Chaos 365 » Protect Your Data

Citibank ATM Network Breach

Roland — Thu, 03 Jul 2008 04:02:13 +0000

Between October 2007 and March 2008, thieves stole millions from Citibank’s network of ATM machines in 7-Eleven retail stores. They successfully accessed PIN codes from an undetermined number of accounts. There are nearly 5,700 Citibank-branded ATMs inside 7-Eleven stores throughout the United States. The thieves were apprehended and allegedly made $2 million in illegal profits.

What’s more disturbing is that such data intrusions often go unreported.

When it comes to ATM cards, I strongly advise:

Do not tie multiple accounts to your PIN code.
Keep a limited amount in the account.
Use common sense to keep your PIN code safe (i.e. obscure code, don’t tell anyone)

Scottish Ambulance Service Loses 895,000 Patient Records

Roland — Tue, 01 Jul 2008 03:50:31 +0000

The ENCRYPTED disk contained 894,629 call records between February 2006 and June 2008, including the addresses of incidents, phone numbers and patient names.

Unlike so many other incidents, at least this company:

Encrypted their data before transporting it.
Immediately notified authorities.
Immediately admitted to the public what happened and disclosed details.
Doesn’t try to hide the incident from the public.

Related Links:

Scottish Ambulance Service loses nearly 900,000 records

Missing Disk Questions & Answers

More articles about careless organizations that allow data to be stolen…

June Bad Month For 411,000 U.K. Customers of Virgin Media, HSBC and Cotton Traders

Roland — Tue, 01 Jul 2008 03:39:52 +0000

Virgin Media lost an unencrypted computer disk containing data on 3,000 customers that signed up for services via Carphone Warehouse stores in the United Kingdom. Records contain bank details, names and addresses. No mention at all on VirginMedia.com or CarPhoneWarehouse.com.

HSBC lost a computer disk containing data on 370,000 customers. Records contain details such as name, date of birth, level of insurance coverage, and whether or not a customer is a smoker. I found no mention on HSBC.co.uk or HSBC.com.

The BBC reports that records for 38,000 credit card customers have been stolen from U.K. clothing firm Cotton Traders. The company disputes the number of affected customers. There is no mention of the incident on CottonTraders.co.uk.

Related Links:

Virgin Media loses 3,000 customer records

HSBC loses 370,000 customer details

Retailer loses thousands of card details in online hack

More articles about careless organizations that allow data to be stolen…

51,000 Wards Credit Card Records Exposed

Roland — Sat, 28 Jun 2008 19:56:51 +0000

This data loss was the result of specific attacks against their online network. The criminals proceeded to sell the credit card numbers online. Information included the card numbers, their three-digit “security codes”, expiration dates, as well as the cardholders’ names, addresses and phone numbers.

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com.

Definitely read the whole article. The company tries to shift blame because the guidelines from Visa on how to respond to a security breach didn’t mention that the company should also inform the affected consumers.

It just illustrates the point that these type of events probably happen more frequently than most of us suspect and are often covered up to prevent a public relations crisis.

Related Links:

Wards didn’t tell consumers about credit card hack

More articles about careless organizations that allow data to be stolen…

Own Shares in Disney But Get Screwed By BNY Mellon

Roland — Thu, 05 Jun 2008 14:14:08 +0000

Dammit, we got one of those notification letters AGAIN that our personal financial information has been lost. At first we couldn’t figure out why because we don’t use Bank of New York. Took a little digging to figure out one of their customers is Walt Disney Co. We own shares in Walt Disney Co., hence the notification.

This year there have been two separate incidents (February and April) unencrypted data from BNY Melon never arrived at the intended destination. The names of the companies transporting the unencrypted data are not being disclosed to the public.

This affected: depositor and shareholders of People’s United Bank and also shareholders of 24 other companies, including Walt Disney Co., John Hancock Financial Services, a unit of Manulife Financial Corp., and Bank of New York Mellon itself.

That’s extremely frustrating. It is so easy to forget that while you think you’re doing business with one entity, there are an unknown number of other “partners” and “service providers” that get hold of your private information and turn out to be the weak links in the overall security chain.

Again we’re offered the obligatory offering of 12 months of credit monitoring — but honestly that seems grossly inadequate and does little to make us feel better — or forgiving.

Even more frustrating is who to blame. Certainly not Disney’s fault. BNY Mellon security procedures are obviously disturbing that they routinely send unencrypted data via third parties. I can’t even moan about the companies responsible for transportation because they’re names are being withheld. Meanwhile, our politicians sit on the side and do nothing – as usual. An occasional saber rattle but no companies are ever held accountable.

What are your thoughts?

Related Links:

Bank of New York Mellon Loses 4.5 Million Customer Records

Roland — Tue, 27 May 2008 03:58:33 +0000

Bank of New York Mellon has lost unencrypted back-up computer tapes containing the confidential details of around 4.5 million customers.

On February 27, 2008, a box containing unencrypted back-up tapes was lost during transit. The tapes are believed to have contained social security numbers, names, addresses, bank account numbers and balances of 4.5 million customers.

Affected customers are being notified and offered a year of credit monitoring.

88,000 Patients Had Info Stolen From Staten Island University Hospital

Roland — Tue, 13 May 2008 12:46:41 +0000

Staten Island University Hospital (New York) waits four months to inform patients that their personally identifiable information had been stolen from their financial office.

The data, including social security numbers and health insurance numbers, was stored on a desktop computer and backup hard drive stolen on December 29, 2008. No one has been arrested for the theft.

Incredibly, Staten Island University Hospital waited four months to inform the patients who had their information stolen. The hospital spent nine weeks identifying a credit monitoring service before informing the affected patients.

Related Links:

Hospital admits error in handling I.D. theft

88,000 patients at risk after computer theft

More articles about careless organizations that allow data to be stolen…

71,000 Georgia Patient Records Exposed For Seven Weeks

Roland — Sun, 13 Apr 2008 13:56:04 +0000

WellCare of Georgia exposed 71,000 Georgia Families membership patient records on an unsecured Website from February 12 to April 2, 2008.

According to WellCare, the exposed records included:

Personal identifying information, such as a member’s name, birth date, dates of eligibility, Medicaid or PeachCare for Kids member identification number, social security number or other health plan related information.

Incredibly, WellCare took five days to remove all the data after they learned of their huge mistake.

Not surprisingly, WellCare claims in it’s press release:

WellCare takes the privacy and security of personal information very seriously.

Unfortunately for some Medicaid and PeachCare for Kids participants in Georgia, it is the second time in a year that they’re records have been carelessly compromised. In April 2007, the Georgia Department of Community Health announced that Affiliated Computer Services had lost a computer disk in the mail containing data on 2.9 million people.

Related Links:

Data Intrusion of Advance Auto Parts Affects 56,000 customers

Roland — Wed, 02 Apr 2008 14:25:26 +0000

Advance Auto Parts, headquartered in Roanoke, Va., alerted customers of fourteen locations that their financial information may have been stolen as result of a network intrusion. 56,000 customers are believed to have been affected.

Advance Auto Parts reports that they are the second-largest retailer of automotive after market parts, accessories, batteries, and maintenance items in the United States, based on store count and sales.

The affected retail stores are located in the following states: Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York.

Customers can contact the company for details at 1-800-704-1154.

CEO Goes Against His Own Advice

Roland — Fri, 29 Feb 2008 00:18:06 +0000

MousePrint.org has an interesting article about the CEO of LifeLock, who plastered his own social security number on a truck as an advertising gimmick.

One Minute How To Interview: Data Security Tips for Marketers and Consumers

Roland — Tue, 26 Feb 2008 17:00:49 +0000

I recently had the pleasure to once again speak with George from the One Minute How To podcast. We discussed tips for both marketers and consumers to keep in mind to help protect sensitive information.

Please check out the podcast episode. It’s only a minute.

Data Theft of 38,000 Georgetown University Students, Staff, Faculty Members

Roland — Thu, 31 Jan 2008 14:50:42 +0000

The theft of a computer disk from a locked room at Georgetown University in Washington has potentially exposed the Social Security numbers and other personally identifiable data of about 38,000 current and former students, faculty members and staffers between 1998 and 2006.

A university statement said the drive was stolen from an office within the university’s Office of Student Affairs on Jan. 3. The unencrypted disk apparently was used to back up a computer that contained billing information for various student services, according to a story in the campus newspaper The Hoya.

A letter sent to alumni affected by the theft said that since the files “related to a range of cross-campus student financial transactions processed through the Office of Student Affairs, it pertained to students enrolled at the main, medical and law school campuses.” No financial information was stored on the hard drive, the letter noted.

The university is also offering all affected individuals free credit monitoring for one year.

This is not the first time. In March 2006, another security breach at Georgetown University resulted in the names, dates of birth, and social security numbers of 41,000 people, many of which may be elderly. The university had been hosting the data on behalf of the District of Columbia’s Office on Aging (DCOA).

Related Links:

2008 incident: Data breaches probed at New Jersey Blue Cross, Georgetown
2008 incident: Data Thieves Hit Georgetown University Students, Faculty
2006 incident: Georgetown University Data Breach
More articles about careless organizations that allow data to be stolen…

Data Theft of 35,000 T. Rowe Price Group Customers

Roland — Thu, 31 Jan 2008 14:42:25 +0000

Baltimore-based investment management firm T. Rowe Price Group Inc. had to notify about 35,000 customers that their confidential data was exposed due to theft of a computer from the offices of a third-party service provider.

The hard drives contained the names and Social Security numbers of 35,000 people who are no longer employed by companies, but still enrolled in their retirement plans, T. Rowe spokesman Brian Lewbart told SCMagazineUS.com today. The ex-workers of hundreds of companies are affected.

John Geffert, associate counsel for parent company CBIZ Inc., told SCMagazineUS.com on Wednesday that workers are supposed to keep sensitive data off the hard drive and on the local network.

“In this case, the policy may not have been followed,” he said. “We’re working with people’s recollections on what they think they may have had on the hard drive.”

Related Links:

Data Theft of 29,000 Fallon Community Health Plan Members

Roland — Thu, 31 Jan 2008 14:38:49 +0000

A stolen laptop included the names, birth dates and some health care data on 29,800 members of Fallon Community Health Plan, a Worcester, Mass.-based medical provider and insurer. The laptop was stolen from the office of a third-party provider.

The data does not include any financial information such as bank account or credit card numbers or any home addresses. But it does include Medicare identification numbers, which usually consists of the person’s or his or her spouse’s Social Security number.

Related Links:

Horizon Blue Cross Blue Shield of NJ exposes 300,000 customers to fraud

Roland — Wed, 30 Jan 2008 03:03:18 +0000

I come home tonight to find multiple letters addressed to myself, my wife and young children informing us how Horizon Blue Cross Blue Shield of New Jersey lost our confidential personal information (name, address and social security number) and exposed my entire family to potential fraud and identity theft.

The letter also says: “We do not believe any of your medical data was on the computer.” That’s not definite. It’s possible, but they are not sure.

My wife and I are outraged. No explanation was given as to why an employee is taking home our confidential information on a laptop.

Careless procedures and a casual attitude have needlessly exposed my family to risk and extra burden now.

These large companies insist on collecting unnecessary information about you. A health insurance company has no need for any person’s social security number, period! The Social Security Number is for social security and tax reporting and is not a universal ID number. Now Horizon has carelessly lost the data and put 300,000+ people at risk.

This is exactly why I’ve been writing about this topic on this blog for nearly two years.

I’ve seen this kind of sloppy behavior repeatedly at the mega brand companies I’ve worked with. The PR department says one thing. The Privacy Dept says another thing. Then the line managers ignore the policies because they’re under pressure to get their work done.

The Health Insurance companies bully us around and all we do is bend over and take it. I really wish our politicians would start investigating these shenanigans.

Related Links:

Reader Feedback; Online Privacy Tips

Roland — Sat, 26 Jan 2008 21:27:27 +0000

Reader Normand from Canada writes:

Hi there!

I would like to know your opinion on the Ironkey USB Encryption and Anonymous Surfing claims.I deem it likely that such agencies as the US Homeland Security would have a backdoor to such a device or could monitor your surfing, given that they are listed in the list of contributors… Such a device could therefore become the eyes and ears of Bigbrother, under some Klingon Cloak. Tell me I’m not paranoid

Norm

Hi Norm,
Sorry, but I have no idea and can’t offer an educated opinion. Generally speaking, I do not believe that anyone can surf anonymously, at home and especially not in the workplace.

I also do not believe that it’s worth the effort and cost to use anonymizer services. I’ve also tried to setup email encryption between members of my family, only to be frustrated by how cumbersome it can be, especially to set up another person.

Therefore, as our privacy and rights are chipped away, I recommend the following defense:

Don’t send confidential information in emails or post on Web sites.
Don’t type any embarrassing keywords or incriminating phrases like “how to kill my spouse.”
Don’t trust that your Internet Service Provider (ISP) will defend your privacy rights.
Don’t trust that your friends wont (out of ignorance) post information about you online.

Thanks for writing.
-Roland

GE Money Loses Data on 650,000 Credit Customers

Roland — Thu, 24 Jan 2008 13:00:23 +0000

Reuters reports that GE Money Loses Data on 650,000 Credit Customers

A computer tape containing personal data of 650,000 customers of about 230 retailers including J.C. Penney Co is missing, credit card issuer GE Money. Social Security numbers of about 150,000 people were also included on the tape. The tape had been stored at an information protection and storage company. The company claims that there has been no evidence suggesting that the identity of any person had been compromised.

More articles about careless organizations that allow data to be stolen…

British Ministry of Defense Looses Data on 600,000 People

Roland — Thu, 24 Jan 2008 12:50:12 +0000

Earlier this month, the British Ministry of Defence had a laptop stolen containing the personal details of 600,000 people interested in joining the armed forces. The laptop was stolen from a Royal Navy officer’s car on January 9th.

The unencrypted data included family details, national insurance, passport and driving licence numbers and NHS numbers.

“In total 69 laptops and seven personal computers have been lost by the Ministry of Defence over the past year.”

Related Links:

Data loss prompts Whitehall laptop ban

Ministry of Defence Laptop Data Loss Dramas Worsen

More articles about careless organizations that allow data to be stolen…