A data breach affecting 1.8 million customers of two New York utilities companies has recently been made public by the  New York State Public Service Commission. The investigation into this data breach was initiated after an employee from a third party IT company contracted by New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) was given unauthorized access to the company’s databases.

It is not clear if accessing the customer databases had any malicious intent, both affected companies claiming there was no proof of any data having been misused as a consequence of the breach. But, to stay on the safe side, they have decided to send out notifications regarding the data access, as it exposed Social Security Numbers, dates of birth and financial account information, as shown in the official press release sent out by the NY Commission.

“This investigation will seek a complete understanding of the root causes for this security breach, and the measures in place to protect against such a breach,” said the Commission’s Chairman Garry Brown.

NYSEG and RG&E have  also partnered with credit service group Experian to offer free credit card monitoring to the 1.8 million customers affected by the data breach. They also promised their full cooperation to forensics experts and law enforcement.

According to datalossdb.org, a site belonging to the Open Security Foundation, that publishes the latest news regarding data loss and data breaches, the month of 2011 with the largest number of such incidents was June, when 90 cases were recorded.

The causes of these incidents were very diverse: from the ever-present theft of computers, laptops or hard drives and other portable devices, to fraud, hacking attacks, personal information disclosed on websites, viruses, documents thrown in the dustbin, etc.

The most significant breach from June was the one produced at Sony Pictures, when the LulzSec hackers have accessed one million records of Sony clients in Belgium and the Netherlands.

According to the PlayStation blog, the 70 million users of Qriocity and PlayStation Network may have had their personal information compromised due to a successful hacker attack. Also the network has been shut down since April 20th and users have been unable to download content or play online.

The hacker attack resulted in personal information such as names, home addresses, e-mail addresses, birth dates and passwords being compromised, but the damage to credit card information has not yet been assessed.

“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” said Sony Computer Entertainment and Sony Network Entertainment, which manage the two services, in a joint statement.

It is however certain that although purchasing histories, answers to security questions, card expiration dates and billing addresses could have been stolen, the credit card security codes were kept safe.

Sony strongly advises its customers to place fraud alerts with their credit bureaus and periodically check their credit card statements.

As to the exact number of compromised accounts, the company refuses to comment, this general attitude raising spirits and angering users.

“You waited a WEEK to tell us our (personal) information was compromised?” one PlayStation user wrote on a Sony blog. “That should have been said last Thursday” — the day when Sony first acknowledged the issue.

Apparently, the intrusion occurred between 17 and 19’th of April. On April 20, PlayStation and Qriocity networks have been shut down and continue to remain so until further notice, but according to some reports, the PS network my be down for another week.

US identity fraud losses went down last year by 28%, with the total number of 2010 victims going from 11 million a year before to 8.1 million. The estimated amounts also went down from $56 billion in 2009 to $37 billion in 2010, according to an annual study by Javelin Strategy & Research. These figures appear to be the lowest in the last 8 years.

The average loss per victim went down from $5,000 in 2009 to $4,600 in 2010, the drop being directly linked with the decrease in identity fraud, according to Javelin. Research data also shows 26 million records have been exposed in 404 reported breaches during 2010, compared to 221 million records in 604 breaches during 2009.

Improved consumer awareness of ID fraud risks, stringent checks by lenders to “authenticate users and determine credit risk” as well as and the use of account monitoring tools are also credited in this decline.

“Economic conditions also appear to have contributed to this year-over-year decline, as well as increased security measures and some significant law enforcement successes,” said James Van Dyke, president and founder of Javelin Strategy & Research.

New account fraud, meaning accounts opened without the knowledge of the actual owner, was the biggest single source of fraud with $17 billion lost last year. Existing card fraud has also declined by 38 per cent from $23 billion in 2009 to $14 billion in 2010.

One of the very few categories to see an increase of 7% is fraud perpetrated by people known to victims, such as a relative or roommate.

According to Javelin report, the amount of fraud in retail environments is inversely proportional to the value of sales, a non-intuitive finding that means the fraud decreases as sales increase.

The latest annual statistics from the UK’s National Fraud Authority show that more than £38bn have been lost over the last 12 months due to fraud. This amounts to an increase of more than 25%.The public sector (£21.2bn) reported the biggest part of the loss, while the private sector cost the government only £12bn, with another £4bn in losses from fraud against individuals.

According to the NFA the increase was to be expected, at least in part, due to improved reporting procedures. The figures include estimates for procurement (£2.4bn) and grant fraud (£515m) for the first time.

In the financial services industry £3.6bn in fraudulent losses have been recorded last year. The highest figure in the private sector was £3.8bn and represented a slight decrease from 2009. Losses attributed to plastic card (£440m) and cheque fraud (£30m) have also increased by up to 14%, reaching £60m. Insurance fraud (£2.1bn) and mortgage fraud (£1bn) both remain high.

According to Gavin Cunningham, director in the specialist forensic fraud investigation firm, BTG Global Risk Partners, fraudulent losses are only likely to rise in the future.

“These figures make grim reading for both private and public sector business leaders alike and reflect the significant financial impact of fraud in the UK,” Cunningham said. “With the UK still struggling to recover from the recession and some uncertainty as to what the future may hold, there is unlikely to be a reduction in fraud in the short term; historically, there is evidence that fraud increases as a recession ends, in part because businesses uncover fraudulent actions as the effects start to build up and in part because there is more scrutiny of hidden and unknown costs in tougher times.”

Four women living in the Waco area have been charged and arrested as a result of their conspiracy to commit identity theft. They have developed a scheme scheme involving stolen Fingerprint Applicant Services of Texas (FAST) applications required by licensing and certification entities such as the Texas Education Agency.

A seven count federal grand jury indictment, that was unsealed yesterday afternoon, charges 32-year-old Angela Cuellar, 38-year-old Yolanda Ramos, 33-year-old Diane Rivera and 29-year-old Christine Elifritz with one count of conspiracy to commit identity theft. Angela Cuellar has also been charged with six substantive aggravated identity theft counts while Elifritz and Ramos, with only one aggravated identity theft count.

The indictment alleges that while being employed as a Live Scan Operator by Integrated Biometrics Technology (IBT), between March 10, 2008, and July 27, 2008, Angela Cuellar has used her position to gain access to the earlier mentioned applications, which included personal information such as social security numbers and dates of birth.

When leaving IBT, Cuellar stole thousands of background check applications she had processed, in a direct violation of company policy that required her to destroy them. The indictment also alleges that the women used the stolen information to fraudulently obtain credit and other financial services across the USA.

The 4 defendants remain in federal custody until the pending hearing scheduled on December 21, 2010. If convicted on the conspiracy charge, each defendant faces up to 15 years in federal prison. Each aggravated identity theft charge adds a two-year federal prison term for Cuellar, Elifritz and Ramos.

Employee perpetrated fraud has lost the average company about 5% of it’s revenue in the year 2009, the stealing of company sources representing up to 90% percent of the incidents. Employees tend to be tempted by privileged access to data and commit fraud. According to a report published by the Association of Certified Fraud Examiners (ACFE) this type of fraud is the most damaging, causing a loss over $4 million.

“They have a high level of access, which gives them a greater opportunity to commit fraud,” Ben Knieff, director of product marketing for fraud products at Actimize said.

In order to prevent such fraud there are a few proactive steps a company can take:

Limiting Access To Critical Data – as data is difficult to contain, companies should keep employees under constant surveillance; access to critical data should be limited to a number of authorized employees.

According to Shane Sims, director at PricewaterhouseCoopers’ forensic practice, even if companies cannot successfully control the movement of data inside their networks, knowing which employees access the most important data can be enough to prevent the most significant potential frauds.

Using the inside advantage – when it comes to fraud, insiders have an advantage as they know the network and corporate policies; however, companies can also collect a great deal of information that would not be available outside the network, in the case of external perpetrators.

Employee tapping – by training their employees, companies can benefit from having them detect malicious behavior of other employees.

According to an ACFE report, 40% of insider fraud cases are flagged by a third party, and half of these tips are made by an employee. According to the same report, 43% of the perpetrators are living beyond their means, and more than 30% have financial problems.

In a new incident proving – as if more evidence was needed – that one of the biggest data security threats comes from the inside, an administrative tech of the Texas Child Protective Services in Houston decided to steal data on potential foster care and adoptive parents and use it to apply for credit cards. Together with an outside accomplice, they had used the stolen information to apply for said credit cards at various stores.

Luckily enough, the credit card issuers noticed some discrepancy in the way formed were filled out and the two were discovered and arrested after stealing data on only 70 individuals. The two accomplices charged with fraudulent possession of identifying information could face up to 10 years in prison and a 10,000 US dollar fine. Not quite worth it for some extra stolen cash that probably never came through.

As of now it is unclear if any of their identity theft attempts was successful. We do hope they have failed miserably.

If a company, bank of hospital handling your private details has suffered a data breach, you are four times more likely to have your identity stolen. So if you have received a notification letting you know your data has been exposed, you should acknowledge the greater risk for ID theft or fraud, says a recent study by Javelin Research and quoted by DarkReading.

This new report comes to completely contradict breached companies breached who commonly state they have no indication that the compromised data has been used by criminals.

“During each of the past three years, an average of 11 percent of consumers received a breach notification,” Javelin said. “Slightly more than 33 percent of breach victims experienced exposure of their Social Security numbers, and 15 percent of breach victims had their ATM PINs compromised. [But] despite 19.5 percent of breach victims suffering some kind of fraud in the past year, only 2 percent attribute their fraud to the breach.”

Buying second hand PCs might be quite an adventure. Especially if they contain sensitive information that could blow one’s mind out, as it happened for a group of researchers from the University of Glamorgan in Scotland. According to a DarkReading article, the researchers found their used hard drives to contain details of test-launch procedures for a U.S. defense missile.

The researchers have included these findings in the results of a a five-year study that aimed to show the dangers of poor hard drive and device data-wiping and disposal practices. Acording to this years’ results, which are not yet final, the research also led them to sensitive data from Ford Motor, Laura Ashley, and other businesses.

This year, the researchers found personal or sensitive data on 34 percent of 300 hard disks bought randomly at computer fairs and online auctions in the U.K., U.S., Germany, France, and Australia. The information was enough to expose individuals and firms to fraud and identity theft, they said.

So if someone indulged in the idea of starting a fraud or theft based scam, all they needed is to start buying used computer parts. It’s easy and far less dangerous than actually atemtping to steal the data directly from the businesses currently using them.