As data storage devices get smaller and easier to carry, the chance of them being stolen or lost goes higher. Thumb drives, laptops, computers, everything shrinks, while storage capacity grows exponentially, great for productivity, awful for unencrypted data. While laptops and USB sticks have always been the easiest to steal or lose, it does not mean that the old fashioned desktop computers cannot share in the same fate.

The result of the following incidents? Exposed data affecting hundreds or thousands, making them perfect targets for identity theft or fraud. Another thing they have in common? You guessed it, they are all part of the healthcare industry! Most of these data breaches can be prevented and it’s a rather simple process. But let’s move on to our list of incidents!

The London Ambulance Service ended up losing the data of close to 3000 patients when a personal laptop storing their names, addresses, dates of birth, NHS numbers and accessibility requirements for transportation was stolen from the house of a staff member.

In the very same, frequently breached field we love to call healthcare, the University Hospital of South Manchester NHS Foundation Trust had a data breach incident. A student lost a thumb drive containing the details of some 90 patients, including name, age, occupation and surgical details.

Treatment Services Northwest had their own security breach to deal with. A computer that belonged to them and ended up stolen exposed the protected health information of 1,200 patients.

The last on today’s list is Indiana University School of Medicine. A researcher’s car was broken into, their laptop was stolen, resulting in a data breach involving 3,192 patients’ records, with details including name, gender, age, diagnosis, and some social security numbers.

A piece of advice to the healthcare industry worldwide: start taking better care of the data entrusted to you.

Have a great weekend everyone!

Photo by Peter Beug

The weekend brings news of several security breaches, some showing a trend, others just containing very real warnings. As the week starts, here’s what you might have missed over the weekend, to keep you alert and informed. Today’s roundup brings you a few employees gone rogue on corporate data, sensitive information posted online, again the ever present stolen laptop and quite a few of these mishaps happening in institutions related to health care.

A security breach that happened back in April finally surfaced and it involves South Australian DNA testing company Medvet. The mishap led to customers’ names, work and home addresses, and types of DNA testing kit ordered being exposed online and dutifully indexed by Google. Australia’s Privacy Commissioner Tim Pilgrim has already launched an investigation.

The Meath County Council followed in the steps of the Australian security breach when planning applicants’ personal information, including birth certificates, bank account details and drivers’ licenses were posted online on their website. It took notifications from the general public for the information to be taken down.

UPromise Investments is one of the companies where employees thought to go against the employer in a security breach. The person in question accessed accessed 300 depositors’ names, social security numbers, birthdays and other contact information. This happened over 7 months while the suspected employee was on the job. What the job was? Withdrawals and deposits of course! The other such case happened at the Haartman Hospital, where an employee accessed 188 patients’ records without authorization.

The ever present stolen laptop this time belonged to the Kirklees Council and contained confidential files on 25 employees. What’s even more shocking is that this is one of several incidents in which private data was lost by the authority. If you were wondering, none of the information was encrypted and no one at the Council had to explain themselves for these breaches. Classic case of never learning from past mistakes!

Have a safe week everyone!

Hackers love big players in the gaming industry, it seems. After the prolonged downtime of Sony’s PlayStation Network due to subsequent hacks that exposed about 70 million players to fraud or identity theft, SEGA was the next target in the same industry segment. As a result, 1.2 million customers of the Japanese gaming company had their information stolen by the hackers, being exposed to the same risks as in the PSN breach.

SEGA stated that only Japanese players and the Japanese website were affected and that fortunately they do not store any sensitive information, such as credit card details. Yet even less details are sometimes enough to be used as a start point to get someone’s life turned upside down. 

Targeting large gaming companies seems to become a trend. Probably for the promise of enormous numbers of details that could be accessed at once. Maybe it’s because the money required for original games are annoying certain people with advanced hacking skills. Maybe it’s because the “fame” such a hack could bring someone, although we’d say it would be safer if no one ever found out who done it (for the hacker in question of course).

If this is a trend indeed, I wonder whose next? Nintendo? Blizzard with their huge Battle.net database of millions and millions of World of Warcraft, Starcraft and other game players? Or maybe Microsoft for their Xbox success? Who do you think might need to up their security and keep a close watch on shady characters looking to access their networks?

After the hacking of the PBS network website, Sony’s movie division website was also hacked and at least 50,000 consumer email addresses have published. A group called LulzSec has claimed responsibility for the attack and stated the security breach was made possible by an existing SQL vulnerability.

“What’s worse is that every bit of data we took wasn’t encrypted,” the group wrote in a press release announcing the hack. “Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”

The group published user names and hashed passwords for both Sony’s Fox.com and PBS administrators and users and posted a hoax story involving Tupac Shakur and Biggie Smalls. The number of hacked accounts from Sony alone is around 73.000.

For Sony this is only the latest of a series of attacks launched as a response to their legal campaign against people jailbreaking the PlayStation 3 game console.

A laptop computer stolen last month endangered the personal information of over 8,300 current and former students and employees of P.K. Yonge Development Research School, a kindergarten-through-grade-12 laboratory school affiliated with University of Florida’s College of Education.

The files stored on the stolen laptop contained employee payroll, employee parking permit and student information dating back to 2000, along with names, Social Security numbers and, in some cases, Florida driver’s license numbers. PK Yonge officials have confirmed that no student academic or medical records, nor any credit card details, were on the computer.

The school has started an official mailing campaign with 841 letters already sent and more on the way, explaining to those affected by the breach that their information has been exposed by the theft.

“We regret that this incident occurred and are working diligently to notify the people who may be impacted by this theft,” P.K. Yonge Director Fran Vandiver said.

The incident happened on July 23 when the laptop was taken from a P.K. Yonge employee’s rental car in San Francisco. The good news is that, unlike other hardware theft cases, the computer files were password-protected, yet school officials have no way of knowing if the information was accessed.

And another piece of good news, P.K. Yonge is working on preventing similar breaches. They are installing  protective encryption software on laptops that contain restricted data, and the university continues to review and improve its policies and procedures for protecting information.

“Employees and students have entrusted us with their personal information, and we take that responsibility seriously,” said Elias Eldayrie, UF’s chief information officer. “We are committed, as always, to continuous improvement and doing everything that we can to protect university data.”

Those who think they might have been affected by the breach can find more information on how to act here: http://privacy.ufl.edu/incidents/.

French financial authorities might have just blown away an interesting case against people suspected of tax evasion because they have used stolen data in their investigation. The French had come across a list of 3000 of their nationals suspected of using Swiss banking secrecy to pay less or no taxes. But the list has been handed to them by a former IT worker at HSBC in Switzerland who, as it happens, did not have the bank’s approval to give it to the French…

The Swiss HSBC confirmed one of their employees was suspected of stealing data (in the 2008-2007 interval), but said case only involved a list of 10 accounts. A conviction of sorts isn’t confirmed, but the former IT employee is rumored to have fled to France where he benefits from French protection.

French newspapers quoted by The Register claim that the stolen list actually contained 4000 names of French clients, all of them holding abut 6 billion EUR, of which only a part were actually suspected of tax evasion. More on this case in The Register and The Times.

…70 GB of stolen data behind a new botnet that has caught researchers’ full attention. Security researchers have managed to infliltrate, through the Torpig botnet, one of the well known zombie networks in the virtual world. According to their findings, this impressive amount of data was stolen in only 10 days.

As the Register reports, Torpig bots manage to steal more than 8,300 credentials corresponding to 410 different financial institutions.  The research team from the University of California at Santa Barbara, over 21% of the accounts belonged to PayPal users. Almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.

How could this happen so fast? It’s all due to the “unusually large haul is Torpig’s ability to siphon credentials from a large number of computer programs”.

After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors. Because the software runs at such a low level, it is able to intercept passwords before they may be encrypted by secure sockets layer or other programs.

Definitely scary!

Wonder no more, as the answer is no public: they do! You can buy hardware containing private details of strangers on eBay! Just a short while ago an IT manager paid 35 pounds on a computer hard disk containing one million sets of bank details.

The said hardware piece contained details of customers of American Express, NatWest and the Royal Bank of Scotland, as reported by The Register. And Andrew Chapman, the guy who paid the money, would have had everything he needed for identity thefts: names, addresses, sort codes, account numbers, credit card numbers, mobile phone numbers, mothers’ maiden names and scans of signatures.

The second hand computer the hard drive belonged to was the property of Graphic Data. The Archiving firm seems to be missing a second computer with the same type of information.