27 Breaches reported on Maryland Attorney General’s Web site

The following breaches were added (in batch) to the Maryland Attorney General’s web site on or about December 5th, 2008.  The breaches were all reported to the Maryland Attorney General, in accordance with the Maryland Personal Information Protection Act (PIPA), between the dates of October 6th, 2008 and December 4th, 2008.

Dissent has already posted these breaches on his blog, but to avoid further questions about why these haven’t been posted on The Breach Blog, I have decided to include them here also.  Typically, PogoWasRight does a much better job of posting breaches as they are announced and commentary is the strength of The Breach Blog.

Here they are, 27 breaches in chronological order, from oldest to newest (as reported to the Maryland Attorney General):

October 6th, 2008 (2 breaches)

Organization: Reed Smith
Contractor/Consultant/Branch: Highmark, Inc.
Location: Pittsburgh, Pennsylvania
Victims: Members of the Reed Smith healthcare plan
Number of Affected: Unknown (2 Maryland residents mentioned)
Types of Data: “names, addresses, Social Security numbers, type of insurance contract, effective date, and group billing information”
Tag: Employee Mistake
Source Reference:  The Maryland Attorney General
Breach Description: “On September 17, 2008, an encrypted Microsoft Excel file intended for a Highmark Inc. group account customer was mistakenly transmitted to the wrong group account customer.”
Comment: According to the notification: “The unintended recipient of the file immediately notified Highmark Inc. of the error and was instructed to delete the file and destroy any paper copies of the same.”  Additionally, it was noted: “As this was a manual error, the employee responsible for sending the information has received additional training on the importance of appropriately handling confidential information.”  This breach is being attributed to an employee mistake.  Additional training and awareness in combination with process and procedure improvement seems like a reasonable response.

Organization: The Marketing Arm
Contractor/Consultant/Branch: Usmp
Location: Marina Del Rey, California
Victims: Company personnel
Number of Affected: 873
Types of Data: “names, addresses, and social security numbers”
Source Reference: The Maryland Attorney General
Tag: P2P Network
Breach Description: Usmp became aware of confidential personnel files that “were inadvertently made available to the public through the sharing on the Internet of an employee’s home PC hard drive” on September 9, 2008.
Comment: The company claims to have been “informed of” as opposed to having “found” the breach, which may imply that an outsider found the information (Rian?).  The manner in which the breach took place implies that a P2P application was involved.  The company mentions the fact that they are not aware of any improper use of the information, and they have already notified affected persons in many other states.  Of course the company also states that they “have taken numerous steps to protect the security of personal information of the affected individuals, including implementing additional quality controls to avoid similar incidents in the future”, but provides no detail.

Confidential company information should never be allowed on equipment that is not controlled by the company and is not fully-compliant with established corporate standards.  In this case we find the personnel information was breached through the use of a personal, home-based computer.

October 9th, 2008 (2 breaches):

Organization: Royal Dutch Shell PLC
Contractor/Consultant/Branch: Shell Oil Company
Location: Houston, Texas
Victims: "current and former Shell employees"
Number of Affected: a “majority of Shell’s US current and terminated employees”
Types of Data: “First Name, Last Name, SSN# and Date of Birth.”
Tag: Employee Fraud
Source Reference: The Maryland Attorney General
Breach Description: Personal information belonging to current and former Shell Oil Company (US) employees was accessed and used fraudulently by an employee of a “third-party agency engaged by Shell”.  Shell’s internal investigation resulted in the termination of the contract with the agency.
Comment: It appears as though the Maryland breach notification refers to the same event (or series of events) noted in “Shell Oil Company contractor accused of fraud”.  The only new information contained in the Maryland breach notification is “Shell does not have knowledge that the agency’s employee has used or intends to use additional employee personal information in a fraudulent manner”.  So according to Shell, the fraud stops at four victims.  Third-party relationships can pose a significant risk to information resource security if not managed appropriately.

Organization: Merrill Lynch
Contractor/Consultant/Branch: Unknown
Location: Unknown
Victims: Customers
Number of Affected: Unknown
Types of Data: “name, SSN/tax ID #, DOB, address, phone #, e-mail address, passport #, DL #, Merrill Lynch account #, loan info, insurance policy info, other financial account info, online user credentials”
Tag: Lost Device
Source Reference: The Maryland Attorney General
Breach Description: An external hard drive used by Merrill Lynch was lost or stolen while en route to a vendor’s “central tech facility”.  The hard drive contained sensitive personal information belonging to customers.
Comment: There are very few details available about this breach other than that which is disclosed above.  This breach is one of only two in which there is no link to the Maryland Attorney General notification letter, so we are left to our imagination.  I will assume that the sensitive data on the lost or stolen external hard drive was not encrypted, because Maryland has an encrypted-data exemption for notification.  It baffles me when a respected company like Merrill Lynch allows sensitive information to be transferred on poorly secured, unencrypted media.  This is a very risky practice and it is no surprise that it resulted in a breach.

October 14th, 2008 (2 breaches):

Organization: Wyndham Hotels and Resorts
Contractor/Consultant/Branch: Unknown
Location: Unknown
Victims: Customers
Number of Affected: Unknown
Types of Data: “name, credit card #”
Tag: Intrusion
Source Reference: The Maryland Attorney General
Breach Description: According to the Maryland Attorney General’s “Maryland Information Security Breach Notices” web page, Wyndham Hotels reported a breach in which a “hacker accessed credit card records”, presumably belonging to customers staying at hotels and/or resorts owned by the company.
Comment: Much like the Merrill Lynch breach reported prior, there are very few details available about this breach other than that which is disclosed above.  This breach is the second of two in which there is no link to the Maryland Attorney General notification letter.  We can only assume what might have taken place.

Organization: Connecticut General Insurance (CIGNA Healthcare)
Contractor/Consultant/Branch: “a certified carrier”
Location: Hartford, Connecticut
Victims: CIGNA HealthCare members
Number of Affected: Unknown (1 Maryland resident mentioned)
Types of Data: “name, address, Social Security Number and medical information”
Tag: Lost Media
Source Reference: The Maryland Attorney General
Breach Description: “CIGNA HealthCare has recently learned that a package that was being sent to a governmental agency at their request via a certified courier was lost in transit.  The package contained a compact disk (CD) which included the name, address, Social Security Number and medical information of one Maryland resident.”  “The package was shipped on June 20, 2008.  On September 9, 2008 we were notified by the overnight courier that the package was damaged in transit and that the contents were missing.”  “The resident of Maryland who has been affected by this incident will be notified via mail between October 14 through 16, 2008.”  The affected individuals are being offered two years of free credit monitoring.
Comment: Regardless of the fact that a “governmental agency” requested the information, there is no excuse for not encrypting it prior to shipment.  I am confused about how it took nearly 2 ½ months for the “overnight” courier to alert CIGNA.

October 14th, 2008 (1 breach):

Organization: Luxottica Group
Contractor/Consultant/Branch: Cole National Group, Inc. and Things Remembered, Inc.
Location: Mason, Ohio
Victims: Employees of the "Things Remembered brand" between 1998 and March, 2005
Number of Affected: 59,419
Types of Data: "name, address, Social Security Number, date of birth, and other information used for processing payroll"
Tag: Intrusion
Source Reference: The Maryland Attorney General and previously posted to The Breach Blog in “Things Remembered, Inc. employee information exposed” and “Update to Things Remembered breach”.
Breach Description: "During a routine check of the IT department at Cincinnati-based Luxottica Retail, it was discovered that a hacker had been inside a computer mainframe and downloaded the personal information of more than 59,000 former workers."
Comment: Please see one or both of The Breach Blog post references above.

November 3rd, 2008 (1 breach):

Organization: Express Scripts (ESRX)
Contractor/Consultant/Branch: None
Location: St. Louis, Missouri
Victims: Patients
Number of Affected: “millions”
Types of Data: "names, dates of birth, social security numbers, and in some cases, their prescription information"
Tag: Intrusion
Source Reference: The Maryland Attorney General and previously posted to The Breach Blog in “Express Scripts extortion, potentially millions affected”.
Breach Description: "ST. LOUIS, Nov 6, 2008 (GlobeNewswire via COMTEX News Network) -- Express Scripts (Nasdaq:ESRX), one of the largest pharmacy benefit management companies in North America, today announced that it has received a letter from an unknown person or persons trying to extort money from the company by threatening to expose millions of the company's patients' records."
Comment: Please see The Breach Blog post reference above.

November 6th, 2008 (2 breaches):

Organization: National Association of Chain Drug Stores (“NACDS”) Foundation
Contractor/Consultant/Branch: None
Location: Alexandria, Virginia
Victims: Scholarship applicants
Number of Affected: Unknown
Types of Data: "name, Social Security number and permanent and school addresses"
Tag: Employee Mistake
Source Reference: The Maryland Attorney General
Breach Description: “On October 7, 2008, our scholarship applicant database became publicly accessible through a link that was transmitted to scholarship applicants via e-mail.  The e-mail containing the link was sent to approximately 160 applicants for the purpose of permitting its recipient to access his or her individual online application to complete the missing application data fields.  The link permitted access to other applicants’ files.”
Comment:  This seems like an innocent enough mistake.  Do you think information security training and awareness could have helped to prevent it?
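The NACDS notice describes a link that identified an applicant’s record and nothing more, so a recipient could change it and reach someone else’s file.  The following is an added example, not code from NACDS or from the original post, showing the pattern the notice describes beside a hardened version in which each emailed link carries an HMAC over the applicant id and an expiry, so the id cannot be edited without invalidating the link.  The applicant store, the signing key, the URL and the field names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side signing key. A real deployment loads it from a
# secrets store; it is generated here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the applicant database (no real applicant data).
APPLICATIONS = {
    "A1001": {"name": "Applicant One", "missing_fields": ["school address"]},
    "A1002": {"name": "Applicant Two", "missing_fields": ["permanent address"]},
}


def lookup_unsafe(applicant_id):
    """The pattern the notification describes: the link names the record and the
    server trusts it. Anyone who edits the id in the URL reaches another file."""
    return APPLICATIONS.get(applicant_id)


def issue_link(applicant_id, ttl_seconds=7 * 24 * 3600, key=SERVER_KEY, now=None):
    """Build a per-recipient link whose id and expiry are covered by an HMAC."""
    if applicant_id not in APPLICATIONS:
        raise KeyError(applicant_id)
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    msg = f"{applicant_id}:{exp}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"https://scholarship.example/complete?id={applicant_id}&exp={exp}&sig={sig}"


def lookup_from_link(url, key=SERVER_KEY, now=None):
    """Return the applicant record only if the signature is valid for exactly
    this id and expiry and the link has not expired; otherwise None."""
    q = parse_qs(urlparse(url).query)
    applicant_id = q.get("id", [""])[0]
    exp_str = q.get("exp", [""])[0]
    sig = q.get("sig", [""])[0]
    if not (applicant_id and exp_str.isdigit() and sig):
        return None
    expected = hmac.new(key, f"{applicant_id}:{exp_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading
    # characters of a guessed signature were right.
    if not hmac.compare_digest(expected, sig):
        return None
    current = now if now is not None else time.time()
    if current > int(exp_str):
        return None
    return APPLICATIONS.get(applicant_id)


if __name__ == "__main__":
    link = issue_link("A1001")
    print("genuine link  ->", lookup_from_link(link)["name"])
    tampered = link.replace("id=A1001", "id=A1002")
    print("tampered link ->", lookup_from_link(tampered))
```

The signed link only closes the hole for unauthenticated email links; once an applicant logs in, the server should still check that the record being edited belongs to the logged-in applicant rather than trusting any identifier from the request.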

Organization: Wells Real Estate Funds, Inc.
Contractor/Consultant/Branch: None
Location: Suwanee, Georgia
Victims: Customers
Number of Affected: Unknown (704 Maryland residents mentioned)
Types of Data: "Wells account numbers, third party account numbers, tax identification numbers, Social Security Numbers and specific investment information"
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General
Breach Description: “On the evening of October 6, 2008, a laptop computer of a Wells employee was stolen from a parked automobile.  The theft was reported to the City of Suwanee, Georgia, Police Department, and a police report was filed on October 7, 2008.  To date, however, law enforcement has not yet recovered the laptop.  From our investigation, we have determined that the laptop computer was password-protected and may have contained Wells account numbers, third-party account numbers, Tax Identification Numbers, Social Security numbers, and specific investment information.”  Affected persons are being offered one year of credit monitoring.
Comment: NEWS!!!  Operating system password protection is nothing more than a momentary nuisance to anyone who may want to access data on a laptop.  By itself it is NOT adequate protection.  Why even mention it?

November 10th, 2008 (1 breach):

Organization: Baylor Health Care System
Contractor/Consultant/Branch: Health Texas Provider Network
Location: Dallas/Fort Worth, Texas
Victims: Patients
Number of Affected: 100,000
Types of Data: "Social security numbers and a limited amount of patient information"
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General and previously posted to The Breach Blog in “Baylor Health Care System employee is fired over stolen laptop”.
Breach Description: "We recently became aware of the theft of a laptop computer containing certain personal information about some HealthTexas Provider Network patients.  The information on the laptop included patient names, Social Security numbers (“SSNs”) and limited health information (such as codes indicating treatments received)”
Comments: Comments were previously made in The Breach Blog post referenced above.

November 12th, 2008 (1 breach):

Organization: The Nielsen Company
Contractor/Consultant/Branch: Unknown
Location: Manhattan, New York City, New York
Victims: Employees
Number of Affected: Unknown (14 Maryland residents mentioned)
Types of Data: "names, addresses, dates of birth, Social Security numbers and other information related to their Flexible Spending Accounts"
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General
Breach Description: “On Monday, October 20th, Nielsen learned that a laptop computer had been stolen from the eighth floor of its Manhattan office some time over that week-end.  Unfortunately, a file on the laptop contained certain personal information about some Nielsen employees”  “The laptop is password protected, but the information is not encrypted.”  Nielsen is offering all affected employees one year of “free credit monitoring”.
Comment: Another poorly secured laptop used to store sensitive information.  Do these people read?

November 13th, 2008 (2 breaches):

Organization: Kraft Foods
Contractor/Consultant/Branch: Gevalia and Affinitas
Location: Milford, Delaware
Victims: Customers
Number of Affected: 185
Types of Data: Personal information “including names and credit card numbers"
Tag: Employee Fraud
Source Reference: The Maryland Attorney General
Breach Description: “We recently learned that an employee of Affinitas, the company that manages outbound telephone sales of products for Kraft’s Gevalia subsidiary, copied personal information regarding 11 of our customers, including names and credit card numbers.  The same individual had access to personal information provided by approximately 174 other customers.”  The person alleged to have copied the personal information is “now under police investigation”.  Kraft is offering two years of credit monitoring to affected customers.
Comment: There are real risks involved with employing contractors and other third-parties.  These risks should be accounted for in all risk management/information security programs.

Organization: DaVita Inc.
Contractor/Consultant/Branch: DVA Renal Healthcare, Inc.
Location: Florida
Victims: Patients
Number of Affected: Unknown (354 Maryland residents mentioned)
Types of Data: “name, social security number, medical insurance coverage information, and/or other personal and health related information”
Tag: Stolen Computer
Source Reference: The Maryland Attorney General
Breach Description: “DVA Renal Healthcare, Inc. (“Company”) recently discovered that it sustained a loss of personal information of approximately 354 Maryland residents (“Residents”).  The loss occurred when a DaVita facility in Florida suffered a burglary resulting in the theft of multiple desktop computers, which are password protected.”  “If you have any questions, please contact our Guest Services Contact Center at .”
Comment: DaVita is listed previously on The Breach Blog for a stolen laptop announced in March, 2008.  Don’t expect the password protection to stop anyone with an ounce of determination.

November 17th, 2008 (3 breaches):

Organization: Severn School
Contractor/Consultant/Branch: None
Location: Severna Park, Maryland
Victims: Students
Number of Affected: 104
Types of Data: “names, addresses and Social Security numbers”
Tag: Hack
Source Reference: The Maryland Attorney General
Breach Description: “Based upon our investigation, it appears that one or more students accessed the Severn School IT system without authorization as early as April of 2008, and downloaded sensitive and confidential files”.  “We have since recovered a flash drive with a copy of the file containing the students’ personal information.”  “Based upon our investigation and the limited information we have to date, we have discovered no evidence to suggest that the personal information has been misused or that there is a threat of identity theft with regard to these students.”
Comment: We read about plenty of student “hacking” incidents occurring at high schools.  If you had to pin these occurrences on one factor, what would it be?  Are students sophisticated “hackers”?  Likely not, but the students are probably more sophisticated than the people charged with securing school information.  The one quote from this breach notification that caught my attention was the school’s claim that there is no threat of identity theft.  There must be a misunderstanding of the word threat.  If an unauthorized person accessed sensitive information months ago and made copies of it, how can we classify this as no threat?

Organization: St. Margaret's Episcopal School
Contractor/Consultant/Branch: Blackbaud, Inc.
Location: San Juan Capistrano, California (event occurred in Charleston, South Carolina)
Victims: Students and/or parents
Number of Affected: Unknown (73 Maryland residents mentioned)
Types of Data: “names and addresses and in some cases social security numbers and credit card numbers”
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General
Breach Description: “This is to inform you of a recent incident involving school records containing personal information about you.  While we are not aware, and believe it highly unlikely, that this personal information has or will be misused, we are treating this incident as a serious matter.”  “The information in question was stored on a laptop computer stolen on September 19, 2008.  The laptop, belonging to our software provider (Blackbaud, Inc.), was stolen with other valuables from a car in Charleston, South Carolina.  The computer password protection and some of the data was encrypted.”  Blackbaud is offering a free year of credit monitoring to those persons affected by this incident.
Comment: I appreciate that some of the data was encrypted, but it would be preferable if the entire hard drive were encrypted.  Based on my past experience, it is too easy to miss confidential information and too hard to manage file-level encryption on any more than a few computers.  As an information security professional, I want a little more assurance and control.

Organization: Symantec Corporation
Contractor/Consultant/Branch: None
Location: Cupertino, California
Victims: Employees
Number of Affected: Unknown (1 Maryland resident mentioned)
Types of Data: Personal information, including “name, address and Social Security number”
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General
Breach Description: “We recently became aware of a theft of a laptop computer at a Symantec employee’s home.  The laptop computer contained certain personal information about some of our employees including name, address, and Social Security number.”  Symantec is offering free credit monitoring services to those people affected by this incident.
Comment: There is no mention of encryption in the breach notification, so we will assume that neither the laptop nor the sensitive information was encrypted.  Lending credibility to this assumption is my belief that Maryland law does not require disclosure if the data were encrypted.  Shame, shame.  Symantec is a big player in the information security market.

November 19th, 2008 (2 breaches):

Organization: SGS Group
Contractor/Consultant/Branch: SGS North America Inc.
Location: Rochelle Park, New Jersey
Victims: Employees “of SGS and its subsidiaries who worked for one of those companies as of June 2008”
Number of Affected: Unknown (53 Maryland residents mentioned)
Types of Data: “names, dates of birth, employee identification numbers, and Social Security numbers”
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General
Breach Description: “On July 10, 2008, a thief broke into the car of an SGS employee and stole a briefcase that contained a company-issued laptop computer.  The stolen laptop computer contained the names, dates of birth, employee identification numbers, and Social Security numbers of the employees of SGS and its subsidiaries who worked for one of those companies as of June 2008”.  “As the result of a breakdown in communication, management employees responsible for responding to this incident did not learn of the theft until August 12, 2008.”  “We are pleased to report that the stolen laptop was password protected”.  SGS is offering one year of credit monitoring and has retained “identity theft protection and fraud resolution” services on behalf of those people affected by this incident.
Comment:  When I first started to read this breach notification I was thinking to myself that SGS seems really honest in this disclosure.  Then I got to the notification letter sent to those victims.  In this letter, I read statements like; “Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.”  Is this meant to somehow imply that SGS was utilizing “the most rigorous safeguards”?  Like what, password protection?!  Puhleez.  Then as I read on, I come across; “We are pleased to report that the stolen laptop was password protected and did not contain any credit or debit card numbers or financial account numbers.”  Wow! SGS really did use the “most rigorous safeguards”!  This most rigorous technical safeguard (password protection) could be bypassed in less than five minutes.  A bad guy/gal doesn’t need credit or debit card numbers when he/she can just apply for their own (in the victim’s name, of course).
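The St. Margaret’s, Symantec and SGS entries above all turn on the same point: an operating system password gates the login screen, not the bits on the disk, and only whole-disk encryption protects data on a laptop that walks away.  Whether a machine actually has that protection is something a fleet can be checked for.  The following is an added example, not part of the original post, of such a check for Linux laptops: it parses the JSON output of util-linux’s `lsblk` and flags any mounted filesystem that does not sit on top of a dm-crypt (LUKS) device anywhere in its stack.  The `lsblk` output embedded below is constructed for the example, as is the list of boot mount points treated as acceptable in the clear.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output for a
# laptop whose root filesystem sits on a LUKS (dm-crypt) volume but whose /data
# partition is plain ext4: protected by nothing more than the login password.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]},
    {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
  ]}
]}
"""

# Mount points that hold no user data and are normally left in the clear so the
# machine can boot (an assumption of this example; tighten it for your fleet).
BOOT_MOUNTS = ("/boot", "/boot/efi")


def _walk(devices, ancestors=()):
    """Yield each device together with the chain of devices it is stacked on."""
    for dev in devices:
        chain = ancestors + (dev,)
        yield chain
        yield from _walk(dev.get("children", []), chain)


def _mountpoint(dev):
    # Older util-linux reports "mountpoint"; newer versions can also emit a
    # "mountpoints" list when asked for that column.
    if dev.get("mountpoint"):
        return dev["mountpoint"]
    return next((m for m in dev.get("mountpoints") or [] if m), None)


def unencrypted_mounts(lsblk_json, allow=BOOT_MOUNTS):
    """Return (mountpoint, device) pairs for mounted filesystems that have no
    dm-crypt ("crypt") device anywhere beneath them."""
    tree = json.loads(lsblk_json)
    findings = []
    for chain in _walk(tree["blockdevices"]):
        dev = chain[-1]
        mnt = _mountpoint(dev)
        if not mnt or mnt in allow:
            continue
        if not any(d.get("type") == "crypt" for d in chain):
            findings.append((mnt, dev["name"]))
    return findings


def check_this_host():
    """Run lsblk on the current Linux host and report clear-text mounts."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mnt, name in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"NOT ENCRYPTED: {mnt} on {name}")
```

Swap shows up in `lsblk` with the mount point `[SWAP]`, so an unencrypted swap partition is reported too, which is the right call: swapped-out pages can hold exactly the spreadsheet the laptop was stolen for.  A finding of `/data on sda3` is the SGS situation in miniature: the login password is intact and the data is still readable by anyone who pulls the drive.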

Organization: Starbucks Corporation
Contractor/Consultant/Branch: None
Location: Seattle, Washington
Victims: "partners" (employees)
Number of Affected: “approximately 97,000”
Types of Data: “private information (including name, address and social security number)”
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General and previously posted to The Breach Blog in “Stolen Starbucks laptop contained sensitive partner information”.
Breach Description: “On October 29, 2008, a laptop computer containing personal information of Starbucks employees, including names and social security numbers was stolen.  The personal information was all electronic, stored on the stolen laptop.  The laptop was password protected, and we currently have no indication that the personal information has been misused.”  Starbucks is offering affected employees one free year of credit monitoring.
Comment: Please review comments posted in The Breach Blog reference above.

November 20th, 2008 (1 breach):

Organization: Howland Capital Management
Contractor/Consultant/Branch: None
Location: Boston, Massachusetts
Victims: Clients
Number of Affected: Unknown (6 Maryland residents mentioned)
Types of Data: “name, address, driver’s license number, social security number, and account number”
Tag: Lost Media
Source Reference: The Maryland Attorney General
Breach Description: “At the end of July, Federal Express lost a package that contained Howland Capital backup electronic media.  The backup media contained certain confidential personal information”.  “Howland Capital initiated a broadened Disaster Recovery program following the World Trade Center attack in September of 2001.  As part of that program, backup media from our database and trust accounting system was sent offsite to ensure an orderly accounting and distribution of client assets in a ‘worst case scenario.’  The backup media is password protected and cannot be accessed without a proprietary Sungard Series 7 Trust account platform.”
Comment: Howland Capital now claims to use a dedicated line for the transfer of backup data instead of shipping it the old-fashioned way.  Howland has also implemented a policy which states “backup disks, laptops and ‘zip drives’ must be password protected and have the latest encryption technology before they leave the premises.”  Hopefully, this can expand to all sensitive data at rest, no matter the physical location.  Key management (passwords) needs to be addressed too.  Overall, I like Howland’s response.

November 24th, 2008 (3 breaches):

Organization: Rockwell Collins, Inc.
Contractor/Consultant/Branch: Fidelity Investments
Location: Boston, Massachusetts
Victims: Employees
Number of Affected: Unknown (7 Maryland residents mentioned)
Types of Data: “names, Social Security numbers, employee ID numbers, and employee stock plan purchase information”
Tag: Employee Mistake
Source Reference: The Maryland Attorney General
Breach Description: “Fidelity Investments (“Fidelity”) on behalf of Rockwell Collins, Inc. is reporting a matter involving the personal information relating to Rockwell Collins employees.  Fidelity administers the employee stock plan for Rockwell Collins.  As described in the enclosed letter to affected employees, due to an administrative error at Fidelity, a stock plan administrator at another Fidelity Investments client firm was briefly able to view some personal information about Rockwell Collins employees.  This information was in a file on a secure website and was briefly accessed by one stock plan administrator at another Fidelity client.”  “The stock plan administrator at the other client firm immediately notified Fidelity of the error and Fidelity immediately deleted the file”.
Comment: This breach is more embarrassing for Fidelity than anything else.  Based on the information provided in the notification, there doesn’t seem to be a significant increase in risk to the affected employees of Rockwell Collins.  There is little doubt that preventing these sorts of breaches can be challenging.

Organization: Capstone Companies
Contractor/Consultant/Branch: Capstone On-Campus Management LLC
Location: Birmingham, Alabama
Victims: Residents living in residence halls managed by Capstone
Number of Affected: Unknown (1400 Maryland residents mentioned)
Types of Data: “name, age, residence hall address, permanent address, residence hall telephone number, permanent telephone number, gender, email address” and “social security number”
Tag: Employee Mistake
Source Reference: The Maryland Attorney General
Breach Description: “Capstone On-Campus Management, LLC experienced a data breach when a [sic] an employee unintentionally accessed a company file by way of an insecure method which enabled outsiders to access files on the employee’s computer.  Some of the files on that computer contained personal information of residents living in residence halls managed by Capstone.”
Comment: Is anyone wondering what “accessed a company file by way of an insecure method which enabled outsiders to access files on the employee’s computer” means?  Sounds a little like a P2P application, maybe on a home computer.  I don’t know, this notification is not very clear.  Communication 101.

Organization: MasTec, Inc.
Contractor/Consultant/Branch: None
Location: Stuart, Florida
Victims: Employees
Number of Affected: Unknown (95 Maryland residents mentioned)
Types of Data: “first and last name, date of birth, employee identification number, and Social Security number (SSN)”
Tag: Employee Fraud
Source Reference: The Maryland Attorney General
Breach Description: “On October 29, 2008, MasTec learned that an erstwhile employee disclosed without authorization, a human resources department report to third parties who were not authorized to receive it.  The unauthorized disclosure occurred on September 11, 2008, but MasTec did not learn about it until the Stuart, Florida Police Department informed MasTec that it had recovered the report from the possession of the unauthorized third parties.  Both the former employee and the third parties have been arrested.”
Comment: Employee misconduct is one of the most challenging information security issues to protect against.  Is the employee erstwhile because of this incident?  Erstwhile is a funny word.

December 1st, 2008 (1 breach):

Organization: TierraNet, Inc.
Contractor/Consultant/Branch: None
Location: Poway, California
Victims: Customers
Number of Affected: “less than 300”
Types of Data: “credit or debit card information such as cardholder name, card number, card expiration date, and similar information”
Tag: Poor Design
Source Reference: The Maryland Attorney General
Breach Description: “The purpose of this letter is to notify you of a security breach involving Personal Information discovered by our client, TierraNet, Inc., a corporation located in California.  The security breach was limited to less than a total of 300 affected TierraNet customers”.  “The security breach was discovered in the “PHPLive!” Chat software that operated the “Live Chat” instant messaging system for the TierraNet Support Department.”  “The breach involved the log files of customer support chat sessions.”  “As a result of the security breach, information submitted to the TierraNet Support Department via a live chat support session between Aug 14, 2003 and November 11, 2008, may have been obtained by unauthorized persons, including credit or debit card information such as cardholder name, card number, card expiration date, and similar information.”
Comment:  This breach is a good example of the importance of patching, and of patching more than just the operating system: third-party web applications such as a support chat package need it just as much.  Secunia provides excellent resources to find vulnerabilities and patches.  Check out the Vulnerability Report for PHP Live! 3.x.  It is also not a good idea for TierraNet to keep credit card information in chat log files at all, let alone log files covering five years of sessions; a compromised application can only expose what was retained.
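Card numbers end up in support chat transcripts because customers type them in, not because anyone designed the log to hold them, so the practical control is to scrub them before the transcript is written (and to sweep existing logs).  The following is an added example, not part of the original post or of the PHP Live! software, of that scrubbing and of the detection logic that a log sweep would use: a candidate regex finds 13 to 19 digit runs, and the Luhn check digit test weeds out ticket numbers, timestamps and phone numbers that merely look like card numbers.  The log lines are constructed for the example; 4111 1111 1111 1111 is the well-known Visa test number, not a real card.

```python
import re

# Constructed sample of support-chat log lines (no real card numbers).
SAMPLE_LOG = """\
2008-11-11 14:02:17 visitor: card is 4111 1111 1111 1111 exp 12/10, please charge it
2008-11-11 14:02:40 agent: thanks, your ticket number is 1234567890123456
2008-11-11 14:03:05 visitor: call me back on 410-555-0123 if there is a problem
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to further digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check digit test: every real card number passes it, most other
    digit runs of the same length do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(digits):
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text):
    """Return the digit-only form of every Luhn-valid card-number candidate.
    This is the sweep you would run over existing transcripts."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if _is_pan(digits):
            found.append(digits)
    return found


def redact_pans(text):
    """Replace each Luhn-valid candidate with a marker that keeps only the last
    four digits; run this on every message before it is written to the log."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if _is_pan(digits):
            return f"[PAN REDACTED ****{digits[-4:]}]"
        return m.group(0)
    return _CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print("found:", find_pans(SAMPLE_LOG))
    print(redact_pans(SAMPLE_LOG), end="")
```

The ticket number on the second line is sixteen digits long but fails the Luhn check, so it is left alone, while the card number on the first line is replaced even though it was typed with spaces.  Redacting at write time is the only order that helps against a breach like this one: once the transcript is on disk, the chat application's vulnerability hands out whatever is there.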

December 2nd, 2008 (1 breach):

Organization: The World Bank
Contractor/Consultant/Branch: None
Location: Washington, D.C.
Victims: Employees and individual contractors
Number of Affected: Unknown (1 Maryland resident mentioned)
Types of Data: “names and account numbers”
Tag: Employee Mistake
Source Reference: The Maryland Attorney General
Breach Description: “Although the World Bank (Bank) is not subject to national law requirements, in the spirit of cooperation with the US authorities, we are voluntarily providing the following information as prescribed by the State of Maryland.”  “On November 21, 2008, a file containing information was mistakenly posted on a public site and accessed through a single download of the information.”  “The file accessed was a payment record containing names and account numbers of Bank employees and individual contractors”.  The Bank is providing free credit monitoring to the affected employees.
Comment: It was so nice of The Bank to notify “in the spirit of cooperation”.  How about the spirit of the right thing to do?  The Bank hasn’t been immune to controversy this year, see the CSO Magazine story “4 Security Lessons From the World Bank Breach”.

December 3rd, 2008 (1 breach):

Organization: Hewlett-Packard ("HP")
Contractor/Consultant/Branch: Unknown
Location: Houston, Texas area
Victims: Current and former HP employees
Number Affected: Unknown (626 Maryland residents mentioned)
Types of Data: Personal information including names and Social Security numbers
Tag: Stolen Laptop
Source Reference: The Maryland Attorney General and previously posted to The Breach Blog in “Unknown number of employees affected by stolen HP laptop”.
Breach Description: “Hewlett-Packard has reported the theft of a laptop computer containing sensitive personal information to the Maryland Attorney General's office.  The laptop contained information belonging to current and former employees who were at one time participants in the HP benefits program.”
Comment: See The Breach Blog post referenced above for comments.

December 4th, 2008 (1 breach):

Organization: GMAC LLC
Contractor/Consultant/Branch: GMAC Mortgage, LLC
Location: Bedford, New Hampshire
Victims: Customers
Number Affected: Unknown (16 Maryland residents mentioned)
Types of Data: “names, mailing addresses and mortgage loan account numbers”
Tag: Employee Theft
Source Reference: The Maryland Attorney General
Breach Description: “On September 3, 2008, GMAC Mortgage announced the closing of its retail branch offices across the country.  GMAC Mortgage put into place procedures to capture all assets in branch office locations including customer/consumer data.  On or about October 2 and 6, 2008, at least two GMAC Mortgage customers received mail from former GMAC Mortgage loan officers who formerly worked at the Bedford, NH branch office prior to its closure.”  “Based on this mailing, GMAC Mortgage investigated this incident and determined that prior to the employment end date of certain loan officers, they forwarded to themselves or their associates, GMAC Mortgage customer lists.”  “It is reasonably certain that the former GMAC employees did this to create marketing opportunities for themselves in their new positions at Schaefer Mortgage in Londonderry, NH.”  “GMAC Mortgage is currently pursing [sic] legal remedies against 7 former loan officers and Schaefer Mortgage in United States Federal District Court in New Hampshire”.
Comment: When I think about this breach, I think about how common this may be in the current economy.  As more mortgage companies, finance companies and banks close offices, what happens to the information?  Employee theft is hard enough to prevent without the added pressure of a site closure.

Phew!  27 breaches in one post is a heckuva lot!

Comments
  • 12/16/2008 1:09 PM Dissent wrote:
    Exhausting, isn't it? :)

    I didn't post all 27 to Pogo (yet). I held off on one because there was a problem with the report, and was trying to get additional info on a few others before posting. Did I ever mention how I hate being stonewalled? :)

    By the way, did you know that Vermont also publishes breach notifications online? They had a few posted that I had not seen elsewhere, but I haven't tried to backfill Pogo with their reports yet.
    1. 12/16/2008 2:17 PM Evan Francen wrote:
      Absolutely exhausting.  Too much for one sitting.

      Oh Crap!  Did I stonewall you?!  Not cool.  Sorry.

      Vermont, eh?  I did not know that.  Thank you for sharing.

  • 12/16/2008 2:24 PM Dissent wrote:
    Oh no, I didn't mean that you had ever stonewalled me. I was alluding to the organizations that I email or call to get more details that don't answer me and pretend that they didn't get the inquiry. That's why some breaches don't appear on Pogo promptly -- I'm often waiting for a reply or clarification. And I wait, and wait, and wait.... and then I give up and post without the clarification in some cases.

    Sorry if I miscommunicated. You're fine. They're not. :)
    1. 12/16/2008 3:58 PM Evan Francen wrote:
      Cool.  I just misunderstood.  We'll keep up the fight then. 