Data “Dysprotection:” breaches reported last week
The following is a recap of breaches reported last week. For current news coverage on breaches, check the Breaches news section or subscribe to the RSS feed on breaches.
A contractor employee accidentally sent an email to 39 recipients at NASA Ames Research Center with an attachment containing Personally Identifiable Information (PII) for 426 other Ames contractor employees. The affected employees work for seven organizations under contract to NASA Ames: QSS, Tessada, EASI, Eloret, Foothill Community College District, Weigel and Oak Ridge Associated Universities.
Pfizer reported a breach after an employee’s spouse installed file-sharing software onto the employee’s work laptop. Pfizer reports that 15,700 employees “had their data accessed and copied” and 1,250 “may have had their data copied” by thieves. You can also read their lawyer’s letter to the NH Attorney General and to their employees. The Connecticut Attorney General has responded to Pfizer with an investigation.
A flash drive containing about 3,000 Social Security numbers of current and former students and some confidential information was stolen from Lake Huron Hall on Grand Valley State University’s Allendale Campus on May 24.
Japan continues to experience data breaches due to Winny. A huge amount of police investigation information — more than 1.6 gigs and about 10,000 files — including data on crimes such as rape and attempted murder has been leaked over computer networks. The information is believed to have been compromised when the file-swapping software Winny was installed on a police officer’s computer after his computer was infected by a virus. The officer belongs to the Community Police Affairs Section of the MPD’s Kitazawa Police Station.
Concord Hospital isn’t the only company in New Hampshire that has experienced problems this year with private information ending up in the wrong hands. More than 40 other companies – including Elliot Hospital in Manchester – have reported potential leaks in computerized information affecting New Hampshire residents since a state law requiring notification went into effect in January.
The operators of an X-rated Paris Hilton web site, parisexposed.com, exposed the credit card numbers and identities of about 750 subscribers. A reporter was able to easily access the subscriber list by changing a few characters in the web address for the site’s sign-up page. Included in the lengthy list are a subscriber’s name, e-mail address, password, phone number, mailing address, and credit card number.
Lynchburg city employees were notified Wednesday that personal information such as prescription drug information and other personal data on 1,200 employees and retirees was erroneously posted on the city’s web site late last month. The file was only supposed to be viewable by vendors bidding on contracts. At the time of publication of the notice, the cached copy was still available via Google.
The theft of a laptop computer containing the names, addresses, bank details, National Insurance numbers and pay rates of 500 employees at Cornwall’s Eden Project is being investigated. The laptop was stolen from a car of an employee who works for Moorepay Ltd, who handle the attraction’s payroll.
The U.S. Secret Service has raided a D.C. schools administrative office as part of a criminal investigation into how dozens of employees had their personal information stolen for bogus credit-card accounts. Nobody has been charged in the investigation, but details about the probe emerged in at least three search-warrant affidavits filed in recent weeks in federal court in the District. According to the records, investigators are focusing on an employee in the school system’s professional development office at G Street in Northeast. The investigation has uncovered a list of 200 names and Social Security numbers, including about 50 school employees, according to one affidavit.
A federal indictment accuses seven individuals in Missouri of fraud and identity theft in an alleged scheme to set up a free phone service for prison inmates… Among those indicted is Angie Roark of New Bloomfield, who was an employee of Sprint PCS and had access to customers’ names, Social Security numbers and dates of birth. She and Anna Stephens, also a Sprint employee, are accused of using their positions to access information about customers. Erica Kelley and Krystal Stephens, employees of the Department of Revenue, allegedly accessed information of Motor Vehicle Bureau customers and delivered it to Robin Deardorff.
Personal and financial information of about 120,000 Coastal Community Credit Union members could be in jeopardy because computer backups were stolen from the courier company that transports them. The tapes contain files with selected personal and financial information, such as name, address, date of birth, social insurance number, member number, ATM/debit card number, credit card number, and/or balances.
Approximately 23,000 current and former Georgia Tech students have been notified that an electronic file containing their demographic data, such as birthdates, may have been exposed. While no Social Security or credit card numbers were included in this file, some of the potentially exposed information is protected under the Family Educational Rights and Privacy Act (FERPA).
SSN, DOB, and other information on 285 licensed psychologists in Arkansas were exposed on the Arkansas Board of Psychology’s web site.
An employee of University of Texas–Pan American recently lost a mobile drive device containing the names, Social Security numbers and salaries of about 1,500 full-time employees. The drive has since been found.
Justin Davis Enterprises requires pre-employment drug screening. But University Community Hospital not only sent the bill for the screening to an employee, but also included statements on 17 other employees who were also screened. The information included their SSN.
A backup of personal information on Ohio state employees was stolen from a state worker’s car. Under their security procedures, the employee — an intern — was supposed to take the disk home, but it was supposed to be taken into the house and not left in the car. More information about what was on the laptop continued to be released over the weekend. Here’s what we’ve been told so far: analysis of information stored on the device revealed that it contained:
_ Names and Social Security numbers of all 64,000 state employees.
_ Names and Social Security numbers on 53,797 participants enrolled in the state’s pharmacy benefits management program.
_ Names and Social Security numbers of 75,532 dependents of participants enrolled in the pharmacy benefits program.
_ 2,685 records of school district and local government names and bank account information.
_ 159,708 records of Medicaid providers and their bank account information.
_ Names and account numbers of 1,031 state employees who are teachers in the State Teachers Retirement System.
_ Banking information on 28,362 state employees and vendors who have received electronic funds transfers from the state.
_ Names and case numbers of the state’s 84,000 welfare recipients.
_ Names and federal tax identification number of vendors that receive payroll deduction payments from the state – about 1,200 records. Sixteen of those records contain banking information.
A flash drive holding information on about 8,000 current and former Texas A&M University-Corpus Christi students was lost by a mathematics professor while on vacation in Madagascar.
That’s almost 450,000 U.S. individuals or records exposed or compromised for the week.