Almost two weeks ago, we covered the major changes this year in the all-time ranking of the biggest data breaches, with 2011 leading in the number of high-profile breaches. That ranking might change once more, further strengthening the current year's position, as hackers hit Steam, a gaming giant that is home to 35 million user accounts.
What we know so far is that the Steam customer database has indeed been accessed by hackers.
“We learned that intruders obtained access to a Steam database in addition to the forums,” said Gabe Newell, co-founder and managing director of Steam parent company Valve. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”
Health systems company Spectrum has been the victim of a data breach affecting the confidential health information of some of its clients. The breach was the result of an electronic device theft, in which the perpetrators also took a hard drive that held the medical details. According to Spectrum representatives, the stolen information was not encrypted, but it was double password protected.
The thieves took three electronic devices when breaking into the offices located at 484 Main St. in Worcester in late August, but only one was used to temporarily store personal and protected health information.
Personal data for 1.9 million current and former members of Health Net Inc. may have been compromised. An investigation of a security breach has been launched in Rancho Cordova, at Health Net’s data center. This investigation is a follow-up after IBM, the technology vendor for Health Net, sent a notice that it could not locate several server drives.
The California Department of Managed Health Care launched an investigation on Monday into Health Net’s security practices. Health Net Inc. is currently notifying individuals whose information is on the lost drives and offering two years of free credit monitoring services, including fraud resolution. Restoration of credit files and identity theft insurance will also be provided if necessary. These services will be provided with the help of Debix Identity Protection Network.
According to the agency, the records of more than 622,000 members in health plans regulated by the Dept. of Managed Health Care may have been compromised. Records for 223,000 members in products regulated by the Department of Insurance may also be affected. Some Medicare beneficiaries' records also appear to be lost.
The Alaska Department of Education and Early Development issued a warning for school districts across the state announcing that a computer hard drive containing information on 90,000 students was stolen from Juneau. The Juneau Police Department is currently investigating the theft.
“Alaska law requires government agencies that collect personal information to notify you if your information is lost or stolen,” Commissioner Mike Hanley wrote in a news release. “This theft has unfortunately resulted in the release of some of your personal information to an unauthorized third party.”
Personal information such as names, birth dates, ID numbers and more could have been accessed with the help of the stolen equipment.
The latest local authority to contravene the Data Protection Act after losing sensitive information is the Cambridgeshire County Council. According to the Information Commissioner’s Office, an unencrypted memory stick containing personal information on at least six “vulnerable adults” has been lost by the council.
This breach occurred just after the council had launched an internal campaign designed to highlight the importance of personal information, putting the council in an awkward position.
“While Cambridgeshire County Council clearly recognises the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check that their data protection policies are continually followed and fully understood by staff,” said ICO enforcement group manager Sally Anne Poole. “We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures, and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”
Fines of £80,000 and £70,000 were also imposed on Ealing Council and Hounslow Council earlier this month, after the loss of 1000 private records by the first council and 700 by the second.
Personal information of more than 760,000 current and former Ohio State University students, faculty and staff was repeatedly compromised earlier this year by hackers who managed to access an unsecured university server. According to an advisory posted on the university’s website, school officials began sending out notification letters to all affected individuals this week.
A routine IT security review discovered the breach in late October. This breach allowed hackers to access student and staff files containing names, social security numbers, birth dates and addresses.
Two recent thefts of desktop computers belonging to the Montefiore Medical Center led to the exposure of sensitive information on patients and students stored by Montefiore’s Finance Department and School Health Program Administrative Offices.
The first incident happened in late May when two desktop computers were stolen from Montefiore’s Finance Department. The theft was discovered a couple of days later. Montefiore assessed the incident and concluded patient information had been stored on the computers, including patient names and medical record numbers. For some patients, the data stored also included social security numbers, dates of birth, hospital admission dates and/or insurer information.
AvMed Health Plans is currently dealing with a prominent data breach after having two company laptops stolen from their corporate offices in Gainesville in early December. The theft could compromise personal information of over 200,000 current and former subscribers, as well as their dependents, said a company announcement quoted by Gainesville.com.
The two laptops contained details such as names, addresses, phone numbers, Social Security numbers and protected health information. The company states that the risk of identity theft is very low, as the data was listed in a random way, even though, 12 days after the incident, AvMed discovered that the data on one of the two laptops was not properly encrypted.
AvMed states there have been no reports of identity theft so far, but it will only have a clearer view of the situation after its members start registering for identity protection, a service the company is providing for free for the next 24 months.
A recent breach reported by the Federal Aviation Administration has exposed the private data of about 45,000 employees, as a result of a hack of one of the FAA computer systems. The FAA has released a warning notice, quoted in Dark Reading, stating that employee personal identity information was stolen during the illegal access. Those affected by this security breach will also receive individual letters letting them know their data has been stolen and will probably be used in fraud or identity theft attempts.
“Two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA’s rolls as of the first week of February 2006,” states the notice. “The server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the FAA has no indication those systems have been compromised in any way.”
The FAA also stated it has learned its lesson and taken the necessary steps to prevent future incidents of the sort. It is also taking long-term measures to protect personal information. As for those who have been affected by this very real breach, there’s a toll-free number and some details on the employee site.
Everyone fears the Internal Revenue Service! But now it’s for a new reason. It seems that using two applications it provides exposes taxpayers’ data to security breaches. The IRS deployed two critical computer systems although it knew of their weak security and the risks they carried.
The Treasury Inspector General for Tax Administration (TIGTA) office, explains DarkReading, has recently issued a statement saying the IRS’s mainframe-based Customer Account Data Engine (CADE) for managing taxpayer accounts and its Account Management Services (AMS) for IRS access to taxpayer data contained security flaws that the IRS identified but did not fix before deploying them last year.
The billion-dollar, high-sensitivity CADE system is one of the key elements of the IRS’s computer modernization program, and processed about 20 percent of the 142 billion tax returns filed to the IRS.
AMS, meanwhile, includes taxpayer identification numbers in its application error log, and its operating system has only a 77.8 percent compliance rate with the required security settings, according to the report.
TIGTA has no proof that any data was compromised or accessed by wrongdoers, yet the risk has been quite real.