Daily Mail Loses Laptop With Staff’s Private Info

The latest security breach involving a stolen laptop has recently been reported by Northcliffe Media, owner of the Daily Mail. The lost computer contained sensitive information on the company’s employees, such as names, addresses, bank accounts and sort codes of Mail and General Trust staff.

According to company representatives quoted by the Register, the laptop was password protected but most likely not encrypted. Northcliffe Media warned its staff of the risk they were exposed to and advised them to contact their bank in order to prevent future problems.

The letter, signed by group finance director M J Hindley, said:
“The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen.”

Insider Attacks Double in the First Half of 2008

Security attacks caused by insiders have doubled in the last year, according to the latest report released by the Identity Theft Resource Center (ITRC). The Center found that almost 16 percent of breaches reported so far in 2008 were caused by insiders, up from 6 percent in 2007. 11.7 percent of the attacks came from individuals outside the company, down from 14.1 percent in 2007.

According to Dark Reading, the ITRC’s data is consistent with other reports on insider incidents showing an increase of such attacks. Additionally, many experts believe that disclosure of all incidents is also on the rise, mostly due to the legal requirements put in place by many states over the last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

Public Access vs. Private Records Protection

The European Data Protection Supervisor, Peter Hustinx, stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.

Yet according to Computing.co.uk, Hustinx is concerned the security measures to protect personal data from public documents are inefficient. His concern was triggered when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.

“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.

We’ll just have to wait and see what will happen, and if the right to public access wins the battle, we could recommend some DLP solutions :).

UK SMEs Warned To Improve Security

The Economic and Social Research Council (ESRC) warned that small and medium sized enterprises (SMEs) are most likely to fail at effectively securing their data, which could subsequently lead to compromising a large portion of the UK economy.

Based on figures provided by the Department for Business, Enterprise and Regulatory Reform and quoted by Computing.co.uk, SMEs account for 51.9 per cent of annual turnover in the UK and over 99.3 per cent of existing businesses.

Meanwhile, reported fraud cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountant BDO Stoy Hayward.

Banks and insurance firms suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008. Management fraud accounts for 46 per cent of fraud cases and third party fraud accounts for 32 per cent, costing businesses a total of £541m.

Stockbrokers Get Fine for Poor Security

The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect their customers from the risk of identity fraud. FSA, quoted by the Register, said the company’s poor security included failing to manage, among others, the risks posed by staff using instant messaging and web-based email.

London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. They instead relied on being able to recognize customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters which could then lead to fraud or identity theft.

The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.

The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.

DPS-contracted Company Breached

Private records of 826 state employees were recently stolen from a home office in Wichita Falls, Texas. An employee of L-1 Identity Solutions was keeping the information in a lockbox, pending fingerprinting, as agreed with the Department of Public Safety.

All the affected individuals are being notified by mail that their names, home addresses, dates of birth, driver’s license and Social Security numbers are missing and they are exposed to identity theft and fraud. According to KXAN.com, about 100 of those affected work for the State Board of Education. The incident comes less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.

Montgomery Ward Kept Customers in the Dark on Data Theft

In a security breach not yet reported to its customers, Montgomery Ward, an old-line merchant now operating as an internet retailer, had 51,000 credit card numbers stolen. The private records were stolen in December from an online database containing credit card account information.

According to SC Magazine, the furniture retailer operates on the internet on the Wards.com site and is actually owned by Direct Marketing Services.

Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers. Now that the breach has been exposed, they’ve had a change of heart and are planning on letting all those affected know of the breach.

Former Employee Charged in Southeast Security Breach

A former Southeast Missouri State University employee has been charged in a security breach exposing 800 student names and social security numbers. The man has been indicted on charges of identity fraud and one charge of computer trespass after being found in possession of the private records in question.

According to the Southeast Missourian, William Elum was the hall director of Dearmont during the 2006 to 2007 school year and was arrested May 27 in Atlanta. While no students have reported credit fraud as a result of the leak, Elum is accused of trying to access two student accounts.

“I haven’t seen any evidence that these data have been misused beyond the attempt the employee used to log on to our system in other students’ names,” said Dr. Dennis Holt, vice president for administration and enrollment management.

Nevertheless, university administrators are recommending students place a fraud alert on their consumer credit file and also a security freeze on accounts at credit bureaus.

DCA Security Breach Exposes Private Records of 5,000

The state Department of Consumer Affairs has recently discovered a security breach exposing employees, contractors and board members to identity fraud. DCA has in response sent 5,000 letters warning those affected that the breach has compromised their names and social security numbers.

According to DCA spokesman Russ Heimerich, quoted by Capitol Weekly, the breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department. The document also contained the salaries and titles of everyone on the list, but Heimerich pointed out these additional details were public information.

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document. He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

6,500 CNET Networks Employees Exposed in Data Theft

Over 6,500 CNET Networks employees and relatives will soon receive notifications of a possible data breach as CNET has recently discovered the theft of computer systems from the offices used by the company to administer its benefit plans.

The information was handled by Colt Express Outsourcing Services in its Walnut Creek, California offices, where the burglars broke in. According to PC World’s coverage of the story, CNET was not the only company affected by the theft. While it’s not really clear which other companies were exposed to the data theft, Colt Express’ other customers include companies such as BroadVision, JDS Uniphase and 24 Hour Fitness.

The stolen equipment “contains the human resources data of several of their clients including CNET networks,” CNET Senior Vice President of Human Resources Jose Martin said in a June letter notifying employees of the incident.

The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET’s health insurance plans.