An employee of the California Department of Health thought it would be a great idea to access and copy to a portable drive personal information belonging to 9,000 former and current state employees. The security breach discovered within the department involved names, dates of birth, and addresses stored in compensation records of the affected parties.
The California Department of Health is currently running an investigation on the scope and extent of the breach. In the mean time, the person responsible for the unauthorized removal of personal records from the institution is on administrative leave, answering all the questions needed to understand the incident. Read more
According to Verizon’s DBIR (Data Breach Investigations Report) issued this year, the number of data breaches in the last years has fallen significantly, but there is still reason to remain vigilant. The numbers show a decrease from 144 million compromised records in 2009 to 4 million compromised records in 2010. The progress is even more significant if we take under consideration the progress since 2008, when 361 million records have been compromised.
This study was conducted by Verizon along with U.S. Secret Service (USSS) and the Dutch High Tech Crime Unit (NHTCU).
“With the addition of Verizon’s 2010 caseload and data contributed from the USSS and NHTCU, the DBIR series now spans 7 years, 1,700-plus breaches, and over 900 million compromised records,” said a post to the Verizon Business Security Blog that accompanied the report.
Inside threat is kicking and screaming and far from being gone from the corporate security world. Upset over being fired, a Californian woman breached the email system of her former employer and posted confidential documents to public websites. She got caught and the sentence was 60 days of home detention plus ayear of probation for the one count of felony computer intrusion that 44 year old Ming Shao pleaded guilty to.
In her plea, the woman admitted to a value of the stolen information belonging to PanTerra Networks(which included a Weekly Ops Report) ranging between 10,000 and 30,000 US dollars. She admitted to have breached the PanTerra network and exposing the confidential files as a form of revenge for being fired in August 2009. Read more
After discovering leads, customer names and other documents have been lifted form a local home loan company in the Lee County, the local sheriff’s detectives are investigating a man, former employee of the company in question, claimed to have been responsible for this crime.
An Edmonton travel agency is currently investigated for credit card fraud after complaints of foul play totalling over 50,000 US dollars have been reported by former customers. According to the ongoing police investigation of the Canadian travel company, a former employee has been charged in the case, but other charges might still be pending, involving other prople related to the agency.
While the information is still foggy, it is clear that there have been about 11 reports from ex-customers who have used the agency’s services and then noticed unauthorized usage of their credit cards. The initial complaint came from a customer who had found out that almost 20,000 USD had been charged to his card. Subsequent complaints raised the total abount to 50,000 USD.
It is unclear how many credit card accounts had been stolen, as the agency personnel had access to all this data. The police investigation might be able to reveal who’s to blame and how many people were affected by this data theft.
In a new incident proving – as if more evidence was needed – that one of the biggest data security threats comes from the inside, an administrative tech of the Texas Child Protective Services in Houston decided to steal data on potential foster care and adoptive parents and use it to apply for credit cards. Together with an outside accomplice, they had used the stolen information to apply for said credit cards at various stores.
Luckily enough, the credit card issuers noticed some discrepancy in the way formed were filled out and the two were discovered and arrested after stealing data on only 70 individuals. The two accomplices charged with fraudulent possession of identifying information could face up to 10 years in prison and a 10,000 US dollar fine. Not quite worth it for some extra stolen cash that probably never came through.
As of now it is unclear if any of their identity theft attempts was successful. We do hope they have failed miserably.
If any manager out there was still wondering if their employees would actually steal company data, the answer is here. Yes, they would, although they know it’s illegal. And while most companies know the main threats that can lead to data theft are insiders, they do little to nothing about it. This is the Dark Reading conclusion after putting together two separate surveys conducted by security vendors.
One of the researches surveyed over 600 employees from the financial districts in New York, USA, and London UK. A lot of respondents admitted they had no problem taking work home and then keeping it for their own benefit. While the overwhelming majority knows this would be illegal, some had already taken confidential data to a new job and others said they would share such data at any time with friends or family if that would help them get hired in a better position. There are also those who would just take the private data just in case, as a long term insurance policy. Read more
Over 30 reports of data theft filed since January 2009 have lead investigators to a potential leak at Johns Hopkins Hospital. One of their employees is believed to have used her credentials to access and then leak data on more than 10,000 patients while working at the hospital. Law enforcement agencies also suspect that the thefts might be related to a fraudulent driver’s license scheme discovered in Virginia.
According to Dark Reading, Johns Hopkins representatives stressed the fact that the data leak was not a hacking incident, but that the suspected employee had access to the breached records as part of her job. They also stated the records contain no medical data, but do contain other sensitive details, such as Social Security numbers and addresses. As the Dark Reading article further explained, the hospital took comprehensive measures to balance the loss of data:
Johns Hopkins is offering credit monitoring and fraud resolution services, as well as $30,000 in identity theft reimbursements, to the 31 victims, as well as to any of the 526 Virginia residents in the database who report fraud. It also is notifying the other 10,000 patients whose records were in the database.
Apart from the economic downturn, the year 2008 brought another critical issue to US companies: a nearly 50% increase in data breaches, leading them to lose considerably more sensitive data. According to an Identity Theft Resources Center (ITRC) study quoted by the Register, last year 35 million data records were exposed in 656 admitted incidents, amounting to a 47% increase compared to the 446 data loss incidents reported in 2007.
ITRC also states that about 40% of security breaches are never reported, thus the true number of exposed confidential records is most likely to be far greater than the study suggests.
Computer malware, hacking, and insider theft accounted for 29.6 per cent of recorded breaches, where the root cause of the attack is known. One in six breaches (15.7 per cent) were blamed to insider theft, a figure that’s more then doubled between 2007 and 2008.
The good news is that as education regarding data loss prevention reached more companies, the number of incidents caused by human errors has decreased. But that is a very small light in a highly untrained corporate world, where most reported data breaches involved data unprotected by either encryption or the simplest password protection. Let’s hope for a better protected 2009!