Data “Dysprotection:” Weekend Roundup (update2)
A quick recap of some of the breaches and follow-ups we reported in the news section this week:
At least 60 customers of Albertson’s Supermarket in San Lorenzo had their identities stolen and bank accounts raided by thieves who used a credit card skimmer. By the end of the week, authorities reported that another Albertson’s had also been compromised the same way.
The University of Pittsburgh Medical Center disclosed that a second set of patient data containing patient names, Social Security numbers, X-rays and other personal medical information had been found on UPMC’s web site and in the Internet Archives. This was in addition to the 80 patients previously reported to have been found on both the web and in the Internet Archives. Not a great week for UPMC.
When the Washington Post exposed the fact that student loan companies were improperly accessing a national database with confidential information on tens of millions of students, the lenders were blocked from access.
New Horizons Community Credit Union (NHCCU) is notifying members of a potential breach of confidential member loan information after the theft of a laptop computer from Protiviti, “a consultant employed by Bellco Credit Union conducting due diligence to prepare a possible acquisition bid.” Anybody else see any irony in the firm doing due diligence managing to get their laptop stolen or am I just in a weird mood?
Ohio State University reported a “two-fer” on breaches this week: a hack compromised the personal information of 14,000 current and former faculty and staff members. Additionally, two laptop computers stolen from a professor’s home contained the SSN and grades of about 3500 chemistry students. And in case one set of the data wasn’t enough, the professor had just finished copying over all of the data from one laptop to the other.
A Los Angeles County laptop computer that contained names and SSN of 28 people enrolled in the Department of Social Services’ Refugee Employment Program was stolen.
An employee of Gerald Champion Regional Medical Center was found to be in possession of confidential employee information, including SSN and bank account information, even though he was not authorized to have that information. Hey, at least they know where their data are, unlike some of these other folks…
The Texas Attorney General filed suit against CVS/Caremark Corp. for putting as many as 1000 customers’ records in a dumpster behind one of its stores. This was the second such suit, as the AG also filed against Radio Shack recently.
A man who stole hundreds of identities from patients whose accounts were handled by Hospital Billing & Collection Service Inc. was sentenced to six years and three months in prison today.
A man in prison for identity theft is accused of running a similar operation from behind bars. Gimme that good old-fashioned American ingenuity…
A computer file server containing research subject information, SSN, and medical details on 3000 cancer research participants was stolen from the University of California at San Francisco.
Valve Software, the company behind Counter-Strike and Half-Life, has been accused of covering up a hack of its servers that allegedly exposed the credit card details of thousands of its customers.
The names and SSN of more than 5,600 New Mexico State University students were accidentally posted on the school’s Web site for a few hours.
Los Alamos National Laboratory was back in the news this week: 550 lab employees were notified that their names and, in some cases, SSN had been on a web site for what appears to be at least two years.
The SSN of up to 150,000 people who received loans or other financial assistance from two Agriculture Department programs were disclosed for 26 years in a publicly available database. Officials at the Agriculture Department and the Census Bureau, which maintains the database, were notified last week by a farmer from Illinois, who stumbled across the database on the Internet. (Update 1: subsequent reports put the number at 63,000)
(Update 1): Homeland Stupidity reported that as many as tens of thousands of consumers who received Astroglide free samples had their names, email addresses, and shipping addresses revealed on the web.
(Update 2): WinCo Foods has reported that employees found evidence of electronic card readers attached to ATM devices in three of their grocery stores in California.
Elsewhere:
Major mail-order Japanese retailer Japanet Takata Co. has filed a 110 million yen damages suit against a former employee who allegedly copied personal information on over half a million customers and then leaked it to outsiders.
In the UK, Lime Pictures exposed about 20,000 individuals’ personal details on its website in the form of completed job applications.
Also in the UK, about 100,000 customers of the broadband provider Bulldog appear to have had private details stolen.
(Update 1) And in the UK yet again: East Anglia Sportspark apologized after an employee accidentally sent out every one of their customers’ email addresses to more than a thousand people.
(Update 2) New Zealand’s Inland Revenue audit can’t account for the whereabouts of 106 computers. They’re confident that no personal data has gone missing – even though they don’t know what was on the computers – because they have a policy that no sensitive data should be stored on computer hard drives.
But on a positive note:
Other than the Albertson’s reports, not one agency or business reporting a breach suggested that there was any chance that the information had been or even might be misused. (Note that I am struggling valiantly to type this with a straight face…)
Although the U.S. Dept. of Commerce reported that 33 computers were infected with data-stealing Trojans and other malware last year, no information is believed to have been stolen. Gotta stop opening those porn links at work, guys…
We like your Friday Roundup, as well as all your other reporting. Disturbing information, but very helpful to be aware of. Please keep it up. Thank you very much!
Digital Integration Group – 858-550-7959
Thanks. I think it’s even more disturbing when you then look at what’s going on in Congress and see no real progress there in addressing some of these issues. I’m tempted to ask them all why they just don’t propose a new postage stamp in memory of all those who have had their personal information compromised. Then they can tell themselves they’ve done something and go home happy. Feh.
Can I quote you on that?
Sure, Michael.