Data “Dysprotection:” breaches reported last week

December 17, 2007 7:53 am

A recap of breaches reported or updated last week in the news section.

Newly reported incidents in the U.S.:

  • A laptop containing the personal information of an undisclosed number of Deloitte & Touche partners, principals and other employees was stolen while in possession of a contractor responsible for scanning the accounting firm’s pension fund documents. The computer contained confidential data, including names, Social Security numbers, birth dates, and other personnel information, such as hire and termination dates. Some of the information belonged to people working at Deloitte subsidiaries.
  • Sutter Lakeside Hospital reported that a laptop computer containing personal and medical information of approximately 45,000 former patients, employees and physicians has been stolen from the residence of a contractor. The unnamed contractor violated procedure by downloading the information onto his hard drive.
  • A contractor working for the Iowa Department of Natural Resources reported a lost jump drive containing the names and Social Security numbers of 7000 people who work in wastewater and drinking water systems.
  • Roman’s Café in Louisiana became the focus of an investigation after hundreds of customers had their credit card data stolen. The case is still under investigation by the Secret Service. Chase Bank is among roughly 15 banks that have “taken a hit” in the case. The thefts took place from February 2006 to last October, and involved several hundred cardholders with multiple institutions.
  • A letter sent to Cameron County (Texas) employees informed them that their names, Social Security numbers and salaries were sent by e-mail by an employee to a reporter. The email was discovered during an investigation of the former employee’s computer.
  • Approximately two dozen students at Clark College have been warned of the potential for ID theft after college documents with student information were discovered in an off-campus trash bin last month.
  • A house demolition in Durand has uncovered a mountain of medical records filled with personal information, in full view of anyone digging around. The house used to belong to Dr. Jason Hollady, who stored his patients’ records there, but he defaulted on property taxes and the property eventually became city property.
  • An Illinois Secretary of State employee was placed on unpaid leave while investigators unravel why uncashed checks, car titles and other documents were found in a storage locker she owned. An auctioneer who bought the unit found the items, which included 33 car titles, death certificates, addresses, telephone numbers, medical histories, Social Security numbers and more.
  • A security alert on the University of Michigan-Flint campus has been issued after someone hacked several servers, perhaps putting personal information at risk. The university told the campus community that it’s working to determine the scope of the breach, but for now, can’t say what type of information may have been jeopardized.

Newly reported incidents in the U.K.:

  • In Northern Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. The unencrypted data were on two discs that went missing after being sent to the agency’s headquarters in Swansea. This was the second incident involving the DVLA in a month.
  • The Leeds Building Society has warned its staff of 1,000 to be vigilant after admitting to losing their personal details including bank and salary details when the company’s human resources department was moved during a refurbishment of its head office.
  • In the UK: government officials mistakenly sent confidential personal details consisting of names, dates of birth and criminal histories of dozens of inmates set to be released; the data were sent to a private business. The personal details also reveal the addresses the prisoners will move to after leaving jail.
  • Hundreds of people have had personal pension details sent to the wrong addresses after an error by a Herts County Council contractor, Serco. Serco sent 1,400 statements for staff, former staff and councillors to the wrong destinations because of an “administrative error”. The statements included the person’s name, date of birth, national insurance number, and pensionable pay. So far, only 400 of the statements have been returned to the county council, leaving 1,000 still missing.
  • A laptop with the names, addresses, phone numbers and dates of birth of 950 NHS diabetes patients was stolen from the St Julian’s GP surgery. Data on the stolen laptop also include a link to a picture of patients’ retinas — already they have a problem with the security of biometric data before they have implemented any ID system, it seems — Dissent.
  • Sefton Primary Care Trust has accidentally sent about 1800 of its staff’s records to four organisations it is refusing to name. The staff details include dates of birth, national insurance numbers, pensions and salary details. The four companies were bidding for work with the trust. The Trust is reportedly not revealing the names of the four companies because of “commercial confidentiality”. They seem to take “commercial confidentiality” more seriously than employee confidentiality — Dissent.

Elsewhere:

  • The office of the Canadian Information and Privacy Commissioner is investigating the B.C. Ministry of Health over a breach of privacy involving the loss of unencrypted magnetic tapes containing the personal information of over 100 B.C. residents. The four tapes, which contained medicare billing information for 485 New Brunswick residents who received care in British Columbia, and for 133 British Columbia residents who accessed services in New Brunswick, have been missing for about two months.
  • The Dutch Data Protection Authority is investigating claims that a medical database set up by health insurance companies reveals details about nearly every Dutch citizen. Birth dates, social security numbers, health insurance information, and addresses of Dutch celebrities, MPs, and even well-known criminals can be easily traced by doctors, dentists, or suppliers of health care aids who use the Vecozo medical database. At least 80,000 people are able to search the database.

Updates:

  • Lawyers for the banks that are suing TJX formally declared their intent to appeal to a federal appellate panel a Nov. 29 decision by U.S. District Court Judge William Young to deny class certification for their case. This week’s episode of As TJX Turns also revealed that TJX learned of its massive data breach on Oct 3, 2006, more than two months earlier than they reported to the government.
  • Since disclosing in July that an employee stole financial records of 8.5-million Americans, Certegy Check Services has said that at worst, some affected consumers might have gotten a little more junk mail than usual, or maybe a few extra telemarketing calls. Not so, says the Florida Attorney General, who is investigating Strategia Marketing’s purchase of Certegy’s data. A criminal investigation by the U.S. attorney in Tampa also is continuing, and the FTC has already filed a lawsuit against Strategia Marketing. According to that lawsuit, Strategia telemarketers would trick consumers into providing their bank account numbers to sign up for great (fraudulent) offers, after which the company would make unauthorized debits from the consumers’ bank accounts.

Update of Dec. 18th: corrected one breach to read “Northern Ireland.” Sorry, folks…

2 Responses to “Data “Dysprotection:” breaches reported last week”

  1. Antonomasia says:

    “the U.K. and Northern Ireland” is wrong because NI is part of the UK (but not part of GB).

  2. dissent says:

    Thank you. I really wonder if it’s too late for me to sue my old geography teacher for not making me learn geography properly. Or maybe I should make myself type out 100 times UK = GB + NI… sheesh.
