Potential Breach Affects 128,000 Saint Mary Patients and Clients

Saint Mary’s Regional Medical Center has recently released information about a potential data breach involving one of its databases. The database in question was used for Saint Mary’s health education classes and wellness programs and contained private records of about 128,000 patients and clients.

The personal information contained details such as names and addresses, limited health information and some Social Security numbers. According to a statement made by Gary Aldax, marketing manager for Saint Mary’s and quoted by RGJ.com, the database did not contain medical records or credit card information.

“What happened was that an unauthorized person may have accessed the database,” Aldax said. “We’re currently working with Equifax, which is one of the three major credit agencies, to help handle this for us.

“In some cases, there were people who had their Social Security numbers (in the database) as well, so we’re sending different letters to people depending on their situation.”

Saint Mary’s has emailed all those potentially affected this month, warning them about the threats they might be exposed to.

Security Threat Caused by Lost USB Sticks

Yet another data breach caused by lost hardware has been reported by a governmental institution. The U.K.’s Ministry of Defence (MoD) has released information on 121 USB sticks, including five containing classified information, that have been lost or stolen since 2004.

As reported by DarkReading, these troubling figures became public four years later in response to an official question from Sarah Teather, a Liberal Democrat Member of Parliament. They are the latest, but not the only, embarrassing breach involving the UK government. The MoD’s missing USB sticks come after the loss of two disks containing private welfare data on 25 million U.K. citizens and the loss of a large number of laptops and mobile phones.

“Far from the problem getting better, it seems actually to be getting worse at the moment,” said Teather. “I think that the government has a duty to come clean and say whether or not anyone has been put at risk as a result of this – we need reassuring, for example, that none of our troops have been put at risk.”

The British government’s latest storage snafu comes less than a year after Her Majesty’s Revenue and Customs (HMRC), the U.K.’s equivalent of the IRS, was at the center of the country’s largest ever data loss.

These recent events raise a troubling question: how many such breaches actually happened but were never disclosed to the public? And how long would it have taken for UK authorities to inform the public about these national security breaches if there hadn’t been a formal inquiry?

Brand New Security Breach Reported by the US Army

Ever since 2006, several cases of exposed sensitive data surrounding the US Army have kept the newspapers busy. A new such case has recently hit the papers, when a laptop computer was reported stolen from an Army employee’s truck. The laptop contained personal information on about 900 soldiers from Fort Lewis. The information was released by Lacey police officials and quoted by The News Tribune.

As the theft might expose the soldiers to identity theft risks, those involved have been notified of the breach, said a post spokeswoman. According to Army officials, the employee from whom the laptop was stolen, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.

The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman.

“We’re not releasing anything more about what information was inappropriately compromised or about the soldiers whose information was involved,” Caruso said. “Clearly it was personal information regarding 800 to 900 soldiers from Fort Lewis. Beyond that, we’d rather not specify.”

UK SMEs Warned To Improve Security

The Economic and Social Research Council (ESRC) warned that small and medium sized enterprises (SMEs) are most likely to fail at effectively securing their data, which could subsequently lead to compromising a large portion of the UK economy.

Based on figures provided by the Department for Business, Enterprise and Regulatory Reform and quoted by Computing.co.uk, SMEs account for 51.9 per cent of annual turnover in the UK and make up over 99.3 per cent of existing businesses.

Meanwhile, reported fraud cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountant BDO Stoy Hayward.

Banks and insurance firms suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008. Management fraud accounts for 46 per cent of fraud cases and third party fraud for 32 per cent, costing businesses a total of £541m.

HMRC Breach Caused By Poor Security

A formal inquiry into the now notorious security breach reported last October at HM Revenue & Customs (HMRC) has recently been published. The breach exposed 25 million personal records and was found to have been caused by “major institutional deficiencies”, reports SearchSecurity UK.

The inquiry extensively details the operating procedures in place at HMRC before the data breach. It also describes the circumstances that led to the loss of two CDs holding personal and financial information on Child Benefit recipients.

The inquiry, led by Kieran Poynter of management consultants PricewaterhouseCoopers (PwC), concluded that “information security simply wasn’t a management priority as it should have been, and HMRC had an organizational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.”

The report of the investigation provides a detailed blow-by-blow account of events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity, and referred to only as employee A, B, C and so on.

DPS-contracted Company Breached

Private records of 826 state employees were recently stolen from a home office in Wichita Falls, Texas. An employee of L-1 Identity Solutions was keeping the information in a lockbox, pending fingerprinting, as agreed with the Department of Public Safety.

All the affected individuals are being notified by mail that their names, home addresses, dates of birth, driver’s license numbers and Social Security numbers are missing and that they are exposed to identity theft and fraud. According to KXAN.com, about 100 of those affected work for the State Board of Education. The incident comes less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.

Montgomery Ward Kept Customers in the Dark on Data Theft

In a security breach not yet reported to its customers, Montgomery Ward, an old-line merchant now operating as an internet retailer, had 51,000 credit card numbers stolen. The private records were stolen in December from an online database containing credit card account information.

According to SC Magazine, the furniture retailer operates on the internet through the Wards.com site and is actually owned by Direct Marketing Services.

Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers. Now that the breach has been exposed, the company has had a change of heart and is planning to let all those affected know of the breach.

New PCI Standards Disregard Inside Threats

Starting June 30, new measures added to the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address insider threats.

As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.

Secerno representatives argued that the new and “improved” standard does not address real threats effectively:

“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.

“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”

Besides completely ignoring malicious insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, and measures for protecting data on private networks.

Virgin Media Loses Unencrypted CD with Customer Data

Virgin Media, the branch of Richard Branson’s empire operating in the entertainment and communications fields, has recently disclosed the loss of an unencrypted computer disc containing bank account details of 3000 UK customers.

The data loss was discovered on May 29th, and according to Virgin Media, the CD also contained names and addresses of customers. According to Finextra.com, the breach affects customers who signed up to Virgin Media services in Carphone Warehouse stores from January this year. Company representatives don’t know why the data was burned onto a CD in the first place, as company policy stated that secure FTP transfers should be used instead of CDs.

In a statement a Virgin Media spokesperson says: “We have been working with the Information Commissioner’s Office on this matter and we are in the process of contacting all of the affected customers to ensure we meet our responsibilities and fully support them through this process.”

Virgin Media says it is now conducting a review of its data protection policies and practices.

Sensitive Data of Healthcare and Airline Companies Found in Argentina and Malaysia

Researchers at Finjan have recently discovered 500 megabytes of confidential data on servers located in Argentina and Malaysia. The private records contained Citrix single sign-on credentials for accessing patient and financial data at a major U.S. hospital and a major healthcare organization, as well as credentials for accessing a large U.S. airline carrier’s passenger and cargo lists, flight schedules, security measures, and financial data.

According to DarkReading, quoting Yuval Ben-Itzhak, CTO of Finjan, the Finjan research findings show that criminals are shifting their focus to different data that they can easily steal and effectively sell to the highest bidder.

“It’s supply and demand. The fact is these people are now going after data that’s different from [the standard] credit card and SSN,” Ben-Itzhak says. “A year ago, a [stolen] credit card was $100. Now you can get one for $10-$20 a card.”

But that doesn’t mean cybercriminals still aren’t pilfering credit card data, other security experts argue. “I don’t think there is a shift in cybercriminals stealing data other than credit card numbers. The stolen data from popular and mainstream Trojans is mainly grabbed via keylogging — everything is captured, [and] then the wheat is separated from the chaff,” says Guillaume Lovet, senior manager for Fortinet’s Threat Response Team.