Data “Dysprotection:” Weekend Roundup (update 3)
A recap of some of the breaches and follow-ups reported in the news section this week. This roundup may be updated over the weekend.
FEMA notified 2,300 people that due to “an unfortunate administrative processing error” their Social Security numbers were printed on the outside address labels of Disaster Assistance Employee (DAE) reappointment letters.
Data tapes containing the names and Social Security numbers of former IBM Corp. employees were reported lost during transport, and company officials weren’t saying how many people were affected.
60 students from school districts in Lancaster and Lebanon Counties in Pennsylvania had their personal information stolen when their teacher’s briefcase was stolen from his car while he was inside a hotel attending a seminar.
Computer equipment containing files with sensitive information of nearly 160,000 current and former employees of the Neiman Marcus Group was reported stolen. The files were owned by an unnamed pension consultant and included each person’s name, address, social security number, date of birth, period of employment and salary information. Included are current and former employees of Neiman Marcus Stores, Neiman Marcus Direct, Bergdorf Goodman, Horchow, Horchow Finale, Last Call and individuals receiving a Neiman Marcus Group pension. It also includes information for employees of Chefs Catalog and Contempo Casuals when they were part of Neiman Marcus.
The names and Social Security numbers of 175 individuals who were Purdue University students in 2001 were exposed on a Purdue College of Engineering Web page that was accessible on the Internet.
A laptop containing the personal information of about 6,000 people who were seen at the clinic between Jan. 1, 2004, and April 12 of this year was stolen from a Baltimore County Health facility, the Woodlawn Health Center. The laptop did not contain medical information but did have names, dates of birth, Social Security numbers, telephone numbers and emergency contact information.
A worker broke the rules and took files home of 19 clients of the Department of Social and Health Services in Seattle. And – you guessed it – the files – full of personal information – were stolen from his car.
Payroll processing firm Ceridian Corp. accidentally leaked data including ID and bank-account data on 150 employees of Innovation Interactive, a New York advertising firm, on a web site. But in a slight twist on the usual accidental exposure, in this case it appears that a former employee “accidentally posted the information on a personal web site” and that the employee had taken the data “by accident” after leaving Ceridian’s employ in March 2006.
A 17-year-old has been charged with hacking into AOL. He is accused of accessing systems containing customer billing records, addresses and credit card information; infecting machines at an AOL customer support call centre in India with a program to funnel information back to his PC; logging in without permission to 49 AIM instant message accounts of AOL customer support employees; attempting to break into an AOL customer support system containing sensitive customer information; and engaging in a phishing attack against AOL staff, through which he gained access to over 60 accounts of AOL employees and subcontractors. AOL is not notifying customers at this time as they do not believe he was able to access any customer billing data.
Couriers On Demand, a North Texas company, accidentally posted the private information of hundreds of job applicants online. Details on its web site included names, addresses, phone numbers, Social Security numbers and driver’s license numbers.
A man reported finding hundreds of pages of personal financial information in a dumpster behind a Texas shopping center that contained the names of two investment companies – Raymond James Financial Services and Gunn Allen Financial Services. The documents contained social security numbers, addresses, telephone numbers and personal investment account information. Now he’s under arrest after turning the papers in to the Garland police, who want to know how he found those papers and why he waited a week to turn them over to the police.
Caterpillar Inc. said late Friday that a laptop computer containing personal data on employees was stolen from a benefits consultant that works with the company. Caterpillar spokesman Rusty Dunn declined to provide many details Friday.
Private academic records of hundreds of students at Montreal’s McGill University were exposed on the school’s website. Officials later said the computer problem was a glitch caused by a switch to a new search engine on the site.
Dr. John Sommers, who runs Healing Hands Chiropractic in Sterling, Colorado admitted to dumping hundreds of patients’ records — complete with patients’ social security numbers, birth dates, addresses and, in some cases, credit card information — in a dumpster behind a 7-Eleven because he “didn’t have space in the office for the old paper records that came with the purchase of the business.” No criminal charges are being considered at this time.
More confidential medical records exposed: Ray Collins was shopping for furniture at Palm Beach County’s monthly surplus sale when he came across a metal file cabinet with a sticker that read “Communicable Disease Reports.” When he pulled out the bottom drawer he was startled to find a 2-inch thick file from the Palm Beach County Health Department filled with confidential test results of patients who tested positive for various diseases.
University of New Mexico officials said personal information for 3,000 employees may have been stored on a laptop computer that was stolen from a consultant’s office in San Francisco. The university says the laptop is believed to have names, e-mail and home addresses, UNM ID numbers and net pay for a pay period for staff, faculty and a few graduate students. UNM ID numbers are not SSNs.
Updates on Breaches Reported in the Past:
The USDA again revised its figures on the breach reported last week. Originally estimated as up to 150,000 people, then it was 63,000. Now it’s “only” 38,700. And of course…. wait for it….. “USDA takes seriously its responsibility to protect private information and after learning of the potential exposure, immediately took action to remove the information from the website. USDA is also offering credit monitoring services to protect the personal accounts of affected individuals, due to the potential that information was downloaded prior to removal. There is no evidence that this information has been misused.”
More than 250,000 people’s names and addresses were exposed in the Astroglide breach. According to Threat Level, the files indexed by Google contain a total of 263,822 listings, each of which included a name and mailing addresses. Michael Hampton also has more on follow-up and on BioFilm’s response, which was to essentially blame Google.
A former claims processor pleaded guilty for her role in ID theft using patient information obtained from Hospital Billing & Collection Service Ltd while she was employed there. She faces up to 12 years in prison.
CS Stars, an independent brokerage firm that lost track of a computer containing the personal information of 540,000 New Yorkers but didn’t tell the state about it for five weeks has agreed to promptly notify people if security is breached again. They will also put new precautions in place to safeguard consumer information and pay the state $60,000 in costs for its investigation. The computer was found in July 2006; investigators determined that the information had not been accessed.
Meanwhile, Elsewhere:
Another Winny file-sharing “oops” in Japan resulted in sensitive information on police investigations being leaked after an assistant inspector gave his kid a computer that he used to use at work after reportedly deleting sensitive data.
A “technical stuff-up” on reality show Big Brother’s web site is said to have exposed the personal details of fans who signed up for its special features.
In an update on a previously reported breach, Bulldog reported that only three customers have been contacted by third parties after 100,000 people’s personal details were stolen two years ago.
The Medical Training Application Service or MTAS is a computer system where 32,000 student and junior doctors apply for jobs – a system they were repeatedly assured was secure. Yet a Channel 4 news reporter was able to access applicants’ confidential personal details including their addresses, telephone numbers, criminal convictions, sexual orientation and religion. Despite assurances that the problem was resolved within hours, a follow-up investigation by Channel 4 revealed that the problem still existed the next day.
The dental records of 1000 Hamilton patients in NZ have vanished after a laptop storing the data was stolen from the dentist’s locked car while he was attending a game at Waikato Stadium. Thieves got the computer and backup tapes.
The Inland Revenue Department of New Zealand also acknowledged that its missing computers were not encrypted.
The sad part about this bountiful list of data loss is that this may only have been reported as required by law. Also, businesses may have felt compelled to disclose up front rather than be found out.
But, consider the ones that choose to not disclose.
There is also the multitude of businesses that do not even know it is going on in their organizations, by good-intentioned, poorly trained employees.
Worst yet, most was preventable.
I wish there were some reliable stats on what percent of reported breaches were first detected by the businesses and agencies and what percent were first detected by web surfers googling their own name or affected individuals. The recent USDA, Astroglide, and some uni breach reports come to mind. So yes, some disclosures may be because of attempts at damage control before the breach was publicized by others.