The Breach Blog

Department of Business & Professional Regulation is notifying 150 people

Evan Francen — Wed, 23 Jul 2008 13:18:37 GMT

Technorati Tag: Security Breach

Date Reported:
7/18/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Department of Business and Professional Regulation ("DBPR")

Victims:
Complainants

Number Affected:
150

Types of Data:
"personal information"

Breach Description:
"TALLAHASSEE, Fla. - The Department of Business and Professional Regulation is notifying 150 people that they should check their credit reports.

A department employee is accused of unsuccessfully trying to get credit cards with personal information the agency received on complaint forms."

Reference URL:
Fort Mill Times
Associated Press via WCTV Channel 4 News

Report Credit:
Fort Mill Times

Response:
From the online sources cited above:

TALLAHASSEE, Fla. - The Department of Business and Professional Regulation is notifying 150 people that they should check their credit reports.

A department employee is accused of unsuccessfully trying to get credit cards with personal information the agency received on complaint forms.
[Evan] At least the employee was not successful in getting these credit cards. I suppose she might have been successful in other attempts (if they were made).

Casselberry police told the department that the woman used three people's names and information to apply for the cards.
[Evan] Good job by the Casselberry police.

The employee was fired.

The department would not provide her name.

Officials say the employee abused the access to personal information that her position granted her.
[Evan] Privilege escalation. I wonder if she had to manipulate her technical privileges in order to obtain access or if access was just there to begin with and she went outside of her implied boundaries.

Department spokeswoman Jenn Meale said people filing the complaints provided more personal information than the department normally requests.
[Evan] Two problems here. One is the tendency for people to provide more information than they should without questioning. The second is the department’s decision to collect and store more information than what is needed. If a person provides too much information and some of that information is sensitive, discard it (securely).

Anyone who filed a complaint form that could have been reviewed by the woman is being contacted by the department.

"In an abundance of caution the Secretary took it upon himself to inform about 150 or so customers who she had access to their personal information so that they can be on the lookout for any misuse in their personal financial accounts," says Jenn Meale, Communications Director at DBPR.
[Evan] There's the "abundance of caution" phrase again. Ugh. What's with "the Secretary took it upon himself"? Is someone trying butter up?

Commentary:
A bad apple is a bad apple. We try to pick them out before we plant them with background checks and other hiring procedures, but some will inevitably get through or turn bad after the fact. The question then becomes what mitigating controls can we put in place to limit risk?

Past Breaches:
State of Florida:
July, 2008 - Florida's Agency for Health Care Administration reports a breach
January, 2008 - Five stolen Florida Department of Children and Families laptops

San Francisco Department of Human Services information found in dumpster

Evan Francen — Wed, 23 Jul 2008 10:08:06 GMT

Technorati Tag: Security Breach

Date Reported:
7/23/08

Organization:
City and County of San Francisco

Contractor/Consultant/Branch:
Department of Human Services

Victims:
Clients

Number Affected:
"Potentially thousands of people"

Types of Data:
Case files and other confidential information including names, Social Security card copies, drivers license copies, passport copies, bank statements, and "other sensitive personal information"

Breach Description:
A local San Francisco television station (KTVU) has uncovered a breach involving confidential personal information thrown in the curbside garbage. The sensitive information is from the San Francisco Department of Human Services.

Reference URL:
KTVU Channel 2 News

Report Credit:
KTVU Channel 2 News

Response:
From the online source cited above:

A KTVU investigation has uncovered a potentially serious security breach from San Francisco city agency that has put some people's most private personal data literally out on the street.
[Evan] We expect our corporations and non-profits to abide by the law and provide adequate protection for confidential information, but we should be able to hold our government to a higher standard, shouldn't we?

Potentially thousands of people's personal information was exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins.

A KTVU cameraman caught two individuals with pick-up trucks stopping briefly before hauling away armloads of paper.
[Evan] It's one thing to expose the information; it's another to know that it has been taken.

No one challenges them as they steal from the unsecured blue bins.
[Evan] If you take something out of the garbage, something that has been thrown away, is it stealing?

A closer look shows some of what they left behind: confidential documents from the San Francisco Human Services Department.

"Someone grabbed their hand in there and pulled out someone's social security card and an i.d. I think that's probably all you need to go places. And just seeing that sent it home that I could not leave anything out," - Lance Williams, a local resident

Peering into one of the bins, Williams illustrated how easily someone would be able to commit identity theft. "Well, already I have a first and last name. And unfortunately I see someone's social security number. I don't think I need to see any more than that."

The agency handles the case loads of 8,000 San Franciscans

"Oh my god! People's information. They're supposed to have a lock on it. It's supposed to be shredded," Okorie exclaimed. "Don't they have a paper shredder? I have a paper shredder at home myself!" - Cati Okorie, a recent agency client

In some cases entire case files were discarded.

Blown up copies of social security cards, driver's licenses, passports, bank statements and other sensitive personal information were all left in these unlocked bins.

"Who's the supervisor of this whole place? I want to know. Can you explain how these are in an alley in an unlocked box?" asked Okorie.

Trent Rohrer is the head of San Francisco Human Services. Rohrer showed KTVU how the personal information is supposed to be disposed of, placed in locked bins.

"We do have a whole set of policies and procedures to prevent this stuff from happening, and clearly there are flaws in that," said Rohrer
[Evan] Policy and procedure don't prevent anything if they are not followed. Policy and procedure are not followed if they are not communicated well and there is no perceived sanction for non-compliance. There may not be a flaw in the policy and procedure as it pertains to disposal of confidential information. The flaw may be in the way they are communicated and enforced.

"We'll go from top to bottom to see if there's an internal identity theft ring going on or if there's something external going on. We'll get to the bottom of it," said Rohrer.
[Evan] I hope that someone will hold Mr. Roher accountable to this promise.

"It sounds like this would be an alley that would lead identity thieves to the good stuff that they're looking for. It's like cash. When you have hundred dollar bills, you're not going to leave them unattended" - Joanne McNabb is the chief of the California Office of Privacy Protection

Almost immediately after KTVU discovered the security breech, San Francisco officials imposed a number of reforms, including many more secure waste paper disposal sites, new training for employees, and a new policy of never placing any garbage cans out on the street at the Department of Human Services.
[Evan] How common is it to find an organization react only after something bad happens? Isn't it more effective to be proactive?

Commentary:
There is much more to this story than what has been reported.

What do you suppose was the cause of this breach? Was it something simple like a worker having a bad day? Maybe it's just an employee that is overworked? Is it something more sinister like someone who is disgruntled? Sometimes its a worker that is poorly trained, and just didn't know any better. Could the cause of this breach be something more significant like poor information security management in general? I did notice is that there is no information security department or position on the DHS organizational chart. Is this a sign?

We can only speculate. Either way, the end result is not good in this case.

Past Breaches:
Unknown

Heinemann-Raintree eCommerce site was breached 18 months ago

Evan Francen — Tue, 22 Jul 2008 13:09:34 GMT

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Pearson Education, Inc.

Contractor/Consultant/Branch:
Heinemann-Raintree

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"names, billing and shipping addresses, payment methods, and credit-card numbers"

Breach Description:
"Heinemann-Raintree, publishers of PreK-Secondary nonfiction books for the library and classroom, maintains websites where customers can learn about and purchase our products. We have learned of a breach of the security of those websites, and wanted to inform you about it because your credit card data may have been compromised"

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Heinemann-Raintree, publishers of PreK-Secondary nonfiction books for the library and classroom, maintains websites where customers can learn about and purchase our products.
[Evan] Can we infer that most of the victims are teachers and/or parents?

We have learned of a breach of the security of those websites, and wanted to inform you about it because your credit card data may have been compromised
[Evan] Securing ecommerce sites requires specialized skills. The fact that credit card data was compromised brings up the natural question as to whether or not the company was/is PCI-compliant. Not that PCI-compliance guarantees security.

We recently learned that in January 2007, an unauthorized person was able to obtain access to the database that contains the product information used by the Heunemann-Raintree websites.
[Evan] An "unauthorized person" gained unauthorized access to customer order information in January, 2007 and it was only recently learned?! This fact does not reflect well upon the security of the ecommerce site(s). From the PCI-DSS, Requirement 10: Track and monitor all access to network resources and cardholder data, section 10.6 "Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS)." There is no excuse for a breach to go so long without detection.

This gave the person the ability to view information appearing on the websites, including information provided by our customers to buy Heinemann-Raintree products on the sites.
[Evan] It is not clear, but it seems as though the "unauthorized person" gained access in January, 2007 and maintained their access until it was "recently learned"!

As a result, this person may have been able to view our customers' names, billing and shipping addresses, payment methods, and credit-card numbers

When we learned of this unauthorized access, we immediately discontinued operation of the websites, on a temporary basis, and corrected the problem that was allowing the unauthorized access.
[Evan] Why rush now? Kidding.

The websites are now up and running, and we are safe and secure.

They can be reaches at www.heinemanraintree.com, www.heinemannlibrary.com, and www.heinemannclassroom.com
style="font-style: italic;">[Evan] I hope that most people click a link and are referred to these websites. There a pain in the rear to type.

As a result of this unauthorized access, it is possible that your credit card information could be misused, although at this time we have seen no evidence that this has occurred.

We have notified our credit card processor of this incident.

We also recommend that you contact your credit card issuer to advise them of this incident and to arrange for a new credit card.

Please know that we greatly regret that this incident occurred, and we have taken steps to correct the problem.

We are fully committed to protecting the privacy and confidentiality of our customers' personal information.

If you have any questions about this incident, about this letter, or about other issues raised here, please call the Heinemann-Raintree Customer Service Center at (888) 454-2279.

Commentary:
The letter to the affected customers was signed by Graham Shaw, the President of the company. I respect that.

The breach notification doesn't give us many details into how the site(s) was/were breached, in terms of the vulnerability(ies) that were exploited. The fact that the site was compromised for so long without detection is definitely cause for concern, but I presume that this has been corrected.

Past Breaches:
Unknown

Backup server is stolen from Minnesota Veterans Homes

Evan Francen — Mon, 21 Jul 2008 09:41:22 GMT

Technorati Tag: Security Breach

Date Reported:
7/18/08

Organization:
State of Minnesota

Contractor/Consultant/Branch:
Minnesota Department of Veterans Affairs
Minnesota Veterans Homes
Minneapolis

Victims:
Residents and some dependents

Number Affected:
336

Types of Data:
"telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses"

Breach Description:
"A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents, according to an official with the Minnesota Department of Veterans Affairs."

Reference URL:
Minnesota Department of Veterans Affairs News Release
StarTribune

Report Credit:
Minnesota Department of Veterans Affairs

Response:
From the online sources cited above:

St. Paul, Minn. – A back-up network server has been discovered among the items missing from the break-in that occurred at the Minneapolis Veterans Home early Sunday morning, July 13.

The server, stored in a locked room, did contain personal information on Minneapolis Veterans Home residents and some dependents.

contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses

The data was password protected.

Although law enforcement officials do not know if the server was the target of the burglary, the Minnesota Department of Veterans Affairs is taking all steps possible to immediately inform employees, residents and families of this potential breach.

The department will also provide comprehensive information on protection from identify theft in the event that someone would use this data to commit fraud, and will alert any resident or family member if the department becomes aware of any unusual financial activity.

Other items taken in the break-in from Buildings six and 10 include a tool kit, two musical keyboards, a guitar, Nintendo Wii, and laptop computer that did not contain information about residents, employees, or financial data.

Building 6 houses residents and resident-support departments and Building 10 houses the personnel and finance departments.

No residents, employees, or other individuals reported direct contact with the perpetrators.

Minneapolis Veterans Home is in the process of evaluating current on-site security measures.

"It is very unfortunate the Minneapolis Veterans Home has experienced this deliberate criminal act. We will take every action necessary to continue to protect the safety and security of our residents and employees.", Deputy Commissioner Gil Acevedo

there is no indication that the thieves have used the data

"The building was locked, and the doors were locked," he said (Mr. Acevedo). "We do have 24-hour security on campus. We are going to review our security policy and see how we can improve that."

In addition to fully cooperating with law enforcement as they investigate the theft, MDVA is conducting an internal review of hardware storage and has asked the Minnesota Office of Enterprise Technology to review all data security systems.

Currently, all personal data stored on MDVA portable devices is encrypted.

Commentary:
As I read the news release and the report from the StarTribune, I was looking for something meaningful to comment about. I am not intimate with the security program at MDVA, but based on the content of the news release, it seems like they have a pretty good understanding of some information security concepts. The news release gives an adequate amount of information and I get the sense that MDVA knows what they are doing.

This breach brings to mind data-at-rest encryption. A data-centric information security program dictates the same controls around information, no matter where it is. In this model, the server housing the confidential data should employ encryption. Obviously there is a higher probability that portable devices will be lost or stolen, but this case proves that servers are not immune.

On a personal note, what kind of thief steals from an organization like Minnesota Veterans Homes? The people living in these homes and whose personal information has been put at increased risk of disclosure, are people who served in our military and sacrificed more than some of us ever will.

Past Breaches:
State of Minnesota:
December, 2007 - Laptop stolen from Minnesota Department of Commerce vendor

Suspected employee fraud at Huron Consulting Group

Evan Francen — Mon, 21 Jul 2008 08:15:20 GMT

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Huron Consulting Group

Contractor/Consultant/Branch:
None

Victims:
Current and former employees

Number Affected:
Unknown

Types of Data:
"full set of employee W-2 forms"

Breach Description:
"On July 1, 2008, Huron discovered that an employee may have stolen paychecks and fraudulently endorsed and cashed/deposited them." "Huron has not been able to locate the employee, but the employee had an associate return the company laptop computer to Huron on Tuesday, July 8, 2008. Forensic review of the laptop computer revealed that the employee, who had authorized access in the course of employment to personal financial information of Huron current and former employees, had downloaded a full set of employee W-2 forms in a text file on to her laptop."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

On July 1, 2008, Huron discovered that an employee may have stolen paychecks and fraudulently endorsed and cashed/deposited them.
[Evan] Stealing paychecks is bold.

Huron has terminated the employee.

Huron has not been able to locate the employee, but the employee had an associate return the company laptop computer to Huron on Tuesday, July 8, 2008.

Forensic review of the laptop computer revealed that the employee, who had authorized access in the course of employment to personal financial information of Huron current and former employees, had downloaded a full set of employee W-2 forms in a text file on to her laptop.
[Evan] I wonder if this authorized employee was also authorized to copy W-2 forms to her laptop. Are employees permitted to copy confidential information to company laptops and are company laptops encrypted?

this individual had access to your personal information, and may have downloaded or improperly removed it prior to termination.

We have no information of any use (malicious or otherwise) of this information by the employee.

While this is not necessarily a case of improper access, we intend to inform our employees that personal information may not have been fully secured so that they can take steps to protect their personal information and credit.

We do not have any evidence that your information has been misused, and we believe the likelihood of such misuse is low.

out of an abundance of caution, we are informing all current and former Huron employees who may be affected by this incident
[Evan] Ugh, there is the "abundance of caution" statement again!

We have reported this matter to local law enforcement (Chicago Police Department) and the FBI.

We have also engaged Consumerlnfo.com, Inc., an Experian® company, to provide you with one full year of credit monitoring, at no cost to you.

Commentary:
If the employee had not been so bold as to steal and cash paychecks, would the company have known that she copied confidential information to a laptop (authorized or not)? I have said this before, employee fraud can be very difficult to prevent and detect. It helps if the employee is an idiot.

Past Breaches:
Unknown

Baxter International reports a stolen HR laptop

Evan Francen — Mon, 21 Jul 2008 00:49:24 GMT

Technorati Tag: Security Breach

Date Reported:
7/11/07

Organization:
Baxter International Inc.

Contractor/Consultant/Branch:
None

Victims:
"current, former, and prospective U.S. employees"

Number Affected:
"roughly 6,900"

Types of Data:
"names, social security numbers, encoded information regarding background checks, and addresses"

Breach Description:
"Recently, a Baxter human resources employee based in the U.S. was attending a human resources conference in Chicago, Illinois. On June 24, 2008, a thief entered the hotel room of the employee while that employee was attending the conference, and stole a laptop computer belonging to Baxter." The laptop contained sensitive personal information belonging to current, former and prospective employees.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Recently, a Baxter human resources employee based in the U.S. was attending a human resources conference in Chicago, Illinois.
[Evan] Obviously, human resources personnel handle very sensitive information. Just a couple of weeks ago, the human resources department at a company I consult for sent a spreadsheet containing sensitive personal information to a group of unauthorized persons.

On June 24, 2008, a thief entered the hotel room of the employee while that employee was attending the conference, and stole a laptop computer belonging to Baxter.

Subsequently, we learned that two data files on the laptop contained personal information, including names, social security numbers, encoded information regarding background checks, and addresses of certain current, former, and prospective U.S. employees.
[Evan] Unencrypted, I presume.

No customer or patient data was included in these data files.

The data files included personal information of roughly 6,900 people

Baxter has notified and is working closely with local law enforcement officials to investigate this matter.

Additionally, we are developing policies and procedures to strengthen our data security policies to reduce, if not eliminate, the risk that data losses of this type ever occur again.
[Evan] Usually the best we can hope for is a reduction in risk. We (information security personnel) are in the risk reduction business, not the risk elimination business. We aim to bring residual risk to a level that is acceptable to the business. Do you suppose that a decision was made to not encrypt laptops at Baxter, or did they just not understand (or identify) the risk?

We are notifying our employees whose information may have been or may be compromised of this incident on Monday, July 14th by writing to them at their last known addresses.

I want to assure you that we are taking this incident seriously and taking steps to ensure that all of our data is as secure as possible.
[Evan] Ensuring that data "is as secure as possible" in the literal sense is not feasible. Can Baxter live up to this statement? I don't think any company can.

We deeply regret that this incident occurred.

On behalf of the entire Baxter organization and our dedicated human resources staff, I want to express our deepest regret for this unfortunate incident and let you know that we are doing everything we can to address the situation and assist you

We do not know that this information has been accessed and misused.

The stolen laptop required a user to enter certain user credentials, such as a correct username and password, in order to access the laptop computer.
[Evan] Anyone with little skill can easily access the laptop without the "certain user credentials" if the laptop is not protected with encryption (and pre-boot authentication)

We have retained Kroll Inc., a New-York based risk consulting firm and a global leader in data security, who has worked with other large corporations under similar circumstances, to provide its ID TheftSmart safeguards to you at no charge.
[Evan] It would have been a good proactive decision to have sought the advice of a good risk consulting firm before this incident. Other organizations should take heed.

You can reach the call center, toll-free, at 1-800-588-9839, anytime Monday through Friday from 8 a.m. to 5 p.m. central standard time.

We have formed an Information Security Assessment Team, which will assess our data security controls and recommend and implement steps to further strengthen those controls to appropriately reduce the risk of significant data loss, including restricting data access and requiring the use of encryption tools.
[Evan] Good! Let's hope that the Information Security Assessment Team is effective and remains an integral and regular part of Baxter's information security program long after this breach is forgotten.

Please be assured that we take this issue seriously.

Commentary:
A stolen laptop without encryption is the most common breach reported on The Breach Blog. The issues surrounding these types of breaches are very well-known risks that many organizations still seem willing to take. It’s a gamble and this time Baxter lost, who's next?

Past Breaches:
Unknown

Backup tape is stolen from Bristol-Myers Squibb

Evan Francen — Fri, 18 Jul 2008 11:26:26 GMT

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
Bristol-Myers Squibb Co. ("BMS")

Contractor/Consultant/Branch:
Unknown

Victims:
Current and former employees and some dependants

Number Affected:
Unknown*

*Bristol-Myers Squibb had "about 42,000 employees as of Dec. 31, the last date for which work force figures were available in regulatory filings.", Source: CNN Money

Types of Data:
"name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances bank account information"

Breach Description:
"On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage. Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees"

Reference URL:
Pharmalot (copy of notification letter)
Pharmalot
CNNMoney

Report Credit:
Ed Silverman, Pharmalot

Response:
From the online sources cited above:

The drugmaker sent letters over the past week saying a data tape containing reams of personal information was stolen several weeks ago

On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage.
[Evan] This statement prompted me to list the contractor as "unknown" instead of "none". I presume that the data tape was being transported by a third-party vendor when it was stolen. I am looking for more information on this.

Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees, such as name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances, bank account information.
[Evan] Ugh, this looks like very sensitive HR and benefits data.

The names, addresses, and Social Security numbers of some employee dependents also were included on the tape.

an untold number of current and former employees - and their dependents - could be affected

BMS has initiated an investigation of this incident.

To date, BMS has no reason to believe that any of your personal information has been inappropriately accessed from the data tape by an unauthorized party, or that any identity theft, fraud or misuse of your personal information has occurred.
[Evan] I agree with most of this statement except for the "misuse" part. There may be no evidence of misuse post stolen tape, but there may be an argument for misuse by BMS themselves. BMS is the data custodian in this scenario, not the data owner. If a data custodian does not care for the owner's information in a manner that is expected or communicated, does it constitute misuse?

In addition, there is no evidence that the data tape or the information contained on it was the target of the theft.
[Evan] I am interested in knowing more about who was transporting the tape and whether or not other items were taken.

As a precaution, to help you detect any possible misuse of your data, BMS has arranged for you to enroll in credit monitoring for one full year, at no cost to you.
[Evan] There is that "misuse" mention again. One year of free credit monitoring does nothing to protect a victim against fraud that occurs after one year, supposing the victim does not renew at his/her own expense. I wonder how many people renew on average.

If you have any questions, you may call the dedicated Privacy Help Line at 1-877-214-0689. Our representatives will be available to assist you Monday through Friday, between 8 a.m. and 5 p.m. ET.

the drugmaker is issuing this statement: "Bristol-Myers Squibb regrets that this incident occurred and is committed to providing appropriate assistance for affected individuals who had their personal information on the stolen data tape. We are committed to protecting the privacy and security of employee and dependent information. Maintaining the trust and confidence of our employees is paramount to Bristol-Myers Squibb."

Protecting the privacy and security of your information is extremely important to us.

In this regard, BMS wishes to reiterate that it does not have any evidence indicating that your personal information has been misused.
[Evan] Another "misuse" mention.

the company is taking appropriate remedial steps, including enhancing security protocols regarding the handling of personal information and our back-up data tapes.
[Evan] Like what? Encryption maybe?

On behalf of BMS, I apologize for any inconvenience or concern that this matter may cause for you.

Commentary:
I couldn't find any mention about encryption or whether or not police were called. You would think that a large, well-repected company like Bristol-Myers Squibb encrypts confidential data on tape, right?

Past Breaches:
Unknown

Mailing error at the University of Maryland exposes student information

Evan Francen — Fri, 18 Jul 2008 09:18:07 GMT

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
University of Maryland

Contractor/Consultant/Branch:
Department of Transportation Services

Victims:
All students registered for Fall 2008 classes

Number Affected:
23,727

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News

Report Credit:
University of Maryland

Response:
From the online sources cited above:

On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.

On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.

The error was discovered on the morning of July 8 when calls were made to the University.

This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.

The mailing list numbered 23,727 individuals.

In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students was requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.

This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.

Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.

It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!

The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as a SSN?

This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.

Currently, there is no evidence that anyone's Social Security number has been misused.

The University apologizes and deeply regrets this unfortunate mistake.

We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?

The University of Maryland values the critical importance of your personal information.

We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.

In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.

Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.

Please do not release any personal information in response to contacts claiming to be from the University.

In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.

If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.

If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1(877) 935-2428, Monday - Friday, 8:30 a.m. - 5 p.m. EST.

You may contact us in one of the following ways:
By telephone: Toll-free 1(877) 935-2428, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail: parkingmailer@umd.edu
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742

Commentary:
The lack of attention to detail coupled with lack of control leads to an increase of risk of confidential information disclosure. Not all that uncommon.

Past Breaches:
Unknown

Houston law firm threw confidential client information in the trash

Evan Francen — Fri, 18 Jul 2008 13:52:28 GMT

Technorati Tag: Security Breach

Date Reported:
7/15/08

UPDATE 7/18/08:
This breach has now gained the attention of Texas Attorney General Gregg Abbott, Source: KHOU-TV (props to PogoWasRight)

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files. Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P. They agreed to pay $660,000 to the Texas Attorney General. Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal. This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals? If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife). Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

Indiana State University professor's laptop is stolen

Evan Francen — Thu, 17 Jul 2008 09:29:35 GMT

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Indiana State University

Contractor/Consultant/Branch:
None

Victims:
"students who took economics classes from 1997 through the spring semester 2008"

Number Affected:
"more than 2,500"

Types of Data:
"names, grades, e-mail addresses and student identification numbers"*

*Until 2003, student identification numbers were the equivalent of each student’s Social Security number.

Breach Description:
"A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday."

Reference URL:
Indiana State University
Associated Press via WTHI Channel 10 News
Associated Press via Chicago Tribune

Report Credit:
Indiana State University

Response:
From the online sources cited above:

A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday.
[Evan] What do you suppose the purpose of the "password-protected" mention is? I hope it is not meant to reassure anyone that the information is safe. For those of you that do not know, password-protection is easily bypassed and in the opinion of many information security professionals (this one included), does NOT provide adequate protection for confidential information.

While there is no evidence to suggest that password security was breached, the university is taking the precaution of notifying all affected students for whom it has current contact information.
[Evan] If someone were to breach the "password security", what evidence would the school see? None. There would be no evidence (except locally on the laptop) if the local password store had been compromised. The school no longer has possession of the laptop, so the school would have no evidence.

The laptop contained data for students who took economics classes from 1997 through the spring semester 2008, estimated at more than 2,500 individuals.

If you took an economics class during this time period, but did not receive a letter, please call the Registrar’s Office to verify that you were on the list, and to update your address so that we may send you a letter.
[Evan] Contact information for the Registrar's Office, click here.

The information includes names, grades, e-mail addresses and student identification numbers.

Beginning in 2003, use of social security numbers as student ID numbers was discontinued in favor of university-specific identification numbers.
[Evan] A sound security decision by the university would have been to follow up with a project to identify and remove Social Security numbers already held as student IDs. Maybe it was, but the information on this laptop was missed.

The theft occurred Saturday while the professor was traveling in southern Indiana

the professor was traveling with his family and briefly left the computer unattended
[Evan] A laptop can grow legs in a flash. A person doesn't need to leave a laptop unattended for very long for it to disappear.

The incident occurred on July 12, 2008 and was reported to university officials on July 14, 2008.

The incident was reported immediately to the appropriate law enforcement agency and early Monday to university officials.

The extent of the information contained on the computer was not determined until Monday night.

Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers.
[Evan] Excellent policy provision. Policy does little if it is not communicated, enforced, audited against, and improved. Where was the failure in the breach? Was the policy not communicated to this professor, and thus he/she was not aware?

In addition, laptops provided to faculty are equipped with several security measures including encryption and a bio-metric fingerprint reader to prevent access by anyone other than the assigned user.
[Evan] An excellent standard (or procedure).

Approximately 500 ISU faculty members have laptop computers.

The university is reviewing its procedures to ensure compliance with existing policies, said Interim President C. Jack Maynard, the university’s provost and vice president for academic affairs

From the FAQs:

Q: What can someone do with a stolen SSN?
A: "With just a SSN there is little anyone can do in the way of setting up a false identity or securing credit. Generally an identity thief would need more information and documentation to set up false credit.
[Evan] A SSN needs to be held in strict confidentiality in today's financial, employment, health, and other systems. It is often used for identification and authentication. Once an identity thief has a SSN, the owner of that SSN is now a prime target because the thief has the most confidential piece of information (ingredient) in the identity theft recipe. The rest of the information is typically easier to come by, i.e. name, address, employer, etc. It is true that an SSN alone is not enough information to commit identity theft, but it is an EXCELLENT start.

Commentary:
We can assume that the school knows the risks involved in storing confidential information on a poorly protected laptop. Otherwise, they probably wouldn't have policy and procedure against it. The school's statements that are meant to minimize the risk, seemingly without fact, are disappointing.

Past Breaches:
Unknown

A backup tape is stolen from Greensboro Gynecology Associates

Evan Francen — Mon, 21 Jul 2008 08:19:14 GMT

Technorati Tag: Security Breach

Date Reported:
7/15/08

UPDATE 7/17/08:
News & Record reports that "47,000 patients affected by theft"

Organization:
Greensboro Gynecology Associates

Contractor/Consultant/Branch:
None

Victims:
Physicians, staff members, and patients

Number Affected:
Unknown

Types of Data:
"names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members"

Breach Description:
"GREENSBORO - Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May."

Reference URL:
News & Record

Report Credit:
Ryan Seals, News & Record

Response:
From the online source cited above:

In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen.
[Evan] Does "their computer database" include billing information and other confidential information other than personally identifiable information?

The letter was dated June 16, but some letters weren't postmarked until July 9.

The medical practice said a backup tape of patient information was stolen on May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping.
[Evan] I wonder what type of off-site storage facility. Some of the small businesses that I have encountered consider an employee's home to be an "off-site" storage facility.

The stolen information included patients' name, address, Social Security number, employer, insurance company, policy numbers and family members.

The tape did not include treatment or specific medical data.

"We are very concerned about this theft, as we too are victims," Pat Higgins, the practice's administrator, wrote in an e-mail Tuesday. "We are notifying our present and former patients. ..."

The practice at 719 Green Valley Road Suite 305 said personal information for its physicians and other staff members also was on the stolen tape.

the case is under investigation

did not respond to inquiries about how many patients were affected, how the theft occurred and whether anything else was taken

The practice's letter said the theft had been reported to police. However, officials with the Greensboro Police Department and the Guilford County Sheriff's Office said they had no such report on file.
[Evan] This is interesting news.

The data was not encrypted, but Greensboro Gynecology Associates said the stolen data isn't likely to be accessed.

"We have consulted with several computer security experts, and they have advised it is highly unlikely the tapes can be accessed because of the program used and the language (the information) is written in," according to a recording on a hotline set up to address patients' concerns.
[Evan] Who are these several computer security "experts'? I hate to disagree, but... The assessment is based on "the program used and the language" that the archived information is written in. Really? How hard is it to obtain the necessary hardware and software to access the information? Someone interested in accessing the tape could conceivably flip the data protection tab on the tape (to prevent data corruption through inadvertent writes), download some of the more popular backup software programs, buy a compatible drive (stolen or on eBay), and go to town. Couldn't they? Backup Exec is a very popular backup program. Anyone can download a 60-day trial for free. More talented professionals have even more sophisticated methods of accessing data on tape.

Greensboro Gynecology Associates said they are consulting with computer security experts to prevent similar thefts in the future.
[Evan] I kind of hope that they are not consulting with the same computer security "experts" referenced above.

"We sincerely regret and apologize that this incident occurred," the letter said

Commentary:
Many backup software solutions include the option to encrypt the written data built-in. Why not use it?

Greensboro Gynecology Associates has established a hotline for concerned patients. The phone number is (336) 544-4590. The hotline asks patients to leave their name and telephone number for a staff member to return their call.

Past Breaches:
Unknown

Very few details are available for Missouri National Guard breach

Evan Francen — Wed, 16 Jul 2008 15:34:08 GMT

Technorati Tag: Security Breach

Date Reported:
7/15/08

UPDATED ON 7/16/08:
The St. Louis Post-Dispatch reports that this breach was caused by a "laptop and other computer equipment", source: St. Louis Post-Dispatch

Organization:
National Guard Bureau

Contractor/Consultant/Branch:
Missouri National Guard ("MOGUARD")

Victims:
"Citizen-Soldier and employee"s

Number Affected:
"approximately 2,000"

Types of Data:
"some personal information"

Breach Description:
"The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised. Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation."

Reference URL:
Missouri National Guard Press Release
St. Louis Post-Dispatch

Report Credit:
Missouri National Guard

Response:
From the online sources cited above:

The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised.

Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation.
[Evan] Sounds like a good excuse to not reveal details.

It is important to note that we have no reason to believe that the information that was compromised was for the purpose of gaining Citizen-Soldier or employee information or that the information has been or will be used inappropriately.
[Evan] It's nice that MOGUARD can make this judgment call on behalf of the victims. Its too bad the victims are not allowed to make a determination themselves based on the facts surrounding this breach.

The Missouri National Guard has a list of those Citizen-Soldiers or employees whose information was compromised.
[Evan] Keyword is "was", and not the phrase "may have been".

Letters are being sent to these individuals and/or their Families.

The list includes approximately 2,000 individuals.

At this time we have no confirmation of misuse of Citizen-Soldier or employee information resulting from the loss.

"I am distressed that sensitive information has been compromised," Major General King Sidwell
[Evan] I am impressed when a leader of an organization steps forward and speaks about a breach. In my opinion it demonstrates strong leadership and the understanding that the "buck" ultimately stops with him.

"I am especially concerned about the problems and inconveniences this may cause for our Missouri National Guard Citizen-Soldiers and their families," King said.

Because Social Security Numbers may have been contained within the missing information, we advise individuals to monitor financial accounts continuously for suspicious activity as a matter of good practice.
[Evan] This statement provide a clue as to what "some personal information" may be.

The Missouri National Guard has safeguards in place to protect private information.

We provide ongoing privacy training to all employees.

The Missouri National Guard has taken action to rectify this unfortunate situation, and is working to insure our Citizen-Soldier’s or employee’s information receives the highest standard of security and privacy protection.

Any soldier or family member with questions should call a hotline number at 1-888-526-6664 extension 7888.

If the soldier is deployed overseas, the soldier may use the Defense Switching Network and call 312-555-9500 extension. 7888.

Commentary:
We have no idea as to what the cause of this breach may have been. Anyone want to guess? If so, post a comment.

It’s a little ironic. I was just typing an email response to an information security friend of mine about military breaches and the way the military has a completely different way of disclosing details (if any). This breach is proof positive. We'll have to see if further details emerge over time.

I sincerely hope that the owners of the "personal information" (the victims) get all of the answers that they require in order to evaluate risk themselves and make educated decisions on how they will proceed.

Past Breaches:
Unknown

"Metro" employee information mistakenly posted to Web

Evan Francen — Tue, 15 Jul 2008 10:39:14 GMT

Technorati Tag: Security Breach

Date Reported:
7/14/08

Organization:
Washington Metropolitan Area Transit Authority ("Metro")

Contractor/Consultant/Branch:
None

Victims:
"past and present employees"

Number Affected:
4,675

Types of Data:
Names and Social Security numbers

Breach Description:
"Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month."

Reference URL:
Metro Press Release
Associated Press via Forbes.com
NBC Channel 4 News
The Washington Post

Report Credit:
Washington Metropolitan Area Transit Authority

Response:
From the online sources cited above:

Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month.

The information was posted between June 9 and 25 as part of a solicitation from Metro to companies interested in providing worker’s compensation and risk management services.
[Evan] Rather than post this information to a public web site, why wasn't a more secure method of tranmission used such as VPN or secure FTP?

The document mistakenly included the social security numbers of 4,675 employees.
[Evan] According to Metro spokeswoman Candace Smith the sensitive information was supposed to be redacted. I wonder how well this mandate was communicated to the employee(s) responsible for compiling and posting the information.

A smaller group of employees had their names and social security numbers posted in the lengthy document. Metro officials continue to analyze the information for any other data breaches.

Three Metro employees have been disciplined

The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said.
[Evan] This implies that the employees responsible for the mistake should have known better. We can probably assume that they were informed of the proper procedure, but did not follow it.

Letters warning of the breach were sent out to the affected employees.

The letter urges employees to watch their credit reports for signs of identity theft.

Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted.

The agency is offering the 4,700 employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services.

"We deeply regret this incident, and believe the likelihood of misuse of the information is low," said Metro Chief Safety Officer Ronald Keele.

"However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly."
[Evan] Checks and balances are typically lacking in these types of breaches, so I think it’s a good sign that Metro is addressing these.

Metro officials say they are not alone in this type of data breach.
[Evan] So what?

According to the Identity Theft Resource Center, data breaches at businesses, governments and universities were up 69 percent in the first half of 2008 compared with a similar period in 2007.

Commentary:
The end result of this oversight is three disciplined employees (with no pay for a month) and nearly 4,700 people with an increased risk of identity theft. Forethought is there for a reason, whether or not you use it is your choice.

Past Breaches:
Unknown