The computer contained roster information of 988 students enrolled in the faculty member’s classes from the beginning of the 1999 fall semester to the end of the 2002 fall semester. The computer was password protected, but Social Security numbers were used to identify each student.
Metro State says there is no evidence that personal data was actually taken off the computer or misused. However, the school is notifying each person whose name and Social Security number was on the computer and recommending they put a fraud alert on their credit reports.
There is also a special Web site for people concerned their information is at risk: www.mscd.edu/securityalert/.
Labels: Metropolitan State College
Arrests made in Stop & Shop data theft
Jaikumar Vijayan
February 27, 2007 (Computerworld) Police in Rhode Island have arrested four people in connection with a recent security breach at Stop & Shop Supermarket Cos.
The Monday night arrests followed a complaint by employees at a Coventry, R.I., Stop & Shop store of suspicious activity involving four individuals near its cash registers.
"These arrests stem from an ongoing investigation of the recent theft of credit and debit card account data through illegal tampering of Stop & Shop's electronic card transaction pin pad units," the company said in a statement today. "We are hopeful that these arrests will bring those responsible for these crimes to justice."
The Associated Press identified the four men as Arutyun Shatarevyan, Mikael Stepanian, Gevork Baltadjian and Arman Ter-Esayan, all in their 20s. They were scheduled to be arraigned today in Kent County District Court on charges of computer theft and fraud.
Quincy, Mass.-based retailer Stop & Shop earlier this month said that PIN pads -- the devices customers use to swipe credit and debit cards to pay for purchases -- had been tampered with at six of the company's stores in Rhode Island and Massachusetts. The electronic funds transfer (EFT) devices had been removed from their supporting brackets, opened up, modified and then reinstalled.
As a result of the tampering, account and PIN numbers associated with some credit and debit cards were stolen in early February, the company said.
Following the incident, Stop & Shop installed "heavy duty silver bolts" on thousands of EFT terminals in all the company's stores to make it more difficult for thieves to remove the devices from their support brackets.
Labels: Stop and Shop Supermarket Cos.
TJX Data Breach Worse Than Initially Reported
Jaikumar Vijayan
February 26, 2007 (Computerworld)
The massive data breach disclosed last month by The TJX Companies Inc. was far worse than first reported, the company said last week.
An ongoing internal investigation into the breach has shown that intruders gained access to TJX’s systems in July 2005, almost a full year earlier than first thought.
The investigation has also found that card transaction data from TJX-owned stores in the U.K. and Ireland were affected by the intrusion, the company acknowledged. Previously, TJX had said only that it was “concerned” that the breach may have extended to those countries.
“We are dedicating substantial resources to investigating and evaluating the intrusion,” TJX CEO Carol Meyrowitz said in a statement. More than 50 experts from IBM and General Dynamics Corp., hired by TJX to shore up security in the wake of the breach, are investigating the incident, Meyrowitz said.
TJX, owner of retail chains TJ Maxx, Marshalls and Bob’s Stores, last month revealed that someone had illegally accessed a payment system and made off with card data belonging to customers in the U.S., Canada and Puerto Rico and possibly in the U.K. and Ireland. At the time, the company said the breach had occurred in May 2006.
TJX hasn’t disclosed how many shoppers may have been affected by the breach. Some analysts believe the number could be in the millions.
Avivah Litan, an analyst at Gartner Inc., said the latest update by TJX could mean that officials are getting closer to finding the perpetrators.
“I think they have pinpointed [the intruders] to a large degree and may have found files indicating that 2005 [card] data was stolen,” she said.
TJX’s latest disclosure is not all that surprising and points to a broad lack of internal data controls at many large companies, security analysts said.
“When it comes right down to it, very few companies have effective controls to monitor internal systems closely and follow the movement of data” on their networks, said Alex Bakman, CEO of Ecora Software Corp., a Portsmouth, N.H.-based maker of compliance software. Therefore, such breaches can go unnoticed for a long time, he said.
“The underlying problem is that companies are treating security as a ‘nice to have’ as opposed to a ‘must have,’” Bakman said.
“TJX is just the tip of the iceberg. I think we are going to see many more” such disclosures, he added. “It’s going to get a lot uglier before it gets any better.”
Joel Rosen, CEO of security vendor Tizor Systems Inc. in Maynard, Mass., said, “Many companies that relied on traditional security are just coming to terms with the fact that beefing up existing systems is not the answer.”
The fallout from the breach has been widespread as U.S. and Canadian banks and credit unions have been forced to block and reissue thousands of cards. The New Hampshire Bankers Association has estimated that 20% to 30% of New England residents may have been affected by the breach.
Labels: TJX Companies Inc.
Massive Insider Breach At DuPont
(URL: http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=197006655)
By Larry Greenemeier
3:00 PM EST Thu. Feb. 15, 2007
The Delaware U.S. attorney on Thursday revealed a massive insider data breach at chemicals company DuPont where a former scientist late last year pleaded guilty to trying to steal $400 million worth of company trade secrets. He now faces up to a decade in prison, a fine of $250,000, and restitution when sentenced in March.
Gary Min worked as a research chemist for DuPont for 10 years before accepting a job with DuPont competitor Victrex in Asia in October 2005. Between August and December of that year, Min downloaded 22,000 sensitive documents and viewed 16,706 more in DuPont's electronic library, making him the most active user of that database in the company, according to prosecutors.
It's unclear whether Min's frequent access to that database tipped off an automatic alert to DuPont officials or whether his behavior was discovered by studying database access logs. Regardless, Min left DuPont in December 2005, and after starting work for Victrex in February 2006, transferred 180 DuPont documents to a Victrex-owned laptop computer.
After DuPont discovered that Min had helped himself to a large volume of confidential and proprietary DuPont technical information, it notified the FBI and the Commerce Department. Min's Victrex computer was seized on Feb. 8, 2006, while he was at a meeting with Victrex officials in Geneva. The confiscated computer was turned over to DuPont, which in turn gave it to the FBI, according to prosecutors.
Investigators told DuPont that they haven't found any evidence that Min had actually turned the stolen information over to any of his new colleagues, DuPont senior VP and general counsel Stacey Mobley said in a statement.
Min's actions have landed him in a lot of trouble, but his case is hardly unique. "I've researched a bunch of cases where designers and scientists tend to view their company's intellectual property as their own, something they've created and something they want to take with them," says Dr. Eric Shaw, a clinical psychologist and former CIA intelligence officer who for the past two decades has studied insider threats. "As a result, they'll often ignore nondisclosure agreements and other intellectual-property mechanisms."
While many companies worry about departed employees stealing intellectual property through some sort of back door planted in their IT systems, 75% of the 40 proprietary and confidential information thefts studied between 1996 and 2002 by Carnegie Mellon's CERT program in a July 2006 study were committed by current employees, says Dawn Cappelli, a senior member of the technical staff at the CERT program at Carnegie Mellon's Software Engineering Institute. Of those current employees committing intellectual property thefts, 45% had already accepted a job offer with another company. "In between the time they have another offer and the time they leave is when they take the information," she says.
The best way to guard against insider breaches is for companies to monitor database and network access for unusual activity and set thresholds that represent acceptable use for different users. If an employee starts downloading thousands of documents, and this is unusual for the job designation, this should automatically trip red flags to an administrator or manager.
Another important measure is for companies to do account audits to make sure there aren't accounts for employees who don't exist or who no longer work for the company, Cappelli says, adding, "Companies should know all of the accounts their employees have access to."
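The two controls described above, per-role download thresholds over access logs and an audit for accounts with no active employee behind them, as an added example that is not from the CRN article or any DuPont system. The log format, user names, role ceilings and HR roster are all constructed assumptions.

```python
from collections import defaultdict

# Assumed per-role ceilings on distinct documents downloaded in the review window
# (the "acceptable use" thresholds the article recommends); values are constructed.
ROLE_THRESHOLDS = {"chemist": 25, "librarian": 300, "default": 10}


def build_sample_log():
    """Constructed access-log lines, one event per line: user,role,action,doc_id."""
    lines = []
    lines += [f"chem07,chemist,download,DOC-{i:04d}" for i in range(40)]     # well above ceiling
    lines += [f"chem12,chemist,download,DOC-{i:04d}" for i in range(8)]      # normal
    lines += [f"chem12,chemist,view,DOC-{i:04d}" for i in range(100, 160)]   # views are not counted
    lines += [f"lib01,librarian,download,DOC-{i:04d}" for i in range(200)]   # high but within role
    lines += [f"svc_old,service,download,DOC-{i:04d}" for i in range(3)]     # orphaned account
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed CSV-style log into (user, role, action, doc_id) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, role, action, doc = line.split(",")
        records.append((user, role, action, doc))
    return records


def flag_excessive_downloads(records, thresholds=ROLE_THRESHOLDS):
    """Return {user: (role, distinct_downloads, ceiling)} for every user whose
    distinct-document downloads exceed the ceiling for their role."""
    docs = defaultdict(set)
    roles = {}
    for user, role, action, doc in records:
        roles[user] = role
        if action == "download":
            docs[user].add(doc)
    flagged = {}
    for user, seen in docs.items():
        ceiling = thresholds.get(roles[user], thresholds["default"])
        if len(seen) > ceiling:
            flagged[user] = (roles[user], len(seen), ceiling)
    return flagged


def find_orphan_accounts(records, active_employees):
    """Account audit: accounts seen in the log that no active employee owns."""
    return {user for user, _, _, _ in records} - set(active_employees)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("threshold alerts:", flag_excessive_downloads(recs))
    # Assumed HR roster of currently employed account owners.
    print("orphaned accounts:", find_orphan_accounts(recs, {"chem12", "lib01"}))
```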
Labels: DuPont