An employee of the California Department of Health thought it would be a great idea to access and copy to a portable drive personal information belonging to 9,000 former and current state employees.  The security breach discovered within the department involved names, dates of birth, and addresses stored in compensation records of the affected parties.

The California Department of Health is currently running an investigation on the scope and extent of the breach. In the mean time, the person responsible for the unauthorized removal of personal records from the institution is on administrative leave, answering all the questions needed to understand the incident. 

The data breach was discovered due to a state security detection system, which alerted officials of potentially suspicious activity back in April. The department stated they have upgraded their security to prevent future such security incidents.

Is there an easy way to prevent such breaches? An endpoint security and data loss prevention solution, if it’s a top line one, involves file tracing, telling IT departments who copied what and to which device. It also prevents the use of unauthorized portable drives and in the case of certain products it actually allows the creation of file lists, granting access to only those that are safe for use.

Inside threat is kicking and screaming and far from being gone from the corporate security world. Upset over being fired, a Californian woman breached the email system of her former employer and posted confidential documents to public websites. She got caught and the sentence was 60 days of home detention plus  ayear of probation for the one count of felony computer intrusion that 44 year old Ming Shao pleaded guilty to.

In her plea, the woman admitted to a value of the stolen information belonging to PanTerra Networks(which included a Weekly Ops Report) ranging between 10,000 and 30,000 US dollars. She admitted to have breached the PanTerra network and exposing the confidential files as a form of revenge for being fired in August 2009.

Shao gained and maintained access to PanTerra employee email accounts for several months after being fired. She then posted the data she collected to websites such as sacramentograpevine.com and hostedpbxproviders.com. The latter website, which covers user feedback on PanTerra and other companies published a posting by Shao that described a server crash. She also leaked details on ongoing negotiations between PanTerra and potential customers, causing the company to lose potential contracts.

Shao was also ordered to pay a 2,000 US dollars fine and another 20,747 in restitution. As she was at her first offence, the court considered a sentence of probation would suffice.

After discovering  leads, customer names and other documents have been lifted form a local home loan company in the Lee County, the local sheriff’s detectives are investigating a man, former employee of the company in question, claimed to have been responsible for this crime.

An Edmonton travel agency is currently investigated for credit card fraud after complaints of foul play totalling over 50,000 US dollars have been reported by former customers. According to the ongoing police investigation of the Canadian travel company, a former employee has been charged in the case, but other charges might still be pending, involving other prople related to the agency.

While the information is still foggy, it is clear that there have been about 11 reports from ex-customers who have used the agency’s services and then noticed unauthorized usage of their credit cards. The initial complaint came from a customer who had found out that almost 20,000 USD had been charged to his card. Subsequent complaints raised the total abount to 50,000 USD.

It is unclear how many credit card accounts had been stolen, as the agency personnel had access to all this data. The police investigation might be able to reveal who’s to blame and how many people were affected by this data theft.

In a new incident proving – as if more evidence was needed – that one of the biggest data security threats comes from the inside, an administrative tech of the Texas Child Protective Services in Houston decided to steal data on potential foster care and adoptive parents and use it to apply for credit cards. Together with an outside accomplice, they had used the stolen information to apply for said credit cards at various stores.

Luckily enough, the credit card issuers noticed some discrepancy in the way formed were filled out and the two were discovered and arrested after stealing data on only 70 individuals. The two accomplices charged with fraudulent possession of identifying information could face up to 10 years in prison and a 10,000 US dollar fine. Not quite worth it for some extra stolen cash that probably never came through.

As of now it is unclear if any of their identity theft attempts was successful. We do hope they have failed miserably.

If any manager out there was still wondering if their employees would actually steal company data, the answer is here. Yes, they would, although they know it’s illegal. And while most companies know the main threats that can lead to data theft are insiders, they do little to nothing about it. This is the Dark Reading conclusion after putting together two separate surveys conducted by security vendors.

One of the researches surveyed over 600 employees from the financial districts in New York, USA, and London UK. A lot of respondents admitted they had no problem taking work home and then keeping it for their own benefit. While the overwhelming majority knows this would be illegal, some had already taken confidential data to a new job and others said they would share such data at any time with friends or family if that would help them get hired in a better position. There are also those who would just take the private data just in case, as a long term insurance policy.

What they’d still from your company? Customer and contract lists first, proposals and plans afterward and only then product information.

The second survey showed that about 70% of companies see full-time employees as the biggest threat when it comes to stealing corporate data. The majority of respondents, most of them from the financial services field, are moderately to extremely concerned that laid-off or disgruntled employees could plant malicious software scripts or destroy company property. How much lost money would that mean? They again agreed on about 100 million dollars in the next 12 months.

Yet companies do believe at least half of those stealing their data ar caught. They also plan to change almost nothing in their security policy to prevent such breaches. They do believe though that the financial industry in general has a poor to somewhat acceptable ability to detect fraud.

It seems that the general trend is to worry, but do nothing. I’d say that’s a suicidal business strategy!

Over 30 reports of data theft filed since January 2009 have lead investigators to a potential leak at Johns Hopkins Hospital. One of their employees is believed to have used her credentials to access and then leak data on more than 10,000 patients while working at the hospital. Law enforcement agencies also suspect that the thefts might be related to a fraudulent driver’s license scheme discovered in Virginia.

According to Dark Reading, Johns Hopkins representatives stressed the fact that the data leak was not a hacking incident, but that the suspected employee had access to the breached records as part of her job. They also stated the records contain no medical data, but do contain other sensitive details, such as Social Security numbers and addresses. As the Dark Reading article further explained, the hospital took comprehensive measures to balance the loss of data:

Johns Hopkins is offering credit monitoring and fraud resolution services, as well as $30,000 in identity theft reimbursements, to the 31 victims, as well as to any of the 526 Virginia residents in the database who report fraud. It also is notifying the other 10,000 patients whose records were in the database.

Apart from the economic downturn, the year 2008 brought another critical issue to US companies: a nearly 50% increase in data breaches, leading them to lose considerably more sensitive data. According to an Identity Theft Resources Center (ITRC) study quoted by the Register, last year 35 million data records were exposed in 656 admitted incidents, amounting to a 47% increase compared to the 446 data loss incidents reported in 2007.

ITRC also states that about 40% of security breaches are never reported,  thus the true number of exposed confidential records is most likely to be far greater than the study suggests.

Computer malware, hacking, and insider theft accounted for 29.6 per cent of recorded breaches, where the root cause of the attack is known. One in six breaches (15.7 per cent) were blamed to insider theft, a figure that’s more then doubled between 2007 and 2008.

The good news is that as education regarding data loss prevention reached more companies, the number of incidents caused by human errors has decreased. But that is a very small light in a highly untrained corporate world, where most reported data breaches  involved data unprotected by either encryption or the simplest password protection. Let’s hope for a better protected 2009!