Wednesday, April 25, 2007
13 people indicted in $3 million credit card fraud
POSTED: 9:14 a.m. EDT, April 21, 2007
• Waiters in 40 restaurants in 5 states stole diners' credit card information
• Ringleaders paid waiters $35 to $50 for information from each credit card
• Suspects then created high-quality counterfeit credit cards
• Credit card fraud ring operated from November 2005 until this week
NEW YORK (AP) -- The diners didn't know it, but their credit cards were going to pay for more than their meals, prosecutors said.
Waiters in about 40 restaurants, in New York and elsewhere, quietly recorded customers' credit card information and passed it on to people who used the information to make more than $3 million worth of illegal purchases, according to prosecutors.
Thirteen people were indicted Friday on charges stemming from their roles in the credit card fraud, prosecutors said.
The credit card account information was stolen from customers who visited restaurants in Manhattan's Chinatown and other parts of the New York metropolitan area, as well as eateries in Florida, New Hampshire, New Jersey and Connecticut.
Some members of the group stole customers' information; some made the counterfeit cards; others shopped for merchandise; and finally someone bought the goods for cash, Manhattan District Attorney Robert Morgenthau said.
Morgenthau said 12 of the 13 people indicted are in custody and are expected to be arraigned Monday. All the defendants are being charged with fourth-degree conspiracy, punishable by up to four years in prison. Seven are also being charged with second-degree grand larceny, which carries a penalty of up to 15 years.
Authorities were still seeking one suspect, identified by prosecutors only as "John Doe."
When the 35-year-old ringleader was arrested Wednesday, Morgenthau said, police found 296 fake credit cards, $200,000 in cash, numerous Rolex watches and expensive handbags in his Brooklyn home.
The district attorney said conspiracy leaders recruited and managed people who worked as waiters and provided them with small, hand-held "skimmers" that read and recorded information on the magnetic strips of patrons' credit cards.
The leaders, some of whom worked in the restaurants with their recruits, then collected the skimming devices and paid the waiters $35 to $50 for information from each credit card stored in the devices, Morgenthau said.
He said the conspirators operated from November 2005 until this week.
The suspects used the stolen information to create counterfeit credit cards by encoding the information on high-quality credit card blanks, Morgenthau said.
Tuesday, April 17, 2007
Wi-Fi Bug Found in Linux Driver
A major Linux Wi-Fi driver contains a bug that can allow an attacker to take control of a laptop--even when it is not on a Wi-Fi network.
Peter Judge, Techworld.com
Friday, April 13, 2007 01:00 PM PDT
A bug has been found in a major Linux Wi-Fi driver that can allow an attacker to take control of a laptop -- even when it is not on a Wi-Fi network.
There have not been many Linux Wi-Fi device drivers, and this is apparently the first remotely exploitable Wi-Fi driver bug on Linux. It affects the widely used MadWi-Fi Linux kernel device driver for Atheros-based Wi-Fi chipsets, according to Laurent Butti, a researcher from France Telecom Orange, who found the flaw and released the information in a presentation at last month's Black Hat conference in Amsterdam.
"You may be vulnerable if you do not manually patch your MadWi-Fi driver," said Butti. Before making it public, he shared the flaw with the MadWi-Fi development team, who have released a patch. However, not all Linux distributions have yet built the patch into their code, said Butti.
The kernel stack-overflow bug lets an attacker run malicious code, and can be used even if the machine is not actively on a Wi-Fi network, according to Butti, who used "fuzzing" techniques that David Maynor and Jon "Johnny Cache" Ellch demonstrated at last year's Black Hat USA conference, and that had previously been used against Windows and Macintosh systems.
Linux users have previously suffered from a shortage of drivers, and have campaigned to get wireless networking supported in the Linux kernel. With fewer Linux laptops on Wi-Fi networks, security experts -- and presumably hackers -- have taken longer to get round to Linux drivers, but the issue of handling remote data at the kernel level can cause trouble on the open source OS just as easily as on any other.
Butti has previously developed the RAW series of proof-of-concept hacker tools. He also found the Windows Wi-Fi flaw by fuzzing, during the Month of Kernel Bugs last year.
Fuzzing is a blessing, according to Butti, because it is a low-cost way for security researchers to uncover obvious bugs that may get overlooked, and exploited by hackers. In future, he expects fuzzing to reveal bugs in other wireless technologies like WiMax, and wireless USB, as well as many more bugs in the extensions that are regularly added to Wi-Fi.
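An added illustration of the bug class and the technique described above. It is not MadWi-Fi code and does not reproduce the flaw Butti reported (the article gives no detail of it): it models a driver that trusts the length byte of an 802.11 information element (IE) next to the same parser with the checks a driver must do on remote data, and runs a small mutation fuzzer of the kind Butti describes against both. Drivers parse beacons and probe responses while scanning, which is why a laptop need not be joined to a network to receive a malformed frame. The sample frame, the 32-byte SSID buffer and the use of OverflowError to stand in for memory corruption are assumptions made for the example.

```python
"""Added illustration written for this page: NOT MadWi-Fi code and not the
flaw Butti reported. It models a driver trusting the length byte of an
802.11 information element, and mutation fuzzing that finds it."""
import random

SSID_BUF_SIZE = 32   # an SSID is at most 32 octets, so a driver may size a fixed buffer to that


def parse_ies_trusting(body: bytes) -> dict:
    """Model of a driver that trusts attacker-supplied IE lengths.
    Where a C driver would copy past a fixed-size buffer or read past the
    frame, this raises OverflowError so a fuzzer can observe the condition."""
    ies = {}
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise OverflowError("IE length runs past the frame: out-of-bounds read")
        if eid == 0 and length > SSID_BUF_SIZE:
            raise OverflowError("SSID IE longer than the stack buffer: overflow")
        ies[eid] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_ies_hardened(body: bytes) -> dict:
    """Same parser with the checks remote data requires: every length is
    validated against the frame and the destination buffer, and a malformed
    frame is rejected (ValueError) rather than parsed."""
    ies = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header")
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError("IE length runs past the frame")
        if eid == 0 and length > SSID_BUF_SIZE:
            raise ValueError("SSID IE too long")
        ies[eid] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def build_ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


# Constructed beacon body: an SSID IE (id 0) followed by a Supported Rates IE (id 1).
SAMPLE_BODY = build_ie(0, b"corp-wifi") + build_ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))


def fuzz(parser, seed_frame: bytes, iterations: int = 2000, seed: int = 1) -> int:
    """Cheap mutation fuzzer: overwrite one to three random bytes of the seed
    frame and count how often the parser reaches a memory-unsafe condition."""
    rng = random.Random(seed)
    unsafe = 0
    for _ in range(iterations):
        frame = bytearray(seed_frame)
        for _ in range(rng.randint(1, 3)):
            frame[rng.randrange(len(frame))] = rng.randrange(256)
        try:
            parser(bytes(frame))
        except OverflowError:
            unsafe += 1        # would be a kernel crash or code execution in the driver
        except ValueError:
            pass               # hardened parser rejected the frame cleanly
    return unsafe


if __name__ == "__main__":
    print("trusting parser, unsafe conditions:", fuzz(parse_ies_trusting, SAMPLE_BODY))
    print("hardened parser, unsafe conditions:", fuzz(parse_ies_hardened, SAMPLE_BODY))
```

Both parsers accept the well-formed seed frame identically; only under mutation does the trusting one reach the conditions that, in a kernel driver, become a stack overflow. That asymmetry is the whole value of fuzzing that Butti points to: the inputs that matter are the ones nobody would write by hand.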
Labels: Linux Wi-Fi driver
DNS Hole Puts E-Mail at Risk
A compromised DNS server could send browsers to malicious Web sites and cause problems with directory services and e-mail.
John Fontana, Network World
Sunday, April 15, 2007 09:00 AM PDT
A DNS server compromised by a hacker could be used to funnel Web surfers to all sorts of phishing attacks and malicious Web sites and even cause havoc with directory services and e-mail in some cases, according to the father of the technology, Paul Mockapetris.
"Once you control the DNS server, you have license to do phishing and farming attacks and mislead all the users of that DNS server," says Mockapetris, who in 1983 proposed the Domain Name System (DNS) architecture and is acknowledged, along with the late Jon Postel, as the technology's inventor.
The issue is a timely topic after Microsoft announced late Thursday that a vulnerability exists in its DNS server that could allow a hacker to take over the service.
Mockapetris says users with the Microsoft DNS server also should be concerned about Active Directory because the DNS holds start-up configuration data for the directory.
"I don't know the details of the Active Directory protocol, but there are obvious opportunities for mischief," he says, including denial-of-service attacks.
"E-mail is routed via DNS, so if you took over DNS you could misdirect e-mail. There is a lot of opportunity there," Mockapetris says.
The key is that DNS holds a trusted relationship with users because it is the node that directs them to Web sites based on the URLs that are typed into a browser's address bar or clicked on from a "Favorites" menu.
"The trust relationship is hierarchical. So what you get to do if you take over a DNS server is you get to confuse all of the clients that depend on that DNS server," Mockapetris says.
He says attacks to try and add bogus information to DNS servers or completely take them over have been around for quite some time. Microsoft's DNS vulnerability just opens up another avenue that is likely more of a danger to corporate users.
Large ISPs typically run their DNS servers on Unix or Linux running BIND, Nominum or other software and not on Microsoft DNS services, so consumers would likely not be those most at risk, says Mockapetris, who is now the chief scientist for Nominum.
Corporations, on the other hand, do use Microsoft DNS either internally on intranets or as a pipeline to the Web.
A hacker controlling a DNS server would have access to DNS logs to determine sites users go to, such as a bank, and they could alter DNS records to redirect users to a bogus site that looks like the bank and then record password and other sensitive data. Users also could be redirected to hacker Web sites that would install malicious code on end-user PCs.
"If you take over the box, you can tell users whatever you like in response to their DNS queries," says Mockapetris. "You can see where people want to go and decide the most effective way to attack those users based on their patterns."
The attacks can go on relatively unnoticed given the trust inherent in DNS and the fact that it works behind the scenes.
"If a DNS server misdirects a request, a sophisticated user might notice but the vast majority of users won't," he says.
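An added example, not from the article or from any DNS vendor, of the check Mockapetris' point calls for: a zone-integrity monitor that diffs two text snapshots of a zone and reports changed A, MX, NS, SRV and CNAME records, the record types an attacker who controls the server would alter to redirect web, mail and directory traffic. The zone contents are constructed (documentation address ranges and .example names); the snapshots would in practice come from a zone transfer or a dump of the server's data, and the parser handles only the one-record-per-line master-file subset shown.

```python
"""Added example for this page (not from the article): a zone-integrity diff
over two constructed snapshots of a zone."""
from collections import defaultdict

WATCHED = {"A", "AAAA", "CNAME", "MX", "NS", "SRV"}   # SOA serial bumps are expected and ignored

BASELINE_ZONE = """\
; constructed baseline snapshot of corp.example. (not a real zone)
$ORIGIN corp.example.
$TTL 3600
@          IN SOA ns1.corp.example. hostmaster.corp.example. ( 2007041501 7200 900 1209600 3600 )
@          IN NS  ns1.corp.example.
@          IN MX  10 mail.corp.example.
mail       IN A   192.0.2.25
www        IN A   192.0.2.80
dc1        IN A   192.0.2.10
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.corp.example.
"""

CURRENT_ZONE = """\
; constructed later snapshot: www now points elsewhere and a preferred MX was added
$ORIGIN corp.example.
$TTL 3600
@          IN SOA ns1.corp.example. hostmaster.corp.example. ( 2007041502 7200 900 1209600 3600 )
@          IN NS  ns1.corp.example.
@          IN MX  10 mail.corp.example.
@          IN MX  5 relay.attacker.example.
mail       IN A   192.0.2.25
www        IN A   203.0.113.66
dc1        IN A   192.0.2.10
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.corp.example.
"""


def parse_zone(text: str) -> dict:
    """Minimal master-file parser for one-record-per-line zones with $ORIGIN,
    $TTL, ';' comments and optional TTL/class. Returns {(owner, type): {rdata}}."""
    origin = "."
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        owner = tokens.pop(0)
        # skip an optional TTL and class so the next token is the record type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records[(owner.lower(), rtype)].add(rdata)
    return records


def diff_zone(baseline: dict, current: dict) -> list:
    """Return (owner, type, added_rdata, removed_rdata) for each watched RRset that changed."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        owner, rtype = key
        if rtype not in WATCHED:
            continue
        before, after = baseline.get(key, set()), current.get(key, set())
        if before != after:
            findings.append((owner, rtype, sorted(after - before), sorted(before - after)))
    return findings


if __name__ == "__main__":
    for owner, rtype, added, removed in diff_zone(parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE)):
        print(f"{owner} {rtype}: added={added} removed={removed}")
```

The two findings the sample produces are exactly the redirections the article describes: a new lowest-preference MX pulls inbound mail through another host, and the changed A record for www sends browsers elsewhere. The unchanged _ldap._tcp SRV record is what an Active Directory client uses to find a domain controller, so the same diff covers Mockapetris' directory concern. Comparing the server's answers against a baseline from a second, independent source is the runtime equivalent of this offline check.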
How much do security breaches cost anyway?
By John Leyden
Published Thursday 12th April 2007 18:12 GMT
Information security breaches cost anywhere between $90 to $305 per lost record, according to a new study by Forrester Research.
Forrester bases its figures, which it has the good grace to say are difficult to be sure about, on a survey of 28 companies that had some sort of data breach. The estimate covers the cost of legal fees, call center costs, lost employee productivity, regulatory fines, loss of investor confidence and customer losses. Senior analyst Khalid Kark describes its cost figures as an "educated estimate (http://www.forrester.com/Research/Document/Excerpt/0,7211,42082,00.html)". He admitted that auditing the costs associated with security breaches is an inexact science (much like working out the damages resulting from malware infestations, we'd add).
Information security breach laws passed by many US states over the last two years or so have led to multiple reports of data losses that might have gone unreported in the past. Last month, in the most high-profile breach to date, TJX admitted that details of up to 45.6m credit cards were left exposed by a security breach of its database systems that lasted over 17 months.
Excluding the 30m expired cards, which would be more difficult to use fraudulently, the lower end of Forrester's estimates yields a figure of $1.35bn for TJX's losses. Kark told (http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b) the Boston Globe that $1.35bn was a "realistic minimum estimate" of TJX's costs over several years, though he admitted it might be lower.
A similar study by Michigan-based data privacy researcher Larry Ponemon estimated breaches cost $182 per compromised record. None of the 31 incidents cost the affected firm more than $22m. Ponemon told the Boston Globe that remediation costs, such as improving security, cost the same no matter how big the breach. TJX costs would only exceed $1bn if widespread incidents of identity theft associated with the breach forced the retail giant to slash costs and mount a costly marketing drive in a bid to woo punters back into stores.
Both the Ponemon and Forrester estimates represent a fraction of the $5bn+ loss guesstimates we've heard bandied about this week by security firms with a clear axe to grind. TJX said it had spent just $5m up to the end of January on costs such as technical and legal fees and customer communications related to the breach. Tellingly, investors haven't marked down its share price significantly in the expectation of major losses down the road.
TJX spokeswoman Sherry Lang described the $1bn cost estimates as "pure speculation by people who are outside the company". Many variables are involved in costs associated with breaches, making comparisons difficult, she added.
It's 'too late' to assure security of patient data
Saturday, April 14, 2007
By Steve Twedt, Pittsburgh Post-Gazette
A Web site containing Social Security numbers and other personal information for nearly 80 UPMC patients was still accessible on the Internet yesterday -- and computer security experts say the patients can never be entirely assured the content will be gone.
"It is too late. Once something is on the public Web, the only fundamentally safe security assumption you can make is that it is in the public domain forever," said Art Manion, a computer security expert at CERT, part of Carnegie Mellon University's Software Engineering Institute.
If a site is posted only a short time, if it's not popular, the chances are lower, Mr. Manion said.
"But, fundamentally, once it is posted, you have lost control forever."
Yesterday, the Pittsburgh Post-Gazette was again able to view confidential patient information included in former UPMC radiologist Dr. Paul J. Chang's 2002 PowerPoint presentation on managing multimedia electronic records.
The information -- now blocked -- was on a site operated by The Internet Archive, a California-based nonprofit that operates as an Internet library, archiving public Web sites that people can view for free.
"We've been collecting a snapshot of the World Wide Web every two months since 1996," said Brewster Kahle, digital librarian for the Archive. "It basically allows you to search the Web as it was."
Yesterday, UPMC officials said they already had contacted Internet Archive about removing the information, an accommodation Mr. Kahle said they were happy to make.
"We don't want sites in the archive that people don't want there. We're not that type of organization."
On Thursday, the Post-Gazette first reported that personal information -- which, in a few cases, included abdominal and chest scans, clinical notes, and medical screenings as well as Social Security numbers -- had been posted on the UPMC's Radiology Department Web site for about two years.
UPMC officials quickly disabled the site, which had been reachable in four mouse clicks from the department's home page. While still investigating how the patient confidentiality breach happened, John Houston, UPMC's privacy officer, said he thinks the file was restored to the site after the department got a new server for its computers.
When contacted earlier this week, Dr. Chang, now at the University of Chicago, expressed surprise the information had been posted. He speculated that someone inadvertently had downloaded it without checking to see if it contained confidential patient information.
The medical center said it is notifying each of the patients by letter and offering to pay for a year of credit protection services.
Mr. Houston said UPMC has contacted the major archive sites to remove the information, as well as any other site where it might appear.
"It's not entirely perfect. Unfortunately, whether we like it or not, it's the best solution we have."
As the Internet Archive example shows, however, the privileged patient information may never be completely recovered and deleted.
The concern is that while established sites such as The Internet Archive are willing to remove sensitive information, others with ill intent may have been actively looking for it, say security experts.
"The level of interest in malicious hacking will depend on what kind of information is there. If that information includes Social Security numbers, or anything that is truly sensitive, then that information is probably valuable to them," said Adriel Desautels, chief technology officer for Netragard, a New Jersey-based information security company.
With the information being posted for up to two years, he said, "the chance of it being harvested is nearly 100 percent."
Mr. Houston acknowledged that "the damage can never be completely undone," and others may have downloaded the information before the sites they've identified were taken down.
"You hope that, over time, the information becomes staler and staler, and eventually they throw it away."
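Two stories on this page turn on data that should never have been where it was found: the Social Security numbers in the UPMC presentation, which Dr. Chang suggests nobody checked before it was uploaded, and the magnetic-stripe track data the restaurant skimmers captured, which no merchant system may store under PCI DSS. The following is an added example, not from either article or from any named organisation, of a pre-publication and storage scanner for exactly those data types: SSNs, Luhn-valid payment card numbers, and ISO/IEC 7813 track 2 data. The sample text is constructed; the card number is the public 4111... test number, and the invoice number is a dummy that fails the Luhn check.

```python
"""Added example for this page (not from the articles): a scanner for SSNs,
Luhn-valid card numbers and ISO 7813 track 2 data over a constructed sample."""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card PAN: 13 to 19 digits, optionally separated by spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 2 (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?   (what a stripe skimmer records)
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used to drop most numeric false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the BIN and last four, the form in which a finding may be logged."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return (kind, line_number, masked_value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Track 2 first: it is the most sensitive, and its PAN must not be counted twice below.
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(("track2", lineno, mask(m.group(1))))
        line = TRACK2_RE.sub("<track2>", line)
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(("pan", lineno, mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(("ssn", lineno, "***-**-" + m.group(0)[-4:]))
    return findings


# Constructed sample: slide notes with a patient record, a card on file, a skimmer
# dump line, and a 16-digit invoice number that is not a card.
SAMPLE_TEXT = """\
Slide 7 notes (constructed sample, not real data)
Patient: J. Doe   MRN 000123   SSN 123-45-6789   Study: CT abdomen 2002-03-14
Card on file: 4111 1111 1111 1111 exp 05/09
Reader dump: ;4111111111111111=0905101123400001?
Invoice 1234 5678 9012 3456 is an order number, not a card
"""

if __name__ == "__main__":
    for kind, lineno, value in scan_text(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {value}")
```

Run over the sample it reports one SSN, one card number and one track 2 record, and stays silent on the invoice number, the MRN and the dates. The Luhn check is what keeps the scanner usable on real documents; without it nearly every 16-digit number is a hit. Findings are logged masked, since a scanner that writes full card numbers to its own log recreates the problem it exists to catch.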
Labels: UPMC Hospital
Ex-Social Security worker faces ID charge
LOS ANGELES (AP) - A former Social Security Administration employee faces federal charges of allegedly passing along confidential information mined from a government computer to identity thieves who racked up some $2.5 million in illegal credit card purchases, prosecutors said.
Jennifer Batiste, 45, surrendered to authorities Wednesday and was indicted on charges of conspiracy, accessing a protected computer to conduct fraud and disclosure of a Social Security number, according to a statement from the U.S. attorney's office. If convicted on all counts, Batiste could face up to 15 years in prison.
Authorities said she took $20 bribes each time she provided accomplices with information taken from a government database that lists Social Security numbers, mothers' maiden names and birthdays. The accomplices used the data to open new credit card accounts, according to the statement.
One alleged accomplice, Craig Harris, 50, pleaded guilty in September and is awaiting sentencing.
Batiste's arrest is part of an ongoing investigation, federal officials said.
''The American public not only deserves, but demands the highest standards of integrity from government employees that are paid with their tax dollars,'' said David F. Butler, special agent in charge of the Social Security Administration's Office of Inspector General.
Security breached at UCSF
David Lazarus
Sunday, April 15, 2007
It was March 27, a Tuesday, around 7 p.m., that technicians at UCSF accessed a remote server at the UC president's office in Oakland and noticed something peculiar.
The server, which contained sensitive data for about 46,000 UCSF faculty members, staff and students, was operating slower than usual.
"It was struggling more than we were asking it to do," recalled Randy Lopez, co-chief information officer for the campus. "We got suspicious and took a closer look. There was a program running that we didn't know anything about."
It's rare that a hacker is actually caught in the act. But that's apparently what happened as UCSF's tech crew realized they were experiencing, right at that moment, potentially the largest security breach in the school's history.
There's no evidence to date that any info on the server was compromised. But UCSF's recent experience highlights yet again the vulnerability of people's personal data and how we're all seemingly only a few keystrokes from having our identities stolen or bank accounts defrauded.
"Most breaches could be avoided," said Linda Foley, founder of the Identity Theft Resource Center, a San Diego advocacy group. "The problem is that proper security is not being established or maintained."
Her organization has counted 69 security breaches this year, affecting more than 51 million records. A separate tally by the Privacy Rights Clearinghouse, another watchdog group, says more than 150 million records of U.S. residents have been endangered by breaches since January 2005.
Data and security breaches have become so ubiquitous, they hardly seem to be news anymore. In fact, so many disclosure letters get mailed out from breached entities these days -- and I know because disgruntled readers send copies my way -- that there's almost nothing new to report.
But we shouldn't grow jaded. The day we routinely shrug off data breaches is the day we kiss our privacy goodbye once and for all. We're not there yet.
UCSF gets points for moving quickly to notify thousands of potential breach victims of the incident. All too often, companies and organizations with security issues wait a month or two before coming clean, ostensibly because they don't want to hamper an ongoing investigation.
Cynics -- not me, of course -- might instead suspect that the company just wants to forestall any negative publicity for as long as possible.
UCSF sent out letters dated April 4 to potential victims warning that "Social Security numbers and other personal information for most current and recent UCSF campus and medical center faculty staff and students" may be endangered.
The school included four pages of questions and answers related to the incident, and explained to recipients how they can place a fraud alert on their credit files.
"There is no specific evidence that data on this server were accessed inappropriately, but we cannot rule out such access," the letters say.
In fact, if recipients knew all the facts, they'd probably be even more alarmed.
UCSF's Lopez said the server in question contained payroll information for about 43,000 campus employees and additional records, including financial-aid files, for roughly 3,000 students.
This means the names, addresses, Social Security numbers and bank account numbers of thousands of people were potentially accessed by hackers -- an ID theft bonanza.
Worse, the info wasn't encrypted. Lopez said this was a deliberate decision by the UC president's office, which also required access to the server. He said officials believed the data would be sufficiently protected by firewalls and other barriers to hacking.
"That decision is being revisited," Lopez said.
He said an analysis of the breach is continuing, but "a clue" has surfaced indicating that the hacker may have been more interested in disrupting or misusing UCSF's server rather than in accessing confidential data.
Lopez declined to elaborate. But if he's correct, this would suggest that the incident may either have been a denial-of-service attack, in which a hacker maliciously swamps a server with traffic to bring operations to a halt, or a hijacking of the system to serve as a temporary conduit for spam.
Still, that doesn't mitigate the seriousness of the fact that someone managed to get past all the electronic safeguards set in place by the UC president's office and gain access to a system containing reams of unencrypted and highly sensitive files.
"It doesn't make me feel good about the incident," Lopez said. "But it does make me feel better."
As for what's next, he said UC in general and UCSF in particular are studying what steps can be taken to prevent such breaches from happening again. Lopez declined to say whether all stored data will be encrypted -- a requirement that state lawmakers may want to look into if the university won't do it on its own.
"It's a constant war," he acknowledged. "We improve security and the hackers improve their methods. We raise the fences and the hackers learn to jump higher."
On Friday, I wrote about former Intel Chairman Andy Grove's idea for inexpensively placing everyone's medical records on ostensibly secure Web pages. "There are going to be breaches," he told me. "You will either learn to live with those breaches or you will retreat behind a wall of paper records."
My response, to Grove and to the UCSF incident, is that we shouldn't have to live with breaches -- ever. With the almost limitless promise of this technology comes a nonnegotiable responsibility to protect electronic data.
Any company or organization that can't live up to that responsibility has no business possessing anyone's personal info.
Labels: UCSF
Second set of UPMC data found on Internet
Sunday, April 15, 2007
By Steve Twedt, Pittsburgh Post-Gazette
A second set of UPMC patient names, Social Security numbers, X-rays and other personal medical information has surfaced on a Web site maintained by a California archival company.
The data and related medical scans came from a PowerPoint presentation by Dr. Paul J. Chang to the Radiological Society of North America in 2002.
Previous story
It's 'too late' to assure security of patient data (04/12/07)
In December 2003, the California company, The Internet Archive, retrieved the presentation from the UPMC radiology department's Web site and posted it on its own Web site. That made it available to anyone searching the Archive site.
At some point, the presentation was deleted from the UPMC Web site, but it remained on The Internet Archive site until Friday.
On Thursday, the Pittsburgh Post-Gazette reported that another old PowerPoint presentation by Dr. Chang containing UPMC patient data was still accessible on the UPMC site, with identifying personal information for nearly 80 patients.
UPMC removed the item from its Web site Wednesday, but a copy was still available from The Internet Archive through Friday morning.
The latest presentation contains information on eight additional patients, including X-ray scans. At least two of the patients have since died. But other slides clearly show valid Social Security numbers for still-living patients.
Both sites were taken down Friday afternoon after the Post-Gazette inquired about them, and Internet Archive access to UPMC radiology sites now has been blocked.
But information security experts say it's impossible to know whether other copies of the presentations have been downloaded or are still on the Internet.
UPMC officials are contacting patients whose data were disclosed, and they have offered to pay for credit monitoring services for one year to guard against identity theft.
"We want to have this purged as soon as possible," said John Houston, privacy officer for UPMC.
The federal government set up strict patient-privacy restrictions in 2003 under Title II of the Health Insurance Portability and Accountability Act, or HIPAA.
A spokesman for the Office of Civil Rights in the U.S. Department of Health and Human Services said that even if medical records predate the enactment of HIPAA, the law covers all identifiable information in both active and stored medical records. Office of Civil Rights officials were unavailable last week to discuss what happened at UPMC, according to spokesman Mike Robinson.
Reached by phone Friday, Dr. Chang said he remained puzzled about how the patient information got posted.
Mr. Houston said the first site was flagged for removal two years ago, but somehow reappeared, perhaps when the radiology department changed its Internet server.
"When you delete a file, it goes away, right?" said Dr. Chang.
While acknowledging that he doesn't know what happened, Dr. Chang said the only plausible explanation was that an old backup must have been used when the new server was installed. Then he asked rhetorically, "But why would they use an old backup?"
Dr. Chang, educated at Harvard and Stanford, was once named one of the 20 most influential people in radiology by Diagnostic Imaging magazine. While at UPMC, he developed software that allowed doctors to view X-rays on personal computers.
Using that technology, Dr. Chang and UPMC started a medical imaging and information management company called Stentor Inc., which was sold to Royal Philips Electronics in July 2005 for $280 million.
On the two presentations, Dr. Chang lists grants from the National Institutes of Health and the Defense Advanced Research Projects Agency, part of the U.S. Department of Defense.
"I thought I understood security," Dr. Chang said. "But you can only fix what you know. I confess this never, ever entered my mind."
Dr. Chang said he believes that someone at UPMC may have inadvertently posted an early version of his PowerPoint presentations, before he had masked the patient information. He speculated that multiple versions of the presentation were on the department's server, and someone accidentally picked the wrong version to post. One lesson he has taken from all this, he said, is to keep early versions in a separate directory from finished work that will be presented publicly.
The benefits of having medical records in digital form still "far outweigh" the liabilities, including accidental postings that "show that we are still pretty young and pretty inexperienced at this," Dr. Chang said.
"I can guarantee this will never happen at UPMC again, but something else will. It's more than the Internet. It's being digital. If I burn a piece of paper, it's gone. If I shred a record, it's gone. But if I have an electronic version, it doesn't ever go away."
Labels: UPMC Hospital
Invasion of the identity snatchers
American companies are getting proactive in the identity-theft battle
By Steve Alexander - McClatchy Newspapers
Updated: 04/16/07 7:26 AM
MINNEAPOLIS — In February, Hank and Roma Gerbus received an odd phone call. Last year, the Cincinnati couple had had their computer hard drive replaced at a local Best Buy store and were assured that the old drive would be destroyed. But in February, the couple heard from a Chicago man who said that he had bought their old hard drive at a flea market and that their Social Security numbers were still intact.
Such corporate and government security breakdowns that could lead to identity theft have become almost routine. Since early last year, personal information has been put at risk by 138 security breaches at private companies and government agencies, according to the Privacy Rights Clearinghouse, a San Diego nonprofit. Recently, in the largest known threat to date, a Department of Veterans Affairs laptop computer was stolen, exposing 28.6 million current and former military personnel to potential identity theft.
While consumers obviously worry about such breaches, corporations are probably even more concerned. Richfield, Minn.-based Best Buy Co., which admits that the Gerbus incident occurred but says it is still investigating, is beefing up security spending by $15.5 million this year, the first of a two-year effort to tighten computer security.
It also is in the third year of training employees at its stores about data security under the slogan, “Customer privacy: Know it, respect it, protect it.” The company hires pseudo-hackers to try to break into its networks before real hackers might. Last year, it gave its government relations director an additional title: director of privacy.
Other corporations also are taking action, beefing up computer security budgets and hiring outside specialists to test just how secure their systems are, said Avivah Litan, a computer security analyst at Gartner Research in Stamford, Conn. “Corporations are in a state of panic,” Litan said. “It’s a public relations nightmare.”
Best Buy describes a sweeping computer security project that touches nearly every aspect of data-handling by hundreds of computer systems. And it described 50 “control points” where Best Buy has appointed “data stewards” to strictly monitor which employees can access credit card and other sensitive personal information about the company’s customers.
These efforts come at a time when the potential threat of identity theft looms larger than the reality. A survey last year by Javelin Strategy and Research of Pleasanton, Calif., found that the number of identity-theft victims didn’t increase in 2005, despite a growing list of corporate security breaches that could create future victims.
An American citizen has about a 4 percent chance of being an identity-theft victim, said James Van Dyke, Javelin’s president. The total cost of identity theft in the United States was $56.6 billion in 2005.
“Identity theft is like terrorism — you have to plan for the worst case, because there are so many different attempts being made,” Van Dyke said. “If anything, corporations need to invest more in security all the time.”
Enforcement has fallen mostly on the states. Most have enacted laws that require corporations to disclose security breaches of consumers’ personal information.
The Federal Trade Commission can’t require companies to disclose breaches, but it can recommend federal lawsuits against corporations that have violated consumers’ privacy rights, spokeswoman Claudia Bourne Farrell said. The FTC itself became a victim when two laptops containing personal information on about 110 people were stolen from an employee’s car.
The impact of identity theft on consumer behavior is hard to measure. A Gartner survey last year found that 42 percent of online shoppers worried about security, causing them to spend less.
Best Buy and other big retailers are trying to comply with demanding new credit card security standards backed by Visa and MasterCard. One of the toughest provisions requires corporations to encrypt credit card data at all times, which slows computer systems.
For a corporation as large as Best Buy — the nation’s largest consumer electronics retailer, with 120,000 employees — overhauling computer security is an immense task because of the network’s complexity. One computer system tracks daily sales, while another logs cash-register transactions for later auditing. One system handles credit card transactions, while another keeps track of extended product warranties.
“Our network architecture contains hundreds of computer systems, 50 of which contain customer information for some period of time,” said Brian Martin, Best Buy’s director of system strategy. The latter systems are the focus of a continual review of who can access the information they contain.
Employee laptops pose another challenge. Besides encrypting data on the laptops — which is designed to keep data from being read if the computer is stolen — Best Buy limits how much customer information an employee can carry out of the company on a laptop by making the downloading process laborious.
“You might be able to download 1,000 customer transactions,” Martin said. “You couldn’t download 100,000 transactions.”
Best Buy also is increasing security at the store level, from training employees not to print out a credit card application and leave it on the printer to getting credit card information quickly out of the store.
Best Buy’s stores haven’t always been so security-conscious. In a highly publicized 2002 incident, a computer security firm intercepted non-encrypted Wi-Fi signals from its electronic cash registers, revealing customer information involved in purchases.
Best Buy hired external experts to review security at its stores, which now use encrypted wireless signals, and for greater security use separate wireless networks for sales and inventory data.
Hacker, thieves get OSU ID data
About 14,000 faculty and staff and 3,500 students affected
Monday, April 16, 2007 11:43 PM
By Bill Bush
The Columbus Dispatch
A hacker broke into an Ohio State University computer two weekends ago and stole the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former faculty and staff members, the university said today.
And in a separate incident, the same information about 3,500 OSU chemistry students dating back a decade — including Social Security numbers and grades — was on two laptops stolen from the home of a professor in late February, the university said.
Ohio State apologized in letters sent Saturday to the staff and students whose information was stolen, university spokesman Jim Lynch said. Those affected will be offered a year of free credit protection from a private company to help them guard against the criminal misuse of their identities, he said.
In the case of the staff's information, Lynch said, someone using a foreign Internet address broke through a computer firewall the weekend of March 31-April 1 and accessed more than 14,000 records from an Office of Research database of about 190,000 current and former university employees.
Allan Silverman, chairman of the Faculty Council that represents OSU faculty members, said he will start looking into the matter. One of the first questions he wants answered is why the Office of Research, which works to obtain research grants, had that database.
Silverman said he doesn't know yet if his name and personal information were accessed.
"It's a surprise," he said. "It's unfortunate."
The breach was discovered on Monday, April 2, and steps were immediately taken to block access to the data. The office discovered the intrusion involving 7,160 former and 6,934 current faculty and staff members during a routine review of daily activity logs, the university said.
"This was a malicious attack," Lynch said.
The breach involving chemistry students took place Feb. 24, when the home of professor Robert Coleman was burglarized. Coleman said he had transferred the contents of one laptop onto a new laptop just before they were both stolen, along with jewelry, watches, a shotgun and other items from his house.
"They stole a lot more than the computers," Coleman said. "We called 911 as soon as we got home."
The information on the laptops didn't just concern students, Coleman said. They also contained federal grant reports that list the names and Social Security numbers of post-doctoral students and a few undergraduate students working under the grants, Coleman said.
"All of those forms are electronic and would be stored in annual reports," Coleman said.
Also, "in a couple of cases, they were staff evaluations of people I was the supervisor for," Coleman said.
But the vast majority of the information on the laptops was class rosters, including the students' Social Security numbers, Coleman said.
Lynch said university officials worked as quickly as they could to get to the point of being able to notify the victims. Ohio law requires state agencies to notify the victims of computer security breaches within 45 days of the discovery, he said.
"It took us several weeks to identify what records were on (Coleman's) computer," Lynch said.
The university is currently reviewing which records available to staff should use Social Security numbers as personal identifiers, Lynch said.
Universities have been the targets of thieves seeking to steal identities because the schools commonly use Social Security numbers as identifiers, experts have said.
Last year, Ohio University in Athens discovered three major breaches in a matter of months. In one, hackers accessed the Social Security numbers of 137,000 alumni.
In December, UCLA announced that a database containing 800,000 files of personal information, including Social Security numbers, had been accessed.
Labels: Ohio State Univ.
Tuesday, April 10, 2007
UK Fraud Victims Must Now Report Crimes to Banks
UK Fraud Victims Must Now Report Crimes to Banks (March 30, 31 & April 2, 2007) As of April 1, 2007, the UK's Fraud Act 2006 directs that, "in most cases, consumers will be required to report check, plastic card and online fraud offenses to their" financial institutions rather than to police. Those institutions will then forward the information to the authorities as they see fit. The change was made "to reduce the level of bureaucracy involved in fraud recording and to streamline reporting and the initial investigation of such crimes." There is concern that the banks will use this new position of authority to hide the actual incidence of fraud. Furthermore, banks lack the "knowledge, expertise and powers" to handle the cases. The rules affect England, Wales and Northern Ireland.
IRS Still Has Security Weaknesses to Address
IRS Still Has Security Weaknesses to Address, Says GAO (April 4, 2007) According to a report from the Government Accountability Office (GAO), the IRS "has made limited progress toward correcting or mitigating previously reported information security weaknesses at two data processing sites." Two-thirds of previously identified weaknesses are still present. Areas of progress include improving password controls on servers and "enhanced audit and monitoring efforts for mainframe and Windows user activity." Problems yet to be addressed include inadequate access controls, inadequate segregation of duties and the lack of an implemented agency-wide information security program, which is required by the Federal Information Security Management Act (FISMA). GAO developed two sets of recommendations - one for the Commissioner of Internal Revenue "to take several actions to fully implement a comprehensive agency-wide information security program," and another set, limited in its scope of distribution, with recommendations for "actions to be taken to correct ... specific information security weaknesses."
Labels: IRS
IRS Data Not Adequately Protected
IRS Data Not Adequately Protected, Says IG (April 5, 2007) According to a March 23, 2007 report from Treasury Inspector General for Tax Administration J. Russell George, "the IRS is not adequately protecting taxpayer data on laptop computers and other portable electronic media devices." In the three-and-a-half year period from January 2003 through June 2006, nearly 500 IRS laptops were lost or stolen. Many of the incidents were not reported to the IRS computer security office. While there is "limited definitive information" about the data on the missing and stolen computers, the IG's office tested 100 laptops currently in use at the IRS and found 44 with "unencrypted sensitive data, including taxpayer data and employee personnel data."
IRS Commissioner Mark Everson says the agency has installed automatic encryption software on almost all laptops currently in use and all laptops have been issued locks.
Labels: IRS
70,000 current and former Vermont residents may have been compromised
The personal information of as many as 70,000 current and former Vermont residents may have been compromised by hackers using a trojan to breach state PCs last month.
The hackers may have accessed a server containing the names, Social Security numbers, birth dates and financial records of 12,000 Green Mountain State residents who are at least three months behind on child support payments.
However, the New England Credit Union supplied the state's server with the personal information of 58,000 people who did not owe child support, state officials said in press reports.
Cynthia LaWare, secretary of the state Agency of Human Services, told the Associated Press that the state has no evidence that the personal information has been used illegally.
The state will send letters to affected individuals this week, she said.
The Vermont State Police and the FBI have been notified of the breach, LaWare has said in published reports, adding that the affected server has been taken offline.
MessageLabs: Junior sales employees commit most breaches
Junior sales workers commit more security breaches than other employees, according to new research from MessageLabs.
The study, which sought the views of almost 1,000 IT decision makers in the United Kingdom and United States, found that junior sales workers between the ages of 26 and 35 who are multi-taskers and technology savvy are the worst security violation culprits. This group is also likely to use many applications such as email, instant messenger, VoIP and surf the web, the report claimed.
Conversely, those members of staff who are knowledgeable on security issues and work in technology middle-management roles across the same age group are the least likely to break security rules, according to the research.
"Today’s businesses need to be vigilant about both external and internal security threats," said Mark Sunner, chief security analyst at MessageLabs. "With almost half of all businesses not providing adequate training regarding online threats, employees are likely to be oblivious to the dangers to hand and need protecting by other means."
Akonix: Instant messaging attacks up 200 percent in a year
Mar 29 2007 17:00
The growing adoption of instant messaging (IM) platforms in corporate environments has made the technology more attractive to hackers, who have, in turn, attacked IM 200 percent more often than this time last year.
Researchers at Akonix’s IM Security Center reported today that they’ve seen 31 new malicious code attacks on messaging platforms this month, including worms such as IMspam, QQpass and TrigXF.
Of all IM-based malware, Maniccum and Hotmatom were the most common, according to Akonix.
Attacks on peer-to-peer (p2p) networks also increased by nearly a third (32 percent) since last month, with 25 new attacks in March.
Last week, researchers at Websense discovered a variant of the Stration worm using the Skype messaging network. That malware sends infected PCs a message asking them to click on a hyperlink, which directs them to a malicious file downloader.
Don Montgomery, vice president of marketing at Akonix, told SCMagazine.com today that every month this year has seen a marked increase in IM attacks over the year before.
"The first three months of the year have all been up from the first three months of last year, so this is more the routine than an anomaly," he said.
Montgomery added that MSN Messenger is the most attacked platform his firm has seen.
"MSN seems to be the most targeted. I think there’s a continuing anti-Microsoft movement in the underground, and I think the anti-Microsoft sentiment has gone on for many years," he said.
State Web site had Social Security numbers, other data for sale
ASSOCIATED PRESS
1:37 p.m. March 23, 2007
SACRAMENTO – The Social Security numbers, addresses and signatures of more than 650,000 Californians have been available for purchase since 2004 – for about $6 each on a Web site operated by the secretary of state's office.
The revelation was disclosed Thursday by Secretary of State Debra Bowen, who said the Web site had been removed. It was unclear whether the information had ever been tapped to perpetrate identity-theft crimes.
The Web site had been used to post bank lending and collateral statements – so-called Uniform Commercial Code filings – that were frequently purchased by financial institutions conducting loan research.
The site contained about 2 million records, a third of which contained individual borrowers' information. The rest had information about business loans.
Lenders had to establish accounts with the state to buy the information, but there were no restrictions preventing others from doing the same. The Web site was viewed about 300 times a day and had more than 28,000 registered users, according to Bowen's office.
The staff of Assemblyman Dave Jones, D-Sacramento, discovered the breach while researching a bill the lawmaker has authored to try to combat identity theft.
Jones called the data on the secretary of state's Web site “potentially the longest running government Internet breach in California's history.”
One record alone purchased by Jones' office contained the names, Social Security numbers, addresses and signatures of seven small business owners who had put up property as collateral for loans.
Bowen, elected last fall, has worked to combat identity theft as a state senator. She said the breach highlighted the balance the state must strike in providing public records, but also protecting personal privacy. Meeting both requirements, she said, “isn't always easy to do.”
The documents will not be put back on line until they have been stripped of identifying information, Bowen said.
Labels: The State of California
Unknown number of victims in Hortica Insurance backup tape loss; laptops stolen from Chicago Public Schools
Apr 9 2007 18:24
An unknown number of clients of the Florists' Mutual Insurance Company had their personal information lost when a locked shipping case containing magnetic backup tapes was misplaced in transit.
The tapes were lost while being transported by UPS from an off-site facility to the headquarters of Hortica Insurance, the parent company of Florists’ Mutual Insurance Company, according to a statement released Friday by Hortica.
The tapes likely contain the names, Social Security numbers, drivers’ license numbers and bank account numbers of the agency’s claimholders, according to a company statement.
UPS notified the Edwardsville, Ill.-based organization on Thursday that it had exhausted its internal recovery process, according to Hortica, which had been working with the shipping giant to locate the tapes.
Robert McClellan, Hortica president and CEO, said in a press release that there is no indication that any personal information has been accessed.
"UPS and law enforcement agencies have no evidence to indicate an unauthorized individual has possession of the tapes," he said. "It is important for customers to note that these tapes cannot be read without specific computer equipment and software."
Peter H. Fornof, Hortica senior vice president, told SCMagazine.com today that there was no update on the tapes’ status.
McClellan added that Hortica has changed its procedures to avoid shipment by common carrier.
The company also advised clients to review account statements, report any suspicious activity and place a fraud alert on credit files.
Paul Stephens, policy analyst at the Privacy Rights Clearinghouse, told SCMagazine.com that many companies aren’t sure how much personal information they have in their possession.
"In some situations, you just have companies that don’t have a handle on it," he said. "With TJX, you have a company where they still don’t know how many people have been impacted."
Meanwhile, the Chicago Public Schools announced today that two laptops owned by an accounting firm conducting a review of contributions to the Chicago Teacher Pension Fund were stolen on Friday.
The laptops contain the names and Social Security numbers of employees who contributed to the pension fund between 2003 and 2006, according to a district statement.
The data does not include addresses, dates of birth or other personal information, according to the district, which has released a videotape of a suspect to the Chicago Police Department and local media.
Public school officials have offered a $10,000 reward for information leading to an arrest or the recovery of stolen data, as well as a year of credit protection for any current or former employee affected by the theft.
Last month, Magellan Behavioral Health Services located a CD containing the personal and medical information of 75,000 customers of Empire Blue Cross and Blue Shield.
Health Data Management Solutions, a third-party vendor to Magellan, had lost the data when it was sent via UPS.
The CD contained the Social Security numbers, health plan ID numbers and descriptions of medical services rendered.
Tuesday, April 03, 2007
Banks assess data breach
Posted on Fri, Jan. 19, 2007
By Garrison Wells
The Sun News
Coastal Federal Bank is the local bank hardest hit by a security breach of Visa debit cards at TJX Cos. Inc.
The bank had to fire out 3,000 letters to customers who may have been affected by the breach, and each will receive a new debit card.
Other local banks were also hit, but not as heavily as Coastal Federal. That's because Coastal Federal has the largest local market share and more local Visa debit cardholders than other banks.
"This is a pretty sizable [national] breach," said Steve Sherry, executive vice president and chief marketing officer at Coastal Federal.
TJX is "not sure what data and how much data was taken," he said. "They just know some data was taken. They don't know to what extent."
TJX in a news release said its computer systems were hacked late last year. The intruder got into the company's network that handles credit card, debit card, check and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S.
T.J. Maxx, Marshalls and HomeGoods all have presences on the Grand Strand.
The company said the full extent of the intrusion is not yet known, but it is conducting a full investigation.
"Our first concern is the potential impact of this crime on our customers, and we strongly recommend that they carefully review their credit card and debit card statements and other account information for unauthorized use," TJX Chairman Ben Cammarata said in a statement.
The break-in was discovered in mid-December but kept confidential upon the request of law enforcement officials.
TJX said it has hired General Dynamics Corp. and IBM Corp. to upgrade its security system.
Some Beach First National Bank cardholders were affected, but not many, said Barbara Marshall, the bank's marketing director.
"We had a limited number of customers affected by it, and we notified them," Marshall said.
Crescent Bank customers were not affected because the bank uses MasterCard.
Customers of Plantation Federal also were unaffected for the same reason, said Mary Kathryn Aldridge, branch operations manager for the Pawleys branch.
Conway National Bank was also not hit, said Pat Catoe, vice president of credit cards and merchant area.
"Visa is really on top of things like this as far as fraud goes or anything like that," Catoe said. "At this time it hasn't greatly affected us. The more cards you have out there, the more likely you are to be breached."
Visa cardholders who are affected won't be liable for fraud, Sherry said.
"They have what's called Zero Liability fraud protection," he said. "In today's world, you have to have that."
Sherry added that customers should peruse their statements for irregularities.
"If there are any issues, they can call the customer service number on the back of the card or go online," he said.
Vt. College Mistakenly Posts Student Data
Source: ABC News | Priority: Managing Compliance Standards | Topic: Customer Privacy
Date Published: 10/20/2005 | Date Reviewed: 11/3/2005
TAKEAWAY: A former student of Vermont Technical College who plugged his own name into the Google search engine discovered that his alma mater had mistakenly posted every student's Social Security number on the Internet for almost two years. Besides the SSNs, other private data, such as addresses, SAT scores and student ethnicities, were removed after the gaffe was discovered. College officials say there is no indication that identity thieves stumbled upon the treasure trove. The mistake happened when a college administrator intended to direct the information to a secure server drive but instead posted it to a public Web site.
MoneyGram Customer Information Hacked
About 79,000 MoneyGram customers are being notified that their personal information may have been accessed last month.
The company said that it had not been able to determine if any information was actually stolen, but the company was notifying customers that someone may have viewed their personal data.
The information involved did not include Social Security or driver’s license numbers. It did include the names, addresses, phone numbers — and in some cases — the bank account numbers of MoneyGram customers.
Affected customers are being offered one year’s subscription to a credit monitoring service.
Hopkins Loses Data on 135,000 Workers and Patients
Tuesday, February 13th, 2007
Data Loss Source: Backup computer tapes containing personal information about workers and patients - some of it sensitive – have gone missing.
Date Reported: February 12, 2007
Size of Loss: Information on 135,000 workers and patients
Affected Individuals: 52,567 current and former Johns Hopkins University employees and 83,000 Johns Hopkins Hospital patients
Geographic Focus: Maryland
Data contained: Eight university computer tapes, routinely sent to a contractor that makes microfiche archives of the data, held Social Security numbers, addresses and direct-deposit bank account information for 52,567 former and current employees. A separate tape from the hospital had names, dates of birth, sex, race and medical record numbers for 83,000 new hospital patients seen between July 4 and Dec. 18, 2006, or those who updated their information during that period.
Additional Notes: Hopkins officials said they believe the data, which did not include patient medical information, was not compromised.
Kaiser Laptop Stolen
Wednesday, February 21st, 2007
Data Loss Source: A doctor’s laptop was stolen from the Kaiser Medical Center containing medical information of 22,000 patients.
Date of Loss: February 14, 2007
Size of Loss: 22,000 patient files
Affected Individuals: Information on 20,000 patients
Geographic Focus: US
Data contained: Personal information on 20,000 patients; only 500 records included Social Security numbers
Additional Notes: Kaiser Permanente is in the process of notifying as many as 22,000 patients of a possible breach of their private medical information. There were no details provided about where or how the laptop was taken, but a Kaiser spokesman said it was likely a random and isolated crime of opportunity.
Mystery Shopping Company Suffers Mysterious Data Breach
Wednesday, February 28th, 2007
Data Loss Source: Thieves stole several computers containing shoppers’ personal data from Speedmark’s Woodlands, Texas office. Speedmark is a marketing services firm that employs “mystery shoppers” to observe employee behavior for clients.
Date of Loss: December 16, 2006.
Size of Loss: Unknown
Affected Individuals: Mystery shoppers working for Speedmark
Geographic Focus: US
Data contained: The stolen information included names, addresses, e-mail accounts, and Social Security numbers of Speedmark employees and contractors.
Additional Notes: The theft was discovered on Dec. 16, 2006, but many shoppers contracted to Speedmark did not receive letters notifying them of the breach until mid-February, 2007.
Additional Information: Consumer Affairs
Ohio State Auditor Files Stolen
Data Loss Source: A laptop containing personal information of current and former employees of Springfield City Schools, including their names and Social Security numbers, was stolen from a state auditor employee’s vehicle (which was parked in his garage).
Date of Loss: February 22, 2007
Size of Loss: 1,950 records
Affected Individuals: Current and former employees of Springfield City Schools
Geographic Focus: US
Data contained: Names and Social Security numbers of current and former employees; access to the files was password-protected.
Additional Information: Springfield City Schools
Tax Records Stolen
March 26th, 2007
Data Loss Source: Thieves stole three years’ worth of tax returns from Tax Service Plus, a Santa Rosa accounting firm.
Date of Loss: March 7, 2007
Size of Loss: 4,000 client records
Affected Individuals: California residents
Geographic Focus: US
Data contained: The records contained Social Security numbers, addresses, credit card information, and documents with signatures.
Additional Notes: The thieves used a sledgehammer to break through the steel back door of the tax preparer’s offices. They stole the company’s backup computer, which contained financial data on thousands of tax returns dating back three years. Tax Service Plus’ files were apparently not encrypted.
Additional Information: CBS 5
RadioShack Records Found in Dumpster
April 2nd, 2007
Data Loss Source: Thousands of records containing customer names, addresses, telephone numbers and other data were found in a trash can in an alley behind a RadioShack store located in Portland, Texas.
Date of Loss: March 28, 2007
Size of Loss: Thousands of customer and employee records
Affected Individuals: RadioShack customers and employees
Geographic Focus: Corpus Christi, TX
Data contained: According to investigators, the records contained sensitive consumer information, including Social Security numbers, credit and debit card information, names, addresses, and telephone numbers.
Additional Notes: A complaint posted on the state attorney general’s Web site says that RadioShack “failed to safeguard the information by shredding, erasing or other means, to make it unreadable or undecipherable before disposing of its business records”.
Fort Monroe Stolen Laptop Contains SS#s
Data Loss Source: A laptop computer containing the names, Social Security numbers and payroll information for more than 16,000 employees was stolen from an employee's personal vehicle.
Date of Loss: March 26, 2007
Size of Loss: 16,000 employee records
Affected Individuals: Employees of U.S. Army Training and Doctrine Command, which has its headquarters at Fort Monroe.
Geographic Focus: Fort Monroe, VA
Data contained: The records contained names, Social Security numbers and payroll information.
Additional Notes: The computer was password protected and did not contain bank account or bank routing information, Army officials said.
Additional Information: Associated Press
Data Breaches 2007
From Brian Koerner,
Your Guide to Identity Theft.
A Record of Incidents
Identity theft occurs roughly every 79 seconds, making it the fastest growing crime in the United States. Consumers' personal information is exposed on a daily basis, and because of tougher legislation, organizations are now required to report that a breach has occurred if it meets certain criteria.
The following is a list of data breaches that have occurred in 2007. Much like the Data Breaches in 2006 article, the data that was compromised was of such a nature that it could potentially lead to identity theft and other crimes of fraud. For those breaches that affect thousands of people and may be of particular interest to my readers, more detail on the breach is provided.
Fruit of the Loom Data Breach - Reported February 28, 2007. 2,000 present and former employees of five Fruit of the Loom facilities were affected in this breach when their names and SSNs were posted to a company Web site. RISK = MEDIUM
SpeedMark (Mystery Shopping Company), Woodlands, Texas - Reported February 10, 2007. 35,000 employees and contractors of this mystery shopping company were affected after computers were stolen that contained their names, addresses and SSNs. RISK = MEDIUM
East Carolina University, Greenville, NC - Reported February 10, 2007. 65,000 students, staff and alumni were affected in this breach when names, addresses, SSNs and, in some instances, banking information (credit card numbers) were displayed on a Web site due to a programming error. RISK = MEDIUM
Johns Hopkins University and Johns Hopkins Hospital - Reported February 7, 2007. Approximately 135,000 past and present employees and patients were affected in this data breach.
The university reports that nine backup tapes are missing, including payroll information, SSNs and, in some instances, banking information. One tape also contained patient information, though it is not clear how sensitive that information really is. RISK = HIGH
U.S. Department of Veterans Affairs - Reported February 3, 2007. They are at it again, this time with approximately 500,000 veterans and 1 million non-VA physicians having their personal or otherwise sensitive information compromised. The information consisted of veterans' SSNs and the physicians' medical billing information, and the exposure occurred because a hard drive belonging to a VA employee at a department facility in Birmingham, Alabama, was either lost or stolen. RISK = HIGH
Vanguard University - Reported January 27, 2007. Approximately 5,000 financial aid students had their personal information, such as names, addresses, driver's license numbers and dates of birth, compromised when two computers were stolen from the university's financial aid office. RISK = HIGH
Wahiawa WIC program, Honolulu, HI - Reported January 25, 2007. Approximately 11,000 current and former clients had their personal information, such as names, addresses and SSNs, stolen by an agency employee. The employee then went on to victimize three of those clients, committing identity theft and other crimes of fraud. RISK = HIGH
Ohio Board of Nursing - Reported January 25, 2007. Approximately 3,000 recently licensed nurses had their names and SSNs posted to a Web site. This is the second time this has occurred: as normal practice the names of newly licensed nurses are posted to a Web site, but personal information such as SSNs should have been removed before posting. RISK = MEDIUM
KB Home - Charleston, South Carolina - Reported January 17, 2007. Approximately 3,000 people had their personal information, such as names, addresses, phone numbers, Social Security numbers and other identifying information, stolen when a computer was taken from the sales office of this home builder. Those affected had visited the sales office for Foxbank Plantation near the Charleston area. The system was not protected with any encryption technology. RISK = MEDIUM
Department of Revenue - North Carolina - Reported January 14, 2007. Approximately 30,000 people had their taxpayer information, which included names, SSNs and federal tax information, compromised when a laptop was stolen from an employee of the NC Department of Revenue. RISK = HIGH
MoneyGram International - Reported January 12, 2007. Approximately 79,000 people had their personal information, such as names, addresses, phone numbers and, in a few cases, bank account information, exposed. The breach came to light when it was discovered that the data had been illegally accessed over the Internet. The matter is under investigation. RISK = HIGH
University of Idaho - Reported January 11, 2007. The names, addresses and SSNs of at least 70,000 alumni, donors, employees and students of the university were exposed when three computer systems were stolen.
Altria - Reported January 09, 2007. Approximately 18,000 people were affected when a former employee allegedly stole five laptops that contained personally identifiable information. The personal information on the computers consisted of names, SSNs and other benefit-related data.
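The Vermont Technical College posting earlier on this page and the Fruit of the Loom, East Carolina University and Ohio Board of Nursing entries in the list above all share one failure: a file carrying Social Security numbers landed on a public Web server, in two of the cases because a roster that should have had the SSN column stripped was published as-is. A scan of the document root before (or after) publication catches this cheaply. The script below is an added example, not code from any of those institutions; it walks a directory of text files, finds SSN-shaped values, discards structurally impossible ones using the Social Security Administration's published rules (area 000, 666 or 900-999, group 00 and serial 0000 are never issued) and reports only the last four digits so the report itself is not another copy of the data. The file suffixes it inspects and the sample roster it runs on are constructed for the illustration.

```python
"""Pre-publish scan for Social Security numbers in files bound for a public Web root.

Added example, not from the page or the institutions it describes. Assumes the
content is plain text, HTML or CSV; PDFs and spreadsheets need text extraction first.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# ddd-dd-dddd, ddd dd dddd or nine bare digits. The backreference forces the same
# separator in both places, and the look-arounds stop a nine-digit run inside a
# longer number (a ten-digit phone number, a ZIP+4) from being reported.
_SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject combinations the SSA never issues (structural check only)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    masked: str  # ***-**-1234: the report must not become a second copy of the data

def find_ssns(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per plausible SSN in the text, by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(path, line_no, f"***-**-{serial}"))
    return findings

def scan_tree(root: str, suffixes: tuple[str, ...] = (".html", ".htm", ".txt", ".csv")) -> list[Finding]:
    """Scan every text-like file under root (suffix list is an assumption)."""
    out: list[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(suffixes):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    out.extend(find_ssns(fh.read(), p))
    return out

# Constructed sample roster: three real-looking SSNs, one impossible area number,
# one impossible area/serial, plus a ZIP+4 and a phone number as decoys.
SAMPLE_CSV = """\
name,ssn,note
Alice Example,123-45-6789,student
Bob Example,000-12-3456,invalid area
Carol Example,512 65 4321,space separated
Dan Example,123456789,bare digits
zip 12345-6789 phone 5551234567 order 666-01-0000
"""

def demo() -> int:
    """Write the sample into a temporary 'web root' and return the number of findings."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "roster.csv"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CSV)
        with open(os.path.join(tmp, "export.bin"), "w", encoding="utf-8") as fh:
            fh.write("123-45-6789")  # not a text suffix: skipped, which is why binaries need extraction
        return len(scan_tree(tmp))

if __name__ == "__main__":
    for f in find_ssns(SAMPLE_CSV, "roster.csv"):
        print(f"{f.path}:{f.line_no}: {f.masked}")
    print("findings in sample tree:", demo())
```

Run it against the staging copy of the site in a publish hook and fail the deploy on any finding. A regex cannot tell an SSN from an employee number with the same shape, so treat hits as items to review, not proof; the structural filter removes the obvious false positives, and the masked output means the review ticket does not itself need special handling.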
By Ravi Baichwal
March 29, 2007 - A Chicago hospital worker is charged with stealing patient information. An emergency medical technician is accused of using his job to access the sensitive data of at least eight patients at UIC Medical Center for his own use. The EMT has been fired from the hospital.
A criminal investigation is underway as the UIC hospital warns other patients about the security breach.
Officials at UIC Medical Center, an award-winning institution in the field of computerized patient medical records, tell ABC7 the criminal investigation was launched last month. They say they discovered an EMT had improperly accessed patient records. That EMT is 28-year-old Leslie Langford. He faces several charges including identity theft.
"We do take this very, very seriously and immediately responded as soon as we were alerted to the investigation by UIC police," said Sherri McGinnis Gonzalez, UIC spokesperson.
UIC says an EMT was fired last month as soon as it came to light that eight patient medical records were inappropriately accessed by someone with privileged access to those records.
The hospital has sent out letters to over 240 patients saying their records may have been similarly breached and they should take steps to avoid becoming victims of identity theft.
"The information that the employee had access to was demographic, personal medical information, and we believe that person used that information in an inappropriate manner," said McGinnis Gonzalez.
Exactly what that is the hospital would not explain, citing the criminal investigation, but the hospital stressed this was not a case of a breach of the system to the outside world.
"Administrators were able to look at the electronic medical records system and actually track what records this employee had access to and it actually helped in the investigation," said McGinnis Gonzalez.
But patient information is now out there. And one expert in identity theft suggests UIC could be doing a lot more -- such as buying identity and credit monitoring services for victims -- as one way to make up for the fact that it is nearly impossible to ensure those with access to information don't succumb to the temptation to sell it.
"There is you know a clear exchange out there, almost like a stock exchange in ideates, and the more information you have the more the identities are worth, and in fact, if you go out there to the right places looking for it, there is almost like a bid-ask situation out there where there is a floating set of prices out there, 'I have this many names, and this type of information, what can I get for it?' " said Garnet Steen, RelyData.com.
"The nightmare scenario isn't just the consumer has some credit cards opened up in their name, but somebody obtains medical services in their name and that that medical information gets co-mingled with their own," said Steen. Leslie Langford is the son of Chicago Fire Department Spokesman Larry Langford. Larry Langford told ABC7 this is a private family matter and they are working with Leslie concerning this issue.
School District Alleges Senator Took Advantage Of Situation
POSTED: 3:34 pm EDT March 28, 2007
UPDATED: 10:01 am EDT March 29, 2007
GREENVILLE, S.C. -- The Greenville County School District alleges that a South Carolina senator misused his office when he didn't tell the district about school computers that were auctioned off while they still contained personal information.
The district said that Sen. David Thomas took advantage of his elected office and used the situation for his own personal gain.
Wednesday, Thomas denied those claims, and said that he was acting as a public servant, trying to protect students.
WYFF News 4 first learned about the computer in question last year when Kenneth Holbert and Scott Mann claimed they bought school computers and found thousands of private student records.
Thomas later showed News 4 those computers in his Greenville office.
The school district sued Holbert and Mann to get the data back. The men then filed a counter-suit against the district.
Holbert and Mann said that they would settle for an apology and reimbursement for their costs.
On Tuesday, the district rejected that offer to settle, and in their response, made the allegations against Thomas that he used the situation for his personal gain.
There are some things everyone involved has publicly admitted: the computer was owned by the district and it does contain confidential information about thousands of Greenville County students.
But now in question is the motivation of the two men who bought the computer, and why is Thomas involved?
WYFF News 4's Gordon Dill spoke with Thomas in Columbia.
Thomas said, "... They then came to me because they knew I was an attorney and I had a lot of interest in the issue of identity theft"
Mann's sister was a teacher for the district. She was fired and sued.
In their court documents, the district said: "The school district believes evidence will show that Mann (and Senator Thomas) had an ulterior purpose for acquiring and retaining possession of the confidential information ... personal use by Mann as leverage for his sister in obtaining a settlement … in which she is represented by Senator Thomas."
But Thomas said the men showed him the computers and then at a later date, he took on Mann's sister as a client.
Thomas said, "After he and a friend brought me the computers that they had bought at auction. He then sent his sister later on. Completely different matter -- she had lost her job with the school district. The two issues have nothing to do with each other."
The district also said that Thomas misused his position as state senator. Specifically, they said that while he was holding the information, he introduced an identity theft bill in the Senate.
The district court document said, "He was attempting to persuade the South Carolina General Assembly to pass a personal identity theft bill. As proposed, that bill would allow a plaintiff to recover statutory per se damages even if that plaintiff had no actual damages. Senator Thomas, his firm, and even Holbert also conducted research into bringing a class action against the school district."
Thomas said, "This was not retroactive legislation. It would have been prospective and it would have applied to state entities and it would have applied to businesses. So this was an attempt to try and close a loophole that the school district has not accepted responsibility for."
But it is now clear that the district will not settle its suit against Holbert and Mann. And Dill said there is likely more to come in regards to that confidential information that everyone agrees ended up in the wrong hands.
Students’ personal information stolen from UM-Western office
(Created: Friday, March 30, 2007)
DILLON (AP)
Between 400 and 500 current and former University of Montana-Western students are at risk of identity theft after a computer disk containing their Social Security numbers and other personal information was stolen from a professor’s office this week, school officials said.
The stolen information belonged to students enrolled in the TRIO Student Support Services program, which offers financial and personal counseling and other assistance. The school is trying to notify all affected students that their personal information could be used fraudulently, Montana-Western spokesman Kent Ord said Thursday.
“There’s no evidence at this point in time that anything has been used, but it pays to be careful and take precautionary measures,” he said.
Two professors’ offices in the university’s Main Hall were broken into sometime after 11:30 p.m. Monday, when the last university employee did a sweep of the building. The theft was discovered Tuesday morning, and Dillon police were notified. Some cash, the disk, and other university and personal items were stolen, school officials and police said.
The investigation is still in the “early stages,” and no arrests have been made, Police Chief John Gutcheck said. “Anybody that had been in Main Hall that night is a suspect,” he said.
In addition to Social Security numbers, the disk contained students’ names, birth dates, addresses and other information. University officials have sent a letter informing all affected students of the break-in and providing information on how to safeguard against fraudulent use of the data, Chancellor Dick Storey said.
“We treat this matter very seriously and are carefully reviewing procedures to ensure that a similar incident doesn’t happen in the future,” Storey said in a news release.
“The university is working diligently to address problems caused by this incident and any further implications it might have on students.” Montana-Western also has set up a Web site to provide additional information and assist affected students.
Veterans: Stolen info could still pose a risk
By Dylan T. Lovan
Associated Press
LOUISVILLE - Data thieves could have swiped personal information on millions of veterans from a stolen laptop and be waiting for the right time to use it, according to a court filing from veterans who sued last year over the highly publicized theft.
Federal officials say they are confident that no sensitive information was copied from the laptop, which was taken from a Veterans Affairs analyst's Maryland home on May 3 and recovered on June 29. The computer contained sensitive information on 26.5 million veterans in the VA's system.
The VA has asked a federal judge to throw out three suits related to the theft, including one filed in Kentucky by Paul Hackett, a Cincinnati attorney and Iraq War veteran. That suit, along with another filed in New York, has since been transferred to the federal court district in Washington. The third suit was filed in Washington by a group of Vietnam veterans.
The veterans said in a court filing Wednesday that the suits should go forward because, among other reasons, the data could have been accessed and copied by thieves without leaving any evidence of tampering. The information on the laptop included the names, birth dates and Social Security numbers of veterans discharged since 1975, which identity thieves could use to apply for credit cards or loans.
"The 26.5 million affected persons remain at grave risk of identity theft," attorneys wrote in the filing, which was a response to the government's motion to dismiss the suit.
Attorneys for the government said the suit should be thrown out because, among other reasons, the plaintiffs lack standing to sue under the federal Privacy Act. Charles Miller, a Justice Department spokesman, declined to comment further, saying the government's argument is contained in the 86-page motion.
"Other than the specific incident of theft that is described in the complaints, plaintiffs have failed to identify an event that has caused them harm," the motion said.
Worker arrested in Baptist privacy breach
BY JOHN DORSCHNER
Thousands of patients at Baptist Hospital appear to have had their credit card information stolen by an employee, Adrian Green, who was arrested late last week.
Green was caught after using Baptist telephone extensions to give various names in purchasing $3,000 worth of fancy watches, according to an affidavit filed by U.S. Secret Service Agent Shannon Jayroe.
The purchases were made by phone to Bacario.com, a Brooklyn, N.Y., watch merchant. The merchant became suspicious because orders using different persons' names were coming from the same phone number, as identified by the company's caller ID service.
The Secret Service, which handles credit card fraud, was alerted, and agents found that Green kept calling the merchant from different extensions at the hospital, Jayroe stated.
Green's job, which he had held for almost two years, was registering patients, giving him access to all their personal information, including Social Security and credit card numbers.
While agents monitored his actions at Baptist, Green was discovered accessing a patient's name and credit card information at 3:45 p.m. on March 19 and then placing an order with the merchant seven minutes later, the affidavit said.
Agents later went to Green's house in Homestead, where they saw a 46-inch flat-screen Samsung TV and a Sony Blu-ray Disc player, according to the affidavit, which stated that Green admitted the items were bought with stolen card numbers after being read his Miranda rights.
Baptist has fired Green, the hospital said in a news release. The institution didn't know "the extent of the problem, but it appears to involve a single employee who, we believe, accessed the financial records of several thousand patients at Baptist Hospital. We expect to know more in the next few days."
The hospital said it was "working diligently" to uncover what happened and would notify those affected as soon as they could be identified.
"We deeply regret this has happened. It has never happened in the nearly 50-year history of this faith-based organization," the release said.
Theft of identities and credit card information has been rampant recently. Last week, The Miami Herald reported six Miami residents were arrested as part of a group that is alleged to have used credit card information from T.J. Maxx.
The company admitted earlier this week that a hacker or hackers had stolen information from at least 45 million credit card transactions at Marshalls and T.J. Maxx stores.
Miami Herald news partner CBS4 contributed to this report.
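Two of the checks in these stories are easy to automate. In the UIC case the administrators used the medical-records audit trail to list what the employee had opened; in the Baptist case the merchant noticed several cardholder names ordering from one caller-ID number, and agents then tied a registration-record lookup at 3:45 p.m. to an order seven minutes later. The Python below is an added example written for this page, not code from either hospital, the merchant or the Secret Service. The log formats, field names, the two-name threshold and the fifteen-minute window are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class RecordAccess:
    ts: datetime      # when the registration record was opened
    user: str         # hospital login that opened it
    patient: str      # patient identifier
    card_last4: str   # last four digits of the card on file; the audit log should never hold the full PAN


@dataclass(frozen=True)
class Order:
    ts: datetime      # when the merchant took the phone order
    caller: str       # number reported by caller ID
    name: str         # cardholder name given on the phone
    card_last4: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample logs (assumed formats, not from any hospital or merchant):
# clerk.b opens two patients' records and, minutes later, orders are phoned in
# from one extension under three different cardholder names.
ACCESS_LOG = [
    RecordAccess(parse_ts("2007-03-19 09:12"), "clerk.a", "P1001", "4242"),
    RecordAccess(parse_ts("2007-03-19 15:45"), "clerk.b", "P2230", "1111"),
    RecordAccess(parse_ts("2007-03-19 15:46"), "clerk.b", "P2231", "0004"),
    RecordAccess(parse_ts("2007-03-19 16:30"), "clerk.a", "P1002", "9876"),
]
ORDERS = [
    Order(parse_ts("2007-03-19 15:52"), "305-555-0100", "M. Rivera", "1111"),
    Order(parse_ts("2007-03-19 15:58"), "305-555-0100", "T. Nguyen", "0004"),
    Order(parse_ts("2007-03-19 16:40"), "305-555-0177", "S. Patel", "5555"),
    Order(parse_ts("2007-03-19 17:10"), "305-555-0100", "K. Okafor", "2222"),
]


def names_per_caller(orders: Iterable[Order], min_names: int = 2) -> Dict[str, List[str]]:
    """The merchant's heuristic: one caller-ID number placing orders under several cardholder names."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for o in orders:
        if o.name not in seen[o.caller]:
            seen[o.caller].append(o.name)
    return {caller: names for caller, names in seen.items() if len(names) >= min_names}


def correlate(access_log: Iterable[RecordAccess], orders: Iterable[Order],
              window: timedelta = timedelta(minutes=15)) -> List[Tuple[str, str, str]]:
    """Tie each order to a record access for the same card that happened within `window` before it.
    Returns (user, patient, caller) triples: who opened the record and where the order came from.
    Matching on last four digits alone can collide; with a tokenized PAN available, match on that instead."""
    hits: List[Tuple[str, str, str]] = []
    accesses = list(access_log)
    for o in orders:
        for a in accesses:
            if a.card_last4 == o.card_last4 and timedelta(0) <= o.ts - a.ts <= window:
                hits.append((a.user, a.patient, o.caller))
    return hits


def breach_scope(access_log: Iterable[RecordAccess], users: Iterable[str]) -> Dict[str, List[str]]:
    """What the UIC administrators did with the audit trail: every distinct record each implicated
    login opened, which is also the list of patients who must be notified."""
    wanted = set(users)
    scope: Dict[str, set] = defaultdict(set)
    for a in access_log:
        if a.user in wanted:
            scope[a.user].add(a.patient)
    return {u: sorted(p) for u, p in scope.items()}


if __name__ == "__main__":
    print("callers ordering under several names:", names_per_caller(ORDERS))
    links = correlate(ACCESS_LOG, ORDERS)
    print("record access followed by an order on the same card:", links)
    print("records opened by implicated logins:", breach_scope(ACCESS_LOG, {u for u, _, _ in links}))
```

The two sides only line up because the hospital log records who opened which record and when; a registration system that cannot answer that question leaves the merchant's caller-ID observation as the only lead.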
Texas AG accuses RadioShack of exposing customer data
By Bob Sechler
Last Update: 7:56 PM ET Apr 2, 2007
AUSTIN, Texas (MarketWatch) -- RadioShack Corp. (RSH) exposed "thousands" of its customers to identity theft when a store near Corpus Christi failed to properly protect sensitive data, according to the Texas attorney general.
Attorney General Greg Abbott has accused the company of violating Texas laws requiring businesses to protect customers' sensitive data and to develop procedures for doing so.
According to Abbott, investigators discovered that employees at the RadioShack outlet in Portland, near Corpus, "dumped bulk customer records in garbage containers behind the store."
The records included Social Security numbers and credit and debit card information, along with other personal data, Abbott said in a prepared statement.
The penalty for failing to properly protect and dispose of confidential data is up to $50,000 for each violation. The penalty for failing to develop appropriate procedures for doing so is up to $500 per violation.
Supermarket Checkout Keypads Compromised
Posted on Feb 20, 2007 by Tom Fragala
In a bold scam similar to what happens to ATM cash machines, data thieves set up skimming devices on the keypads in the checkout lanes at some Stop & Shop supermarket stores in New England. That really takes some guts to pull off. And it means you have to be vigilant anywhere you swipe your cards. Be careful.
Boston Herald reports,
Data thieves tampered with the checkout lane keypads through which customers swipe their debit and credit cards at several Stop & Shop stores in Rhode Island and one in Massachusetts. Fraudulent charges stemming from stores in Coventry and Cranston, R.I., were reported to the chain. Evidence of tampering was found in four other supermarkets, including one in Seekonk.
CA State Website Publishing Social Security Numbers
Posted on Mar 23, 2007 by Tom Fragala
California, which prides itself on being the most privacy-friendly state, gave its residents an unpleasant surprise today.
It was discovered that a California state web site had been exposing people’s Social Security numbers for years. The SSNs were included on bank lender statements and lien documents. Not only that, but the state sells these documents for, apparently, $8 a pop.
Is it shocking news that the state was selling “identity theft starter kits” to potential thieves? Hardly, there are many data brokers and background check companies that acquire this public data and resell it to anyone that wants it.
More from the SacBee
Citing fears of identity theft, Secretary of State Debra Bowen on Thursday announced she is shutting down part of a state Web site that made available individuals' Social Security numbers.
Bowen said in a statement that she was shutting down Web access to copies of thousands of bank lender statements and lien documents.
Many of the Uniform Commercial Code documents contain Social Security numbers -- potential targets for identity thieves.
Credit Card Industry Says Restaurants are Data Sieve
Mar 24, 2007 by Tom Fragala
Electronic payment processors, including Visa and Mastercard, say that restaurants are the biggest source of credit card data breaches and security leaks. In a way, no surprise, since there are millions of restaurants, many of which are small operations that clearly can’t handle, or don’t care about, Payment Card Industry (PCI) standards.
According to an article in the Wall Street Journal,
Since January 2005, restaurants represented about 40% of incidents in which intruders gained unauthorized access to credit-card information, according to data tracked by Visa. That is the largest percentage of incidents among merchant groups.
Meanwhile, Chicago-based AmbironTrustWave, which conducts security audits for merchants, says that 62% of the security breaches it has seen over the past 18 months came from the restaurant industry.
The problem outlined in this article is not skimming, where an employee uses a clandestine device to copy the data from the magnetic stripe. Rather, it’s the lack of security around the transmission and storage of credit card (and, even more risky, debit card) data. Think about how many point-of-sale systems at restaurants are storing credit/debit card data, and how secure those systems are (not very). Even the largest point-of-sale (POS) vendor in the world, Micros, is punting on the issue:
"It's not really our job to tell the restaurateurs what they need to do to be compliant with credit-card regulations," says Peter Rogers of Micros Systems Inc., which makes restaurant software.
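The Secretary of State's fix in the California story above was to pull the UCC filings offline, and the restaurant problem here is card data sitting in POS storage that nobody inventoried. Both start with the same step: finding where full card numbers and SSNs actually live before deciding what to redact or purge. The Python below is an added example for this page, not code from any POS vendor, state office or the Wall Street Journal. It scans text for Luhn-valid card numbers and structurally valid SSNs, reports them masked, and produces a redacted copy. The log line and filing excerpt are constructed, and the 13-to-19-digit range and the SSN area/group/serial rules are the only structural checks it applies; a hit is a candidate for review, not proof that a card was stored.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (order ids, timestamps).
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Candidate SSN in the dashed or spaced form that appears in filings.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; every card brand uses it, so it cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000, 666 and 900-999 are never issued; group and serial are never all zero."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Keep only the last four digits, the form PCI permits on receipts and in logs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for every Luhn-valid PAN and structurally valid SSN in text."""
    hits: List[Tuple[str, str]] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", mask("".join(m.groups()))))
    return hits


def redact(text: str) -> str:
    """Copy of text with validated PANs and SSNs masked; anything that fails validation is left untouched."""
    def pan_sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask(digits) if luhn_ok(digits) else m.group(0)

    def ssn_sub(m: "re.Match[str]") -> str:
        return mask("".join(m.groups())) if ssn_plausible(*m.groups()) else m.group(0)

    return SSN_RE.sub(ssn_sub, PAN_RE.sub(pan_sub, text))


# Constructed sample input (not real data): a POS debug log that wrote full PANs
# to disk, an order id that is 16 digits but not a card number, and a line from a
# fictitious public filing carrying one real-shaped SSN and one impossible one.
SAMPLE = """2007-03-19 15:45:02 POS lane=3 auth ok pan=4111 1111 1111 1111 exp=0909 amt=42.17
2007-03-19 15:45:40 POS lane=3 order_id=1234567890123456 status=settled
2007-03-19 15:46:01 POS lane=5 auth ok pan=5500-0000-0000-0004 amt=18.50
UCC-1 debtor: J. Doe, SSN 123-45-6789, secured party ref 000-12-3456
"""

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE):
        print(kind, value)
    print(redact(SAMPLE))
```

Run it over POS log directories and database dumps before an assessor does; the masked output is safe to put in a ticket, which the raw hits are not. The Luhn test does not distinguish a card number from any other Luhn-valid identifier, so hits still need a human look before a purge.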
Authorities: Dead targeted in identity theft case
SLIDELL, La. -- A hospital employee here sent her son text messages with the personal information of dying patients in a scheme to obtain credit cards in the patients' names once those patients died, authorities said.
"This is about as low as you can stoop for a dollar," Sheriff Jack Strain said.
Rebecca Stockdale and her son Robert Ezell were arrested earlier this month and booked on 124 counts of identity theft and other charges, including obtaining a credit card by fraud and stealing business records. Ezell's wife, Charlotte Cooper-Ezell, was accused of helping fill out fraudulent credit card applications and booked on identity theft counts.
The three were being held at the parish jail in Covington. It was not immediately clear whether they had attorneys.
Authorities said they did not publicize the case until they realized its magnitude.
Stockdale and her son are accused of stealing the identities of more than 100 dead people and obtaining at least 17 credit cards fraudulently, sheriff's deputies said. Ezell used the cards to make at least 23 purchases at local businesses, detectives said, but they declined to say what was purchased.
Strain said Stockdale, an emergency room clerk, allegedly sent her son text messages with names, birth dates and Social Security numbers of patients who were near death or had recently died. Ezell then used that information to submit credit card applications in the dead patients' names, using addresses of hurricane-damaged, unoccupied homes near his house in Slidell, authorities said.
Ezell also browsed newspaper obituaries and gave names to Stockdale, who searched the hospital database for personal information on the dead, Strain said.
A spokesman for Slidell Memorial hospital, Sam Caruso Jr., said Stockdale worked for the hospital for 12 years and that hospital officials were shocked by the allegations against her. She has since been fired, he said.
"This is an extremely serious breach of patient confidentiality and a breach of all the training we give our employees on how to handle sensitive information," he said.
The FTC Investigates Mystery Shopping Complaints
Posted on Apr 2, 2007 by Michelle Pastor
A while back I blogged about mystery shopping and all the scams that go along with it. It looks like the FTC is also leery of the scams associated with the industry. According to this FTC announcement, the FTC is charging multiple companies with misrepresenting available jobs and potential income.
The FTC alleged that in exchange for the $99.95 fee for one year of service, consumers thought they would be trained and certified as mystery shoppers, and would gain access to job postings available through the company, with enough paid assignments available to ensure a steady part-time or full-time income. Instead, consumers received a worthless certification and access to re-postings of other mystery shopping assignments posted by other companies, who were unrelated to the defendants. Consumers still had to apply for these jobs, most of them low-paying, and had no advantage over anyone else who found the postings elsewhere for free.
Beware of any company that asks for money upfront or one that offers to train and certify you as a mystery shopper. Believe me, you don’t need a certification to do it, anyone can do it.
A Mistake From The White House May Lead to Identity Theft
Posted on Apr 2, 2007 by Michelle Pastor
You can only do so much to prevent identity theft. Take this article from US News and World Report, for example.
A mundane trip manifest of reporters who traveled to Latin America with President Bush has turned colossally controversial because the White House included personal ID info on the E-mail sent to news bureaus. The key ingredients of identity theft (Social Security and passport numbers and dates of birth) were listed in the E-mail that the White House Travel Office sent out in what's typically the first stage of billing.
The reporters' vital information was emailed to a list of media billing offices and bureau officials. Within a second, this mistake could have undermined any and all of the reporters' previous efforts to prevent identity theft.
With all that is known about identity theft and its link to Social Security numbers, it amazes me that incidents like this still happen.
What I thought was especially alarming is that some news organizations completely missed the boat.
Some news organizations aren't taking chances. They are warning correspondents to check their charge accounts.
Fraudulent charges on credit cards are the least of the reporters' worries; it's the Social Security numbers that can be used to open new accounts, and so on and so on and so on!
Labels: White House
ID theft threats have surged 200% since Jan. 1
Gregg Keizer
March 28, 2007 Identity theft threats jumped 200% in the first two months of 2007, a security company said today, noting that fraudsters have shifted to simpler, more effective tactics.
Cyveillance Inc. of Arlington, Va., compiled data from its Internet sweeps to report that the average daily count of URLs hosting malicious downloads climbed to 60,000 in February, 200% over the December 2006 figure. A single-day spike in midmonth came close to 140,000 such sites.
"The traditional phishing technique is being replaced by putting a URL in the e-mail," said Manoj Srivastava, Cyveillance's CTO. "The trend now is to use the browser as the attack vector."
Phishing attacks have shifted from the usual e-mails that try to con users into visiting reproductions of legitimate pages, then duping them into entering their personal information. Instead, thieves simply stick a link in an e-mail message and count on users' gullibility.
"It works," Todd Bransford, vice president of marketing for Cyveillance, said when asked what might be behind the rise. "It's proved to be a highly effective way of taking control of someone's PC."
Malicious sites typically exploit browser vulnerabilities to conduct "drive-by" downloads, installing bot Trojans that let a hacker control the machine or password-stealing keyloggers on compromised systems.
Srivastava speculated that another reason for the rapid rise in malicious sites is, ironically, the effectiveness of antiphishing software. "The phishing detection business has gotten good -- ours included -- and [so] it's far easier to detect conventional phishing techniques" than to gauge the potential for harm from a Web site.
The quick climb might also be a result of the increasing ease with which identity thefts are crafted. "[Phishing] kits have become common. It's so simple to launch attacks now that there's something of a geometric progression going on with the numbers," said Srivastava. "The economics and risks involved being what they are, more people are learning about identity theft and how to make money from it. This looks like an inflection point."
Cyveillance also uncovered hundreds of thousands of credit and debit card account numbers in its sweeps of IRC channels and server logs of botnet operators. In the first two months of the year, the company's monitoring technology found more than 320,000 credit and debit card numbers, more than 1.4 million potential Social Security numbers and approximately 1.3 million account log-on credentials.
"We're pretty solid on those numbers," said Srivastava. Although the Social Security numbers were not actually verified, he said, they match the nine-digit criteria and the algorithm used to construct the numerical strings.
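A defender-side check in the spirit of the sweep described above, written here as an added example (not Cyveillance's tooling): it scans constructed IRC-style log lines for card numbers that pass the Luhn check and nine-digit strings that satisfy a set of structural SSN rules, which are my assumption about what a plausibility test looks like rather than the company's algorithm, and it reports masked hits only.

```python
"""Scan captured text (e.g. IRC channel logs) for leaked card numbers and SSNs.

Added example; not Cyveillance's tooling. The structural SSN rules below are an
assumption about what a 'plausible SSN' check looks like, not their algorithm.
"""
import re
from typing import List, Tuple

# Constructed sample log lines standing in for a captured IRC channel.
SAMPLE_LOG = """\
<bot42> dump: 4111-1111-1111-1111 exp 09/09
<bot42> dump: 4111 1111 1111 1112 exp 09/09
<seller> ssn 123-45-6789 dob 1970-01-01
<seller> ssn 000-12-3456 (bogus)
<noise> build 20070328 ticket 987654321012
"""

# 13-19 digits with optional single space/dash separators, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# 3-2-4 digit groups with optional dashes, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(digits: str) -> bool:
    """Structural rules (assumption): area 001-899 but not 666; group and serial non-zero."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return 1 <= area <= 899 and area != 666 and group != 0 and serial != 0


def find_pii(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) per hit; full values are never returned."""
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Card numbers first; blank them so their digits cannot be re-read as an SSN.
        def _card(m: "re.Match[str]") -> str:
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append((line_no, "card", "*" * (len(digits) - 4) + digits[-4:]))
            return " " * len(m.group(0))

        remainder = CARD_RE.sub(_card, line)
        for m in SSN_RE.finditer(remainder):
            digits = "".join(m.groups())
            if ssn_plausible(digits):
                hits.append((line_no, "ssn", "***-**-" + digits[-4:]))
    return hits


if __name__ == "__main__":
    for line_no, kind, masked in find_pii(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {masked}")
```

On the constructed sample only the Luhn-valid card and the structurally valid SSN are reported; the second card fails Luhn and the 000-prefixed SSN fails the area rule.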
An Identity Theft Waiting to Happen?
A mundane trip manifest of reporters who traveled to Latin America with President Bush has turned colossally controversial because the White House included personal ID info on the E-mail sent to news bureaus. The key ingredients of identity theft (Social Security and passport numbers and dates of birth) were listed in the E-mail that the White House Travel Office sent out in what's typically the first stage of billing.
"A lot of us went crazy," says one reporter, "because it's an identity theft waiting to happen."
Among those on the trip were CBS's Bill Plante, Fox's Bret Baier, CNN's Ed Henry, NBC's Kelly O'Donnell. The manifest usually includes just the names of those on the trip and what they owe.
The E-mail went to media billing offices and bureau officials. "I don't know everyone on that list. It could have been taken by somebody shady," frets one TV reporter.
"It was an honest mistake," says C-SPAN's Steve Scully, president of the White House Correspondents' Association. He said that a day after the E-mail went out, the travel office apologized and tried to retrieve them. The event prompted the White House to speed up plans to institute a new and more secure system. Some news organizations aren't taking chances. They are warning correspondents to check their charge accounts.
Sunday, April 01, 2007
Security Gap at TIAA-CREF Was Huge, Critics Say
Former employees accuse company of not revealing extent of client data at risk
By ANDREA L. FOSTER
Sonia Radencovich did not raise any particular interest at TIAA-CREF when she began a temporary job at the giant pension company in September 2004 to help upgrade software that counselors there use to advise clients.
But two months later, company officials discovered that she was really a convict named Sonia Howe. She had just been sentenced to four years in prison for helping her lover, Martin Frankel, loot insurance companies of more than $202 million in a fraud scheme. The federal Securities and Exchange Commission had banned her from ever working again for a securities broker or dealer. Her sentencing, in U.S. District Court in New Haven, had taken place just 11 days before she started her job as a consultant at the Teachers Insurance and Annuity Association-College Retirement Equities Fund, and she had three months of freedom, on bail, before her prison term began.
Labels: TIAA-CREF