The security breach case we’re about to talk about is both troubling and funny. Missing data turning up a few days after the breach was disclosed, or, in other words, playing hide and seek with personal records, is what’s been happening at Tennessee State University.
After announcing that a flash drive containing the financial information and Social Security numbers of more than 9,000 students had gone missing, TSU proceeded to notify the affected students of the security breach. They also backed their announcement with credit protection for those affected.
TSU has a policy requiring Social Security numbers to be kept in protected files, yet the missing flash drive was not believed to be encrypted or password-protected. A pretty standard case up to this point: hardware is lost and leads to significant data loss, security policies are not complied with, and so on.
But! Yes, there’s a “but”: a few days after the announcement, a student turned the flash drive in and TSU released the good news. No one really knows why the student had the drive or how he got it; let’s hope the internal audit clears up this mystery.
The fact that security policies are not really complied with no longer surprises any of us. But finding out that a student can get his hands on private records that easily is a bit troubling. And TSU’s position is a bit weird as well: oops, we’ve lost some pretty important data on our students! Oh no, our bad, one of our students had it, because we have protocols and policies just for show!
It has recently been discovered that the people behind the largest security breach in history, the TJX heist affecting 46.5 million cards, have also breached US retailer Forever 21, lifting about 99,000 debit and credit card numbers.
As the Register reported, Forever 21 disclosed the breach on its site, letting everyone know it had found out about the heist about a month earlier from law enforcement officers. There were nine specific dates on which the payment card system was breached, spread from March 2004 to August 2007. The breach exposed card numbers and expiration dates, along with other details that were stored but not disclosed by Forever 21.
If you’re looking for the official Forever 21 statement, read the Register’s explanation of how to get to it, as apparently it cannot be linked to directly… So much for transparency and caring more about your customers finding out and being protected than about your image, which will be affected anyway…
We’ve written before about what’s going on in the TJX case, also known as the biggest security breach and data theft incident ever. Keeping up our good habit, here are some details on what’s happening to those arrested in this case.
The first of those arrested to plead guilty to credit card fraud was Damon Patrick Toey, 23, from Miami. It seems his actions inspired one of his partners in crime, Christopher Scott, 25, also from Miami, Florida. I have to wonder whether the rest will follow his lead or stick to their previous statements.
In case you’ve forgotten, this credit card fraud exposed 45.7 million card records at TJX alone last year.
Speaking of insider threats: while insiders may have fun stealing from customers, shaking their employers’ credibility and costing them money, some of them actually get caught. This happened to a former employee of an internet-based gambling website who recently pleaded guilty to stealing the identities of 150 customers of the site in question.
According to the Register, Canadian Patrick Kalonji stole the victims’ names, birth dates, addresses, mothers’ maiden names, Social Security numbers and other personal details between July 2002 and August 2004 while working for BetOnSports.com. Using two Yahoo personal email accounts, he shared the information with others, who booked nothing less than round-trip plane tickets from Nigeria to New York!
We’ve been talking a lot about security breaches, data loss or theft and identity theft here on Endpoint-Security.Info. What I think we haven’t stressed enough is how those whose records are lost, exposed or stolen feel after it has all happened. Luckily, quite a few victims of the Countrywide data theft have shared their experiences and fears with us on the first post we published on the matter.
What they feel is frustration, fear and anger; they are worried sick and hardly know what to do now to 1. get Countrywide to talk to them, 2. better protect themselves and 3. stop the calls they keep receiving from those who actually bought the stolen info.
Please take a moment to read their comments and join the conversation here or on the original post.
Lost hardware is the cause of another data loss, this one affecting 5,000 employees of the National Offender Management Service in England and Wales. The hard drive containing the employees’ personal records, including those of prison staff, was lost by a private contractor, EDS.
Although details on EDS and the circumstances in which the hard drive was lost are not yet very clear, the BBC article announcing the breach is rich in statements from Secretary of State Jack Straw and a couple of justice ministers, as well as criticism of the British government.
Justice Minister David Hanson is the one who most surprised me. He stated that he did not believe the safety of those working in the justice system would be threatened. No wonder the British government and authorities are hit so hard by data losses and thefts if they have no idea what the consequences are. Of course their safety, identity and money will be threatened; a justice minister facing his second data breach in a few weeks, after losing private info on thousands of criminals, should at least know that and not be taken by surprise ;).
Do you remember the Bank of New York Mellon’s lost backup tapes? Initially, it was said they contained private records on 4.2 million customers. Yet according to new information from DarkReading, the count has just risen to 12 million.
“When we announced [the lost tapes] back in May, we said we were going to do a top to bottom review across the company and go back and review it again,” a Bank of New York Mellon spokesperson said. “When we discovered [there was] this additional data that may have non-public personal data on it, we brought in a third party” to help investigate it, the spokesperson said.
The unencrypted tapes were lost by a courier earlier this year, and according to the data released in May, those whose private data was stored on them were clients of BNY Mellon Shareholder Services. The newly discovered clients affected by the breach are currently being notified by the bank.
The year is not even close to being over, and the data breaches reported in the US have already exceeded the number of such incidents reported for all of 2007, says the San Diego-based Identity Theft Resource Center. And while these numbers amaze and worry us, we should keep in mind that the ITRC itself admits the number might be higher, as some breaches are never reported.
In the first eight months of 2008, 449 US businesses and government agencies reported either lost or stolen data. These breaches resulted in compromised data on over 22 million individuals. One wonders what the real numbers are, considering the unreported or half-disclosed breaches. ITRC estimates that about 40% of such cases are somehow dressed up or kept quiet.
In a statement quoted by the Register, ITRC founder Linda Foley suggests the large numbers reported are also due to companies being more open about admitting data breaches, rather than solely to an increase in data thefts and losses.
“If more states would publish breach notification lists, there would be more information to study and to help us understand this growing concern,” she said. “At this time, only three states publish such information. Additionally, more companies are starting to audit their security and network systems and use readily available security measures. This pro-active approach means that breaches are being identified that might otherwise have gone undetected.”
Be it openness or more frequent breaches, the real numbers are scary. I for one am really not looking forward to next year’s reports.