PogoWasRight - Breaches and Data Loss

Statement from Dave & Buster's (follow-up)

Tue, 13 May 2008 13:21:50 -0400

Dave & Buster's has learned that theUnited States Department of Justice has charged and will prosecute theindividuals responsible for the theft of credit and debit card numbers from11 of our locations. These thefts occurred on an intermittent basis fromMay through August of 2007. Although the stolen data was never retained orstored by Dave & Buster's, the data was illegally accessed from the Dave &Buster's computer systems during the card verification and transmissionprocess. No personal information such as names, addresses, phone numbers,bank account numbers, pin numbers, or social security numbers was stolen.The data that was captured consists of "track 2" data that includes thecredit or debit card number and expiration date, but no other identifyingdata.

Dave & Buster's was alerted to the potential data intrusion in lateAugust 2007, and immediately contacted the United States Secret Service.Dave & Buster's worked closely with both the Secret Service and Departmentof Justice and assisted them in their investigation. In addition, Dave &Buster's immediately retained outside security experts who identified thesource of the data compromise. As a result the Company has implementedadditional security measures to prevent any such incident from occurring inthe future. The stores that were compromised were: Westminster, CO;Islandia and West Nyack, NY; Utica, MI; Downtown Chicago, IL; Columbus, OH;Jacksonville, FL; Frisco, Dallas (2) and Austin, TX.

Source - PR Newswire

Reddit It | Digg This | Add to del.icio.us

NY: Upstate jail inmate charged with identity theft scam

Tue, 13 May 2008 13:10:46 -0400

... Cayuga County authorities are charging 24-year-old Eddie Camacho with conspiracy, criminal impersonation and unlawful possession of personal identification information.

.Camacho is accused of telephoning people from the jail and impersonating members of the district attorney�s office to obtain personal information, including Social Security numbers. Deputies say Camacho used the information to obtain credit and services in the names of six victims.

Source - pressconnects.com

Reddit It | Digg This | Add to del.icio.us

TJX credit card heist suspect, 2 others, accused of new scam

Mon, 12 May 2008 20:12:34 -0400

Three men - one of them suspected of playing a role in the heist of 45.6 million credit cards from retailer TJX Companies - have been accused of hacking into cash register terminals belonging to a restaurant chain and installing software that sniffed credit card numbers.

According to a 27-count indictment unsealed Monday, the scheme was carried out in part by Maksym Yastremskiy. In July, the Ukrainian was arrested in a Turkish resort town for allegedly selling large quantities of credit card numbers, many of which were siphoned out of TJX's rather porous network. He remains incarcerated in Turkey, where an application for extradition to the US is pending. Yastremskiy also went by the name Maksik.

Source - The Register

Reddit It | Digg This | Add to del.icio.us

Hackers Indicted for Stealing Credit and Debit Card Numbers From National Restaurant Chain

Mon, 12 May 2008 14:25:09 -0400

Three defendants havebeen charged in a federal grand jury indictment and complaint withillegally accessing the computer systems of a national restaurant chain andstealing credit and debit card numbers from that system, Assistant AttorneyGeneral Alice S. Fisher of the Criminal Division and U.S. Attorney for theEastern District of New York Benton J. Campbell announced today.

According to the indictment and complaint, Maksym Yastremskiy, a/k/a"Maksik," Aleksandr Suvorov, a/k/a "JonnyHell," and Albert Gonzales, a/k/a"Segvec," engaged in a scheme in which they hacked into cash registerterminals at 11 Dave & Buster's Inc. (D&B) restaurants at various locationsaround the United States in order to acquire "track 2" credit and debitcard information. The defendants then sold the stolen data to others whoused it to make fraudulent purchases or re-sold it to make such purchases,causing losses to financial institutions that issued the credit and debitcards. Track 2 data includes the customer's account number and expirationdate, but not the cardholder's name or other personally identifiableinformation.

The indictment alleges that in or about May 2007, Yastremskiy andSuvorov gained unauthorized access to the cash register terminals andinstalled at each restaurant a "packet sniffer," a malicious piece ofcomputer code designed to capture communications between two or morecomputer systems on a single network. The packet sniffer was configured tocapture track 2 data as it moved from the restaurant's point-of-sale serverthrough the computer system at the company's corporate headquarters to thedata processor's computer system. At one restaurant location the packetsniffer captured track 2 data for approximately 5,000 credit and debitcards, eventually causing losses of at least $600,000 to the financialinstitutions that issued the credit and debit cards.

Source - PR Newswire

Reddit It | Digg This | Add to del.icio.us

UK companies: Leaking like a sieve?

Mon, 12 May 2008 13:11:57 -0400

Most UK companies are losing data every month a survey has found.

The majority of UK businesses, 79 per cent, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses larger than 1,000 staff.

More than a quarter, 28 per cent, suffered data loss on a weekly or more frequent basis the report by IT management company CA found.

Source - Silicon.com

Reddit It | Digg This | Add to del.icio.us

'Bonnie and Clyde' Jet-Setters Sign Plea Deal in Massive ID Theft Case

Mon, 12 May 2008 13:08:17 -0400

A young couple accused of stealing the identities of more than 16 people to live expensively and travel the world in style have agreed to plead guilty to federal charges, an attorney said Monday.

Jocelyn Kirsch, 22, will plead guilty to six counts, including two counts of aggravated identity theft, one count of bank fraud and one count of money laundering, the lawyer, Ronald Greenblatt, told The Associated Press.

Source - FOXNews

Reddit It | Digg This | Add to del.icio.us

Another Laptop Stolen from Pfizer, Employee Information Compromised (updated)

Mon, 12 May 2008 12:59:21 -0400

About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen, the pharmaceutical giant confirmed today.

The data breach, which occurred about a month ago, was the second this year affecting Pfizer Inc. employees and the sixth made public in a one-year span dating back to May 2007. More than 65,000 data-breach notifications have been sent out by Pfizer over the past year, including more than 10,000 to employees from Connecticut

Source - The Day

Updated 5-13-08: The Day

Reddit It | Digg This | Add to del.icio.us

UK: Crooks access NHS database

Mon, 12 May 2008 12:20:27 -0400

THE �12billion NHS computer system lay in tatters last night � as it emerged CROOKS may have accessed patient records.

A security card flaw has left the system open to abuse for two years.

Sensitive medical details, addresses and National Insurance numbers of every patient in the country could have been seen by ANYONE in a GP surgery or hospital without using the special swipe card.

.... the controversial Choose and Book system allows GPs to view patient records online, book appointments and order medicines through their computer.

But a GP in Hornchurch, Essex, found he could log on to the system without inserting his "smart card" into the reader device.

Source - The Sun

Reddit It | Digg This | Add to del.icio.us

Ie: Another BoI laptop was stolen in 2001

Mon, 12 May 2008 12:13:32 -0400

... Bank of Ireland says it is investigating an allegation that a laptop was stolen. The development comes as the bank faces two separate investigations following the disclosure that laptops with details of 31,000 customers were stolen last year.

The theft happened in Bank of Ireland's Newbridge branch in 2001. The laptop was used by an official from Bank of Ireland's life assurance division, but the computer contained details of life assurance customers from branches in Newbridge, Kilcullen and Athy.

The laptop was not encrypted - so the information could be easily accessed by hackers. Its theft was reported to line management in the bank, sources have told RT� News. But customers were not informed.

The laptop had details of up to 4,000 Bank of Ireland customers. These included dates of birth addresses, bank account details, medical histories and investments held by customers.

Source - RT� News

Reddit It | Digg This | Add to del.icio.us

Six million Chileans' data leaked

Mon, 12 May 2008 05:50:07 -0400

A hacker in Chile calling himself the 'Anonymous Coward' published confidential data belonging to six million people on the internet.

Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records.

Information about the president's daughters was reportedly included in the leaked data. The information was obtained by the surreptitious hacker from government, military and Ministry of Education servers and posted on FayerWayer, a Chilean technology blog.

Source - WebUser

Related - BBC
Related- FayerWayer

Reddit It | Digg This | Add to del.icio.us

Dahlgren mails ID warning (Naval Surface Warfare Center at Dahlgren update)

Mon, 12 May 2008 05:49:28 -0400

The Naval Surface Warfare Center at Dahlgren is mailing 7,200 more letters to former employees through the Internal Revenue Service warning them about potential identity fraud.

In January, four people arrested in Pennsylvania had pages from a Navy report dated July 7, 1994, listing names, Social Security numbers and birth dates for 100 current and former employees.

... Naval Surface Warfare Center spokeswoman Stacia Courtney said 2,000 letters were sent out earlier to those who worked for the Navy on or before July 7, 1994. The latest batch is going to people whose addresses were not available for the first mailing.

Courtney said it's not clear how many people have suffered from fraudulent attempts to use their names to obtain credit. However, she said those with fraud concerns have been referred to Naval Criminal Investigative Services as the investigation continues.

Source - Fredericksburg.com

Reddit It | Digg This | Add to del.icio.us

Data �Dysprotection:� breaches reported last week

Mon, 12 May 2008 05:44:21 -0400

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Reddit It | Digg This | Add to del.icio.us

UK: Outlawed: Reckless loss of data

Mon, 12 May 2008 05:42:22 -0400

Anyone who recklessly loses personal data will face a "substantial" fine after the government created a new civil offence.

In a victory for data loss law campaigners, MPs backed the amendment to the Criminal Justice and Immigration Act to make it an offence for anyone to "intentionally or recklessly disclose information" or "repeatedly and negligently" allow information to be disclosed.

The Information Commissioner's Office welcomed the powers and said it would be a strong deterrent against companies losing personal data.

Source - Silicon.com

Reddit It | Digg This | Add to del.icio.us

Police get break in ID theft case (Lunardi's update)

Sat, 10 May 2008 17:46:27 -0400

Police say two men arrested Thursday in Southern California are connected to last month's massive identity theft scam at the Lunardi's Supermarket in Los Gatos.

Just how deeply they are involved remains a mystery. The men were in possession of two of the 222 stolen bank account numbers from Lunardi's and $70,000 in cash when they were arrested by Orange County sheriff's deputies.

But the two men posted bail and were freed before Los Gatos-Monte Sereno police found out about the arrest.

Source - Mercury News

Reddit It | Digg This | Add to del.icio.us

Bank cannot find six backup tapes (BNY Mellon update)

Sat, 10 May 2008 13:40:18 -0400

More than 1,300 SAIC stockholders are at risk of identity theft after a box of magnetic backup tapes went missing in New Jersey earlier this year.

The tapes owned by Bank of New York Mellon, which acts as stock transfer agent for SAIC, contained names, addresses, Social Security numbers, stock account information, transaction activity and possibly bank account numbers for 1,376 current or former shareholders, said the San Diego company also known as Science Applications International Corp.

.... Laura Luke, a spokeswoman for SAIC, said the tapes included information from a �very long list of clients� of Mellon in addition to those of SAIC.

Source - SignOnSanDiego

Thanks to a reader for sending this link.

Reddit It | Digg This | Add to del.icio.us

Boarding Passes and Identity Theft

Sat, 10 May 2008 13:39:31 -0400

After reading this article, I'll be more careful about throwing out boarding pass stubs -- Dissent

Can a simple airline stub, plucked out of a bin near Heathrow lead to a breach of security and possible identity theft? The answer might surprise you.

The traveler�s name was on the discarded British Airways boarding-pass stub. Its just a small section of the pass that displays your name and seat number. Very similar to the stub you probably throw away as soon as you leave your flight.

It said the traveler had flown from Brussels to London on March 15 at 7.10am on BA flight 389 in seat 03C. It said the man was �Gold� standard passenger and gave his frequent-flyer number. I picked up the stub, mindful of a report by a computer security expert two months earlier, and put it in my pocket.

.... We logged on to the BA website, bought a ticket in the travelers name and entered the frequent flyer number on his boarding pass stub, without typing in a password. We were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

Source - Carrentals.co.uk

Reddit It | Digg This | Add to del.icio.us

Park National vendor loses laptop with employees' personal info

Sat, 10 May 2008 10:07:19 -0400

About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information.

Aon Consulting Inc., which provides administration services for Newark-based Park's pension plan, lost the laptop in March. The bank has received no reports that data on the computer has been accessed and used by thieves, said Park spokeswoman Bethany White.

Source - Columbus Business First

Reddit It | Digg This | Add to del.icio.us

FL: Rental firm's customer info thrown in trash

Sat, 10 May 2008 07:31:39 -0400

In dress slacks and business shirts, Rent-A-Center employees crawled in a Dumpster on Friday afternoon.

The employees had been called out to clean up pieces of furniture and scattered personal records from the former RentWay in a shopping plaza in the 800 block of Cortez Road West.

Source - Bradenton Herald

Reddit It | Digg This | Add to del.icio.us

SC: Prisoners' ID Theft Scheme Grabs Lawmaker's Attention

Fri, 09 May 2008 18:12:26 -0400

A credit card scheme linked to Lee Correctional Facility stretches all the way to California and back. While authorities in Dyer, Indiana investigate one case, SC lawmakers are expressing their concerns.

News 19 continues its investigation into a credit card scheme involving some South Carolina prisoners. The inmates were granted access to the personal information of dozens of Citibank customers.

Source - WLTX

Reddit It | Digg This | Add to del.icio.us

McAfee Uncovers Web Site For Stolen Bank Accounts

Fri, 09 May 2008 18:10:31 -0400

Most users these days will only have to look on the Web to find the going cost of a stolen bank account. Researchers at McAfee Avert Labs uncovered yet another Web site from the criminal underground -- this time listing bank account numbers and identities, advertised for sale on the blackmarket.

The effort was part of an ongoing effort to shut down illicit Web sites marketing stolen credentials.

Altogether, the Web site listed the name of the financial institutions, along with the dollar figure contained in the account, and the requested prices for each account.

On average, the going price appeared to be anywhere between 8 and 10 percent of the balance in the account.

... In addition to bank accounts, the site also offered credit card identities and numbers, including expiration dates and SSN numbers, from the U.S., Australia and Spain.

"Depending on the price, you can choose your bank among various lists; more than 900 choices for North America or European countries," said Paget, who first detected the illicit Web site. "And to convince prospective clients, the site offers free data to demonstrate their know-how."

Source - ChannelWeb

Reddit It | Digg This | Add to del.icio.us

Bryant & Stratton students told that their data was on stolen laptop (SunGard update)

Fri, 09 May 2008 15:23:49 -0400

Bryant & Stratton College in New York reports that its students were among those who had personal information on a laptop stolen from an employee of SunGard HE.

As numbers become available, this entry will be updated.

Reddit It | Digg This | Add to del.icio.us

Camp Starfish application data available online

Fri, 09 May 2008 15:17:20 -0400

Camp Starfish in Massachusetts has notified the Maryland Attorney General's office that a "glitch" in their online system left applicants' personal information accessible on the internet. The personal information included name, address, phone number, email address, and Social Security number. At least 3 Maryland residents were affected, but the total number of applicants whose data were exposed was not indicated.

In the notification letter to those affected, Emily Golinsky, the Executive Director of the camp merely says that "We have taken steps to rectify this situation." There was no indication of how long the personal information was inadequately secured online, nor whether the camp even attempted to determine whether those files had been accessed by anyone outside of Camp Starfish personnel.

Reddit It | Digg This | Add to del.icio.us

Customers in Maryland also affected by laptops stolen from Saks Fifth Avenue (update)

Fri, 09 May 2008 15:09:16 -0400

Saks Fifth Avenue, who had previously reported that 163 customers in New Hampshire had been affected by stolen laptops, has notified the Maryland Attorney General's office that 2,391 residents of Maryland had personal information on the stolen laptops.

The personal details included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth venue/MasterCard co-branded credit card account numbers.

Reddit It | Digg This | Add to del.icio.us

Former St. John's University students' personal info on stolen laptop (SunGard update)

Fri, 09 May 2008 14:58:26 -0400

St. John's University has notified the Maryland Attorney General's office that some of their former students had personal information on the laptop stolen in March from an employee of SunGard Higher Education.

Although the laptop was stolen on March 13, St. John's reports that they were not notified until April 10.

In their notification letter to former students, Joseph J. Tufano, the Vice President of Information Technology, notes that although the university cannot be certain, the laptop appears to have contained data on students who were enrolled in 2001, including their name, address, and Social Security number.

The university has offered to reimburse affected students for both one year of credit monitoring from Experian for the cost of freezing and unfreezing their credit report (once each) during the next 12 months if the individual submits an invoice from the three major credit bureaus.

Reddit It | Digg This | Add to del.icio.us

Some of Merrill's corporate customers find out their data was accessible online

Fri, 09 May 2008 14:48:55 -0400

Through their attorneys, the Merrill Corporation has notified the Maryland Attorney General's office that a "limited number" of customer purchases from one of its online stationery stores for Merrill's Fine Arts Engraving business was accessible over the internet for "limited time period." Customer information included names, business addresses, and corporate credit card number.

The company is offering affected customers a year of free credit monitoring.

Reddit It | Digg This | Add to del.icio.us

Ex-911 operator accused of illegal database searches

Fri, 09 May 2008 14:42:43 -0400

A former city 911 operator faces multiple felony counts for illegally searching state driving records and state police databases that included the FBI's terrorist watch list, officials said Wednesday.

The fired employee, Nadire P. Zenelaj, 32, of Rochester insists she did nothing wrong and is being singled out because she is Muslim.

... Richard Vega, director of the city's Office of Public Integrity, said Zenelaj was "running personal information on herself, on her family and on friends. I think it went beyond curiosity. ... We think she was accessing this information to pass it on to others."

At least one of the 227 names that Zenelaj searched for was on the terrorist watch list, according to police. She was fired in December, arrested Tuesday and pleaded not guilty Wednesday to misdemeanor official misconduct and 232 felony counts of computer trespass � one for each allegedly illegal search.

Source - Democrat and Chronicle

hat-tip, The Jawa Report

Reddit It | Digg This | Add to del.icio.us

CORRECTED: Software Vendor Has Agreed to Pay for Credit Monitoring for Students (SunGard update)

Fri, 09 May 2008 14:37:00 -0400

Richard Blumenthal, Connecticut�s attorney general, said he is encouraged by SunGard�s response this week to his questions regarding the steps the software company has taken to protect students� personal data.

... In a phone conversation Thursday, Mr. Blumenthal said SunGard has agreed to pay for two years of credit monitoring and $2,500 in identity-theft insurance for each of the affected students in Connecticut. However, SunGard has declined to pay for students to freeze and unfreeze their credit reports, as the attorney general requested. He said officials from his office will be meeting with those from SunGard to discuss the issue.

Source - Chronicle of Higher Education

CORRECTION 5-10-08: SunGard informs us that the Chronicle of Higher Ed erred in reporting $2,500 in identity theft insurance. The correct amount is $25,000. The Chronicle subsequently silently corrected their story.

Reddit It | Digg This | Add to del.icio.us

Miami man arrested after Collier traffic stop accused of identity theft

Fri, 09 May 2008 12:24:31 -0400

An east coast man was arrested Thursday after Collier County Sheriff's deputies found credit cards, checkbooks and other personal information that didn't belong to him in his car during a traffic stop in Golden Gate.

Odlen Pierre-Louis, 33, of Miami, was charged with identity theft.

Arrest reports say Pierre-Louis was driving a 1998 Chevrolet Monte Carlo west on Interstate 75 near the 96 mile marker about 12:50 a.m. when deputies stopped him for having illegal window tint. Pierre-Louis� brake lights were not working when he pulled over, reports said.

A search of the Monte Carlo turned up credit cards, photocopies of driver�s licenses, credit card applications, utility bills and bank statements with the names of various individuals, reports said.

Deputies also found a handwritten form that contained the names of about 20 individuals, along with dates of birth and Social Security numbers, reports said.

Pierre-Louis told deputies he did not know any of the individuals and was not sure how their IDs and personal information got inside his car, reports said.

Source - Naples Daily News

Reddit It | Digg This | Add to del.icio.us

Tower Club leaks alumni members' social security numbers

Fri, 09 May 2008 12:20:43 -0400

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.

The document was attached to an apparently unrelated e-mail that informed current members about a club event. The spreadsheet was attached unintentionally because of �a technical glitch,� Tower graduate board chair Greg Berzolla �87 said in an interview.

The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.

Source - The Daily Princetonian

Reddit It | Digg This | Add to del.icio.us

OR: Deschutes County notifies mental health clients of missing records

Fri, 09 May 2008 11:52:56 -0400

On Saturday, May 3, the Deschutes County Mental Health Department sent certified letters to 50 individuals who received services from the Department during 2005-06. The letters inform the clients that the location of their copied service documents, mailed through the U.S. Postal Service to the State, is unknown. The letter also offers assistance from Department staff and a free credit monitoring service to each person for the next 12 months.

Source - Bend Weekly

Reddit It | Digg This | Add to del.icio.us