﻿<?xml version="1.0" encoding="utf-8"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><ttl>60</ttl><title>The Breach Blog</title><link>http://breachblog.com</link><language>en</language><copyright>Test</copyright><itunes:subtitle>Test</itunes:subtitle><itunes:author>Evan Francen</itunes:author><itunes:summary>Test</itunes:summary><description>Test</description><itunes:owner><itunes:name>Evan Francen</itunes:name><itunes:email>evan@frsecure.com</itunes:email></itunes:owner><itunes:image href="http://images.quickblogcast.com/95781-88451/DefaultImage/AdwarenCase_img1.gif" /><itunes:explicit>no</itunes:explicit><itunes:category text="Technology"><itunes:category text="Tech News" /></itunes:category><item><title>Personal Las Cruces Public Schools Special Ed information posted online</title><link>http://breachblog.com/2008/05/09/lcps.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/lcps.jpg" align="right" height="86" width="88"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;5/7/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.lcps.k12.nm.us/"&gt;Las Cruces Public Schools ("LCPS")&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Teachers, principals, administrators and other LCPS employees.&amp;nbsp; The breach also affected students enrolled in special education programs.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;1,800*&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;*1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs AND 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools&lt;/font&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;"confidential student and staff information, including some personal identifying data"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet.&amp;nbsp; Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a 
href="http://lcps.k12.nm.us/News/News_Releases/080507DataReleasedInadvertantly.doc"&gt;LCPS news release (Word document download)&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.lcps.k12.nm.us/z-temp/Data%20Released%20Speech%20MEDIA.doc"&gt;LCPS press conference (Word document download)&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.lcsun-news.com/ci_9181525"&gt;Las Cruces Sun-News&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;Las Cruces Public Schools&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet.&amp;nbsp; Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds.&lt;br&gt;&lt;br&gt;"We began a thorough investigation to determine how this happened and to prevent it from happening in the future.&amp;nbsp; The investigation includes a search of the Internet to determine if the information is located anywhere online and how to remove it."&lt;br&gt;&lt;br&gt;Rounds said there is currently no indication that the data has been misused.&lt;br&gt;&lt;br&gt;Preliminary information indicates a part-time LCPS computer data analyst unintentionally posted information from a secure LCPS special education computer database, named SEAS (Special Education Automated System), and placed it onto an un-secure website.&lt;br&gt;&lt;br&gt;The data in question was contained within two electronic database files that were posted on the Internet between Tuesday, April 29 and Monday, May 5, 2008.&lt;br&gt;&lt;br&gt;For the time being, Rounds said he is not disclosing what specific information was posted online to prevent any potential compromise 
to those affected&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The compromise has already taken place.&amp;nbsp; If a bad guy/gal is in possession of the information, he/she probably knows what he/she has without us having to tell him/her.&lt;/span&gt;&lt;br&gt;&lt;br&gt;However, the individuals affected will be notified of what information was released, he said&lt;br&gt;&lt;br&gt;Those affected include 1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs.&lt;br&gt;&lt;br&gt;Also affected were 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] It especially stinks when children are affected.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Some data for other special education students may have been released as well.&lt;br&gt;&lt;br&gt;"We’ve already begun to notify the affected individuals about what specific information is involved and we will assist them in taking appropriate safeguards," Rounds said&lt;br&gt;&lt;br&gt;"If we find any of the information on the web, we will immediately take all appropriate steps to have it removed," said Jeff Harris, LCPS director of technology support services.&amp;nbsp; "As of today, we’ve located the data in two Internet sites and removed it.&amp;nbsp; We’re continuing to search for any other locations where it may exist."&lt;br&gt;&lt;br&gt;On Monday, May 5, when the Superintendent learned of the potential breach, he directed that each student and staff member affected be provided credit fraud protection for up to one year to ensure their private information was not jeopardized in any way.&amp;nbsp; This will be paid at school district expense.&lt;br&gt;&lt;br&gt;Rounds said the experienced part-time employee who unintentionally disclosed the data has been placed on administrative leave and no longer has 
access to any LCPS computer, data, or server.&lt;br&gt;&lt;br&gt;"LCPS goes to great lengths to ensure student and staff confidentiality, but this incident appears to be caused by human error," Rounds said.&amp;nbsp; "This also highlights the need for the district to review its data security and privacy policies to make sure it never happens again."&lt;br&gt;&lt;br&gt;Rounds said an ad-hoc committee is being established to immediately review LCPS policies and procedures.&amp;nbsp; This committee will be chaired by Dr. Shaun Cooper, the current Chief Information Officer at New Mexico State University.&amp;nbsp; Cooper is also the former Director of Security and Research Computing at NMSU&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;Human errors will happen as long as we are humans, I suppose.&amp;nbsp; Not that we should just accept defeat and use it as an excuse.&amp;nbsp; There are numerous controls with varying degrees of effectiveness that information security personnel implement to reduce the frequency and impact of human error related breaches.&amp;nbsp; Without knowing more detail, it's hard to say what could have been done better.&amp;nbsp; Was the cause of this breach simple oversight or lack of awareness, poor training, lack of production control (no formal review and approval process for posting information to public sites), etc.&amp;nbsp; I guess I'm not sure.&lt;br&gt;&lt;br&gt;I do appreciate Mr. Rounds' response.&amp;nbsp; The response to the breach and notification was swift.&amp;nbsp; I also like the press conference and ad-hoc committee established to review LCPS policy and procedure.&amp;nbsp; I hope that the committee and effort will be ongoing long after this breach is forgotten (by those not personally affected). &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
&lt;script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/09/lcps.aspx" type="text/javascript" charset="utf-8"&gt;&lt;/script&gt;</description><category>Las Cruces Public Schools</category><category>Employee Mistake</category><comments>http://breachblog.com/2008/05/09/lcps.aspx#Comments</comments><guid isPermaLink="false">e3ca7626-8af5-4273-a444-8f3d66419815</guid><pubDate>Fri, 09 May 2008 10:02:19 GMT</pubDate></item><item><title>Confidential information sent to PinPay.net and SoftCard.biz is exposed</title><link>http://breachblog.com/2008/05/08/pinpay.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/pinpay.jpg" align="right" height="200" width="178"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/29/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.acapsecurity.com"&gt;ACAP Security Inc.&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.pinpay.net/index.html"&gt;PinPay&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.softcard.biz/indexaa.html"&gt;SoftCard&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Merchants, Agents and customers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;Unknown&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;Name, mailing address, phone number, email address, date of birth, city of birth, sex, and one or more of the following (chosen from drop-down):&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;ul&gt;&lt;li&gt;&lt;font size="2"&gt;Passport&lt;/font&gt;&lt;/li&gt;&lt;li&gt;Voting ID card&lt;/li&gt;&lt;li&gt;PAN card&lt;/li&gt;&lt;li&gt;Driving License card&lt;/li&gt;&lt;li&gt;Government issued ID card&lt;/li&gt;&lt;li&gt;Social Security Card&lt;/li&gt;&lt;li&gt;Military ID card&lt;/li&gt;&lt;li&gt;Consular ID card&lt;/li&gt;&lt;li&gt;Postal ID card&lt;/li&gt;&lt;li&gt;Government Employee ID Card&lt;/li&gt;&lt;li&gt;Credit Card&lt;/li&gt;&lt;li&gt;Debit Card&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;&lt;font size="2"&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store."&amp;nbsp; The PinPay and SoftCard 
sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.merchant911.org/blog/index.php/2008/05/05/softcard-vendor-exposing-card-numbers/"&gt;Merchant 911 Blog&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;Tom Mahoney, the Founder and Director of Merchant 911&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online source cited above and my own cursory investigation:&lt;br&gt;&lt;br&gt;Back in January, I had a short email dialog with a Kip Long, who claimed to be one of the principals of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.&lt;br&gt;&lt;br&gt;Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.&lt;br&gt;&lt;br&gt;The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc. &lt;br&gt;&lt;br&gt;I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.&lt;br&gt;&lt;br&gt;Their insecure sign-up form was requesting “Identity Card Numbers” and issue dates. &lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure.&amp;nbsp; Neither are their respective login pages.&lt;/span&gt;&lt;br&gt;&lt;br&gt;“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card. 
&lt;br&gt;&lt;br&gt;The form also requires a full name and DOB.&lt;br&gt;&lt;br&gt;I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.&lt;br&gt;&lt;br&gt;The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.&lt;br&gt;&lt;br&gt;If a company official can’t use his company’s domain for email, I’m not going to talk to him.&lt;br&gt;&lt;br&gt;I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] I also sent emails and heard nothing in return.&lt;/span&gt;&lt;br&gt;&lt;br&gt;I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] My advice would be to &lt;span style="font-weight: bold;"&gt;NOT &lt;/span&gt;fill out the form and &lt;span style="font-weight: bold;"&gt;NOT &lt;/span&gt;conduct business with a company that has not demonstrated a willingness to secure your information.&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago.&amp;nbsp; I've been a little busy lately, but was finally able to check it out.&amp;nbsp; Let me recap what I found.&lt;br&gt;&lt;br&gt;First, let's go to &lt;a href="http://www.softcard.biz.%C2%A0"&gt;www.softcard.biz.&lt;/a&gt; This is the site that Tom originally pointed out to me.&lt;br&gt;&lt;br&gt;&lt;img src="http://images.quickblogcast.com/95781-88451/softcardhome.jpg" border="0" width="485"&gt;&lt;br&gt;&lt;br&gt;The flash home page forwards visitors to a static index 
(indexaa.html) page.&amp;nbsp; The first paragraph on the page informs visitors about PinPay.&lt;br&gt;&lt;br&gt;"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."&lt;br&gt;&lt;br&gt;&lt;img src="http://images.quickblogcast.com/95781-88451/registerforfree.jpg" border="0" width="574"&gt;&lt;br&gt;&lt;br&gt;See where the page says, "Register for your FREE card HERE!!"?&amp;nbsp; This is a link to the sign-up page that Tom was referring to.&lt;br&gt;&lt;br&gt;&lt;img src="http://images.quickblogcast.com/95781-88451/signupurl.jpg" border="0" width="304"&gt;&lt;br&gt;&lt;br&gt;No "https" in the URL.&amp;nbsp; Tom was right on that.&amp;nbsp; The sign-up form asks for personal information ranging from name and address to identity card information (even information for a "Second Identity Card").&lt;br&gt;&lt;br&gt;&lt;img src="http://images.quickblogcast.com/95781-88451/form.jpg" border="0" width="431"&gt;&lt;br&gt;&lt;br&gt;The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card.&lt;br&gt;&lt;br&gt;&lt;img src="http://images.quickblogcast.com/95781-88451/dropdown.jpg" border="0" width="459"&gt;&lt;br&gt;&lt;br&gt;SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information!&amp;nbsp; First, this is quite a bit more information than they need to approve a person for a "PINPAY 
SoftCard".&amp;nbsp; Second, no encryption?!&amp;nbsp; Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?&lt;br&gt;&lt;br&gt;Let's dig a little (public) information about ACAP Security.&amp;nbsp; According to &lt;a href="http://www.entrepreneur.com/tradejournals/article/120829630.html"&gt;Entreprenuer.com&lt;/a&gt;, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network.&amp;nbsp; ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content".&amp;nbsp; Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption.&amp;nbsp; &lt;br&gt;&lt;br&gt;I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular.&amp;nbsp; This is not a new topic, but I will take some time to demonstrate the risk.&lt;br&gt;&lt;br&gt;In order for my information to be compromised, someone (or something) will need to capture the traffic.&amp;nbsp; In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server).&amp;nbsp; My information doesn't travel directly from my computer to the server.&amp;nbsp; There are intermediaries (routers, switches, firewalls, etc.) 
that have to get (or forward) my information from my computer to the server.&lt;br&gt;&lt;br&gt;&lt;img src="http://images.quickblogcast.com/95781-88451/trace.jpg" border="0" width="575"&gt;&lt;br&gt;&lt;br&gt;As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and &lt;a href="http://www.softcard.biz.%C2%A0"&gt;www.softcard.biz.&amp;nbsp;&lt;/a&gt; The final few hops are not reported due to filtering.&amp;nbsp; So where could my traffic be captured?&amp;nbsp; At the very least:&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;ul&gt;&lt;li&gt;&lt;font size="2"&gt;Between my computer and my router (or firewall)&lt;/font&gt;&lt;/li&gt;&lt;li&gt;Between my firewall and the ISP hand-off&lt;/li&gt;&lt;li&gt;Between all the traversed devices within my ISP's network&lt;/li&gt;&lt;li&gt;Between all the traversed devices through the internet&lt;/li&gt;&lt;li&gt;Between all the traversed devices within the destination ISP's network&lt;/li&gt;&lt;li&gt;Between all the traversed devices within the destination organization's network and the server itself.&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;&lt;font size="2"&gt;Anyone in the communication path can use a simple protocol analyzer like &lt;a href="http://www.wireshark.org"&gt;Wireshark&lt;/a&gt; and capture the sensitive 
information:&lt;br&gt;&lt;br&gt;txtfname=Billy&amp;amp;txtmname=J&amp;amp;txtlname=Madison&amp;amp;txtaddress=123+Main+Street&amp;amp;txtcity=Anywhere&amp;amp;&lt;br&gt;txtstate=MA&amp;amp;txtzip=87451&amp;amp;txtcountry=United+States&amp;amp;mob_phone=NONE&amp;amp;txtphone=18006218200&amp;amp;&lt;br&gt;txtemail=billymadison@honky.com&amp;amp;txtdob=04%2F20%2F1988&amp;amp;txtbirthcity=Boston&amp;amp;&lt;br&gt;txtbirthcountry=United+States&amp;amp;txtgender=M&amp;amp;identity1=Social+Security+Card&amp;amp;txtcardno1=123-45-6789&amp;amp;&lt;br&gt;txtissuedate1=04%2F20%2F1988&amp;amp;identity2=Driving+License+card&amp;amp;txtcardno2=M-1234567890&amp;amp;&lt;br&gt;txtissuedate2=04%2F20%2F2006&amp;amp;submit=Accept+Card+Agreement-Submit&lt;br&gt;&lt;br&gt;This is a very simplistic demonstration about why it is important to encrypt sensitive information.&amp;nbsp; If the communication had been encrypted, none of the data would have been visible without access to the private key.&lt;br&gt;&lt;br&gt;We could go deeper into the server application and SQL, but I think that this is enough.&lt;br&gt;&lt;br&gt;A Quote from the ACAP Security CEO:&lt;br&gt;&lt;/font&gt;“The right of privacy is a fundamental
          and very important right of American society. A right our Nation’s
          founders fought the American Revolution to obtain and a right many
          brave American soldiers have fought and continue to fight and die
          to preserve. As this Nation continues to advance into cyberspace, we
          have
          expanded the right of privacy to include the right to electronic privacy.
          The elements of cyber-crime and cyber-vulnerabilities have begun to
          seriously erode and destroy this important right of electronic privacy.”&lt;br&gt;&lt;font size="2"&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
&lt;script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/08/pinpay.aspx" type="text/javascript" charset="utf-8"&gt;&lt;/script&gt;</description><category>ACAP Security</category><category>PinPay</category><category>Poor Design</category><category>SoftCard</category><comments>http://breachblog.com/2008/05/08/pinpay.aspx#Comments</comments><guid isPermaLink="false">da2ea918-e14b-41ad-a734-1e04c6605152</guid><pubDate>Thu, 08 May 2008 13:26:03 GMT</pubDate></item><item><title>Personal information from two Colorado mortgage companies found in dumpsters</title><link>http://breachblog.com/2008/05/07/covecreek.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/covecreek.jpg" align="right" height="82" width="167"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/28/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.covecreekmortgage.com/"&gt;Cove Creek Mortgage&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.frontrangemortgage.com/"&gt;Front Range Mortgage, LLC&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Customers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;Unknown&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.thedenverchannel.com/news/16038972/detail.html"&gt;Denver Channel 7 News&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.thedenverchannel.com/news/16064711/detail.html"&gt;Denver Channel 7 News (update)&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;Denver Channel 7 News&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;ENGLEWOOD, Colo. 
-- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog.&amp;nbsp; The others are &lt;/span&gt;&lt;a style="font-style: italic;" href="http://breachblog.com/2008/03/19/affordable.aspx"&gt;Affordable Realty&lt;/a&gt;&lt;span style="font-style: italic;"&gt; and &lt;/span&gt;&lt;a style="font-style: italic;" href="http://breachblog.com/2008/02/29/unionmortgage.aspx"&gt;Union Mortgage Services of Cleveland, Inc.&lt;/a&gt;&lt;span style="font-style: italic;"&gt;. &lt;/span&gt;&lt;br&gt;&lt;br&gt;Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him&lt;br&gt;&lt;i&gt;[Evan] What kind of businessman just abandons an office full of confidential files and equipment?&lt;/i&gt;&lt;br&gt;&lt;br&gt;On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.&lt;br&gt;&lt;i&gt;[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster.&amp;nbsp; Having said this, the property manager is not really at fault.&lt;/i&gt;&lt;br&gt;&lt;br&gt;David Peters who works in the same complex found the files Monday morning.&lt;br&gt;&lt;br&gt;"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"&lt;br&gt;&lt;br&gt;"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"&lt;br&gt;&lt;br&gt;"There were tax returns, pay stubs, everything in there," he said. 
"And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."&lt;br&gt;&lt;i&gt;[Evan] According to the news report, Mr. Peters contacted authorities.&amp;nbsp; This could have easily been much worse for victims.&lt;/i&gt;&lt;br&gt;&lt;br&gt;The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.&lt;br&gt;&lt;br&gt;Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you?&amp;nbsp; According to &lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.zoominfo.com/Search/PersonDetail.aspx?PersonID=41991084"&gt;zoominfo&lt;/a&gt;&lt;span style="font-style: italic;"&gt; a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage.&amp;nbsp; I have no idea if this is the same guy that is referred to in the news article.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The district attorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.&lt;br&gt;&lt;i&gt;[Evan] Now Front Range Mortgage joins the ranks.&amp;nbsp; Front Range Mortgage offers &lt;a href="http://www.frontrangemortgage.com/credit_consultants.html"&gt;credit repair services&lt;/a&gt; too! 
Do you suppose they could have repaired the damage that could have been done?&lt;/i&gt;&lt;br&gt;&lt;br&gt;"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.&lt;br&gt;&lt;br&gt;The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.&lt;br&gt;&lt;br&gt;While there are civil laws against dumping such documentation, Chambers said it is not against the law.&lt;br&gt;&lt;i&gt;[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.&lt;/i&gt;&lt;br&gt;&lt;br&gt;"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."&lt;br&gt;&lt;br&gt;"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."&lt;br&gt;&lt;br&gt;For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.&lt;br&gt;&lt;br&gt;&lt;b&gt;Commentary:&lt;/b&gt;&lt;br&gt;What is with these mortgage companies?&amp;nbsp; The 90's and early 2000's were a wild ride for mortgage brokers, real estate agents, and investors.&amp;nbsp; The money attracted people from all walks of life and a lot of poor decisions were made.&amp;nbsp; Now that the bubble has burst, we start to see the true colors of some of these "professionals".&lt;br&gt;&lt;br&gt;I don't know much if 
anything about the owners of these companies, but I do know that securing personal information poorly is bad business. &lt;br&gt;&lt;br&gt;&lt;b&gt;Past Breaches:&lt;/b&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
&lt;script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/07/covecreek.aspx" type="text/javascript" charset="utf-8"&gt;&lt;/script&gt;</description><category>Cove Creek Mortgage</category><category>Insecure Discard</category><category>Front Range Mortgage</category><comments>http://breachblog.com/2008/05/07/covecreek.aspx#Comments</comments><guid isPermaLink="false">11cb580c-1bcd-4365-96db-47d31162264a</guid><pubDate>Wed, 07 May 2008 22:20:50 GMT</pubDate></item><item><title>Adobe web portal exposes educational software users</title><link>http://breachblog.com/2008/05/07/adobe.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/adobe.jpg" align="right" height="150" width="150"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;5/1/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.adobe.com/"&gt;Adobe Systems Incorporated&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Customers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;Unknown&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;Name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"It appears that certain personal information was stored on a server accessed via an Adobe website portal at a time when the server did not contain security or authentication procedures. 
The server was created to allow customers to upload information in order to enable Adobe to validate a customer's qualification to purchase certain education software."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://doj.nh.gov/consumer/pdf/adobe.pdf"&gt;New Hampshire State Attorney General breach notification&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;The New Hampshire State Attorney General&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online source cited above:&lt;br&gt;&lt;br&gt;We are writing to inform you of a recent incident possibly involving the unauthorized exposure of your personal information.&lt;br&gt;&lt;br&gt;The information was stored on a server accessed via an Adobe website portal at a time when the server did not contain Adobe's standard security or authentication procedures.&lt;br&gt;&lt;br&gt;The information was stored in relation to status verification for your recent purchase of Adobe education version software.&lt;br&gt;&lt;br&gt;Based on our investigation to date, we believe some combination of the following information may have been exposed for the customers we are notifying: name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.&lt;br&gt;&lt;i&gt;[Evan] Holy moly!&amp;nbsp; How much information did Adobe request from people?&amp;nbsp; The purpose of collecting the information was "status verification", which I assume means making sure that you are allowed to use education version software at a significantly reduced 
price.&amp;nbsp; No urine samples, blood samples, etc.?&lt;/i&gt;&lt;br&gt;&lt;br&gt;We have no reason to believe that any personally identifiable information was potentially exposed except the information contained in the images that you uploaded to Adobe.&lt;br&gt;&lt;i&gt;[Evan] Huh?&lt;/i&gt;&lt;br&gt;&lt;br&gt;We apologize for this incident and sincerely regret any inconvenience that these events and responding to this notice may cause you.&lt;br&gt;&lt;br&gt;Please note that Adobe has no indication that any unauthorized individual has accessed, has used, or is using your personal information; we bring this incident to your attention, however, so that you can be alerted to signs of possible misuse of your personal information should it occur.&lt;br&gt;&lt;br&gt;Immediately after Adobe learned of this incident, we secured the server and removed the feature in the website portal allowing customer access in order to prevent unauthorized access to the information.&lt;br&gt;&lt;br&gt;Additionally, we began an investigation to determine which files, if any, were exposed.&lt;br&gt;&lt;br&gt;Our investigation revealed that files containing the above information were not properly secured, and could have been accessed by unauthorized third parties via the Internet.&lt;br&gt;&lt;br&gt;Adobe is providing a year of free credit monitoring.&lt;br&gt;&lt;br&gt;Please rest assured that Adobe takes data security very seriously and we have already taken steps to minimize any risk from this incident and any future incidents.&lt;br&gt;&lt;br&gt;&lt;b&gt;Commentary:&lt;/b&gt;&lt;br&gt;It seems like Adobe is/was collecting much more information than was necessary to verify that a claimed educational user is/was in fact an educational user.&amp;nbsp; Adobe has a very significant web presence.&amp;nbsp; I am pretty sure they employ some very talented (and well trained) web developers, a robust change control process (including segregated dev and prod environments), and a talented 
information security crew.&amp;nbsp; How did this slip through the cracks?&amp;nbsp; I also wonder how Adobe became aware of the exposure? &lt;br&gt;&lt;br&gt;&lt;b&gt;Past Breaches:&lt;/b&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
</description><category>Adobe Systems</category><category>Poor Design</category><comments>http://breachblog.com/2008/05/07/adobe.aspx#Comments</comments><guid isPermaLink="false">0d995482-8934-4c57-bd0b-38e4e2c4fad0</guid><pubDate>Wed, 07 May 2008 16:31:31 GMT</pubDate></item><item><title>Health care practices and UCSF patient records exposed</title><link>http://breachblog.com/2008/05/07/ucsf.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/ucsf.jpg" align="right" height="54" width="79"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;5/1/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.universityofcalifornia.edu/"&gt;University of California&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.ucsf.edu/"&gt;University of California at San Francisco ("UCSF")&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.tgtam.com"&gt;Target America Inc.&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Patients&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;6,313&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;"The information included names, addresses, medical departments and some patient medical record numbers"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/02/MNKE10DRGN.DTL"&gt;San Francisco Chronicle&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.news.com/8301-10784_3-9934612-7.html"&gt;CNET&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.upi.com/NewsTrack/Science/2008/05/03/hospital_data_left_open_online/2530/"&gt;United Press International&lt;/a&gt; &lt;br&gt;&lt;a href="http://pub.ucsf.edu/newsservices/releases/200805051/"&gt;UCSF News 
Release&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;b&gt;Report Credit:&lt;/b&gt;&lt;br&gt;Elizabeth Fernandez, San Francisco Chronicle&lt;br&gt;&lt;br&gt;&lt;b&gt;Response:&lt;/b&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.&lt;br&gt;&lt;br&gt;The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.&lt;br&gt;&lt;br&gt;Some patient medical record numbers and the names of the patients' physicians also were available online.&lt;br&gt;&lt;br&gt;The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.&lt;br&gt;&lt;br&gt;Sensitive information can be used by employers, health insurers and other entities to discriminate&lt;br&gt;&lt;br&gt;thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.&lt;br&gt;&lt;i&gt;[Evan] Purloined is a funny word.&amp;nbsp; &lt;/i&gt;&lt;br&gt;&lt;br&gt;"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum&lt;br&gt;&lt;br&gt;"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. 
If you add a medical record number, it is a disaster for patients."&lt;br&gt;&lt;i&gt;[Evan] I don't think most people know this.&amp;nbsp; Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.&lt;/i&gt;&lt;br&gt;&lt;br&gt;Hospital officials say there's no indication of identity theft to date.&lt;br&gt;&lt;br&gt;UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.&lt;br&gt;&lt;br&gt;Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.&lt;br&gt;&lt;i&gt;[Evan] Seems wrong, doesn't it?&amp;nbsp; You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays).&amp;nbsp; If you are deemed a good donor candidate, you get emails and letters that you never signed up for.&amp;nbsp; The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money.&amp;nbsp; Personally, I would be more willing to donate if an organization were straight with me.&lt;/i&gt;&lt;br&gt;&lt;br&gt;The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."&lt;br&gt;&lt;br&gt;Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. 
Ten days after the breach's discovery, UCSF ended its business agreement with Target America.&lt;br&gt;&lt;br&gt;Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.&lt;br&gt;&lt;i&gt;[Evan] There is no mention of this breach anywhere on Target America's site either.&amp;nbsp; Sweep it under the rug and maybe it will go away?&lt;/i&gt;&lt;br&gt;&lt;br&gt;The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.&lt;br&gt;&lt;br&gt;Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.&lt;br&gt;&lt;br&gt;"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."&lt;br&gt;&lt;br&gt;Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.&lt;br&gt;&lt;br&gt;Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."&lt;br&gt;&lt;i&gt;[Evan] Why not say it like it is.&amp;nbsp; The true motive?&lt;/i&gt;&lt;br&gt;&lt;br&gt;"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."&lt;br&gt;&lt;i&gt;[Evan] Closer.&lt;/i&gt;&lt;br&gt;&lt;br&gt;After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. 
It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.&lt;br&gt;&lt;br&gt;While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.&lt;br&gt;&lt;br&gt;"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.&lt;br&gt;&lt;br&gt;Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.&lt;br&gt;&lt;i&gt;[Evan] Don't think that this doesn't happen.&amp;nbsp; Insurance companies are not in business to help people, they are in business to make money.&amp;nbsp; They want to identify as many pre-existing conditions as possible.&lt;/i&gt;&lt;br&gt;&lt;br&gt;UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.&lt;br&gt;&lt;i&gt;[Evan] I think that this is open to interpretation.&amp;nbsp; HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.&lt;/i&gt;&lt;br&gt;&lt;br&gt;"Steps have been taken to reinforce this practice," &lt;br&gt;&lt;i&gt;[Evan] Like what?&amp;nbsp; Are "steps" enough?&lt;/i&gt;&lt;br&gt;&lt;br&gt;For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.&lt;br&gt;&lt;br&gt;"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published. &lt;br&gt;&lt;br&gt;"Medical records are supposed to be of utmost privacy," he said. 
"The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."&lt;br&gt;&lt;i&gt;[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives.&amp;nbsp; One of the best from what I read.&lt;/i&gt;&lt;br&gt;&lt;br&gt;UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.&lt;br&gt;&lt;br&gt;UCSF continually modifies systems and practices to enhance the security of patient information.&lt;br&gt;&lt;br&gt;&lt;b&gt;Commentary:&lt;/b&gt;&lt;br&gt;Hmm.&amp;nbsp; I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising."&amp;nbsp; There is not much discussion surrounding the details of the actual breach itself.&amp;nbsp; I have also read concern about the length of time it took before patients were notified.&lt;br&gt;&lt;br&gt;From Target America's "&lt;a href="http://www.tgtam.com/why.php"&gt;Why Target America?&lt;/a&gt;" page:&lt;br&gt;"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. 
The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."&lt;br&gt;Looks like a pretty important database to me.&amp;nbsp; &lt;br&gt;&lt;br&gt;There are no apologies made by UCSF or Target America for the breach. &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;University of California:&lt;br&gt;April, 2008 - &lt;a href="http://breachblog.com/2008/04/10/uci.aspx"&gt;University of California Irvine students are hit with mysterious breach&lt;/a&gt; &lt;/font&gt;&lt;br&gt;&lt;br&gt;
</description><category>Poor Business Practice</category><category>University of California</category><comments>http://breachblog.com/2008/05/07/ucsf.aspx#Comments</comments><guid isPermaLink="false">8d1a589f-daa2-4134-b469-8e30c0975297</guid><pubDate>Wed, 07 May 2008 16:10:17 GMT</pubDate></item><item><title>Card skimming at Lunardi's Supermarket</title><link>http://breachblog.com/2008/05/06/lunardis.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/lunardis.jpg" align="right" height="55" width="200"&gt;&lt;font size="2"&gt;&lt;b&gt;Date Reported: &lt;/b&gt;&lt;br&gt;4/29/08&lt;br&gt;&lt;br&gt;&lt;b&gt;Organization: &lt;/b&gt;&lt;br&gt;&lt;a href="http://www.lunardis.com/home.html"&gt;Lunardi's&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Customers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;Unknown&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;"bank card numbers and personal identification codes"*&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;*bank cards include credit cards and debit cards&lt;/font&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam.&amp;nbsp; And that number is expected to grow, Los Gatos police Capt. 
Dave Gravel said."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://cbs5.com/localwire/22.0.html?type=bcn&amp;amp;item=THEFT-IDENTITY"&gt;KPIX TV Channel 5&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.mercurynews.com/localnewsheadlines/ci_9103949"&gt;The Mercury News&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.mercurynews.com/breakingnews/ci_9133648?nclick_check=1"&gt;The Mercury News (update)&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;KPIX TV Channel 5&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in more than two dozen reported cases of identity theft, a Los Gatos/Monte Sereno Police Department spokesman said today.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The number "two dozen" was used in the original report on April 29th.&lt;/span&gt;&lt;br&gt;&lt;br&gt;About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] By the time of the May 2nd story, the number of reported cases grew to about 150.&lt;/span&gt;&lt;br&gt;&lt;br&gt;And that number is expected to grow, Los Gatos police Capt. 
Dave Gravel said.&lt;br&gt;&lt;br&gt;Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night and additional victim reports continued on Monday and today, according to police spokesman Tam McCarty.&lt;br&gt;&lt;br&gt;Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi's, 720 Blossom Hill Road, after officials from Lunardi's contacted them about a problem with one of their card readers.&lt;br&gt;&lt;br&gt;"It was a switched card reader at one of the aisles,'' McCarty said.&lt;br&gt;&lt;br&gt;"What we have here is more than one person - they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty. "Once they've done that they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Completely switch out the card reader?&amp;nbsp; I have never been to the store so I don't know the layout, but how does a person switch out a card reader during business hours without anyone noticing?&amp;nbsp; It seems very risky to make the switch during business hours.&amp;nbsp; I suppose that a thief could pose as a repair or other support person that wouldn't look suspect. 
Was the switch done while the store was closed?&amp;nbsp; If so, this seems to imply an insider.&amp;nbsp; Just thoughts, I am sure that the investigators have already thought through these questions.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The thieves then transferred that bank information onto cloned cards - any card with a magnetic stripe can be used - and made cash withdrawals from ATMs in Southern California.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Search Google for "&lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.google.com/search?hl=en&amp;amp;client=firefox-a&amp;amp;rls=org.mozilla%3Aen-US%3Aofficial&amp;amp;hs=ksN&amp;amp;q=credit+card+encoder&amp;amp;btnG=Search"&gt;Credit Card Encoder&lt;/a&gt;&lt;span style="font-style: italic;"&gt;" and take your pick of various credit/debit card magnetic stripe readers/writers.&amp;nbsp; Extreme Media has information on "Credit Card Hacking, ATM Hacking, Debit Card Hacking and more. From Identity Fraud to Off Shore Banking we have you covered."&amp;nbsp; I have never used or read any of their wares, so I don't know how reliable it is.&amp;nbsp; The point I am trying to make is that committing fraud with compromised credit/debit card information is easy and there are plenty of people willing to help the bad guys.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Police are still trying to determine how much money was stolen.&lt;br&gt;&lt;br&gt;Recent shoppers of the Los Gatos Lunardi's should check the status of their bank or credit card accounts for charges they did not make, according to police.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] If I were a customer of Lunardi's, I would contact my bank and close my credit/debit card account and open a new one (with new numbers).&lt;/span&gt;&lt;br&gt;&lt;br&gt;Through an attorney, the Lunardi family, which owns the upscale grocery chain, also declined to discuss specifics about the technology used.&lt;br&gt;&lt;br&gt;In a statement, the owners said the 
chain "in no way wants to compromise the ongoing investigation by law enforcement authorities or to reveal details of our security measures which could counteract their effectiveness."&lt;br&gt;&lt;br&gt;George Silvestri, an attorney for Lunardi's, said the chain has replaced the payment devices at all seven of its Bay Area locations with machines that are locked onto the checkout stands.&lt;br&gt;&lt;br&gt;Lunardi's employees with access to these devices have been trained in security procedures recommended by law enforcement and banking authorities.&lt;br&gt;&lt;br&gt;Anyone who finds fraudulent charges on an account should contact the local police department or the Los Gatos/Monte Sereno Police Department at (408) 354-8600.&lt;br&gt;&lt;br&gt;The thefts at Lunardi's in Los Gatos come about three weeks after police uncovered a similar scam at an Arco AM/PM in Los Altos.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] I missed this specific breach, but I did report an ARCO "skimming" related &lt;a href="http://breachblog.com/2007/12/27/arco.aspx"&gt;breach&lt;/a&gt; in December, 2007.&amp;nbsp; The December breach occurred at the El Monte station.&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;Card skimming is nothing new, but the methods have been refined and the technology has gotten better.&amp;nbsp; The devices used by the criminals used to be pretty easy to identify, but now some of the devices are so small and well made that they can be difficult to notice, even to a trained eye.&amp;nbsp; &lt;br&gt;&lt;br&gt;A video or two might be helpful to readers (good information, but nothing earth shattering).&lt;br&gt;&lt;br&gt;An NBC 10 News report:&lt;br&gt;&lt;object height="355" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/m3qK46L2b_c&amp;amp;hl=en"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.youtube.com/v/m3qK46L2b_c&amp;amp;hl=en" 
type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"&gt;&lt;/object&gt;&lt;br&gt;&lt;br&gt;From the UK, "The Real Hustle - ATM Scam"&lt;br&gt;&lt;object height="355" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/6Zq1oIq87pY&amp;amp;hl=en"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.youtube.com/v/6Zq1oIq87pY&amp;amp;hl=en" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"&gt;&lt;/object&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
</description><category>Lunardi's</category><category>Hack</category><comments>http://breachblog.com/2008/05/06/lunardis.aspx#Comments</comments><guid isPermaLink="false">39b65fd5-1c6a-473c-a4de-60ae5cbc967f</guid><pubDate>Tue, 06 May 2008 12:25:33 GMT</pubDate></item><item><title>Cornerstone Fitness for Women information found in discarded file cabinet</title><link>http://breachblog.com/2008/05/05/cornerstone.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/cornerstone.jpg" align="right" height="82" width="197"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/30/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://cornerstonefitnessrgv.com/"&gt;Cornerstone Fitness for Women&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Customers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;Unknown&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;Names, addresses, phone numbers and in many instances Social Security numbers copies of checks and credit card information&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.newschannel5.tv/2008/4/30/990568/Cornerstone-Identification-Problems"&gt;KRGV-TV Newschannel 5&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.themonitor.com/news/http_11597___article.html/www_idtheft2.html"&gt;The Monitor&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.brownsvilleherald.com/news/local_86350___article.html/fined_clients.html"&gt;The Brownsville Herald&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;KRGV-TV Newschannel 5&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited 
above:&lt;br&gt;&lt;br&gt;EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin.&lt;br&gt;&lt;br&gt;This story came to our attention after NEWSCHANNEL 5's Lisa Cortez received a phone call from a complete stranger on her cell phone.&lt;br&gt;&lt;br&gt;He had Lisa's contract from Cornerstone Fitness.&lt;br&gt;&lt;br&gt;He knew not only her phone number, but also her address, employer, and a copy of a check used to pay her account.&lt;br&gt;&lt;br&gt;He also had about 30 other contracts.&lt;br&gt;&lt;br&gt;"It has everything you would want to know about them. I think those people deserve to know about it," said Zumwalt. (Sammy Zumwalt, the person that called Ms. Cortez)&lt;br&gt;&lt;br&gt;All contracts list names, addresses and phone numbers. Some of them list social security numbers and have copies of checks and credit cards.&lt;br&gt;&lt;br&gt;Zumwalt says his friend found a filing cabinet in a dumpster behind the former Cornerstone Fitness Center for Women in Edinburg.&lt;br&gt;&lt;br&gt;The center shut down several months ago.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] This isn't the first time that we have read about an organization vacating a location and leaving sensitive information behind (unsecured).&amp;nbsp; Just in the past few months there was &lt;/span&gt;&lt;a style="font-style: italic;" href="http://breachblog.com/2008/03/19/affordable.aspx"&gt;Affordable Realty&lt;/a&gt;&lt;span style="font-style: italic;"&gt; in March, and &lt;/span&gt;&lt;a style="font-style: italic;" href="http://breachblog.com/2008/02/29/unionmortgage.aspx"&gt;Union Mortgage&lt;/a&gt;&lt;span style="font-style: italic;"&gt; and &lt;/span&gt;&lt;a style="font-style: italic;" href="http://breachblog.com/2008/02/21/firstmagnus.aspx"&gt;First Magnus&lt;/a&gt;&lt;span style="font-style: italic;"&gt; in 
February.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The paperwork was in Zumwalt's room for several weeks.&lt;br&gt;&lt;br&gt;Recently, he decided to go through the stack of papers and came across the sensitive information.&lt;br&gt;&lt;br&gt;Zumwalt turned the contracts over to NEWSCHANNEL 5.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Why NEWSCHANNEL 5 and not the police or the Texas Attorney General?&amp;nbsp; Do you think somebody wanted their 15 minutes of fame?&lt;/span&gt;&lt;br&gt;&lt;br&gt;"At this point, we don't know what happened. This is not our usual practice. We are investigating it. We've been in the business for 10 years and this is the first time we hear of something like this." (Joseph De la garza, one of the fitness club's owners)&lt;br&gt;&lt;br&gt;NEWSCHANNEL 5 sorted through the contracts and contacted several members from the pile.&lt;br&gt;&lt;br&gt;Cornerstone tells NEWSCHANNEL 5 they carefully guard all sensitive client information.&lt;br&gt;&lt;br&gt;State Sen. Juan "Chuy" Hinojosa, D-McAllen, urged Texas Attorney General Greg Abbott to investigate, according to Jerry Strickland, a spokesman for the attorney general's office.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] I guess this is one good thing about reporting it to the media instead of the authorities.&amp;nbsp; Mr. Hinojosa sees it on TV and pushes for an investigation.&lt;/span&gt;&lt;br&gt;&lt;br&gt;"A lot of businesses are being very careless in the way they handle personal information," Hinojosa said. 
"Businesses (are required) to shred all information they no longer need."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Oh yes, very true.&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victim Reaction:&lt;/span&gt;&lt;br&gt;"I mean, I don't even know how to explain how I feel, because I am so in shock," said one woman after we read her social security number.&lt;br&gt;&lt;br&gt;Denise Grant told NEWSCHANNEL 5, "You never realize how important this information is until you have to try to prove that you are who you say you are." (a woman who claims to have been a victim of identity theft before)&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;Well, we all know (or should know) that this type of breach is nothing new, but I am keyed in on what Mr. Hinojosa stated, "A lot of businesses are being very careless in the way they handle personal information".&amp;nbsp; &lt;br&gt;&lt;br&gt;What will urge businesses to be more careful and secure personal information better?&amp;nbsp; More laws?&amp;nbsp; More costly fines?&amp;nbsp; More laws mean more compliance.&amp;nbsp; More compliance means more cost to companies.&amp;nbsp; More cost to companies means more expensive goods and services.&amp;nbsp; Seems that the same argument holds true for fines.&lt;br&gt;&lt;br&gt;Maybe we should stop using a single identifier for all things personal (i.e. Social Security numbers).&amp;nbsp; Do you think that the credit bureaus and the rest of the financial industry would go for such a radical idea?&amp;nbsp; Do you know how the credit bureaus make money (I won't go into this now)?&amp;nbsp; This would be a tough battle to fight.&lt;br&gt;&lt;br&gt;An easy-to-implement solution does not exist.&amp;nbsp; We have walked so far down this road that I think we may have gotten a little lost.&amp;nbsp; &lt;br&gt;&lt;br&gt;I have ranted long enough.&amp;nbsp; On to the next breach, right? 
&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
&lt;script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/05/cornerstone.aspx" type="text/javascript" charset="utf-8"&gt;&lt;/script&gt;</description><category>Insecure Discard</category><category>Cornerstone Fitness</category><comments>http://breachblog.com/2008/05/05/cornerstone.aspx#Comments</comments><guid isPermaLink="false">795984c8-2a25-4697-8c7b-0b9296f34cd3</guid><pubDate>Mon, 05 May 2008 14:01:48 GMT</pubDate></item><item><title>Stolen General Internal Medicine laptop exposes nearly 12,000</title><link>http://breachblog.com/2008/05/05/gim.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/gim.jpg" align="right" height="133" width="122"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/25/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.genintmed.com/"&gt;General Internal Medicine of Lancaster (PA)&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Patients*&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;*"who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007"&lt;/font&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;"nearly 12,000"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;Names, addresses, telephone and Social Security numbers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"EAST HEMPFIELD TOWNSHIP, Pa. 
-- A laptop stolen from a doctor's office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.wgal.com/news/16008321/detail.html"&gt;WGAL Channel 8 News&lt;/a&gt; &lt;br&gt;&lt;a href="http://articles.lancasteronline.com/local/4/220386"&gt;Lancaster Intelligencer Journal&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.genintmed.com/fraud_alert.htm"&gt;General Internal Medicine of Lancaster&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;General Internal Medicine of Lancaster (PA)&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctor's office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Why do we store personal (and other confidential) information on poorly secured laptops?&amp;nbsp; Why, why, why?&lt;/span&gt;&lt;br&gt;&lt;br&gt;A medical practice in East Hempfield Township is contacting nearly 12,000 of its patients to notify them that a computer was stolen from the office April 17.&lt;br&gt;&lt;br&gt;"We're just sick about this," said practice manager Lois Summers. 
"We know that the computer didn't contain the information of all (12,000) patients, but we notified everyone we saw during that three-year period just to be safe."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The organization is not providing (as far as I can tell) fraud alert or credit monitoring, but the costs are probably still significant.&amp;nbsp; 12,000 mailings have a hard cost and are pretty easy to quantify.&amp;nbsp; The price involved with lost confidence and visits is harder to nail down.&lt;/span&gt;&lt;br&gt;&lt;br&gt;office workers on April 17 were taking paper records bearing basic patient information and scanning them into a laptop computer so the records could then be transferred to a disk.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Even in a small-scale project it is important to evaluate risks EARLY on in the process, before work starts.&lt;/span&gt;&lt;br&gt;&lt;br&gt;After that process was completed, the office planned to burn the paper records.&lt;br&gt;&lt;br&gt;no medical information about patients was compromised.&lt;br&gt;&lt;br&gt;The computer contained the names, addresses, telephone numbers and Social Security numbers of many of the patients who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007.&lt;br&gt;&lt;br&gt;East Hempfield Township police said someone stole the computer from an unlocked conference room inside the Physicians Alliance office building on Columbia Avenue last week.&lt;br&gt;&lt;br&gt;An employee left the area where the scanning was being done for a brief period the morning of April 17. 
When that employee returned, Summers said, the laptop was gone.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] It only takes a second or two for a thief to nab a mobile device.&amp;nbsp; People think that it won't happen to them until it does.&amp;nbsp; Then it's like "@^ @%*#"!&amp;nbsp; Understand that these things will happen.&amp;nbsp; We don't know when.&amp;nbsp; We don't know how.&amp;nbsp; We don't know where.&amp;nbsp; Many times the hardware costs are a write-off, but what is the cost of personal information for which you are not the owner?&amp;nbsp; We can take steps to significantly reduce the risk of data exposure.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Police said they suspect whoever stole the laptop wanted the computer more than the information on it.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Sure.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Investigators also said the personal information is not easy to access.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] "Not easy" is subjective.&amp;nbsp; If the information was only protected by an operating system password, then the information is likely very easy to access.&lt;/span&gt;&lt;br&gt;&lt;br&gt;"Obviously, this was not a secure system we had and it will never be done again in this office," Summers said. "We need a secure (computer) drive that cannot be removed from the office."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Excellent quote, "Obviously, this was not a secure system".&amp;nbsp; Lois Summers then goes on to address physical security of the drive itself.&amp;nbsp; Physical security is very important, but it should be noted that logical security (biometrics, encryption, etc.) 
is equally important.&lt;/span&gt;&lt;br&gt;&lt;br&gt;General Internal Medicine of Lancaster, located in the office building, sent a letter to patients to alert them of what happened.&lt;br&gt;&lt;br&gt;Anyone with questions is urged to call General Internal Medicine at 397-2738.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;The General Internal Medicine of Lancaster web site prominently displayed a "Fraud Alert" graphic in the middle of the home page.&lt;br&gt;&lt;br&gt;&lt;img src="http://images.quickblogcast.com/95781-88451/gimalert.jpg" border="0" width="184"&gt;&lt;br&gt;&lt;br&gt;I appreciate organizations that do not hide the fact that personal information (entrusted to them) has been compromised.&amp;nbsp; Losing the information causes enough stress for victims.&amp;nbsp; General Internal Medicine does a good job of openly admitting the breach and providing information. Their "Fraud Alert" page even provides a link to a copy of the East Hempfield Township &lt;a href="http://www.genintmed.com/police_report.htm"&gt;police report&lt;/a&gt;.&amp;nbsp; I get a real sense that the organization feels terrible about the breach and has taken steps to mend the relationship with patients.&amp;nbsp; I don't get this sense from many breaches.&lt;br&gt;&lt;br&gt;Unfortunately, the information security practices at General Internal Medicine that led to this breach are commonplace in many organizations of all sizes, in many industries. &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
&lt;script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/05/gim.aspx" type="text/javascript" charset="utf-8"&gt;&lt;/script&gt;</description><category>General Internal Medicine of Lancaster</category><category>Stolen Laptop</category><comments>http://breachblog.com/2008/05/05/gim.aspx#Comments</comments><guid isPermaLink="false">21c9cef8-557e-4323-806e-6194f90b1e98</guid><pubDate>Mon, 05 May 2008 12:17:36 GMT</pubDate></item><item><title>SCSU web server becomes spam server and exposes personal information</title><link>http://breachblog.com/2008/05/02/scsu.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/scsu.jpg" align="right" height="62" width="200"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/24/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;Southern Connecticut State University&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Current and former students&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;11,000&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;Names, addresses and Social Security numbers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.southernct.edu/creditmonitoring/"&gt;SCSU Alert&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.pcworld.com/businesscenter/article/145087/after_web_defacement_university_warns_of_data_breach.html"&gt;PCWorld&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.nbc30.com/education/15979690/detail.html"&gt;NBC Channel 30 News&lt;/a&gt; &lt;br&gt;&lt;a href="http://chronicle.com/wiredcampus/index.php?id=2940"&gt;Chronicle of Higher Education&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;Southern Connecticut State University&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited 
above:&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;From the University's Alert Page:&lt;/span&gt;&lt;br&gt;During a recent security review of the Southern Connecticut State University Web server, it was discovered that certain identifying information pertaining to current students and alumni could have been vulnerable to access by unauthorized individuals.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] As you will read further in this posting, the web server appears to have been compromised.&amp;nbsp; I don't think "could have been vulnerable" is an accurate assessment.&amp;nbsp; The information &lt;span style="font-weight: bold;"&gt;WAS &lt;/span&gt;vulnerable.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The information, including names, addresses, and Social Security numbers, was contained in a protected records office file in which students would register for graduation. &lt;br&gt;&lt;br&gt;Records of about 11,000 students had been stored in the file dating back to 2002.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Personal information belonging to thousands of people on a public web server.&amp;nbsp; UGH.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Upon discovering this potential vulnerability, the university immediately disabled the application and secured the file.&lt;br&gt;&lt;br&gt;There has been no determination that the personal information contained in the file was accessed, nor is there any indication that this data has been or will be used for purposes of identity theft.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Even novice web site administrators log access to web pages and files.&amp;nbsp; If the attacker accessed the file through the web service/daemon, then access was probably logged.&amp;nbsp; If the attacker had completely compromised the web server or taken a different avenue of attack, then there might not be easily obtained evidence of access.&amp;nbsp; Either way, I assume that the file could have been accessed 
easily.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The university has notified all the affected individuals by letter and taken a number of proactive steps, along with a full security review of the university's Web server.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] What is proactive in a response?&lt;/span&gt;&lt;br&gt;&lt;br&gt;The University has undertaken a review of all files containing personal information on its Web server and there is no evidence to date that any of them have been compromised.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The University should undertake a review of all files containing personal (and other confidential) information everywhere, not just its Web server.&amp;nbsp; Why would personal information storage be permitted at all on a web server?&lt;/span&gt;&lt;br&gt;&lt;br&gt;Identity protection services will be provided at the university's expense to the affected individuals, for a period of up to two years. To obtain this optional coverage, registration for this service is necessary.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] At the "university's expense" means at the current and future students' expense.&amp;nbsp; As the cost of business goes up, so does the cost of service (at some point), which means an increase in the price of tuition or an increase in taxes (SCSU is a member of the Connecticut State University System).&amp;nbsp; Does this sound like good management?&lt;/span&gt;&lt;br&gt;&lt;br&gt;A help desk has been established to respond to questions. The help desk number is: (203) 392-7216 and will be staffed between the hours of 8:30 a.m. 
to 4:30 p.m.&lt;br&gt;&lt;br&gt;A dedicated Web page, containing updated information, has been created and may be accessed at &lt;a href="http://www.southernct.edu/creditmonitoring/"&gt;www.southernct.edu/creditmonitoring/&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Now From Outside Sources:&lt;/span&gt;&lt;br&gt;Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Do you see how the school's alert web site differs from outside sources?&amp;nbsp; See a spin (one way or the other)?&amp;nbsp; Do you think that the outside sources try to sensationalize the story, or do you think that the school doesn't want the embarrassment that their web server was a spam-related site for some time?&amp;nbsp; Maybe a combination of the two.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The personal data was in a file on the university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Not only was personal information stored on a public web server, but it was stored on a poorly secured (and probably poorly monitored) public web server.&lt;/span&gt;&lt;br&gt;&lt;br&gt;"The hackers were using our Web server as a host for their own Web site," he said.&lt;br&gt;&lt;br&gt;Pages on the university's site contained ads for diamond rings, Viagra and Cialis.&lt;br&gt;&lt;br&gt;After noticing the ads on April 9th, IT staff discovered the file containing the sensitive information. 
"When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.&lt;br&gt;&lt;br&gt;The university believes that the hackers came from outside the U.S., and it is working with Connecticut's attorney general's office to investigate.&lt;br&gt;&lt;br&gt;Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;There are so many things wrong with this, it is hard to know where to start.&amp;nbsp; Will anyone be held accountable?&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;April, 2008 - &lt;a href="http://breachblog.com/2008/04/21/sungard.aspx"&gt;Stolen SunGard laptop affects at least 10 post-secondary schools&lt;/a&gt; (PogoWasRight has been keeping a running update of the Sungard breach; check out their &lt;a href="http://www.pogowasright.org/search.php?type=all&amp;amp;query=Sungard&amp;amp;mode=search&amp;amp;Submit=Search"&gt;search&lt;/a&gt;.)&lt;/font&gt;&lt;br&gt;&lt;br&gt;
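The [Evan] note earlier in this posting makes a point worth checking rather than assuming: if the attacker fetched the file through the web daemon, the access log records it. What follows is an added example, not code from the original post and not anything from SCSU. It parses Apache combined-format access log lines, which are constructed here purely for illustration, and reports every client that requested a given sensitive path, separating successful downloads from failed attempts and campus addresses from outside ones. The file path, the 10.0.0.0/8 campus range and the log lines themselves are all assumptions; on a real server you would feed it the actual log and the actual path of the file.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache "combined" format.
# These are illustrative only; they are not from SCSU's server.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2008:02:14:33 -0400] "GET /records/graduation.xls HTTP/1.1" 200 1843200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.5.21 - - [09/Apr/2008:08:02:10 -0400] "GET /records/graduation.xls HTTP/1.1" 200 1843200 "-" "Mozilla/5.0"
198.51.100.44 - - [09/Apr/2008:09:45:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2008:02:15:02 -0400] "GET /records/graduation.xls HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.44 - - [09/Apr/2008:10:01:55 -0400] "GET /records/Graduation.XLS?x=1 HTTP/1.1" 404 300 "-" "curl/7.18"
this line is not a valid log record
"""

# Assumption: the campus address space is 10.0.0.0/8 (RFC 1918) for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Positional groups: client ip, timestamp, method, request path, status, bytes.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+)'
)


def parse_line(line):
    """Return a dict for one combined-format record, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {
        "ip": ip,
        "ts": ts,
        "method": method,
        "path": path,
        "status": int(status),
        # Apache writes "-" when no body was sent (e.g. on a 304).
        "size": 0 if size == "-" else int(size),
    }


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_file_access(log_text, sensitive_path):
    """Summarise every client that requested sensitive_path.

    The comparison is case-insensitive and ignores the query string, so a
    request for /records/Graduation.XLS?x=1 still counts as an attempt on
    /records/graduation.xls.  Only 2xx responses count as the file being
    served; a 304 means the client already held a copy from an earlier fetch.
    """
    target = sensitive_path.lower()
    hits = defaultdict(lambda: {"requests": 0, "served": 0, "bytes": 0,
                                "internal": False, "when": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated record: skip it, do not crash
        path = rec["path"].split("?", 1)[0].lower()
        if path != target:
            continue
        h = hits[rec["ip"]]
        h["requests"] += 1
        h["when"].append(rec["ts"])
        h["internal"] = is_internal(rec["ip"])
        if rec["status"] // 100 == 2:
            h["served"] += 1
            h["bytes"] += rec["size"]
    return dict(hits)


def external_downloads(hits):
    """Clients outside the campus ranges that actually received the file."""
    return sorted(ip for ip, h in hits.items()
                  if h["served"] != 0 and not h["internal"])


if __name__ == "__main__":
    summary = find_file_access(SAMPLE_LOG, "/records/graduation.xls")
    for ip, h in sorted(summary.items()):
        print(ip, h)
    print("external downloads:", external_downloads(summary))
```

Two things the output makes visible that a bare grep would not: the 304 from 203.0.113.7 shows that client already had the file cached, so its one counted download understates the exposure, and the failed request for the differently-cased name is kept as an attempt even though nothing was served. If the web server was fully compromised, as the spam pages suggest, the attacker may have read the file from disk instead, and this log search proves nothing either way; it only answers the narrower question the note raises.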
&lt;script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/02/scsu.aspx" type="text/javascript" charset="utf-8"&gt;&lt;/script&gt;</description><category>Hack</category><category>Southern Connecticut State University</category><comments>http://breachblog.com/2008/05/02/scsu.aspx#Comments</comments><guid isPermaLink="false">a5b8d659-d42a-4002-97b0-d69e19c49aee</guid><pubDate>Fri, 02 May 2008 11:12:47 GMT</pubDate></item><item><title>Staten Island University Hospital notifies patients of December theft</title><link>http://breachblog.com/2008/05/01/siuh.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/siuh.jpg" align="right" height="83" width="185"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;5/1/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.siuh.edu/index.html"&gt;Staten Island University Hospital&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;None&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Patients&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;88,000&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;"names, Social Security and health insurance numbers"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.silive.com/news/advance/index.ssf?/base/news/1209644107324690.xml&amp;amp;coll=1"&gt;Staten Island Advance&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.silive.com/news/index.ssf/2008/04/cops_seeking_help_following_st.html"&gt;Staten Island Advance (Video)&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;Glenn Nyback, Staten Island Advance&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;STATEN ISLAND, N.Y. 
-- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Wow, December?!&lt;/span&gt;&lt;br&gt;&lt;br&gt;After four months with no arrests, hospital administrators are just now beginning the process of sending letters to patients whose names, Social Security and health insurance numbers were contained in computer files on a desktop computer and a backup hard drive stolen Dec. 29 from one of the hospital's finance offices at 1 Edgewater Plaza.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Keeping sensitive personal information on a desktop computer and a backup hard drive, likely without encryption, is generally poor information security practice.&amp;nbsp; There was no mention of encryption in the news report, so I will assume that it was not present.&lt;/span&gt;&lt;br&gt;&lt;br&gt;"The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,"&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] As stated in numerous Breach Blog postings, true credit monitoring only alerts an individual AFTER fraud has already taken place.&amp;nbsp; A Social Security number and other personal information do not expire or become ineffective after a year, so how good is one year of protection?&lt;/span&gt;&lt;br&gt;&lt;br&gt;Ms. Ryback said no medical records were included in the files.&lt;br&gt;&lt;br&gt;wouldn't speculate why SIUH waited so long to notify people.&amp;nbsp; "I'm not going to get into that," she said. &lt;br&gt;&lt;br&gt;Police described the suspect -- caught on a surveillance camera -- as a black man between 30 and 40 years old. 
The man is seen walking out carrying the computer equipment in a cardboard box.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The video of the theft is &lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.silive.com/news/index.ssf/2008/04/cops_seeking_help_following_st.html"&gt;here&lt;/a&gt;&lt;span style="font-style: italic;"&gt;.&amp;nbsp; It's almost surreal to watch someone walk away with something that is very valuable to many people.&lt;/span&gt;&lt;br&gt;&lt;br&gt;"at this time, there is no reason to believe that patient information from the stolen computer has been misused."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Nope.&amp;nbsp; The thief has not called the hospital to inform them that he is misusing the information.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Ms. Ryback said that, while the motive for the theft is open to question, it appears that it might have been purely for the value of the equipment.&lt;br&gt;&lt;br&gt;"We take this opportunity to offer our apologies to the patients who are affected by the theft,"&lt;br&gt;&lt;br&gt;"We reassure our patients and community that, as always, we regard patient confidentiality as one of our highest priorities, and in this regard, we are working to take additional steps to protect patient information and to reduce the possibility of computer theft in the future."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Like what?&amp;nbsp; Provide some details.&amp;nbsp; Tell your customers/patients specifically what you plan to do in order to protect the information that belongs to them.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Without elaborating, Ms. 
Ryback said that "all you can do is be more security-conscious."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Uh, no.&amp;nbsp; This is not all you can do.&amp;nbsp; Being security-conscious is important, but it is far, far, far from all you can do.&amp;nbsp; How much weight should we put behind a statement like this?&amp;nbsp; It's obvious that Ms. Ryback is not qualified to quantify "all you can do".&lt;/span&gt;&lt;br&gt;&lt;br&gt;Police are asking for the public's help in catching a thief who made off with computer equipment from a Staten Island administrative building occupied by Staten Island University Hospital.&lt;br&gt;&lt;br&gt;Police ask that anyone with information about the theft call NYPD's Crimestopper Hotline at 800-577-TIPS.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Citizen/Victim Reaction:&lt;/span&gt;&lt;br&gt;"After 4 months? Why did it take so long, Ms. Ryback? and now your going to offer to watch peoples credit ? I hope they sue your pants off," one reader, goaway12, posted yesterday.&lt;br&gt;&lt;br&gt;averagedude asked, "where was security?"&lt;br&gt;&lt;br&gt;youbetchabar joked, "4 months is about the same amount of time it takes to get called in the ER," poking fun at the waiting time for emergency patients.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;On the one hand, I enjoy doing research, albeit brief research, about information security breaches.&amp;nbsp; On the other hand, I get really offended by organizations that demonstrate a lack of due care in the handling of personal information.&amp;nbsp; No organization is going to state "We reassure our patients and community that, as always, we regard patient confidentiality as one of our lowest priorities, and in this regard, we are working to take additional steps to disclose patient information and to increase the possibility of computer theft in the future."&amp;nbsp; In the end, what really matters?&amp;nbsp; 
It's not what the organization claims, it is what it demonstrates.&lt;br&gt;&lt;br&gt;I am miffed by SIUH's apparent lack of risk, information security, and incident response management. &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
&lt;script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/01/siuh.aspx" type="text/javascript" charset="utf-8"&gt;&lt;/script&gt;</description><category>Stolen Computer</category><category>Staten Island University Hospital</category><comments>http://breachblog.com/2008/05/01/siuh.aspx#Comments</comments><guid isPermaLink="false">8e090d27-dcbc-4e4e-abb5-cbb7c7e1965b</guid><pubDate>Thu, 01 May 2008 15:09:25 GMT</pubDate></item><item><title>Thousands of Canadian Chrysler Financial customers at risk</title><link>http://breachblog.com/2008/04/30/chryslerfin.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/chryslerfin.jpg" align="right" height="53" width="149"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/22/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.chrysler.com/en/"&gt;Chrysler Corporation&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.chryslerfinancial.ca/en/index.jsp"&gt;Chrysler Financial (Canada)&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.ups.com/"&gt;United Parcel Service ("UPS")&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Canadian customers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;"thousands"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;"names, addresses and social insurance numbers"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"TORONTO - The lending arm of the Chrysler Corporation says the U-P-S courier service may have lost a data tape containing personal information about thousands of its Canadian customers."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.canada.com/windsorstar/news/story.html?id=6480e2a5-b638-4e57-a7fb-64fc00db8dd8&amp;amp;k=5975"&gt;The Windsor Star&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.thespec.com/News/BreakingNews/article/359214"&gt;The Hamilton Spectator&lt;/a&gt; &lt;br&gt;&lt;a href="http://winnipegsun.com/News/Canada/2008/04/24/5374686.html"&gt;Winnipeg Sun&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.thestar.com/Business/article/418228"&gt;Toronto Star&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;Dave 
Hall, The Windsor Star&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;TORONTO - The lending arm of the Chrysler Corporation says the U-P-S courier service may have lost a data tape containing personal information about thousands of its Canadian customers.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] In this day, it baffles me that companies still send backup tapes through UPS, DHL, FedEx, etc. without encryption.&amp;nbsp; This is especially difficult for me to comprehend when the company deals with extremely sensitive personal information.&amp;nbsp; In this instance, I don't place much blame on UPS.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The lost information affects Chrysler Financial lease customers across Canada.&lt;br&gt;&lt;br&gt;The Office of the Privacy Commissioner of Canada says it is "monitoring" Chrysler's lending arm&lt;br&gt;&lt;br&gt;Chrysler Financial also acknowledged yesterday that it waited five weeks or longer to tell customers the tape had been lost or possibly destroyed.&lt;br&gt;&lt;br&gt;Chrysler Financial acknowledged it did not inform customers for five weeks or longer about a "destroyed or lost" tape because of an internal search and investigation, noting it didn't want to alarm customers until it exhausted a search with United Parcel Service.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] This is a common excuse, but is it a valid one?&lt;/span&gt;&lt;br&gt;&lt;br&gt;The automaker had sent a package with the mainframe data tape from Farmington Hills, Mich., via UPS to a Quebec credit agency when it disappeared in early March.&lt;br&gt;&lt;br&gt;The company has not recovered the tape but it found a damaged envelope it was in.&lt;br&gt;&lt;br&gt;The tape holds names, addresses and social insurance numbers of customers.&lt;br&gt;&lt;br&gt;Jelena Jelich says special computer software and other equipment is needed to access the 
data.&lt;br&gt;&lt;br&gt;"The data tape cannot be easily accessed and requires specialized software and equipment to read but it did contain some personal information that Chrysler Financial had obtained from you,"&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] A person would need "specialized software" like backup software (Veritas, Commvault, etc.) and equipment like an appropriate tape drive, I assume.&amp;nbsp; Nothing all that special.&amp;nbsp; The "cannot be easily accessed" claim could be argued.&lt;/span&gt;&lt;br&gt;&lt;br&gt;During the past week, customers have received letters from Chrysler Financial general counsel Brian Chillman informing them of the incident.&lt;br&gt;&lt;br&gt;Chillman said the company has no reason to suspect that an unauthorized person has retrieved or is using the personal information.&lt;br&gt;&lt;br&gt;"Nonetheless, as a precautionary measure we are alerting you to this recent incident so that you may be watchful for signs of any possible misuse of your personal information by an unauthorized recipient,"&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] How nice of Chrysler Financial.&amp;nbsp; After all, the information BELONGS to the customers, not the company.&lt;/span&gt;&lt;br&gt;&lt;br&gt;A Chrysler Financial spokeswoman said that after the tape went missing, internal processes were changed and the information is now sent by secure electronic transmissions. UPS is no longer used.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Welcome to 2008, or was it 1995 (the year IPsec RFCs 1825 &amp;amp; 1829 were published)?&lt;/span&gt;&lt;br&gt;&lt;br&gt;"We apologize for any inconvenience or harm this may cause you." &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victim Reaction:&lt;/span&gt;&lt;br&gt;Chris Jovanovic, who leases a car from Chrysler, said the company was notified by United Parcel Service about the lost tape on Mar. 12 but a letter from Chrysler Financial dated Mar. 
27 didn't arrive in his mailbox until Monday.&lt;br&gt;&lt;br&gt;"It's the time frame of notification that's got me upset because if the tape did fall into the wrong hands, they've had six weeks to access the information and do something with it,"&lt;br&gt;&lt;br&gt;Jovanovic said he wasn't convinced by Chillman's assurances because "someone who knows what they're doing could probably access the information. Nothing's that secure these days and it annoys me to think that if the tape never shows up, will we be looking over our shoulders for years waiting for the information to be used."&lt;br&gt;&lt;br&gt;Jovanovic said he was seeking legal advice to determine his next steps.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;I don't have much patience or compassion for organizations that send tapes containing gigabytes (and sometimes terabytes) of confidential information through couriers and mail without encryption.&amp;nbsp; Chrysler Financial claims that this is the first time something like this has ever happened.&amp;nbsp; Don't you think that it was just a matter of time? &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
</description><category>Chrysler Financial</category><category>Lost Tape</category><category>Chrysler Corporation</category><comments>http://breachblog.com/2008/04/30/chryslerfin.aspx#Comments</comments><guid isPermaLink="false">c878e2da-1494-45f0-b595-4a75557bea8f</guid><pubDate>Wed, 30 Apr 2008 22:04:34 GMT</pubDate></item><item><title>Intrusion into UMass Amherst University Health Services network</title><link>http://breachblog.com/2008/04/30/umassam.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/umassam.jpg" align="right" height="108" width="96"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/18/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.massachusetts.edu/index.html?CFID=3057800&amp;amp;CFTOKEN=55165067"&gt;University of Massachusetts System&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;&lt;a href="http://umass.edu/umhome/"&gt;University of Massachusetts System at Amherst&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.umass.edu/uhs/"&gt;University Health Services&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Patients&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;Unknown&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;"personal information" and "medical records"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.cbs3springfield.com/news/local/18021744.html"&gt;CBS Channel 3 News (Springfield)&lt;/a&gt; &lt;br&gt;&lt;a href="http://umass.edu/newsoffice/newsreleases/articles/74339.php"&gt;UMass Amherst Press Release&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;Lesley Tanner, CBS Channel 3 News&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online source cited above:&lt;br&gt;&lt;br&gt;Hackers breached the computer system used by UMass Amherst's 
Health Services, potentially gaining access to thousands of medical records.&lt;br&gt;&lt;br&gt;More than half of the student population at UMass Amherst are patients on record at the University Health Services.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] According to the UMass Amherst web site, the school had an enrollment of 25,593 total undergraduate and graduate students in the fall of 2006.&amp;nbsp; This just gives us a sense for how big the school is, not how many people may be affected by the supposed breach.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Though many of the most personal medical records are kept on paper files, officials say some personal information is available on the 150 computers used by the department.&lt;br&gt;&lt;br&gt;The incident occurred April 11, and, after an initial investigation of the remote intrusion, the University decided to shut down the network&lt;br&gt;&lt;br&gt;To date, about 30 workstations have been returned to service and officials project that the entire network will be operating within the next week.&lt;br&gt;&lt;br&gt;The workstations in question contained limited patient information.&lt;br&gt;&lt;br&gt;"What we're doing is going through as quickly as we can," says UMass Spokesperson Ed Blaguszewski. 
"And we are making an assessment and can't say for sure that the material wasn't breached."&lt;br&gt;&lt;br&gt;Officials believe outside hackers wanted to use the server as a host for illegal music and video downloads, one that would make the culprits untraceable.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Firewalls, intrusion detection/prevention, logging, etc.?&amp;nbsp; Outside "hackers" for the most part are amongst the easiest to protect confidential information from.&amp;nbsp; "Hackers" looking for a place to store and distribute files are typically opportunists and script-kiddies, and these are even easier to protect against.&amp;nbsp; Were the affected machines workstations, or servers?&lt;/span&gt;&lt;br&gt;&lt;br&gt;"It wasn't a case from what we can tell of someone being in the office and breaking into a computer," says Blaguszewski. "These things are done remotely often times from countries all over the world."&lt;br&gt;&lt;br&gt;A fact that's even more unsettling for patients who were unaware of the breach more than a week after it occurred.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] It seems like the school doesn't know who may be affected and thus they don't know who to notify.&lt;/span&gt;&lt;br&gt;&lt;br&gt;The University did post a notice on the Health Services website, and say they are notifying patients when they enter the clinic.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The &lt;/span&gt;&lt;a style="font-style: italic;" href="http://umass.edu/newsoffice/newsreleases/articles/74339.php"&gt;notice&lt;/a&gt;&lt;span style="font-style: italic;"&gt; &lt;/span&gt;&lt;br&gt;&lt;br&gt;Campus officials say it will be weeks before they are completely sure what information, if any, was taken off the computers.&lt;br&gt;&lt;br&gt;The University has launched a detailed evaluation of the incident to find out if any of the files were accessed during the intrusion, and will keep the community advised of its 
findings.&lt;br&gt;&lt;br&gt;They say the entire campus system is being looked at to avoid future breaches.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] This should be a continuous effort.&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reaction from Students:&lt;/span&gt;&lt;br&gt;"I've been here every time I've been sick this semester," says Freshman Brooke Quinn.&lt;br&gt;&lt;br&gt;"That's my doctor, it's where I go," says Senior Jennifer Scott.&lt;br&gt;&lt;br&gt;"I think that it is scary that anybody on our campus could have our personal information and medical records," says Quinn. &lt;br&gt;&lt;br&gt;"I wasn't aware of it, and no one I know was aware of it," says Scott. "If it's that easy for someone who just wanted to get music who knows what would happen for someone who was trying to get confidential information."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;There is too much uncertainty surrounding this (apparent) breach.&amp;nbsp; If you are a concerned and potentially affected person, I would encourage you to contact officials with the school and seek answers.&amp;nbsp; You could also contact Ed Blaguszewski; his contact information is on the &lt;a href="http://umass.edu/newsoffice/newsreleases/articles/74339.php"&gt;press release&lt;/a&gt;.&amp;nbsp; They should be done with their investigation by now. &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
</description><category>Intrusion</category><category>University of Massachusetts</category><comments>http://breachblog.com/2008/04/30/umassam.aspx#Comments</comments><guid isPermaLink="false">b003209e-5aee-4edd-88ef-a0a00d849937</guid><pubDate>Wed, 30 Apr 2008 15:54:48 GMT</pubDate></item><item><title>CollegeInvest external hard drive goes missing</title><link>http://breachblog.com/2008/04/30/collegeinvest.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/collegeinvest.jpg" align="right" height="56" width="200"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/25/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="http://www.colorado.gov/"&gt;State of Colorado&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;&lt;a href="http://highered.colorado.gov/DHE/Divisions.html"&gt;Department of Higher Education&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.collegeinvest.org/"&gt;CollegeInvest&lt;/a&gt;*&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;*"As a nonprofit division of the Department of Higher Education, CollegeInvest helps students and families finance college through student savings accounts, loans and scholarships."&lt;/font&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Customers**&lt;br&gt;&lt;font size="1"&gt;&lt;br&gt;&lt;font size="1"&gt;**CollegeInvest Education Loan Borrowers January 2002 - August 2007:&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;ul&gt;&lt;li&gt;&lt;font size="1"&gt;Student Loan Borrower&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font size="1"&gt;Parent Loan Borrower&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font size="1"&gt;Consolidation Loan Borrower&lt;br&gt;&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt;&lt;font size="1"&gt;CollegeInvest 529 College Savings Program&lt;br&gt;&lt;/font&gt;&lt;ul&gt;&lt;li&gt;&lt;font size="1"&gt;Direct Portfolio College Savings - Account Owner, Beneficiary&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font size="1"&gt;Stable Value Plus College Savings - Account Owner, Beneficiary &amp;amp; Account Successor&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font size="1"&gt;Prepaid Tuition Fund - Account Owner, Beneficiary &amp;amp; Account Successor&lt;br&gt;&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt;&lt;font 
size="1"&gt;CollegeInvest Scholarship Programs&lt;br&gt;&lt;/font&gt;&lt;ul&gt;&lt;li&gt;&lt;font size="1"&gt;Early Achievers Scholarship Program - All Participants&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font size="1"&gt;College In Colorado Scholarship Program - All Participants&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font size="1"&gt;College Opportunity Fund (COF) Participants - Paper Applications Mailed In Only&lt;br&gt;&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt;&lt;font size="2"&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;~200,000&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;Loan, savings account and scholarship information, including names, addresses and Social Security numbers&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"CollegeInvest moved to a new office space the weekend of March 28th using the international moving firm Graebel. Although Graebel specializes in office relocations and has specialists in moving computer equipment, CollegeInvest discovered while unpacking at the new location that a hard drive with the personal data of some customers was missing. 
Despite an extensive internal investigation, the hard drive has not been found."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.collegeinvest.org/pdf/dataprivacyinformation.pdf"&gt;CollegeInvest Data Privacy Information Frequently Asked Questions&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.gazette.com/articles/identities_35652___article.html/risk_clients.html"&gt;The Gazette (Colorado Springs)&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.myfoxcolorado.com/myfox/pages/News/Detail?contentId=6367257&amp;amp;version=1&amp;amp;locale=EN-US&amp;amp;layoutCode=TSTY&amp;amp;pageId=3.2.1"&gt;Colorado Fox News&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.denverpost.com/headlines/ci_9023638"&gt;The Denver Post&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;CollegeInvest&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;CollegeInvest moved to a new office space the weekend of March 28th using the international moving firm Graebel. Although Graebel specializes in office relocations and has specialists in moving computer equipment, CollegeInvest discovered while unpacking at the new location that a hard drive with the personal data of some customers was missing. 
Despite an extensive internal investigation, the hard drive has not been found.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Is this an attempt to push some of the blame onto Graebel?&lt;/span&gt;&lt;br&gt;&lt;br&gt;About 200,000 CollegeInvest clients - including its entire list of student-loan recipients - had personal information stored on a computer hard drive that the agency said is missing.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Really?&amp;nbsp; This was an external hard drive being used as a backup device.&amp;nbsp; Not necessarily a recommended practice (without encryption and good key management).&lt;/span&gt;&lt;br&gt;&lt;br&gt;Roughly 23 percent of its client base was affected&lt;br&gt;&lt;br&gt;CollegeInvest sent out letters this week to clients informing them that their names, addresses and Social Security numbers may be at risk.&lt;br&gt;&lt;br&gt;"We feel pretty confident the data itself will not be accessed," spokeswoman Jennifer Robinson said&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Why is that?&lt;/span&gt;&lt;br&gt;&lt;br&gt;She said it is encoded and password protected.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Encoded?&amp;nbsp; How?&amp;nbsp; The Denver Post claims that Jennifer Robinson states that the hard drive was encrypted.&amp;nbsp; None of the other sources (including CollegeInvest) are clear on this issue.&amp;nbsp; Clarity in an incident response is very important.&lt;/span&gt;&lt;br&gt;&lt;br&gt;CollegeInvest believes it is unlikely that any of the personal information has been compromised because the data is in a format that would be very difficult to access. 
Recovery of the data would require significant technical expertise and specialized software tools.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] We have read statements like this before.&amp;nbsp; Who is to judge?&lt;/span&gt;&lt;br&gt;&lt;br&gt;The company has not received any calls from clients saying their identities have been stolen&lt;br&gt;&lt;br&gt;The lost data were stored on an external hard drive used to back up files.&lt;br&gt;&lt;br&gt;CollegeInvest discovered the drive was missing after it moved into its new Denver offices.&lt;br&gt;&lt;br&gt;The Colorado Bureau of Investigation has been asked to determine if the drive was stolen or lost. &lt;br&gt;&lt;br&gt;CollegeInvest has recommended its customers monitor bank statements and credit reports. It will also pay for one year of free credit monitoring for those affected.&lt;br&gt;&lt;br&gt;We know that consumers are very focused on maintaining the confidentiality of their personal data and we want to assure them that we take this responsibility very seriously. 
CollegeInvest deeply regrets any inconvenience to customers that this may cause and wants to ensure that our customers get all their questions answered and their concerns addressed.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;It's difficult to comment much on this breach due to the lack of clarity in the response.&amp;nbsp; Lack of clarity in the response is a problem by itself.&lt;br&gt;&lt;br&gt;How much could credit monitoring cost (hypothetically)?&amp;nbsp; List price for Triple Alert is $10.45 for a one-year subscription; FamilySecure costs $29.95 for one year.&amp;nbsp; 200,000 victims x $10.45 = $2,090,000.&amp;nbsp; 200,000 victims x $29.95 = $5,990,000.&amp;nbsp; So a simple lost or stolen hard drive has the potential to cost $2 - 6 million in credit monitoring costs only.&amp;nbsp; No cost to the victims, right?&amp;nbsp; Well, not unless you happen to be a taxpayer.&amp;nbsp; Somebody always pays the price.&lt;br&gt;&lt;br&gt;We all know that a significant number of victims will not sign up for credit monitoring.&amp;nbsp; We also know that CollegeInvest will not be charged full list price for the service.&amp;nbsp; Nevertheless, the costs, no matter what they are, are significant. &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
</description><category>CollegeInvest</category><category>State of Colorado</category><category>Lost Device</category><comments>http://breachblog.com/2008/04/30/collegeinvest.aspx#Comments</comments><guid isPermaLink="false">ef6310ff-12ff-49a9-a59e-e589cc9727cb</guid><pubDate>Wed, 30 Apr 2008 14:10:46 GMT</pubDate></item><item><title>Three computers at the University of Colorado are compromised</title><link>http://breachblog.com/2008/04/30/ucolorado.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;a href="http://technorati.com/tag/security+breach" rel="tag"&gt;Security Breach&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;UPDATE (May 6th, 2008):&lt;br&gt;"&lt;/span&gt;The University of Colorado at Boulder today announced that a forensic
analysis of a computer suspected to have been compromised last week revealed no malicious software, and no exposure of student and staff private data."&lt;br&gt;As reported at the &lt;a href="http://www.colorado.edu/its/news/incidentupdate5.1.08.html"&gt;University of Colorado&lt;/a&gt;.&lt;br&gt;&lt;br&gt;
&lt;img src="http://breachblog.com/images/95781-88451/ucolorado.jpg" align="right" height="146" width="200"&gt;&lt;font size="2"&gt;&lt;span style="font-weight: bold;"&gt;Date Reported: &lt;/span&gt;&lt;br&gt;4/25/08&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Organization: &lt;/span&gt;&lt;br&gt;&lt;a href="https://www.cu.edu/"&gt;University of Colorado&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Contractor/Consultant/Branch:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.colorado.edu/"&gt;University of Colorado at Boulder&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Victims:&lt;/span&gt;&lt;br&gt;Students and instructors involved with the &lt;a href="http://conted.colorado.edu/"&gt;Division of Continuing Education and Professional Studies&lt;/a&gt; between 1997 and 2003.&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Number Affected:&lt;/span&gt;&lt;br&gt;~9,500*&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;*According to the school's response, "approximately 9,000 students, and approximately 500 instructors"&lt;/font&gt;&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Types of Data:&lt;/span&gt;&lt;br&gt;"names, Social Security numbers, addresses, grades"&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Breach Description:&lt;/span&gt;&lt;br&gt;"The University of Colorado at Boulder has announced that it discovered three computers in the Division of Continuing Education and Professional Studies were compromised and that one of the computers contains private data (i.e. 
names, Social Security numbers, addresses, grades) of approximately 9,000 students, and approximately 500 instructors."&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Reference URL:&lt;/span&gt;&lt;br&gt;&lt;a href="http://www.colorado.edu/itsecurity/contedu/"&gt;University of Colorado at Boulder&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.9news.com/news/article.aspx?storyid=90632"&gt;KUSA Channel 9 News&lt;/a&gt; &lt;br&gt;&lt;a href="http://kjct8.com/Global/story.asp?S=8231190"&gt;KJCT Channel 8 News&lt;/a&gt; &lt;br&gt;&lt;a href="http://www.myfoxcolorado.com/myfox/pages/News/Detail?contentId=6397180&amp;amp;version=1&amp;amp;locale=EN-US&amp;amp;layoutCode=TSTY&amp;amp;pageId=3.2.1"&gt;FOX News Colorado&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Report Credit:&lt;/span&gt;&lt;br&gt;University of Colorado at Boulder&lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Response:&lt;/span&gt;&lt;br&gt;From the online sources cited above:&lt;br&gt;&lt;br&gt;BOULDER - The University of Colorado at Boulder announced Friday that three computers in the Division of Continuing Education and Professional Studies were compromised, leaving nearly 10,000 people open to potential identity theft.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] It's not clear whether or not these computers were client computers or servers.&lt;/span&gt;&lt;br&gt;&lt;br&gt;CU Boulder IT security investigators on Thursday discovered a malicious file on the computers and began analyzing log files to determine the extent of the exposure and whether any information was accessed.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Hmm.&amp;nbsp; A "malicious file" could mean a lot of things.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Investigators are still trying to determine the intent of the malicious file and whether it allowed the perpetrator to gain access to any private data.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] The school must think 
that there is a chance that the intent of the malicious file was to capture and transmit sensitive information and that there was a chance of success.&amp;nbsp; Otherwise, why would the school report it?&amp;nbsp; If it were a run of the mill virus (supposing one exists nowadays), would you report it?&amp;nbsp; Hard to say.&lt;/span&gt;&lt;br&gt;&lt;br&gt;Bronson Hilliard, a spokesman for CU-Boulder, says one of the three computers had personal data, including names, Social Security numbers, addresses and grades, of about 9,000 students and about 500 instructors.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Should we assume that these were client computers and that "had" means stored?&lt;/span&gt;&lt;br&gt;&lt;br&gt;"The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security," stated Chancellor G.P. "Bud" Peterson&lt;br&gt;&lt;br&gt;"We will continue and strengthen our security efforts and hold our departments accountable for their success."&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Excellent quote, from G.P. "Bud" Peterson.&amp;nbsp; The keywords that I really like are "continue", "strengthen" and "accountable".&lt;/span&gt;&lt;br&gt;&lt;br&gt;Hilliard says they do not believe the data has been accessed, but CU is in the process of contacting the affected students and instructors by mail.&lt;br&gt;&lt;br&gt;Officials say students and instructors who were involved in the Division of Continuing Education and Professional Studies between 1997 and 2003 were affected.&lt;br&gt;&lt;span style="font-style: italic;"&gt;[Evan] Does the school still need to store personal information that is 5 - 11 years old?&lt;/span&gt;&lt;br&gt;&lt;br&gt;CU says a computer forensics firm has been hired to conduct an analysis. 
&lt;br&gt;&lt;br&gt;Over the past few years, the CU-Boulder campus has stepped up efforts to increase security awareness and address IT security.&lt;br&gt;&lt;br&gt;These efforts have included: &lt;br&gt;&lt;/font&gt;&lt;ul&gt;&lt;li&gt;&lt;font size="2"&gt;Launching a campus risk assessment process in 2005 to identify campus IT security risks and to locate and eliminate unnecessary databases of social security and credit card numbers;&lt;/font&gt;&lt;/li&gt;&lt;li&gt;Switching from Social Security numbers to a student identification number system in 2005;&lt;/li&gt;&lt;li&gt;Using a restrictive network firewall installed in August 2006 that has greatly reduced the campus’s exposure to vulnerabilities;&lt;/li&gt;&lt;li&gt;Conducting computer security training for all employees.&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;&lt;font size="2"&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Commentary:&lt;/span&gt;&lt;br&gt;Generally, I get the feeling that the University of Colorado is much better off in their information security efforts than most schools.&amp;nbsp; The leader of the organization, G.P. 
"Bud" Peterson seems to be in touch based on his remarks, and this should not be undervalued.&amp;nbsp; Organizational leadership is absolutely critical for the implementation and management of an effective information security program.&lt;br&gt;&lt;br&gt;Let’s make some assumptions.&lt;br&gt;&amp;nbsp; &lt;br&gt;Assumption #1 - Most malicious files are obtained through web browsing and email.&amp;nbsp; There are numerous controls that can prevent (or detect early) attempted infections through this avenue of attack.&amp;nbsp; Are these in place at CU?&lt;br&gt;&amp;nbsp; &lt;br&gt;Assumption #2 - The compromised computers were client computers.&amp;nbsp; Generally, it is not advised to store confidential information on client computers unless there is a compelling business case.&amp;nbsp; &lt;br&gt;&lt;br&gt;Assumption #3 - The compromised computers were servers and Assumption #1 is true.&amp;nbsp; I have run into many cases where a server was compromised through administrator web surfing.&amp;nbsp; I also remember when it was recommended that people not run anti-malware applications on servers (due to heavy I/O primarily).&amp;nbsp; A tip: Don't surf the web from servers, and in most cases run (and maintain) anti-malware applications on servers.&lt;br&gt;&lt;br&gt;So, I make a lot of assumptions.&amp;nbsp; Some may be true, and some may be so far off that I should be writing this article on the moon.&amp;nbsp; Either way, breaches get me thinking and thinking is mostly a good thing. &lt;br&gt;&lt;br&gt;&lt;span style="font-weight: bold;"&gt;Past Breaches:&lt;/span&gt;&lt;br&gt;Unknown&lt;/font&gt;&lt;br&gt;&lt;br&gt;
</description><category>University of Colorado</category><category>Malware</category><comments>http://breachblog.com/2008/04/30/ucolorado.aspx#Comments</comments><guid isPermaLink="false">38d93ace-3f31-4fb7-9a28-aa6f7831f545</guid><pubDate>Tue, 06 May 2008 13:09:57 GMT</pubDate></item><item><title>Stolen Hong Kong Child Assessment Service flash drive</title><link>http://breachblog.com/2008/04/29/hkdoh.aspx</link><dc:creator>Evan Francen</dc:creator><description>Technorati Tag: &lt;A href="http://technorati.com/tag/security+breach" rel=tag&gt;Security Breach&lt;/A&gt;&lt;BR&gt;&lt;BR&gt;&lt;IMG height=51 src="http://breachblog.com/images/95781-88451/hkdoh.jpg" width=200 align=right&gt; 
&lt;P&gt;&lt;FONT size=2&gt;&lt;STRONG&gt;Date Reported:&lt;/STRONG&gt; &lt;B