As data storage devices get smaller and easier to carry, the chance of them being stolen or lost goes up. Thumb drives, laptops, computers: everything shrinks while storage capacity grows exponentially. That is great for productivity and awful for unencrypted data. While laptops and USB sticks have always been the easiest to steal or lose, that does not mean old-fashioned desktop computers cannot share the same fate.
The result of the following incidents? Exposed data affecting hundreds or thousands, making them perfect targets for identity theft or fraud. Another thing they have in common? You guessed it, they are all part of the healthcare industry! Most of these data breaches can be prevented and it’s a rather simple process. But let’s move on to our list of incidents!
The weekend brings news of several security breaches, some showing a trend, others just containing very real warnings. As the week starts, here’s what you might have missed over the weekend, to keep you alert and informed. Today’s roundup brings you a few employees gone rogue on corporate data, sensitive information posted online, the ever-present stolen laptop again, and quite a few of these mishaps happening in institutions related to health care.
A security breach that happened back in April finally surfaced and it involves South Australian DNA testing company Medvet. The mishap led to customers’ names, work and home addresses, and types of DNA testing kit ordered being exposed online and dutifully indexed by Google. Australia’s Privacy Commissioner Tim Pilgrim has already launched an investigation.
Hackers love big players in the gaming industry, it seems. After the prolonged downtime of Sony’s PlayStation Network due to subsequent hacks that exposed about 70 million players to fraud or identity theft, SEGA was the next target in the same industry segment. As a result, 1.2 million customers of the Japanese gaming company had their information stolen by the hackers, being exposed to the same risks as in the PSN breach.
SEGA stated that only Japanese players and the Japanese website were affected and that fortunately they do not store any sensitive information, such as credit card details. Yet even fewer details are sometimes enough to serve as a starting point for turning someone’s life upside down.
After the hacking of the PBS network website, Sony’s movie division website was also hacked and at least 50,000 consumer email addresses have been published. A group called LulzSec has claimed responsibility for the attack and stated the security breach was made possible by an existing SQL vulnerability.
“What’s worse is that every bit of data we took wasn’t encrypted,” the group wrote in a press release announcing the hack. “Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
A laptop computer stolen last month endangered the personal information of over 8,300 current and former students and employees of P.K. Yonge Development Research School, a kindergarten-through-grade-12 laboratory school affiliated with University of Florida’s College of Education.
The files stored on the stolen laptop contained employee payroll, employee parking permit and student information dating back to 2000, along with names, Social Security numbers and, in some cases, Florida driver’s license numbers. PK Yonge officials have confirmed that no student academic or medical records, nor any credit card details, were on the computer.
French financial authorities might have just blown an interesting case against people suspected of tax evasion because they used stolen data in their investigation. The French had come across a list of 3000 of their nationals suspected of using Swiss banking secrecy to pay less or no taxes. But the list was handed to them by a former IT worker at HSBC in Switzerland who, as it happens, did not have the bank’s approval to give it to the French…
The Swiss HSBC confirmed one of their employees was suspected of stealing data (in the 2008-2007 interval), but said the case only involved a list of 10 accounts. A conviction of sorts isn’t confirmed, but the former IT employee is rumored to have fled to France where he benefits from French protection.
French newspapers quoted by The Register claim that the stolen list actually contained 4000 names of French clients, all of them holding about 6 billion EUR, of which only a part were actually suspected of tax evasion. More on this case in The Register and The Times.
…70 GB of stolen data behind a new botnet that has caught researchers’ full attention. Security researchers have managed to infiltrate, through the Torpig botnet, one of the well-known zombie networks in the virtual world. According to their findings, this impressive amount of data was stolen in only 10 days.
As The Register reports, Torpig bots managed to steal more than 8,300 credentials corresponding to 410 different financial institutions. According to the research team from the University of California at Santa Barbara, over 21% of the accounts belonged to PayPal users. Almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.
How could this happen so fast? The reason behind the “unusually large haul is Torpig’s ability to siphon credentials from a large number of computer programs”.
After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors. Because the software runs at such a low level, it is able to intercept passwords before they may be encrypted by secure sockets layer or other programs.
Wonder no more, as the answer is now public: they do! You can buy hardware containing private details of strangers on eBay! Just a short while ago an IT manager paid 35 pounds for a computer hard disk containing one million sets of bank details.
The hardware in question contained details of customers of American Express, NatWest and the Royal Bank of Scotland, as reported by The Register. And Andrew Chapman, the guy who paid the money, would have had everything he needed for identity theft: names, addresses, sort codes, account numbers, credit card numbers, mobile phone numbers, mothers’ maiden names and scans of signatures.
The second-hand computer the hard drive belonged to was the property of Graphic Data. The archiving firm seems to be missing a second computer with the same type of information.