The State Street corporation has recently made public a security breach affecting 45,000 customers and employees. Five months ago, the company discovered computer equipment storing personal information had been stolen from one of its units. The records contained by the equipment in question included names, addresses and social security numbers.
According to CNBC, the company, a Boston-based provider of financial services to institutional investors, said 5,500 employees and 40,000 customers of Investors Financial Services, which it acquired last year, were affected.
State Street said there was no evidence the data had been misused, but it declined to say if the stolen equipment had been recovered. It is working with federal and local law enforcement agencies on the matter.
The University of California San Francisco decided to notify a group of patients that it had discovered a security breach involving a computer storing personal patient information. Although there is no proof any patient files were ever accessed, UCSF treated this incident as highly important and responded with the highest level of caution and concern.
According to the UCSF news office, the breach was discovered during routine monitoring of the campus computer network that took place on January 11, 2008. At that time, IT personnel noticed unusual data traffic on one of the university’s computers and immediately removed it from the network to prevent any possible damage.
During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual. Installation of this program required high-level system access, which is why the incident is considered a security breach.
Duke University’s Fuqua School of Business has been notifying 273 former New York University students that some of their personal information could have been easily accessed through specific Internet searches for almost a year, between July 2007 and April 2008.
According to the News & Observer, the data someone could have retrieved on those affected included names and Social Security numbers and was stored in a faculty member’s research records. The article also quotes Duke officials stating no form of unauthorized access or use of the personal information has been identified.
The personal information was removed from Fuqua’s public drives within 30 minutes of the school becoming aware of the problem on April 30. Within hours, all major search engines had cleared their caches and indexes of the student information, the press release states.
Research company Gartner is about to release its new forecast showing us what security threats we’ll be dealing with in the future. To raise interest in their upcoming data, they’ve given away some of the details, as a teaser that seems to be working great. Their statements have also been reported by Dark Reading.
What is really interesting here is their view on where new threats will emerge. Hackers and all types of wrongdoers will target all things shared and social. While this will be mostly to facilitate the quick spread of malware, social networks will also be targeted to obtain credentials. So be careful what personal data you post on your social profiles, and make sure you find out how your email passwords are handled when you import contacts or send out invitations. Try these easy steps to make sure your identity isn’t then misused.
Our blog will fill you in on other interesting findings as soon as the official Gartner Forecast hits the market, so see you all soon!
One would expect security to be a major concern for those advertising at and attending a security conference. But reality shows otherwise. Integrated telecommunication provider Telstra distributed malware-infected USB drives at the 2008 AusCERT security conference.
According to SearchSecurity, as soon as the security issue was discovered, the USB drives were recalled. The AusCERT security conference was attended by up to 1200 delegates, all of them potentially exposed to a serious infection.
IT Security journalist Davey Winder states security problems at such conferences are no longer surprising. In a blog post published on DaniWeb, he provides insight on how potential breaches are facilitated at security events:
I have lost count of the number of such events where I have been able to quickly scan and detect numerous unsecured wireless networks and where ‘researchers’ attend with the express intention of finding such security holes and jumping in with both feet to see what resources can be compromised. Often it is the people who should know best who seem most liable to suffer from complacency, and security conferences are a great example of this genre of should have known better syndrome.[...]
So you could say I am not easily surprised, but what does surprise and rather shock me about this particular case in Australia is that the USB sticks being distributed by a large telco were apparently pre-owned, second-hand ones. I mean, how cheap do you have to be to use pre-owned USB sticks? These things are so cheap brand new that you will be finding them in Xmas crackers soon…
A recent audit at the US State Department has revealed the loss of over 1,000 laptops. Although an official statement has not been made regarding the content of the missing laptops, some are believed to be storing classified information. According to Vnunet, the problem has been reported since February, but apparently has not received the necessary attention.
Around $30m worth of computing hardware is “unaccounted for”, the bulk of it laptops. These include over 400 from the Anti-Terrorism Assistance Program, some containing security material.
The situation has been compared to the loss of a laptop by the Veterans Administration in 2006 which held personal details on 23 million veterans.
According to data recently released by Attorney General Richard Blumenthal, a storage company for a New York bank lost an unencrypted backup tape containing Social Security numbers and bank account information belonging to hundreds of thousands of Connecticut consumers and personal information of millions more nationwide.
NorwalkPlus.com reports that the Connecticut consumers were depositors and investors of People’s United Bank of Bridgeport, which gave Bank of New York Mellon the information to allow it to offer those consumers an investment opportunity.
Blumenthal urged Bank of New York Mellon, which lost the information in February, to provide affected consumers with credit monitoring and other identity theft protections, and to also provide them with full details on how the loss occurred.
“I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon (‘BNY’) involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers, including People’s United Bank account holders and shareowners,” Blumenthal said in his letter. “Several hundred thousand Connecticut citizens may be affected, and possibly more, by this loss of highly significant personal information.”
A 15-year-old student living in Chester County has been accused of hacking into the computer system of the high school he was attending and of stealing information from over 50,000 individuals. The information stolen by the Downingtown West High School student contained names, addresses and social security numbers.
The teenager, whose name has not been made public because he is a minor, is believed to have used a flash drive to store the private records belonging to about 40,000 taxpayers and 15,000 students, police said.
According to NBC10.com, this is not the first such incident in the area:
The incident marked the second time a student has hacked into the school’s system since December. The district said it had tightened up security since the late 2007 breach.
School officials sent a letter explaining the incident home with students and posted it to the district’s Web site.
The Experian credit reference agency has just released new data on identity fraud in the UK. According to their report, identity fraud saw an incredible increase in 2007, with affluent Londoners being particularly at risk.
Experian based this conclusion on the fact that it received identity fraud reports from over 6,000 victims in 2007, compared with only 3,500 in the previous year. Experian also pointed out that the reported frauds are only a small part of those actually happening. Experian actually used 10,000 identity fraud cases to define victim profiles and to identify ID crime hotspots.
The new data, quoted by the Register, shows London residents were twice as likely as other UK residents to be exposed to identity fraud. The Register also reproduced the most common profile of identity fraud victims:
The typical identity fraud victim is aged between 26 and 45, earns more than £50,000 a year and tends to be a homeowner. Higher income earners are three times as likely to fall victim to identity fraudsters. Many victims realized they had been swindled after spotting dodgy transactions on credit monitoring reports.
It looks like Romanians and US citizens are really great at teaming up, regardless of their intentions. While a team of 22 Romanians and 9 Americans got together to create a credit and debit card fraud ring, the US and Romanian authorities, helped by other countries, collaborated on catching them. SecurityFocus covered the story, but their numbers are a bit blurry. They speak of 33 individuals being charged on this issue, but for the life of me I can’t tell who the other 2 are. Maths mistake or 2 more of different citizenship?
The members of the fraud gang allegedly used spam e-mail messages to get their victims to visit a fake website, where they were urged to enter financial details. The U.S. members of the group used the gathered information to create counterfeit credit and debit cards, and then stole millions of dollars from thousands of cards.
“International organized crime poses a serious threat not only to the United States and Romania, but to all nations,” Deputy Attorney General Mark R. Filip said during a press conference in Romania, according to a statement announcing the indictment. “Criminals who exploit the power and convenience of the Internet do not recognize national borders; therefore our efforts to prevent their attacks cannot end at our borders either.”