The theft of laptops doesn’t stop, organizations don’t learn their lesson
A great deal has been written on the loss and theft of hardware (laptops, USB sticks, external hard drives, etc.), and we had thought that organizations would learn their lesson and encrypt sensitive data on such media. Apparently, that is not quite the case, and two recent incidents prove it.
A resident student at Vancouver Coastal Health lost a laptop and a USB stick (there is a high probability that the hardware was stolen) at the Toronto Airport. The information stored on the drives was password protected but it wasn’t encrypted.
A Vancouver Coastal Health official calls the incident ‘unfortunate’ and says that ‘This is the way physicians and other health care workers need to do their job. They need to use these devices.’ He admits that many professionals use laptops and that the agency has some issues handling mobile technologies.
Another mishap took place in the United Kingdom: the theft of a laptop that stored personal information of 100 young people who participated in inclusion programs. This laptop was in the house of a contractor of the Newcastle Youth Offending Team organization. The ICO (Information Commissioner’s Office) has fined this organization for not encrypting the data. According to Sally-Anne Poole, ‘Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure.’ She underlines the fact that organizations working with contractors must make sure that the latter adhere to their security policies.
It’s so simple and cheap to track the use of portable devices and encrypt sensitive data stored on them that we really ask ourselves why organizations don’t do it.
Let’s hope that at least legal constraints will force private data handlers to implement solutions and policies to keep their data safe and secure.
2011 Brings Major Changes to the Top of the Biggest Data Breaches of All Time
While data breaches are as common as any other daily occurrence in the business and individual worlds, large security incidents don’t happen as often, especially considering that one of the breaches in the top ten largest data exposures of all time dates back to 1984. 2011 is not yet over and it is already the poster child of this ranking we all want to see unchanged.
2011 is the only year with three major data loss incidents in the top ten: Sony Corporation with 77 million records exposed; SK Communications, Nate, Cyworld with 35 million; and again Sony Corporation, through its Sony Online Entertainment division, with close to 25 million records exposed. Luckily for us, although it featured large incidents, 2011 did not create as many victims as 2009 with its two incidents: Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank, which share the number one position in the infamous ranking with 130 million records exposed, and RockYou Inc. with another 32 million.
Israeli Ministry Falls Prey to Insider Theft of 9 Million Records
No one is safe from insider threats, not even state departments and ministries, as a very recent incident at Israel’s Ministry of Labor and Welfare shows. A contract worker has stolen personal information of over 9 million Israelis from the country’s Population Registry. The Jerusalem Post, quoted by Dark Reading, states that the perpetrator copied the ID numbers, full names, addresses, dates of birth, information on family connections as well as other details and used it to create a searchable database which was going to be sold to a private buyer.
As the contract worker lacked the tech skills needed to create the database, he shared the 9 million stolen records with another individual, who did the actual design of the software program that exploited the existing database of Israeli citizens and called his creation “Agron 2006”.
Spectrum Health Client Data Stolen With Hard Drive
Health systems company Spectrum has been the victim of a data breach affecting confidential health information of some of their clients. The breach was the result of an electronic device theft, the perpetrators also taking a hard drive that included the medical details. According to Spectrum representatives, the stolen information was not encrypted, but it was double password protected.
The thieves took three electronic devices when breaking into the offices located at 484 Main St. in Worcester in late August, but only one was used to temporarily store personal and protected health information.
Hardware loss in a hospital endangers data of 1.6 million people
Nemours, an American organization for children’s health, announces through a press release the loss of three unencrypted backup tapes that contained information such as the names, addresses, dates of birth, social security numbers, insurance and medical treatment information and bank account information of 1,600,000 patients and employees.
The three backup tapes were stored in a cabinet that might have disappeared during a facility modernization project.
So far, there is no evidence that the tapes were stolen, accessed or used for fraudulent purposes.
Nemours offers free credit monitoring, identity theft protection and call center support.
Find their press release here: http://www.nemours.org/mediaroom/news/2011/missingtapes.html
US Postal Services misplaced CD with data on 4000 people
A CD, as always not encrypted, but this time password protected, was lost in the mail in a US Postal Services mishap. The storage device in question contained personal details on over 4000 US Steel Mining retirees and their dependents. The resulting data breach exposed their names, Social Security numbers and birthdays.
Benefits Administration Services had mailed the CD in question back in August and by mid September it had not arrived at its destination, which led them to make the data loss public. The affected provider of benefits administration services for the United States Steel and Carnegie Pension Fund is currently working with the US postal services to locate the missing CD, but hasn’t had much luck as of yet.
Of the 4000 affected individuals, about 1,700 retirees and dependents were from West Virginia. BAS had some good news to share, namely that they have no evidence of any of the lost private records being misused up to now. Let’s hope it stays that way!
Data breach exposes 40,000 credit and debit cards
A data breach occurring at the Vacationland Vendors arcade games in Wisconsin Dells affected 40,000 credit and debit cards. The incident was caused by hackers who gained access to the card processing systems of the Wilderness Waterpark Resort in the Dells and Wilderness at the Smokies in Sevierville. The breach only affected the arcade systems; those using their credit cards for other services, such as reservations, eating at the resort restaurants or shopping for gifts, have not been affected.
According to Vacationland Vendors, the hack was discovered on March 22, but it is believed that all cards used between December 12, 2008, to May 25, 2011. The good news is that, of the 40,000 cards exposed, company officials believe only 20 were actually impacted by the breach.
Data breach roundup: Missing hardware
As data storage devices get smaller and easier to carry, the chance of them being stolen or lost rises. Thumb drives, laptops, computers: everything shrinks while storage capacity grows exponentially, which is great for productivity and awful for unencrypted data. While laptops and USB sticks have always been the easiest to steal or lose, that does not mean that old-fashioned desktop computers cannot share the same fate.
The result of the following incidents? Exposed data affecting hundreds or thousands, making them perfect targets for identity theft or fraud. Another thing they have in common? You guessed it, they are all part of the healthcare industry! Most of these data breaches can be prevented and it’s a rather simple process. But let’s move on to our list of incidents!
Are Hackers Going to Be This Year’s Top News Item?
We have recently written quite a few pieces on hacking, hacker-caused data breaches, and other such incidents. As we kick off the week and this first month of fall, more pieces of news along the same line come to our attention.
Two students hacked into the Birdville Independent School District’s servers and ran across a file containing 14,500 student names, ID numbers as well as social security numbers.
Borlas.net was also the playground of hackers. After managing to access their files, the hackers responsible for the security breach also leaked names, passwords, emails and phone numbers of nearly 15,000 registered users.
A virus exposes private data of 3000 patients of an American clinic
An investigation inside the Living Healthy Clinic of Wisconsin, US has revealed the existence of a virus on a computer in the network that exposed 3000 patient records.
The experts have concluded that the attack was not targeted, as it was reported that the same type of virus was found on other computers in the US that had nothing to do with the clinic.
The information exposed after the attack included names, addresses, social security numbers and medical records of some patients.
Officials will notify the affected persons of the security breach and inform them of the measures to take to protect themselves.


