The Breach Blog, from FRSecure

Teen becomes instant "celebrity" after breach

Date Reported:
10/21/10

Organization:
Thames Valley District School Board

Contractor/Consultant/Branch:
Unknown

Location:
London, Ontario, Canada and Online

Victims:
Students

Number Affected:
"more than 27,000"

Types of Data:
"private information such as student passwords"

Breach Description:
London - A 15-year-old Lucan, Ontario, teen has become a bit of a celebrity after hacking into the Thames Valley District School Board website last week.

Ireland's HSE caught in another breach

Date Reported:
10/17/10

Organization:
Health Service Executive ("HSE")

Contractor/Consultant/Branch:
Undisclosed "private IT contractor"

Location:
Dublin, Ireland

Victims:
Patients

Number Affected:
1,500

Types of Data:
"sensitive health records"

Breach Description:
A private IT contractor working on behalf of the HSE brought sensitive health records belonging to patients home with the intention of working with them and emailing them back to the HSE office. The private IT contractor accidentally mistyped the recipient email address and sent the information to another government agency, resulting in a security breach.

Customer details exposed at award-winning security software vendor

Date Reported:
9/11/10

Organization:
Omniquad Ltd

Contractor/Consultant/Branch:
Undisclosed third-party helpdesk software vendor

Location:
Online

Victims:
Customers

Number Affected:
Undisclosed

Types of Data:
"customer log-in details"

Breach Description:
"The leak of consumer data, managed by network security provider Omniquad, has been held up as an example of the data breaches that undermine confidence in online business by the Cloud Industry Forum."

Virus infection at University of Oklahoma exposes nearly 20,000 patients

Date Reported:
10/11/10, 9/24/10, and 7/25/10

Organization:
University of Oklahoma

Contractor/Consultant/Branch:
University of Oklahoma - Tulsa
University of Oklahoma-Tulsa, Neurology Clinic

Location:
Tulsa, Oklahoma

Victims:
Patients

Number Affected:
19,264

Types of Data:
"patient name, telephone number, address, birth date, Social Security Number, medical record and insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports, and service dates. In some records, guarantor information was also included."

Breach Description:
The University of Oklahoma-Tulsa, Neurology Clinic recently posted a public notification of a breach that occurred through an infected clinic computer. The Office of Inadequate Security reports that the organization notified the U.S. Department of Health and Human Services ("HHS") of this (or a very similar) incident, affecting 19,264 patients, that was "detected on or about July 25". The letter posted online on the University of Oklahoma's web site is dated September 24th, but wasn't actually posted online until sometime in October.

Lawyer receives public reprimand from court over document disposal practice(s)

Date Reported:
9/30/10

Organization:
Attorney Steven A. Litz, Esquire

Contractor/Consultant/Branch:
None

Location:
Central Indiana

Victims:
"clients and former clients"

Number Affected:
Undisclosed

Types of Data:
Confidential client information

Breach Description:
"An Indiana adoption lawyer whose client files were scattered in the wind after his adult children left boxes of them beside a recycling bin has received a public reprimand" from the Indiana Supreme Court

Local Omaha doctor busted for dumping patient files

Date Reported:
10/5/10

Organization:
Omaha Gastroenterology Consultants, P.C.

Contractor/Consultant/Branch:
None

Location:
"60th and Harrison Streets in Omaha"

Victims:
Patients

Number Affected:
"hundreds"

Types of Data:
"Names, social security numbers, and sensitive medical records"

Breach Description:
An alert Omaha citizen discovered hundreds of medical records in recycling dumpsters allegedly originating from the offices of a local Gastroenterology clinic.  The find was reported to and by KMTV Action 3 News.

Maine Department of Education halts collection of Social Security Numbers after breach

Date Reported:
9/28/10

Organization:
State of Maine

Contractor/Consultant/Branch:
Department of Education
Infinite Campus, Inc.

Location:
Online/Various

Victims:
Students and/or staff members

Number Affected:
Undisclosed/Undetermined*

*There are more than 200,000 K-12 students in public and private schools across the state of Maine.

Types of Data:
Personal information, including Social Security numbers

Breach Description:
"AUGUSTA — The Maine Department of Education is telling school districts not to submit students' Social Security numbers to a state database until it works out a system error that gave a school technology director access to restricted information."

Two Lincoln area golf courses respond to breach of credit/debit card information

Date Reported:
9/20/10

Organization:
The Lodge at Wilderness Ridge
Hidden Valley Golf Club

Contractor/Consultant/Branch:
None

Location:
Lincoln, Nebraska area

Victims:
Customers

Number Affected:
"more than 200"

Types of Data:
Credit and debit card information

Breach Description:
"Two Lincoln golf courses and a restaurant say they are the sources of more than 200 credit and debit card numbers stolen recently from Lincoln-area residents."

Inadvertent internal email leads to KCI breach

Date Reported:
9/14/10

Organization:
Kinetic Concepts, Inc.

Contractor/Consultant/Branch:
None

Location:
In transit

Victims:
Employees

Number Affected:
Undisclosed

Types of Data:
Personal information, "such as name, address, date of birth and Social Security number"

Breach Description:
Kinetic Concepts, Inc. ("KCI") has notified the New Hampshire Attorney General of a breach.  The breach occurred when an email attachment containing personal information belonging to KCI employees was inadvertently distributed to other KCI employees.

SanDiegoFit.com customers affected by computer theft

Date Reported:
9/10/10

Organization:
SanDiegoFit.com

Contractor/Consultant/Branch:
None

Location:
San Diego, California

Victims:
Customers

Number Affected:
Undisclosed*

*There are 15 New Hampshire residents affected according to the breach notification letter.

Types of Data:
Personal information, including "name, address, phone number, and in some instances" credit card information.

Breach Description:
SanDiegoFit.com, Inc. has notified the New Hampshire Attorney General of a breach.  According to the breach notification letter, a computer was stolen from their office that was not encrypted and contained personal customer information.

Employee caught selling Cardinal Health computer on eBay

Date Reported:
9/7/10

Organization:
Cardinal Health

Contractor/Consultant/Branch:
None

Location:
Dublin, Ohio and Online (eBay)

Victims:
Current and former employees, and some job applicants

Number Affected:
Undisclosed

Types of Data:
"personal information that included employee number, birth date and social security number"

Breach Description:
Cardinal Health has notified the New Hampshire Attorney General of a breach concerning personal information belonging to certain current and former employees, and job applicants.  Cardinal Health became aware of the breach through the sale of one or more of their computers on eBay.

Sensitive NYC school records discovered in public dumpster

Date Reported:
9/6/10

Organization:
New York City Department of Education

Contractor/Consultant/Branch:
School for the Physical City High School

Location:
Manhattan, New York

Victims:
Current and former students

Number Affected:
Undisclosed "hundreds"

Types of Data:
Personal information including "psychological exams, copies of birth certificates and Social Security cards, and medical records"

Breach Description:
"Hundreds of students’ confidential records — including psychiatric exams and Social Security numbers — were dumped on the sidewalk in front of their former Manhattan high school yesterday."

Lost KPMG flash drive affects 3,600+ patients

Date Reported:
9/13/10

Organization:
Saint Barnabas Health Care System

Contractor/Consultant/Branch:
Newark Beth Israel Medical Center
KPMG LLP

Location:
Undisclosed

Victims:
Patients

Number Affected:
3,630

Types of Data:
"patient names and information about their care"

Breach Description:
"KPMG LLP (“KPMG”), an independent accounting firm that provides professional services to the Saint Barnabas Health Care System and its affiliated hospitals, has informed us that a KPMG employee lost an unencrypted flash drive."

A home invasion leads to a breach for a local lawyer

I apologize to The Breach Blog readers for falling behind in posting new breaches.  We have been very busy lately at FRSecure, helping our clients prevent breaches!  There are around a dozen breaches that I need to write about, including six from the New Hampshire Attorney General.  Thank you for your patience, and stay tuned!

-Evan

Date Reported:
Letter dated 7/26/10, posted online 9/17-9/18

Organization:
George R. LaRocque, Jr. - Attorney at Law

Contractor/Consultant/Branch:
None

Location:
Hudson, New Hampshire

Victims:
Clients

Number Affected:
"approximately 25"

Types of Data:
Personal information "including such things as names, social security numbers, tax identification numbers, account numbers, etc."

Breach Description:
On the morning of July 26, 2010, Mr. LaRocque awoke to find that someone had entered his home and stolen his laptop computer from his kitchen. The laptop contained personal information belonging to some (or all) of his family law clients.

Small financial services firm learns about security the hard (wrong) way

Date Reported:
9/16/10

Organization:
Advisors Unlimited

Contractor/Consultant/Branch:
None

Location:
Hagatna, Guam

Victims:
Clients

Number Affected:
As many as 1,000

Types of Data:
Personal information including "names, dates of birth, addresses, Social Security numbers, driver's license numbers and bank account information and credit card numbers"

Breach Description:
The Hagatna office of Advisors Unlimited was burglarized and among the items taken was an external hard drive containing financial information and personal information belonging to their clients.

Mayo Clinic fires worker for snooping in patient records

Date Reported:
9/9/10

Organization:
Mayo Clinic

Contractor/Consultant/Branch:
None

Location:
"all Mayo sites"

Victims:
Patients

Number Affected:
"about 1,700"

Types of Data:
"patients' medical and financial records"

Breach Description:
"ROCHESTER, Minn. - The Mayo Clinic has fired an employee for snooping through patients' medical and financial records."

Benefits Concepts' employees at risk of ID theft after FedEx package goes missing

Date Reported:
9/3/10

Organization:
Benefits Concepts, Inc.

Contractor/Consultant/Branch:
CompuPay
FedEx

Location:
Believed to be Warwick, Rhode Island

Victims:
Benefits Concepts employees

Number Affected:
Undisclosed

Types of Data:
"first/last names, social security numbers and bank account numbers"

Breach Description:
Benefits Concepts, Inc. has notified the New Hampshire Attorney General of a security breach concerning confidential personal information belonging to Benefits Concepts' employees.  "A FedEx Express ("FedEx") package containing BC employee payroll checks, along with an electronic copy of the checks on a CD, was lost in transit."

FIFA customer details sold on "black market" by insider

Date Reported:
9/10/10

Organization:
Fédération Internationale de Football Association (FIFA)

Contractor/Consultant/Branch:
MATCH Services
MATCH Hospitality AG

Location:
Undisclosed

Victims:
Football (soccer) fans who attended the 2006 World Cup in Germany

Number Affected:
"more than 350,000"

Types of Data:
Personal information including "full name, date of birth and passport number".

Breach Description:
"A Norwegian website has claimed that it is in possession of the personal data of more than 250,000 football fans which were sold on the black market by an employee in the FIFA system."

CDPH fines Lucile Packard Children's Hospital for delayed breach notification

Date Reported:
9/9/10

Organization:
Stanford University Medical Center

Contractor/Consultant/Branch:
Lucile Packard Children’s Hospital

Location:
Palo Alto, California

Victims:
Patients

Number Affected:
532

Types of Data:
"names, date of birth, medical record numbers, diagnoses, procedures, insurance information and/or social security numbers"

Breach Description:
The California Department of Public Health (CDPH) has levied a $250,000 fine against Lucile Packard Children’s Hospital at Stanford for what CDPH believes was a late reporting of a breach involving the employee theft of a desktop computer containing patient medical records.

Patrons of at least six upscale hotels are affected by HEI Hospitality breach

Date Reported:
9/2/10

Organization:
HEI Hospitality LLC

Contractor/Consultant/Branch:
Algonquin Hotel
Starwood Hotels & Resorts Worldwide, Inc.
Sheraton Crystal City Hotel
The Westin Minneapolis
The Equinox, a Luxury Collection Golf Resort & Spa
Sheraton Music City Hotel
The Westin St. Louis

Location:
Undisclosed

Victims:
Customers

Number Affected:
Undisclosed*

*The breach notification letter mentions "approximately 14 New Hampshire residents", but does not mention the number affected in other states of residence.

Types of Data:
"credit card information"  "credit card type, credit card number, expiration date, security code and information encoded on the magnetic stripe on the back of the card"  It is also assumed (by me) that debit cards are involved.

Breach Description:
HEI Hospitality LLC (a private real estate investment group holding at least 36 commercial hotel properties) has notified the New Hampshire Attorney General of a breach affecting customers who used credit cards (and debit cards) at some of their hotel properties.  The breach resulted from a suspected exploit of a vulnerability found in point-of-sale (POS) systems used by the organization.
