LifeLock Sued By Customers
LifeLock, vendor of a much contested fraud-prevention service has been sued by three very unhappy customers from three USA states. The customers are upset because they feel LifeLock fails to provide the comprehensive protection it adveritses.
As the Register reports, the lawsuits have been initiated by three customers from Mryland, New Jersey and West Virginia. They are targeted against LifeLock ads, in which CEO Todd Davis says he is so confident in the service that he volunteers his Social Security number.
What isn’t mentioned is that on at least 87 occasions, Davis’s Social Security number has been used in attempts to steal his identity, and at least one of those times, the perpetrator was successful.
“It’s further evidence of the ineffectiveness of the services that LifeLock advertises,” David Paris, an attorney suing on behalf of the dissatisfied customers, told the Associated Press. Davis also told AP reporter Jordan Robertson it’s possible that driver’s licenses have been issued to other people in his name as a result of the widespread availability of his personal information. But he ascribes this possibility to flimsy fraud checks used by most departments of motor vehicles, rather than the ineffectiveness of his service.
Hospitals, a Danger to Your Personal Data
According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006-2007, over 1.5 million patients’ personal information was exposed through hospitals alone, allowing them to be threatened by identity thefts. The survey however does not take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would have meant a significant increase in the total number.
According to Dark Reading, we should keep in mind that these numbers are based on reporter breaches only. About 44 percent of hospitals that experienced a breach in 2007 didn’t inform the patients whose records were affected, as shown in the study.
Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.
This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.
Californian Supermarket Shoppers, Victims of Identity Theft
Over 100 shoppers at a supermarket in Los Gatos, California, became victims of identity theft when their private records have been stolen from their debit and credit cards through the checkout card reader. The thieves from the Lunardi’s grocery store used the stolen PIN numbers and card information to create fake cards which were subsequently use them to shop around.
The supermarket customers have been reporting cases of identity theft to authorities for over a week, and according to Dark Reading have been losing an average of $1,000 from their bank accounts.
“What we have here is more than one person — they’ve been able to get in there (Lunardi’s) and switch out the ATM card reader,” said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. “Once they’ve done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone.”
88,000 Patients Exposed to Identity Theft
Hardware containing personal information on about 88,000 patients of the Staten Island University Hospital has been stolen last year in December.
According to Silive.com, after four months of investigations that have led to no arrest, the hospital administrators are now starting to send letter to patients who are currently exposed to identity theft threats. The stolen desktop computer and the backup hard drive stolen from one of the hospital’s finance offices contained patients’ names, Social Security and health insurance numbers.
“The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,” said a hospital statement released yesterday afternoon by spokeswoman Arleen Ryback. The time frame for when patients whose information was included in the data were treated was not immediately known.
Ms. Ryback said no medical records were included in the files, but wouldn’t speculate why SIUH waited so long to notify people.
Private Information on Iredell County Taxpayers Stolen
The Iredell County Tax Collector’s Office has just informed the public about an information theft that has taken place at the end of April. The incident involved a courier vehicle that provided services for First Citizens Bank which was stolen in Charlotte. The vehicle’s shipment containing included data related to Iredell County tax payments. According to Prime Newswire, Charlotte law enforcement officials are currently investigating the incident, but the contents of the shipment are yet to be recovered.
The stolen shipment contained a computer report of 468 taxpayer’s check information, including account numbers, check numbers, check amounts and routing numbers from various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments.
CoSoSys to Protect SearchAmerica
CoSoSys, the leading provider of End Point Security solutions, has recently announced that SearchAmerica has selected Endpoint Protector 2008 to manage and enforce portable device security policies in their IT environment. The solution SearchAmerica chose is quite new and extremely powerful, and it will protect all company workstations, notebooks and servers against data loss, data theft and other forms of data leakage.
CoSoSys has added a rather important client to its portfolio, as SearchAmerica is the industry leader in financially clearing patients through address verification, prediction of payment and automated charity/Medicaid processing. See more in the official press release.
Gains from Online Fraud Aim for the Sky
According to the latest data released by the FBI’s Internet Crime Complaint Center, damages caused by online fraud have significantly increased, going up by 20 percent.
The report cited by SecurityFocus shows that, while the number of complaints has been a little lower, the reported damage originated from online fraud grew from $198 million in 2006 to $239 million in 2007. FBI’s IC3 online portal where cybercrime complaints are received processed a little under 207,000 such reports last year, just a few less than in 2006. The criminal activity is in no way discriminatory, affecting victims aged from 10 to 100 years old.
“The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become,” James E. Finch, assistant director of the FBI’s Cyber Division, said in a statement. “What this report does not show is how often this type of activity goes unreported.”
While the media reports often on the crime of identity theft, the largest number of people, more than a third, complain about online auction fraud, the IC3 report stated. Other online crimes, such as industrial espionage by other nation states, largely go unreported. Earlier this month, the Council of Europe requested that Internet service providers help battle cybercrime by sharing information about their users.
Thieves Planted Malware on 300 Hannaford Servers
Since it made security magazines’ headlines, the Hannaford data breach that exposed 4.2 million credit card accounts still ranks high in the news. The question on everyone’s mind is how it could all happen. According to the latest article published by The Register on the topic, the thieves behind the breach installed a sophisticated malicious software on over 300 servers in at least 6 states belonging to the Hannaford grocery chain.
What the malware did was to intercept credit card data while customers paid for purchases using plastic and then transmit the information overseas. While Hannaford has disclosed the number of servers on which the malware has been detected, they are yet to disclose how it got there. Security experts are quite puzzled by this incident, as they regard Hannaford as a legal and standard compliant company.
Security experts have been eager to figure out how thieves siphoned the data out of Hannaford Brothers Cos. network because the company is believed to have been following payment card industry (PCI) rules. If the east coast chain’s systems were vulnerable, plenty of other retailers may be open to the same attack, the experts have warned.
Stolen Agilent Laptop with Records of 51,000 Employees
There have been quite a few cases of stolen laptops that contained private records of hundreds, thousands and even hundreds of thousands of individuals. They’re increasing number and in some cases the consequences are a pretty strong argument when it comes to convincing other companies they need to secure their endpoints. But apparently, recognizing the risk and having a contract signed compelling another company to protect your data is not enough. At least it wasn’t in the case of Agilent Technologies.
A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of said company has been recently stolen from the car of an Agilent vendor from San Francisco. According to MercuryNews.com, the theft was announced by Agilent in a letter sent to former employees. The stolen data included employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards.
In the letter, Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - “in violation of the contracted agreement.”
“It wasn’t encrypted, which was a surprise to us,” said Agilent spokeswoman Amy Flores. She said the vendor told Agilent that an East Coast employee had brought the data-laden laptop to California for encryption, but someone broke into her car and stole the computer and her other belongings while the vehicle was parked near Fisherman’s Wharf.
Sensitive Medical Data of 2500 Patients Stolen
Private medical details of over 2,500 patients taking part in a study conducted by the National Institutes of Health have been stolen. The information was stored on a government laptop computer which was stolen in February. The data accounted for seven years of clinical trial, exposing names, medical diagnoses and details on patients’ heart scans. Although governmental policies enforce it, the stolen data was not encrypted.
It took NIH a month to reveal the theft and start notifying the patients whose sensitive records have been lost. According to the Washington Post, the reason behind NIH officials’ hesitation was their concerns they would cause false alarms.
Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), said in a statement issued late Friday that “when volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically.” She said that “we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust.”
NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief named Andrew Arai, who had taken his daughter to a swim meet in Montgomery County. They called it a random theft. Arai oversees the institute’s research program on cardiac magnetic resonance imaging and signed the letters to those whose data was exposed.
Given this recent data theft incident, government agencies should really take the findings of the Government Accountability Office regarding security more seriously and start implementing more effective security policies.
