Data “Dysprotection:” breaches reported last week
A recap of breaches reported or updated last week in the news section of the main news site, PogoWasRight.org. Because we are seeing an increasing number of reports and news stories, the organization of this weekly round-up keeps changing. This week, the file includes a section on breach-related cases in the courts or other legal action. If readers have any preference as to how to organize the weekly roundup, feel free to drop me a note. To get all breach news reports as they’re posted, subscribe to the Breaches RSS Feed from PogoWasRight.org.
Newly reported incidents in the U.S.:
- It was not a good week for universities: Harvard University police and the Middlesex district attorney’s office are investigating a security breach at the school after an undergraduate allegedly manufactured phony driver’s licenses and university identification cards that can be used as debit cards and to enter residence halls. University of Georgia officials are trying to contact more than 4,000 current, former and prospective residents of a university housing complex after a hacker was able to access a server containing personal information, including Social Security numbers. The University of Akron is notifying more than 800 students and graduates of the College of Education that it’s lost a hard drive containing their names, addresses and Social Security numbers. The University of Iowa College of Engineering has notified some 216 of its former students that some of their personal information, including Social Security numbers, was inadvertently exposed on the Internet for several months. Some people using a bank or credit card at California State University, Stanislaus dining facilities within the past six months appear to have had their personal information stolen. Officials would not release how the personal information was stolen from the Sodexho server.
- Wisconsin had yet another mailing error. This time, over 260,000 Medicaid and BadgerCare recipients’ Social Security numbers were visible through the mailing window. The contractor, Electronic Data Systems, Corp., has agreed to pay for providing identity theft protection.
- The Suffolk Department of Social Services in Virginia mailed about 1,500 letters this past week to warn of a “potential security breach” involving a department computer that police suspect was used to commit fraud. An employee is accused of using her work computer while employed by Social Services last summer to apply for a credit card using her landlord’s information, according to a search warrant and criminal complaint. The letters were sent as a precaution to all the people who applied for or received tax relief in 2007, Horton said.
- Geeks.com sent out an email telling former customers that they “recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised.”
- GE Money-Americas [pdf] reported that its vendor, Iron Mountain, lost a backup tape containing active account numbers and some Social Security numbers.
- Two former sales representatives for Amgen Inc. are suing the biotech company, alleging it pushed its sales force to search doctor’s confidential medical records for potential patients to boost sales of a drug used to treat psoriasis.
- A Umatilla, Florida fire chief, hired in October, resigned rather than get fired for e-mailing pictures of a 26-year-old female accident victim to other fire departments which showed the victim’s exposed breasts. Chief Richard Shirk was on suspension since November, when the incident occurred. He was offered a three-month severance package to resign. So he worked for one month and gets a three-month severance package? Does anyone else see that as rewarding wildly inappropriate behavior and invasion of privacy? — Dissent
- In response to a series of ATM robberies over the holidays, Citibank drastically reduced the daily amounts its customers are allowed to withdraw from ATMs. Citibank attributes the action to reports of “skimming.”
- More problems with improper disposal of documents this week: Nearly 30 employment applications and eligibility documents — many with Social Security numbers, names, driver’s license photos and dates of birth — were blowing about and stacked in a Mesa, Arizona alley. Several of the documents were headed AZ Management and Consulting. The company, related to U-Care Thrift Store, has been seized by the landlord due to the tenant’s failure to pay rent. Workers at the College Point Bus Depot in Queens, New York are mad after reams of papers with “Social Security numbers, copies of driver’s licenses, grievance papers and disciplinary information” on more than 100 people were tossed into the trash. The Metropolitan Transportation Authority confirmed that incident.
- Hackers hijacked the Xbox Live account of a celebrity gamer. The significance is that because accounts contain credit card numbers, home addresses and credentials used to log in to Hotmail and MSN Messenger accounts, the breach goes beyond a mere affront to a gamer’s pride.
- News First Investigates found a list of hundreds of credit card numbers and personal information on a website hosted by Google Blogger, Rang-Rang’s Homepage (see screenshot). Paul Ferguson, who had posted about other problems with Google’s Blogger service, followed up and discovered other pages on Google’s Blogger that contained (suspected) stolen credit & debit card numbers, names, addresses, ZIP codes, and CVV codes.
- Logabottle.com sent an email to registered users announcing new features — but put everyone’s name and email address in the To: line for everyone else to see. The company has apologized for its gaffe.
Newly reported incidents in the U.K.:
- A Devon and Cornwall Police document about a man charged with murdering a child was found in a street in Cornwall. The police log contained an account of a phone call to the police made by a woman who claims one of those in the house is a man previously charged with murdering a child. Full details, including names and addresses, are contained on the document.
- There were three more new incidents involving NHS Trust this week. Confidential patient records from Whipps Cross University Hospital NHS Trust, based in Leytonstone, and St Bartholomew’s Hospital in the City were found in a front garden in Coopers Lane, near Potters Bar. The documents fell off a lorry carrying the documents to a depot to be destroyed. The Oldham NHS Primary Care Trust says two data sticks containing highly personal medical records of 148 clients of the trust’s continuing care service have been reported missing. And 173 private medical documents, which were discovered in a motorbike bag near Kingston Hospital, contained HIV and cancer test results on patients. Many of the documents included information on those attending conception and addiction clinics, as well as sexual disease and hepatitis test results. A spokesman for the Met said: “I can confirm we are investigating an allegation of theft in relation to documents found in Kingston on January 3 and 4.”
- An investigation is under way after the theft of nine laptops used by staff in Middlesbrough Council’s Children, Families and Learning Department that contain case files on vulnerable young children. Up to 63 vulnerable youngsters and their families may be affected.
- The chairman of Barclays bank became a victim of ID theft after a fraudster stole £10,000 from his account. A conman duped call center staff into issuing a credit card in the name of banking boss Marcus Agius and then used it to withdraw funds at a high street branch.
- The DVLA has suffered a second breach. A fault in the online system meant the secure Internet connection for driver licensing was lost for 80 minutes on 6 December. It’s confirmed 528 people logged on during that time, and their data – including bank details in 153 cases – was not protected.
Newly reported incidents elsewhere:
- An audit of the Canadian Bar Association online web systems has revealed unauthorized third party access to the system during the recent holiday period. The notification letter indicated that information relating to online orders (name, address, phone, fax, member number and encrypted credit card information) were involved. Thankfully they encrypted the credit card information — Dissent.
- The security of the Dutch OV (public transport) card is at issue following the cracking of its secret code by German computer hackers. Because the card’s code has been hacked, it would be possible for travellers to journey for free and for their private data to be made public.
Updates on previously reported incidents:
- The theft of laptops containing SSN on 337,000 Davidson County voters in Tennessee continues to make news. The guard who was fired insists that the break-in didn’t occur on his watch and made the shocking revelation that it didn’t occur on anyone’s watch, because no one was assigned to watch. A security audit is investigating to see why the commission was billed for security services on Saturdays if no one was actually there. Voters will get identity-theft protection at no cost to them.
- One year after a hacker accessed a UCLA database containing names and SSN of over 800,000 current and former students, as well as faculty and staff members, the university continues to track the case. Subsequent investigation has determined that the hacker gained access to 28,600 Social Security numbers, and those people were sent additional notifications. Over 18,000 of those numbers came from students’ financial aid applications submitted between 2002 and 2006.
- A congressional report reveals that security flaws in a Transportation Security Administration (TSA) [pdf] web site put thousands of Americans at risk of identity theft. The site was supposed to help travelers whose names were erroneously listed on airline watch lists, but it had a number of security vulnerabilities: it was not hosted on a government domain, its home page was not encrypted, one of its data submission pages was not encrypted, and its encrypted pages were not properly certified. The investigation also revealed the no-bid contract to create the site was awarded to the outside firm by a TSA employee who had previously worked there.
- A nurse was responsible for a serious security breach at the Norfolk and Norwich University Hospital where hospital records of more than 30 patients were found dumped in a wheelie bin. Disciplinary action will begin later this month.
In the courts:
- Texas Attorney General Greg Abbott took legal action today against Select Physical Therapy Texas Limited Partnership (also known as HealthSouth Rehabilitation Center) and its parent company, Select Medical Corporation, for violating a 2005 law requiring them to protect any consumer records that contain sensitive information, including Social Security and bank account numbers. Investigators discovered that Select Physical Therapy Texas Limited Partnership exposed more than 4,000 pieces of its customers’ sensitive information, including Social Security numbers by dumping intact documents in garbage containers behind a local building.
- Jacquelin Florentin of Virginia was sentenced to 2 1/2 years in prison and ordered to pay $6,500.00 in restitution for bank fraud and aggravated identity theft charges for using other people’s Social Security numbers to open bank accounts, cash thousands of dollars worth of checks and take out a loan for a $28,000 car; 1st Advantage Credit Union, Newport News Shipbuilding Employees Credit Union, Citizens and Farmers Bank, and Langley Federal Credit Union were all victims in the scheme that ran from July 2006 through March of 2007.
- Three members of the Sri Lankan-based Tamil Tiger network accused of being part of a terrorist plot to steal $250,000 from city ATM machines with bogus credit cards and stolen identities were sentenced to one to three years in prison Monday.
- Robert Michael Stewart, 26, was sentenced today to 5 1/2 years in prison and an additional three years of supervised release for his role in an identity theft scheme.
- Mario Alberto Simbaqueba Bonilla, 40, a Colombian engineer, pleaded guilty in federal court to illegally hacking into hotel computers in Miami, Las Vegas and other tourist cities to steal credit card numbers and other personal information to pocket more than $400,000 to finance his luxurious lifestyle. Between June 2004 and August 2007, he checked into major hotels around the United States, where he would install keylogging software on all of the computers at their business centers. The scheme affected over 600 people.
I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you.
Aaron Wakling