The Breach Blog

The Breach Blog 2008-05-16T16:29:02Z http://breachblog.com/atom.aspx Quick Blog Consultant loses laptop with Park National employee information tag:breachblog.com,2008-05-16:e7da46b5-587e-42a0-aa25-06d3434fe9e1 Evan Francen 2008-05-16T11:23:50Z 2008-05-16T11:18:00Z Security Breach

Date Reported:
5/10/08

Organization:
Park National Corporation

Contractor/Consultant/Branch:
Aon Consulting Inc.

Victims:
"past and present employees"

Number Affected:
~2,000

Types of Data:
"personal information"

Breach Description:
"About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information."

Reference URL:
Columbus Business First
PogoWasRight

Report Credit:
Columbus Business First via PogoWasRight

Response:
From the online sources cited above:

About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information.
[Evan] Do you suppose finger crossing works? I didn't really think of this or include it in my 2008 information security strategic plan.

Aon Consulting Inc., which provides administration services for Newark-based Park's pension plan, lost the laptop in March.
[Evan] One of Aon Consulting's offerings is Enterprise Risk Management ("ERM"). There is no mention of whether or not this lost laptop was encrypted. If it weren't, do you think this is a good demonstration of sound risk management? I posed the question; I'll let you decide the answer.

The bank has received no reports that data on the computer has been accessed and used by thieves, said Park spokeswoman Bethany White.

"This was not our breach and we are the victim," she said. "We are absolutely unhappy to be a victim of this and Aon is working to fix this."
[Evan] Hold on a second! I respectfully but completely disagree with Ms. White. There is a misunderstanding or roles. The data owner is the victim. The data custodians are Park National AND Aon. If the information was given to Park National by the victim and not directly to Aon, then this is absolutely a Park National breach. It is the responsibility of organizations to ensure the security of the information they share with their contractors, consultants, vendors, etc. This is accomplished by creating policy that governs information security in these relationships, including information security in contractual language, and periodic audit and compliance assessments.

Aon is providing free credit-monitoring and fraud-protection insurance services from Experian to those who have been affected, according to a letter from Park CEO C. Daniel DeLawder to those affected by the theft.

Commentary:
The reference article is short, but the information still allows for plenty of commentary and speculation. I would be very interested to read the actual notification letter that went out to the victims. It may shed some more light on the subject.

It is troubling that Park National wants to absolve themselves of any responsibility in this breach.

Past Breaches:
Unknown

]]>

Oklahoma State University Parking Services server is compromised tag:breachblog.com,2008-05-15:88f31a16-daef-4e8d-a0bb-d3b55378142b Evan Francen 2008-05-15T15:08:54Z 2008-05-15T15:01:00Z Security Breach

Date Reported:
5/14/08

Organization:
Oklahoma State University ("OSU")

Contractor/Consultant/Branch:
OSU Parking & Transit Services

Victims:
OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008

Number Affected:
as many as 70,000

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."

Reference URL:
Oklahoma State University Alert
KOCO Channel 5 News
The Daily O'Collegian
The Oklahoman

Report Credit:
Oklahoma State University

Response:
From the online sources cited above:

STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.

Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.
[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for? Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.

The confidential information has been removed from the database.

The illegal access was limited to the parking and transit server.

As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.
[Evan] I wonder if I am getting this right. Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol? That's not cool. A database server storing confidential information should not be accessible from the internet directly through a firewall. It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs. All this for parking? Ugh.

OSU contacted and worked with federal law enforcement authorities.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
[Evan] I wonder what evidence they looked for and how they went about gathering it.

We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information.

OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.
[Evan] Yeah! Review your bills (pay them occasionally) and financial transactions carefully. But wait, you do this already? Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.

OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."
[Evan] This is my favorite statement from this story! What do you suppose his stance was prior to being notified of the breach?

In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management. You have the organizations that just don't get it and don't really care or know that they don't get it. These organizations lose information over and over and dangerously continue to operate in a business as usual manner.

Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &$#^! They respond with all guns blazing and overspend on controls they don't need and run a very cost ineffective security program (I guess they really never got it either).

Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem. These companies may seek guidance and consultation in the effort to build a comprehensive information security program. These programs should be built around business objectives and sound risk management.

Lastly, there are the companies that were proactive and built a sound information security program because it was good business. These organizations didn't need an adverse event or breach before taking action. These organizations don't panic when an adverse event occurs. They know that eventually an adverse event will occur and they will be prepared when it does.

The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.
[Evan] Wow. The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?! That is way, way, way too long for a compromised server to go unnoticed. We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.

The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
[Evan] It's a very good idea to not collect private information if it is not required. It's too bad that it took a breach for this to happen. Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack. Maybe the IT Data Center has better firewalls or something

. I like the "full review". This should be done no less than annually.

The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.

Q. How will I know if any of my personal information was used by someone else?
A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have already become an identity-theft victim. I'm not saying whether this is likely, or not.

Q. Why did you have my personal information?
A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.
[Evan] Great question! Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?

Commentary:
This breach torques me a little, in case you didn't pick up on that from the comments above. I made plenty.

Past Breaches:
Unknown

]]>

Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a> <img src="http://breachblog.com/images/95781-88451/okstate.jpg" align="right" height="127" width="198">Date Reported: 5/14/08 Organization: <a href="http://osu.okstate.edu/">Oklahoma State University ("OSU")</a>  Contractor/Consultant/Branch: <a href="http://www.parking.okstate.edu/">OSU Parking & Transit Services</a> Victims: OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008 Number Affected: as many as 70,000 Types of Data: "names, addresses and Social Security numbers" Breach Description: "Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."

Two students access confidential Dominican University files tag:breachblog.com,2008-05-14:42a8c6a6-db66-4597-8a54-250f53d6b80a Evan Francen 2008-05-14T22:40:18Z 2008-05-14T22:29:00Z Security Breach

Date Reported:
5/8/08

Organization:
Dominican University

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
5,215

Types of Data:
"names, addresses, phone numbers, birthdays and Social Security numbers"

Breach Description:
"CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk. The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007."

Reference URL:
WMAQ NBC Channel 5 News
RiverForest-Leaves
Dominican University

Report Credit:
Dominican University

Response:
From the online sources cited above:

Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment.

Two computer science sophomores who had password access through their work-study employment discovered three Excel files, containing a total of 5,215 student records.

These files were in an unsecure location that was to be accessible only to specific staff members.
[Evan] Is this password misuse or just poorly secured files and poor security? The confidential files were stored in an unsecure location that was supposed to be accessible by specific staff. Does this make any sense to you?

One of the students came forward earlier this month with the information that they had accessed files that were to be available to staff only. The students then disclosed the full extent of their access to the exposed data and demonstrated to the administration how the access occurred.
[Evan] I wonder if the school would have ever found out if the student didn't come forward. My guess is not.

We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

A letter was sent to all affected students and alumni on April 18 when the extent of the exposure could be determined.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions.

The students are expected to return to classes next fall "under a lot of supervision, as you'd expect,"
[Evan] I don't know. There are probably students doing worse things on campus that probably need a lot more supervision than these two. Judging only by what I have read, these students seem to have been pretty honest. They came forward, they cooperated with the investigation and even demonstrated what they did.

The university is conducting a complete security audit and internal review.
[Evan] This should be done a regular basis anyway. All good information security programs conduct regular audits, assessments and reviews.

Dominican has conducted a complete internal security audit and has hired an external consultant to review all security processes.
[Evan] I endorse the school's decision to enlist a third-party consultant, assuming that the consultant is good at what they do. The last statement contained the word "conducting", this statement contains "conducted".

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.

"Steps have been taken to make something like this more difficult to do in the future. We've significantly tightened security,"
[Evan] If I had a dime for every time I heard this, I could retire very comfortably. If there are no details or facts to support statements like this, they don't mean much to me

If I have more questions, who should I call? You can call our toll-free number: (877) 387-8310.

Student Reaction:
"I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away,"

"I think that's crazy, because ... people can get your information, know things about you (and) you can't do anything about it,"

"Someone actually just charged on my debit card something. (It was) unrelated to this, I think, but it freaks me out every day now,"
[Evan] This student didn't just buy some Adobe education version software, did he/she?

Commentary:
I'm not sure if I am reading this right or not, but it seems almost like these students stumbled upon the confidential files and informed officials of their findings. I don't sense an dishonesty on their part. I could be wrong, but it also seems like the school didn't (and maybe still doesn't) properly secure confidential information. The statement about a secure file in an unsecured location is puzzling.

If assumptions are correct, then it may be ill-advised to sanction these students. Does anyone else see this the same way, or would you say that I am off base here?

Past Breaches:
Unknown

]]>

HSBC loses a server in branch renovation tag:breachblog.com,2008-05-14:64653996-c04e-449d-a900-e9b5c207e955 Evan Francen 2008-05-14T16:16:19Z 2008-05-14T16:08:00Z Security Breach

Date Reported:
5/7/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
Kwun Tong branch

Victims:
Customers

Number Affected:
159,000

Types of Data:
"name, account number and transactions of customers"

Breach Description:
"HONG KONG, May 8 (Xinhua) -- The Hong Kong branch of banking giant Hongkong and Shanghai Banking Corporation Limited (HSBC) has lost a computer server with client data involving about 159,000 accounts, the bank confirmed on Wednesday."

Reference URL:
IDG Magazines Norge
Xinhua News Agency
The Standard

Report Credit:
The Breach Blog was notified by an anonymous tip at 11:15AM on May 7th. It just took me a while to get it posted. Sorry for the delay!

Response:
From the online sources cited above:

HSBC has admitted losing a server containing data on 159,000 customers.
[Evan] How do you lose a server?

The server went missing on 26 April from its Kwun Tong district branch in Hong Kong during renovation work

The server held customer names, account numbers, transaction amounts and transaction types

HSBC said the server is protected by "multiple layers of security" and the risk of data breaches and fraud is "deemed to be low".
[Evan] What kind of "multiple layers of security"? This is one of those statements that is misused and overused. Without details, who knows what they are talking about.

the server contained no PIN codes or online banking login credentials.

The bank said it has reported the incident to the police, the Hong Kong Monetary Authority, and the Hong Kong privacy commissioner.

The case has been classified as theft.
[Evan] Ah, so HSBC didn't really "lose" the server? It was stolen.

The Monetary Authority has demanded that the bank contact all the affected customers and explain what measures could be taken to avoid potential losses thereof.

The bank is contacting customers, who will not be liable for any financial loss arising from any fraudulent activity as a result of the lost data.

Clients data are kept in a confidential manner. If any complaint arises, we will deal with it case by case, HSBC chairman Vincent Cheng Hoi-chuen said.

Internet Society chairman Charles Mok Nai-kwong said even though the server has been encrypted, there may still be ways to access the data.
[Evan] Charles Mok Nai-kwong states that the server was encrypted. This is a good thing.

"I do not know how advanced the system is or the skill of those who want to access the data. But if the server goes to the police, they will have ways to get the data," Mok said.
[Evan] This reminds me of a few stories I have read where authorities were unable to break commercially available encryption implementations. The one case that comes to mind was the case of the FBI unable to crack PGP encrypted PDAs captured from terrorists. If the encryption was implemented correctly and key management is sound, it would be very difficult for the police to access meaningful information.

Commentary:
What type of physical controls were present at the time of the server theft? Stuart King on his ComputerWeekly Risk management blog sums this up very well when he says "Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over."

The last HSBC breach that we reported on The Breach Blog was also physical security related, see below.

Past Breaches:
February, 2008 - Five-year-old wanders into bank branch after-hours

]]>

Technical glitch blamed in The Princeton Tower Club breach tag:breachblog.com,2008-05-13:1a72ffad-83dc-45bd-b0ae-0543b63aa450 Evan Francen 2008-05-13T09:20:10Z 2008-05-13T09:14:00Z Security Breach

Date Reported:
5/8/08

Organization:
The Princeton Tower Club

Contractor/Consultant/Branch:
None

Victims:
Former club members

Number Affected:
103

Types of Data:
"names and social security numbers"

Breach Description:
"Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning."

Reference URL:
The Daily Princetonian
United Press International
Asbury Park Press

Report Credit:
Rachel Dunn and Josephine Wolff, The Daily Princetonian

Response:
From the online sources cited above:

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.

The document was attached to an apparently unrelated e-mail that informed current members about a club event.

The spreadsheet was attached unintentionally because of "a technical glitch," Tower graduate board chair Greg Berzolla ’87 said
[Evan] Really? A technical glitch? These types of breaches are usually the result of human error.

"The [spreadsheet] file wasn’t even available on the hard drive [of the computer that sent the e-mail]," Berzolla said. "[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem."

"I cannot comment on [the glitch] because I don’t understand it," he said. "I didn’t figure it out, I think the club technical chair [did]. [Tower president] Stephanie [Burset ’09] tried to explain it to me, but I think she doesn’t really understand it either."
[Evan] At least he is honest.

Burset said in an e-mail that Pine, the e-mail system Tower currently uses, is "fairly antiquated, but our tech chairs have assured me that nothing like this can ever happen again," and added that "we plan on switching to a new client whom is more secure and easier to use."
[Evan] I am concerned by statements like "nothing like this can ever happen again". We still don't know why it happened in the first place.

The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.

Tower officers sent another e-mail to the club yesterday asking members to delete the message from their mailboxes "out of respect for ’07."

Berzolla said he believes the risk of identity fraud is "extremely limited"

"It’s hard for any kind of fraud to occur that quickly," he said of the incident. "I feel confident that our club members are not going to use this information badly."
[Evan] It only takes one person. It should also be mentioned that one or more of the destination email accounts could be a shared account and that these emails were sent in clear text (subject to the possibility of interception).

"[The breach] would have had to have been intentional [for there to be legal repercussions]," Berzolla said.
[Evan] Do you have to demonstrate intent to argue negligence (The failure to use reasonable care)? I'm certainly not a lawyer, but I think that there are cases where victims have been awarded damages when there was not intent to harm on the part of the defendant. I don't really advocate lawsuits anyway, but I am just stating what seems obvious to me.

Tower will pay for an identity theft protection services for the affected individuals next year.

Berzolla hopes this measure will assuage any possible threat of legal action from former members against the club. "I don’t expect there to be any problems, but just in case," he said.

The social security numbers on the spreadsheet were collected as part of the process of signing in new members several years ago, Berzolla said. Tower no longer requires its members to submit their social security numbers, he added.
[Evan] It is a good practice to not collect information that isn't required to conduct business. The Tower Club would be well advised to go through the information they currently possess and purge the information they no longer need.

Victim Reaction:
"I had no idea this happened, and frankly, I’m baffled and a little pissed off," Valerie McConnell ’07 said

"Now that I know that the social security numbers weren’t sent out on purpose, I’m not pissed off," McConnell said. "I think my identity is ok. I can’t imagine anyone in the club trying to steal my identity (not that there’s a lot to steal right now anyway)."
[Evan] I think I would still be pissed off. Identity thieves are not all stupid. Many of them will hold on to the information for a year or more before using it or selling it.

"[The incident] is a mistake; it shouldn’t have happened," Beylin said in an e-mail. "However, with the number of times I’ve handed out my SSN this year while seeking financial services or apartment hunting, it’s really not my biggest source of concern for identity theft."
[Evan] This is a good point. Have you ever thought of all the times you have given out your Social Security number? All of your employers, schools, insurance companies, banks, mortgage companies, credit card companies, etc. have your number. The same number used for identification and authentication. A recipe for disaster?

Commentary:
The Tower Club does not handle personal information any worse than most other organizations. It seems like they just didn't know any better. It sometimes makes me nervous.

Past Breaches:
Unknown

]]>

Former employee exposes Purdue Pharma personal information tag:breachblog.com,2008-05-12:4c524a75-a84b-484f-a198-355c0dc12e5a Evan Francen 2008-05-12T18:44:52Z 2008-05-12T18:38:00Z Security Breach

Date Reported:
4/14/08 (delayed)

Organization:
Purdue Pharma L.P.

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
~5,000

Types of Data:
"names, dates of birth, Social Security numbers and other pension related information"

Breach Description:
"a former employee accessed a disk containing personal information about individuals employed by Purdue Pharma and its associated U.S. companies prior to December 31, 2003 and attempted to email some of the information on the disk to another person"

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you about an incident affecting information maintained by Purdue Pharma L.P. ("Purdue Pharma")

Purdue Pharma is a privately held pharmaceutical company.

we recently learned that a former employee accessed a disk containing personal information about individuals employed by Purdue Pharma and its associated U.S. companies prior to December 31, 2003 and attempted to email some of the information on the disk to another person.
[Evan] Attempted? What prevented the former employee from actually sending the information? It's not clear why the former employee wanted to send the information either.

We have determined that the disk contained information concerning approximately 5,000 individuals, and included names, dates of birth, Social Security numbers and other pension related information.

The former employee retained the disk when his employment ended, in direct violation of our policies and standard confidentiality agreement.
[Evan] This former employee may not have given a damn.

As soon as we learned of the unauthorized access, we promptly demanded that the information be deleted and returned to us.

The original disk has been returned and we believe that all copies of the information have been deleted.
[Evan] Once information confidentiality has been compromised it is very difficult (some would argue impossible) to restore it. How can you be certain that the information has been deleted?

We have undertaken a thorough investigation of this matter and, based on results of that investigation to date, we have no reason to believe that the personal information was misused.
[Evan] Actually, there is EVERY reason to believe that the personal information was misused! If the information was used in a manner that was not permitted by the owner (the victim), then it was misused. That’s my definition anyway.

We are continuing to investigate the incident and are examining the measures we can take to help prevent incidents of this kind from happening again.

Even though we believe that there is little risk of fraud or identity theft against the individuals as a result of this incident, we are providing the potentially affected individuals, at our cost, with the identity theft protection services in the attached notification letter, for two years.
[Evan] If there is "little risk of fraud", then why spend thousands of dollars in notification (because it’s the law, I suppose) and identity theft protection (not required by law)?

Purdue has contracted to provide a two year subscription to TrustedID's IDFreeze.
[Evan] The cost of IDFreeze is $8.25/mo. I am almost certain that Purdue isn't paying this full price and there is a good chance that not all affected persons will enroll, but for demonstration purposes only, $8.25/mo. x 5,000 subscriptions x 24 months = $990,000!

We deeply regret that this incident occurred and take very seriously our obligation to protect the privacy of personal information.

Commentary:
Employee and former employee information misuse is a very challenging issue for information security professionals. It's tough to comment because we don't have much detail about what controls are already in place.

Past Breaches:
Unknown

]]>

Did the Rent-a-Center manager knowingly expose personal information? tag:breachblog.com,2008-05-12:3bafe7c7-ba9b-4260-9454-ecf61f98de1f Evan Francen 2008-05-12T15:05:33Z 2008-05-12T15:00:00Z Security Breach

Date Reported:
5/9/08

Organization:
Rent-a-Center*

*formerly RentWay

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers"

Breach Description:
"Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud."

Reference URL:
Sarasota Herald-Tribune
Bradenton Herald
Sarasota Herald-Tribune (May 10)

Report Credit:
Anthony Cormier, Sarasota Herald-Tribune

Response:
From the online sources cited above:

Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud.

The files were discovered in a plaza off Cortez Road on Friday morning.

In the files were photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers of people who leased furniture, TVs and appliances from RentWay.

A Manatee Sheriff's deputy arrived at about 10:30 a.m. and called workers from Rent-A-Center, which acquired RentWay in 2006, to clean up the mess.

In dress slacks and business shirts, Rent-A-Center employees crawled in a Dumpster on Friday afternoon.

it was unclear how long the files were in the lot and who may have accessed the sensitive information

Rather than shredding the documents that contained personal information of clients and taking them to their own Dumpster, the employees left the papers piled in the bottom of the Dots' store Dumpster

Kimberly Lash, manager of Dots, a women's clothing store next door to the the vacant storefront, said the mess had been out in the corner of the building for nearly a week.

She said the Rent-A-Center store manager said there were personal documents in the Dumpster.
[Evan] If I understand this correctly, the Rent-A-Center manager knew that there were personal documents being discarded in the dumpster?! What the *&^# kind of manager would knowingly put his/her customers at risk? I wouldn't hold the Dot's store manager ultimately responsible, but I wonder why she didn't do or say anything when she was told that there was personal information in the dumpster.

"All they did was pick it up and put it in my Dumpster," she said.

On Friday morning, a transient was seen rifling through the paperwork until he was shooed off by Don McLucas, who found the mess and called police

"Unbelievable," McLucas said. "Imagine the fraud you could commit with this stuff. And they just dump it like that? Unbelievable."

"You could open a bank account, apply for a credit card, anything. That information could be worth hundreds of thousands of dollars." - Robert Siciliano, CEO of IDTheftSecurity.com
[Evan] The bad guys certainly know this. It seems like others either don't care or don't know.

The store manager of the Rent-A-Center store declined to comment. It's unclear what happened to the documents once they were removed from the Dots Dumpster.

Lt. William Vitaioli said it would not be a criminal violation to dispose of personal information such as Social Security numbers, credit card numbers, driver's license numbers or phone numbers.
[Evan] Should it be? This is a hot debate.

Florida law requires companies to notify consumers if the security of their personal information has been breached.
[Evan] Are notification laws working? Another hot debate.

Commentary:
If I had the time, I would check dumpsters on the way home one of these days. Think I would find anything along my 25 mile ride home?

Past Breaches:
Unknown

]]>

Two stolen Saks Incorporated laptops contained sensitive information tag:breachblog.com,2008-05-11:32559b9c-83ea-41c0-9c5e-d3d54f776839 Evan Francen 2008-05-12T18:04:05Z 2008-05-11T21:23:00Z Security Breach

Date Reported:
4/30/08

Organization:
Saks Incorporated

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown*

*According to the New Hampshire State Attorney General breach notification there were 163 persons affected who reside in the state of New Hampshire

Types of Data:
Name, address, Saks Fifth Avenue credit card account number, and/or Saks Fifth Avenue/MasterCard co-branded credit card account number.

Breach Description:
"In mid-April 2008, Saks learned that four company laptops were stolen. Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

In mid-April 2008, Saks learned that four company laptops were stolen. Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers.

Based on our investigation, we have confirmed that these files did not include Social Security numbers, the credit cards' expiration dates, pin numbers, codes, or passwords, or any other types of sensitive data.
[Evan] Thank God for that!

Given the very limited type of personal information on these files and that it was stored on password-protected laptops, we believe there is a very low risk of identity theft or credit card fraud as a result of this event.
[Evan] I agree with the limited type of information argument, but could care less about password-protected laptops. Password-protected laptops are little more than nothing to stop someone for accessing the information.

We have no indication that this personal information has been accessed or misused, or even that the laptops are in the hands of someone seeking to misuse the information.

Nor was this a breach of our network, website, or database (as is typical in many company breaches covered by the news).
[Evan] I think laptop thefts and losses are more typical than network, website or database breaches.

The company has drafted a written notice of the breach that it will be sending to the affected individuals imminently.

Saks takes its customers' privacy very seriously, and we have exercised utmost caution and diligence in our response following the discovery of the theft.

Within hours of learning of the theft, we initiated our own investigation into the incident and notified law enforcement.

Finally, if you have additional questions related to this situation, you can contact us between the hours of 9:00 a.m. ET through 6:00 p.m. ET on Monday though Saturday through our dedicated toll-free information helpline at 1-888-724-2455.

We deeply regret any inconvenience or concern that this matter may cause you.

Commentary:
The letter sent to the affected individuals is signed by Stephen I. Sadove, Chairman and Chief Executive Office of Saks Incorporated. I respect Mr. Sadove for addressing this situation in person (so to speak). It demonstrates his understanding that information security is a corporate issue for which he is ultimately responsible.

Past Breaches:
Unknown

]]>

Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a> <img src="http://breachblog.com/images/95781-88451/saks.jpg" align="right" height="75" width="75">Date Reported: 4/30/08 Organization: <a href="http://www.saksincorporated.com/">Saks Incorporated</a> Contractor/Consultant/Branch: None Victims: Customers Number Affected: Unknown* *According to the New Hampshire State Attorney General breach notification there were 163 persons affected who reside in the state of New Hampshire Types of Data: Name, address, Saks Fifth Avenue credit card account number, and/or Saks Fifth Avenue/MasterCard co-branded credit card account number. Breach Description: "In mid-April 2008, Saks learned that four company laptops were stolen.  Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers."

Personal Las Cruces Public Schools Special Ed information posted online tag:breachblog.com,2008-05-09:e3ca7626-8af5-4273-a444-8f3d66419815 Evan Francen 2008-05-09T10:02:19Z 2008-05-09T09:56:00Z Security Breach

Date Reported:
5/7/08

Organization:
Las Cruces Public Schools ("LCPS")

Contractor/Consultant/Branch:
None

Victims:
Teachers, principals, administrators and other LCPS employees. The breach also affected students enrolled in special education programs.

Number Affected:
1,800*

*1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs AND 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools

Types of Data:
"confidential student and staff information, including some personal identifying data"

Breach Description:
"LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet. Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds."

Reference URL:
LCPS news release (Word document download)
LCPS press conference (Word document download)
Las Cruces Sun-News

Report Credit:
Las Cruces Public Schools

Response:
From the online sources cited above:

LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet. Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds.

"We began a thorough investigation to determine how this happened and to prevent it from happening in the future. The investigation includes a search of the Internet to determine if the information is located anywhere online and how to remove it."

Rounds said there is currently no indication that the data has been misused.

Preliminary information indicates a part-time LCPS computer data analyst unintentionally posted information from a secure LCPS special education computer database, named SEAS (Special Education Automated System), and placed it onto an un-secure website.

The data in question was contained within two electronic database files that were posted on the Internet between Tuesday, April 29 and Monday, May 5, 2008.

For the time being, Rounds said he is not disclosing what specific information was posted online to prevent any potential compromise to those affected
[Evan] The compromise has already taken place. If a bad guy/gal is in possession of the information, he/she probably knows what he/she has without us having to tell him/her.

However, the individuals affected will be notified of what information was released, he said

Those affected include 1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs.

Also affected were 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools
[Evan] It especially stinks when children are affected.

Some data for other special education students may have been released as well.

"We’ve already begun to notify the affected individuals about what specific information is involved and we will assist them in taking appropriate safeguards," Rounds said

"If we find any of the information on the web, we will immediately take all appropriate steps to have it removed," said Jeff Harris, LCPS director of technology support services. "As of today, we’ve located the data in two Internet sites and removed it. We’re continuing to search for any other locations where it may exist."

On Monday, May 5, when the Superintendent learned of the potential breach, he directed that each student and staff member affected be provided credit fraud protection for up to one year to ensure their private information was not jeopardized in any way. This will be paid at school district expense.

Rounds said the experienced part-time employee who unintentionally disclosed the data has been placed on administrative leave and no longer has access to any LCPS computer, data, or server.

"LCPS goes to great lengths to ensure student and staff confidentiality, but this incident appears to be caused by human error," Rounds said. "This also highlights the need for the district to review its data security and privacy policies to make sure it never happens again."

Rounds said an ad-hoc committee is being established to immediately review LCPS policies and procedures. This committee will be chaired by Dr. Shaun Cooper, the current Chief Information Officer at New Mexico State University. Cooper is also the former Director of Security and Research Computing at NMSU

Commentary:
Human errors will happen as long as we are humans, I suppose. Not that we should just accept defeat and use it as an excuse. There are numerous controls with varying degrees of effectiveness that information security personnel implement to reduce the frequency and impact of human error related breaches. Without knowing more detail, it's hard to say what could have been done better. Was the cause of this breach simple oversight or lack of awareness, poor training, lack of production control (no formal review and approval process for posting information to public sites), etc. I guess I'm not sure.

I do appreciate Mr. Rounds' response. The response to the breach and notification was swift. I also like the press conference and ad-hoc committee established to review LCPS policy and procedure. I hope that the committee and effort will be ongoing long after this breach is forgotten (by those not personally affected).

Past Breaches:
Unknown

]]>

Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a> <img src="http://breachblog.com/images/95781-88451/lcps.jpg" align="right" height="86" width="88">Date Reported: 5/7/08 Organization: <a href="http://www.lcps.k12.nm.us/">Las Cruces Public Schools ("LCPS")</a> Contractor/Consultant/Branch: None Victims: Teachers, principals, administrators and other LCPS employees.  The breach also affected students enrolled in special education programs. Number Affected: 1,800* *1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs AND 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools Types of Data: "confidential student and staff information, including some personal identifying data" Breach Description: "LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet.  Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds."

Confidential information sent to PinPay.net and SoftCard.biz is exposed tag:breachblog.com,2008-05-08:da2ea918-e14b-41ad-a734-1e04c6605152 Evan Francen 2008-05-08T13:26:03Z 2008-05-08T12:57:00Z Security Breach

Date Reported:
4/29/08

Organization:
ACAP Security Inc.

Contractor/Consultant/Branch:
PinPay
SoftCard

Victims:
Merchants, Agents and customers

Number Affected:
Unknown

Types of Data:
Name, mailing address, phone number, email address, date of birth, city of birth, sex, and one or more of the following (chosen from drop-down):

Passport
Voting ID card
PAN card
Driving License card
Government issued ID card
Social Security Card
Military ID card
Consular ID card
Postal ID card
Government Employee ID Card
Credit Card
Debit Card

Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store." The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Reference URL:
Merchant 911 Blog

Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911

Response:
From the online source cited above and my own cursory investigation:

Back in January, I had short email dialog with a Kip Long, who claimed to be one of the principles of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.

The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc..

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.

their insecure sign-up form - was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure. Neither are their respected login pages.

“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.

The form also requires a full name and DOB.

I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.

If a company official can’t use his company’s domain for email, I’m not going to talk to him.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.

Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago. I've been a little busy lately, but was finally able to check it out. Let me recap what I found.

First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.

The flash home page forwards visitors to a static index (indexaa.html) page. The first paragraph on the page informs visitors about PinPay.

"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."

See where the page says, "Register for your FREE card HERE!!"? This is a link to the sign-up page that Tom was referring to.

No "https" in the URL. Tom was right on that. The sign-up form asks for a personal information ranging from name and address to identity card information (even information for a "Second Identity Card").

The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card

SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information! First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard". Second, no encryption?! Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?

Let's dig a little (public) information about ACAP Security. According to Entreprenuer.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network. ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content". Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption.

I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular. This is not a new topic, but I will take some time to demonstrate the risk.

In order for my information to be compromised, someone (or something) will need to capture the traffic. In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server). My information doesn't travel directly from my computer to the server. There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.

As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz. The final few hops are not reported due to filtering. So where could my traffic be captured? At the very least:

Between my computer and my router (or firewall)
Between my firewall and the ISP hand-off
Between all the traversed devices within my ISP's network
Between all the traversed devices through the internet
Between all the traversed devices within the destination ISP's network
Between all the traversed devices within the destination organization's network and the server itself.

Anyone in the communication path can use a simple protocol analyzer like Wireshark and capture the sensitive information:

txtfname=Billy&txtmname=J&txtlname=Madison&txtaddress=123+Main+Street&txtcity=Anywhere&
txtstate=MA&txtzip=87451&txtcountry=United+States&mob_phone=NONE&txtphone=18006218200&
txtemail=billymadison@honky.com&txtdob=04%2F20%2F1988&txtbirthcity=Boston&
txtbirthcountry=United+States&txtgender=M&identity1=Social+Security+Card&txtcardno1=123-45-6789&
txtissuedate1=04%2F20%2F1988&identity2=Driving+License+card&txtcardno2=M-1234567890&
txtissuedate2=04%2F20%2F2006&submit=Accept+Card+Agreement-Submit

This is a very simplistic demonstration about why it is important to encrypt sensitive information. If the communication had been encrypted, none of the data would have been visible without access to the private key.

We could go deeper into the server application and SQL, but I think that this is enough.

A Quote from the ACAP Security CEO:
“The right of privacy is a fundamental and very important right of American society. A right our Nation’s founders fought the American Revolution to obtain and a right many brave American soldiers have fought and continue to fight and die to preserve. As this Nation continues to advance into cyberspace, we have expanded the right of privacy to include the right to electronic privacy. The elements of cyber-crime and cyber-vulnerabilities have begun to seriously erode and destroy this important right of electronic privacy.”

Past Breaches:
Unknown

]]>

Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a> <img src="http://breachblog.com/images/95781-88451/pinpay.jpg" align="right" height="200" width="178">Date Reported: 4/29/08 Organization: <a href="http://www.acapsecurity.com">ACAP Security Inc.</a> Contractor/Consultant/Branch: <a href="http://www.pinpay.net/index.html">PinPay</a> <a href="http://www.softcard.biz/indexaa.html">SoftCard</a> Victims: Merchants, Agents and customers Number Affected: Unknown Types of Data: Name, mailing address, phone number, email address, date of birth, city of birth, sex, and one or more of the following (chosen from drop-down): <ul><li>Passport</li><li>Voting ID card</li><li>PAN card</li><li>Driving License card</li><li>Government issued ID card</li><li>Social Security Card</li><li>Military ID card</li><li>Consular ID card</li><li>Postal ID card</li><li>Government Employee ID Card</li><li>Credit Card</li><li>Debit Card </li></ul> Breach Description: ACAP Security, and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store."  The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Personal information from two Colorado mortgage companies found in dumpsters tag:breachblog.com,2008-05-07:11cb580c-1bcd-4365-96db-47d31162264a Evan Francen 2008-05-07T22:20:50Z 2008-05-07T22:10:55Z Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog. The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster. Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities. This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you? According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage. I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks. Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies? The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors. The money attracted people from all walks of life and a lot of poor decisions were made. Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

]]>

Adobe web portal exposes educational software users tag:breachblog.com,2008-05-07:0d995482-8934-4c57-bd0b-38e4e2c4fad0 Evan Francen 2008-05-07T16:31:31Z 2008-05-07T16:27:00Z Security Breach

Date Reported:
5/1/08

Organization:
Adobe Systems Incorporated

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.

Breach Description:
"It appears that certain personal information was stored on a server accessed via an Adobe website portal at a time when the server did not contain security or authentication procedures. The server was created to allow customers to upload information in order to enable Adobe to validate a customer's qualification to purchase certain education software."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you of a recent incident possibly involving the unauthorized exposure of your personal information.

The information was stored on a server accessed via an Adobe website portal at a time when the server did not contain Adobe's standard security or authentication procedures.

The information was stored in relation to status verification for your recent purchase of Adobe education version software.

Based on our investigation to date, we believe some combination of the following information may have been exposed for the customers we are notifying: name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.
[Evan] Holy moly! How much information did Adobe request from people? The purpose of collecting the information was "status verification", which I assume means making sure that you are allowed to use education version software at a significantly reduced price. No urine samples, blood samples, etc.?

We have no reason to believe that any personally identifiable information was potentially exposed except the information contained in the images that you uploaded to Adobe.
[Evan] Huh?

We apologize for this incident and sincerely regret any inconvenience that these events and responding to this notice may cause you.

Please note that Adobe has no indication that any unauthorized individual has accessed, has used, or is using you personal information; we bring this incident to you attention, however, so that you can be alerted to signs of possible misuse of your personal information should it occur.

Immediately after Adobe learned of this incident, we secured the server and removed the feature in the website portal allowing customer access in order to prevent unauthorized access to the information.

Additionally, we began an investigation to determine which files, if any, we exposed.

Our investigation revealed that files containing the above information were not properly secured, and could have been accessed by unauthorized third parties via the Internet.

Adobe is providing a year of free credit monitoring

Please rest assured that Adobe takes data security very seriously and we have already taken steps to minimize any risk from this incident and any future incidents.

Commentary:
It seems like Adobe is/was collecting much more information than was necessary to verify that a claimed educational user is/was in fact an educational user. Adobe has a very significant web presence. I am pretty sure they employ some very talented (and well trained) web developers, a robust change control process (including segregated dev and prod environments), and a talented information security crew. How did this slip through the cracks? I also wonder how Adobe became aware of the exposure?

Past Breaches:
Unknown

]]>

Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a> <img src="http://breachblog.com/images/95781-88451/adobe.jpg" align="right" height="150" width="150">Date Reported: 5/1/08 Organization: <a href="http://www.adobe.com/">Adobe Systems Incorporated</a> Contractor/Consultant/Branch: None Victims: Customers Number Affected: Unknown Types of Data: Name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature. Breach Description: "It appears that certain personal information was stored on a server accessed via an Adobe website portal at a time when the server did not contain security or authentication procedures. The server was created to allow customers to upload information in order to enable Adobe to validate a customer's qualification to purchase certain education software."

Health care practices and UCSF patient records exposed tag:breachblog.com,2008-05-07:8d1a589f-daa2-4134-b469-8e30c0975297 Evan Francen 2008-05-07T16:10:17Z 2008-05-07T14:16:00Z Security Breach

Date Reported:
5/1/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Target America Inc.

Victims:
Patients

Number Affected:
6,313

Types of Data:
"The information included names, addresses, medical departments and some patient medical record numbers"

Breach Description:
"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"

Reference URL:
San Francisco Chronicle
CNET
United Press International
UCSF News Release

Report Credit:
Elizabeth Fernandez, San Francisco Chronicle

Response:
From the online sources cited above:

Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.

Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

Sensitive information can be used by employers, health insurers and other entities to discriminate

thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.
[Evan] Purloined is a funny word.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum

"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."
[Evan] I don't think most people know this. Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.

Hospital officials say there's no indication of identity theft to date.

UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.

Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.
[Evan] Seems wrong, doesn't it? You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays). If you are a deemed a good donor candidate, you get emails and letters that you never signed up for. The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money. Personally, I would be more willing to donate if an organization were straight with me.

The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."

Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.

Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.
[Evan] There is no mention of this breach anywhere on Target America's site either. Sweep it under the rug and maybe it will go away?

The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.

Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.

"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."
[Evan] Why not say it like it is. The true motive?

"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."
[Evan] Closer.

After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.

While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.

"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.

Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
[Evan] Don't think that this doesn't happen. Insurance companies are not in business to help people, they are in business to make money. They want to identify as many pre-existing conditions as possible.

UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.
[Evan] I think that this is open to interpretation. HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.

"Steps have been taken to reinforce this practice,"
[Evan] Like what? Are "steps" enough?

For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.

"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.

"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."
[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives. One of the best from what I read.

UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.

UCSF continually modifies systems and practices to enhance the security of patient information.

Commentary:
Hmm. I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,". There is not much discussion surrounding the details of the actual breach itself. I have also read concern of the length of time it took before patients were notified.

From Target America's "Why Target America?" page:
"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."
Looks like a pretty important database to me.

There are no apologies made by UCSF or Target America for the breach.

Past Breaches:
University of California:
April, 2008 - University of California Irvine students are hit with mysterious breach

]]>

Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a> <img src="http://breachblog.com/images/95781-88451/ucsf.jpg" align="right" height="54" width="79">Date Reported: 5/1/08 Organization: <a href="http://www.universityofcalifornia.edu/">University of California</a> Contractor/Consultant/Branch: <a href="http://www.ucsf.edu/">University of California at San Francisco ("UCSF")</a> <a href="http://www.tgtam.com">Target America Inc.</a> Victims: Patients Number Affected: 6,313 Types of Data: "The information included names, addresses, medical departments and some patient medical record numbers" Breach Description: "(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"

Card skimming at Lunardi's Supermarket tag:breachblog.com,2008-05-06:39b65fd5-1c6a-473c-a4de-60ae5cbc967f Evan Francen 2008-05-06T12:25:33Z 2008-05-06T12:17:00Z Security Breach

Date Reported:
4/29/08

Organization:
Lunardi's

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"bank card numbers and personal identification codes"*

*bank cards include credit cards and debit cards

Breach Description:
"About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam. And that number is expected to grow, Los Gatos police Capt. Dave Gravel said."

Reference URL:
KPIX TV Channel 5
The Mercury News
The Mercury News (update)

Report Credit:
KPIX TV Channel 5

Response:
From the online sources cited above:

An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in more than two dozen reported cases of identity theft, a Los Gatos/Monte Sereno Police Department spokesman said today.
[Evan] The number "two dozen" was used in the original report on April 29th.

About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam.
[Evan] By the time of the May 2nd story, the number of reported cases grew to about 150.

And that number is expected to grow, Los Gatos police Capt. Dave Gravel said.

Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night and additional victim reports continued on Monday and today, according to police spokesman Tam McCarty.

Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi's, 720 Blossom Hill Road, after officials from Lunardi's contacted them about a problem with one of their card readers.

"It was a switched card reader at one of the aisles,'' McCarty said.

"What we have here is more than one person - they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty. "Once they've done that they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."
[Evan] Completely switch out the card reader? I have never been to the store so I don't know the layout, but how does a person switch out a card reader during business hours without anyone noticing? It seems very risky to make the switch during business hours. I suppose that a thief could pose as a repair or other support person that wouldn't look suspect. Was the switch done while the store was closed? If so, this seems to imply an insider. Just thoughts, I am sure that the investigators have already thought through these questions.

The thieves then transferred that bank information onto cloned cards - any card with a magnetic stripe can be used - and made cash withdrawals from ATMs in Southern California.
[Evan] Search Google for "Credit Card Encoder" and take your pick of various credit/debit card magnetic stripe readers/writers. Extreme Media has information on "Credit Card Hacking, ATM Hacking, Debit Card Hacking and more. From Identity Fraud to Off Shore Banking we have you covered." I have never used or read any of their wares, so I don't know how reliable it is. The point I am trying to make is that committing fraud with compromised credit/debit card information is easy and there are plenty of people willing to help the bad guys.

police are still trying to determine how much money was stolen.

Recent shoppers of the Los Gatos Lunardi's should check the status of their bank or credit card accounts for charges they did not make, according to police.
[Evan] If I were a customer of Lunardi's, I would contact my bank and close my credit/debit card account and open a new one (with new numbers).

Through an attorney, the Lunardi family, which owns the upscale grocery chain, also declined to discuss specifics about the technology used.

In a statement, the owners said the chain "in no way wants to compromise the ongoing investigation by law enforcement authorities or to reveal details of our security measures which could counteract their effectiveness."

George Silvestri, an attorney for Lunardi's, said the chain has replaced the payment devices at all seven of its Bay Area locations with machines that are locked onto the checkout stands.

Lunardi's employees with access to these devices have been trained in security procedures recommended by law enforcement and banking authorities.

Anyone who finds fraudulent charges on an account should contact the local police department or the Los Gatos/Monte Sereno Police Department at (408) 354-8600.

The thefts at Lunardi's in Los Gatos comes about three weeks after police uncovered a similar scam at an Arco AM/PM in Los Altos.
[Evan] I missed this specific breach, but I did report an ARCO "skimming" related breach in December, 2007. The December breach occurred at the El Monte station.

Commentary:
Card skimming is nothing new, but the methods have been refined and the technology has gotten better. The devices used by the criminals used to be pretty easy to identify, but now some of the devices are so small and well made that it can be difficult to notice, even to a trained eye.

A video or two might be helpful to readers (good information, but nothing earth shattering)

An NBC 10 News report:

From the UK, "The