Starbucks Loses Laptop with Employee Information
In the second half of November, Starbucks disclosed a security breach that had occured a month earlier. A company laptop went missing and was thought to be stolen. It contained private details of 97,000 employees from accross he USA.
The data loss was announced through a memo posted on Starbucksgossip.com and was later confirmed by Starbucks officials. The memo also recommended those affected to monitor their financial accounts and look or any suspicios activities, as well as take all the necesary steps to prevent misusage of the lost records.
According to Seattlepi.com, this isn’t the first laptop containing company information stolen from Starbucks. In 2006, the company discovered it had misplaced 4 out-of-use laptops containing the names, addresses and Social Security numbers of 50,000 former and 10,000 then-current employees. One would expect enhanced security after such an incident.
US Army bans USB devices to stop worm from spreading
The US Army has temporarily banned the use of USB devices, along with floppy discs, CDs, external drives, flash media cards and all other removable media devices, to prevent a worm from spreading through its networks. According to the Register, the worm that caused this extreme measure is Agent-BTZ, a variant of the SillyFDC worm.
While the ban itself is bound to cause some distress, as it would in any other organization, the work flow will be more extensively affected in the US Army because for some offices email or online file transfers are not allowed either.
The measure is a bit drastic, but at least something was done. I personally would have expected a safer endpoint security system and protected USB drives, given the Army’s impressive history with lost hardware and data breaches (see some examples here, here and here). Who knows, maybe this time they will learn 
IRS – Helping You Put Your Data at Risk
Everyone fears the Internal Revenue Service! But now it’s for a new reason. It seems using two applications they provide exposes taxpayers’ data to security breaches. The IRS deployed two critical computer systems although they new of their weak security and the risks they embedded.
The Treasury Inspector General for Tax Administration (TIGTA) office, explains DarkReading, has recently issued a statement saying the IRS’s mainframe-based Customer Account Data Engine (CADE) for managing taxpayer accounts and its Account Management Services (AMS) for IRS access to taxpayer data contained security flaws that the IRS identified but did not fix before deploying them last year.
The billion-dollar, high-sensitivity CADE system is one of the key elements of the IRS’s computer modernization program, and processed about 20 percent of the 142 billion tax returns filed to the IRS.
AMS, meanwhile, includes taxpayer identification numbers in its application error log, and its operating system has only a 77.8 percent compliance rate with the required security settings, according to the report.
TGTA has no proof on any data being compromised or being accessed by any wrong doers, yet the risk has been quite real.
Employees Dodge Security to Increase their Productivity
The most recent survey released by security firm RSA showed that technology workers are very resourceful when it comes to bypassing corporate security policies to get their work done more effectively.
The 2008 Insider Threat Survey showed that over 50% of those surveyed believed security policies to be too restrictive. The overwhelming majority is familiar with the policies enforced by their employers, that’s why they know how to circumvent them. As a consequence, more than half manage to access their work email accounts from public computers and even more check their emails through public wireless networks.
According to the Security Focus article on the survey, respondents came from three different countries, the US, Brazil and Mexico.
What solutions are there for companies in these conditions? Tightening security would definitely not be the answer. Instead of blocking their access to technological advantages, they should adapt their security solutions to enable access while still preserving the desired level of security.
Caught in the Act: IT Contractor Stole Shell Oil Employee Data
If you’re thinking to prevent inside threats by hiring consultants from outside your company, think again! They’re drive to make money using others’ identities is a genuine concern. Take Shell Oil for example, who caught one of its IT contractors stealing personal data on its employees from one of the US databases of the company.
After descovering the unnamed employee of a vendor working on said US database used the social security numbers and other info of four employees to file bogus unemployment claims, Shell Oil warned all its former and current personnel they have been exposed to identity theft. More on the ongoing investigation in the Register.
Playing Hide and Seek with Private Records
The security breach case we’re about to talk about is both troubling and funny. Missing data found after a few days after the disclosure of the breach, or, in other words, playing hide and seek with personal records is what’s been happening at the Tennessee State University.
After spreading the news that a flash drive containing the financial information and Social Security numbers of more than 9,000 students, TSU thoroughly proceeded to notify their students of the security breach. They also backed their announcement with credit protection for those affected.
TSU has a policy about keeping Social Security numbers in protected files, yet the reality was that the missing flash drive wasn’t believed to be encrypted or password-protected. Pretty standard case up to now, as hardware is lost and leads to significant data loss, security policies are not complied with, etc.
But! Yes, there’s a “but”, a few days after the announcement, a student turned the flash drive in and TSU released the good news. No one really knows why the student had the drive or how he got it; let’s hope the internal audit will clear this mystery.
The fact that security policies are not really complied with no longer surprises any of us. But finding out that any student can get their hands on private records that easily is a bit troubling. And the position of TSU is a bit weird as well: ooouups, we’ve lost some pretty important data on our students! Oh, no, our bad, one of our students had it because we have protocol and policies just to show off!
TJX Effects: Forever 21 Payment Card Breach
It has recently been discovered that the people behind the largest security breach in history, TJX, a heist affecting 46.5 million cards, have also breached US retailer Forever 21, lifting about 99,000 debit and credit cards.
As the Register reported, Forever 21 discolesed the breach on their site, letting everyone know they found out about the heist about a month ago from law enforcement officers. There where 9 specific dates when the payment card system was breached, spread from March 2004 to August 2007. The breach exposed card numbers and expiration dates, along with other details stored but not disclosed by Forever 21.
If you’re looking for the Forever 21 official statement, read the explanation on how to get to it on the Register, apparently it cannot be linked to… So much for transparency and caring more about your customers finding out and being protected than your image, which will be affected anyway…
Gambling Site Ex-Employee Responsible for 150 ID Thefts
Speaking of inside threats, while they might have fun stealing from customers and shaking their employers’ credibility and making them loose money, some of them actually get caught. This happened to a former employee of an internet-based gambling website who has recently pleaded guilty of having stolen the identities of 150 customers of the site in question.
According to the Register, Canadian Patrick Kalonji stole the victims’ names, birth dates, addresses, mothers’ maiden names, social security numbers, and other personal details between July 2002 and August 2004 while working for BetOnSports.com. Using two Yahoo personal email accounts, he shared the information with others who booked no more and no less than roundtrip plane tickets from Nigeria to New York!
Private Data of 5,000 Lost along with Hard Drive
Lost hardware is the cause of another data loss that has affected 5000 employees of the National Offender Management Service in England and Wales. The hard drive containing the personal records of the employees, including prison staff, was lost by a private firm, EDS.
Although detail on EDS and the circumstances in which the hard drive was lost are not yet very clear, the BBC article announcing the breach is rich in statements from Secretary of State Jack Straw and a couple of justice minister, as well as critiques of the British government.
Justice Minister David Hanson is the one who most surprised me. He stated he did not believe the safety of those working in the Justice system would be threatened. No wonder the British government and authorities are hit so hard by data losses or thefts if they have no idea what to consequences are. Of course their safety, identity and money will be threatened, a justice minister who’s at the second data breach in a few weeks, after loosing private info on thousands of criminals, should at least know that and not be taken by surprise 
.
Real Count: NY Bank Lost Data on 12 Million Customers
Do you remember the Bank of New York Mellon’s lost backup tapes? Initially, it was said they contained private records on 4.2 million customers. Yet according to new info from DarkReading, the count has just rose to 12 million.
“When we announced [the lost tapes] back in May, we said we were going to do a top to bottom review across the company and go back and review it again,” a Bank of New York Mellon spokesperson said. “When we discovered [there was] this additional data that may have non-public personal data on it, we brought in a third party” to help investigate it, the spokesperson said.
The unencrypted tapes were lost by a courier earlier this year and according to data released in May, those whose private data was stored on them where clients of BNY Mellon Shareholder Services. The newly discovered clients that have been affected by the breach are currently being notified by the bank.
