In a new incident proving – as if more evidence was needed – that one of the biggest data security threats comes from the inside, an administrative tech of the Texas Child Protective Services in Houston decided to steal data on potential foster care and adoptive parents and use it to apply for credit cards. Together with an outside accomplice, they had used the stolen information to apply for said credit cards at various stores.

Luckily enough, the credit card issuers noticed some discrepancy in the way formed were filled out and the two were discovered and arrested after stealing data on only 70 individuals. The two accomplices charged with fraudulent possession of identifying information could face up to 10 years in prison and a 10,000 US dollar fine. Not quite worth it for some extra stolen cash that probably never came through.

As of now it is unclear if any of their identity theft attempts was successful. We do hope they have failed miserably.

If a company, bank of hospital handling your private details has suffered a data breach, you are four times more likely to have your identity stolen. So if you have received a notification letting you know your data has been exposed, you should acknowledge the greater risk for ID theft or fraud, says a recent study by Javelin Research and quoted by DarkReading.

This new report comes to completely contradict breached companies breached who commonly state they have no indication that the compromised data has been used by criminals.

“During each of the past three years, an average of 11 percent of consumers received a breach notification,” Javelin said. “Slightly more than 33 percent of breach victims experienced exposure of their Social Security numbers, and 15 percent of breach victims had their ATM PINs compromised. [But] despite 19.5 percent of breach victims suffering some kind of fraud in the past year, only 2 percent attribute their fraud to the breach.”

Buying second hand PCs might be quite an adventure. Especially if they contain sensitive information that could blow one’s mind out, as it happened for a group of researchers from the University of Glamorgan in Scotland. According to a DarkReading article, the researchers found their used hard drives to contain details of test-launch procedures for a U.S. defense missile.

The researchers have included these findings in the results of a a five-year study that aimed to show the dangers of poor hard drive and device data-wiping and disposal practices. Acording to this years’ results, which are not yet final, the research also led them to sensitive data from Ford Motor, Laura Ashley, and other businesses.

This year, the researchers found personal or sensitive data on 34 percent of 300 hard disks bought randomly at computer fairs and online auctions in the U.K., U.S., Germany, France, and Australia. The information was enough to expose individuals and firms to fraud and identity theft, they said.

So if someone indulged in the idea of starting a fraud or theft based scam, all they needed is to start buying used computer parts. It’s easy and far less dangerous than actually atemtping to steal the data directly from the businesses currently using them.

As you’ve probably seen on this blog, there are news about security breaches, people who’ve been affected by identity theft and fraud, billions of dollars in losses every single day. More a day in really bad cases. Although there’s a ton of information out there, individuals and companies still fail at protecting themselves against such breaches and at keeping their private data safe.

CoSoSys, leading developer of endpoint security and data loss prevention solutions, has chosen a different approach to raise awareness about the risks we face everyday: humor, namely a series of comic strips showing what can really happen. As CNET puts it, they put the fun back in security threats.

The first comic, originally published on CoSoSys’ EndpointProtector.com site shows how easy it is for an employee to copy your entire data base and take it to your main competitor. A simple thumb drive, three minutes left alone in the office, and that’s it!

But as fun and laughing are not the only goals of the strip, each of them also helps you find out what to do and how you do it. Designed to promote the company’s most popular DLP, endpoint security and device management solution, Endpoint Protector, each issue will show how everything can be prevented.

“Recent research performed in both the US and the UK shows a troubling trend: data breaches are rising in numbers and in costs as well. Millions of people have their data exposed to identity theft or fraud each year and few of those affected or those responsible of the incidents know that most of these instances could easily be prevented. Making sure that your private records and all endpoints in your network are secured is not a difficult task. That is why we are committed to put our best efforts into raising awareness and educating the public about staying safe without making any lifestyle compromises”, explained Roman Foeckl, CoSoSys CEO.

The next issues of the strip will be published each Thursday for the next 7 weeks. You can see them here or register to get them on your email. Easier if you asked me, as remembering to visit a link every week is not something I usually do.

A recent breach reported by the Federal Aviation Administration has exposed the private data of about 45,000 employees, as a result of a hack in one of the FAA computer systems. The FAA has released a warning notice, quoted in Dark Reading, stating that employee personal identity information has been stolen during the illegal access. Those affected by this security breach will also receive individual letter, letting them know their data is stolen and probably used in fraud or identity theft attempts.

“Two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA’s rolls as of the first week of February 2006,”  states the notice. “The server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the FAA has no indication those systems have been compromised in any way.”

The FAA also stated it has learned its lesson and taken the necessary steps to prevent future incidents of the sort. They are also taking long term measures to protect personal information. As for those who have been affected by this very real breack, there’s a a toll-free number and some details on the employee site.

We’ve all come to refer to the TJX data breach as the largest one in history, with an estimated 45.7 million credit card accounts exposed through a brech in the discount retaler’s wireless network. Some even place the number of affected acounts in the vicinity 94 million. Whichever the real number is, it is huge, scary and as it has happened over a significant period of time, it got plenty of coverage.

In the recovery process, they had to pay 40.9 million dollars to settle a lawsuit, but according to the Register TJX had created a 118 million fund to pay for breach-related damages in August 2007. 11 people were charged in relation with the data theft and some trials are still ongoing. The retailer has made an attempt to close this dark chapter for good by offering one-day 15 percent discounts in all its US and Canadian stores, as a token of their appreciation for the customers “for retaining their loyalty after it did such a bad job of retaining their records”.

Nice strategy to reward customers, build trust and boost sales at the same time! But I believe they need to implement all the cutting edge security toys in the market and make every new added layer of protection public to ease the minds of those affected.

Fashionably late, as the who’s who laws require, electronic payment services firm RBS WorldPay has admitted a breach that exposed 1.5 million payroll and gift card holders exposed to fraud and identity theft. The breach was caused by a group of hackers finding their way to the RBS network and accessing about 1.1 million social security records, along with other private details, reports The Register.

RBS disclosed the breach to law enforcement and regulators on November 10, but waited untill December 23rd to also let those affected know their private data was at risk. Great Christmas gift idea! Yet the company pledges strong commitment to prevent any fraud or identity theft attempts and  offers 12 months complimentary membership to a credit monitoring service toall those whose personal information has been exposed by the hackers. Does this mean they will also take a good look at everything going on in their customer’s accounts between November 10 and December 23? 100 payroll cards have already been misused as a result of the breach, but have been deactivated since. We hope the toll does not go up.

If you’re thinking to prevent inside threats by hiring consultants from outside your company, think again! They’re drive to make money using others’ identities is a genuine concern. Take Shell Oil for example, who caught one of its IT contractors stealing personal data on its employees from one of the US databases of the company.

After descovering the unnamed employee of a vendor working on said US database used the social security numbers and other info of four employees to file bogus unemployment claims, Shell Oil warned all its former and current personnel they have been exposed to identity theft. More on the ongoing investigation in the Register.

The FBI has arrested 11 people in the case of the largest identity theft and data breach in history that targeted TJX and other companies. The suspects of which three are US citizens are believed to have taken part in the theft of over 40 million credit and debit card accounts from 9 major retailers and restaurants. Stealing that much data was possible after installing malicious software on the systems of TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, Dave & Busters and Boston Market.

Never surpassed in the time it has passed has been covered constantly by the media. The Reigster tells the story of the breach in a recent article: in the beginning of 2007, TJX first reported the a breach by unknown idividuals who had at the time stolen 46.5 million credit cards, number later proved to be twice as high. According to the Register, the fraud have been going on for quite a while when TJX reported it, as a year earlier industry watchers had noticed an unusual increse in debit card fraud at retailers OfficeMax and Sam’s Club.

US Attorney of Massachussets and the US Attorney General had both commented on the issue:

“While technology has made our lives much easier it has also created new vulnerabilities,” Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results.”

“They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves,” US Attorney General Michael Mukasey said in prepared remarks. “And in total, they caused widespread losses by banks, retailers, and consumers.”

Other than having a sophisticated and high end technique of stealing the information, the ring of thieves also had multiple way to turn the theft into profit, either by selling the data to other criminals or by using it to create fake cards and withdraw thousands of dollars at a time.

The eleven arrested individuals are from the United States, Estonia, Ukraine, the People’s Republic of China and Belarus. The FBI is still in pursuit of another member of the group who is only known by his online alias and continues to elude authorities. Let’s hope he’s caught soon enough!

Burglars breaking into the Minneapolis Veterans Home stole a backup computer server containing private records of over 300 residents. The server stored telephone numbers, addresses, next-of-kin details, social security numbers and other private medical details or the 336 residents, according to the statement of an official with the Minnesota Department of Veterans Affairs quoted by StarTribune.com.

It appears the burglars broke into the facility early on a Sunday. According to Gil Acevedo, deputy commissioner for Veterans Health Care, the thieves also took a tool kit, a laptop computer, a guitar and a computer game, and are unlikely to have targeted the private records.

“We don’t suspect the burglars came in looking for that specifically,” he said. “They broke in, kicked in several doors, and took a series of things. There’s no pattern.”

The case is currently investigated by the Minneapolis police together with the Veterans Affairs department. The residents, their families and credit bureaus have all been informed of the data theft in order to prevent subsequent identity theft and fraud attempts.