September 8th, 2008 at 6:15 am
A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org. This week, there were some big non-U.S. breaches in the news.
Newly reported incidents in the U.S.:
- Thousands of medical charts, all listed to Southwest Medical Association, became the property of a man who bought the contents of a storage unit for just $25 in an auction.
- Paperwork containing the names, birth dates, Social Security numbers and other personal information of more than 200 patients at Boulder Community Hospital has been stolen.
- A student intruder gained access to a restricted server at Clarkson University and promptly reported the vulnerability to campus authorities. Approximately 245 employees and former employees had personal information, including name, social security number, and date of birth, compromised during the security breach.
- For the past five years, East Burke High School’s website exposed 163 staff members’ Social Security numbers and other personal information on the Internet.
- U.S. Attorney Greg Brower says Marilyn D. Millender, a front-line clerk at a Nevada DMV office, was arrested Friday on federal charges that she took cash payments of $5,000 or more in exchange for issuing state identification documents between June and December 2007, and of lying to the FBI during interviews last May and June.
- Thieves broke into the Oakland school district’s human resources offices and stole up to 12 computers containing the personal information of an estimated 100 new hires.
- A computer containing information for at least 350 HIV patients was stolen from the Ecumenical Ministries of Oregon’s HIV Day Center.
- The Erie County Executive’s office issued a statement about a laptop computer stolen from a county health facility.
- An employee of Ivy Tech Community College using an internal file sharing system accidentally sent a file with personal information out to a list of all Indianapolis region employees.
Newly reported incidents elsewhere:
In Japan:
- The personal data of as many as 18,000 customers have been compromised after the server of Tokyo-based pet supply firm Hotta was accessed by a hacker in China.
- About 3,000 cases of identity theft have been found among users of Yahoo Japan Corp.'s online auction site. The total number of confirmed and suspected ID theft cases targeting the nation’s largest Internet auction site has reached about 10,000.
In Korea:
- Two multimedia discs containing the personal information of 11.1 million customers of GS Caltex, one of Korea's largest oil refineries, were reportedly found on the street, but it now appears to have been an insider job and the street-find story just a coverup.
In the U.K.:
- A disk containing the personal details of 5,000 prison staff was lost by EDS last year, but the prison service wasn’t notified until this July.
- A laptop containing the personal details of 100 bank customers was stolen from a Welsh branch of Royal Bank of Scotland in May, but customers had not been informed of the theft because the details held on the laptop were encrypted.
- A memory stick containing information about the STI tests of 146 people has gone missing from the Chelsea and Westminster Hospital.
- Scottish newspaper The Aberdeen Press inadvertently made it easy to harvest sensitive information about registered users from its site as a result of a basic information security mistake.
In Canada:
- Ehud Tenenbaum, an Israeli hacker who broke into U.S. Department of Defense computers as a teenager, is the alleged mastermind of a $1.8-million theft from Direct Cash Management Inc. in Calgary.
In the UAE:
- An international investigation is under way to find hackers believed to have stolen information from financial servers in the UAE to make fraudulent credit and debit card purchases in the US.
In the courts or legal proceedings here and abroad:
- Concord police arrested Ruthanne Bradley, a former Local Government Center employee, accusing her of removing computer backup tapes and manipulating computer information at the organization. The data in question had the potential to affect an estimated 190,000 current and former public employees.
- Woodburn police are warning employees and customers of Lowe’s to check their credit status after they found that Isaac Joseph Folsom, an employee at the Keizer Lowe’s, had Lowe’s employee lists in his home, containing current and former employee names, social security numbers, phone numbers and hire dates.
- Richard K. Ruminski, Special Agent-in-Charge of the Milwaukee Office of the Federal Bureau of Investigation (FBI), announced the arrests of Michael B. Vorce and James C. Jett for their parts in a multi-state bank fraud and identity theft scheme.
Updates on previously reported breaches from here and abroad:
- A mailing processing error by Equifax affected notifications to 7,000 clients and patients of Saint Mary’s Regional Medical Center about a possible data breach.
- The Bank of New York Mellon is under subpoena to provide additional information after Connecticut learned that 135,000 additional Connecticut customers may be affected by the bank’s security breach last February. The breach also affected 38,000 people who owned or held options for SAIC stock.
- In Ireland: Bank details and in some cases PPS numbers and addresses of up to 10,000 public servants were contained on laptops stolen from the office of the Comptroller and Auditor General.
- A federal judge has approved a settlement in two class-action lawsuits filed against Certegy Check Services.
To get all breach news reports, updates, and articles discussing breaches as they’re posted, subscribe to the Breaches RSS feed from PogoWasRight.org. To get this blog by RSS, subscribe to Dissent’s feed.
September 1st, 2008 at 6:52 am
A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org. For those looking for annual statistics: as of their last update on August 22, the Identity Theft Resource Center shows 449 breaches reported in the U.S. for this year, surpassing last year’s total record.
Newly reported incidents in the U.S.:
- Promotion selection lists containing the names and Social Security numbers of more than 50,000 active-component noncommissioned officers were compromised earlier this year and in 2005, according to officials familiar with an ongoing Army investigation.
- Rochester Institute of Technology officials say that a laptop with personal information on 12,700 people who have applied to enroll at NTID since 1968 was recently stolen from the National Technical Institute for the Deaf.
- The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified national MasterCard merchant.
- A glitch during a computer upgrade at the Louisiana Real Estate Commission caused the names, addresses and Social Security numbers of more than 13,000 licensed agents to be exposed on the Internet.
- Nye Lubricants notified the New Hampshire Attorney General that an employee “may have accessed electronic personal information stored in certain of the Company’s databases without proper authority and/or for improper purposes” on or about August 15.
- Confidential information for more than 2,500 students, employees and volunteers in Prince William County was put in the public domain for more than a month this summer after an employee working at home released the data through a file-sharing program.
- A laptop containing the personal information of at least 4,000 students in the Reynoldsburg City School district was stolen.
- Heavenly Ham alerted 600 customers of a credit card identity theft that may have occurred.
- Paper jams in a mail-inserting machine caused 2,845 Pennsylvania Department of Public Welfare renewal packets to go to the wrong Pennsylvania welfare clients’ homes.
- A database containing the names, addresses and Social Security numbers of 13,000 retired Ohio police officers was improperly emailed to his own home by a retired Ohio Police & Fire Pension Fund employee.
- Customers who paid for items at a YMCA fund-raiser with checks or credit cards are being warned about a burglary at which credit and debit card numbers were taken.
- Eighty-six Kansas State University students are receiving letters from the Division of Continuing Education advising them that papers with their names and Social Security numbers on them were stolen from a parked vehicle last week.
- If you have used an ATM at the Camelot branch of Wachovia Bank in Cape Coral recently, you may want to check on your account.
- Thousands of personal records were briefly at risk this summer when an intruder placed a malicious link on the Web site of St. Joseph’s Academy in Baton Rouge.
Newly reported incidents elsewhere:
In the U.K.:
- A computer containing banking security details of more than one million people has been sold on eBay for $64. It belonged to MailSource UK - an arm of Graphic Data, an archiving company that holds financial information for Royal Bank of Scotland, NatWest and American Express.
- Self-service systems in UK supermarkets are being sought by hi-tech criminals with stolen credit card details.
- Confidential files were lost in the past three years by North-East NHS trusts, including North Tees and Hartlepool, South Tees, Newcastle and York.
- New controls on computerized data storage have been introduced at a Scottish health authority after equipment containing patients’ sensitive details was lost by staff at NHS Dumfries and Galloway.
- Other losses by NHS trusts were revealed in Scotland on Sunday.
- Police have made an arrest over the sale on eBay of a computer said to contain the personal details of thousands of Charnwood Borough Council tax payers. This is the second computer reportedly sold on eBay this week containing personal information.
Elsewhere:
- In Taiwan: six people are currently being held in custody for what is believed to be the biggest personal data hacking enterprise undertaken in Taiwan’s internet history. They are believed to have stolen more than 50 million records of personal data including information about President Ma Ying-jeou, his predecessor Chen Shui-bian and police chief Wang Cho-chiun.
- In New Zealand: tax documents showing the salary of a Christchurch medical professional have been mistakenly sent to a 25-year-old student. The personal details included name, address, workplace, Inland Revenue (IRD) number, phone number, salary and taxation.
- In Shanghai: three Chinese men will soon be charged with transporting fake credit cards that could have cost global banks US$20 million had the scheme not been disrupted, Shanghai Railway police said yesterday. The cards were to use stolen customer identity information.
- In Canada: a former contract cleaner at Tetherwood Spa recorded 60-65 customers’ credit card numbers and misused them.
In the courts or legal proceedings here and abroad:
- Londie Bowman, who used another person’s identity to get a $20,000 breast lift and tummy tuck at Plastic Surgery Specialists in Greenbrae, was sentenced Wednesday to nine months in the Marin County Jail.
- Indictments were returned against three Jackson women accused of stealing from a nursing home resident.
- Ex-Countrywide analyst Rene L. Rebollo, Jr., and Wahid Siddiqi were arraigned for their parts in the Countrywide breach.
- Six people accused of stealing personal information from UCI student health forms and using it to get bogus tax refunds have been indicted by a federal grand jury in Texas.
Updates on previously reported breaches from here and abroad:
- Best Western responded to media reports of a huge breach by claiming that although there was a breach, it only affected one branch and 10 customers.
- Bank of New York Mellon Corp said on Thursday that a security breach involving the loss of personal information, including Social Security numbers, now affects about 12.5 million customers, up from an earlier 4.5 million.
- TrustCo Bank Corp is resorting to litigation to recoup costs it incurred after reissuing thousands of credit cards to customers affected by the security breach at the parent company of the T.J. Maxx and Marshalls chains.
August 31st, 2008 at 8:19 am
When Scotland’s Sunday Herald proclaimed “Revealed: 8 million victims in the world’s biggest cyber heist,” they appeared to be wrong on a few counts. Even if they had been correct that every Best Western hotel guest’s data had been stolen, that would not have made the breach the world’s biggest cyber heist. Had they consulted any one of a number of online sources, they would have discovered that 8,000,000 records or people might have barely qualified for the Top 10 list in terms of breaches where we have numbers reported. As it turns out, Best Western disputes the numbers and claims that the numbers are in the dozens, not millions.
But what does it take to make the top 10 list in terms of breaches? After two breach reports from this week changed the rankings, it looks like it takes over 8,500,000 records or people just to stand a chance of becoming a cautionary tale. A breach reported from Taiwan moves right to the head of the list — depending on how you ‘count’ the TJX breach. If you count it as 94,000,000 as banks claimed in their court filings, TJX currently retains the dubious distinction of worst breach ever in terms of number of records compromised. If you use the 46,500,000 figure that had been previously cited and that seems to synch with recent federal indictments, the TJX breach falls to second place behind the 50,000,000-record hack in Taiwan orchestrated by at least 6 people who hacked into government databases, state-run firms, telecom companies and a television shopping network.
BNY Mellon and Archive Systems Inc. also joined the Top 10 list this week when BNY revealed that missing unencrypted backup tapes contained data on 12.5 million people — not the 4.5 million originally reported. To their shame, BNY Mellon did not discover the additional 8 million people on their own initiative — the extent of the breach was only discovered when they responded to a probe by Connecticut.
So what does the Top 10 list currently look like? Based on available information, it might look like this:
| Rank | # of Records or People | Entity | First Reported | Incident |
|---|---|---|---|---|
| 1 | 94,000,000* | TJX, Inc. | 2007-01-17 | Hack |
| 2 | 50,000,000 | Misc. Taiwanese | 2008-08-28 | Hack |
| 3 | 40,000,000 | Card Systems | 2005-06-17 | Hack |
| 4 | 26,500,000 | U.S. Department of Veterans Affairs | 2006-05-22 | Stolen Laptop |
| 5 | 25,000,000 | HM Revenue and Customs / TNT | 2007-11-20 | Lost Tapes |
| 6 | 18,000,000** | Auction.co.kr | 2008-02-17 | Hack |
| 7 | 12,500,000 | Bank of New York Mellon / Archive Systems Inc. | 2008-03-26 | Lost Tapes |
| 8 | 9,000,000 | Misc. Korean | 2008-07-27 | Hack |
| 9 | 8,637,405 | Dai Nippon Printing Company / Unnamed Contractor | 2007-03-12 | Insider |
| 10 | 8,500,000 | Certegy Check Services Inc. | 2007-07-03 | Insider |
* 94,000,000 or 46,500,000 depending on source.
** Auction.co.kr says its number is 10.8 million and not 18 million as reported by other sources.
Given the fact that entities are still amassing tremendous amounts of data, one can only wonder what the list will look like by the end of this year.
Update Sept. 6th: A breach involving 11.1 million GS Caltex customers reported today would move GS Caltex into the Top 10, bumping Certegy off of the list.
August 30th, 2008 at 7:43 am
August is usually a more relaxed month for me as patients are off to summer camp and schools are closed. This August, however, turned out to be less than relaxing. Apart from simultaneous patient emergencies and trying to get ready for upcoming conferences and courses I’m teaching, events of the month have left me muttering to myself…..
“We’ve capped your spending limit”
The beginning of the month brought a letter from American Express that they were capping my monthly spending. Why? Apparently — and although there was never anything in arrears with my AmEx account – there was a questionable credit report. When I investigated, I discovered that my bank had made some humongous mistakes. My bank immediately corrected their errors and notified Experian, who in about a week (and to my pleasant surprise), corrected their error. But AmEx said that they could not restore my account to its previous terms for 3 months because that’s when they automatically check credit reports. So even with the corrected report in hand, they refused to restore my account. Furious calls to Customer Relations at corporate headquarters received a sympathetic ear, but even then, I got nowhere for a while. The FTC suggested that I file complaints with them, OTS, and my state consumer protection board. AmEx’s position is that their “suits” advised them that there is no law that requires them to fix their errors quickly and that since it is their plastic and their terms, the customer has no legal redress. My account is now sorted out due to intervention by Customer Relations, but if AmEx’s lawyers are right, then we need another consumer law revision.
“They stole my pocketbook”
As a nonagenarian, it is all my mother can do to keep her balance while she walks and continues to try to live independently. So some sleazebag in NYC took advantage and stole her pocketbook while she was out on errands. My sibling and niece immediately started cancelling her accounts, my mother filed a police report, and arranged for a locksmith to come change the locks on her door within 24 hours. Within a few days, we had the bulk of notifications and mess sorted out — until we see what happens, of course.
But the experience endangered her life as her blood pressure went through the roof and her heart condition kicked in and made it difficult for her to breathe. While my sibling handled the notifications, I focused on calming our mother down so she did not suffer a stroke or heart attack.
When we talk about the risk of ID theft, let’s never forget the emotional and physical toll it can take on its victims.
And if they ever catch the thief, I just want 5 minutes alone with him or her.
As I post news to PogoWasRight.org, I have often questioned why they call some charges “aggravated identity theft.” Is there any ID theft that doesn’t cause aggravation? They really should find another term for enhanced charges for that crime, and they should consider the physical and emotional impact. Not everything is money.
“They’re taking me to the emergency room”
My son’s work has some element of risk of injury and we’ve all gotten fairly matter-of-fact about some of it. This month, though, seemed to have more than its usual share of injuries, the most recent requiring a plastic surgeon. I tend to stay very calm in emergencies due to my training, but I know of no mother who can stay totally calm when you pick up the phone to hear, “OK, they’ve got a blanket wrapped around my head to stem all of the bleeding….”
“Did I ever have hepatitis?”
Something’s wrong with my son, and they can’t figure out what despite the tests they’ve already run. Could those medications he was on years ago that the FDA told us were safe have caused his current liver problems? The FDA has done a terrible job of protecting the safety of children and teens when it comes to assessing the safety of medications. While the big pharmaceuticals continue to rake in profits, how many studies showing adverse events have been swept under the rug?
Hopefully, this will turn out to be just some viral thing, but for a kid who never gets sick to have such long-lasting fatigue, pain, and abnormal labs, something’s not right….
So… hopefully you all had an enjoyable summer. For me, I’m glad August is about over.
August 25th, 2008 at 6:57 am
With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches, more than its total for all of 2007.
As they note, the 449 is an underestimate of the actual number of reported breaches, due in part to ITRC’s system of reporting breaches that affect multiple businesses as one incident. This year we have seen a number of such incidents, including Administrative Systems, Inc., two BNY Mellon incidents, SunGard Higher Education, Colt Express Outsourcing, Willis, and the missing GE Money backup tape that reportedly affected 230 companies. Linda Foley, ITRC Founder, informs this site that contractor breaches represent 11% of the 449 breaches reported on their site this year.
Reiterating its emphasis in earlier press releases on the number of breaches rather than the number of records or individuals, ITRC notes, “in more than 40% of breach events, the number of records exposed is not reported or fully disclosed. This means the number of affected records is grossly incomplete and unusable for any statistic or research purpose. The use of potentially affected records generally causes more concern and is ‘news-sexy’.”
While this site concurs that the “total number of records or people” has been plagued by a number of problems and I have blogged about these issues before, the usability of any statistic is ultimately the decision of individual researchers. And the numbers do matter, of course. As a consumer, I want to know if an employee thought so little of privacy and security that he left unencrypted data on 100,000 people in his car. I want to know why a visiting nurse is carrying around sensitive information on tens of thousands of patients when her case load is less than 100. The numbers tell me something about how proactive the entity was. And if big numbers are “news-sexy” and that’s what it takes to keep these issues in the public eye, then I suppose there is some value in them.
More important than the individual numbers, perhaps, are the details of a breach, something that is often lacking or glossed over in reports. As one example, when third party benefits administrator Administrative Systems, Inc., disclosed that its office had been burgled in December 2007, it did not reveal the total number of clients affected, nor the total number of individuals whose unencrypted data were on the stolen computer. Given that just one of the dozens of clients informed this site that it had to notify 250,000 of its customers, the numbers for that breach might be staggering. But more importantly, perhaps, ASI’s notification letter did not tell those affected that ASI suspected that the computer had been stolen by an employee, nor that in the course of the burglary, the thieves walked past newer computers and only took the one computer that had all the client data on it. That information was never publicly revealed and only came to light when this site obtained the police reports in response to a Freedom of Information request. Although we can be somewhat understanding of the need for discretion during an ongoing investigation (in this case, the police were not able to determine the identity of the thieves and the case is on inactive status), if you were one of those affected, would knowing that the firm suspected one of its own employees and that the thieves had ignored closer and newer computers and only taken the one with personal information have influenced your level of concern or any steps you might take to protect yourself? ASI did nothing wrong as far as the laws on disclosure and notification go. But are we requiring too little?
PogoWasRight.org has repeatedly called for a national full disclosure law. Even with such a law, there are still many breaches we will not know about in a timely fashion. But without any law, we will continue to remain in the dark and at risk. And as part of any dialogue, we need to take a hard look at why the federal government is not notifying businesses or individuals that their data has been exposed or accessed. When 11 people were recently indicted for hacking TJX and other businesses, some of those businesses stated that they had no evidence that there had been a breach and had therefore not notified customers. If the federal prosecutors had such evidence, what, if anything, did they tell these businesses? And if federal investigators find that 230 people had their identities stolen by illegal immigrants, who is responsible for ensuring that those individuals are notified? What are the government’s responsibilities in these situations?
As crime grows and any one crime can potentially impact millions of people — as this week’s Best Western Hotels (Europe) incident demonstrates yet again — the need for better protection, better monitoring, and better and faster notification and disclosure increases exponentially. Investigating cybercrimes is important, of course, but Washington needs to do a lot more, and we still do not have a national disclosure and notification law.
Correction: it seems reports concerning Best Western may not have been accurate. Best Western disputes the original reports and claims that 10 customers were affected from one hotel.
August 25th, 2008 at 5:55 am
A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org. There were so many arrests, convictions, fines, and sentencings this week that I’ve broken them out in a separate section.
Newly reported incidents in the U.S.:
- Wells Fargo was back in the news for the second week in a row. This time, five of their new banks are notifying customers that a tape with their personal data was lost in transit by an unnamed courier. The tape included information on customers of Jackson State Bank, Shoshone First Bank, Sheridan State Bank, First State Bank of Pinedale and United Bank of Idaho.
- The Princeton Review accidentally published the personal data of 34,000 students in the public schools in Sarasota, Florida and 74,000 students in the school system of Fairfax County, Virginia.
- Kingston Tax Service computers containing clients’ personal information were stolen.
- InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008, potentially exposing personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG.
- Alaska Airlines discovered that one of their employees had been misusing payment card information provided by customers of Alaska Airlines and Horizon Air when they made reservation changes. The employee reportedly processed the reservation changes but diverted the payments to his personal account.
- Case Western Reserve University said the personal information and social security numbers of 1,160 undergraduates was inadvertently disclosed on the school’s web site.
- Cost Plus World Market was informed of a spate of fraudulent debit card transactions linked to at least 11 of the Oakland-based company’s Southern California stores, including three in San Diego, after debit card PIN pads at select stores had been tampered with between February and April.
- The details have yet to be clarified, but reports indicate hundreds of people across the country could be victims of an identity theft scheme that somehow involves Allen Stoudemire, a Midland City Council candidate.
- The HR department at Aflac disclosed 623 people’s information to each other when it neglected to put their addresses in the bcc field of an email.
- The Social Security numbers used to employ illegal immigrants at the Agriprocessors Inc. meatpacking plant were stolen from people in at least 25 states, including two people from Iowa, and from 38 people who are dead. More than 230 citizens and lawful immigrants had their Social Security or resident alien numbers used by the illegal workers.