<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>Office of Inadequate Security</title>
	
	<link>http://www.databreaches.net</link>
	<description />
	<lastBuildDate>Thu, 29 Jul 2010 12:36:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/OfficeOfInadequateSecurity" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="officeofinadequatesecurity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>Lax document disposal leaves privacy in shreds</title>
		<link>http://www.databreaches.net/?p=12759</link>
		<comments>http://www.databreaches.net/?p=12759#comments</comments>
		<pubDate>Thu, 29 Jul 2010 12:36:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Business Sector]]></category>
		<category><![CDATA[Exposure]]></category>
		<category><![CDATA[Paper]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[DebtStoppers]]></category>
		<category><![CDATA[Robert J. Semrad & Associates]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12759</guid>
		<description><![CDATA[Mary Mitchell reports: Imagine the anxiety of discovering that the information you divulged to one of the city&#8217;s leading bankruptcy firms was not kept confidential. Last month, hundreds of pieces of sensitive documents that were provided to the law firm of Robert J. Semrad &#038; Associates, also known as DebtStoppers USA, ended up in a [...]]]></description>
			<content:encoded><![CDATA[<p>Mary Mitchell reports:</p>
<blockquote><p>Imagine the anxiety of discovering that the information you divulged to one of the city&#8217;s leading bankruptcy firms was not kept confidential.</p>
<p>Last month, hundreds of pieces of sensitive documents that were provided to the law firm of Robert J. Semrad &#038; Associates, also known as DebtStoppers USA, ended up in a trash bin in an area the firm shares with other businesses.</p>
<p>The &#8220;Client Information Sheets&#8221; contained Social Security numbers, full names and addresses, driver&#8217;s license numbers and signed debit card authorizations. </p>
<p>[...]</p>
<p>Although there are tougher state and federal laws covering data security, there&#8217;s no real watchdog.</p>
<p>Neither the Department of Streets and Sanitation nor the Department of Business Affairs and Consumer Protection has ever written a violation for the improper disposal of sensitive documents.</p></blockquote>
<p>Read more in the <a href="http://www.suntimes.com/news/mitchell/2545870,CST-NWS-mitch29.article">Chicago Sun-Times</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12759</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Man who stole credit cards, electronics at UVa avoids prison</title>
		<link>http://www.databreaches.net/?p=12762</link>
		<comments>http://www.databreaches.net/?p=12762#comments</comments>
		<pubDate>Thu, 29 Jul 2010 12:36:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Education Sector]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Theft]]></category>
		<category><![CDATA[U.S.]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12762</guid>
		<description><![CDATA[Brian McNeill reports: A 27-year-old man who stole credit cards and electronics at the University of Virginia will avoid prison time and instead be enrolled in a diversion program in Harrisonburg. Joshua Alan Lafferty pleaded guilty in June 2009 to five counts of breaking and entering, five counts of grand larceny, four counts of credit [...]]]></description>
			<content:encoded><![CDATA[<p>Brian McNeill reports:</p>
<blockquote><p>A 27-year-old man who stole credit cards and electronics at the University of Virginia will avoid prison time and instead be enrolled in a diversion program in Harrisonburg.</p>
<p>Joshua Alan Lafferty pleaded guilty in June 2009 to five counts of breaking and entering, five counts of grand larceny, four counts of credit card theft and one count each of credit card fraud and petit larceny.</p></blockquote>
<p>Read more in <a href="http://www2.dailyprogress.com/news/2010/jul/28/man-who-stole-credit-cards-electronics-uva-avoids--ar-353880/">The Daily Progress</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12762</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WA: Fast food customers’ identities stolen by worker, say police</title>
		<link>http://www.databreaches.net/?p=12756</link>
		<comments>http://www.databreaches.net/?p=12756#comments</comments>
		<pubDate>Wed, 28 Jul 2010 22:19:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Business Sector]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Insider]]></category>
		<category><![CDATA[Skimmers]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[Tukwila Wendy's]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12756</guid>
		<description><![CDATA[Three people are charged in an alleged identity theft ring, skimming credit and debit card information from fast food customers at a Tukwila Wendy&#8217;s restaurant. Maria Elena DeHoyos-Ortiz, 33, Linzy Jerome Hopkins, 27, and Ricardo Ricky Ramacho, II, 28, are charged with multiple counts of conspiracy to commit identity theft. King County Sheriff&#8217;s Detectives say [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>Three people are charged in an alleged identity theft ring, skimming credit and debit card information from fast food customers at a Tukwila Wendy&#8217;s restaurant.</p>
<p>Maria Elena DeHoyos-Ortiz, 33, Linzy Jerome Hopkins, 27, and Ricardo Ricky Ramacho, II, 28, are charged with multiple counts of conspiracy to commit identity theft. King County Sheriff&#8217;s Detectives say they compromised at least 135 accounts to the tune of approximately $75,000, and that number could grow.</p></blockquote>
<p>Read more on <a href="http://www.nwcn.com/news/washington/Fast-food-customers-identities-stolen-by-worker-say-police-99492439.html">NWCN</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12756</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>15 released pending trial in massive ID theft in Turkey</title>
		<link>http://www.databreaches.net/?p=12752</link>
		<comments>http://www.databreaches.net/?p=12752#comments</comments>
		<pubDate>Wed, 28 Jul 2010 22:17:03 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Government Sector]]></category>
		<category><![CDATA[Insider]]></category>
		<category><![CDATA[Non-U.S.]]></category>
		<category><![CDATA[Of Note]]></category>
		<category><![CDATA[Theft]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12752</guid>
		<description><![CDATA[Fifteen people charged with selling computer programs offering illegally acquired identity information on nearly the country’s entire population were released Wednesday pending trial in Istanbul. Police announced Tuesday the cracking of the ring that had been stealing Turks’ identity information, including their names, addresses and telephone numbers. [...] The Hürriyet reporter wrote that he had [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>Fifteen people charged with selling computer programs offering illegally acquired identity information on nearly the country’s entire population were released Wednesday pending trial in Istanbul.</p>
<p>Police announced Tuesday the cracking of the ring that had been stealing Turks’ identity information, including their names, addresses and telephone numbers.</p>
<p>[...]</p>
<p>The Hürriyet reporter wrote that he had first gotten wind of the identification theft a few days previously, by coincidence, during a conversation in a lawyer’s office, and later learned that the data had allegedly come from inside sources at the Central Population Administration System, or MERNİS, project, which is establishing a nationwide system of electronic data collection.</p>
<p>“A 20-year-old young man entered the office and started touting a computer program. He opened the program on a laptop and searched for the people we wanted by name and surname. Of course, we demanded our names be searched first,” Atilla wrote. “After he wrote my name and surname, the search produced a result in 25 seconds. My Turkish identity number, my mother’s and father’s names, my birthplace and birth date and my address details were all of a sudden disclosed.”</p></blockquote>
<p>Read more on the <a href="http://www.hurriyetdailynews.com/n.php?n=the-suspects-sent-to-the-courthouse-are-released-2010-07-28">Hurriyet Daily News</a>.</p>
<p><em>Photo credit: DHA</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12752</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AU: Personal data ‘left open to frauds’</title>
		<link>http://www.databreaches.net/?p=12749</link>
		<comments>http://www.databreaches.net/?p=12749#comments</comments>
		<pubDate>Wed, 28 Jul 2010 20:03:04 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Commentaries and Analyses]]></category>
		<category><![CDATA[Non-U.S.]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12749</guid>
		<description><![CDATA[Richard Willingham reports: The security of personal information held by the state government is inadequate, leaving it at a heightened risk of being stolen and misused by frauds, a report has found. An Auditor-General&#8217;s report into government departments, released yesterday, said access to confidential personal data was too widespread and increased the risk of identity [...]]]></description>
			<content:encoded><![CDATA[<p>Richard Willingham reports:</p>
<blockquote><p>
The security of personal information held by the state government is inadequate, leaving it at a heightened risk of being stolen and misused by frauds, a report has found.</p>
<p>An Auditor-General&#8217;s report into government departments, released yesterday, said access to confidential personal data was too widespread and increased the risk of identity theft and fraud.</p>
<p>Three departments did not even identify confidentiality of personal information as a risk.</p>
<p>In one case, the report found that actual personal data from the human resource system and payroll system was used to develop and test an application.</p></blockquote>
<p>Read more in <a href="http://www.theage.com.au/victoria/personal-data-left-open-to-frauds-20100728-10w6v.html">The Age</a>.</p>
<p>Related:  the full Victorian Auditor-General&#8217;s report, &#8220;Portfolio Departments: Interim Results of the 2009–10 Audits,&#8221;  can be obtained <a href="http://download.audit.vic.gov.au/files/20102807_Portfolio_Depts_full_report.pdf">here</a> (PDF, 1.3MB)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12749</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ukrainian Carding King ‘Maksik’ Was Lured to Arrest</title>
		<link>http://www.databreaches.net/?p=12747</link>
		<comments>http://www.databreaches.net/?p=12747#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:14:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Hack]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[Yastremskiy]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12747</guid>
		<description><![CDATA[Kim Zetter dips into Verizon&#8217;s new report and relays details of how Yastremskiy was eventually captured and arrested: A Ukrainian carder who earned more than $11 million selling credit and debit card data stolen from top U.S. retailers was lured to a meeting in Turkey in 2007 where he was arrested by local authorities, according [...]]]></description>
			<content:encoded><![CDATA[<p>Kim Zetter dips into <a href="http://www.databreaches.net/?p=12724">Verizon&#8217;s new report</a> and relays details of how Yastremskiy was eventually captured and arrested:</p>
<blockquote><p>
A Ukrainian carder who earned more than $11 million selling credit and debit card data stolen from top U.S. retailers was lured to a meeting in Turkey in 2007 where he was arrested by local authorities, according to a new report released Wednesday.</p>
<p>Maksym Yastremskiy, alleged to be the underground carding kingpin known as “Maksik,” was sentenced to 30 years in a Turkish prison. He was a key player in the criminal ring of TJX hacker Albert Gonzalez. </p></blockquote>
<p>Read more on <a href="http://www.wired.com/threatlevel/2010/07/maksik-lured-to-arrest/">Threat Level</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12747</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TX: Private information lands in dumpster near Interstate 10</title>
		<link>http://www.databreaches.net/?p=12745</link>
		<comments>http://www.databreaches.net/?p=12745#comments</comments>
		<pubDate>Wed, 28 Jul 2010 13:30:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Exposure]]></category>
		<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Paper]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[David Naworski]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12745</guid>
		<description><![CDATA[Sarah Forgany reports: Imagine your most private information falling into the wrong hands. That’s what some people dealt with after nearly 75 legal files were found in a dumpster off Interstate 10 near Boerne. It only took a few minutes to realize the paperwork was no trash. Rather, it included information like peoples’ lives, names, [...]]]></description>
			<content:encoded><![CDATA[<p>Sarah Forgany reports:</p>
<blockquote><p> Imagine your most private information falling into the wrong hands. That’s what some people dealt with after nearly 75 legal files were found in a dumpster off Interstate 10 near Boerne.</p>
<p>It only took a few minutes to realize the paperwork was no trash. Rather, it included information like peoples’ lives, names, addresses, bank accounts, social security numbers, driver license numbers, and birth dates.</p>
<p>The people these files belong to have no clue their information was sitting in a trash bin Monday evening.</p>
<p>But Attorney David Naworski told us he knew about them. We asked him if the folders came from his office, and if he threw them away. Naworski replied yes to both questions.</p>
<p>[...]</p>
<p>In 2005, the Texas Legislature passed the Identity Theft Enforcement and Protection Act. It requires businesses to erase or shred sensitive information that belongs to customers.</p>
<p>Naworski told us he’s not familiar with that law and says “I don’t shred anything.”</p></blockquote>
<p>Read more on <a href="http://www.kens5.com/news/Private-information-dumped-near-Interstate-10-99438849.html">KENS5</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12745</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2010 Data Breach Report From Verizon Business, U.S. Secret Service Offers New Cybercrime Insights</title>
		<link>http://www.databreaches.net/?p=12724</link>
		<comments>http://www.databreaches.net/?p=12724#comments</comments>
		<pubDate>Wed, 28 Jul 2010 12:51:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Commentaries and Analyses]]></category>
		<category><![CDATA[Of Note]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12724</guid>
		<description><![CDATA[From the press release: The 2010 Verizon Data Breach Investigations Report, based on a first-of-its kind collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups. The study, released Wednesday (July 28), [...]]]></description>
			<content:encoded><![CDATA[<p>From the <a href="http://www.prnewswire.com/news-releases/2010-data-breach-report-from-verizon-business-us-secret-service-offers-new-cybercrime-insights-99438559.html" target="_blank">press release</a>:</p>
<blockquote><p>The <a href="http://www.verizonbusiness.com/go/2010databreachreport/" target="_blank">2010 Verizon Data Breach Investigations</a> Report, based on a first-of-its kind collaboration with the U.S. Secret  Service, has found that breaches of electronic records last year  involved more insider threats, greater use of social engineering and the  continued strong involvement of organized criminal groups.</p>
<p>The study, released Wednesday (July 28),  also noted that the overall number of breaches investigated last year  declined from the total for the previous year – &#8220;a promising&#8221;  indication, the study said.</p>
<p>The report cited stolen  credentials as the most common way of gaining unauthorized access into  organizations in 2009, pointing once again to the importance of strong  security practices both for individuals and organizations.  Organized  criminal groups were responsible for 85 percent of all stolen data last  year, the report said.</p>
<p>[...]</p>
<p>The collaboration with  the Secret Service, announced in May, enabled this year&#8217;s Data Breach  Investigations Report to provide an expanded view of data breaches over  the last six years. With the addition of Verizon&#8217;s 2009 caseload and  data contributed by the Secret Service &#8212; which investigates financial  crimes &#8212; the report covers 900-plus breaches involving more than 900  million compromised records.</p>
<p>[...]</p>
<p><strong>Key Findings of the 2010 Report</strong></p>
<p>This year&#8217;s key findings both reinforce prior conclusions and offer new insights. These include:</p>
<ul type="disc">
<li><strong>Most data breaches investigated were caused by external sources.</strong> Sixty-nine percent of breaches resulted from these sources, while only  11 percent were linked to business partners.  Forty-nine percent were  caused by insiders, which is an increase over previous report findings,  primarily due in part to an expanded dataset and the types of cases  studied by the Secret Service.</li>
<li><strong>Many breaches involved privilege misuse. </strong>Forty-eight  percent of breaches were attributed to users who, for malicious  purposes, abused their right to access corporate information.  An  additional 40 percent of breaches were the result of hacking, while 28  percent were due to social tactics and 14 percent to physical attacks.</li>
<li><strong>Commonalities continue across breaches. </strong>As  in previous years, nearly all data was breached from servers and online  applications. Eighty-five percent of the breaches were not considered  highly difficult, and 87 percent of victims had evidence of the breach  in their log files, yet missed it.</li>
<li><strong>Meeting PCI-DSS compliance still critically important. </strong>Seventy-nine percent of victims subject to the PCI-DSS standard hadn&#8217;t achieved compliance prior to the breach.</li>
</ul>
<p><strong>The State of Cybercrime: 2010 </strong></p>
<p>[...]</p>
<p>Data breaches continue  to occur within all types of organizations. Financial services,  hospitality and retail still comprise the &#8220;Big Three&#8221; of industries  affected (33 percent, 23 percent and 15 percent, respectively) in the  merged Verizon-Secret Service dataset, though tech services edged out  retail in Verizon&#8217;s caseload.  A growing percentage of cases and an  astounding 94 percent of all compromised records in 2009 were  attributable to financial services.</p>
<p>More than half of the  breaches investigated by Verizon in 2009 occurred outside the U.S.,  while the bulk of the breaches investigated by the Secret Service  occurred in the U.S.  The report finds no correlation between an  organization&#8217;s size and its chances of suffering a data breach.</p>
<p>&#8220;Thieves are more  likely to select targets based on the perceived value of the data and  cost of attack than victim characteristics such as size,&#8221; Verizon  researchers noted.</p>
<p><strong>Recommendations for Enterprises </strong></p>
<p>The 2010 study once  again shows that simple actions, when done diligently and continually,  can reap big benefits. These actions include:</p>
<ul type="disc">
<li><strong>Restrict and monitor privileged users. </strong>The  data from the Secret Service showed that there were more insider  breaches than ever before. Insiders, especially highly privileged ones,  can be difficult to control. The best strategies are to trust but verify  by using pre-employment screening; limit user privileges; and employ  separation of duties. Privileged use should be logged and messages detailing activity generated to management.</li>
<li><strong>Watch for &#8216;Minor&#8217; Policy Violations. </strong>The  study finds a correlation between seemingly minor policy violations and  more serious abuse. This suggests that organizations should be wary of  and adequately respond to all violations of an organization&#8217;s policies.   Based on case data, the presence of illegal content on user systems or  other inappropriate behavior is a reasonable indicator of a future  breach. Actively searching for such indicators may prove even more  effective.</li>
<li><strong>Implement Measures to Thwart Stolen Credentials. </strong> Keeping credential-capturing malware off systems is priority No. 1.  Consider two-factor authentication where appropriate. If possible,  implement time-of-use rules, IP blacklisting and restricting  administrative connections.</li>
<li><strong>Monitor and Filter  Outbound Traffic. </strong> At some point during the sequence of events in many breaches, something  (data, communications, connections) goes out externally via an  organization&#8217;s network that, if prevented, could break the chain and  stop the breach. By monitoring, understanding and controlling outbound  traffic, an organization can greatly increase its chances of mitigating  malicious activity.</li>
<li><strong>Change Your Approach to Event Monitoring and Log Analysis. </strong>Almost  all victims have evidence of the breach in their logs. It doesn&#8217;t take  much to figure out that something is amiss and make needed changes.   Organizations should make time to review more thoroughly  batch-processed data and analysis of logs. Make sure there are enough  people, adequate tools and sufficient processes in place to recognize  and respond to anomalies.</li>
<li><strong>Share Incident Information. </strong>An  organization&#8217;s ability to fully protect itself is based on the  information available to do so.  Verizon believes the availability and  sharing of information are crucial in the fight against cybercrime.  We  commend all those organizations that take part in this effort, through  such data-sharing programs as the Verizon VERIS Framework.</li>
</ul>
</blockquote>
<p>A complete copy of the &#8220;2010 Data Breach Investigations Report&#8221; is available at <a href="http://www.verizonbusiness.com/go/2010databreachreport/" target="_blank">http://www.verizonbusiness.com/go/2010databreachreport/</a><em>.</em></p>
<p>Their finding on the percentage of cases involving insiders is lower than that reported earlier this week in a different study by ArcSight and Ponemon. The ArcSight <a href="http://cts.businesswire.com/ct/CT?id=smartlink&amp;url=http%3A%2F%2Fwww.arcsight.com%2Flibrary%2Fdownload%2Fponemon-2010-cost-of-cyber-crime-study%2F&amp;esheet=6372110&amp;lan=en-US&amp;anchor=http%3A%2F%2Fwww.arcsight.com%2Flibrary%2Fdownload%2Fponemon-2010-cost-of-cyber-crime-study%2F&amp;index=1&amp;md5=84fc5287626c15114c5883961b247e2c">study</a>, which focused on the costs of cybercrime, was conducted over a four-week period with 45 companies (as compared to the 900 cases in the Verizon report), and found that 62% of breaches involved insiders. Other findings from that study included:</p>
<ul>
<li>The median annualized cost of the 45  organizations was $3.8 million per year, but one firm in the study  spent over $52 million per year.</li>
<li>Cyber crimes are intrusive and common occurrences. The companies in  the study experienced 50 successful attacks per week and more than one  successful attack per company per week.</li>
<li>The most costly cyber crimes are those caused by web attacks,  malicious code and malicious insiders. These account for more than 90  percent of all cyber crime costs per organization on an annual basis.</li>
<li>In this benchmark study sample, the average number of days to  resolve a cyber attack was 14 days with an average cost to the  organization of $17,696 per day. The survey revealed that malicious  insider attacks can take up to 42 days or more to resolve.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12724</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NY: Cable guy guilty of ID theft</title>
		<link>http://www.databreaches.net/?p=12728</link>
		<comments>http://www.databreaches.net/?p=12728#comments</comments>
		<pubDate>Wed, 28 Jul 2010 12:51:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Business Sector]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[Time Warner Cable]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12728</guid>
		<description><![CDATA[A Time Warner Cable (“TWC”) technician, who illegally installed a spyware program on three of his employers’ computers to enable him to gain unauthorized access to TWC’s customer database and billing system, was convicted on all eight counts against him.  The jury convicted Louis Puesan, 45, of multiple counts, including computer trespass, computer tampering in [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>A Time Warner Cable (“TWC”) technician, who  illegally installed a  spyware program on three of his employers’ computers to  enable him to  gain unauthorized access to TWC’s customer database and billing  system,  was convicted on all eight counts against him.  The jury convicted  Louis Puesan, 45, of multiple  counts, including computer trespass,  computer tampering in the third degree,  unlawful duplication of  computer related material, and unlawful possession of  computer related  material.</p>
<p>As proven at trial, Puesan, a TWC technician for more than  20  years, committed several computer crimes against his employer in  February  2008, by installing unauthorized spyware on three of TWC’s  network computers at  its Northern Manhattan office at 401 West 219th  Street.</p>
<p>[...]</p>
<p>The  defendant is expected to be sentenced on September 13, and  faces up to four  years in prison on the most serious of the felony  charges.</p></blockquote>
<p>Read more on <a href="http://www.empirestatenews.net/News/20100728-7.html" target="_blank">Empire State News</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12728</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Botnet mastermind who infected 12m PCs nabbed : FBI</title>
		<link>http://www.databreaches.net/?p=12721</link>
		<comments>http://www.databreaches.net/?p=12721#comments</comments>
		<pubDate>Wed, 28 Jul 2010 12:51:34 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Hack]]></category>
		<category><![CDATA[Non-U.S.]]></category>
		<category><![CDATA[Of Note]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12721</guid>
		<description><![CDATA[International authorities have arrested a computer hacker believed responsible for creating the malicious computer code that infected as many as 12 million computers, invading major banks and corporations around the world, FBI officials said. A 23-year-old Slovenian known as Iserdo was snagged in Maribor, Slovenia, after a lengthy investigation by Slovenian Criminal Police there along [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>International authorities have arrested a computer hacker believed  responsible for creating the malicious computer code that infected as  many as 12 million computers, invading major banks and corporations  around the world, FBI officials said.</p>
<p>A 23-year-old Slovenian known as Iserdo was snagged in  Maribor, Slovenia, after a lengthy investigation by Slovenian Criminal  Police there along with FBI and Spanish authorities.</p>
<p>His arrest comes about five months after Spanish police  broke up the massive cyber scam, arresting three of the alleged  ringleaders who operated the so-called Mariposa botnet, stealing credit  cards and online banking credentials.</p></blockquote>
<p>Read more in the <a href="http://www.smh.com.au/technology/security/botnet-mastermind-who-infected-12m-pcs-nabbed--fbi-20100728-10viv.html" target="_blank">Sydney Morning Herald</a>.</p>
<p>The <a href="http://www.bbc.co.uk/news/technology-10786701">BBC</a> also covers the arrest, as does <a href="http://www.theregister.co.uk/2010/07/28/mariposa_vxer_cuffed/">The Register</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12721</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Potential security breach at Cooper Univ. Hospital</title>
		<link>http://www.databreaches.net/?p=12735</link>
		<comments>http://www.databreaches.net/?p=12735#comments</comments>
		<pubDate>Wed, 28 Jul 2010 12:51:24 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Healthcare Sector]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[Cooper University Hospital]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12735</guid>
		<description><![CDATA[Katherine Scott reports: A thumb drive that contained personal data about current and past graduate medical education residents and fellows at Cooper University Hospital has gone missing. Hospital sources tell Action News the thumb drive went missing on July 8th. [...] Stolen or lost, both scenarios are cause for concern according to Drexel University&#8217;s Robert [...]]]></description>
			<content:encoded><![CDATA[<p>Katherine Scott reports:</p>
<blockquote><p>A thumb drive that contained personal data about current and past  graduate medical education residents and fellows at Cooper University  Hospital has gone missing.  Hospital sources tell Action News the thumb  drive went missing on July 8th.</p>
<p>[...]</p>
<p>Stolen or lost, both scenarios are cause for concern according to Drexel University&#8217;s Robert D&#8217;Ovidio, Ph.D. because you cannot be absolutely certain the information won&#8217;t fall in the wrong hands, information hospital sources say includes social security numbers, addresses, and phone numbers.</p>
<p>&#8220;That data is a goldmine for lines of credit in your name,&#8221; said D&#8217;Ovidio.</p>
<p>Making matters worse, the hospital source tells Action News the data on the thumb drive was not secure. </p></blockquote>
<p>Read more on <a href="http://abclocal.go.com/wpvi/story?section=news/local&#038;id=7578794">ABC</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12735</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers add new twist to check counterfeiting</title>
		<link>http://www.databreaches.net/?p=12730</link>
		<comments>http://www.databreaches.net/?p=12730#comments</comments>
		<pubDate>Wed, 28 Jul 2010 12:10:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Hack]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Of Note]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12730</guid>
		<description><![CDATA[Jordan Robertson of the Associated Press reports: Think of it as one more reason not to write checks. Hackers believed to be operating out of Russia have figured out a high-tech way to carry out the decidedly low-tech crime of check fraud, a computer security company says &#8212; writing at least $9 million in fakes [...]]]></description>
			<content:encoded><![CDATA[<p>Jordan Robertson of the Associated Press reports:</p>
<blockquote><p>Think of it as one more reason not to write checks.  </p>
<p>Hackers believed to be operating out of Russia have figured  out a high-tech way to carry out the decidedly low-tech crime of check  fraud, a computer security company says &#8212; writing at least $9 million  in fakes against more than 1,200 legitimate accounts.</p>
<p>But these hackers got the account information in an unusual way: They  broke into three websites that specialize in a little-known type of  business &#8212; archiving check images online.</p>
<p>[...]</p>
<p>Stewart uncovered the scam while investigating malicious software  that steals banking passwords. In eavesdropping on one criminal group&#8217;s  communications, which he was able to do by infecting his own computer  with the malicious program the group was using, he noticed they were  doing something unexpected: collecting massive amounts of images of  checks.</p>
<p>He found a file logging all of their transactions, which revealed  that 3,285 checks were written against 1,280 accounts since June 2009.  Most checks were written for less than $3,000 to evade banks&#8217; anti-fraud  measures. Overall, he saw about 200,000 stolen check images &#8212;  suggesting the criminals have exploited only a fraction of the accounts  on which they have information.</p>
<p>SecureWorks isn&#8217;t identifying the hacked sites.</p></blockquote>
<p>Read more in the <a href="http://www.pressherald.com/business/hackers-add-new-twist-to-check-counterfeiting_2010-07-28.html" target="_blank">Portland Press Herald</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12730</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case</title>
		<link>http://www.databreaches.net/?p=12716</link>
		<comments>http://www.databreaches.net/?p=12716#comments</comments>
		<pubDate>Tue, 27 Jul 2010 19:16:01 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Exposure]]></category>
		<category><![CDATA[Healthcare Sector]]></category>
		<category><![CDATA[Of Note]]></category>
		<category><![CDATA[Paper]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[Rite Aid]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12716</guid>
		<description><![CDATA[See the companion press release from the FTC in a previous post. Rite Aid Corporation and its 40 affiliated entities (RAC) have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. [...]]]></description>
			<content:encoded><![CDATA[<p><em>See the companion press release from the FTC in a previous post.</em></p>
<p>Rite Aid Corporation and its 40 affiliated entities (RAC) have agreed  to pay $1 million to settle potential violations of the Health  Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy  Rule, the U.S. Department of Health and Human Services (HHS) announced  today. In a coordinated action, RAC also signed a consent order with the  Federal Trade Commission (FTC) to settle potential violations of the  FTC Act.</p>
<p>Rite Aid, one of the nation’s largest drug store chains,  has also agreed to take corrective action to improve policies and  procedures to safeguard the privacy of its customers when disposing of  identifying information on pill bottle labels and other health  information. The settlements apply to all of Rite Aid’s nearly 4,800  retail pharmacies and follow an extensive joint investigation by the HHS  Office for Civil Rights (OCR) and the FTC.</p>
<p>The OCR, which  enforces the HIPAA Privacy and Security Rules, opened its investigation  of RAC after television media videotaped incidents in which pharmacies  were shown to have disposed of prescriptions and labeled pill bottles  containing individuals’ identifiable information in industrial trash  containers that were accessible to the public. These incidents were  reported as occurring in a variety of cities across the United States.   Rite Aid pharmacy stores in several of the cities were highlighted in  media reports.</p>
<p><span id="more-12716"></span>Disposing of individuals’ health information in an  industrial trash container accessible to unauthorized persons is not  compliant with several requirements of the HIPAA Privacy Rule and  exposes the individuals’ information to the risk of identity theft and  other crimes.  This is the second joint investigation and settlement  conducted by OCR and FTC. OCR and FTC settled a similar case involving  another national drug store chain in February 2009.</p>
<p>“It is  critical that companies, large and small, build a culture of compliance  to protect consumers’ right to privacy and safeguard health information.  OCR is committed to strong enforcement of HIPAA,” said Georgina  Verdugo, director of OCR. “We hope that this agreement will spur other  health organizations to examine and improve their policies and  procedures for protecting patient information during the disposal  process.”</p>
<p>The HIPAA Privacy Rule requires health plans, health  care clearinghouses and most health care providers (covered entities),  including most pharmacies, to safeguard the privacy of patient  information, including such information during its disposal.</p>
<p>Among other issues, the reviews by OCR and the FTC indicate that:</p>
<ul>
<li>Rite  Aid failed to implement adequate policies and procedures to  appropriately safeguard patient information during the disposal process;</li>
<li>Rite Aid failed to adequately train employees on how to dispose of such information properly; and</li>
<li>Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.</li>
</ul>
<p>Under  the HHS resolution agreement, RAC agreed to pay a $1 million resolution  amount to HHS and must implement a strong corrective action program  that includes:</p>
<ul>
<li>Revising and distributing its policies and  procedures regarding disposal of protected health information and  sanctioning workers who do not follow them;</li>
<li>Training workforce members on these new requirements;</li>
<li>Conducting internal monitoring; and</li>
<li>Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.</li>
</ul>
<p>Rite  Aid has also agreed to external, independent assessments of its  pharmacy stores’ compliance with the FTC consent order. The HHS  corrective action plan will be in place for three years; the FTC order  will be in place for 20 years.</p>
<p>The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR website at <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html">http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html</a>.</p>
<p>OCR  has FAQs that address the HIPAA Privacy Rule requirements for disposal  of protected health information.  They can be found on the OCR website  at <a href="http://www.hhs.gov/ocr/privacy/index.html">http://www.hhs.gov/ocr/privacy/index.html</a>.</p>
<p>Source:  U.S. Department of Health and Human Services</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12716</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees</title>
		<link>http://www.databreaches.net/?p=12712</link>
		<comments>http://www.databreaches.net/?p=12712#comments</comments>
		<pubDate>Tue, 27 Jul 2010 19:13:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Exposure]]></category>
		<category><![CDATA[Healthcare Sector]]></category>
		<category><![CDATA[Of Note]]></category>
		<category><![CDATA[Paper]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[Rite Aid]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12712</guid>
		<description><![CDATA[The following is the FTC&#8217;s press release. In the next post, I&#8217;ll publish HHS&#8217;s press release on their settlement with Rite Aid. Rite Aid Corporation has agreed to settle Federal Trade Commission charges that it failed to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In [...]]]></description>
			<content:encoded><![CDATA[<p><em>The following is the FTC&#8217;s press release.  In the next post, I&#8217;ll publish HHS&#8217;s press release on their settlement with Rite Aid.</em></p>
<p>Rite Aid Corporation has agreed to settle Federal Trade Commission charges that it failed to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related action, the company’s pharmacy chain also has agreed to pay $1 million to resolve Department of Health and Human Services allegations that it failed to protect customers’ sensitive health information.</p>
<p>“Companies that say they will protect personal information shouldn’t be tossing patient prescriptions and employment applications in an open dumpster,” said Jon Leibowitz, Chairman of the Federal Trade Commission. “We hope other organizations will learn from the FTC’s action against Rite Aid to take their obligation to protect consumers’ personal information seriously.”</p>
<p>Rite Aid operates the third largest pharmacy chain in the United States, with about 4,900 retail pharmacies and an online pharmacy business.</p>
<p>The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications. At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act (HIPAA). This is the second case in which the FTC and HHS coordinated their investigations and settlements. The agencies resolved similar allegations with CVS Caremark in February 2009.</p>
<p><span id="more-12712"></span>According to the FTC’s complaint, Rite Aid failed to use appropriate procedures in the following areas:</p>
<ul>
<li>disposing of personal information,</li>
<li>adequately training employees,</li>
<li>assessing compliance with its disposal policies and procedures, and</li>
<li>employing a reasonable process for discovering and remedying risks to personal information.</li>
</ul>
<p>Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair.</p>
<p>The FTC settlement order requires Rite Aid to establish a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. In addition, the order bars future misrepresentations of the company’s security practices.</p>
<p>The HHS settlement requires Rite Aid pharmacies to establish policies and procedures for disposing of protected health information, create a training program for handling and disposing of patient information, conduct internal monitoring, and get an independent assessment of its compliance for three years. Rite Aid also will pay HHS $1 million to settle the matter. (http://www.hhs.gov/ocr/privacy/)</p>
<p>The FTC vote to approve the complaint and proposed consent agreement was 5-0. The agreement will be subject to public comment for 30 days, until August 27, 2010, after which the Commission will decide whether to make it final. Comments should be sent to: FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. To submit a comment electronically, please click on: https://ftcpublic.commentworks.com/ftc/riteaid/.</p>
<p>Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and its Consumer Response Center, Room 130, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. </p>
<p>Source:  Federal Trade Commission</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12712</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The plot thickens….</title>
		<link>http://www.databreaches.net/?p=12709</link>
		<comments>http://www.databreaches.net/?p=12709#comments</comments>
		<pubDate>Tue, 27 Jul 2010 13:49:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Healthcare Sector]]></category>
		<category><![CDATA[Lost or Missing]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[Archive Data Solutions]]></category>
		<category><![CDATA[South Shore Hospital]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12709</guid>
		<description><![CDATA[Steve Adams reports: A Pennsylvania company hired by South Shore Hospital to dispose of patient records outsourced the work to a second company, contributing to delays announcing the disappearance of 800,000 patients’ files. Phoenixville, Pa.-based Archive Data Solutions was notified in early May by the outside vendor that 800,000 individuals’ records removed from the hospital [...]]]></description>
			<content:encoded><![CDATA[<p>Steve Adams reports:</p>
<blockquote><p> A Pennsylvania company hired by South Shore Hospital to dispose of patient records outsourced the work to a second company, contributing to delays announcing the disappearance of 800,000 patients’ files.</p>
<p>Phoenixville, Pa.-based Archive Data Solutions was notified in early May by the outside vendor that 800,000 individuals’ records removed from the hospital on Feb. 26 were lost, spokeswoman Jill Fallon said Monday. Fallon declined to name the other vendor.</p></blockquote>
<p>Read more in the <a href="http://www.patriotledger.com/topstories/x1544034240/South-Shore-Hospital-records-lost-for-months">Patriot Ledger</a>.</p>
<p>Why do these firms continue to try to protect the identities of those who have been involved in breaches?  This all usually becomes a matter of public record anyway and it makes them look like they care more about the reputation of their business partners than they do the individuals whose lives have been affected. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12709</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>North Carolina To Privatize IT Operations, Jobs</title>
		<link>http://www.databreaches.net/?p=12704</link>
		<comments>http://www.databreaches.net/?p=12704#comments</comments>
		<pubDate>Tue, 27 Jul 2010 11:36:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12704</guid>
		<description><![CDATA[Paul McDougall reports: Faced with a looming, $3 billion budget deficit, North Carolina is eyeing a major shakeup of its tech operations that could see the state outsource the bulk of its IT work to the private sector while consolidating other operations internally. The state has launched a search for an outside consulting firm to [...]]]></description>
			<content:encoded><![CDATA[<p>Paul McDougall reports:</p>
<blockquote><p>Faced with a looming, $3 billion budget deficit, North Carolina is eyeing a major shakeup of its tech operations that could see the state outsource the bulk of its IT work to the private sector while consolidating other operations internally.</p>
<p>The state has launched a search for an outside consulting firm to help guide the reorganization, according to a memo Democratic governor Bev Perdue sent to state cabinet secretaries and agency heads. &#8220;The Office of Information Technology Services (ITS) issued a Request for Information to seek input and ideas from the vendor community for improving the delivery of IT in state government,&#8221; Perdue said in the memo, dated July 21st. </p></blockquote>
<p>Read more on <a href="http://www.informationweek.com/news/government/state-local/showArticle.jhtml?articleID=226200258">InformationWeek</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12704</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Citi plugs privacy hole in iPhone banking app</title>
		<link>http://www.databreaches.net/?p=12700</link>
		<comments>http://www.databreaches.net/?p=12700#comments</comments>
		<pubDate>Mon, 26 Jul 2010 21:54:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12700</guid>
		<description><![CDATA[Elinor Mills reports: Citibank has fixed a flaw in its iPhone app that was inadvertently storing customer account data on the mobile devices, the company said on Monday. &#8220;During a recent review, we discovered that our U.S. Citi Mobile iPhone banking app was accidentally saving information related to customer accounts in a hidden file on [...]]]></description>
			<content:encoded><![CDATA[<p>Elinor Mills reports:</p>
<blockquote><p>Citibank has fixed a flaw in its <a href="http://www.cnet.com/apple-iphone.html">iPhone</a> app that was inadvertently storing customer account data on the mobile devices, the company said on Monday.</p>
<p>&#8220;During a recent review, we discovered that our U.S. Citi Mobile iPhone  banking app was accidentally saving information related to customer  accounts in a hidden file on their iPhones,&#8221; the company said in a  statement. &#8220;This information may also have been saved on their computer  if they had been synchronizing their iPhone with their computer via  iTunes.&#8221;</p></blockquote>
<p>Read more on <a href="http://news.cnet.com/8301-27080_3-20011664-245.html" target="_blank">cnet</a>.   Spencer E. Ante has more on the background of the problem in the <a href="http://online.wsj.com/article/SB10001424052748703700904575391273536355324.html?mod=djemalertNEWS" target="_blank">Wall Street Journal</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12700</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SC: Post Office Admits Error in Sending Out Personal Information</title>
		<link>http://www.databreaches.net/?p=12698</link>
		<comments>http://www.databreaches.net/?p=12698#comments</comments>
		<pubDate>Mon, 26 Jul 2010 21:54:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Exposure]]></category>
		<category><![CDATA[Government Sector]]></category>
		<category><![CDATA[Paper]]></category>
		<category><![CDATA[U.S.]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12698</guid>
		<description><![CDATA[Michael Benning reports: The United States Post Office is responding to a story aired on WLTX where two women say they were delivered employees&#8217; personal information. Friday, Anne Clarkson and Sam Ruskin told us they had received a receipt in the mail last week for an outgoing package. On the back of the receipt was [...]]]></description>
			<content:encoded><![CDATA[<p>Michael Benning reports:</p>
<blockquote><p>The United States Post Office is responding to a story aired on WLTX  where two women say they were delivered employees&#8217; personal information.</p>
<p>Friday, Anne Clarkson and Sam Ruskin told us they had received a  receipt in the mail last week for an outgoing package. On the back of  the receipt was what looks like an old time card dated 2004 from the  Post Office. Two people&#8217;s names are provided along with their social  security numbers. <strong><em>Original Story:</em></strong> <a href="http://www.wltx.com/news/story.aspx?storyid=91498" target="_blank"><strong>Women Say Post Office Made Huge Error</strong></a></p>
<p>News 19 spoke with one of the women whose name and Social Security  number was on that time card Monday. She wasn&#8217;t interested in talking  about the matter.</p>
<p>Here is a statement we&#8217;ve received from Greater South Carolina District Communications Director Harry Spratlin:</p>
<p>We sincerely regret this error and any concern it may cause the public.</p>
<p>However, since the document in question was an internal form that affected two Postal employees, the public should not be affected. The initiative to re-use paper in this manner is not a part of Postal operations, but rather, was a temporary initiative used only at the Batesburg-Leesville Post Office.</p></blockquote>
<p>Read more on <a href="http://www.wltx.com/news/story.aspx?storyid=91648&#038;catid=2">WLTX</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12698</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hacked investment firm says hack intended as a launch pad</title>
		<link>http://www.databreaches.net/?p=12695</link>
		<comments>http://www.databreaches.net/?p=12695#comments</comments>
		<pubDate>Mon, 26 Jul 2010 14:33:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Financial Sector]]></category>
		<category><![CDATA[Hack]]></category>
		<category><![CDATA[U.S.]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12695</guid>
		<description><![CDATA[Attorneys for Resnick Investment Advisors in South Carolina have notified the New Hampshire Attorney General&#8217;s Office that in June 2010, the investment firm&#8217;s network was breached. The breach was discovered on June 22, and the means of attack identified and reported to the FBI. An investigation into the incident reportedly indicated that the breach did [...]]]></description>
			<content:encoded><![CDATA[<p>Attorneys for Resnick Investment Advisors in South Carolina have <a href="http://doj.nh.gov/consumer/pdf/resnick.pdf">notified</a> the New Hampshire Attorney General&#8217;s Office that in June 2010, the investment firm&#8217;s network was breached.   The breach was discovered on June 22, and the means of attack identified and reported to the FBI.</p>
<p>An investigation into the incident reportedly indicated that the breach did not result in any client files being accessed or downloaded,  and the firm notes that its security measures prevent downloading of any files.  Based on an investigation by their IT service provider, the firm believes that the motive was not to access, alter, or acquire any client records but to use Resnick&#8217;s corporate identity to launch a malicious attack on another entity. </p>
<p>The firm began sending out notifications to its clients last week and offered them free credit monitoring services for a year. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12695</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mississippi Woman Pleads Guilty to Conspiring with a Police Officer to Commit Identity Theft and Fraud</title>
		<link>http://www.databreaches.net/?p=12691</link>
		<comments>http://www.databreaches.net/?p=12691#comments</comments>
		<pubDate>Mon, 26 Jul 2010 14:00:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[U.S.]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12691</guid>
		<description><![CDATA[Patricia A. Wilson, 34, of Woodville, Miss., pleaded guilty Thursday  in federal court in Jackson, Miss., to conspiring with her cousin, a Natchez Police Department police officer, to commit identity theft, credit card fraud and bank fraud, the Justice Department announced last week. During her plea, Wilson acknowledged that on May 23, 2009, her cousin [...]]]></description>
			<content:encoded><![CDATA[<p>Patricia A. Wilson, 34, of Woodville, Miss., pleaded guilty Thursday  in federal court in Jackson, Miss., to conspiring with her cousin, a Natchez Police Department police officer, to commit identity theft, credit card fraud and bank fraud, the Justice Department announced last week.</p>
<p>During her plea, Wilson acknowledged that on May 23, 2009, her cousin arranged a meeting and gave Wilson a credit card, which she believed he had stolen. The police officer, who appeared to be holding a second credit card in his hand, asked Wilson to buy beer for an upcoming party he was throwing. The police officer also informed Wilson that the credit card had a $3,000 credit limit and told Wilson she could also use the stolen credit card to buy something for herself. Wilson took the credit card to a retail store in Vidalia, La., where she attempted to make a purchase, but the credit card, which had been reported as stolen, was declined. The information to which Wilson pleaded guilty also charges that the police officer made or caused to be made several other charges with the stolen credit and debit cards at retail stores, restaurants, and a gas station in Natchez, Miss., and Vidalia, La.</p>
<p>Wilson faces a maximum penalty of up to five years in prison. Her sentencing date has not yet been scheduled.</p>
<p>The case was investigated by the Federal Bureau of Investigation. The case is being prosecuted by Trial Attorney Erin Aslan of the Justice Department’s Civil Rights Division and Assistant U.S. Attorney Glenda Haynes of the U.S. Attorney’s Office for the Southern District of Mississippi.</p>
<p>Source:  Department of Justice</p>
<p>Note:  The press release does not reveal the police officer&#8217;s name, whether he&#8217;s still on the police force, or if he has been prosecuted or even charged with any crime. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12691</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Former Brio Tuscan Grille employee sentenced</title>
		<link>http://www.databreaches.net/?p=12689</link>
		<comments>http://www.databreaches.net/?p=12689#comments</comments>
		<pubDate>Mon, 26 Jul 2010 13:53:34 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Business Sector]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Insider]]></category>
		<category><![CDATA[Skimmers]]></category>
		<category><![CDATA[U.S.]]></category>
		<category><![CDATA[Brio Tuscan Grille]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12689</guid>
		<description><![CDATA[A former Kansas City, Mo., man was sentenced in federal court last week for stealing identity information from customers at the Plaza restaurant where he worked, then using that information to make online purchases. John David Woody, 35, of Los Angeles, Calif., formerly of Kansas City, was sentenced by U.S. Chief District Judge Fernando J. [...]]]></description>
			<content:encoded><![CDATA[<p>A former Kansas City, Mo., man was sentenced in federal court last week for stealing identity information from customers at the Plaza restaurant where he worked, then using that information to make online purchases.</p>
<p>John David Woody, 35, of Los Angeles, Calif., formerly of Kansas City, was sentenced by U.S. Chief District Judge Fernando J. Gaitan to three years in federal prison without parole.</p>
<p>On Jan. 22, 2010, <a href="http://www.databreaches.net/?p=9574" target="_blank">Woody pleaded guilty</a> to aggravated identity theft, credit card fraud and mail fraud. Woody admitted that in July and August 2008 he gained access to the credit card numbers of 20 customers at the Brio Tuscan Grille in the Country Club Plaza while he was employed as a waiter at the restaurant. Woody used an electronic device to skim the magnetic strip on the back of credit cards to capture all the credit and identity information necessary to effect financial transactions without the knowledge and authority of the cardholder. The credit cards were then returned to the customers.</p>
<p>Woody used customers’ identity information and credit card numbers to place online orders, including thousands of dollars worth of boxed sets of DVDs.</p>
<p>This case was prosecuted by Assistant U.S. Attorney John E. Cowles. It was investigated by the U.S. Postal Inspection Service.</p>
<p>Source:  United States Attorney for the Western District of Missouri</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12689</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TX: Private Information Found Near Public Street in Bryan</title>
		<link>http://www.databreaches.net/?p=12685</link>
		<comments>http://www.databreaches.net/?p=12685#comments</comments>
		<pubDate>Mon, 26 Jul 2010 13:46:01 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Exposure]]></category>
		<category><![CDATA[Paper]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12685</guid>
		<description><![CDATA[Kristen Ross reports: Pounds and pounds of trash are dumped each year in the state in places they shouldn&#8217;t be&#8230;..  That isn&#8217;t always the biggest problem. Sometimes, it’s what is found. [...] What the couple had found was three small file boxes full of personal records. Although more than a decade old and visibly damaged [...]]]></description>
			<content:encoded><![CDATA[<p>Kristen Ross reports:</p>
<blockquote><p>Pounds and pounds of trash are  dumped each year in the state in places they shouldn&#8217;t be&#8230;..  That isn&#8217;t always the biggest problem. Sometimes, it’s what is found.</p>
<p>[...]</p>
<p>What the couple had found was  three small file boxes full of personal records. Although more than a  decade old and visibly damaged from the weather, the information on many  of the records was still fully intact.</p>
<p>“It had a bank name on it,” the man said. “This might be some information that shouldn&#8217;t have gotten out.”</p>
<p>The name on the records: First Federal Savings Bank.</p>
<p>We decided to track the records  back to the original owners to find out how such private information  ended up near this public street in Bryan.</p>
<p>According to public documents,  First Federal Savings Bank had locations in Bryan, but apparently closed  its doors under that name around 2002, and has been acquired by several  banks since then, Prosperity Bank most recently.</p>
<p>We contacted officials with  Prosperity who declined an on-camera interview, but did take a look at  the records. They tell News 3 they never assumed ownership of these  banking records, and that all of their records are destroyed by a  professional company on-site.</p>
<p>How they ended up on a residential  street in Bryan for now remains a dangerous mystery for those whose  information was compromised.</p></blockquote>
<p>Read more on <a href="http://www.kbtx.com/home/headlines/99202649.html" target="_blank">KBTX</a>.  The Attorney General&#8217;s office reportedly declined to get involved absent proof that the records were intentionally dumped.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12685</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Schools risk theft of SS numbers of children</title>
		<link>http://www.databreaches.net/?p=12680</link>
		<comments>http://www.databreaches.net/?p=12680#comments</comments>
		<pubDate>Mon, 26 Jul 2010 11:55:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Commentaries and Analyses]]></category>
		<category><![CDATA[Of Note]]></category>
		<category><![CDATA[U.S.]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12680</guid>
		<description><![CDATA[Matthew Cella reports: Schools are putting children at risk of identity fraud by obtaining their Social Security numbers when it is not required by law and often unnecessary, the Social Security Administration&#8217;s Office of Inspector General has concluded. Some school systems in at least 26 states collect the nine-digit identifiers when students from kindergarten through [...]]]></description>
			<content:encoded><![CDATA[<p>Matthew Cella reports:</p>
<blockquote><p>Schools are putting children at risk of identity fraud by obtaining their Social Security numbers when it is not required by law and often unnecessary, the Social Security Administration&#8217;s Office of Inspector General has concluded.</p>
<p>Some school systems in at least 26 states collect the nine-digit identifiers when students from kindergarten through high school register for classes, even though the respective state does not require it as a matter of law, according to a report released last week.</p></blockquote>
<p>Read more in the <a href="http://www.washingtontimes.com/news/2010/jul/25/schools-risk-theft-of-ss-numbers-of-children/">Washington Times</a>.</p>
<p>Related: The Inspector General&#8217;s report can be found here:<br />
A-08-10-11057 &#8211; 7/22/10 &#8211; 	<a href="http://www.ssa.gov/oig/ADOBEPDF/A-08-10-11057.pdf">Kindergarten Through 12th Grade Schools&#8217; Collection and Use of Social Security Numbers</a>  (pdf)</p>
<p><em>Cross-posted from PogoWasRight.org</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12680</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>(follow-up) AU: Alleged hacker pleads guilty to data theft</title>
		<link>http://www.databreaches.net/?p=12676</link>
		<comments>http://www.databreaches.net/?p=12676#comments</comments>
		<pubDate>Mon, 26 Jul 2010 11:49:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Non-U.S.]]></category>
		<category><![CDATA[Anthony Scott Harrison]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12676</guid>
		<description><![CDATA[ABC News in Australia reports: An alleged computer hacker has confirmed guilty pleas to charges of theft of personal information. South Australian police alleged Anthony Scott Harrison, 21, infected more than 3,000 computers worldwide with software designed to capture bank and credit card details and had potential to infect up to 74,000 computers. Harrison has [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.abc.net.au/news/stories/2010/07/26/2964174.htm">ABC News</a> in Australia reports:</p>
<blockquote><p>An alleged computer hacker has confirmed guilty pleas to charges of theft of personal information.</p>
<p>South Australian police alleged Anthony Scott Harrison, 21, infected more than 3,000 computers worldwide with software designed to capture bank and credit card details and had potential to infect up to 74,000 computers.</p>
<p>Harrison has pleaded guilty to seven charges in the District Court in Adelaide, including four counts of modifying computer data to cause harm or inconvenience, two of illegally possessing or controlling data and one of dishonestly manipulating a machine.</p>
<p>The court will hear sentencing submissions in September.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12676</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PA: Credit Card Scam</title>
		<link>http://www.databreaches.net/?p=12669</link>
		<comments>http://www.databreaches.net/?p=12669#comments</comments>
		<pubDate>Sun, 25 Jul 2010 12:18:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Breach Incidents]]></category>
		<category><![CDATA[Business Sector]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Other]]></category>
		<category><![CDATA[U.S.]]></category>

		<guid isPermaLink="false">http://www.databreaches.net/?p=12669</guid>
		<description><![CDATA[Ben Russell reports: The scammer posed as both a local and federal police officer. The incidents began last Friday when a man called several restaurants along the Carlisle Pike in Hampden Township. In one instance, he said his name was Officer Miller and that he was doing a fraud investigation. For the investigation, he needed [...]]]></description>
			<content:encoded><![CDATA[<p>Ben Russell reports:</p>
<blockquote><p>
The scammer posed as both a local and federal police officer.</p>
<p>The incidents began last Friday when a man called several restaurants along the Carlisle Pike in Hampden Township. In one instance, he said his name was Officer Miller and that he was doing a fraud investigation.</p>
<p>For the investigation, he needed all of the credit card information from cards used that day.</p>
<p>At least two restaurant employees bought the scam.</p>
<p>So far, police have identified at least 80 compromised accounts, including five that were used to make illegal purchases in New Jersey.</p></blockquote>
<p>Read more on <a href="http://www.whptv.com/news/local/story/Credit-card-scam/TDTD0L-SmUKRqgepVPK5yg.cspx">WHP-TV</a>.</p>
<p><em>Via <a href="http://www.creditnet.com/credit-news/credit-card-information-stolen-from-restaurants-in-phone-scam-19901744.php">CreditNet</a></em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.databreaches.net/?feed=rss2&amp;p=12669</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
