The Breach Blog, from FRSecure
The Breach Blog
Digital River breach affects "a dozen different companies"
|
Date Reported:
6/4/10
Organization:
Digital River, Inc.
Contractor/Consultant/Branch:
Digital River Marketing Solutions, Inc. (DirectTrack)
Location:
Pittsburgh, Pennsylvania
Victims:
Digital River, "a dozen different companies", and individuals
Number Affected:
198,398 (unconfirmed)
Types of Data:
"names, e-mail addresses, websites, company names and unique user-identification numbers"
Breach Description:
"A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 20-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars. "
<< MORE >>
Who's responsible for medical records dumped at church?
|
Date Reported:
6/7/10
Organization:
Nursing Visioned Medical Services ("NVMS")*
*NVMS is now defunct (bankrupt), and its assets were purchased by Impulse Monitoring, Inc
.
Contractor/Consultant/Branch:
None
Location:
Nashville, Tennessee
Victims:
Patients
Number Affected:
Unknown; however, "thousands of patient records" were discovered
Types of Data:
"patient records, surgery information, Social Security numbers and bank information"
Breach Description:
"Thousands of patient records, surgery information, Social Security numbers and bank information were found dumped behind a Nashville Church."
<< MORE >>
Roanoke City Public Schools surplus computers put employees at risk
|
Date Reported:
6/1/10
Organization:
Roanoke City Public Schools
Contractor/Consultant/Branch:
None
Location:
Roanoke, Virginia
Victims:
Persons employed by the Division in November, 2006
Number Affected:
"more than 2,000"
Types of Data:
"names, school locations and Social Security numbers"
Breach Description:
"Computers with hard drives containing personal data of school employees as of November 2006 were sold as surplus. The drives have since been recovered."
<< MORE >>
Penn State announces two breaches involving personal information
|
Date Reported:
6/2/10
Organization:
Pennsylvania State University ("Penn State")
Contractor/Consultant/Branch:
Outreach Market Research and Data office, and university libraries
Location:
University Park, Pennsylvania
Victims:
"appear to belong to alumni"
Number Affected:
25,572 Total:
15,806, in the breach affecting the Outreach Market Research office
9,766, in the breach affecting the university libraries
Types of Data:
"personal information, including Social Security numbers"
Breach Description:
"As many as 25,572 Social Security numbers once stored on Penn State computer systems may have been exposed during security breaches in recent weeks, the university reported Wednesday."
<< MORE >>
Sensitive patient information leaked on U of L website
|
Date Reported:
6/2/10
Organization:
University of Louisville ("U of L")
Contractor/Consultant/Branch:
Division of Nephrology
Location:
Louisville, Kentucky
Victims:
Dialysis patients
Number Affected:
708
Types of Data:
"names, social security numbers and other personal information"
Breach Description:
"A University of Louisville database with the names, social security numbers and other personal information of 708 dialysis patients was accessible via the Internet for more than a year, university officials announced Wednesday morning."
<< MORE >>
Unencrypted laptop stolen from children's hospital employee
|
Date Reported:
5/28/10
Organization:
Cincinnati Children's Hospital Medical Center
Contractor/Consultant/Branch:
None
Location:
Cincinnati, Ohio
Victims:
Patients
Number Affected:
61,027
Types of Data:
"personal information, including names, medical record numbers, and services received"
Breach Description:
"The theft of an unencrypted laptop from an employee's car resulted in a breach affecting more than 61,000 patients at Cincinnati Children's Hospital Medical Center. "
<< MORE >>
UK's HMRC mailing error affects more than 50,000 taxpayers
|
Date Reported:
5/27/10
Organization:
HM Customs and Revenue ("HMRC")
Contractor/Consultant/Branch:
Unknown "print supplier"
Location:
London, England
Victims:
English taxpayers
Number Affected:
"around 19,000"*
*Some reports state that as many as 50,000 are affected, but roughly 31,000 did receive the correct information; however, it was unusable - Source: Telegraph.co.uk
Types of Data:
"names, addresses and dates of birth, as well as parts of bank account numbers, salary details and National Insurance numbers"
Breach Description:
"Around 19,000 individuals were sent other people's personal information in the post along with their annual award notice" from HMRC (roughly the UK equivalent to the US IRS).
<< MORE >>
City of Charlotte breach affects 5,220 current and former employees
|
Date Reported:
5/26/10
Organization:
City of Charlotte, North Carolina
Contractor/Consultant/Branch:
Towers Watson
Unnamed "mail service provider"
Location:
Charlotte, North Carolina
Victims:
Current and former city employees
Number Affected:
5,220
Types of Data:
Personal information including "Social Security numbers, health plan coverage numbers, and prescription information".
Breach Description:
"The city of Charlotte says the personal information of 5,220 current and former city employees and elected officials has been lost" on two DVDs that have gone missing.
<< MORE >>
AT&T Wireless customer records found by good Samaritan
|
Date Reported:
5/25/10
Organization:
Ferrell Communication (defunct, no website)
AT&T
Contractor/Consultant/Branch:
Unknown
Location:
Jacksonville, Florida
Victims:
"AT&T cell phone customers"
Number Affected:
Unknown*
*The report claims that "hundreds of files" were discovered
Types of Data:
"personal information of AT&T cell phone customers, including credit card numbers, driver's licenses and Social Security numbers"
Breach Description:
Hundreds of files containing personal information belonging to AT&T cell phone customers were found in a residential recycle bin.
<< MORE >>
Loma Linda University Medical Center confirms breach
|
Date Reported:
5/25/10
Organization:
Loma Linda University Medical Center
Contractor/Consultant/Branch:
None
Location:
Loma Linda, California
Victims:
"surgical patients"
Number Affected:
"more than 500"
Types of Data:
"name, medical record number, diagnosis, surgery date, and the type of procedure"
Breach Description:
"A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials. "
<< MORE >>
Date Reported: 
5/23/10
Organization:
Tri-City Healthcare District
Contractor/Consultant/Branch:
Tri-City Medical Center
Location:
Oceanside, California
Victims:
Patients
Number Affected:
Unknown
Types of Data:
Patient information
Breach Description:
"Dozens of Tri City Medical Center employees may have shared patient's information in social networking sites without the consent of patients."
5/23/10
Organization:
Tri-City Healthcare District
Contractor/Consultant/Branch:
Tri-City Medical Center
Location:
Oceanside, California
Victims:
Patients
Number Affected:
Unknown
Types of Data:
Patient information
Breach Description:
"Dozens of Tri City Medical Center employees may have shared patient's information in social networking sites without the consent of patients."
What do the Teamsters, Canada and FedEx have in common?
Date Reported: 
5/23/10
Organization:
Saskatchewan Government Insurance ("SGI")
Contractor/Consultant/Branch:
Ministry of Justice
Location:
Saskatoon, SK Canada
Victims:
Unknown*
*The reports only name a FedEx employee and her co-workers, but the breach could extend further.
Number Affected:
"around 25"
Types of Data:
Names and residential addresses
Breach Description:
"A Saskatoon FedEx worker is concerned about a privacy breach where the addresses of around 25 local employees were leaked from Saskatchewan Government Insurance (SGI) to the union trying to organize the global courier service."
<< MORE >>
5/23/10
Organization:
Saskatchewan Government Insurance ("SGI")
Contractor/Consultant/Branch:
Ministry of Justice
Location:
Saskatoon, SK Canada
Victims:
Unknown*
*The reports only name a FedEx employee and her co-workers, but the breach could extend further.
Number Affected:
"around 25"
Types of Data:
Names and residential addresses
Breach Description:
"A Saskatoon FedEx worker is concerned about a privacy breach where the addresses of around 25 local employees were leaked from Saskatchewan Government Insurance (SGI) to the union trying to organize the global courier service."
<< MORE >>
We’re Bringing it Back!
After more than 15 months off, we are bringing the Breach Blog back! We hope that it’ll be better than ever too.
Much has happened in the 15 months since I wrote our last post:
- We started an information security consulting company; FRSecure LLC .
- We have worked with and consulted with almost 50 companies! The companies we have been working with vary widely in their size (5 – 46,000+ employees), industry (healthcare, financial services, printing, software development, and application hosting to name a few), culture, and structure.
- Hundreds of breaches have occurred. Breaches are still happening too. Some are the result of unfortunate circumstances, but most are still happening due to a lack of good information security practices.
Our motivations for writing on The Breach Blog again are the same as they were when I first started it 2-1/2 years ago. These motivations will drive my writing style and content.
The Breach Blog is an education and awareness tool.
Although I am often critical of the people and companies who, in my professional opinion, are responsible for information security breaches, it is not my focus to tear people or companies down. I am really a pretty positive guy. My focus is to educate victims, consumers, information security professionals, and anyone else who wishes to read my posts. Most of my posts will be written about breaches. Occasionally I may throw in a special article or two.
I hope that you will participate with your commentary. Your comments are extremely valuable to me, to FRSecure, and to other readers.
Well, that’s it for now. Sadly, I doubt that it will be long before I am writing about the next breach that I come across.
-Evan
Thank You and Moving On
First, I want to sincerely thank all of the readers of the Breach Blog. I have been blessed with the opportunity to meet some very genuine and talented people during my time writing here.
Now is the time for me to move on. I am moving on to other information security related projects. I am moving on to projects that play more into my strengths as an information security practitioner and give more value to a greater number of people. The project taking up most of my time right now is the creation of a series of information security training classes and seminars. It is just one way that I think I can contribute more.
The Breach Blog will still remain active, it just won't be updated on a regular basis anymore. Sometime within the next few weeks, I will post links to one or more of my new projects in a hope that you will find me and my work there.
The Breach Blog started out 18 months ago as a place where I could jot down my thoughts about breaches. It was a place that allowed me to read about current breaches, learn from mistakes, and make comments about my thoughts. What started out small, grew over time and I was (and continue to be) glad to share. In the end, I just want to help people do a better job securing the information assets that they are responsible for.
There are many sites that do a great job of staying current with today's breaches. These sites are maintained by talented and passionate information security professionals. True patriots. Check them out at the links below.
If I forgot a site, my apologies in advance.
I still have plenty of opinions, I will just be voicing them in a different manner in a different place.
Again, a sincere thank you to everyone who read and participated. I hope to run into you all again soon!
Evan Francen
P.S. The "Contact Me" link on the right sidebar will remain active for anyone who wishes to use it.
Now is the time for me to move on. I am moving on to other information security related projects. I am moving on to projects that play more into my strengths as an information security practitioner and give more value to a greater number of people. The project taking up most of my time right now is the creation of a series of information security training classes and seminars. It is just one way that I think I can contribute more.
The Breach Blog will still remain active, it just won't be updated on a regular basis anymore. Sometime within the next few weeks, I will post links to one or more of my new projects in a hope that you will find me and my work there.
The Breach Blog started out 18 months ago as a place where I could jot down my thoughts about breaches. It was a place that allowed me to read about current breaches, learn from mistakes, and make comments about my thoughts. What started out small, grew over time and I was (and continue to be) glad to share. In the end, I just want to help people do a better job securing the information assets that they are responsible for.
There are many sites that do a great job of staying current with today's breaches. These sites are maintained by talented and passionate information security professionals. True patriots. Check them out at the links below.
PogoWasRight
Inside ID Theft
Emergent Chaos
Personal Health Information Privacy
Office of Inadequate Security
Merchant 911
Identity Theft Resource Center
Open Security Foundation Dataloss db
National ID Watch
Streetwise Security Zone
If I forgot a site, my apologies in advance.
I still have plenty of opinions, I will just be voicing them in a different manner in a different place.
Again, a sincere thank you to everyone who read and participated. I hope to run into you all again soon!
Evan Francen
P.S. The "Contact Me" link on the right sidebar will remain active for anyone who wishes to use it.
Kaiser Permanente personnel files found after arrest
Technorati Tag: Security Breach
Date Reported:
2/6/09
Organization:
Kaiser Permanente
Contractor/Consultant/Branch:
None
Location:
Sacramento, California
Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"
Number Affected:
"nearly 30,000"
Types of Data:
Personal information, including "names, social security numbers and birthdates"
Breach Description:
"SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday."
<< MORE >>
Date Reported:2/6/09
Organization:
Kaiser Permanente
Contractor/Consultant/Branch:
None
Location:
Sacramento, California
Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"
Number Affected:
"nearly 30,000"
Types of Data:
Personal information, including "names, social security numbers and birthdates"
Breach Description:
"SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday."
<< MORE >>
Purdue mailing error hits temporary workers
Technorati Tag: Security Breach
Date Reported:
2/3/09
Organization:
Purdue University
Contractor/Consultant/Branch:
None
Location:
West Lafayette, Indiana
Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"
Number Affected:
"248 companies and 962 individuals"
Types of Data:
Personal information, including that found on IRS 1099 forms (Names, addresses, employer identification numbers, Social Security numbers, etc.)
Breach Description:
"WEST LAFAYETTE, Ind. - A potential problem involving 1099 forms may affect individuals or organizations who were employed on a temporary basis by Purdue University in 2008. Due to a mailing error, some of these forms were inadvertently sent to the wrong individual or organization."
<< MORE >>
2/3/09
Organization:
Purdue University
Contractor/Consultant/Branch:
None
Location:
West Lafayette, Indiana
Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"
Number Affected:
"248 companies and 962 individuals"
Types of Data:
Personal information, including that found on IRS 1099 forms (Names, addresses, employer identification numbers, Social Security numbers, etc.)
Breach Description:
"WEST LAFAYETTE, Ind. - A potential problem involving 1099 forms may affect individuals or organizations who were employed on a temporary basis by Purdue University in 2008. Due to a mailing error, some of these forms were inadvertently sent to the wrong individual or organization."
<< MORE >>
Credit card skimming may affect 4,000 Best Buy customers
Technorati Tag: Security Breach
Date Reported:
2/6/09
Organization:
Best Buy Co., Inc.
Contractor/Consultant/Branch:
West Palm Beach, Florida store
Location:
West Palm Beach, Florida
Victims:
Customers during November and December, 2008
Number Affected:
"approximately 4,000"
Types of Data:
"credit card information"
Breach Description:
"An employee at Best Buy’s 1880 Palm Beach Lakes Blvd in West Palm Beach, Florida allegedly stole credit card information during November and December 2008 using an unauthorized personal device."
<< MORE >>
Date Reported:2/6/09
Organization:
Best Buy Co., Inc.
Contractor/Consultant/Branch:
West Palm Beach, Florida store
Location:
West Palm Beach, Florida
Victims:
Customers during November and December, 2008
Number Affected:
"approximately 4,000"
Types of Data:
"credit card information"
Breach Description:
"An employee at Best Buy’s 1880 Palm Beach Lakes Blvd in West Palm Beach, Florida allegedly stole credit card information during November and December 2008 using an unauthorized personal device."
<< MORE >>
Laptop stolen from Educational Testing Service office
Technorati Tag: Security Breach
Date Reported:
1/29/09
Organization:
Educational Testing Service ("ETS")
Contractor/Consultant/Branch:
None
Location:
Unknown
Victims:
Readers
Number Affected:
Unknown
Types of Data:
Personal information, including names and Social Security numbers
Breach Description:
"Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS). The laptop contained sensitive information belonging to people serving in the "role as a reader for ETS."
<< MORE >>
Date Reported:1/29/09
Organization:
Educational Testing Service ("ETS")
Contractor/Consultant/Branch:
None
Location:
Unknown
Victims:
Readers
Number Affected:
Unknown
Types of Data:
Personal information, including names and Social Security numbers
Breach Description:
"Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS). The laptop contained sensitive information belonging to people serving in the "role as a reader for ETS."
<< MORE >>
Successful social engineering attack leads to 45 vitcims
Technorati Tag: Security Breach
Date Reported:
1/30/09
Organization:
State of Oregon
Contractor/Consultant/Branch:
Department of Human Services
Location:
Salem, Oregon
Victims:
"Coos County residents applying for assistance"
Number Affected:
45
Types of Data:
Personal information, including Social Security numbers
Breach Description:
"COOS BAY, Ore. (AP) — An online scam resulted in the theft of 45 Social Security numbers at the Oregon Department of Human Services office in Coos Bay last week."
<< MORE >>
Date Reported:1/30/09
Organization:
State of Oregon
Contractor/Consultant/Branch:
Department of Human Services
Location:
Salem, Oregon
Victims:
"Coos County residents applying for assistance"
Number Affected:
45
Types of Data:
Personal information, including Social Security numbers
Breach Description:
"COOS BAY, Ore. (AP) — An online scam resulted in the theft of 45 Social Security numbers at the Oregon Department of Human Services office in Coos Bay last week."
<< MORE >>
Georgia parolee information lost on stolen computer
Technorati Tag: Security Breach
Date Reported:
2/3/09
Organization:
State of Georgia
Contractor/Consultant/Branch:
State Board of Pardons and Paroles
Location:
Roswell, Georgia
Victims:
"current and past parolees supervised by the agency since 1998"
Number Affected:
Unknown
Types of Data:
"names, dates of birth and social security numbers"
Breach Description:
The Georgia State Board of Pardons and Paroles has issued a News Release announcing the theft of a computer from a contractor working on behalf of the agency. The computer contained sensitive information belonging to certain current and former parolees.
<< MORE >>
Date Reported:2/3/09
Organization:
State of Georgia
Contractor/Consultant/Branch:
State Board of Pardons and Paroles
Location:
Roswell, Georgia
Victims:
"current and past parolees supervised by the agency since 1998"
Number Affected:
Unknown
Types of Data:
"names, dates of birth and social security numbers"
Breach Description:
The Georgia State Board of Pardons and Paroles has issued a News Release announcing the theft of a computer from a contractor working on behalf of the agency. The computer contained sensitive information belonging to certain current and former parolees.
<< MORE >>
Older Entries
Our Feeds
Entries Atom 1.0- Comments Atom 1.0
- Entries RSS 2.0
- Comments RSS 2.0
- Podcasts RSS 2.0
Bookmarks
