Data “Dysprotection:” breaches reported last week

By , October 13, 2008 4:49 am

A recap of some of the breaches newly reported or updated last week on the main news site, PogoWasRight.org. This week, non-U.S. breaches topped the reports and we learned that credit and debit card data are now selling for $2.50.  How do they do this, you ask?  “Volume.”

Newly reported incidents in the U.S.:

  • Hackers were able to access name, credit card/debit card number, expiration date, address and the CVV codes of The Image Group’s online customers.
  • The City of Coral Springs experienced a breach involving access to an unnamed data services provider’s database.
  • An AmeriCredit customer service employee at an unspecified facility accessed and misused the personal information of an unspecified number of customers.
  • A laptop containing personal information of 535 employees of the state Insurance Commission and 110 employees of the Department of Health and Human Resources’ Bureau of Medical Services and Child Support Enforcement Division in West Virginia was taken from a parked car belonging to an employee of auditing firm Suttle and Stalnaker and contains payroll and benefits information f.
  • More than 1,000 former Southwest Mississippi Community College students’ personal identities have been compromised because a security breach exposed personal information on the Internet.
  • A computer used to issue photo IDs that was stolen from Mt. Hood Community College’s Maywood Park Campus contained information including names, birthdates and MHCC identification numbers of former students. “According to the Oregon Identity Theft Protection Act of 2007, the information that was stored on the computer does not constitute personal information.”
  • Jermica Sykes and her boyfriend, Chad Knight, were arrested on charges of identity theft after their landlord became suspicious as to why they had rented two apartments and inspected the apartments. Police say there could be 4,500 victims.
  • James Bobletz has been arrested for identity theft after using other employees’ personal information to steal about $550 worth of gasoline within the space of two months from the John Jay High School fuel pumps, according to police.
  • A former Bath and Body Works employee in Dubuque faces charges of identity theft after police say she opened a credit card using a fellow employee’s confidential information that she obtained from personnel files.
  • George Cardenas, a former Huntington Beach Verizon Wireless worker who police said stole his customers’ identities, pleaded not guilty at his arraignment.
  • The Hollywood Video in Liberty, Mo. is now closed, but what was left in the trash included application papers that contained names, phone numbers, Social Security numbers and even credit card information.
  • A laptop computer containing encrypted sensitive personal and financial information on more than 84,000 University of North Dakota alumni, donors and others was stolen last month from a vehicle belonging to a software vendor retained by the UND Alumni Association.
  • A systems administrator, Victor Papagno, at the US Naval Research Laboratory pleaded guilty to stealing over 19,000 pieces of equipment. Private information from 14 employees and contractors was found on CDs or zip drives that had been stolen.
  • Four Broward County residents are accused of stealing personal data from victims in South Florida and using the information to buy more than $300,000 in computer equipment, the U.S. Attorney’s Office said today.
  • Shell was using a third party agency to conduct a data indexing project for the company, when one of the employees of the contracted agency swiped the information of Shell employees and used the info of four to file false unemployment claims.
  • South Lake Tahoe police arrested a 17-year-old South Tahoe High School student on Wednesday for allegedly hacking into the school’s computer system last week. The boy may have accessed sensitive information regarding staff and students, the statement said.
  • The web site of the Colorado Secretary of State is making available the Social Security numbers and other personal data of numerous CEOs, company chairmen, presidents, board members and other senior executives at some of the country’s largest companies.
  • Memo to Verizon: when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you’re trying to impress by using the :bcc field.  And if you screw up, don’t compound the problems….

Newly reported incidents elsewhere:

In the U.K.:

  • The Ministry of Defence has begun an investigation into its worst information security breach after a portable hard drive used by its IT contractor, EDS, was reported missing. The drive, which is not thought to have been encrypted and which contained details of about 100,000 servicemen and women and 800,000 applicants to join the Armed Services, was found to be missing on Wednesday. Sensitive details of the family members of personnel were also among the data stored, including bank details and passport numbers.
  • A laptop containing data on around 100,000 pensioners was stolen last month, it was revealed today. The laptop stolen from a Deloitte employee contained data from Railways Pension Scheme, the Network Rail Defined Contribution Scheme, the British Transport Police Force Superannuation Fund, British Railways Superannuation Fund and the BR (1974) Fund as well as BSkyB’s pension plan.
  • Payroll details of 49 Strathclyde Police officers and other staff have been lost by a data service provider, Document Outsourcing Ltd.
  • Three laptop computers with access to personal details of crime victims have been stolen from Thames Valley Police staff. Two were stolen from vehicles while a third was taken during a burglary at a police officer’s home.
  • Det Constable Bruce Nigel Bartlett of the Dyfed Powys police illegally accessed the police national computer to gain information about his next door neighbors.
  • The ringleader of a gang who stole credit card details and used them to buy £7,000 of goods and then sell them on internet auction site eBay has been jailed. Lee Goodchild stole the card details of eight customers who ordered takeaways from Domino’s Pizza in the Old Town where he worked.
  • Health chiefs apologized after admitting they don’t know what happened to the nursing records of thousands of Gospel Oak Health Centre patients stored on a computer database.
  • Confidential medical letters, documents and payroll information have been stored in an unguarded corridor open to the public at Basildon Hospital.

In Germany:

  • Deutsche Telekom admitted to retaining details of supervisory board members’ phone calls in a second data protection slip-up.
  • One day after assuring customers it was implementing new privacy protection measures, Deutsche Telekom admitted on Saturday, Oct. 11, that it was aware of holes in its security system that provided access to bank account numbers and other personal information of some 30 million Telekom mobile phone users.

Other:

  • The World Bank Group’s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News reports. But a World Bank spokesperson insists the Fox report is inaccurate.
  • European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe.
  • In Ireland: private details of M50 motorists have been displayed on the eFlow website for anyone to see after an oversight by the National Road Authority.

Updates on previously reported breaches from here and abroad:

  • A federal grand jury has indicted David Kernell, the son of a Democratic Tennessee state lawmaker, in connection with the hacking of the e-mail account of Republican vice presidential candidate Sarah Palin.
  • Jorge Luis Silva-Davalos pleaded guilty to aggravated identity theft and participating in a scheme to defraud Navy Federal Credit Union. According to court documents, between December 2007 and February 2008, Silva-Davalos, with others, created bogus car loans using stolen identities of patients from a local hospital and neighbors of a member of the scheme.
  • Health chiefs failed to remove confidential patient records from disused Strathmartine Hospital despite repeated warnings, an official report yesterday found. NHS Tayside took action only after media reports emerged about the data which had been left lying at  on the outskirts of Dundee.

To get all breach news reports, updates, and articles discussing breaches as they’re posted, subscribe to the Breaches RSS feed from PogoWasRight.org. To get this blog by RSS, subscribe to Dissent’s feed.
