Stolen Flash Drive with Personal Info on 2,600 Delphi Workers
A flash drive containing private information on 2,600 former Dayton-area Delphi workers has recently been stolen from an unattended laptop of a Job and Family Services department employee. The information stored on said drive included names, addresses, social security numbers and telephone numbers of the workers.
Helen Jones-Kelley, director of the Job and Family Services department, quoted by the Dayton Daily News, said leaving the laptop unattended during lunch hour was a violation of department policy and the responsible employee could be taken disciplinary actions against, including termination.
In what those affected are concerned, the same department representative said they have sent letters to all those involved.
11 Arrested in the TJX Identity Theft and Data Breach Case
The FBI has arrested 11 people in the case of the largest identity theft and data breach in history that targeted TJX and other companies. The suspects of which three are US citizens are believed to have taken part in the theft of over 40 million credit and debit card accounts from 9 major retailers and restaurants. Stealing that much data was possible after installing malicious software on the systems of TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, Dave & Busters and Boston Market.
Never surpassed in the time it has passed has been covered constantly by the media. The Reigster tells the story of the breach in a recent article: in the beginning of 2007, TJX first reported the a breach by unknown idividuals who had at the time stolen 46.5 million credit cards, number later proved to be twice as high. According to the Register, the fraud have been going on for quite a while when TJX reported it, as a year earlier industry watchers had noticed an unusual increse in debit card fraud at retailers OfficeMax and Sam’s Club.
US Attorney of Massachussets and the US Attorney General had both commented on the issue:
“While technology has made our lives much easier it has also created new vulnerabilities,” Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results.”
“They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves,” US Attorney General Michael Mukasey said in prepared remarks. “And in total, they caused widespread losses by banks, retailers, and consumers.”
Other than having a sophisticated and high end technique of stealing the information, the ring of thieves also had multiple way to turn the theft into profit, either by selling the data to other criminals or by using it to create fake cards and withdraw thousands of dollars at a time.
The eleven arrested individuals are from the United States, Estonia, Ukraine, the People’s Republic of China and Belarus. The FBI is still in pursuit of another member of the group who is only known by his online alias and continues to elude authorities. Let’s hope he’s caught soon enough!
LifeLock Sued By Customers
LifeLock, vendor of a much contested fraud-prevention service has been sued by three very unhappy customers from three USA states. The customers are upset because they feel LifeLock fails to provide the comprehensive protection it adveritses.
As the Register reports, the lawsuits have been initiated by three customers from Mryland, New Jersey and West Virginia. They are targeted against LifeLock ads, in which CEO Todd Davis says he is so confident in the service that he volunteers his Social Security number.
What isn’t mentioned is that on at least 87 occasions, Davis’s Social Security number has been used in attempts to steal his identity, and at least one of those times, the perpetrator was successful.
“It’s further evidence of the ineffectiveness of the services that LifeLock advertises,” David Paris, an attorney suing on behalf of the dissatisfied customers, told the Associated Press. Davis also told AP reporter Jordan Robertson it’s possible that driver’s licenses have been issued to other people in his name as a result of the widespread availability of his personal information. But he ascribes this possibility to flimsy fraud checks used by most departments of motor vehicles, rather than the ineffectiveness of his service.
Californian Supermarket Shoppers, Victims of Identity Theft
Over 100 shoppers at a supermarket in Los Gatos, California, became victims of identity theft when their private records have been stolen from their debit and credit cards through the checkout card reader. The thieves from the Lunardi’s grocery store used the stolen PIN numbers and card information to create fake cards which were subsequently use them to shop around.
The supermarket customers have been reporting cases of identity theft to authorities for over a week, and according to Dark Reading have been losing an average of $1,000 from their bank accounts.
“What we have here is more than one person — they’ve been able to get in there (Lunardi’s) and switch out the ATM card reader,” said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. “Once they’ve done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone.”
88,000 Patients Exposed to Identity Theft
Hardware containing personal information on about 88,000 patients of the Staten Island University Hospital has been stolen last year in December.
According to Silive.com, after four months of investigations that have led to no arrest, the hospital administrators are now starting to send letter to patients who are currently exposed to identity theft threats. The stolen desktop computer and the backup hard drive stolen from one of the hospital’s finance offices contained patients’ names, Social Security and health insurance numbers.
“The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,” said a hospital statement released yesterday afternoon by spokeswoman Arleen Ryback. The time frame for when patients whose information was included in the data were treated was not immediately known.
Ms. Ryback said no medical records were included in the files, but wouldn’t speculate why SIUH waited so long to notify people.
Private Information on Iredell County Taxpayers Stolen
The Iredell County Tax Collector’s Office has just informed the public about an information theft that has taken place at the end of April. The incident involved a courier vehicle that provided services for First Citizens Bank which was stolen in Charlotte. The vehicle’s shipment containing included data related to Iredell County tax payments. According to Prime Newswire, Charlotte law enforcement officials are currently investigating the incident, but the contents of the shipment are yet to be recovered.
The stolen shipment contained a computer report of 468 taxpayer’s check information, including account numbers, check numbers, check amounts and routing numbers from various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments.
Expensive Security Keeps Breaches Away
UK companies have tripled their spendings on information security defenses in the past three years, fact that has caused reported security breaches to drop by a third. That means 300% more money spent gets you to 30% less breaches.
According to the most recent edition of the UK government-sponsored Information Security Breaches Survey, quoted by the Register, the number of companies reporting a security breach is now at roughly the same level as in 2002, after reaching a peak in 2004.
Expenditure on information security has increased from two per cent to seven per cent of the IT budget on average over the last six years. But this increase in spending is uneven with a significant minority (21 per cent) of companies spending less than one per cent of their IT budget on information security.
Nonetheless, the security landscape has improved markedly over that period with 94 per cent of wireless networks now encrypted, versus only 47 per cent in 2002. More than half (55 per cent) of UK companies have a documented security policy, versus 27 per cent in 2002. Two in five businesses provide ongoing security awareness training to staff – twice as many as six years ago.
DLP on the Right Track, but not Fullproof
Speakers at RSA 2008 state the Data Loss Prevention (DLP) segment of security solution is reporting impressive improvements, but it still not able to stop innovative attacks. While it might be the new hot shot of the entire security industry, DLP can fail when attempting to successfully fight off all data breaches.
In a Symantec-sponsored panel addressing DLP related issues, speakers were highly optimistic towards the future of this new technology, which, according to Dark Reading, “is designed to monitor, detect, and control the egress of sensitive enterprise data in an organization”. Yet the fact that insider-theft technology has been describes as omnipotence was acknowledged to be grossly exaggerated. Here’s a selection of the most interesting quotes Dark Reading published:
“The idea that you’re going to be able to protect every piece of data all the time is probably impossible,” said Joseph Ansanelli, former CEO of DLP pioneer Vontu and now vice president of DLP at Symantec, which bough Vontu last year. “It’s not going to happen.”
“DLP is a tool,” said Craig Shumard, CISO for CIGNA Corp., a Vontu user. “It’s one of a number of things you can use to help control the insider threat. But it’s not the whole solution.”
The key, Rich Mogull, founder of Securosis, says, is to define your “sensitive” data before deploying DLP. “You need to put all of your business people in a room and force them to choose which data is the most valuable,” he said. “Once you’ve done that, you can use DLP to start monitoring that data, to set policies for protecting it, and eventually, to enforce those policies.”
Stolen Hardware – Most Common Cause for Data Breaches
Stolen or lost hardware, from laptops to USB sticks and portable hard drives, were the most common cause of data breaches in 2007, outranking malicious software. These findings have been recently released by Symantec in its latest Internet Security Threat Report. As SecurityFocus shows, this is a significant conclusion, given that the number of unique variants of malicious software more than quadrupled in 2007.
the theft of computers and storage devices, not malicious code, accounted for the majority of lost data. In the latter half of the year, such physical theft accounted for 57 percent of data breaches, up from 46 percent in the first half of 2007, the report stated. While the government had only the second highest number of breaches — 20 percent of the total compared to 24 percent for the education sector — those breaches accounted for 60 percent of identity theft, the report stated.
Gains from Online Fraud Aim for the Sky
According to the latest data released by the FBI’s Internet Crime Complaint Center, damages caused by online fraud have significantly increased, going up by 20 percent.
The report cited by SecurityFocus shows that, while the number of complaints has been a little lower, the reported damage originated from online fraud grew from $198 million in 2006 to $239 million in 2007. FBI’s IC3 online portal where cybercrime complaints are received processed a little under 207,000 such reports last year, just a few less than in 2006. The criminal activity is in no way discriminatory, affecting victims aged from 10 to 100 years old.
“The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become,” James E. Finch, assistant director of the FBI’s Cyber Division, said in a statement. “What this report does not show is how often this type of activity goes unreported.”
While the media reports often on the crime of identity theft, the largest number of people, more than a third, complain about online auction fraud, the IC3 report stated. Other online crimes, such as industrial espionage by other nation states, largely go unreported. Earlier this month, the Council of Europe requested that Internet service providers help battle cybercrime by sharing information about their users.
