Data “Dysprotection:” breaches reported last week
A recap of breaches reported or updated last week on the main news site, PogoWasRight.org. This week, my geography lesson was finding the Guernsey States as they have now joined the ranks of places reporting a breach. As of their last update on Mar. 18, the Identity Theft Resource Center shows 141 breaches reported in the U.S. for this year so far.
Newly reported incidents in the U.S.:
- The Massachusetts Bankers Association reported on Monday that a third of its 200 member banks have been contacted by Visa and MasterCard because of a breach involving a major retailer. Shortly thereafter we learned that the retailer was the Hannaford Bros. supermarket chain and that a breach of its computer system led to the theft of about 4.2 million credit and debit card numbers from its Hannaford and Sweetbay stores and other locations. The initial report said that there were about 1,800 cases of fraud, that no personal information was breached, and that the breach occurred between Dec. 7 and March 8; subsequent reports raised the estimate to 2,000 cases of fraud. By Wednesday, two class-action lawsuits had been filed. Hannaford Bros. insists that it was PCI-compliant, raising a number of questions about how the hack occurred.
- A Rhode Island state computer disk containing the social security numbers of nearly 1,400 people has been reported missing by the Department of Administration.
- A man suddenly found himself the owner of hundreds of patients’ records from Atlantic Chiropractic Office when he bought the contents of a Fort Knox storage facility at auction, sight unseen, for $5.00.
- A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor, Stock & Option Solutions, March 1 in San Francisco. The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards.
- A security breach of The Dental Network web site left access to member personal data, including names, Social Security numbers, address(es) and dates of birth unprotected for approximately two weeks.
- One of Lippincott Williams & Wilkins’ web sites for online purchases, www.stedmans.com, was hacked, potentially compromising names, addresses, telephone numbers, email addresses, credit card numbers with expiration dates, and card verification numbers of customers who made online purchases between August 30, 2007 and February 27, 2008.
- Lasell College reports one of its employees has hacked its network, gaining access to personal information of 20,000 students, employees and alumni, including social security numbers.
- Western Carolina University reports that a Department of Business Computer Information Systems and Economics server was hacked several times, as long ago as 2006. The Social Security numbers of 555 graduates who had signed up for a newsletter were on the server.
- The Inspector General reports that the Department of Energy had eight incidents in the past two years involving PII or other sensitive information which was improperly released through public websites, including names, social security numbers, and credit card information. In one instance, personal information for more than 60 individuals was inappropriately posted to a publicly accessible website.
- An e-mail containing the names, Social Security numbers and grade point averages of 338 Binghamton University School of Management students was mistakenly sent to an accounting Listserv instead of to an SOM faculty member.
- The Pennsylvania Department of State was forced to pull the plug on a voter registration web site after it was found to be exposing sensitive data about voters in the state.
- The Human Rights Campaign’s website had a bit of a glitch that exposed some personal information.
- UCLA’s Resnick Neuropsychiatric Hospital has banned all cellphones and laptop computers after a patient posted group photos of other patients on a social networking website. UCLA’s Rady Children’s Hospital in San Diego forbade employees from carrying cellphones in patient-care areas after investigators found images of children, taken at the hospital, on a respiratory therapist’s computer and cellphone.
- Social Security numbers and financial records of customers of Affordable Realty in Flint, Michigan have been found in a dumpster. The company had been evicted and all of its sensitive customer information ended up outside in a dumpster or on the ground nearby.
- The city of Minneola is being accused of violating federal, state and local laws because it posted firefighters’ personal information on the city’s web site for more than three days.
- Missouri state files with names, Social Security numbers and even birth certificates have been thrown away rather than shredded. A news station even found entire case files from the Department of Social Services in unsecured recycling bins.
- Two contract employees of the State Department were fired and a third person was disciplined for inappropriately looking at Democratic Sen. Barack Obama’s passport file. All three people who had access to Obama’s passport records were contract employees of the department’s Bureau of Consular Affairs. We later learned that Senators Hillary Clinton and John McCain also had their files viewed by two employees of Stanley, Inc. A third contractor, The Analysis Corporation (TAC), disciplined its employee who accessed McCain’s file in addition to Obama’s.
- An employee at the Twin River slot parlor in Lincoln has been fired for allegedly copying the Social Security numbers and driver’s license data of winning customers.
Newly reported incidents in the U.K:
- Hundreds of customers of Naturally Thinking in Carshalton High Street had their credit card details and personal information stolen by hackers who gained access to customer details via the store’s 24-hour online shopping website in October 2007.
- Tape recordings of patient phone calls were taken home by out-of-hours Urgent Care 24 (UC24) service staff. The Information Commissioner’s Office (ICO) said it will be asking UC24 about its compliance with the Data Protection Act.
- An NHS worker at Norfolk Primary Care Trust in Norfolk sent a patient’s medical records to Buckingham Palace by mistake when she mistyped an email address.
- Four British men – including a man believed to be a lord – have been accused of trying to steal £220 million by hacking into the London offices of Sumitomo Matsui Banking Corporation. The alleged plot was uncovered before the money was moved.
Newly reported incidents elsewhere:
- A flaw in the Guernsey States internet system has put care records and bank details of Maison Maritaine residents at risk. Consistent with the shoot-the-messenger approach this site denigrated in another case, the government is now investigating the whistleblower to see if they can charge him under their computer misuse act.
- In Australia: the personal details of public servants, including their salaries, home addresses and tax file numbers, are being released to the public when they buy second-hand State Government computers for as little as $2, according to a report by the Auditor-General.
- The German government said about 500 of its computers were either misplaced or stolen in various administrative departments over the last three years, prompting calls from the opposition for better data protection for citizens.
- In Canada: the Alberta Teachers’ Association (ATA) newsletter put out by the union was found to have violated the Personal Information Protection Act when it printed the names and employers of educators who had opted out of the association’s Code of Professional Conduct.
- Damien Mulley reports that if you use a certain url on the Aer Lingus site you can access the account details of whoever logged into some sections last.
Updates on previously reported incidents from here and abroad:
- A Speedway man has been arrested on suspicion of stealing computers containing information on more than 11,000 patients from the Roudebush VA Medical Center in Indianapolis. Joseph A. Radican, 50, is a former patient. The computers have not been recovered.
- A BlueCross BlueShield missing laptop with data on 40,000 customers affects BlueShield of Northeastern New York as well as BlueCross BlueShield of Western New York, as originally reported.
- Dr. A. Alberto Hodari could find out this week whether he’ll face fines after the Michigan Department of Environmental Quality (DEQ) searched dumpsters at his WomanCare clinics. Improper disposal of paper records is also being investigated; Lynch said last week that up to 50 patients could be identified in medical records, which were mostly created in February and included personal information and the types of procedures performed.
- Korea’s largest online shopping mall Auction with some 18 million subscribers could face class action suits from members in connection with a leak of their personal information.
- DeSoto County law enforcement officials say a hacker broke into a credit processing center, Cynergy, in New York and stole the credit and debit card numbers of people who used their cards in DeSoto County. Cynergy Data, LLC immediately denied that they had any involvement in the security problems or breach, so the mystery of the ongoing breach remains unsolved for now.
In the legal system:
- Online advertiser ValueClick, Inc., will pay a record $2.9 million to settle Federal Trade Commission charges that its advertising claims and e-mails were deceptive and violated federal law. The agency also charged that ValueClick and its subsidiaries, Hi-Speed Media and E-Babylon failed to secure consumers’ sensitive financial information, despite their claims to do so.
- James Real, a former computer programmer for Compass Bank, stole a database from the bank that contained names, account numbers and customer passwords for over 1 million accounts, while Laray Byrd bought a credit-card encoder and software to encode the information onto blank cards that they used for bank fraud at ATMs in Alabama, Mississippi, Georgia and Tennessee.
- A Chester County (PA) judge “reluctantly” agreed to sentence Adam V. Corbett, a former Chester County Hospital medical billing clerk, to a term in county prison for stealing the identities of dozens of former patients and using them to order items over the Internet. He also stole info from Pizza Hut customers when he was employed there.
- A former East Baton Rouge Sheriff’s Office employee was arrested Thursday morning for illegally accessing a Sheriff’s Office server and for stealing office equipment.
- Erica Mae Malston, who worked at H&R Block in Pace, Florida, was arrested for stealing customers’ information and using it to get a prepaid Mastercard called the “Emerald Card”.
- Tina Marie Ryan pleaded not guilty in Sonoma County Superior Court Monday morning to 37 counts of identity theft that allegedly involves 152 victims in 33 states.
- Gregory Kopiloff has been sentenced in federal court to 51 months in prison and three years of supervised release for mail fraud, accessing a protected computer without authorization to further fraud, and aggravated identity theft. Kopiloff used LimeWire to invade the computers of victims across the United States to get access to their personal information in tax returns, credit reports, bank statements and student financial aid applications. Kopiloff used the personal information of more than 50 people to commit his fraud.
- Clayton J. Deardorff and Erica Daniece Kelley (who was formerly employed by the Missouri Department of Revenue) were each sentenced in federal court for participating in a $160,000 fraud conspiracy that involved stealing the identities of other persons and using them to provide cell phone service to state prison inmates. Deardorff and Kelley are among seven co-defendants charged in a May 31, 2007, federal indictment, all of whom have pleaded guilty. Among the identity theft victims were mentally disabled and other residents of group homes in Jefferson City and Columbia, Mo., Sprint customers, and Missourians whose information was stolen by two employees of the state Department of Revenue.
- A grand jury indicted Candice Grace Smith, a bank employee accused of stealing personal information from customers, on 16 counts related to identity theft. Detectives said that Smith targeted at least six people while working for two bank branches in central Ohio. The bank was not named.
- Detectives from the Arizona Department of Public Safety Narcotics/Organized Crime Unit arrested 10 workers at a Tucson Panda Express restaurant for alleged identity theft.
- Robert Matthew Bentley could face up to 10 years in prison in the U.S. after pleading guilty to installing advertising software on PCs located around Europe without permission. His botnet was located within Newell Rubbermaid’s network.
- Isabel Rodriguez, the former director of Klamath County Veterans Services has pleaded guilty by reason of insanity to five counts of tampering with public records. She was arrested in January 2007 after missing files with personal information about local veterans were found at her home.
- Marsha Dailey, a Florida postal worker, faces federal charges after allegedly stealing the identity of someone on her mail route in order to pay her own bills.
- Jason Maclaren targeted tourists who were mostly staying at Disney resort hotels. He obtained tourists’ credit card numbers over the phone and used them to buy theme park tickets, which he would then sell to other people at a deep discount. There were about 45 victims.
- A judge dismissed a high-profile and hotly debated lawsuit against the California Highway Patrol over graphic accident photos leaked onto the Internet.
- Mark Mulcahy is accused of stealing an Army veteran’s identity and using it for 24 years to get married, obtain free medical treatment and even serve as president of a VFW post.
To get all breach news reports, updates, and articles discussing breaches as they’re posted, subscribe to the Breaches RSS feed from PogoWasRight.org. To get all privacy-related headlines from the main news site, subscribe to the All-Headlines RSS feed. To get this blog by RSS, subscribe to Dissent’s feed.