Better late than never, 24 breaches from the New Hampshire Attorney General
Dissent has already posted many, if not all of these breaches on the Office of Inadequate Security. I’ve been on vacation for the past week, so now I finally get to it!
Here they are, 24 breaches in chronological order, from oldest to newest (as reported to the New Hampshire Attorney General):
November 3rd, 2008 (2 breaches)
Organization: Baylor Health Care SystemsContractor/Consultant/Branch: Health Texas Provider Network
Location: Dallas/Fort Worth, Texas
Victims: Patients
Number Affected: 100,000
Types of Data: "Social security numbers and a limited amount of patient information"
Tag: Stolen Laptop
Source Reference: The New Hampshire Attorney General, The Maryland Attorney General and previously posted to The Breach Blog in “Baylor Health Care System employee is fired over stolen laptop”.
Breach Description: "We recently became aware of the theft of a laptop computer containing certain personal information about some HealthTexas Provider Network patients. The information on the laptop included patient names, Social Security numbers (“SSNs”) and limited health information (such as codes indicating treatments received)”
Comment: Nothing much new to report from the New Hampshire breach notification, so please check out my comments previously made in The Breach Blog post referenced above.
Organization: National Association of Chain Drug Stores (NACDS)Contractor/Consultant/Branch: None
Location: Alexandria, Virginia
Victims: Scholarship applicants
Number of Affected: Unknown
Types of Data: "name, Social Security number and permanent and school addresses"
Source Reference: The New Hampshire Attorney General, The Maryland Attorney General, and previously posted to The Breach Blog in “27 Breaches reported on Maryland Attorney General’s Web site”
Tag: Employee Mistake
Breach Description: “On October 7, 2008, our scholarship applicant database became publicly accessible through a link that was transmitted to scholarship applicants via e-mail. The e-mail containing the link was sent to approximately 160 applicants for the purpose of permitting its recipient to access his or her individual online application to complete the missing application data fields. The link permitted access to other applicants’ files.”
Comment: There is no new information contained in the breach notification letter sent to the New Hampshire State Attorney General. It is nearly identical to the one sent to the Maryland Attorney General. Please see The Breach Blog post referenced above.
November 4th, 2008 (1 breach):
Organization: Emergency Medical Association (“EMA”)Contractor/Consultant/Branch: None
Location: Livingston, New Jersey
Victims: Patients
Number of Affected: 27
Types of Data: Personal information including American Express credit card information
Tag: Nobody Knows
Source Reference: The New Hampshire Attorney General
Breach Description: On or about July 15,2008, the Secret Service informed EMA that, during the course of an independent investigation, they had identified a total of twenty-seven (27) American Express credit cards that were possibly the subject of identity theft. The Secret Service contacted EMA because the twenty-seven (27) affected American Express cardholders all used their American Express credit card to pay a legitimate bill of EMA.
Comment: When the Secret Service calls, people listen. There are not many details in the breach notification and I am left with more questions than I am given facts. I wonder what precipitated the Secret Service’s “independent investigation”. I also wonder if there are only twenty-seven cardholders affected in total, or if there are other organizations involved too. We don’t even know how (or if) the credit card information was taken from EMA.
November 5th, 2008 (1 breach):
Organization: Wells Real Estate FundsContractor/Consultant/Branch: None
Location: Suwanee, Georgia
Victims: Customers
Number of Affected: Unknown (213 New Hampshire residents mentioned here and 704 Maryland residents mentioned previously)
Types of Data: "Wells account numbers, third party account numbers, tax identification numbers, Social Security Numbers and specific investment information"
Tag: Stolen Laptop
Source Reference: The New Hampshire Attorney General, The Maryland Attorney General and previously posted to The Breach Blog in “27 Breaches reported on Maryland Attorney General’s Web site”.
Breach Description: “On the evening of October 6, 2008, a laptop computer of a Wells employee was stolen from a parked automobile. The theft was reported to the City of Suwanee, Georgia, Police Department, and a police report was filed on October 7, 2008. To date, however, law enforcement has not yet recovered the laptop. From our investigation, we have determined that the laptop computer was password-protected and may have contained Wells account numbers, third-party account numbers, Tax Identification Numbers, Social Security numbers, and specific investment information.” Affected persons are being offered one year of credit monitoring.
Comment: Really? Password protection, eh? Big deal! Operating system password protection is nothing more than a momentary nuisance to anyone who may want to access data on a laptop. By itself it is NOT adequate protection. Why even mention it?
November 21st, 2008 (1 breach):
Organization: Toyota Motor Sales, U.S.A., Inc.Contractor/Consultant/Branch: Express Scripts
Location: Torrance, California
Victims: Current and former employees
Number of Affected: Unknown, but at least 188
Types of Data: “name, social security number and date of birth”
Tag: Intrusion
Source Reference: The New Hampshire Attorney General, The Maryland Attorney General and previously posted to The Breach Blog in “Express Scripts extortion, potentially millions affected”.
Breach Description: “On November 6, 2008, Express Scripts, Toyota’s pharmacy benefits manager, informed Toyota that an unknown person or persons had made an extortionate threat to disclose Express Script’s members’ personal information, including the name, Social Security number and date of birth to identity thieves unless Express Scripts paid a ransom. At the time, Express Scripts advised Toyota that it did not believe personal information about Toyota members was involved.” “Early the following week, Toyota received a similar threat directly, apparently from the same extortionist.”
Comment: We didn’t think we had heard the last of the Express Scripts breach did we? This is now the third time that this breach has appeared on The Breach Blog (See references above). Now we know of an additional company affected. I expect this breach to continue and include more companies. We still don’t know how this breach occurred or who may be responsible.
November 23rd, 2008 (1 breach):
Organization: Wyndham Hotel Group Contractor/Consultant/Branch: Unknown
Location: Phoenix, Arizona (and other unspecified locations)
Victims: Customers
Number of Affected: Unknown
Types of Data: “credit or debit card number, expiration data and possibly your name”
Tag: Intrusion
Source Reference: The New Hampshire Attorney General, The Maryland Attorney General and previously posted to The Breach Blog in “27 Breaches reported on Maryland Attorney General’s Web site”.
Breach Description: “As you may recall, on October 9, 2008, Wyndham Hotel Group provided notice to you of a data security incident which involved our Data Center in Phoenix, Arizona, and certain impacted Wyndham hotels.” “In connection with the investigation, we determined that notification to consumers in the state of New Hampshire is appropriate, as Track 2 credit card data may also have been compromised in the attack.”
Comment: “Track 2 credit card data” includes the PAN (usually the same as the credit card number), expiration date, and discretionary data (may include card verification code) among other things. Wyndham states that they have “revalidated our information security infrastructure to confirm that we maintain industry standard protections for customer data” and is offering affected customers with one year of credit monitoring. I am not typically big fan of “industry standard protections”. Industry standard protections would be fine if all the companies in the industry were the same (i.e. same people, same processes, same programs, same locations, etc.). In my opinion, it doesn’t take a whole lot of talent to implement something that everybody else is.
One last comment… My mother received this notification.
November 26th, 2008 (2 breaches):
Organization: RoadSafe Traffic Systems, Inc. Contractor/Consultant/Branch: None
Location: Oklahoma City, Oklahoma and somewhere in Pennsylvania
Victims: Employees
Number of Affected: Unknown
Types of Data: "names, social security numbers and addresses"
Tag: Stolen Laptop
Source Reference: The New Hampshire Attorney General
Breach Description: "On November 11, 2008, a laptop belonging to a RoadSafe employee was stolen from a rental car in Oklahoma City. On November 17, 2008, in a separate incident, a different laptop was stolen from a vehicle in Pennsylvania. The computers may have contained electronic data including names, social security numbers and addresses of RoadSafe employees."
Comment: What are the chances of two laptops being stolen from the same company within a week of each other; each containing sensitive personal information? Especially considering that we haven’t heard of any breaches from this company in the past?
“Upon notification of the thefts, RoadSafe took proactive steps to obtain legal counsel to quickly inform residents of how to best protect against identity theft and to minimize risks to the residents.” What? Is this really proactive, or is this reactive? Proactive steps would have been to protect the information better. Proactive would have been to prohibit storage of sensitive information on laptops and other mobile devices. Proactive would have been to encrypt sensitive data at rest. Legal counsel retained by the company is there to protect the company.
RoadSafe is offering one year of credit monitoring.
Organization: TD Bank Financial GroupContractor/Consultant/Branch: TD Banknorth
Location: Hillsdale and Park Ridge, New Jersey
Victims: Customers
Number of Affected: “estimated 3,235”
Types of Data: "names, addresses, birthdates, Social Security Numbers, account numbers and balances"
Tag: Stolen Device
Source Reference: The New Hampshire Attorney General
Breach Description: "On Monday, October 27, 2008, equipment containing such customer information as names, addresses, birthdates, Social Security Numbers, account numbers and balances was removed without authorization from two TD Banknorth branches that were consolidating into TD Bank Stores in Hillsdale and Park Ridge, New Jersey."
Comment: Who would ever think to encrypt sensitive customer information at rest? It’s probably too hard and too expensive. Not! At least TD Banknorth has sincere regret for any concern this may cause its affected customers. They say that “protecting our customers’ personal information is a priority and something we take very seriously.” Like they would say otherwise, but what do their actions say? TD Banknorth is offering 12 months of credit monitoring.
December 3rd, 2008 (1 breach):
Organization: Zyacorp Companies, LLC.Contractor/Consultant/Branch: Zyacorp Entertainment Cinemagic, Merrimack and Radiant Systems, Inc.
Location: Merrimack, New Hampshire
Victims: Customers
Number of Affected: 56
Types of Data: Personal information including credit/debit card information
Tag: Intrusion
Source Reference: The New Hampshire Attorney General and previously posted to The Breach Blog in “Merrimack, New Hampshire movie theater hacked for credit card data”.
Breach Description: “On or about November 5, 2008, Visa notified Bank of America (BOA) Merchant Services (the “acquiring” bank) that Sovereign Bank and St. Mary’s Bank (“the issuing banks”) had contacted them identifying fraudulent transactions associated with approximately 36 Sovereign Bank Visa accounts and 20 St. Mary’s Bank Visa accounts. Visa concluded that all 56 accounts had legitimately been used at a Cinemagic theatre between January 6, 2008 and October 17, 2008 (i.e. a common point of legitimate transaction). Radiant has, after investigation, determined that the legitimate transactions for the 56 accounts were processed at the Merrimack facility and that no other locations have been affected.”
Comment: This is an interesting breach. Additionally, “Radiant Systems, Inc. (“Radiant”), Zyacorp’s payment application vendor, has confirmed that storage and transmission of credit card and/or debit card numbers are properly encrypted.” Then Zyacorp goes on to state; “While we do not believe Zyacorp is required to provide notice pursuant to 359-C:20 because it does not “own or license computerized data that includes personal information” and because the compromised data does not meet the definition of “personal information” within 359-C:20, we are writing this notice out of an abundance of caution.”
Apparently there will be no notice sent to the affected account holders because “Zyacorp is not privy to the identification information for the affected individuals.”, but thankfully (in jest) “Zyacorp has, through BOA Merchant Services, notified those institutions whom it believes “owns” the compromised information under the provisions of RSA 359-C:20, I(c).” “Zyacorp does not believe that it has an obligation to notify individual account holders under RSA 359-C:20, I(a)”, regardless of whether or not it would be the right thing to do. Due to the fact that 56 affected people all used their cards at one of Zyacorp’s establishments really seems to indicate a security compromise there. Zyacorp seems inclined to pass the buck in my opinion.
December 4th, 2008 (1 breach):
Organization: Hewlett-Packard ("HP")Contractor/Consultant/Branch: Unknown
Location: Houston, Texas area
Victims: Current and former HP employees
Number of Affected: Unknown (926 New Hampshire residents mention here and 704 Maryland residents mentioned in a previous notification)
Types of Data: Personal information including names and Social Security numbers
Tag: Stolen Laptop
Source Reference: The New Hampshire Attorney General, The Maryland Attorney General and previously posted to The Breach Blog in “Unknown number of employees affected by stolen HP laptop”.
Breach Description: Hewlett-Packard has reported the theft of a laptop computer containing sensitive personal information to the Maryland Attorney General's office. The laptop contained information belonging to current and former employees who were at one time participants in the HP benefits program.
Comment: Nothing new to report here. Please see references above for comments and/or additional information.
December 5th, 2008 (1 breach):
Organization: Bill Dube Ford/ToyotaContractor/Consultant/Branch: None
Location: Dover, New Hampshire
Victims: Customers
Number of Affected: "thousands"
Types of Data: "names and address information, and in some instances, social security numbers, driver's license or other government identification numbers "
Tag: Stolen Tape
Source Reference: The New Hampshire Attorney General and previously posted to The Breach Blog in “Backup tape stolen from New Hampshire auto dealer, thousands affected”.
Breach Description: "We would like to inform you of a situation involving a backup computer tape that was found to be missing from its secure storage area on August 5, 2008. The tape contained the names and address information, and in some instances, social security numbers, driver’s license or other government identification numbers, of our customers.”
Comments: Bill Dube Ford Toyota says “We utilized one of the best computer software products available and our vendor has assured us that it is very unlikely that the data could be accessed by an unauthorized person.” Assuming that these backup tapes were stolen, we should question why? It seems that a primary motivation for stealing something is that someone sees value in the something that they stole. There is certainly more value in selling/using the information than there is in selling/using the physical tapes. What protects the information on the tape? The “best computer software” backup product? I am very skeptical.
December 8th, 2008 (1 breach):
Organization: HeidelbergCement AGContractor/Consultant/Branch: Lehigh Hanson
Location: Irving, Texas
Victims: Current and former employees
Number of Affected: Unknown
Types of Data: "payroll information containing names and social security numbers"
Tag: Employee Mistake
Source Reference: The New Hampshire Attorney General
Breach Description: “In late September 2008, Lehigh Hanson was advised that a former employee posted certain Lehigh Hanson computer data on a public server of his new employer, a state university. While the former employee believed the data was only forms and templates, there were underlying folders that contained payroll information about current and former employees”.
Comment: Aren’t the forms and templates property of Lehigh Hanson? Former employees should not be permitted to take ANYTHING from their former employers except their own personal belongings (pictures, clothing, etc.). There are a number of controls (primarily administrative) that can be used to minimize these types of occurrences, but nothing is 100%.
December 9th, 2008 (1 breach):
Organization: Science Applications International Corporation (SAIC)Contractor/Consultant/Branch: Unknown
Location: San Diego, California
Victims: People processed for government facility access or clearance
Number of Affected: Unknown
Types of Data: Personal information, including “name and social security number, date of birth, home address, home phone number and clearance level and possibly other personal information necessary to complete government security clearance questionnaires (e.g., SF-85P or SF-86)”
Tag: Malware
Source Reference: The New Hampshire Attorney General
Breach Description: “This letter is to notify you of a potential compromise of personal information” “Our Security personnel routinely receive information regarding malicious software from industry partners. This process led to the recent discovery on October 28, 2008 of malicious software designed to provide backdoor access on a computer used to process your security clearance or visit request.”
Comment: SIAC is a well-respected U.S. Government contractor. The people that write malicious software (“malware”) don’t care. SAIC claims to use “industry best practices and software”, but this doesn’t make them immune either. SAIC is in the process now of implementing “Trusted Desktop” which remove privileged access from computer users. Removing privileged access from computer users goes a long ways to limiting the amount of exposure to malware. This is the second breach concerning SIAC in the past 12 months. The other breach came as a result of lost backup tapes from BNY Mellon.
December 12th, 2008 (2 breaches):
Organization: DJO IncorporatedContractor/Consultant/Branch: Creditek, LLC
Location: “the Bahamas”
Victims: Patients
Number of Affected: 68,857
Types of Data: “names, addresses, social security numbers, dates of birth, gender, dates of services rendered by DJO, diagnostic codes (and, in some cases, a brief description of the diagnosis), summary charges (reflecting the total retail value of services rendered), patient balances, insurance ID numbers, current payors, and, if the payor was an insurance company, the insurance plan identification numbers.”
Tag: Stolen Laptop
Source Reference: The New Hampshire Attorney General
Breach Description: “On November 14, 2008, a laptop computer owned by Creditek, LLC of Pennsylvania, a company which provides billing services to DJO, was stolen from a locked home in the Bahamas, where a Creditek employee was staying.”
Comment: It’s not clear whether or not the Creditek employee lives in the Bahamas or was simply vacationing there. I guess I wouldn’t suggest taking work with you on vacation, especially if you decide to work with poorly secured sensitive information. DJO believes that the stolen computer was stolen “to wipe and resell, and not to use the data.” What facts support this belief? If the thief does intend to wipe the computer, do you think that they will actually use a “secure” wipe? Hah!
Organization: Fiserv, Inc.Contractor/Consultant/Branch: CheckFree Corporation
Location: Norcross, Georgia and “a website based in Ukraine
Victims: Customers
Number of Affected: “approximately 160,000”
Types of Data: Personal information including the possible compromise of usernames and passwords used to access CheckFree accounts
Tag: Hack
Source Reference: The New Hampshire Attorney General
Breach Description: “Please be advised that CheckFree, a business unit of Fiserv, Inc., recently experienced an incident that may have resulted in the infection of certain consumers’ personal computers with malicious software. Between the hours of 12:35 a.m. and 10:10 a.m. Eastern Standard Time of December 2, 2008, traffic to certain CheckFree-operated online bill payment websites was redirected without our knowledge or consent to a website based in Ukraine capable of infecting some but not all users’ computers, depending on their computer’s operating system and virus protection software.”
Comment: Another way of saying that “certain CheckFree-operated online bill payment website was redirected without our knowledge or consent” is that their DNS was hi-jacked, although the letter doesn’t even mention DNS. There is really no excuse for this. If you do business on the internet, DNS is critical. It wouldn’t take long to detect this attack, given that normal traffic loads would be severely impacted. The letter almost makes it seem as if CheckFree is doing their customers a great service by informing them of a malicious software install and offering to clean it for free. Ugh.
December 16th, 2008 (2 breaches):
Organization: State of New HampshireContractor/Consultant/Branch: Department of Health and Human Services
Location: Concord, New Hampshire
Victims: Clients (Medicare Part D recipients)
Number of Affected: “approximately 9,300”
Types of Data: “names, addresses, Medicare Part D plan information, Social Security numbers and the amount of each person's monthly premium”
Tag: Employee Mistake
Source Reference: The New Hampshire Attorney General and previously posted to The Breach Blog in “New Hampshire Medicare recipients affected by email mistake”.
Breach Description: “On December 1, 2008, DHHS inadvertently sent an e-mail with an attachment containing information about changes to Medicare Part D plans to a list of providers and other health related organizations. The attachment had two pages. The first page contained general information about the monthly premiums for Medicare Part D recipients. The second page, attached by accident, contained personally identifying information including name, address and social security number of approximately 9,300 individuals.
Comment: There are no surprises in the New Hampshire breach notification. The information contained in the previously posted references above is accurate and the comments there are valid.
Organization: Merrill LynchContractor/Consultant/Branch: Tacoma, Washington branch office
Location: Tacoma, Washington
Victims: Client(s)
Number of Affected: Unknown
Types of Data: “Merrill Lynch account number, client name, Social Security number, address, telephone number, and e-mail address”
Tag: Stolen Laptop
Source Reference: The New Hampshire Attorney General
Breach Description: “Pursuant to New Hampshire’s security breach notification law, we are writing to notify your office that on November 26, 2008, the laptop of a Merrill Lynch employee was stolen from the Merrill Lynch Tacoma, Washington Office.”
Comment: Merrill Lynch does not have a very good track record of securing sensitive information judging from the number of breaches reported in the past 12 months. This is the third one mentioned on the New Hampshire Attorney General’s web site (the fourth is mentioned below), not to mention others mentioned on other sites. This breach comes to us as a result of a stolen laptop which I assume was poorly secured. Something needs to change at Merrill Lynch.
December 19th, 2008 (2 breaches):
Organization: University System of New HampshireContractor/Consultant/Branch: Granite State College
Location: Concord, New Hampshire
Victims: “individuals that are associated with Granite State College”
Number of Affected: Two (2)
Types of Data: “first name, last name and social security number”
Tag: Nobody Knows
Source Reference: The New Hampshire Attorney General
Breach Description: “The purpose of this letter is to notify you that Granite State College of 8 Old Suncook Road, Concord, NH recently experienced a security breach. In accordance with Title XXXI Trade and Commerce, Chapter 359-C:20 we hereby notify your office of the security breach involving electronically-stored personal information about two individuals that are associated with Granite State College. We believe the breach to have occurred sometime between the hours of 5:30 PM – December 1, 2008 and 8:30 AM December 2, 2008.”
Comment: In this breach, sensitive information “may have been” compromised sometime within a 15 hour period of time. What’s with the uncertainty? Are we to assume that the school really doesn’t know? Sensitive information requires detective controls commensurate with its risk and impact of loss. Adequate logging (a detective control) is required to tell admins who accessed data, from where, and when.
Organization: LRGHealthcareContractor/Consultant/Branch: Lighthouse Financial Services and United Parcel Service (UPS)
Location: LRGHealthcare is located Laconia, New Hampshire, but the breach occurred sometime while data was in transit.
Victims: Patients
Number of Affected: “approximately 1,500”
Types of Data: “Name, address, date of birth, diagnosis, date(s) of service, procedure codes and descriptions”, “Guarantor Name and address”, “Insurance name, address and phone number”, “Billed Amount, Paid amount, Patient balance due, deductibles and maximums”, and “For any Workers compensation claims the employer name, address and dare of injury”
Tag: Lost Media
Source Reference: The New Hampshire Attorney General
Breach Description: “A package containing copies of checks and payment support has apparently been lost by UPS in the shipping process. As of today UPS Is considering the package to be lost (see attachment A). This package was sent to LRGHealthcare by Lighthouse Financial Services under an agreement with Franklin Savings Bank. Lighthouse prepares and deposits insurance and patient payments on behalf of LRGHealthcare. We believe that the package contained information on approximately 1,500 patients”
Comment: Does sending sensitive information via UPS sound like a good idea to you? If you must, encrypt it!
December 22nd, 2008 (1 breach):
Organization: The Seibels Bruce Group, Inc.Contractor/Consultant/Branch: None
Location: Columbia, South Carolina
Victims: Employee(s) and/or prospective employee(s) of client company(ies)
Number of Affected: Unknown
Types of Data: “name, address, telephone number, Social Security number, and/or date of birth”
Tag: Intrusion
Source Reference: The New Hampshire Attorney General
Breach Description: “The Seibels Bruce Group, Inc. and its subsidiaries (“Seibels Bruce”) provide various identity verification and related services to insurance companies who use our services during the process of granting and servicing insurance policies. In mid-December, we became aware that certain personal records that we use for these business purposes were accessed improperly by an unauthorized third party.”
Comment: The breach notification really doesn’t tell anybody all that much. How was the sensitive information improperly accessed and what does Seibels Bruce Group intend to do in order to ensure that a similar incident doesn’t happen in the future? The very nature of Seibels Bruce Group dictates strict information security standards.
December 23rd, 2008 (3 breaches):
Organization: North Pacific Group, Inc.Contractor/Consultant/Branch: None
Location: Portland, Oregon
Victims: Current and former employees
Number of Affected: 2,249
Types of Data: “names, addresses, Social Security numbers, and dates of birth”
Tag: Stolen laptop
Source Reference: The New Hampshire Attorney General
Breach Description: “On Monday, December 1, 2008, North Pacific Group discovered that several laptops and other computer equipment belonging to our Human Resources and Information Technology departments in Portland, Oregon had been stolen sometime over the long Thanksgiving weekend.”
Comment: More stolen laptops containing sensitive information. Encrypted? Not likely. Seriously people.
Organization: The Pepsi Bottling Group, Inc. (“PBG”)Contractor/Consultant/Branch: None
Location: Somers, New York
Victims: “employees in the US”
Number of Affected: Unknown (198 Maryland residents mentioned)
Types of Data: “name social security number, employee identification number and state of residence”
Tag: Lost Device
Source Reference: The New Hampshire Attorney General
Breach Description: “During the week of December 8, the payroll department of The Pepsi Bottling Group (PBG) reported that it could not account for a portable data storage device, which contained unencrypted personal information, including the names and social security numbers of PBG employees in the US.””
Comment: Obviously, it’s not a good idea to use a poorly secured portable data storage device (flash drive, external hard drive, etc.) to store personal information. You might expect better control from a $14 billion dollar company. It’s hard to secure all the devices in such a large organization, not that this is a good excuse. I appreciate what seems like transparency in the PBG notification. PBG is offering 12 months of credit monitoring.
Organization: Vonage America Inc. ("Vonage")Contractor/Consultant/Branch: "a third party vendor supporting the Vonage sales organization"
Location: Holmdel, New Jersey
Victims: Customers
Number of Affected: Unknown, "a small number" according the breach notification
Types of Data: “name, address, and credit card number and CCV or bank account number and routing number”
Tag: Employee Mistake
Source Reference: The New Hampshire Attorney General and previously posted to The Breach Blog in “Google Notebook is not a good place to store sensitive information”.
Breach Description: “Vonage recently discovered that a telemarketing sales agent working on behalf of Vonage at a third party vendor kept notes of her sales contacts on Google Notebook." As a result, sensitive customer information was made publicly accessible.
Comment: The New Hampshire breach notification gives us a few additional details, but nothing material. Please see the previous posting referenced above.
December 29th, 2008 (1 breach):
Organization: Merrill LynchContractor/Consultant/Branch: “a third-party consulting services firm”
Location: Unknown
Victims: “current and former Merrill Lynch Financial Advisors and some applicants for employment”
Number of Affected: Unknown
Types of Data: “names and Social Security numbers”
Tag: Stolen Computer
Source Reference: The New Hampshire Attorney General
Breach Description: “Pursuant to New Hampshire’s security breach notification law, we are writing to notify your office that on December 19, 2008, a third-party consulting services firm working on behalf of Merrill Lynch reported that earlier in December, one of their employees was burglarized and severely beaten in his home. The burglars took various items, including a computer, which had on it the names and Social Security numbers of a population of current and former Merrill Lynch Financial Advisors and some applicants for employment”
Comment: Well, here it is. This is the fourth Merrill Lynch breach reported to the New Hampshire Attorney General in the past 12 months. I feel bad for the guy/gal who was severely beaten. I have to wonder if the data on the computer was encrypted. If not, then why? Merrill Lynch claims that they have been doing business with this consulting services firm for ten years without incident. This doesn’t mean much of anything in terms of their information security practices. Sometimes it’s just a matter of time.
Posted by Evan Francen at 1/10/2009 8:31 PM 
Categories: Wyndham Hotel Group, Science Applications Int'l Corp., TD Bank Financial Group, Employee Mistake, CheckFree Corporation, Zyacorp Companies, Vonage America Inc., Emergency Medical Association, State of New Hampshire, Stolen Laptop, Nat'l Assoc. of Chain Drug Stores, Lost Device, Fiserv, Lost Media, Malware, Bill Dube Ford-Toyota, Granite State College, Baylor Health Care System, DJO Incorporated, Seibels Bruce Group, LRGHealthcare, Pepsi Bottling Group, Stolen Tape, HeidelbergCement AG, Nobody Knows, Stolen Device, RoadSafe Traffic Systems, North Pacific Group, Intrusion, Toyota Motor Sales, Stolen Computer, Hack, Wells Real Estate Funds, Merrill Lynch, Lehigh Hanson, Hewlett-Packard, TD Banknorth
Categories: Wyndham Hotel Group, Science Applications Int'l Corp., TD Bank Financial Group, Employee Mistake, CheckFree Corporation, Zyacorp Companies, Vonage America Inc., Emergency Medical Association, State of New Hampshire, Stolen Laptop, Nat'l Assoc. of Chain Drug Stores, Lost Device, Fiserv, Lost Media, Malware, Bill Dube Ford-Toyota, Granite State College, Baylor Health Care System, DJO Incorporated, Seibels Bruce Group, LRGHealthcare, Pepsi Bottling Group, Stolen Tape, HeidelbergCement AG, Nobody Knows, Stolen Device, RoadSafe Traffic Systems, North Pacific Group, Intrusion, Toyota Motor Sales, Stolen Computer, Hack, Wells Real Estate Funds, Merrill Lynch, Lehigh Hanson, Hewlett-Packard, TD Banknorth
Posts Atom 1.0
Comments