Common criminals caught with Columbus City Schools employee information
Technorati Tag: Security Breach
Date Reported:
1/12/09
Organization:
Columbus City Schools ("CCS")
Contractor/Consultant/Branch:
None
Location:
Columbus, Ohio
Victims:
Employees
Number Affected:
Unknown, but "At this point we're looking at around 80 to 100 employees", according to Columbus Police Det. Ronald Reese
Types of Data:
Personal information including names and Social Security numbers
Breach Description:
"COLUMBUS, Ohio — Police have arrested two men who they said used personal information belonging to Columbus City Schools employees to rent cars, open credit card accounts and book hotel rooms"
Reference URL:
WBNS-TV Channel 10 News
Columbus Channel 4 News
Report Credit:
Kevin Landers, WBNS-TV Channel 10 News
Response:
From the online sources cited above:
Columbus City Schools experienced a security breach, resulting in employees’ Social Security numbers being at risk.
Arrests conducted by Columbus police Thursday, Jan 8., turned up the Social Security numbers of 80 to 100 CCS employees
CPD officers went to the 2000 block of East 6th Avenue on the city’s near North Side to serve drug and auto-theft felony warrants on John Lent and Carl Lowe, Detective Ronald Reese said.
During the arrest officers learned there might be stolen personal information in the house and found personal information on district employees
[Evan] Many people are under the false impression that identity theft is a high-tech crime committed by high-tech criminals. It is NOT. Identity theft is easy for anyone to commit. Common thugs (criminals) are adding identity theft to their traditional repertoire with auto-theft, drug dealing, robbery, et. al.
CPD said it believes the suspects either stole or intercepted part of a mailing from the payroll division that was en route to annuity companies.
[Evan] Here is a good opportunity for a security tip. Mail is NOT a secure method for transferring sensitive information. Mail should only be used to send packages and information with a low sensitivity. Organizations that must send sensitive information to other parties should do so in a securely. VPNs, encrypted email, and secure web sites using TLS/SSL may all provide an adequate assurance of confidentiality. In this particular instance where it is suspected that payroll information mailings were intercepted in transit from CCS to "annuity companies", it might make better sense to configure a restricted VPN, send encrypted email, or configure a secure web site. In the end, the entire process could be more efficient and secure. Information would be transferred almost instantaneously and much more securely.
Lent and Lowe opened credit cards and checking accounts and paid for hotel rooms and car rentals with the personal numbers, Reese said.
The two suspects don’t have any connection with the district, police said.
Two employees filed a police report, claiming that credit cards were opened and that someone rented cars in their names.
The investigation also revealed that the men were in the process of, or had already printed counterfeit checks
Police said there could be more victims.
Columbus City Schools said it notified everyone involved in the security breach and was in the process of setting up consumer-protection services for those involved—regardless of whether suspicious activity has taken place.
CPD advised all victims to pull credit reports and to file a police report and was working to help all concerned employees file reports.
One victim of the scheme told 10TV News a bank account was opened using his identity, and he had no idea until Columbus City Schools notified him of the scheme.
"They opened up a bank account using my name, my social security number," the victim said. The victim, who refused to be identified, said the account was opened online, so no one at the bank ever saw the person who opened the account.
The investigation was ongoing.
Commentary:
The breaches which make headlines involve the theft of thousands (and sometimes millions) of sensitive records such as Social Security numbers or credit card numbers. What doesn't make the headlines as much are the stories of criminals actually using the information to commit fraud. Most of the people committing identity fraud are not highly trained, high-tech criminals. Most of them are your ordinary, everyday thugs.
In today's environment, we seem to be looking at an identity-theft (and other information-related crime) "perfect storm". Logic may tell us that given the current economy, there is greater desperation for easy money. On the other side, given the current economy, information security spending may wane on the part of companies and other organizations. Too many poorly educated organizational leaders see information security as a cost center as opposed to a business driver (when managed properly)
.
Past Breaches:
Unknown
Date Reported:1/12/09
Organization:
Columbus City Schools ("CCS")
Contractor/Consultant/Branch:
None
Location:
Columbus, Ohio
Victims:
Employees
Number Affected:
Unknown, but "At this point we're looking at around 80 to 100 employees", according to Columbus Police Det. Ronald Reese
Types of Data:
Personal information including names and Social Security numbers
Breach Description:
"COLUMBUS, Ohio — Police have arrested two men who they said used personal information belonging to Columbus City Schools employees to rent cars, open credit card accounts and book hotel rooms"
Reference URL:
WBNS-TV Channel 10 News
Columbus Channel 4 News
Report Credit:
Kevin Landers, WBNS-TV Channel 10 News
Response:
From the online sources cited above:
Columbus City Schools experienced a security breach, resulting in employees’ Social Security numbers being at risk.
Arrests conducted by Columbus police Thursday, Jan 8., turned up the Social Security numbers of 80 to 100 CCS employees
CPD officers went to the 2000 block of East 6th Avenue on the city’s near North Side to serve drug and auto-theft felony warrants on John Lent and Carl Lowe, Detective Ronald Reese said.
During the arrest officers learned there might be stolen personal information in the house and found personal information on district employees
[Evan] Many people are under the false impression that identity theft is a high-tech crime committed by high-tech criminals. It is NOT. Identity theft is easy for anyone to commit. Common thugs (criminals) are adding identity theft to their traditional repertoire with auto-theft, drug dealing, robbery, et. al.
CPD said it believes the suspects either stole or intercepted part of a mailing from the payroll division that was en route to annuity companies.
[Evan] Here is a good opportunity for a security tip. Mail is NOT a secure method for transferring sensitive information. Mail should only be used to send packages and information with a low sensitivity. Organizations that must send sensitive information to other parties should do so in a securely. VPNs, encrypted email, and secure web sites using TLS/SSL may all provide an adequate assurance of confidentiality. In this particular instance where it is suspected that payroll information mailings were intercepted in transit from CCS to "annuity companies", it might make better sense to configure a restricted VPN, send encrypted email, or configure a secure web site. In the end, the entire process could be more efficient and secure. Information would be transferred almost instantaneously and much more securely.
Lent and Lowe opened credit cards and checking accounts and paid for hotel rooms and car rentals with the personal numbers, Reese said.
The two suspects don’t have any connection with the district, police said.
Two employees filed a police report, claiming that credit cards were opened and that someone rented cars in their names.
The investigation also revealed that the men were in the process of, or had already printed counterfeit checks
Police said there could be more victims.
Columbus City Schools said it notified everyone involved in the security breach and was in the process of setting up consumer-protection services for those involved—regardless of whether suspicious activity has taken place.
CPD advised all victims to pull credit reports and to file a police report and was working to help all concerned employees file reports.
One victim of the scheme told 10TV News a bank account was opened using his identity, and he had no idea until Columbus City Schools notified him of the scheme.
"They opened up a bank account using my name, my social security number," the victim said. The victim, who refused to be identified, said the account was opened online, so no one at the bank ever saw the person who opened the account.
The investigation was ongoing.
Commentary:
The breaches which make headlines involve the theft of thousands (and sometimes millions) of sensitive records such as Social Security numbers or credit card numbers. What doesn't make the headlines as much are the stories of criminals actually using the information to commit fraud. Most of the people committing identity fraud are not highly trained, high-tech criminals. Most of them are your ordinary, everyday thugs.
In today's environment, we seem to be looking at an identity-theft (and other information-related crime) "perfect storm". Logic may tell us that given the current economy, there is greater desperation for easy money. On the other side, given the current economy, information security spending may wane on the part of companies and other organizations. Too many poorly educated organizational leaders see information security as a cost center as opposed to a business driver (when managed properly)
Past Breaches:
Unknown
Posts Atom 1.0
Comments