Breach Revealed after Extortion Threat
Express Scripts, a pharmacy benefits-management firm, has recently revealed a data theft that took place in early October. The company went public after the thieves threatened to release the stolen data unless a certain sum of money was paid.
The threat came in a letter from the thieves, who claimed they had breached Express Scripts' network security and obtained millions of customer records. According to SecurityFocus, the letter listed personal details on 75 Express Scripts members, including their names, dates of birth, social security numbers and, in some cases, their prescription information. Although it has only recently been made public, the data theft had already been reported by Express Scripts to the FBI, which is currently running a full investigation into the incident.
The company is also notifying all those affected by the breach so that they can take the necessary precautions against identity theft. SecurityFocus has not disclosed the sum of money demanded by the thieves.
Caught in the Act: IT Contractor Stole Shell Oil Employee Data
If you think you can prevent insider threats by hiring consultants from outside your company, think again! Their drive to make money using other people's identities is a genuine concern. Take Shell Oil, which caught one of its IT contractors stealing personal data on its employees from one of the company's US databases.
After discovering that the unnamed vendor employee working on that US database had used the social security numbers and other details of four employees to file bogus unemployment claims, Shell Oil warned all its current and former personnel that they may have been exposed to identity theft. More on the ongoing investigation in the Register.
Gambling Site Ex-Employee Responsible for 150 ID Thefts
Speaking of insider threats: while they may have fun stealing from customers, damaging their employers' credibility and making them lose money, some of them do get caught. This happened to a former employee of an internet-based gambling website, who has recently pleaded guilty to stealing the identities of 150 of the site's customers.
According to the Register, Canadian Patrick Kalonji stole the victims' names, birth dates, addresses, mothers' maiden names, social security numbers and other personal details between July 2002 and August 2004 while working for BetOnSports.com. Using two Yahoo personal email accounts, he shared the information with others, who used it to book nothing less than round-trip plane tickets from Nigeria to New York!
Wonder if They Sell Private Records on eBay…
Wonder no more: they do! You can buy hardware containing the private details of strangers on eBay. Just a short while ago an IT manager paid 35 pounds for a computer hard disk containing one million sets of bank details.
The disk held details of customers of American Express, NatWest and the Royal Bank of Scotland, as reported by The Register. Andrew Chapman, the man who paid the money, would have had everything he needed for identity theft: names, addresses, sort codes, account numbers, credit card numbers, mobile phone numbers, mothers' maiden names and scans of signatures.
The second-hand computer the hard drive came from had belonged to Graphic Data. The archiving firm also appears to be missing a second computer holding the same type of information.
Insider Compromises 2 million Private Records
If you are acquainted with endpoint security solutions and the threats they try to prevent, you have definitely heard of the insider threat. It refers to employees who breach security systems and compromise confidential data. Whether criminal intent or ignorance drives them, the effects on the company are the same: loss of money, trust and customers, plus quite a lot of hassle, all eventually leading to losing even more money.
There are dozens of examples, and such breaches keep happening. The latest has recently been reported by Countrywide Financial Corp. The FBI has just arrested one of its employees and an accomplice for stealing and subsequently selling private records on the company's customers.
The breach is thought to have started three years ago. The employee copied batches of 2,000 records containing sensitive details, such as social security numbers, and sold them to competitors. Investigators estimate the total number of affected customers at around 2 million. For more on how it all happened, see the LA Times.
In this case the employee is thought to have acted knowingly, yet he exploited a gap in the company's security. Had the company monitored all the computers on its premises and blocked unauthorized data transfers to portable devices, the breach could have been prevented.
The insider threat is real and can cause significant damage. It is not something to get paranoid about, but it is something companies can monitor fairly easily, and in doing so prevent data thefts like this one.
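As an added illustration of the endpoint monitoring the paragraphs above call for (example code written for this page, not code from the original post or from Countrywide), the Python below scans kernel log lines for USB mass-storage attachments and flags any drive whose serial number is not on an allow-list. The log lines, host name, device IDs and the allow-list are all constructed for the example.

```python
import re

# Constructed sample of Linux kernel messages in syslog format (not real data):
# an approved drive attached at 09:14, a mouse at 09:20 and an unknown drive at 22:31.
SAMPLE_LOG = """\
Jul 27 09:14:02 ws-417 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jul 27 09:14:02 ws-417 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jul 27 09:14:02 ws-417 kernel: usb 1-2: SerialNumber: 50E549C6B4D2
Jul 27 09:14:03 ws-417 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jul 27 09:20:45 ws-417 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jul 27 09:20:45 ws-417 kernel: usb 1-3: SerialNumber: A1B2C3
Jul 27 22:31:10 ws-417 kernel: usb 1-4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jul 27 22:31:10 ws-417 kernel: usb 1-4: SerialNumber: 4C530001230519112345
Jul 27 22:31:11 ws-417 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Hypothetical allow-list: serial numbers of company-issued drives.
ALLOWED_SERIALS = {"50E549C6B4D2"}

# Syslog prefix shared by every kernel line: timestamp, host, "kernel: ".
PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: "
NEW_DEV = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(PREFIX + r"usb-storage (?P<port>[\d.-]+):[\d.]+: "
                     r"USB Mass Storage device detected")


def find_unauthorised_storage(log_text, allowed_serials=ALLOWED_SERIALS):
    """Return one alert dict per mass-storage attach whose serial is not allow-listed.

    The kernel logs an attach as a sequence of lines keyed by the port (e.g. "1-4"):
    device found -> serial number -> storage driver bound. We correlate them by port.
    """
    devices = {}   # port -> attributes collected so far for the device on that port
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            # A fresh attach on this port: discard whatever was plugged in before.
            devices[m["port"]] = {"host": m["host"], "vid": m["vid"],
                                  "pid": m["pid"], "serial": None}
            continue
        m = SERIAL.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["serial"] = m["serial"]
            continue
        m = STORAGE.match(line)
        if m:
            # A storage line with no preceding attach (or no serial) is still
            # reported: an unknown device must not pass just because it is unknown.
            dev = devices.get(m["port"], {"host": m["host"], "vid": "?",
                                          "pid": "?", "serial": None})
            if dev["serial"] not in allowed_serials:
                alerts.append({"time": m["ts"], "port": m["port"], **dev})
    return alerts


if __name__ == "__main__":
    for a in find_unauthorised_storage(SAMPLE_LOG):
        print(f"{a['time']} {a['host']}: unapproved storage on port {a['port']} "
              f"(vid={a['vid']} pid={a['pid']} serial={a['serial']})")
```

Run as a script it prints a single alert, for the 22:31 drive; the mouse is ignored because the storage driver never binds to it, and the approved drive is ignored because its serial is allow-listed. This is only the monitoring half: on Linux hosts the blocking half is usually a modprobe rule (an `install usb-storage /bin/false` line under /etc/modprobe.d/) or a udev allow-list keyed on the same serials, both outside this snippet.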
Stolen Flash Drive with Personal Info on 2,600 Delphi Workers
A flash drive containing private information on 2,600 former Dayton-area Delphi workers has recently been stolen from an unattended laptop belonging to a Job and Family Services department employee. The drive held the workers' names, addresses, social security numbers and telephone numbers.
Helen Jones-Kelley, director of the Job and Family Services department, quoted by the Dayton Daily News, said leaving the laptop unattended during the lunch hour was a violation of department policy and that the employee responsible could face disciplinary action, up to and including termination.
As for those affected, the same department representative said letters have been sent to everyone involved.
11 Arrested in the TJX Identity Theft and Data Breach Case
The FBI has arrested 11 people in the case of the largest identity theft and data breach in history, which targeted TJX and other companies. The suspects, three of whom are US citizens, are believed to have taken part in the theft of over 40 million credit and debit card accounts from nine major retailers and restaurants. Stealing that much data was possible after they installed malicious software on the systems of TJX Companies, BJ's Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, Dave & Buster's and Boston Market.
Unsurpassed in scale in the time since, the breach has been covered constantly by the media. The Register tells the story in a recent article: at the beginning of 2007, TJX first reported a breach by unknown individuals who had by then stolen 46.5 million card numbers, a figure that later proved to be twice as high. According to the Register, the fraud had been going on for quite a while by the time TJX reported it, as a year earlier industry watchers had noticed an unusual increase in debit card fraud at retailers OfficeMax and Sam's Club.
The US Attorney for Massachusetts and the US Attorney General have both commented on the case:
“While technology has made our lives much easier it has also created new vulnerabilities,” Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results.”
“They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves,” US Attorney General Michael Mukasey said in prepared remarks. “And in total, they caused widespread losses by banks, retailers, and consumers.”
Besides a sophisticated, high-end technique for stealing the information, the ring also had multiple ways to turn the theft into profit, either by selling the data to other criminals or by using it to create counterfeit cards and withdraw thousands of dollars at a time.
The eleven arrested individuals are from the United States, Estonia, Ukraine, the People's Republic of China and Belarus. The FBI is still pursuing another member of the group, who is known only by his online alias and continues to elude authorities. Let's hope he's caught soon enough!
Breach Disclosure Laws are Pointless
Researchers at Carnegie Mellon University have just released data showing that the data breach disclosure laws in force in the US have failed to reduce identity theft. According to the Register, these findings come at a time of increased demand for similar laws in Europe that would oblige organizations to notify customers when their personal details are exposed.
The findings are based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). The researchers analyzed identity theft complaints made to the FTC from 2002 to 2006, looking for differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations, and 43 other states have since followed its lead.
The researchers determined that factors such as changes in a state's average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as the abstract of the paper, reproduced by the Register, shows:
We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.
“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.
LifeLock Sued By Customers
LifeLock, vendor of a much-contested fraud-prevention service, has been sued by three very unhappy customers from three US states. The customers are upset because they feel LifeLock fails to provide the comprehensive protection it advertises.
As the Register reports, the lawsuits have been filed by customers from Maryland, New Jersey and West Virginia. They target LifeLock's ads, in which CEO Todd Davis says he is so confident in the service that he volunteers his own Social Security number.
What isn’t mentioned is that on at least 87 occasions, Davis’s Social Security number has been used in attempts to steal his identity, and at least one of those times, the perpetrator was successful.
“It’s further evidence of the ineffectiveness of the services that LifeLock advertises,” David Paris, an attorney suing on behalf of the dissatisfied customers, told the Associated Press. Davis also told AP reporter Jordan Robertson it’s possible that driver’s licenses have been issued to other people in his name as a result of the widespread availability of his personal information. But he ascribes this possibility to flimsy fraud checks used by most departments of motor vehicles, rather than the ineffectiveness of his service.
Hospitals, a Danger to Your Personal Data
According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006 to 2007 the personal information of over 1.5 million patients was exposed through hospitals alone, leaving them exposed to identity theft. The survey does not take into account insurance companies, pharmaceutical companies or individual doctors' offices, which would push the total significantly higher.
According to Dark Reading, we should keep in mind that these numbers are based on reported breaches only. About 44 percent of hospitals that experienced a breach in 2007 did not inform the patients whose records were affected, the study shows.
Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While awareness of the security requirements of the Health Insurance Portability and Accountability Act (HIPAA) is high among hospital IT professionals, most hospitals put too much emphasis on compliance and not enough on real security vulnerabilities, the study says.
This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.