Data Dysprotection: breaches reported last week

By dissent, September 24, 2007 7:49 am

A recap of breaches reported or updated last week in the news section. You’ll need a refill on your coffee to get through the list this week, although some of the updates are more interesting than the newly reported incidents, I think…

Newly reported incidents:

  • MediaDefender, an anti-piracy group, suffered an embarrassing security breach in which numerous emails — some containing Social Security numbers — were taken and even some phone calls recorded. The emails and call were posted on web sites despite MediaDefender’s lawyers running around trying to get them taken down.
  • In an attempt to tell 623 students about a financial aid opportunity, a Queens University of Charlotte employee accidentally sent an e-mail with all the students’ addresses, telephone and Social Security numbers.
  • The U.S. Equal Employment Opportunity Commission is suing 7-Eleven of Hawaii Inc. and its parent company, 7-Eleven Japan Co. Ltd., alleging it disclosed an employee’s confidential medical information. Note that this is not a HIPAA or Privacy Act suit, but is filed under Title I of the Americans with Disabilities Act and Title I of the Civil Rights Act of 1991.
  • A former employee in the administration department of Albert Einstein Medical Center was arrested for stealing patient details and using them to obtain false driver’s licenses and make fraudulent purchases. She had acquired over 300 patient profiles.
  • Hundreds of files containing personal financial information were discovered in a dumpster behind a Century 21 real estate office in Las Vegas.
  • A former employee of Chester County Hospital’s billing department is charged with stealing personal and credit card information of more than 150 people who recently paid for services at the hospital and using their details for fraudulent purposes.
  • A laptop computer containing personal information on the families of abducted Japanese people and their supporters has been stolen from the home of a worker at the secretariat of the government’s abduction problem countermeasure headquarters. The lists contained the telephone and fax numbers of dozens of abductees’ family members and their supporters.
  • Vertical Web Media, the publisher of Internet Retailer magazine, said its network was breached in August and hackers made off with customers’ names, addresses, phone numbers and e-mail addresses, along with credit card numbers and expiration dates.
  • The University of Kansas is investigating an allegation that personal student information including graded student exams, student ID numbers, health insurance information, Social Security numbers, cell phone numbers, and home addresses has been mishandled for years. The Lawrence Journal-World notified the university that it had received, in an unsigned manila envelope, information that reportedly originated in the mathematics department and was retrieved from trash and recycling bins. The anonymous letter went on to say that the writers had repeatedly tried to persuade the math department to better safeguard personal information.
  • Layered Technologies has been targeted by malicious hackers who may have stolen passwords and other personal details on as many as 6,000 of its clients. It is advising customers to change login credentials for all host details submitted in the past two years.
  • Officials with Connecticut’s Department of Children and Families say a laptop computer with private information on 41 cases has been stolen from a consultant’s car.
  • Is there anyone left in Ohio who has not had their details stolen by now? Now the city of Columbus is offering identity-theft protection services to more than 3,500 people whose Social Security numbers were on three computers stolen from a warehouse. The theft affected people who had signed up for the city’s Mobile Tool Library, which lends power tools, lawn mowers and supplies.
  • Presbyterian Hospital in Dallas, owned by Texas Health Resources, is warning about 8,000 recent patients that they might be potential victims of an identity thief who stole credit card numbers of patients while he was employed in the billing department.
  • Citigroup has confirmed that it’s investigating a data breach involving the names, Social Security numbers and credit information of 5,208 customers leaked by an employee of its ABN Amro Mortgage Group unit onto the LimeWire peer-to-peer file-sharing network. Did they learn nothing from Pfizer?
  • A possible security breach at Central Piedmont Community College has officials there taking precautions, as a former employee of the college may have accessed private employee information like social security numbers, birth dates and addresses. Nearly 2,600 employees have been notified.
  • An employee of Lingo VoIP in New Zealand sent out an email that revealed over 14,000 clients’ email addresses in the To: field.
  • A 1997 Houston ISD security glitch could be linked to the theft of a Brazosport ISD employee’s identity. The Houston school district’s records apparently were compromised in October 1997. One case of ID theft related to the incident was investigated last year and three arrests were made in that case. A 10-year-old incident having an impact now? We’re doomed, doomed, I tell you…
  • The West Mifflin Area School District has advised teachers and bus drivers that a laptop computer containing their names, Social Security numbers and driver-license numbers was stolen from the car of an auditor with the state Auditor General’s office. The laptop also had information on Steel Valley School District employees.

Updates:

  • The TJX Companies, Inc. announced Friday it has settled class action lawsuits in the United States, Canada and Puerto Rico related to a massive security breach of customer data that affected at least 45 million credit and debit cards. The announcement did not specify the amount, but noted that its estimated costs were included in a $107 million reserve included in its second-quarter report for fiscal 2008 and its estimate of $21 million in future costs expected in fiscal 2009.
  • A pending class action lawsuit against TD Ameritrade alleges that the brokerage firm had evidence nearly a year ago of the security breach it disclosed last week but failed to report it, despite the firm’s claim that it uncovered the malicious code “recently.” E-mails obtained by Network World show that Ameritrade received explicit and repeated warnings from an IT security expert starting Jan. 9, 2006 that its customer data had apparently been compromised, placing the start of the breach much earlier than previously reported and likely pushing it into 2005. Nevertheless, the company insisted for the next 20 months that a flood of stock-related spam being received by numerous clients was not indicative of a more serious problem.
  • Connecticut is planning to sue Accenture over its role in providing confidential state data to a similar system in Ohio. But it was not just Connecticut residents who found themselves affected by the Ohio stolen tape mess that affected over 1.3 million people in Ohio. By the end of the week, we also discovered that almost 600 residents of Minnesota had data on the stolen tape, also due to Accenture using their data as it did with some CT residents’ data. CT is waiting for an answer from Accenture as to whether CT data may have gone to other states as well.
  • Following up on an investigation by WTHR, Indiana Attorney General Steve Carter filed 28 complaints with the Indiana State Board of Pharmacy against pharmacies that had improperly disposed of prescription information on customers. Seven of the complaints name CVS drug stores, five have been filed against Walgreens pharmacies, and two name locally-owned independent pharmacies for violating state and federal privacy laws. The remaining complaints have been filed against the pharmacists in charge of the drug stores at the time of WTHR’s reports.
  • In response to a query from PogoWasRight.org, Kraft indicated that the tape lost or accidentally destroyed by Affiliated Computer Services contained data on 32,000 Kraft employees and fewer than 500 dependents.
  • Gander Mountain Company announced the recovery of computer equipment containing certain customer transaction information relating to a single store in Greensburg, Pennsylvania.
  • Indicted: Max Ray Butler, who allegedly ran CardersMarket, an online forum for people who steal, share or use others’ credit card information illegally. Butler, who used the online names “Iceman,” “Aphex,” “Digits” and “Darkest,” allegedly used a high-powered antenna to intercept wireless communications to hack into financial institutions.
  • Gary, Indiana has secured a cache of city records containing private citizens’ information that The Times discovered were wide open to thieves.
  • Farmers Insurance has been cleaning up the mess created when a terminated agent dumped files containing personal information such as SSN, canceled checks, copies of driver’s licenses and more.
  • Essent-Paris Regional Medical Center won a court decision in its battle against an unknown blogger the hospital says has done damage to its reputation: 62nd District Court Judge Scott McDowell ordered SuddenLink, the internet search provider, to reveal the name and address of the blogger. One of the issues in the case is violation of confidentiality of patient information (HIPAA).


2 Responses to “Data Dysprotection: breaches reported last week”

  1. Adam says:

    why is your feed incomplete? Do you hate travellers who read on the plane?

  2. dissent says:

    OK, checked into it… see that you did get it the second attempt. Not sure why it didn’t all show up on your first attempt, but let’s just blame TSA anyway….
