"Hacker" accessed The Nature Conservancy HR data

Date Reported:
9/24/07

Organization:
The Nature Conservancy*

"The Nature Conservancy is a 501(c)(3) non-profit conservation organization whose mission is to preserve the plants, animals, and natural communities that represent the diversity of life on Earth by protecting the lands and waters they need to survive."

Contractor/Consultant:
None

Victims:
Current and former employees of The Nature Conservancy

Number Affected:
14,000

Types of Data:
Name, home address, Social Security number, and "financial account numbers"

Breach Description:
A "hacker" illegally accessed a computer belonging to The Nature Conservancy that contained sensitive human resources data. The "hacker" accessed the computer through a Web site.

Reference URL:
New Hampshire Attorney General notification
NBC4 Story

Report Credit:
New Hampshire Attorney General

Response:
From the official New Hampshire breach notification, the official email to affected employees and online resource cited above:

"We are writing to inform you of a recent security incident that we discovered on September 12, 2007."

"The Nature Conservancy has been the victim of a criminal hacking incident in which unauthorized individuals illegally gained access to a Conservancy computer containing Human Resources data"
[Comfyllama] Who is the victim? The Nature Conservancy or the affected individuals? Maybe it's The Nature Conservancy AND the affected individuals. The sensitive data DOES NOT belong to The Nature Conservancy; it belongs to the affected individuals. The Nature Conservancy was simply a custodian.

"The data accessed included the names, home addresses, Social Security numbers and financial account numbers of some Conservancy employees"

"Spokesman Jim Petterson says that when employees accessed a certain Web site, the site planted a program on their computers that copied the contents of hard drives and sent the information to the hacker"

"Petterson said the theft was reported to Arlington County police and the FBI. The non-profit organization notified former employees in a letter."

"The Nature Conservancy is offering free, year-long credit monitoring for those affected, including alerts on any possible fraudulent activity and $25,000 in identity-theft insurance."
[Comfyllama] If Social Security numbers expired in a year, this would be outstanding.

Commentary:
The information about this breach is conflicting. In the original New Hampshire breach notification letter, the Conservancy claims that there are 3,500 affected individuals, but according to NBC4 there are 14,000. I am going to be honest with you: I went with the 14,000 number because it is more sensational.

The Conservancy claims "individuals illegally gained access to a Conservancy computer containing Human Resources data", while spokesman Jim Petterson says "that when employees accessed a certain Web site, the site planted a program on their computers that copied the contents of hard drives and sent the information to the hacker", which implies that the data was stolen from client computers visiting the Web site.

So I think what we have here is a client computer that held human resources data (a no-no) and visited "a certain Web site" that had been compromised. The compromised Web site then downloaded a program onto the client computer, which sent the information to the "hacker". Yeah, sounds about right from what I read. This is most likely the result of an iframe exploit on the compromised Web site, which is an alarming trend. If that reading is correct, there are ways to prevent this.
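One of the ways to catch the pattern described above, on the Web site side, is to scan pages for the kind of iframe an attacker injects: one that loads content from another host and is sized or styled so the visitor never sees it. The scanner below is an added example, not code from the original post or from The Nature Conservancy; the sample HTML is constructed, and "example.org" and "malicious.invalid" are placeholder hosts.

```python
"""Flag hidden or off-site <iframe> tags in a page, the usual footprint of an
injected drive-by-download frame on a compromised site.

Added example, not from the original post. The sample HTML is constructed;
"example.org" stands in for the site being checked and "malicious.invalid"
for an attacker-controlled host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make an iframe invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+",
    re.IGNORECASE,
)


def _dimension(value):
    """Parse '0', '1px' or ' 0 ' into an int; None when not numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def find_suspicious_iframes(html, site_host):
    """Return findings for iframes that are hidden and/or load content from a
    host other than site_host. Each finding records the src and the reasons
    it was flagged; a legitimate same-site, visible embed is not reported."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a legitimate same-site video embed plus an injected
# 1x1 hidden frame pointing at a placeholder attacker host.
SAMPLE_HTML = """
<html><body>
<h1>Volunteer news</h1>
<iframe src="https://example.org/embed/video" width="640" height="360"></iframe>
<iframe src="http://malicious.invalid/loader" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "example.org"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run against a site's own pages on a schedule, a non-empty result for a page that should have no off-site frames is a cheap tripwire for a defacement of this kind; the same checks work on a stored copy of the page pulled from a proxy log when investigating which site a client visited.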

The Conservancy does not offer an apology to the affected individuals until the final sentence of the letter, stating "Please know that we are taking this matter very seriously. We regret that this all too common crime has affected you and so many of our colleagues." How about "we are sorry"?

Past Breaches:
Unknown
