A thumb drive containing personal data of current and past graduate medical education residents and fellows at Cooper University Hospital has recently gone missing. Lost around July 8th, the incident has been reported to the proper authorites a few days later who are now looking into the potential security breach only two weeks later.

According to hospital sources, the lost data includes Social Security numbers, addresses, and phone numbers. As it always happens in such cases, the data was not in anyway encrypted or protected.

The University later released the following statement:

“Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive. The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years. We have advised the residents and fellows who were advised to contact their local police. No other employee information was compromised. Further, No patient information or records were compromised. The incident was reported to the New Jersey State Police Cyber Crimes Unit on Friday, July 23 as per the state notification procedure. The hospital is conducting a thorough investigation and has initiated an aggressive plan to protect any personnel who could be affected by this potential security breach.”

As of yet there are no information on the number of individuals affected by the breach.

When it comes to high-level executives, the rules of the game often change. They are used to ask for exceptions to be made for them, backdoors to be opened and a whole different set of rules to be applied. This is what turns them in one of the biggest threats to corporate security.

According to Jayson Street, CIO and managing partner of Stratagem 1 Solutions, senior executives often circumvent security rules and policies to suit their needs and whims at the expense of security. The negative effect is that the special treatment leads to enabling cybercriminals to easily gain access to corporate networks by impersonating as management personnel. That is why, because of their systems privilege and access rights, they become ideal targets for all those wanting to hack into corporate networks.

“[Hackers are] not going after the bank teller, [they are] going after the bank president, because the tellers have USB drive rights deactivated, they have controls on where they can go on websites.” Street recounted how he was able to access the server room of a hotel simply by gathering information through social networks such as LinkedIn and Twitter of the owner, then sending an email to the access control personnel masquerading as the CEO of the tech support organisation. When the staff was later asked why he allowed Street access, he said: “Because [the boss] sends email messages like these all the time! He asked, and he’s the owner — you have to let him do what he wants.”

What can companies do to stop turning their top dogs into easy targets? Jayson Street recommends that IT security experts should stop enabling them and instead explain how fast they can become victims of cybercriminals. Lower rank employees should also be encouraged to report abnormal behaviors in order to maintain a safe environment. Also, educating all users about how and social engineering, impersonation, identity theft and other such menaces occur could also prove to be very effective.

AvMed Health Plans is currently dealing with a prominent data breach after having two company laptops stolen from their corporate offices in Gainesville in early December. The theft could compromise personal information of over 200,000 current and former subscribers, as well as their dependents, said a company announcement quoted by Gainesville.com.

The two laptops contained details such as names, addresses, phone numbers, Social Security numbers and protected health information. Yet the company states that the risk of identity theft is very low, as data was listed in a random way, regardless of the fact that, 12 days after the incident, AvMed discovered the data on one of the two laptops was not properly encrypted.

AvMed states there were no reports of identity theft up to now, but they will only have a clearer view on the situation after their members start registering for identity protection, service provided by the company for free for the next 24 months.

A recent DOS attack on an Eugene School District server managed to succeed in breaching their security and access the said computer which contained the names, employee ID numbers and phone numbers of about 2500 current and former employees. While other sensitive information such as security numbers were not stored on the breached machine, the server was connected with others (apparently protected by other security systems as well), that contained private details on a total of 26000 people and vendors.

Luckily all student data are stored on different networks of the Eugene School District, so none of those studying in the region have been affected. The supposed breach seems to have only affected adults.

Yet the safetly of the 26000 different records is in no way guaranteed. There is no proof of further breaching, but there isn’t any to show there was none either. In the mean time, the breach is being investigated, while the school district’s website has been updated with information on the breach.

“A thorough investigation of the security breach has been initiated, police have been notified, and the district has taken measures to further safeguard the involved server,” the district said. “We are continuing to assess our information security systems to make certain that we have all appropriate measures in place to ensure that personal information is secure. We sincerely regret any inconvenience this may cause to our staff and vendors.”

More information here.

French financial authorities might have just blown away an interesting case against people suspected of tax evasion because they have used stolen data in their investigation. The French had come across a list of 3000 of their nationals suspected of using Swiss banking secrecy to pay less or no taxes. But the list has been handed to them by a former IT worker at HSBC in Switzerland who, as it happens, did not have the bank’s approval to give it to the French…

The Swiss HSBC confirmed one of their employees was suspected of stealing data (in the 2008-2007 interval), but said case only involved a list of 10 accounts. A conviction of sorts isn’t confirmed, but the former IT employee is rumored to have fled to France where he benefits from French protection.

French newspapers quoted by The Register claim that the stolen list actually contained 4000 names of French clients, all of them holding abut 6 billion EUR, of which only a part were actually suspected of tax evasion. More on this case in The Register and The Times.

When it comes to security breaches leading to data loss, accidents caused by insiders are more frequent and generally do more damage than those caused by insiders with malicious intents, shoes a new study published by industry research firm IDC industry research firm and sponsored bu RSA.

According to a report, 52 % of respondents characterized their insider threat incidents as predominantly accidental, while only 19% believed the threats were deliberate. Another 26 % said their insider issues were an equal combination of accidental and malicious threats.

“One of the things that jumped out at us from the study was how many insider incidents are unintentional,” says Chris Young, senior vice president of RSA products, quoted by Dark Reading. “These are individual actors who often are just trying to do their jobs and don’t understand that what they are doing is dangerous.”

“Employers view their relationship with employees as one of trust and recognize their people are their biggest asset,” said Chris Christiansen, program vice president of security products at IDC. “But the vast nature of an organization’s infrastructure, coupled with a dispersed, often global, employee base and complex internal user mix of employees, consultants, partners, and outsourcers make addressing the risks posed by its internal users the biggest security challenge that CXOs currently face. Whether the risk is intentional or not, it’s there. It’s real.”

The study also showed that in the past 12 months the 400 respondents that took part in the study admitted to 6244 incidents of unintentional data loss, 5830 malware/spyware attacks from within the enterprise, and 5794 incidents of risks created by excessive privilege and access control rights. The total number of internal security incidents was of a whoooping 57485 issues for the year.

As a response to this huge number of security only 40% plan to invest more in their on better handling their internal security risks. We would have definitely expected a higher percentage, given said number of incidents!

The “I am legend” of the hacking and data theft world, Albert Gonzales, decided to plead guilty and now faces 15 to 25 years in jail. Gonzales is accused of masterminding a hacking circle that stole 130 million credit and debit card numbers from major retail chains such as Barnes and Noble, T.J. Maxx, Sports Authority, and OfficeMax.

According to The Register, Gonzales, who also used to be a government informant, agreed to plead guilty to 19 felony counts in Massachusetts by September 11. He also intends to plead guilty to a New York indictment accusing him of similar crimes that targeted 11 Dave & Buster’s restaurants. And that’s not all!

The deal does not cover a third indictment in New Jersey against Gonzalez related to the alleged theft of data from more than 130 million credit card accounts from card payment processor Heartland Payment Systems and retailers Hannaford Brothers and 7-Eleven.

In what money is concerned, Gonzales will also say goodbye to nearly 1.65 million US dollars in cash, his Miami condominium, a 2006 BMW, laptop computers, three Rolex watches, and then some more!

The Mozilla Foundation takes security breaches very seriously. It immediately closed its online stores after finding out a third-party company that runs one of the sites’ back-end operations had suffered a breach.

The security issues affected GatewayCDI, an SMB with offices in three US cities, which runs the Mozilla Store, the foundation said in a blog post quoted by the Register. There is still no information to confirm whether any customers of the website selling coffee cups, tee-shirts, and other Mozilla promotional goods have been compromised.

“Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised,” Mozilla representatives wrote. “Mozilla immediately reached out to GatewayCDI and encouraged them to quickly inform individuals whose data had been compromised.”

Mozilla also stated they were undergoing a thorough analysis of their systems to determine the cause and extent of the breach. Additionally, GatewayCDI  will make sure to contact directly any Mozilla Store customers who may have been affected by this blurry breach.

According to the same Register article, Mozilla also closed down its International Mozilla Store, although it wasn’t run by GatewayCDI. Both stores displayed a message saying “closed for maintenance.”

There has been much noise about the Goldman Sachs ex-employee who managed to leave the company with their secret solution to be faster and better than their financial services competitors. At first, the name of the company reporting the data breach was unclear, then more started whispering Goldman Sachs. Let’s sink into the juicy details.

It all started when a computer programmer was arrested for stealing classified application code that powerd his former employer’s, later identified as Goldman Sachs, high-speed financial trading platform. The programmer’s name, along with more details on the incident, were reproduced from an FBI affidavit by DarkReading:

According to an affidavit (PDF) filed by the arresting FBI officer and subsequently posted by news media, the programmer, Sergey Aleynikov, copied “proprietary trade code” from his company and uploaded it to a Website in Germany. He later quit his job at the New York firm and moved to a new company in Chicago that “intended to engage in high-volume automated trading” — and paid him around three times his old salary of $400,000, according to the affidavit.

The programmer says it was all a mistake. Apparently, he only wanted some open sourced files he was working on and ended up with the entire shabang. The fact he never sold the code or tried to otherwise use it plays in his favor. The fact he tried to hide all traces of the data transfer, doesn’t. But that’s somehting to be settled in a court.

What’s fascinating, as ZDNet’s Larry Dignan explained on one of the network’s blogs, is that Goldman Sachs, “a master at gauging risk”, was able to overlook the danger of inside threats. Especially when it’s something all security experts have been talking about for a long while.

When you think about it, nothing happened to Goldman Sachs. Other than a much needed wake up call. What could have happened? The competition actually improving their own platforms and taking over more and more clients from Goldman Sachs. I have a feeling adding up the numbers of this potential loss would make us all dizzy!.

Did a data breach occur at T-Mobile USA? According to a group of hackers it did. They claimed to have gained access to all customer information of the company and posted network scans to prove it on the Full Disclosure web site. They also said they were trying to sell all the private records to T-Mobile’s competitors, who wouldn’t take them on the offer. Yet they’re still doing their best to sell all stolen info to the highest bidder.

T-Mobile has a different view on the story though. They said, and were quoted by ChannelWeb, that there is no proof whatsoever of any breach. And although the document posted online did in fact belong to T-Mobile, it contained to sensitive date, nor was it obtained while their system had been hacked into.

“The document in question has been determined to be a T-Mobile document, though there is no customer information contained in the document,” the company said in a statement. “There is no evidence to indicate that the T-Mobile security system was hacked into nor any evidence of a breach.”

While ChannelWeb seems to incline to believe T-Mobile on this one, their security experts say large mobile carriers often fall pray to hackers who harest their confidential customer records for their own benefit, mostly because the security systems they’re using are outdated. If I were T-Mobile right now, I’d make sure to check everything 100 times and find out exactly how the harmless file get posted online. Cause you can never know, can you?