The Breach Blog

Thank You and Moving On

evan@frsecure.com (Evan Francen) — Wed, 11 Feb 2009 15:50:00 GMT

First, I want to sincerely thank all of the readers of the Breach Blog. I have been blessed with the opportunity to meet some very genuine and talented people during my time writing here.

Now is the time for me to move on. I am moving on to other information security related projects. I am moving on to projects that play more into my strengths as an information security practitioner and give more value to a greater number of people. The project taking up most of my time right now is the creation of a series of information security training classes and seminars. It is just one way that I think I can contribute more.

The Breach Blog will still remain active, it just won't be updated on a regular basis anymore. Sometime within the next few weeks, I will post links to one or more of my new projects in a hope that you will find me and my work there.

The Breach Blog started out 18 months ago as a place where I could jot down my thoughts about breaches. It was a place that allowed me to read about current breaches, learn from mistakes, and make comments about my thoughts. What started out small, grew over time and I was (and continue to be) glad to share. In the end, I just want to help people do a better job securing the information assets that they are responsible for.

There are many sites that do a great job of staying current with today's breaches. These sites are maintained by talented and passionate information security professionals. True patriots. Check them out at the links below.

PogoWasRight
Inside ID Theft
Emergent Chaos
Personal Health Information Privacy
Office of Inadequate Security
Merchant 911
Identity Theft Resource Center
Open Security Foundation Dataloss db
National ID Watch
Streetwise Security Zone

If I forgot a site, my apologies in advance.

I still have plenty of opinions, I will just be voicing them in a different manner in a different place.

Again, a sincere thank you to everyone who read and participated. I hope to run into you all again soon!

Evan Francen
P.S. The "Contact Me" link on the right sidebar will remain active for anyone who wishes to use it.

Kaiser Permanente personnel files found after arrest

evan@frsecure.com (Evan Francen) — Mon, 09 Feb 2009 17:42:00 GMT

Technorati Tag: Security Breach

Date Reported:
2/6/09

Organization:
Kaiser Permanente

Contractor/Consultant/Branch:
None

Location:
Sacramento, California

Victims:
Employees

Number Affected:
"nearly 30,000"

Types of Data:
Personal information, including "names, social security numbers and birthdates"

Breach Description:
"SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday."

Reference URL:
CBS13/CW 31 News
The Mercury News
MSNBC

Report Credit:
CBS13/CW31 News

Response:
From the online sources cited above:

SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday.
[Evan] The obvious question is how did this person come into possession of the sensitive information?

Some employees told KCRA 3 that they received an automated voicemail message from Atlanta, Ga., about the information breach.

Kaiser set up a toll-free number for workers to get answers to their questions at 1-877-281-3573.
[Evan] When you call, you get a recorded message.

The information included employee names, social security numbers and birthdates.

The person who took the computer file was not a Kaiser employee, the company said, and that the file was found in their possession after being put under arrest.
[Evan] What was this mystery person arrested for in the first place?

"We immediately launched an internal investigation and are working to determine the source of this breach, and we are working closely with law enforcement in their investigation," representative Gerri Ginsburg said in a statement.

"To our knowledge, only a handful of employees have reported identity theft."
[Evan] This is troubling because we know that some of the information was actually used to commit fraud.

Kaiser said no patient information or health files were involved.

Ginsburg said the file appears to contain Human Resources-type data, and that Kaiser Permanente member information and personal health information was not included on the file.

We regret that this unfortunate incident occurred," said Gay Westfall, Senior Vice President Human Resources, Kaiser Foundation Health Plan/Hospitals, Northern California.

Kaiser says it is notifying affected employees in three ways: by automated phone call, by letter to their home and by email at their work email address if they have one.

Kaiser is also offering to pay for a year of credit monitoring for the employees.

Commentary:
There are many questions remaining that should be answered in the coming weeks or months. If I were to guess, I would guess that the breach source is (or was) an insider, but this is only a guess.

Past Breaches:
Unknown

Purdue mailing error hits temporary workers

evan@frsecure.com (Evan Francen) — Mon, 09 Feb 2009 05:27:00 GMT

Technorati Tag: Security Breach

Date Reported:
2/3/09

Organization:
Purdue University

Contractor/Consultant/Branch:
None

Location:
West Lafayette, Indiana

Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"

Number Affected:
"248 companies and 962 individuals"

Types of Data:
Personal information, including that found on IRS 1099 forms (Names, addresses, employer identification numbers, Social Security numbers, etc.)

Breach Description:
"WEST LAFAYETTE, Ind. - A potential problem involving 1099 forms may affect individuals or organizations who were employed on a temporary basis by Purdue University in 2008. Due to a mailing error, some of these forms were inadvertently sent to the wrong individual or organization."

Reference URL:
Purdue University News Service
The Exponent (original)
The Exponent (update)

Report Credit:
Purdue University

Response:
From the online sources cited above:

WEST LAFAYETTE, Ind. - A potential problem involving 1099 forms may affect individuals or organizations who were employed on a temporary basis by Purdue University in 2008.

Due to a mailing error, some of these forms were inadvertently sent to the wrong individual or organization.

The incident affected 248 companies and 962 individuals, said John R. Shipley, interim vice president for business services and assistant treasurer.

The forms were printed two per page.

Instead of separating the forms and sending them out individually, the two forms were sent to the taxpayer at the top of the page.
[Evan] I have never worked in a mail room before, nor have I been involved in a large mailing operation, but shouldn't there be some kind of test run? It seems like you would really have to be inattentive to have this happen.

Purdue is contacting each recipient to ask that the forms sent in error be returned to the university.

Purdue and its payroll department are committed to protecting the information and privacy of our students, faculty and staff.
[Evan] Just not temps and/or contractors. ;)

If you would like more information, please call toll free at (866) 248-1178.

"While the incident was unfortunate," Shipley said, "I'm thankful that our staff acted promptly to ensure that all the affected parties were notified in a timely fashion."

How do I guard against identify theft?
Watch your financial statements and credit reports to check for entries that you don't recognize or any new accounts opened in your name.
[Evan] This tip won't guard you against identity theft, this tip only alerts you after the fact.

What action is Purdue taking to prevent illegal access of confidential information in the future?
Purdue has directed all units on all campuses to discontinue the use of Social Security numbers in all records except those that are absolutely necessary or required by law.
[Evan] This is a good idea, but Social Security numbers are required by the payroll department and the information is required on 1099 forms (for individuals).

Purdue also has a large-scale program to improve its security under way called SecurePurdue, available online at www.purdue.edu/securePurdue/theft.cfm
[Evan] I like it!

Purdue is centralizing records that must contain Social Security numbers as well as conforming to a high level of computer authentication, authorization and encryption for access to these records.

Jessica Berger, a high school teacher who leads workshops for Purdue, received someone else’s form in addition to her own.

“I got it on Friday so I had it a whole weekend before I could contact Purdue,” she said. “It was up in the air; it could have been bad, but it worked out OK for us.”

Berger’s husband, Mikel, did not fair so well.

“My husband didn’t know about it because he hadn’t received his form,” she said. “He wouldn’t have known someone else had his form or that this even happened if it wasn’t for my form and me getting someone else’s.”

Commentary:
Errors happen, right?

Past Breaches:
Purdue University:
September, 2007 - Identity Details on 111 Purdue Students Exposed on Internet Server

Credit card skimming may affect 4,000 Best Buy customers

evan@frsecure.com (Evan Francen) — Mon, 09 Feb 2009 04:23:00 GMT

Technorati Tag: Security Breach

Date Reported:
2/6/09

Organization:
Best Buy Co., Inc.

Contractor/Consultant/Branch:
West Palm Beach, Florida store

Location:
West Palm Beach, Florida

Victims:
Customers during November and December, 2008

Number Affected:
"approximately 4,000"

Types of Data:
"credit card information"

Breach Description:
"An employee at Best Buy’s 1880 Palm Beach Lakes Blvd in West Palm Beach, Florida allegedly stole credit card information during November and December 2008 using an unauthorized personal device."

Reference URL:
Best Buy Customer Alert
WPEC NEWS 12
Orlando Sentinel
Sun Sentinel

Report Credit:
Best Buy

Response:
From the online sources cited above:

An employee at Best Buy’s 1880 Palm Beach Lakes Blvd in West Palm Beach, Florida allegedly stole credit card information during November and December 2008 using an unauthorized personal device.

Best Buy learned of the theft on Jan. 5, 2009.
[Evan] I'm wondering how Best Buy learned of the theft.

With the cooperation and assistance of store management, the employee was identified and taken into federal custody by the Secret Service on Jan. 7, 2009.

Federal authorities arrested Brittany Johnson, 22, of West Palm Beach, formerly a cashier at the Best Buy store at 1880 Palm Beach Lakes Blvd.
[Evan] Brittany, Brittany, Brittany, what were you thinking? What do you suppose Ms. Johnson's future employment prospects look like?

They charged her in the theft of thousands of credit cards numbers from customers, according to a criminal complaint by the U.S. attorney's office in Miami.

She sold the credit card numbers to Marius Tyree Harden, 28, of Tamarac, authorities said. Johnson and Harden were arrested on Jan. 15 and Jan. 30, respectively.

Both were charged with possession of a skimming device with the intent to defraud.
[Evan] I am no lawyer, but I assume that just having a "skimming device" or hand-held magnetic stripe reader in your possession is illegal. I suppose it depends on your location and your "intent".

A skimmer (or hand-held card reader)

Johnson told U.S. Secret Service agents that Harden approached her in November and gave her the skimming device, or card reader, to copy credit cards from customers as they make purchases.

Johnson copied the cards from customers and met with Harden weekly in November and December, and sold him the card numbers for $17 per number. She made about $1,000.
[Evan] Ms. Johnson ended up selling a good part of her future for $1,000. I suppose most people have a "tipping point", but for most people it is substantially higher than this! The math is off somewhere; $17/card x 4,000 = $68,000.

Harden resold them to third parties for hundreds of dollars, authorities said.

That person is no longer employed by Best Buy.
[Evan] Why?!?! ;)

Although none of Best Buy’s electronic systems were compromised by this former employee’s actions, Best Buy believes that approximately 4,000 people could have been affected by this former employee’s unlawful skimming of customer credit card information.

State and federal law enforcement authorities and all relevant payment card brands have been notified of the incident and Best Buy is fully cooperating with all investigations.

In addition, Best Buy is sending letters to customers who may have been affected by this
fraudulent activity, notifying them of the situation and encouraging them to review their account statements and monitor their credit reports.

Customers who shopped the West Palm Beach Store in November and December 2008 and believe they may have been affected by this situation should call Best Buy Customer Care at 1-866-792-6391, and review the full text of the Substitute Notice Letter

“The security and privacy of our customers is very important to Best Buy and regret any
inconvenience this situation may have caused our customers,” said Todd Hartman, vice president and chief compliance officer, Best Buy.

“What this person did was unlawful and in violation of clearly established Best Buy policy and procedure. While we have measures in place to prevent this type of situation from happening, we are carefully reviewing our processes to minimize the chance that it could happen again, including issuing special advisories to store management.”

We apologize for any inconvenience this situation may have caused you. Please do not hesitate to call Best Buy’s Customer Care at 1-888 BEST BUY if you have questions or concerns.

Commentary:
I'm surprised that we don't read about more of these types of incidents. Logic tells me that card skimming is much more prevalent than the number of news stories indicate. It is such an easy crime to commit and get away with (for a time). Credit card information can either be sold to others (there is a thriving market) or used directly (written to cards or used online w/CVV). This type of fraud is certainly not new and may spike in frequency given current economic conditions.

How do we prevent this? For one, the system is broken. When I refer to the system, I am referring to the entire credit/debit card system. Not much we can do to change an industry (yet), so we are left to secure our own people, processes and technologies ("ppt").

Some ideas for our "ppt" can include secure hiring practices, strict credit card and/or other sensitive information collection, storage, transmission, and destruction procedures, surveillance, and management training. Of course, everything in security needs to start with a (management) commitment.

Past Breaches:
Unknown

Laptop stolen from Educational Testing Service office

evan@frsecure.com (Evan Francen) — Fri, 06 Feb 2009 19:17:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/29/09

Organization:
Educational Testing Service ("ETS")

Contractor/Consultant/Branch:
None

Location:
Unknown

Victims:
Readers

Number Affected:
Unknown

Types of Data:
Personal information, including names and Social Security numbers

Breach Description:
"Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS). The laptop contained sensitive information belonging to people serving in the "role as a reader for ETS."

Reference URL:
Maryland Attorney General breach notification

Report Credit:
The Maryland Attorney General

Response:
From the online source cited above:

This letter is to notify you of a potential compromise of your personal information, including your name and social security number.

We collected this information from you as part of our record keeping relating to your role as a reader for ETS.
[Evan] I can understand the potential need to collect Social Security numbers; maybe for tax purposes, but I don't understand the practice of storing this information on a laptop computer (even if it's kept in the office).

Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS).

The laptop had been locked into its docking station.
[Evan] Was the docking station stolen too?

On December 16, the fact that the laptop was missing was reported to ETS IT Security and ETS physical security.

IT Security examined the hard drive backup for the laptop and discovered that some personally identifiable Information (PII) about you was present on the hard drive of the missing laptop, including your name and social security number.
[Evan] I am surprised to read that there was a "hard drive backup" of a user's laptop. This just isn't feasible in many organizations. I wonder if ETS is referring to folder synchronization as a "hard drive backup".

We have contacted local law enforcement authorities regarding this incident.

We have no reason to believe that the laptop was taken because of the PII on its hard drive.

As there is a potential that it could be accessed, we recommend that you take precautionary measures
[Evan] Sometimes it doesn't matter what "precautionary measures" you take when the organizations who store your personal information do so insecurely.

ETS is making efforts to recover the missing hardware.

ETS is taking steps to prevent a recurrence of this incident.

First, ETS has enhanced its physical security measures at all offices.

Second, ETS has begun deploying comprehensive military-grade encryption to all of its laptops; this project is scheduled for completion in the second quarter of 2009.
[Evan] Amen to this. It often takes an incident before changes are made. Obviously, it's too bad that this decision wasn't made before this incident.

In addition, all ETS computers, including laptops, can be accessed only via enforced strong passwords which must be changed regularly.
[Evan] If we increase the strength of passwords AND enforce regular changes, there is an increase in the number of incidents where people write passwords down. Nobody likes passwords. Users don't like them because they can be a pain in the rear and information security personnel don't like them because they can be a very weak form of authentication. A conundrum.

We apologize for any inconvenience and concern that this situation may cause.

Should you have any questions regarding this notice, including questions regarding your particular record, please do not hesitate to contact a PASS representative, by phone at 1-800-301-7286, or by mail at Educational Testing Service, PASS, 225 Phillips Boulevard, Ewing, NJ 08628.

ETS is offering one year of credit monitoring to the affected people.

Commentary:
Laptops aren't just stolen from cars.

Past Breaches:
Unknown

Successful social engineering attack leads to 45 vitcims

evan@frsecure.com (Evan Francen) — Fri, 06 Feb 2009 15:14:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/30/09

Organization:
State of Oregon

Contractor/Consultant/Branch:
Department of Human Services

Location:
Salem, Oregon

Victims:
"Coos County residents applying for assistance"

Number Affected:
45

Types of Data:
Personal information, including Social Security numbers

Breach Description:
"COOS BAY, Ore. (AP) — An online scam resulted in the theft of 45 Social Security numbers at the Oregon Department of Human Services office in Coos Bay last week."

Reference URL:
The World
Associated Press via The Oregonian

Report Credit:
Alexander Rich, The World

Response:
From the online sources cited above:

An online scammer made off with 45 Social Security numbers after sending a virus to a computer at the Department of Human Services office in Coos Bay last week.

The virus arrived in the form of a bogus e-mail with a link on it Jan. 23.

When an employee clicked on the link, it downloaded an application that recorded keystrokes and sent them to an external address.
[Evan] Huh? Was this just a momentary lapse in judgment, or is this employee an idiot?

Department officials discovered the virus later in the day and shut down the computer immediately.
[Evan] The department deserves some credit for detecting and responding on the same day.

E-mails were sent to other computers but no one else opened the application.
[Evan] How would it feel to be the only person to fall for the scam?

Gene Evans, a DHS spokesman, said the information was taken from Coos County residents applying for assistance through the Self-sufficiency Program.

All of those affected were notified of their lost information Monday and provided information about how to limit their risk of identity theft.

Evans said the department is constantly updating its virus scans, firewalls and staff training to identify scam e-mails that could contain viruses.

Commentary:
Human beings pose a great risk to the security of information, and social engineering is by far the easiest way to exploit the weakness. Social engineering may come in the form of an email such as the one in this incident, it may come in the form of a phishing email, it may come in the form of a telephone call or chat session, etc. Combating social engineering largely relies of employee education and constant awareness.

Past Breaches:
State of Oregon:
January, 2009 - Laptop stolen from University of Oregon affects youth with disabilities

Georgia parolee information lost on stolen computer

evan@frsecure.com (Evan Francen) — Thu, 05 Feb 2009 19:48:00 GMT

Technorati Tag: Security Breach

Date Reported:
2/3/09

Organization:
State of Georgia

Contractor/Consultant/Branch:
State Board of Pardons and Paroles

Location:
Roswell, Georgia

Victims:
"current and past parolees supervised by the agency since 1998"

Number Affected:
Unknown

Types of Data:
"names, dates of birth and social security numbers"

Breach Description:
The Georgia State Board of Pardons and Paroles has issued a News Release announcing the theft of a computer from a contractor working on behalf of the agency. The computer contained sensitive information belonging to certain current and former parolees.

Reference URL:
State Board of Pardons and Paroles News Release
The Daily Citizen

Report Credit:
The State Board of Pardons and Paroles

Response:
From the online sources cited above:

Atlanta, GA – Late last week, the offices of a state contractor in Roswell, Georgia, were burglarized and a computer was stolen.
[Evan] Should the State Board of Pardons and Paroles require sensitive information encryption from their contractors and other third-party partners?

The contractor was working with the agency to convert its Case Management System to a newer technology.

Although the stolen computer was the property of the contractor, it did contain state information on current and past parolees supervised by the agency since 1998.
[Evan] I assume that some of these current and past parolees are trying to live within the law now, and I would think that they have enough going against them as it is.

Information regarding current and past parolees that was lost in the burglary includes names, dates of birth and social security numbers.

Persons who have solely been supervised as probationers were not a part of this database.

The information was secured by multiple levels of passwords, and there is no evidence that it has been accessed or compromised.
[Evan] Multiple levels of passwords? It's harder to manage (create, store, remember, etc.) multiple passwords than it would be to just encrypt the hard drive, don't you think? Do you think there is a chance that the passwords were written down nearby?

Local authorities and the Georgia Bureau of Investigation are actively investigating the burglary.

As a precaution, current and former parolees should check banking and credit accounts for any indication that someone else is using their personal information, and remember to monitor the use of their personal information by regularly requesting a credit report.

Anyone who believes that they have experienced identity theft or unauthorized use of their personal information should inform their local law enforcement officials.
[Evan] Yeah, call local law enforcement. Don't bother the board!

Commentary:
It seems as though hard drive and/or data encryption is still sorely lacking globally. I wouldn't be surprised if we start to see more laws and regulations that will require data-at-rest and data-in-transit encryption. Unfortunately there are too many organizations that don't do the right thing, so they have to be told and sometime forced to.

Past Breaches:
State of Georgia:
March, 2008 -

Personal information stolen from Georgia DHR

Virus hits SRA International and leads to potential compromise

evan@frsecure.com (Evan Francen) — Thu, 05 Feb 2009 16:15:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/20/09

Organization:
SRA International, Inc.

Contractor/Consultant/Branch:
None

Location:
Fairfax, Virginia*

*SRA International headquarters are in Fairfax, but this incident may be global

Victims:
Employees, former employees, and dependents of employees who may be enrolled in the SRA benefits program

Number Affected:
Unknown (1,397 Maryland residents mentioned)

Types of Data:
"personal information such as name, address, date of birth, health information and Social Security Number"

Breach Description:
"The SRA Information Technology Services (ITS) team recently discovered a virus on the SRA network that may have allowed the compromise of data."

Reference URL:
Maryland Attorney General

Report Credit:
The Maryland Attorney General

Response:
From the online source cited above:

The SRA Information Technology Services (ITS) team recently discovered a virus on the SRA network that may have allowed the compromise of data.
[Evan] For years virus infections and outbreaks have been the most costly information security threats for organizations large and small. In my opinion, this is still very much true in today's environments. Viruses and other malware have been around almost as long as computers have, and there are no signs to indicate that infections will subside.

We immediately launched an investigation into this incident and informed law enforcement and other U.S. governmental authorities.

Our investigation into the source of the virus and potential data compromise continues, and SRA's ITS team, supported by SRA cyber security experts, is swiftly implementing mitigation and remediation actions to eradicate the virus.
[Evan] There are literally thousands of ways for a virus to get into an enterprise. Tracing a source can often be hindered by containment efforts.

At this time, we have not determined that any personnel data has been compromised but we believe it is appropriate to notify all employees, former employees and consumers that personal information may have been subject to unauthorized access.

The personnel data maintained by the company includes personal information such as name, address, date of birth, health information and Social Security Number, including those of any dependents that are enrolled in SRA benefits programs, as well as personal information stored on a company computer (and which in select cases might include personal data reflected in security position questionnaires) for approximately on thousand three hundred ninety-seven (1,397) residents of the State of Maryland.
[Evan] Was there any indication of this infection affecting the systems used to store sensitive information, or has the company decided to consider all systems and information at risk? Is sensitive information storage and processing contained to a small number of isolated systems? If so, then you only need to notify people with information on those systems. I am guessing that this virus propagated throughout SRA's network and systems AND that sensitive information is available throughout the enterprise rather than on a small number of isolated systems.

As a precautionary measure to help detect any possible misuse of personal information, SRA is offering to its current employees the services of credit monitoring.

In addition, SRA has created a dedicated information page on the internal company Web portal.
[Evan] This doesn't help former employees or consumers that may be affected.

SRA takes the security of personal data very seriously and is committed to minimizing the risks associated with the exposure of personal information.

Security is of paramount importance to SRA, and there are numerous safeguards in place to protect information.
[Evan] Security should be "of paramount importance" to everyone!

SRA is implementing additional safeguards intended to prevent a similar incident from occurring in the future.

You should be aware that the information you are receiving today is company proprietary and should not be discussed externally.
[Evan] This "proprietary" information has already been disclosed externally ;) Why does SRA not want this information to reach the public? You can probably come up with this answer yourself.

Commentary:
As I stated earlier, the threats posed by viruses are not going away. The risks of unauthorized disclosure, modification, and destruction of sensitive information are real, but can be minimized through a mix or good information security practices. Technical controls might include (depending on your environment) patch management, ingress/egress filtering and management, network segmentation, anti-virus management, IDS/IPS management, Network Access Control,

etc. Administrative controls might include policy development and improvement, segregation of duties, and employee training and awareness. You get the picture. Information security doesn't fit into a nice, neat, little box, does it?

Past Breaches:
Unknown

Beaumont city worker information posted online by mistake

evan@frsecure.com (Evan Francen) — Thu, 05 Feb 2009 04:37:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/26/09

Organization:
City of Beaumont (TX)

Contractor/Consultant/Branch:
None

Location:
Beaumont, Texas

Victims:
"current and former city employees"

Number Affected:
"about 500"

Types of Data:
"personal information including birth dates and social security numbers"

Breach Description:
"BEAUMONT, Texas — Personal information of about 500 current and former Beaumont city workers accidentally was posted online."

Reference URL:
KBMT Channel 12 News
Associated Press via the Houston Chronicle

Report Credit:
KBMT Channel 12 News

Response:
From the online sources cited above:

City of Beaumont officials tell KBMT 12 News they have notified about 500 current and former city employees that their personal information may have been compromised last week.

City Manager Kyle Hayes says the information was posted on the city's website at about noon January 14 and was finally taken down at about 8 a.m. January 15.
[Evan] If the city has adequate logging enabled on the web server, they should be able to determine (with some certainty) if the file was accessed by unauthorized persons. 20 hours may be long enough to have allowed for crawler visits.

Officials say it happened accidentally after the information was exchanged with a third party.
[Evan] Accidents are more common in cases where the employees are poorly educated (in information security) and unaware.

Hayes says the city sent a letter to the current and former employees late last week.

All were people who filed worker's compensation claims over the last five years.

The letter states the incident occurred "during the course of the city's request for proposals for a Third Party Administrator for Worker's Compensation claims." It goes on to say the information also included a 5-year claims' history.
[Evan] Why would sensitive information get posted to the city's web site during this process? The city issuing an RFP and posting sensitive information seem like two unrelated tasks.

He says while he was concerned about the leak, the information was "buried" in the site and was hard to find.
[Evan] Don't count on "hard to find" as any kind of adequate control. Security through obscurity ain't security.

KBMT obtained a copy of the letter from a concerned city employee. The letter states personal information including birth dates and social security numbers were accidentally posted on the web.

Beaumont City Attorney Tyrone Cooper says city officials are looking into how this happened and are working on "damage control."

One of the employees who was affected refused to go on camera, but said many of the 500 who are affected feel the city made the mess and should assist those affected in cleaning it up help monitor their credit.

Commentary:
The root cause of many breaches is poor information security training and awareness. Annual training (including assessments) are required in every information security program that I have established and/or managed, and awareness campaigns fill t

he gaps in between. What does your information security training and awareness program look like? Is it effective?

Past Breaches:
Unknown

Innodata Isogen employee data stolen from car

evan@frsecure.com (Evan Francen) — Wed, 04 Feb 2009 16:54:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/5/09

Organization:
Innodata Isogen, Inc.

Contractor/Consultant/Branch:
None

Location:
Hackensack, New Jersey

Victims:
"current and certain former Innodata Isogen employees"

Number Affected:
"as many as 141"

Types of Data:
"personal information, such as Social Security number, date of birth and home address"

Breach Description:
"On December 23, 2008, an Innodata Isogen employee's car was broken into in New Jersey and her laptop case with the laptop inside, along with benefit plan enrollment sheets, and some of her personal information, was stolen.

Reference URL:
Maryland Attorney General breach notification

Report Credit:
Maryland Attorney General

Response:
From the online source cited above:

Innodata Isogen, Inc. (Innodata Isogen), experienced a data breach when an Innodata Isogen laptop and other Innodata Isogen information was stolen.

It appears that as many as 141 individuals could have been affected

Innodata Isogen plans to begin notifying the affected individuals in the next several days.

On December 23, 2008, an Innodata Isogen employee's car was broken into in New Jersey and her laptop case with the laptop inside, along with 15 benefit plan enrollment sheets, and some of her personal information, was stolen.
[Evan] This incident concerns sensitive information stored electronically on a poorly secured laptop AND information found on paper. It is not common to read about a single breach involving multiple forms of information.

The laptop, which was password-protected, contained personal information, such as Social Security number, date of birth, and home address of current and certain former Innodata Isogen employees.
[Evan] Who is buying into the concept that operating system password-protection provides adequate access control? The fact that organizations even mention it is frustrating to me. It seems misleading in some respects. People know that an operating system password (in most cases) can be bypassed in a matter of seconds, right?

The benefit plan enrollment sheets contained similar information in respect to certain Innodata Isogen employees.
[Evan] No password needed to access this information, eh?

Immediately upon discovering the theft, the employee filed an incident report with the Wayne Police Department, and reported the theft to the General Counsel at Innodata Isogen.

To date, none of these items have been recovered by authorities.

The Company is not aware of any improper access or use of the personal information contained on the stolen items.
[Evan] And we wouldn't expect the company to be aware of any improper access at this point. How would Innodata know if data was improperly accessed on a stolen laptop?

Innodata Isogen has taken numerous steps to protect the security of personal information of the affected individuals, including providing a full package of credit protection services.
[Evan] Let's hope that this is just a misuse of words and not a misunderstanding of information security. Any steps taken by Innodata to "protect the security of personal information" on the laptop (and on the benefit enrollment sheets) is fruitless. They no longer have any control over this information, and thus they cannot do anything to protect against unauthorized disclosure.

Also, in addition to continuing to monitor the situation, Innodata Isogen is reexamining it [sic] current data privacy and security policies and procedures to find ways of reducing the risk of future data breaches.
[Evan] This should be a included in the ongoing management of every good information security program everywhere, regardless of a breach.

While we believe that there is little likelihood your information will be misused as a result of this incident, as a precaution we have arranged for First Advantage Corporation to provide you with 12 months of credit monitoring and related services at no cost to you.
[Evan] There is little likelihood? How does Innodata come to this conclusion? IF someone were to misuse the information, Innodata would be hard pressed (in this incident) to make it any easier.

We are committed to treating sensitive employee information in a confidential manner and are proactive in the careful handling of such information.
[Evan] I agree that Innodata probably is proactive in many respects, but in regards to this incident, I see very little evidence of proactive information security. Encrypting the laptop would be proactive. Prohibiting written sensitive information to be brought home would be proactive. Training and keeping employees aware of good information security practices is proactive. Writing a breach notification claiming to be proactive is NOT proactive.

We apologize sincerely for any inconvenience of discomfort this incident may cause you

Commentary:
According to Innodata Isogen's Corporate Fact Sheet; "Innodata Isogen helps many of the world's leading media, publishing and information services firms create and manage content more efficiently and economically." Efficiency and economy are good things, but security is equally (and in some cases) more important.

To be fair, this is one incident at a fairly large organization (~5,000 employees). One incident does not give us anywhere near enough information to conclude anything about Innodata Isogen's information security across the enterprise. However, we DO know that this incident was the result of following some very poor information security practices.

Past Breaches:
Unknown

45 Kansas State students' information sat exposed since 2001

evan@frsecure.com (Evan Francen) — Tue, 03 Feb 2009 15:18:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/30/09

Organization:
Kansas State University

Contractor/Consultant/Branch:
College of Agriculture

Location:
Manhattan, Kansas

Victims:
Students who "were enrolled in AGEC 490 "Computer Applications in Agricultural Economics and Agribusiness" during the spring semester of 2001"

Number Affected:
45

Types of Data:
"Names, Social Security numbers and grades"

Breach Description:
"Kansas State University is notifying 45 students who were enrolled in an agricultural economics class in spring 2001 that some personal information was inadvertently exposed on the Internet through a K-State departmental Web site."

Reference URL:
Presswire via Comtex and Trading Markets
Kansas City Star

Report Credit:
Kansas State University

Response:
From the online sources cited above:

Kansas State University is notifying 45 students who were enrolled in an agricultural economics class in spring 2001 that some personal information was inadvertently exposed on the Internet through a K-State departmental Web site.
[Evan] This breach is small in terms of the number of people affected, but it gives us a pretty good example of poor information (security) management. This information has been sitting (exposed) on a departmental web server for 7+ years!

The students whose information was affected were enrolled in AGEC 490 "Computer Applications in Agricultural Economics and Agribusiness" during the spring semester of 2001.

Names, Social Security numbers and grades of those students have been inadvertently exposed since 2001.

University information security staff were made aware of the problem last week.
[Evan] How were information security staff "made aware of the problem"?

All data has been removed from the Web site and steps are being taken to prevent a repeat of this situation.
[Evan] Like what? I would cut the school a little more slack if this wasn't their 3rd breach (that I know of) since November, 2007.

Although there is no evidence that anyone's personal information has been misused by identity thieves, the university is notifying the affected individuals of the situation and the steps they can take to protect themselves.
[Evan] If the information were misused, what evidence would Kansas State have? The information sat on the server for more than seven years without school officials or victims ever knowing. Think about it, if you were a student back in 2001 and you were a victim of identity theft at some point in the last seven years, how would you know that the information was obtained from Kansas State?

In addition to supporting the affected persons, the university continues implementing even more stringent network and server access controls and taking steps to increase faculty and staff awareness of personal information security issues.
[Evan] This all sounds good.

"Most importantly, we want to increase awareness among faculty and staff of the need to be vigilant protecting personal information, including Social Security numbers, in accordance with K-State policy," said Harvard Townsend, chief information security officer.

"We deeply regret this incident," Townsend said. "K-State takes the protection of the personal information of our students very seriously."

K-State has been phasing out the use of Social Security numbers as student identification, beginning with the elimination of these numbers from university ID cards in 2006.
[Evan] Has "phasing out" been completed? Is the process of going through information resources to identify and secure (or destroy) legacy Social Security numbers part of "phasing out"?

With the implementation of a new student system in fall 2008, the university eliminated the Social Security number as the student ID.

Fred Cholick, dean of Agriculture, said personnel in the department of agricultural economics have contacted students involved and will assist with any questions.

Information on preventing identity theft is available at www.k-state.edu/infotech/security/topics/idtheft.html

CONTACT: Allen Featherstone, K-State Tel: +1 785 532 4441 e-mail: afeather@k-state.edu Cheryl May, K-State Tel: +1 785 532 6415 e-mail: may@k-state.edu

Commentary:
This breach is very similar to one that was announced in November, 2007 at Kansas State (See: "128 international students exposed on K-State web site"). The November, 2007 breach was also a product of a poorly secured departmental web site that went unnoticed for many months. I chalked the November, 2007 breach up to a simple mistake, but here we are again.

Past Breaches:
Kansas State University:
August, 2008 - Documents are stolen from K-State instructor's car
November, 2007 - 128 international students exposed on K-State web site

CityStage gift card customer information exposed

evan@frsecure.com (Evan Francen) — Mon, 02 Feb 2009 21:31:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/28/09

Organization:
Springfield Performing Arts Development Corporation

Contractor/Consultant/Branch:
CityStage

Location:
Springfield, Massachusetts

Victims:
Customers

Number Affected:
60

Types of Data:
"credit card information"

Breach Description:
"SPRINGFIELD - A security breach involving CityStage's computer system might have exposed credit card information of 60 customers on the Internet, theater officials acknowledged Tuesday."

Reference URL:
The Republican

Report Credit:
Jack Flynn, The Republican

Response:
From the online sources cited above:

SPRINGFIELD - A security breach involving CityStage's computer system might have exposed credit card information of 60 customers on the Internet, theater officials acknowledged Tuesday.

Cynthia J. Anzalotti, president of the Springfield Performing Arts Development Corp., which oversees CityStage, said the breach was limited to customers purchasing holiday gift cards, and not patrons buying tickets to plays on the theater's Web site.

"We can't emphasize that enough," said Anzalotti, who said gift card purchases represent a very small percentage of the CityStage's overall business.
[Evan] Do you see the motive behind this statement?

The theater sent letters to customers who purchased gift cards online during December, stating the usual security measures to protect credit card numbers might have been compromised, Anzalotti said.
[Evan] It appears to me that sensitive information requires more than just the "usual security measures".

The theater also notified its lawyer, various credit card companies and the state attorney general's office, Anzalotti said.

An audit is also under way of the CityStage computer system to determine exactly what happened, though Anzalotti said the breakdown probably occurred in December while the theater's Web contractor was changing servers.

"We never had anything like this before," Anzalotti said.
[Evan] As far as you know.

The only complaint received by CityStage came from Chicopee lawyer John M. Corridan, who called after receiving the letter last week.

Corridan said hundreds of dollars in toys were fraudulently charged to his card in late December.

Forced to cancel the card, Corridan endured a week of financial havoc, he said.

"I was running around for a week like a chicken without a head," Corridan said. "Both my wife and I have businesses; when we canceled the card, we had to deal with vendors and advertisers who though we had cut them off."

The response by CityStage also left something to be desired, Corridan said.

"They were entirely indifferent," Corridan said. "They offered to have their lawyer call me."
[Evan] It's not unusual for organizations to act indifferent to breaches. Too many do.

Anzalotti and Tina M. D'Agostino, the marketing director, said Corridan was the only gift card customer who was claiming fraudulent charges on his card.

In addition, Corridan wanted to be reimbursed for his trouble, but would not provide proof that any illegal charges had been made on his card, Anzalotti said.

Corridan said nobody at the theater specifically asked to see his credit card records and offered only a vague explanation about what had happened.

"I figured at least they might say 'Sorry. See a couple of plays on us'," he said. "But no such luck."

Commentary:
I think Mr. Corridan was right on in his comment about CityStage being indi

fferent about this breach. I get little sense that they care, and more of a sense that this is a nuisance to the company.

Past Breaches:
Unknown

Citi Habitats client information strewn across four city blocks

evan@frsecure.com (Evan Francen) — Thu, 29 Jan 2009 20:09:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/27/09

Organization:
Citi Habitats

Contractor/Consultant/Branch:
None

Location:
New York, New York*

*465 Columbus Ave.

Victims:
Clients

Number Affected:
Unknown

Types of Data:
"bank statements, 401k statements, credit reports, tax returns and more driver's licenses than we could count"

Breach Description:
"Thousands of pages of bank statements, credit reports, tax returns and driver's licenses were discovered along Columbus Avenue afternoon yesterday, just waiting to be picked up by would-be identity thieves"

Reference URL:
WABC-TV Eyewitness News
Cityfile

Report Credit:
WABC-TV Eyewitness News

Response:
From the online sources cited above:

UPPER WEST SIDE (WABC) -- Eyewitness News made a stunning discovery on the streets of the Upper West Side Monday night. Scores of documents were found strewn on the street for anyone to pick up.
[Evan] No need to fear, the people who live in the Upper West Side are all good people, right? Nobody is going to take the stolen information and supplement their income. ;)

The paper trail stretched for blocks, billowing in the cold breeze on Columbus Avenue. It was not litter, but bits and pieces of people's lives.

There were copies of bank statements, 401k statements, credit reports, tax returns and more driver's licenses than we could count.

Elyssa Shapiro was on her way to work and couldn't believe what she was seeing.

"Just all kinds of information. Things that you never want anyone to know about yourself," she said.

"It was four blocks worth of personal information and it was identity theft waiting to happen."

The documents belonged to the local office of Citi Habitats, one of New York's best-known real estate firms.
[Evan] The documents belonged to Citi Habitats, but the information belongs to their clients. It is the responsibility of Citi Habitats to treat the information with respect and protect it. Affected clients should view this incident as disrespectful. As disrespectful as if a Citi Habitat employee spit on your face, but you can clean your face.

Their clients, whose personal information we found amid the trash, were appalled.
[Evan] The clients may be appalled, but what are the real consequences for Citi Habitats? Companies know that they are rarely held accountable for their actions and often escape with little or no consequence. Sad, but true.

"I feel kind of sick to be honest," former client Laura Dannen said.

Dannen used the firm to find an apartment in 2006. We found her name, phone number and annual income on a registration form.

"Just in the gutter? My life was in the gutter. That's nice," she said.

Paul Addessi is a doctor in Arizona. We found a portion of his 2006 tax return, listing his income and his social security number.

"They're getting the information, all this tax information, driver's license and everything, and they're not shredding the documents. They have a responsibility to shred the documents that they don't need," he said.

New York State law requires businesses to destroy or delete personal information before disposing of it.
[Evan] What happens to the average business that fails to abide by this law?

Citi Habitat's president released a statement that read, in part, "We believe that during a refurbishing of our 465 Columbus Avenue office, paper that should have been shredded was improperly placed as trash.

"We took immediate steps," he insisted, "to investigate and remediate this isolated incident, and are notifying those customers whose information may have been compromised."
[Evan] Unless Citi Habitats retrieved ALL of the documents (including those picked up by Eyewitness News), how will they be able to notify the affected customers? How do you remediate compromised information? You can't un-compromise it.

The firm did, in fact, send workers to clean up the mess. But we were still finding documents a block away a full eight hours after the clean up was over.

The documents that we saw appeared to pertain to real estate transactions that took place in 2006 and 2007.

The firm insists its policy is to destroy all documents that they no longer need, but they could not explain why that did not happen in this case.
[Evan] A policy don't mean squat if it isn't communicated and enforced. Too many policies are just pieces of paper that go unread.

Commentary:
These types of incidents happen all of the time. If you don't believe me, put on some dirty clothes and check out some of your local dumpsters. I was just called last week by a friend who told me that his mortgage company lost his mortgage application along with all of his supporting information. Lost could easily mean that it was simple thrown away, on accident.

What can you do?

We hope that companies will do the right thing, but too many aren't. Unfortunately, there are many companies being run by poor management. Because of this poor management, changes will only come with consequences (more law, more regulation, etc.).

Past Breaches:
Unknown

Jobseekers at risk after another Monster breach

evan@frsecure.com (Evan Francen) — Thu, 29 Jan 2009 15:59:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/23/09

Organization:
Monster Worldwide, Inc

Contractor/Consultant/Branch:
Monster's online job seeking communities (Monster.com, Monster.co.uk, etc.)

Location:
New York, New York*

*The Monster Worldwide, Inc. headquarters is located in New York, New York. This incident was an online breach, so physical location is difficult to determine.

Victims:
Job seekers and other customers

Number Affected:
Unknown**

**BBC News reports "Users around the world have been affected, including the 4.5 million users of the UK site."

Types of Data:
"user names, passwords, telephone numbers and e-mail addresses, alongside demographic data, birth dates, gender and ethnicity"

Breach Description:
"Hackers are believed to have stolen the personal details of millions of people using the online job site Monster."

Reference URL:
BBC News
The Times (UK)
Monster.com Security Notice

Report Credit:
Monster Worldwide, Inc.

Response:
From the online sources cited above:

FROM NEWS SOURCES:
Hackers are believed to have stolen the personal details of millions of people using the online job site Monster.
[Evan] Not cool! This does reflect well on Monster's information security effectiveness, does it? According to various sources, this is the third breach (publicly disclosed) involving jobseeker information.

Users around the world have been affected, including the 4.5 million users of the UK site.
[Evan] Monster has not disclosed how many people might be affected worldwide, citing the "need to protect the integrity of our security systems and our ongoing inquiry into this situation". I don't see how disclosing the number of users affected will compromise the investigation or security system integrity. It's not like the bad guys don't know already! Disclosing the number of affected users would certainly end some speculation.

The recruitment giant has advised people to change their passwords and be on the lookout for phishing e-mails.
[Evan] This is especially true if you use the same password for multiple (and potentially more sensitive) accounts. My wife was using the same password for PayPal that she used for Monster.com! Obviously, we put an end to that. Check out the "Commentary" section below for a couple of password tips.

Recruitment sites have proved rich pickings for criminally-minded hackers in the past and it is not the first time Monster has fallen foul of cyber thieves.

In August 2007 Monster.com’s data-base was infected by a virus called infostealer.monstres, which siphoned off more than 1.6 million records, mostly of customers based in the US.

A Russian gang called Phreak was said to be responsible. It was found to be selling “identity harvesting services” to fraudsters, charging £300 for data.

Monster first revealed that its database had been attacked again on 23 January but has remained tight-lipped about the scale of the attack.

"We recently learned our database was illegally accessed and certain contact and account data were taken," said Monster senior vice president Patrick Manzo in a statement.

He went on to admit that hackers had stolen user names, passwords, telephone numbers and e-mail addresses, alongside demographic data, birth dates, gender and ethnicity.
[Evan] This is everything needed for a targeted phishing attack, and then some.

CVs had not been accessed, he said.

The statement warned people to be on the look-out for phishing e-mails built around the details surrendered to Monster.

"Monster will never send an unsolicited e-mail asking you to confirm your username and password, nor will Monster ask you to download any software tool or access agreement in order to use your Monster account," it read.

Graham Cluley, a senior consultant with security firm Sophos, said hackers armed with details from Monster accounts, could target other online information.

"It is surprising just how many people use the same password for a variety of sites. They need to change all passwords that are the same as that for their Monster login," he said.

About four out of ten people use the same password to access multiple websites, Mr Cluley said, meaning that criminals could use the Monster.co.uk data to obtain far more sensitive information. “These hackers could now use the passwords to access e-mail and online bank accounts.”
[Evan] I am surprised that the number is as low as 40%. I would guess that this number is actually much higher. Passwords are a very weak form of authentication.

FROM THE MONSTER SECURITY NOTICE:

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database.
[Evan] This may be true, many of these companies are not reporting continued online breaches totaling millions of affected persons.

We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.
[Evan] We will likely never know, but I am very interested in knowing how this breach occurred technically.

Monster does not generally collect – and the accessed information does not include - sensitive data such as social security numbers or personal financial data.

Immediately upon learning about this, Monster initiated an investigation and took corrective steps.
[Evan] Like what? Hopefully these aren't the same "corrective steps" taken in response to past breaches.

It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

we want to remind you that an email address could be used to target “phishing” emails. Monster will never send an unsolicited email asking you to confirm your username and password, nor will Monster ask you to download any software, “tool” or “access agreement” in order to use your Monster account

The protection of your data is a high priority for Monster.

Our newly redesigned Web site has, and will continue to add, safety and security features to protect your information and we want you to feel confident using it.
[Evan] In order for your users to feel confident, they need to trust you and trust must be earned.

We continue to devote significant resources to ensure Monster has appropriate security controls in place to protect our infrastructure, and while no company can completely prevent unauthorized access to data, Monster believes that by reaching out to job seekers, the company can help users better defend themselves against similar attacks.

Monster has a full-time worldwide security team, which constantly monitors for both suspicious behavior on our site and illicit use of information in our database. To maintain the integrity of these security and monitoring systems, we cannot provide further details.
[Evan] Cop out. I am a practicing information security professional myself, and I often feel comfortable sharing information about the (administrative, technical, and physical) protections I employ in my job. I don't disclose details such as configurations, procedures, personnel, etc., but I fail to see the harm in sharing general practices with other information security professionals. We learn from each other only if we share with each other.

Commentary:
You really have nothing to worry about if ALL of the following are true:

You gave no sensitive information given to Monster.
You are very well-versed in spotting phishing attacks
Your Monster password is unique among all of your other passwords

If any of the three above are true, you need to react appropriately.

As is true with most breach notifications, I am not at all impressed with this one. Monster has been through this exercise before and I wonder how much time will pass before the next one. I have little doubt that there will be a significant number of phishing victims, recipients with increased spam, and fraud resulting from this breach. There are very few consequences for Monster, aren't there? People who need a job will still go there.

Password tips (as promised, and not all-inclusive):

Use a different password for each login, even if you only change one character.
Use strong passwords. There are plenty of tips on the internet to help you create a strong password. You can use these general rules; use at least 10 characters (longer is stronger), use upper and lower case letters, use at least one number and special character (preferably in the middle portion of the password), don't use a word in the dictionary (without modification).
Use a password management program, this way you only have to remember one password (the one used to access the others).
If you must write down your passwords, write them down on a piece of paper and put it in your wallet.

Past Breaches:
Multiple

MSU foreign students at risk after errant email

evan@frsecure.com (Evan Francen) — Wed, 28 Jan 2009 16:46:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/21/09

Organization:
Missouri State University ("MSU")

Contractor/Consultant/Branch:
International Student Services

Location:
Springfield, Missouri

Victims:
"foreign students"

Number Affected:
565

Types of Data:
"Sensitive personal information -- including Social Security numbers"

Breach Description:
"Sensitive personal information -- including Social Security numbers -- for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message with the data inadvertently attached."

Reference URL:
Springfield News-Leader

Report Credit:
Didi Tang, Springfield News-Leader

Response:
From the online source cited above:

Sensitive personal information -- including Social Security numbers -- for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message with the data inadvertently attached.

The school is investigating the incident and will contact all international students, offering answers and options to guard against identity theft, university officials said Tuesday.

The leak occurred Jan. 14 when Jody Pritt, director of international student services, contacted 179 international students via e-mail, soliciting their help with language tutoring

Only those who speak Bosnian, Arabic, Czech, Estonian, Romanian, Turkish, Hebrew, Lithuanian or the Indian dialect of Punjabi were contacted, said Clif Smart, MSU's legal counsel.
[Evan] I am amazed that there are 565 people at MSU who speak these languages!

The message they got from Pritt, however, had a spreadsheet attachment that contains names and Social Security numbers for international students, Smart said.
[Evan] Why does the Director of International Student Services need or have access to Social Security numbers?

It doesn't have the students' dates of birth.

The university realized the misstep within minutes and recalled some messages
[Evan] Have you ever tried to recall an email before?! Good luck with that.

The university contacted all recipients of the message and asked them to delete the message

Jeff Morrissey, the university's chief information officer, said the consequences may be mitigated somewhat by the fact that not all foreign students have Social Security numbers.

Foreign students only obtain the numbers when they have permission from the U.S. Department of Homeland Security to work.

Many international students have on-campus employment such as research and teaching assistantships that make them eligible for the numbers.

Social Security numbers for foreign students usually are only valid with work permission, and university officials say they hope that limitation will make the leaked numbers less prone to abuse.

On Friday, Pritt sent out another e-mail message, in which she apologized for the mistake, urged those who have the spreadsheet to purge the document, and offered some suggestions to prevent identify theft.

On Tuesday, Earle Doman, acting vice president for student affairs, wrote to the entire foreign student body on the Springfield campus, offering his apology and telling the students the university will soon call a meeting to answer questions and provide help.

Said Smart: "We want to let them know we're available to help them in any way we can."

MSU is looking into the feasibility of obtaining insurance for the students, he said.

"We can't commit to that now, but that's one of the top priorities," Smart said.

The incident is under an internal investigation, he said, and the school would work with an on-campus compliance officer to determine whether the school has complied with the Federal Education Rights and Privacy Act, he said.
[Evan] Today, I think there is something like a 4+ year backlog in FERPA case investigations. What do you expect from the federal government?

Asked if anyone could lose his or her job, Smart said: "It's too early to talk about this. Clearly this was a mistake."

Commentary:
Obviously, this was an employee mistake. Mistakes will happen, but there are things we (information security professionals) can do to minimize the impact and frequency of employee mistakes. In my experience, some environments are more apt to be breeding grounds for mistakes than others

.

Past Breaches:
Unknown

Pflugerville ISD students charged with intrusion

evan@frsecure.com (Evan Francen) — Tue, 27 Jan 2009 19:46:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/26/09

Organization:
Pflugerville Independent School District

Contractor/Consultant/Branch:
None

Location:
Pflugerville, Texas

Victims:
Staff and students

Number Affected:
Unknown

Types of Data:
"all of the Pflugerville Independent School District security files which contained passwords, alarm codes, staff personal information, school tests etc."

Breach Description:
"Two Pflugerville teenagers are charged with hacking into their school districts computer system. Investigators say they gained access to personal information, alarm codes, tests, even grades."

Reference URL:
KEYE Channel 42 News
KVUE TV News

Report Credit:
KEYE Channel 42 News

Response:
From the online sources cited above:

Two students admit they hacked into Pflugerville ISD school computers and got access to sensitive information, according to an arrest affidavit.
[Evan] How much "hacking" do you think was really involved in this incident? It's more likely that one of the two students found a username and password somewhere. Maybe an admin or teacher wrote their username and password down on a Post-It note. Wait! That could never happen!

Two Pflugerville teenagers are charged with hacking into their school districts computer system. Investigators say they gained access to personal information, alarm codes, tests, even grades.
[Evan] Should personal information be segregated from tests and grades?

Police say the student hackers, both 18, broke into the Pflugerville Independent School District's security system back in early December.

neither the district nor investigators would go into the specifics of how the students managed to hack their way in
[Evan] It might be embarrassing.

we're told that within 24 hours of the unauthorized break-in, the district's technology staff recognized what had happened and notified police
[Evan] I wonder how staff detected the intrusion. Later on, we read that the students created a "ghost account". Maybe the staff noticed the new account.

On Dec. 4, Nelson Coulter, principal of Hendrickson High school, notified Pflugerville police school district employees discovered a computer breach and traced it back to the students.

Students at Hendrickson High School were stunned to learn that fellow students Kelton Gilmore and Joshua Cook have been arrested

"I thought he got in there just to change a few grades or something, I didn't know about this," said Brett Caswell, a senior at Hendrickson.

According to the arrest affidavit, Kelton and Josha gained access to all of the Pflugerville Independent School District security files which contained passwords, alarm codes, staff personal information, school tests etc.
[Evan] One account, all the keys to the kingdom? Domain admin account?

"I'm not exactly sure what their intent was by establishing that, from something as innocent as boredom to something that could be even more destructive to the school district, but the bottom line is they did not have access or authorization to access that particular area and there was confidential information that has to be safeguarded," said William Edwards, the Pflugerville ISD Police Chief.
[Evan] Kids and teens with time on their hands are going to find something to do and usually its something meant to gain some excitement. How do we challenge kids in a fun way?

Cook and Gilmore told school leaders they created the “ghost account” but didn’t say if they used the information, the affidavit said.

Edwards says one of the reasons the school district decided to press charges was the more than 45-hundred dollars it cost to repair the security damage caused by the student hackers.

"Just by having that sheer access to the administrative account, they had to go in and put safeguards back in, to change security codes and alarm codes throughout the district were changed, that was a fairly large undertaking," Edwards said.
[Evan] Let's hope that the ISD didn't put the same safeguards back in. The old ones didn't work.

The state felony charge means Gilmore and Cook could receive anywhere from 3-months to 2-years in prison and a $10,000 fine.

Investigators say it's important to point out that even though the student hackers could have changed any of their grades or test scores as well as those of other students, they did not.

Commentary:
Every time I read about a breach involving teens who gain unauthorized access to their school's information resources, I feel a little torn.

Think about this for a second. I have kids and I keep a pretty close eye on them. I know that they do some dumb things when they are bored. The things they do when they are bored aren't the same things they do when they have something to occupy their time. Boredom may be part of the problem in this incident.

A second part of the problem might be what and how our kids learn. We can all agree that we live in a different time from when we were kids. Technology seems to drive everything. Where do our kids learn good (and ethical) computing habits? School? The only class taught in our high school is HTML. Parents? Most of the parents I know are less tech-savvy than their kids, and many of the parents that are tech-savvy are too busy. Self-taught? Maybe. Friends? Probably. Teaching yourself information technology without a mentor can go either way (good or bad), and teenage friends may have their own motives.

I present two factors that I think contribute to the problem. One solution that I support and for which I am trying to help is teaching kids good (and ethical) computing habits. What classes does your school teach? Is there an opportunity for you to get involved?

Past Breaches:
Unknown

Laptop stolen from the City of Madison is recovered

evan@frsecure.com (Evan Francen) — Tue, 27 Jan 2009 18:11:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/26/09

Organization:
City of Madison (WI)

Contractor/Consultant/Branch:
Human Resources

Location:
Madison, Wisconsin

Victims:
Employees

Number Affected:
"300 to 500"

Types of Data:
"names, photos, and Social Security numbers"

Breach Description:
"An oversight by the city of Madison's personnel office is the reason Social Security numbers of 300 to 500 city employees were stored on a laptop computer stolen from a city office Friday."

Reference URL:
Wisconsin State Journal
The Badger Herald

Report Credit:
Dean Mosiman, Wisconsin State Journal

Response:
From the online sources cited above:

An oversight by the city of Madison's personnel office is the reason Social Security numbers of 300 to 500 city employees were stored on a laptop computer stolen from a city office Friday.
[Evan] How many times have we seen this? We will assume that the laptop was not encrypted.

The laptop was found somewhere on South Hamiliton Street and turned over to police this morning, but it's unclear if sensitive information was stolen over the weekend.

The laptop was taken from a "relatively secure location" in the Human Resources offices of the City-County Building, Human Resources Director Brad Wirtz said.
[Evan] What is a "relatively secure location"? Relative to what?

The room is in an area marked off as being for authorized personnel only and behind a set of doors, he said.

The room, however, does see a lot of foot traffic, because it is used for job applicant testing, employee orientation sessions and for taking photo IDs
[Evan] This wouldn't even qualify as a slightly secure location in any of my assessments.

"There's not much more that I can do than apologize," Wirtz said. "We're hoping nothing will happen to any of these employees."

From 2004 through 2007, the city recorded employees' names, photos and Social Security numbers on the laptop for use when employees lost their identification cards and needed replacements

Shortly after he became the director of personnel in September 2007, Wirtz himself got a new ID card and recognized the security threat.
[Evan] Mr. Wirtz recognized the security threat, but chose to only address half of the problem.

He said he stopped what he believed was a "bad practice" of recording sensitive information on a portable computer in a room accessible by so many people.

The city began to use email addresses to identify employees, but the information recorded on the laptop from 2004 to 2007 was never deleted, he said, adding that it was thought the sensitive information would be removed over time as employees renewed IDs under the new system.
[Evan] If this were your information, would this be acceptable? Changing data collection procedures was a good call, but choosing to do nothing about the data already collected was ignorant.

"We just didn't think the computer was going to be stolen," he said. "We thought it would be eventually phased out."
[Evan] Most people who lose laptops or have them stolen say this. The fact of the matter is that laptops are stolen every single day. What makes your laptop so special to think that it's immune?

Any official or employee — except those in the police, fire and transit departments — who was issued a new or replacement city identification card from the start of 2004 through 2007 may be at risk of identity theft, Wirtz said.

The information is password protected but that may not provide enough protection to prevent identity theft, he said.

The laptop was found on South Hamilton Street and turned into police, Wirtz said. The city is now checking to see if the information was accessed, he said.
[Evan] It is almost impossible to be 100% sure that data wasn't accessed.

The Madison Police Department announced Monday that no sensitive information was accessed
[Evan] I don't like this statement much. I can accept something like "based upon our detailed forensic analysis and years of investigation experience, we have been unable to detect any unauthorized access to the data". I know words are only words, but one statement is much different than the other.

The results of forensic tests performed on the recovered laptop showed multiple unsuccessful attempts were made to log into the computer
[Evan] The thief is an idiot.

“We had the computer analyzed by police computer forensic staff, and it was determined that the information had not be accessed,” said Human Resources Director Brad Wirtz.

In letters to employees this morning, Wirtz apologized for the incident and said the department is working with Information Technology and the police to protect private information.

Rachel Strauch-Nelson, spokesperson for Mayor Dave Cieslewicz, said, "We're obviously concerned. We're going to work with IT and HR to make sure all necessary precautions are taken.
[Evan] Let's hope that the city undertakes a detailed information security (and risk) assessment. This is the only way you can "make sure all necessary precautions are taken."

Ald. Thuy Pham-Remmele, 20th District, fired a scathing e-mail to Wirtz on Monday morning, saying the initial apology is insufficient and calling the incident "an unacceptable breach of all basic rules of internal control."

Pham-Remmele also pressed to know if there are other laptops that contain sensitive personal information.

Ald. Michael Schumacher, 18th District, in an e-mail to Wirtz, said there is no reason sensitive human resources data should be stored on laptops given known vulnerabilities.

Schumacher asked if Wirtz intends an inventory of laptops, data they contain and data storage related to personal information, a review of security protocols and checking other security measures.
[Evan] Sound like an assessment is in order.

The incident was an isolated situation, Wirtz said.
[Evan] Even isolated incidents have causes, and sometimes the causes aren't so isolated. What caused this isolated incident was one or more poor information security practices.

The incident doesn't represent a threat for other sensitive information, Wirtz said, noting that the stolen laptop was not a network computer. The rest of the city's sensitive information is encrypted and on the mainframe, he said The information will be deleted from the computer after it is analyzed, he said.

City staff members have since been urged to check the encryption of departmental computers and to ensure that their personal computers are protected.

“One thing that has been done today is our IT staff is doing full review of encryption software on all of the laptops that are used for the city,” said Rachel Strauch-Nelson, spokesperson for Mayor Cieslewicz. “This means if you’re not on network, you can’t access information.”

“At this point, we can say with certainty that none of your personal information was compromised as a result of the theft,” he said in the apology. “Again, I want you all to know how sorry I am that this occurred, I accept full responsibility and I will do everything in my power to make sure that this does not happen again.”

Commentary:
Although it appears likely that the confidentiality of the information on the laptop was not compromised, there is serious cause for concern.

Past Breaches:
Unknown

Southwestern Oregon Community College announces stolen laptop

evan@frsecure.com (Evan Francen) — Mon, 26 Jan 2009 22:39:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/16/09

Organization:
Southwestern Oregon Community College

Contractor/Consultant/Branch:
None

Location:
Coos Bay, Oregon

Victims:
"current and former students"

Number Affected:
"approximately 200"

Types of Data:
"student record information"

Breach Description:
"COOS BAY, ORE - The privacy of hundreds of community college students is put at risk, after someone steals a laptop computer from the campus at Southwestern Oregon Community College."

Reference URL:
Southwestern Oregon Community College press release
KCBY Channel 11 News

Report Credit:
Southwestern Oregon Community College

Response:
From the online sources cited above:

On Thursday, a Southwestern Oregon Community College laptop was stolen from an office on the Coos Bay campus.

The new computer contained select categories of student record information for approximately 200 current and former students.
[Evan] I'm not sure how pertinent the "new computer" reference is and I don't know what data are included in "select categories of student record information". Hopefully the affected students get more detail.

Following our procedure, affected students have been contacted and their student records at SOCC have been put on a privacy hold to prevent unauthorized access.
[Evan] A privacy hold will only work if the information is used at SOCC, but won't do much at all if Social Security numbers and/or financial information is included in "select categories of student record information".

Extra measures of security are being put in place at the college, both to protect the affected students and to be proactive in preventing future thefts.
[Evan] Like what? Why do people use the word proactive when they do something reactive?

Staff and faculty have been emailed reminders regarding policies for handling information and computers.

Other technological security methods are being considered and pursued.

Press Release Date: January 16, 2009

Commentary:
I don't even know why SOCC decided to issue a press release if this is all of the information that they intend to disclose. This press release tells us little more than nothing.

Was the "new computer" encrypted? What personal information is included in "select categories of student record information"? What are the extra measures being put in place to protect against future thefts? What are the other technological security methods are being considered? Are there any administrative and/or physical controls being considered?

This press release is useless.

Past Breaches:
Unknown

Kanawha-Charleston Health Department warns 11,000

evan@frsecure.com (Evan Francen) — Fri, 23 Jan 2009 20:18:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/21/09

Organization:
Kanawha-Charleston Health Department

Contractor/Consultant/Branch:
Express Personnel Services

Location:
Charleston, West Virginia

Victims:
Patients receiving flu shots between October 1, 2008 and December 31, 2008

Number Affected:
"approximately 11,000"

Types of Data:
"names, address, Social Security, numbers, dates of birth, marital status, employment
information, insurance information and telephone numbers"

Breach Description:
"Kanawha-Charleston Health Department officials today announced that a temporary worker who was assigned the task of performing medical billing for Department’s influenza shot campaign has been identified as a suspect in an identity theft crime that is currently under investigation by the Kanawha County Sheriff’s Office."

Reference URL:
Kanawha-Charleston Health Department Press Release
The Charleston Gazette

Report Credit:
Kanawha-Charleston Health Department

Response:
From the online sources cited above:

Kanawha-Charleston Health Department officials today announced that a temporary worker who was assigned the task of performing medical billing for Department’s influenza shot campaign has been identified as a suspect in an identity theft crime that is currently under investigation by the Kanawha County Sheriff’s Office.

The worker, who is no longer with the Health Department, is accused of using patient data for the purpose of identity theft and to obtain credit and/or credit cards.
[Evan] Temporary workers pose a certain amount of additional risk to information security. Typically these workers' backgrounds are checked by the temp agency instead of the hiring company and there is a slight conflict of interest. The faster that a temp agency places a worker, the faster they get paid. Temporary workers that need access to sensitive information require increased scrutiny.

Jameelah Jossiah, 24, a former flu clinic medical billing clerk, was charged with computer fraud after allegedly making a $400 purchase at the South Charleston Wal-Mart with a credit card obtained illegally under the name of a woman who received a flu shot from the Health Department last fall.

Sheriff's Detective L.S. Deitz identified Jossiah after reviewing Wal-Mart surveillance video.

After searching Jossiah's home, Kanawha County Sheriff's Department detectives found a handwritten list of about 14 flu-shot recipients, including their names, Social Security numbers, birth dates, addresses and other personal information, Health Board President Brenda Isaac said Tuesday.
[Evan] Good police work.

"I don't believe [Jossiah] had the ability to copy down a lot of information because she was being closely supervised," Isaac said. "We feel this is limited, but we don't want to take any chances, so we're alerting all people who had flu shots."
[Evan] You can't monitor a crook closely enough at work.

The department hired her through Express Personnel Services, a temporary jobs agency in South Charleston, health officials said.

Isaac said Health Department administrators were told that Jossiah underwent a criminal background check through the temp agency, but it was unclear Tuesday why the check didn't flag Jossiah's previous arrest record.
[Evan] It's not a terrible idea to ask the temp agency to provide copies of background check information pertaining to temporary workers, is it?

Jossiah was arrested on trespassing and battery charges in 2007, according to Kanawha County Magistrate Court records.

Letters are being mailed to approximately 11,000 individuals that received their influenza shot from the Health Department between October 1, 2008 and December 31, 2008.

Information that may have been compromised includes names, address, Social Security, numbers, dates of birth, marital status, employment information, insurance information and telephone numbers.

Patients who may be affected by this incident will be notified by written correspondence to their last known address.

A call center has been established and will be operational, from 8:00 a.m. – 4:00 p.m. Monday through Friday beginning January 21st, to address questions relating to his incident. The call center’s telephone number is (304) 348-0700.

Isaac said the department would no longer require people who receive flu shots to provide Social Security numbers and other personal information that could be used as part of an identity theft scheme.
[Evan] Excellent idea! This addresses a primary concern. Why would a Social Security number ever be required to get a flu shot?

Also, future temporary workers at the Health Department won't have access to patients' medical information, Isaac said.
[Evan] Also a good idea. People requiring access to sensitive information should receive additional scrutiny and specialized training.

Commentary:
If you collect it, you must protect it.

Past Breaches:
Unknown

Laptop used in background checks stolen from Continental Airlines

evan@frsecure.com (Evan Francen) — Thu, 22 Jan 2009 17:17:00 GMT

Technorati Tag: Security Breach

Date Reported:
1/12/09

Organization:
Continental Airlines, Inc.

Contractor/Consultant/Branch:
None

Location:
Newark, New Jersey

Victims:
Some employees, vendors, and "new hire candidates"

Number Affected:
230

Types of Data:
"name, Social Security number, fingerprint images, date of birth, address and other information"

Breach Description:
"Unfortunately, sometime between December 31 and January 2, 2009, a Continental laptop computer was stolen from a locked Newark office. This laptop was used for certain background checks, and it contained confidential data files on 230 individuals."

Reference URL:
The New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire Attorney General

Response:
From the online source cited above:

We are writing to notify you about a recent information security incident.

Continental Airlines is committed to protecting the privacy and security of personal data collected from co-workers, vendors and new hire candidates.
[Evan] How does a commitment translate into action? Most of us are committed, but too few of us act.

Unfortunately, sometime between December 31 and January 2, 2009, a Continental laptop computer was stolen from a locked Newark office.
[Evan] Can we assume that the laptop and/or sensitive data was unencrypted? Can we further assume that the laptop's only access control was the operating system username and password? For the rest of this post, we will make these assumptions because they are likely true, based on past experiences.

The theft was discovered on 01/02/2009.

This laptop was used for certain background checks, and it contained confidential data files on 230 individuals.

Your name, Social Security number, fingerprint images, date of birth, address, and other information may have been on the stolen computer.
[Evan] This is not the kind of information that should be allowed on a poorly secured laptop.

we have no indication at this time that the personal information has been or will be misused.
[Evan] Less than 2 weeks had passed between the time the theft occurred and this statement made. Hardly enough time for Continental to receive word that this information was misused.

We are strengthening our already tight security measures to provide greater protection for the information we maintain in order to minimize future risks.
[Evan] How?

A police report has been filed with the Port Authority police, and Continental's Corporate Security Department is working closely with the law enforcement investigation.

We are doing everything possible to recover the stolen property and to minimize the impact of this unfortunate situation.
[Evan] Who gives a *&%$ about the stolen property (laptop)? Recovery of the laptop does not ensure that the data it contained wasn't accessed, copied and/or used.

We will be sending out written notification through the U.S. mail to affected individuals during the week of January 12th.

Continental Airlines is offering 12 months of Kroll Inc.'s ID TheftSmart service.

Please know that we recognize and understand how important your privacy is.
[Evan] Recognition and understanding are good things, but without action they are nothing more than recognition and understanding.

We are truly sorry that you personal information may have been compromised due to the theft and are currently evaluating steps we can take to prevent any similar occurrence in the future.

Commentary:
I'm fairly sure that Continental Airlines uses quite a few laptop computers and other mobile devices. These technologies can be good for business and improve productivity, but risks must be taken into account. Honestly, I don't know if Continental Airlines mandates encryption of mobile data or not. Maybe this was a laptop that was somehow missed. If Continental Airlines does not mandate and enforce encryption on mobile devices AND there is a significant (i

nterpret) chance that they may access AND/OR store sensitive information, then shame on them.

Past Breaches:
Unknown