A data breach affecting 1.8 million customers of two New York utilities companies has recently been made public by the  New York State Public Service Commission. The investigation into this data breach was initiated after an employee from a third party IT company contracted by New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) was given unauthorized access to the company’s databases.

It is not clear if accessing the customer databases had any malicious intent, both affected companies claiming there was no proof of any data having been misused as a consequence of the breach. But, to stay on the safe side, they have decided to send out notifications regarding the data access, as it exposed Social Security Numbers, dates of birth and financial account information, as shown in the official press release sent out by the NY Commission.

“This investigation will seek a complete understanding of the root causes for this security breach, and the measures in place to protect against such a breach,” said the Commission’s Chairman Garry Brown.

NYSEG and RG&E have  also partnered with credit service group Experian to offer free credit card monitoring to the 1.8 million customers affected by the data breach. They also promised their full cooperation to forensics experts and law enforcement.

A formal undertaking was signed by the Scottish Court Service, after the Information Commissioner’s Office (ICO) reveiled that sensitive court documents were accidentally disposed of at a Glasgow recycling bank.

This breach was brought to ICO’s attention when a Scottish newspaper published details of the files containing appeal documents in September 2010. The documents in question have been lost by the editor of a series of law reports and the court service has failed to specify the procedure of keeping the documents safe.

“People involved in court cases should be able to feel confident that their personal and sensitive information is going to be kept secure and not taken outside the courtroom,” said Ken Macdonald, ICO assistant commissioner for Scotland. “Had any of the papers in this case fallen into the wrong hands, the privacy of the individuals concerned might have been threatened.”

All The Scottish Court Service staff has been required to be aware of the policy of the storage, use and disclosure or sharing of personal data procedures. A Memorandum of Understanding with the court service mus be signed by all those involved in data sharing.

The Department of Defense seems to have quite some trouble handling threats in his own backyard. One of their officials with top-secret security clearance, as it happens, has allegedly been leaking classified department data and documents to an official working for the Chinese government.

According to a Department of Justice announcement quoted by Dark Reading,  James Wilbur Fondren Jr., deputy director for the U.S. Pacific Command (PACOM) Washington Liaison Office, has been charged with espionage conspiracy for providing classified information to an agent of a foreign government. Fondren is believed to have sold information to a Taiwanese-American man. The information was subsequently sold to a Chinese government official, but apparently Fondren was unaware of this secon sale.

How was the leak possible? Poor security: Fondren had both a classified DoD computer and an unclassified one on his desk. One would expect a little less trust in high level clearance staff. It’s espionage we’re talking about!

Fondren, 62, allegedly funneled the data to Tai Shen Kuo, who was one of his consulting clients, between November 2004 to Feb. 11, 2008, according to the affidavit. Kuo purchased reports from Fondren for anywhere between $350 to $800, eight of which included classified information. Among the classified data Fondren supplied Kuo was information about a joint U.S.-China naval exercise, U.S.-China military meetings, and a DoD draft report on China.

In his turn, Kuo got around 50,000 US dollars for certain documents he obtained from Fondren and other DoD officials. I wonder who the other officials are. Will they be charged soon?

Over 30 reports of data theft filed since January 2009 have lead investigators to a potential leak at Johns Hopkins Hospital. One of their employees is believed to have used her credentials to access and then leak data on more than 10,000 patients while working at the hospital. Law enforcement agencies also suspect that the thefts might be related to a fraudulent driver’s license scheme discovered in Virginia.

According to Dark Reading, Johns Hopkins representatives stressed the fact that the data leak was not a hacking incident, but that the suspected employee had access to the breached records as part of her job. They also stated the records contain no medical data, but do contain other sensitive details, such as Social Security numbers and addresses. As the Dark Reading article further explained, the hospital took comprehensive measures to balance the loss of data:

Johns Hopkins is offering credit monitoring and fraud resolution services, as well as $30,000 in identity theft reimbursements, to the 31 victims, as well as to any of the 526 Virginia residents in the database who report fraud. It also is notifying the other 10,000 patients whose records were in the database.

The British National Party (BNP) members’ list was posted online in mid November, causing quite a hassle for those exposed, especially since some of them were required by their job descriptions to have no political affiliation.

Apparently, a Nottinghamsire pair is responsible for the leak and they are currently in the custody of the Welsh. A Register article quoting the Guardian stated the police said the pair were held in connection with alleged offenses under the UK Data Protection Act.

“We can confirm that last night Nottinghamshire police arrested two people as part of a joint investigation with Dyfed Powys police and the information commissioner’s office in conjunction with alleged criminal offences under the Data Protection Act,” a Dyfed Powys police spokesman told The Guardian.

The investigation was lead by the Welsh police in collaboration with the information commissioner’s office. What I would like to know now is if those who were about to lose their jobs because of this data breach will actually be fired. Or will it all be let to rest?

If you are British and have been plotting to stalk a member of the British National Party (BNP) you might just have missed the opportunity. A list with all the party’s members, including names, addresses, and email addresses has recently shown up online. Some of those who just got exposed online are also underage (an extra “benefit” of the family plan BNP offers) and others had mentions of other personal details made public, such as job or hobbies.

As the Register puts it, “That’s how we know that that BNP members include receptionists, district nurses, amateur historians, pagans, line dancers and a male witch.” Members reacted pretty strongly, filing their comments with courses and outrage. As certain professions in the UK are expected to have no political color, they might even lose their job and according to several blog sources, some pretty powerful people in the BNP are to blame for the leak.

BNP spokespersons found out of the leak from the Register, but although completely unaware, they promised to treat whoever is responsible quite harshly!