The Kansas Department on Aging has recently reported a hardware theft that caused a data breach affecting about 7,000 of its customers. A laptop, a flash drive and paper files were stolen out of an employee’s vehicle, putting thousands of senior customers at risk.

The stolen files contained personal and protected health information belonging mainly to customers located in Sedgwick, Harvey, and Butler counties. The theft was immediately reported to the Wichita Police Department. The Kansas Department on Aging says it is cooperating with the police, but the stolen hardware has not yet been recovered.

Fortunately, there is no evidence to indicate that the information has been accessed and misused. The stolen data and documents may include full customer names, complete addresses, dates of birth, social security numbers, gender, in home services program participation information, Medicaid identification numbers, case management location and case manager names and telephone numbers.  No banking, credit card, or driver license information was stored on the stolen devices.

The Kansas Department of Aging has confirmed that at least 100 customers have had their Social Security Numbers stolen and trying to inform those affected through phone calls. They will further notify everyone affected by the breach through letters explaining the situation.

“We are immediately reviewing policies and procedures relevant to information security, especially for those employees whose duties require travel off-site to prevent a similar situation from recurring,” stated Secretary Shawn Sullivan of the Department on Aging.

The Department of Aging also advised their customers to contact their banks and credit card companies and let them know they are victims of a data theft, prompting them to keep an eye on any suspicious activity in the following months.

When you are the lead artist of a security mishaps that ended up in a data breach affecting some 24 million people, consequences are bound to catch up with you. And they just have caught up with shoe retailer Zappos.com and the bigger online fish behind them, Amazon.com. The two companies are being sued by the customers affected by the data breach, being accused of negligence.

A woman from Texas seems to be the main promoter in this Kentucky lawsuit. She claims that she and millions of other customers were harmed by the exposure of their personal account information. Zappos and Amazon have not commented on the lawsuit as of earlier today. 

The Zappos data breach was made public on Sunday when the company emailed employees and customers to let them know that names, phone numbers and email addresses of customers might have been accessed in a hacker attack.  The same statement reassured them that credit card and payment information had not been stolen. Zappos also advised its customers to reset account passwords on their site and any other sites where similar passwords were being used.

The attorneys of the Texas woman are seeking class-action status on behalf of the 24 million affected customers, claiming the security breach was actually a violation of the federal Fair Credit Reporting Act. The sum the lawsuit seeks has not been specified, but it is in the range of millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy. It also seeks to have Zappos court-ordered to pay for credit monitoring and identity theft insurance, plus periodic audits, for all those affected by the data breach.

The US Department of Taxation (DOTAX) decided to take a closer look at how their systems work this year. The process of evaluation included a security audit which lead to discovering internal security breaches dating back to 2008. DOTAX celebrated the three years of undiscovered breaches by putting employees of the Hawaii DOTAX on administrative leave without pay and starting a comprehensive investigation.

The breaches affected the Department’s computer tax database but no one knows when they occurred, it is suspected they happened at least as far back as 2008.The discovered incidents were immediately turned over to the Department of the Attorney General for review and investigation.

“Protecting the integrity of tax records is a serious matter,” said Fred Pablo, the state tax director, in a written statement. “The possibility of wrongful actions are extremely disturbing, which is why these matters were immediately reported to the Attorney General.”

Other than announcing some of their staff were put on administrative leave, DOTAX did not release any other details on the investigation, stating they would only do so after it had been completed.  We look forward to that moment to know how many people have been affected and what kind of protection they will receive.

Almost two weeks ago, we revealed the major changes that had happened this year in the major data breaches top of all times. 2011 was leading in what the number of high profile of breaches is concerned. The top might change once more, ensuring an even stronger position for the current year as hackers hit Steam, a gaming giant that is home to 35 million user accounts.

What we know so far is that the Steam customer data base has been indeed accessed by hackers.

“We learned that intruders obtained access to a Steam database in addition to the forums,”  said Gabe Newell, co-founder and managing director of Steam parent company Valve. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

While the most sensitive account information was encrypted and there is no evidence that the hackers stole any of the details in the database or that they attempted to misuse any credit cards, Valve advises users to keep a close eye on credit card activity for the time being.

“We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords, which are separate from forum passwords,” Newell’s statement explains. “However, it wouldn’t be a bad idea to change that as well.”

Let’s all keep our fingers crossed and hope only a few forum accounts have been compromised and the 35 million records are safe.

While data breaches are as common as any other daily occurrence in the business and individual worlds, the large security incidents don’t happen as often, especially if you think that one of the breaches in the top ten all time largest data exposures dates back to 1984. 2011 is not yet over and it already is the poster child of this top we all want to see unchanged.

2011 is the only year with three major data loss incidents in the top ten: Sony Corporation with 77 million records exposed, SK Communications, Nate, Cyworld with 35 million and again Sony Corporation through their Sony Online Entertainment division with close to 25 million records exposed. Luckily for us, although it featured large incidents, 2011 did not create as many victims as 2009 with its two incidents, Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank which share the number one position in the infamous top with 130 million records exposed and RockYou Inc. with another 32 million. 

Here’s the ultimate data breach top, the place where you never want to see your company’s name or that of any other company that has your data stored:

1. Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank – 130 million records (2009)
2. TJX Companies Inc. – 94 million records (2007)
3. TRW, Sears Roebuck – 90 million records (1984)
4. Sony Corporation – 77 million records (2011)
5. CardSystems, Visa, MasterCard, American Express – 40 million records (2005)
6. SK Communications, Nate, Cyworld – 35 million records (2011)
7. RockYou Inc. – 32 million records (2009)
8. U.S. Department of Veterans Affairs – 26,5 million (2006)
9. HM Revenue and Customs, TNT – 25 million records (2007)
10. Sony Online Entertainment, Sony Corporation – 24,6 million (2011)

After the hacking of the PBS network website, Sony’s movie division website was also hacked and at least 50,000 consumer email addresses have published. A group called LulzSec has claimed responsibility for the attack and stated the security breach was made possible by an existing SQL vulnerability.

“What’s worse is that every bit of data we took wasn’t encrypted,” the group wrote in a press release announcing the hack. “Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”

The group published user names and hashed passwords for both Sony’s Fox.com and PBS administrators and users and posted a hoax story involving Tupac Shakur and Biggie Smalls. The number of hacked accounts from Sony alone is around 73.000.

For Sony this is only the latest of a series of attacks launched as a response to their legal campaign against people jailbreaking the PlayStation 3 game console.

A computer that may contain personally identifiable information of almost 20,000 Reid Hospital patients was stolen from an employee’s home office in early April. According to Craig Kinyon, CEO/President of Reid Hospital, the laptop was only one of the items stolen in a break in, this indicating that data was not the objective of the theft.

The computer in question might have been storing reports on Medicare and Medicaid patients that have received treatment and medical services between 1999 and 2008. The reports contain names and Social Security numbers, as well as Medicare numbers.

No information stored after 2008 was stored on the stolen device. Nor were any financial information, banking information or other identifying information stored on the missing notebook.

Inside threat is kicking and screaming and far from being gone from the corporate security world. Upset over being fired, a Californian woman breached the email system of her former employer and posted confidential documents to public websites. She got caught and the sentence was 60 days of home detention plus  ayear of probation for the one count of felony computer intrusion that 44 year old Ming Shao pleaded guilty to.

In her plea, the woman admitted to a value of the stolen information belonging to PanTerra Networks(which included a Weekly Ops Report) ranging between 10,000 and 30,000 US dollars. She admitted to have breached the PanTerra network and exposing the confidential files as a form of revenge for being fired in August 2009.

Shao gained and maintained access to PanTerra employee email accounts for several months after being fired. She then posted the data she collected to websites such as sacramentograpevine.com and hostedpbxproviders.com. The latter website, which covers user feedback on PanTerra and other companies published a posting by Shao that described a server crash. She also leaked details on ongoing negotiations between PanTerra and potential customers, causing the company to lose potential contracts.

Shao was also ordered to pay a 2,000 US dollars fine and another 20,747 in restitution. As she was at her first offence, the court considered a sentence of probation would suffice.

A security problem that allowed malicious web sites to access personal user information without their explicit permission has just been fixed by Facebook. This flaw has been reported by Rui Wang and Zhou Li, two student researchers.

According to Graham Cluley, senior technology consultant at Sophos, the security lapse could let malware spread between users,and abuse data as it goes by impersonating a legitimate site that already has the permission to take information.

“According to Wang and Li, it was possible for any web site to impersonate other sites which had been authorised to access user data, such as name, gender and date of birth,” he said. “Furthermore, the researchers found a way to publish content on the visiting users’ Facebook walls under the guise of legitimate web sites, a potential way to spread malware and phishing attacks.”

The security problem only occurred in accounts with looser settings, as more rigorous privacy settings offered adequate protection for the flaw. Fortunately, the students informed only Facebook and Cluley and not the wider world, which could have led to the exploit being used by malicious groups.

Cluley, an outspoken critic of Facebook’s security practices according to V3.co.uk, acknowledged the social site’s security team “responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it”.

However, Facebook is likely to be targeted by similar malware in the future due to it’s complexity.