Medical data on about 700 children and teenagers from Hong Kong with social and developmental problems have recently been lost. The territory’s government admitted the data loss at the end of last week.
The records were stored on a memory card which was stolen from a Child Assessment Centre in the city’s Tuen Mun district. The government’s Department of Health, quoted by M&C News, said the memory card had been kept in an unlocked room.
The lost data included detailed records of interviews with troubled youngsters, among them assessments and, in some cases, their photos, identity card numbers and addresses.
Sensitive personal data of 1,800 State Highway Administration (SHA) employees, including names and Social Security numbers, were compromised last week in Baltimore. An internal investigation quoted by WBALTV showed that the breach was inadvertent and not the result of criminal intent.
“We had an incident where an employee transferred personnel transaction data from a secure drive to a SHA shared drive,” said SHA Deputy Administrator of Finance and I.T. Normetha Goodrum.
CoSoSys, the leading provider of Endpoint Security solutions, announced today that VIPdesk, a pioneer of premium home-based contact center solutions and concierge services, has selected its most recently released Secure it Easy software, version 2.0, to manage and enforce the company’s portable device security guidelines. Secure it Easy protects the remote workstations and notebooks owned by VIPdesk’s home-based agents against data loss, data theft and other forms of data leakage.
“Legislative requirements enforced by an increasing number of US states and the recent Federal Trade Commission rulings against companies who did not prevent sensitive data exposure are stipulating clear actions to be taken in case of data theft or private record exposure. Such laws call for proactive management of portable devices that are capable of storing private information,” said Roman Foeckl, Managing Director of CoSoSys. “This set of features within Secure it Easy enables organizations of all sizes to better comply with government regulations and industry standards regarding data breach management and IT governance.”
See the full press release here.
Researchers from many world-renowned universities and research labs, such as UCLA or Root Labs, have been focusing on data encryption for quite a while. According to the Register, current research has led to an encryption scheme that has the potential to simplify the protection of sensitive information. This encryption scheme allows banks, hospitals and other organizations to lock files using keys that are based on specific attributes, such as an employee’s position or geographic location.
The method, which was unveiled last week, adds to the growing body of research known as functional, or attribute-based, encryption. Functional encryption is designed to solve the hassle tied to traditional public-key encryption, which results from distributing and managing the thousands or millions of private keys that authorized people need to decrypt protected data. If 1,000 people in an organization need to securely share their public key with their co-workers, that requires close to one million separate exchanges.
Functional encryption tries to simplify things. It allows data to be encrypted using attributes directly tied to the recipients, such as their names or email addresses, without the need for the parties to have exchanged keys ahead of time. Rather than relying on a single key that unlocks all data, functional encryption envisions a more flexible sort of system where a personal key unlocks some doors but not others.
AirPatrol CEO Nicholas Miller said wireless vulnerabilities are the greatest Internet-related threat to all corporate networks. The statement was made in Las Vegas at the Interop/CSI SX Conference, the Computer Security Institute’s CSI SX event, and was subsequently picked up by DarkReading. According to Miller, the rapid growth of wireless networking has generated an unprecedented increase in threats caused by wireless vulnerabilities.
“The problem is that wireless vulnerabilities don’t just expose the user who’s unaware of them, but the whole corporate network the user is attached to.”
Many companies are now moving towards a wireless infrastructure to save money and reduce their existing infrastructure. But according to Miller, this move exposes them to greater risks, given that the wireless environment is known to harbor old vulnerabilities that are yet to be resolved.
Wireless infrastructure vendors offer some security capabilities, “but they are really looking for rogue access points, which is a tiny issue compared to the total problem associated with laptop security,” he said. “You really need to look at the entire network — you need to secure the endpoints.”
The problem with most wireless technologies is that they don’t account for the end user’s location, Miller said. “All of a sudden people can have access to the network as if they were in the building, which is why we need location-based access in wireless. Any wireless product you’re looking for should have that capability. If a hacker wants to break into the network, they should have to break into the building.”
UK companies have tripled their spending on information security defenses in the past three years, a fact that has caused reported security breaches to drop by a third. That means 300% more money spent gets you to 30% fewer breaches.
According to the most recent edition of the UK government-sponsored Information Security Breaches Survey, quoted by the Register, the number of companies reporting a security breach is now at roughly the same level as in 2002, after reaching a peak in 2004.
Expenditure on information security has increased from two per cent to seven per cent of the IT budget on average over the last six years. But this increase in spending is uneven with a significant minority (21 per cent) of companies spending less than one per cent of their IT budget on information security.
Nonetheless, the security landscape has improved markedly over that period with 94 per cent of wireless networks now encrypted, versus only 47 per cent in 2002. More than half (55 per cent) of UK companies have a documented security policy, versus 27 per cent in 2002. Two in five businesses provide ongoing security awareness training to staff – twice as many as six years ago.
After the second-largest security breach in history was reported at Hannaford, another data exposure involving credit cards has just been covered by the press. The Canton Police are investigating hundreds of reports of thefts of credit and debit card numbers belonging to customers who shopped at WiseBuys department store in December.
“We have had hundreds of victims and thousands of thefts. We have had amounts as high as $3,000 and as low as $10,” said Sgt. Lori A. McDougal of the village police department. “I would say at this point they total upwards of $100,000.”
Victims are all believed to have shopped at the Canton WiseBuys store between Dec. 5 and 20, Ms. McDougal said. Since then, stolen credit card numbers have been used to create fake cards in New York City.
A survey conducted by conference group Infosecurity Europe showed Europeans are getting smarter and better at protecting their passwords, but are still not doing enough to protect their personal data.
According to the survey quoted by SecurityFocus, only 21% of the nearly 600 people queried near the Liverpool Street Station in London gave up their password when offered an incentive (in this case, a chocolate bar), down from 64% last year. However, of those refusing to reveal their passwords, six in ten later identified the type of information, such as date of birth, pet’s name, or anniversary date, they had used to create their password.
Women appear to be more trusting with password information than men, giving up their secret code 45 percent of the time, compared with only 10 percent of the time for men. The result may indicate that computer-security training of female office workers is behind that of their male counterparts.
Another incentive used in the survey was a fictitious prize drawing with a Paris trip as the prize. Seven out of ten people gave up their name and e-mail address or a phone number, while six out of ten people revealed their date of birth.
“This research shows that it’s pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department,” Claire Sellick, event director for Infosecurity Europe said in a statement. “This type of social engineering technique is often used by hackers targeting a specific organization with valuable data or assets such as a government department or a bank.”
The University of Colorado at Boulder has recently announced to the media that three computers in the Division of Continuing Education and Professional Studies were breached, exposing nearly 10,000 people to potential identity theft.
Bronson Hilliard, a spokesman for CU-Boulder, quoted by 9News, said one of the three computers had personal data, including names, Social Security numbers, addresses and grades, of about 9,000 students and approximately 500 instructors.
“The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security,” stated Chancellor G.P. “Bud” Peterson in a news release. “We will continue and strengthen our security efforts and hold our departments accountable for their success.”
Approximately 2,000 medical bills have recently been posted to East Texas addresses with patients’ Social Security numbers visible on the envelope. The private record exposure was caused by a technical glitch in the billing system used by the collection agency that the University of Texas Health Science Center at Tyler had contracted.
Chief Operating Officer Rob Marshall at UTHSCT told TylerPaper that the problem was quickly addressed and fixed, but that he was deeply disappointed in collection agency CBE Group Inc.
“We’re in negotiations … I can’t confirm or deny that we’ll be with (CBE) in the future,” he said Tuesday evening. “But we do have a different set of rules on handling issues like this and have already said how to safeguard this in the future.”