A security breach exposing the data of over 1,200 patients has recently been disclosed by the University of Miami. The Miller School of Medicine patient data was stolen back in November 2011, together with a flash drive, when someone broke into a pathologist’s car and took the briefcase where the portable device was stored.

The flash drive contained details such as age, sex, diagnosis and treatment information for patients treated from 2005 to 2011, the University of Miami disclosed in a press release. No financial information or Social Security numbers had been stored on the drive, according to the same press release.

Following federal law, UM is informing the patients involved, according to the press release, but “there is no indication that the information was accessed or misused in any way.”

The university promised to review and revise its physical and digital security policies to make sure patient data is safely stored and privacy is ensured. However, this is not the first incident they have had to deal with. Back in 2008, computer tapes with confidential information on 2.1 million patients was taken by a thief from a van transporting them. So when it comes to patient data kept in cars, the University of Miami has not changed anything in the past three years, but we can hope they will do better than empty promises next time.

Till the next data breach, we can surely hope so!

The Kansas Department on Aging has recently reported a hardware theft that caused a data breach affecting about 7,000 of its customers. A laptop, a flash drive and paper files were stolen out of an employee’s vehicle, putting thousands of senior customers at risk.

The stolen files contained personal and protected health information belonging mainly to customers located in Sedgwick, Harvey, and Butler counties. The theft was immediately reported to the Wichita Police Department. The Kansas Department on Aging says it is cooperating with the police, but the stolen hardware has not yet been recovered.

Fortunately, there is no evidence to indicate that the information has been accessed and misused. The stolen data and documents may include full customer names, complete addresses, dates of birth, social security numbers, gender, in home services program participation information, Medicaid identification numbers, case management location and case manager names and telephone numbers.  No banking, credit card, or driver license information was stored on the stolen devices.

The Kansas Department of Aging has confirmed that at least 100 customers have had their Social Security Numbers stolen and trying to inform those affected through phone calls. They will further notify everyone affected by the breach through letters explaining the situation.

“We are immediately reviewing policies and procedures relevant to information security, especially for those employees whose duties require travel off-site to prevent a similar situation from recurring,” stated Secretary Shawn Sullivan of the Department on Aging.

The Department of Aging also advised their customers to contact their banks and credit card companies and let them know they are victims of a data theft, prompting them to keep an eye on any suspicious activity in the following months.

A data breach affecting 1.8 million customers of two New York utilities companies has recently been made public by the  New York State Public Service Commission. The investigation into this data breach was initiated after an employee from a third party IT company contracted by New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) was given unauthorized access to the company’s databases.

It is not clear if accessing the customer databases had any malicious intent, both affected companies claiming there was no proof of any data having been misused as a consequence of the breach. But, to stay on the safe side, they have decided to send out notifications regarding the data access, as it exposed Social Security Numbers, dates of birth and financial account information, as shown in the official press release sent out by the NY Commission.

“This investigation will seek a complete understanding of the root causes for this security breach, and the measures in place to protect against such a breach,” said the Commission’s Chairman Garry Brown.

NYSEG and RG&E have  also partnered with credit service group Experian to offer free credit card monitoring to the 1.8 million customers affected by the data breach. They also promised their full cooperation to forensics experts and law enforcement.

The biggest challenge of securing modern IT infrastructures is to protect networks that mix different platforms and operating systems. CoSoSys has always considered this challenge when releasing a new version of their endpoint security and data loss prevention solutions, making them available for Windows, Mac and Linux. The same holds true for the freshly released EasyLock version 2, the software developer’s portable data protection solution.

This enhanced new version offers full support for cross-platform data encryption between Windows, Mac OS X and Linux openSUSE and Ubuntu. EasyLock 2 comes with military-grade protection for data stored on USB flash drives and other portable storage devices through its 256bit AES encryption. It also allows cross platform mobility by enabling users to protect their files when in transit and to easily access them on different operating systems. 

To make things simpler, everything is handled through an easy to use, intuitive interface. As the company CEO, Roman Foeckl explained, the main goal of this new version is to take a task that’s usually perceived as complicated and time consuming, data encryption, and turn it into a natural, seamless process. A big step into keeping confidential data safe is to integrate security policies into daily activities without burdening business or home users, and that’s exactly what EasyLock achieved with this new version.

The portable data encryption solution targets both home users that want to encrypt their private files, pictures or other personal information on a USB Flash Drive or external HDD and move them between a Windows PC in the office and a Mac at home, and  business users that need to ensure the privacy and protection of company and client confidential data.

EasyLock 2 can further enhance corporate data security when used with CoSoSys’  device control and data loss prevention solution Endpoint Protector, as it provides enforced encryption of data moved between endpoints of the corporate network. If you want to test it before you buy, EasyLock2 is available as a 30 day free trial at http://www.EndpointProtector.com.

When you are the lead artist of a security mishaps that ended up in a data breach affecting some 24 million people, consequences are bound to catch up with you. And they just have caught up with shoe retailer Zappos.com and the bigger online fish behind them, Amazon.com. The two companies are being sued by the customers affected by the data breach, being accused of negligence.

A woman from Texas seems to be the main promoter in this Kentucky lawsuit. She claims that she and millions of other customers were harmed by the exposure of their personal account information. Zappos and Amazon have not commented on the lawsuit as of earlier today. 

The Zappos data breach was made public on Sunday when the company emailed employees and customers to let them know that names, phone numbers and email addresses of customers might have been accessed in a hacker attack.  The same statement reassured them that credit card and payment information had not been stolen. Zappos also advised its customers to reset account passwords on their site and any other sites where similar passwords were being used.

The attorneys of the Texas woman are seeking class-action status on behalf of the 24 million affected customers, claiming the security breach was actually a violation of the federal Fair Credit Reporting Act. The sum the lawsuit seeks has not been specified, but it is in the range of millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy. It also seeks to have Zappos court-ordered to pay for credit monitoring and identity theft insurance, plus periodic audits, for all those affected by the data breach.

Security professionals fear cyber-attacks and warn ab0ut them every chance they get. Countries all over the world are trying to put up the best cyber defenses technology advancements can buy, but it does take a well established institution in the field of global economy to actually make us all tremble and finally believe cyber attacks pose a great threat to global stability.

The World Economic Forum’s (WEF) Global Risks for 2012 report places cyber-attacks against governments and businesses among the top five risks in the world to global stability, in terms of likelihood. Cyber-attacks come right after income disparity, fiscal imbalances, and the rising greenhouse gas emissions, shows the report released in WEF’s annual conference held in Davos, Switzerland. 

The report put together by the WEF’s Risk Response Network is based on assessments of the tech industry which pointed out cyber-attacks as the biggest threat of all, as they can lead to devastating malfunctions in power plants, water supplies and other critical systems. The likelihood of such a globally debilitating attack is still up for debate, and other economic threats to global stability, such as income disparity, are far more pressing. WEF however believes we are not even close to understanding the risks posed to and handled by internet security.

Steve Wilson, chief risk officer for general insurance at Zurich and a member of the project, said:  ”We don’t even really understand the risks yet.”

The old-news threat to tech experts is now becoming an issue making its way into all the political agendas that matter. The the report calls “urgently” for new mechanisms to get private investment into exploring system vulnerabilities. It also pointed out how information about cyber-attacks and cybercrime is hard to get to in an objective fashion:

Research into cyber threats against governments and the private sector has largely been funded by those who are in the business of selling internet security solutions – a potential bias that causes scepticism. Academic and policy papers are based largely on anecdotal case studies.

Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organisations to get a clear picture of the true levels of the risk and needs for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market.

The full report is available online here.

The Ramnit worm, first discovered a year and a half ago, a malware that used to target online banking and FTP credentials, makes victims among UK and French Facebook users.

A new version of the worm managed to steal more than 45000 Facebook usernames and passwords and tried to attack the e-mail accounts and virtual private networks of affected persons. The worm has sent malicious links to victims’ friends, links that downloaded malware to the person’s computer, which helped spread the worm even faster.

It seems like the attackers are adapting to market tendencies, targeting social networks rather than traditional communication means (such as email).

For more details, you can read the techweekeurope.co.uk report.

The US Department of Taxation (DOTAX) decided to take a closer look at how their systems work this year. The process of evaluation included a security audit which lead to discovering internal security breaches dating back to 2008. DOTAX celebrated the three years of undiscovered breaches by putting employees of the Hawaii DOTAX on administrative leave without pay and starting a comprehensive investigation.

The breaches affected the Department’s computer tax database but no one knows when they occurred, it is suspected they happened at least as far back as 2008.The discovered incidents were immediately turned over to the Department of the Attorney General for review and investigation.

“Protecting the integrity of tax records is a serious matter,” said Fred Pablo, the state tax director, in a written statement. “The possibility of wrongful actions are extremely disturbing, which is why these matters were immediately reported to the Attorney General.”

Other than announcing some of their staff were put on administrative leave, DOTAX did not release any other details on the investigation, stating they would only do so after it had been completed.  We look forward to that moment to know how many people have been affected and what kind of protection they will receive.

Based on the many stories about data breaches reported by organizations in the healthcare industry, from hospitals to insurance companies and other third-party companies that deal with healthcare data, we could have guessed this is not even close to being a top sector when it comes to data security. A new report released by the Ponemon Institute now brings even further insight into the state of the healthcare industry, showing a spike in data breaches of over 30% and average annual costs of 6.5 billion US dollars.

The “2011 Benchmark Study on Patient Privacy and Data Security,” commissioned by IDExperts, idendified employee error to be one of the main cause for data breaches in hospitals and healthcare providers. These types of organizations in the healthcare industry suffered an average of four data breaches in the past year. Nearly 30 percent of healthcare companies said the breaches they suffered resulted in medical identity theft – an over 25 percent increase over 2010.

The jump is not entirely determined by a larger number of breaches happening in the past year compared to the previous one. It’s actually the effect of better detection capabilities by healthcare organizations, according to Larry Ponemon, chairman and founder of the Ponemon Institute.

“It was not too surprising that the rate of data loss increased … [But] we think that finding may not be as negative as it appears, and could be a discovery-rate increase with more control and governance practices and use of enabling technologies.”

The strong increase of mobile device usage in the healthcare segment is also a high-impact factor. About 80% use such devices to gather, transmit and store patient data, and a troubling 50% don’t secure their mobile devices. The help they provide in patient care is overshadowed by the major risks to data security the patients are exposed to.

Nearly half of the healthcare industry breached were caused by stolen or lost computing or data devices and another 46% were caused by errors by third-party providers. Moreover, the healthcare organizations are just unaware of where patient data is stored – 61% don’t really know where all their patient data is kept. If that’s not enough, over half of them aren’t sure they actually can detect incidents where patient data is exposed.

Hospitals don’t lack written policies when it comes to data breach reporting – about 80% have them. Too bad about 60% consider them ineffective.

A full copy of the report is available here for download.

Only 55 of the data loss breaches have actually been reported

If you can’t stop data breaches, at least cover them up! This seems to be the data security code British authorities go by. Too bad for them there is something called Freedom of Information Act requests… A new report issued by privacy campaign group Big Brother Watch showed that councils across the UK experienced over a thousand data loss cases over a three year period – August 2008 to August 2011.

To get the information, the group sent 433 FOIs to local authorities and councils across the Great Britain and showed s shocking discrepancy between the reported 50 something incidents and the harsh reality. Not only did BBW uncover the data mishandling cases, they also requested information on what happened to the employees of said councils – if they had been disciplined, fired or prosecuted over the data breaches -, and inquired about the council’s response to each incident. 

According to the 395 replies received,

“We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care,” said BBW in a statement accompanying its report (PDF). ”Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.”

Only 55 of the incidents were subsequently reported to the Information Commissioner’s Office, which handles data loss complaints. In only 9 cases, those involved in the data breach were fired.

“I welcome this research by Big Brother Watch,” local government minister Grant Shapps told the data protection advocates. ”This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”

For a list of some of the most important data incidents included in the report, read the story published by the Register.