“A patriot must always be ready to defend his country against his government” — E. Abbey

Chronicles of Dissent

September 1st, 2008 at 6:52 am

Data “Dysprotection:” breaches reported last week

in: Privacy

A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org.  For those looking for annual statistics: as of their last update on August 22, the Identity Theft Resource Center shows 449 breaches reported in the U.S. for this year, surpassing last year’s total record.

Newly reported incidents in the U.S.:

  • Promotion selection lists containing the names and Social Security numbers of more than 50,000 active-component noncommissioned officers were compromised earlier this year and in 2005, according to officials familiar with an ongoing Army investigation.
  • Rochester Institute of Technology officials say that a laptop with personal information on 12,700 people who have applied to enroll at NTID since 1968 was recently stolen from the National Technical Institute for the Deaf.
  • The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified national MasterCard merchant.
  • A glitch during a computer upgrade at the Louisiana Real Estate Commission caused the names, addresses and Social Security numbers of more than 13,000 licensed agents to be exposed on the Internet.
  • Nye Lubricants notified the New Hampshire Attorney General that an employee “may have accessed electronic personal information stored in certain of the Company’s databases without proper authority and/or for improper purposes” on or about August 15.
  • Confidential information for more than 2,500 students, employees and volunteers in Prince William County was put in the public domain for more than a month this summer after an employee working at home released the data through a file-sharing program.
  • A laptop containing the personal information of at least 4,000 students in the Reynoldsburg City School district was stolen.
  • Heavenly Ham alerted 600 customers of a credit card identity theft that may have occurred.
  • Paper jams in a mail-inserting machine caused 2,845 Pennsylvania Department of Public Welfare renewal packets to go to the wrong Pennsylvania welfare clients’ homes.
  • A database that contains the names, addresses and Social Security numbers of 13,000 retired Ohio police officers was improperly emailed by a retired Ohio Police & Fire Pension Fund employee to his own home.
  • Customers who paid for items at a YMCA fund-raiser with checks or credit cards are being warned about a burglary at which credit and debit card numbers were taken.
  • Eighty-six Kansas State University students are receiving letters from the Division of Continuing Education advising them that papers with their names and Social Security numbers on them were stolen from a parked vehicle last week.
  • If you have used an ATM at the Camelot branch of Wachovia Bank in Cape Coral recently, you may want to check on your account.
  • Thousands of personal records were briefly at risk this summer when an intruder placed a malicious link on the Web site of St. Joseph’s Academy in Baton Rouge.

Newly reported incidents elsewhere:

In the U.K.:

  • A computer containing banking security details of more than one million people has been sold on eBay for $64. It belonged to MailSource UK - an arm of Graphic Data, an archiving company that holds financial information for Royal Bank of Scotland, NatWest and American Express.
  • Self-service systems in UK supermarkets are being sought by hi-tech criminals with stolen credit card details.
  • Confidential files were lost in the past three years by North-East NHS trusts, including North Tees and Hartlepool, South Tees, Newcastle and York.
  • New controls on computerized data storage have been introduced at a Scottish health authority after equipment containing patients’ sensitive details was lost by staff at NHS Dumfries and Galloway.
  • Other losses by NHS trusts were revealed in Scotland on Sunday.
  • Police have made an arrest over the sale on eBay of a computer said to contain the personal details of thousands of Charnwood Borough Council tax payers. This is the second computer reportedly sold on eBay this week containing personal information.

Elsewhere:

  • In Taiwan: six people are currently being held in custody for what is believed to be the biggest personal data hacking enterprise undertaken in Taiwan’s internet history. They are believed to have stolen more than 50 million records of personal data including information about President Ma Ying-jeou, his predecessor Chen Shui-bian and police chief Wang Cho-chiun.
  • In New Zealand: tax documents showing the salary of a Christchurch medical professional have been mistakenly sent to a 25-year-old student. The personal details included name, address, workplace, Inland Revenue (IRD) number, phone number, salary and taxation.
  • In Shanghai: three Chinese men will soon be charged with transporting fake credit cards that could have cost global banks US$20 million had the scheme not been disrupted, Shanghai Railway police said yesterday.  The cards were to use stolen customer identity information.
  • In Canada: a former contract cleaner at Tetherwood Spa recorded 60-65 customers’ credit card numbers and misused them.

In the courts or legal proceedings here and abroad:

  • Londie Bowman, who used another person’s identity to get a $20,000 breast lift and tummy tuck at Plastic Surgery Specialists in Greenbrae, was sentenced Wednesday to nine months in the Marin County Jail.
  • Indictments were returned against three Jackson women accused of stealing from a nursing home resident.
  • Ex-Countrywide analyst Rene L. Rebollo, Jr., and Wahid Siddiqi were arraigned for their parts in the Countrywide breach.
  • Six people accused of stealing personal information from UCI student health forms and using it to get bogus tax refunds have been indicted by a federal grand jury in Texas.

Updates on previously reported breaches from here and abroad:

  • Best Western responded to media reports of a huge breach by claiming that although there was a breach, it only affected one branch and 10 customers.
  • Bank of New York Mellon Corp said on Thursday that a security breach involving the loss of personal information, including Social Security numbers, now affects about 12.5 million customers, up from an earlier 4.5 million.
  • TrustCo Bank Corp is resorting to litigation to recoup costs it incurred after reissuing thousands of credit cards to customers affected by the security breach at the parent company of the T.J. Maxx and Marshalls chains.

To get all breach news reports, updates, and articles discussing breaches as they’re posted, subscribe to the Breaches RSS feed from PogoWasRight.org. To get this blog by RSS, subscribe to Dissent’s feed.

August 31st, 2008 at 8:19 am

The week that was: changes in the Top 10 list of breaches

When Scotland’s Sunday Herald proclaimed “Revealed: 8 million victims in the world’s biggest cyber heist,” they appeared to be wrong on a few counts.  Even if  they had been correct that every Best Western hotel guest’s data  had been stolen, that would not have made the breach the world’s biggest cyber heist.  Had they consulted any one of a number of online sources, they would have discovered that 8,000,000 records or people might have barely qualified for the Top 10 list in terms of breaches where we have numbers reported. As it turns out, Best Western disputes the numbers and claims that the numbers are in the dozens, not millions.

But what does it take to make the top 10 list in terms of breaches?  After two breach reports from this week changed the rankings, it looks like it takes over 8,500,000 records or people just to stand a chance of becoming a cautionary tale.  A breach reported from Taiwan moves right to the head of the list — depending on how you ‘count’ the TJX breach.  If you count it as 94,000,000 as banks claimed in their court filings, TJX currently retains the dubious distinction of worst breach ever in terms of number of records compromised.  If you use the 46,500,000 figure that had been previously cited and that seems to synch with recent federal indictments, the TJX breach falls to second place behind the 50,000,000-record hack in Taiwan orchestrated by at least 6 people who hacked into government databases, state-run firms, telecom companies and a television shopping network.

BNY Mellon and Archive Systems Inc. also joined the Top 10 list this week when BNY revealed that missing unencrypted backup tapes contained data on 12.5 million people — not the 4.5 million originally reported.  To their shame, BNY Mellon did not discover the additional 8 million people on their own initiative — the extent of the breach was only discovered when they responded to a probe by Connecticut.

So what does the Top 10 list currently look like?  Based on available information, it might look like this:

| Rank | # of Records or People | Entity | First Reported | Incident |
|---|---|---|---|---|
| 1 | 94,000,000* | TJX, Inc. | 2007-01-17 | Hack |
| 2 | 50,000,000 | Misc. Taiwanese | 2008-08-28 | Hack |
| 3 | 40,000,000 | Card Systems | 2005-06-17 | Hack |
| 4 | 26,500,000 | U.S. Department of Veterans Affairs | 2006-05-22 | Stolen Laptop |
| 5 | 25,000,000 | HM Revenue and Customs / TNT | 2007-11-20 | Lost Tapes |
| 6 | 18,000,000 | Auction.co.kr | 2008-02-17 | Hack |
| 7 | 12,500,000 | Bank of New York Mellon / Archive Systems Inc. | 2008-03-26 | Lost Tapes |
| 8 | 9,000,000 | Misc. Korean | 2008-07-27 | Hack |
| 9 | 8,637,405 | Dai Nippon Printing Company / Unnamed Contractor | 2007-03-12 | Insider |
| 10 | 8,500,000 | Certegy Check Services Inc. | 2007-07-03 | Insider |

* 94,000,000 or 46,500,000 depending on source.

Given the fact that entities are still amassing tremendous amounts of data, one can only wonder what the list will look like by the end of this year.

August 30th, 2008 at 7:43 am

August mutterings…

August is usually a more relaxed month for me as patients are off to summer camp and schools are closed.  This August, however, turned out to be less than relaxing. Apart from simultaneous patient emergencies and trying to get ready for upcoming conferences and courses I’m teaching, events of the month have left me muttering to myself…..

“We’ve capped your spending limit”

The beginning of the month brought a letter from American Express that they were capping my monthly spending.  Why?  Apparently — and although there was never anything in arrears with my AmEx account — there was a questionable credit report.  When I investigated, I discovered that my bank had made some humongous mistakes. My bank immediately corrected their errors and notified Experian, who in about a week (and to my pleasant surprise), corrected their error.   But AmEx said that they could not restore my account to its previous terms for 3 months because that’s when they automatically check credit reports.  So even with the corrected report in hand, they refused to restore my account.  Furious calls to Customer Relations at corporate headquarters received a sympathetic ear, but even then, I got nowhere for a while.  The FTC suggested that I file complaints with them, OTS, and my state consumer protection board.   AmEx’s position is that their “suits” advised them that there is no law that requires them to fix their errors quickly and that since it is their plastic and their terms, the customer has no legal redress.  My account is now sorted out due to intervention by Customer Relations, but if AmEx’s lawyers are right, then we need another consumer law revision.

“They stole my pocketbook”

As a nonagenarian, it is all my mother can do to keep her balance while she walks and continues to try to live independently.  So some sleazebag in NYC took advantage and stole her pocketbook while she was out on errands.   My sibling and niece immediately started cancelling her accounts, my mother filed a police report, and arranged for a locksmith to come change the locks on her door within 24 hours.  Within a few days, we had the bulk of notifications and mess sorted out — until we see what happens, of course.

But the experience endangered her life as her blood pressure went through the roof and her heart condition kicked in and made it difficult for her to breathe. While my sibling handled the notifications, I focused on calming our mother down so she did not suffer a stroke or heart attack.

When we talk about the risk of ID theft, let’s never forget the emotional and physical toll it can take on its victims.

And if they ever catch the thief, I just want 5 minutes alone with him or her.

As I post news to PogoWasRight.org, I have often questioned why they call some charges “aggravated identity theft.”  Is there any ID theft that doesn’t cause aggravation? They really should find another term for enhanced charges for that crime, and they should consider the physical and emotional impact.  Not everything is money.

“They’re taking me to the emergency room”

My son’s work has some element of risk of injury and we’ve all gotten fairly matter-of-fact about some of it.  This month, though, seemed to have more than its usual share of injuries, the most recent requiring a plastic surgeon. I tend to stay very calm in emergencies due to my training, but I know of no mother who can stay totally calm when you pick up the phone to  hear, “OK, they’ve got a blanket wrapped around my head to stem all of the bleeding….”

“Did I ever have hepatitis?”

Something’s wrong with my son, and they can’t figure out what despite the tests they’ve already run.  Could those medications he was on years ago that the FDA told us were safe have caused his current liver problems?  The FDA has done a terrible job of protecting the safety of children and teens when it comes to assessing the safety of medications.  While the big pharmaceuticals continue to rake in profits, how many studies showing adverse events have been swept under the rug?

Hopefully, this will turn out to be just some viral thing, but for a kid who never gets sick to have such long-lasting fatigue, pain, and abnormal labs, something’s not right….

So… hopefully you all had an enjoyable summer.  For me, I’m glad August is about over.

August 25th, 2008 at 6:57 am

ITRC: Breaches Blast ’07 Record

With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches — more than its total for all of 2007.

As they note, the 449 is an underestimate of the actual number of reported breaches, due in part to ITRC’s system of reporting breaches that affect multiple businesses as one incident. This year we have seen a number of such incidents, including Administrative Systems, Inc., two BNY Mellon incidents, SunGard Higher Education, Colt Express Outsourcing, Willis, and the missing GE Money backup tape that  reportedly affected 230 companies. Linda Foley, ITRC Founder, informs this site that contractor breaches represent 11% of the 449 breaches reported on their site this year.

Reiterating its emphasis in earlier press releases on the number of breaches rather than the number of records or individuals, ITRC notes, “in more than 40% of breach events, the number of records exposed is not reported or fully disclosed. This means the number of affected records is grossly incomplete and unusable for any statistic or research purpose. The use of potentially affected records generally causes more concern and is ‘news-sexy’.”

While this site concurs that the “total number of records or people” has been plagued by a number of problems and I have blogged about these issues before,  the usability of any statistic is ultimately the decision of individual researchers.  And the numbers do matter, of course. As a consumer, I want to know if an employee thought so little of privacy and security that he left unencrypted data on 100,000 people in his car. I want to know why a visiting nurse is carrying around sensitive information on tens of thousands of patients when her case load is less than 100. The numbers tell me something about how proactive the entity was.  And if big numbers are “news-sexy” and that’s what it takes to keep these issues in the public eye, then I suppose there is some value in them.

More important than the individual numbers, perhaps, are the details of a breach, something that is often lacking or glossed over in reports. As one example, when third party benefits administrator Administrative Systems, Inc., disclosed that its office had been burgled in December 2007, it did not reveal the total number of clients affected, nor the total number of individuals whose unencrypted data were on the stolen computer. Given that just one of the dozens of clients informed this site that it had to notify 250,000 of its customers, the numbers for that breach might be staggering. But more importantly, perhaps, ASI’s notification letter did not tell those affected that ASI suspected that the computer had been stolen by an employee, nor that in the course of the burglary, the thieves walked past newer computers and only took the one computer that had all the client data on it. That information was never publicly revealed and only came to light when this site obtained the police reports in response to a Freedom of Information request. Although we can be somewhat understanding of the need for discretion during an ongoing investigation (in this case, the police were not able to determine the identity of the thieves and the case is on inactive status), if you were one of those affected, would knowing that the firm suspected one of its own employees and that the thieves had ignored closer and newer computers and only taken the one with personal information have influenced your level of concern or any steps you might take to protect yourself?  ASI did nothing wrong as far as the laws on disclosure and notification go.  But are we requiring too little?

PogoWasRight.org has repeatedly called for a national full disclosure law. Even with such a law, there are still many breaches we will not know about in a timely fashion. But without any law, we will continue to remain in the dark and at risk. And as part of any dialogue, we need to take a hard look at why the federal government is not notifying businesses or individuals that their data has been exposed or accessed.  When 11 people were recently indicted for hacking TJX and other businesses, some of those businesses stated that they had no evidence that there had been a breach and had therefore not notified customers.  If the federal prosecutors had such evidence, what, if anything, did they tell these businesses?  And if federal investigators find that 230 people had their identities stolen by illegal immigrants, who is responsible for ensuring that those individuals are notified?  What are the government’s responsibilities in these situations?

As crime grows and any one crime can potentially impact millions of people — as this week’s Best Western Hotels (Europe) incident demonstrates yet again — the need for better protection, better monitoring, and better and faster notification and disclosure increases exponentially.  Investigating cybercrimes is important, of course, but Washington needs to do a lot more, and we still do not have a national disclosure and notification law.

Correction: it seems reports concerning Best Western may not have been accurate. Best Western disputes the original reports and claims that 10 customers were affected from one hotel.

August 25th, 2008 at 5:55 am

Data “Dysprotection:” breaches reported last week

A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org.  There were so many arrests, convictions, fines, and sentencings this week that I’ve broken them out in a separate section.

Newly reported incidents in the U.S.:

  • Wells Fargo was back in the news for the second week in a row. This time, five of their new banks are notifying customers that a tape with their personal data was lost in transit by an unnamed courier. The tape included information on customers of Jackson State Bank, Shoshone First Bank, Sheridan State Bank, First State Bank of Pinedale and United Bank of Idaho.
  • The Princeton Review accidentally published the personal data of 34,000 students in the public schools in Sarasota, Florida and 74,000 students in the school system of Fairfax County, Virginia.
  • Kingston Tax Service computers containing clients’ personal information were stolen.
  • InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008, potentially exposing personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG.
  • Alaska Airlines discovered that one of their employees had been misusing payment card information provided by customers of Alaska Airlines and Horizon Air when they made reservation changes. The employee reportedly processed the reservation changes but diverted the payments to his personal account.
  • Case Western Reserve University said the personal information and social security numbers of 1,160 undergraduates was inadvertently disclosed on the school’s web site.
  • Cost Plus World Market was informed of a spate of fraudulent debit card transactions linked to at least 11 of the Oakland-based company’s Southern California stores, including three in San Diego, after debit card PIN pads at select stores had been tampered with between February and April.
  • The details have yet to be clarified, but reports indicate hundreds of people across the country could be victims of an identity theft scheme that somehow involves Allen Stoudemire, a Midland City Council candidate.
  • The HR department at Aflac disclosed 623 people’s information to each other when it neglected to put their addresses in the bcc field of an email.
  • The Social Security numbers used to employ illegal immigrants at Agriprocessors Inc. meatpacking plant were stolen from people in at least 25 states, including two people from Iowa, and from 38 people who are dead. In all, more than 230 citizens and lawful immigrants had their Social Security or resident alien numbers used by the illegal workers.


August 18th, 2008 at 5:19 am

Data “Dysprotection:” breaches reported last week

A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org. For those looking for annual statistics: as of their last update on August 12, the Identity Theft Resource Center shows 431 breaches reported in the U.S. for this year.

Newly reported incidents in the U.S.:

  • Wells Fargo Bank NA is notifying some 7,000 individuals that a thief may have accessed their Social Security numbers and other personal information by illegally using the financial services firm’s access codes. The code was used to access information from MicroBilt,  and the companies suspended their dealings by mutual agreement following the breach.
  • Cable television operator Charter Communications Inc. had a dozen employee laptops stolen from an office, affecting  about 9,000 current and former employees.
  • Names, social security numbers and even personal medical information of more than 500 patients at Wuesthoff Medical Center were posted on the internet.
  • Keller High School mistakenly mailed personal information on students and their families to the wrong students.  At least 45 families  received other families’ paperwork.
  • A number of dumpster stories in the news this week:  Police are investigating after a folder belonging to Obra Homes that contains the personal information of hundreds of people was found in a dumpster.  Hundreds of check stubs containing personal information on Labor for Hire Pompano workers were found scattered across a field. The names and social security numbers of more than 200 workers have been compromised.  This is the second incident in recent months involving Labor for Hire.  Thousands of files containing personal and medical information were thrown in a dumpster by an unnamed personal injury law firm in Atlanta. And hundreds of private, personal records containing sensitive medical information and some Social Security numbers were thrown out with the trash by Treatment Associates.
  • Raymond L. Clayton Sr.,  former minister of a now-defunct church in Northumberland County, was sentenced to prison and told not to have any contact with congregation members whose personal information he misused.
  • Hackers gained access to the University of Otago staff email server after tricking four staff members into revealing their login details.

Newly reported incidents elsewhere:

In the UK:

  • The Ministry of Justice (MoJ) has lost the  personal, criminal, and/or bank records of 45,000 people due to a number of incidents since 2007.
  • The Home Office lost the names, nationalities, passport numbers and dates of birth of 3,000 seasonal agricultural workers on two CDs in transit to the UK Borders Authority.
  • Buy As You View has launched an investigation after the personal details of hundreds of customers were found dumped on the ground.
  • A diary containing contact details of 350 midwife patients at Rochdale Infirmary was lost.

In Ireland:

  • Personal details of 380,000 social welfare recipients were stored on a laptop which went missing in April 2007 from the Department of Social and Family Affairs.
  • A computer memory stick belonging to a Probation Board employee that contained information on a prisoner was found in a pub in the North.

In New Zealand:

  • The Accident Compensation Corporation (ACC) apologized to a Westport woman for requesting her medical files without her consent, but she wants to know why the West Coast District Health Board (WCDHB) gave them her files without her consent.
  • Internet service provider Slingshot reportedly had some glitch that allowed users to obtain others’ information.

And in Germany, an investigation has been launched after a CD containing the personal and bank details of 17,000 individuals was anonymously handed to the Schleswig-Holstein Consumer Association. According to the Association, the data, which was sold to a number of call centres, appears to have originated from the lottery operator Süddeutsche Klassenlotterie (SKL).

Updates on previously reported breaches from here and abroad:

  • The laptop stolen from an AT&T employee’s vehicle in San Antonio in May contained personal and salary or bonus information on 113,595 employees.
  • Rachael Rivas Dumbrique, a former Department of Consumer Affairs employee who e-mailed herself a confidential personnel roster containing 5,000 state worker names and Social Security numbers was arrested and charged with five felony counts.
  • Hundreds of Valley birth certificate applications from six area hospitals that went missing en route to the Department of Public Health in Sacramento earlier this year have now been found and shredded.
  • Authorities believe the Clear® laptop that went missing from a locked office at San Francisco International Airport last month then reappeared more than a week later was stolen, not misplaced.
  • A senior hospital manager from Colchester Hospital University NHS Foundation Trust who lost a laptop containing the unencrypted records of more than 20,000 patients while he was on holiday, has been dismissed from his position.
