The Breach Blog, from FRSecure

Digital River breach affects "a dozen different companies"

Date Reported:
6/4/10

Organization:
Digital River, Inc.

Contractor/Consultant/Branch:
Digital River Marketing Solutions, Inc. (DirectTrack)

Location:
Pittsburgh, Pennsylvania

Victims:
Digital River, "a dozen different companies", and individuals

Number Affected:
198,398 (unconfirmed)

Types of Data:
"names, e-mail addresses, websites, company names and unique user-identification numbers"

Breach Description:
"A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 20-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars. "

Who's responsible for medical records dumped at church?

Date Reported:
6/7/10

Organization:
Nursing Visioned Medical Services ("NVMS")*

*NVMS is now defunct (bankrupt), and its assets were purchased by Impulse Monitoring, Inc.

Contractor/Consultant/Branch:
None

Location:
Nashville, Tennessee

Victims:
Patients

Number Affected:
Unknown; however, "thousands of patient records" were discovered

Types of Data:
"patient records, surgery information, Social Security numbers and bank information"

Breach Description:
"Thousands of patient records, surgery information, Social Security numbers and bank information were found dumped behind a Nashville Church."

Roanoke City Public Schools surplus computers put employees at risk

Date Reported:
6/1/10

Organization:
Roanoke City Public Schools

Contractor/Consultant/Branch:
None

Location:
Roanoke, Virginia

Victims:
Persons employed by the Division in November, 2006

Number Affected:
"more than 2,000"

Types of Data:
"names, school locations and Social Security numbers"

Breach Description:
"Computers with hard drives containing personal data of school employees as of November 2006 were sold as surplus. The drives have since been recovered."

Penn State announces two breaches involving personal information

Date Reported:
6/2/10

Organization:
Pennsylvania State University ("Penn State")

Contractor/Consultant/Branch:
Outreach Market Research and Data office, and university libraries

Location:
University Park, Pennsylvania

Victims:
"appear to belong to alumni"

Number Affected:
25,572 Total:
15,806, in the breach affecting the Outreach Market Research office
9,766, in the breach affecting the university libraries

Types of Data:
"personal information, including Social Security numbers"

Breach Description:
"As many as 25,572 Social Security numbers once stored on Penn State computer systems may have been exposed during security breaches in recent weeks, the university reported Wednesday."

Sensitive patient information leaked on U of L website

Date Reported:
6/2/10

Organization:
University of Louisville ("U of L")

Contractor/Consultant/Branch:
Division of Nephrology

Location:
Louisville, Kentucky

Victims:
Dialysis patients

Number Affected:
708

Types of Data:
"names, social security numbers and other personal information"

Breach Description:
"A University of Louisville database with the names, social security numbers and other personal information of 708 dialysis patients was accessible via the Internet for more than a year, university officials announced Wednesday morning."

Unencrypted laptop stolen from children's hospital employee

Date Reported:
5/28/10

Organization:
Cincinnati Children's Hospital Medical Center

Contractor/Consultant/Branch:
None

Location:
Cincinnati, Ohio

Victims:
Patients

Number Affected:
61,027

Types of Data:
"personal information, including names, medical record numbers, and services received"

Breach Description:
"The theft of an unencrypted laptop from an employee's car resulted in a breach affecting more than 61,000 patients at Cincinnati Children's Hospital Medical Center. "

UK's HMRC mailing error affects more than 50,000 taxpayers

Date Reported:
5/27/10

Organization:
HM Customs and Revenue ("HMRC")

Contractor/Consultant/Branch:
Unknown "print supplier"

Location:
London, England

Victims:
English taxpayers

Number Affected:
"around 19,000"*

*Some reports state that as many as 50,000 are affected, but roughly 31,000 did receive the correct information; however, it was unusable - Source: Telegraph.co.uk

Types of Data:
"names, addresses and dates of birth, as well as parts of bank account numbers, salary details and National Insurance numbers"

Breach Description:
"Around 19,000 individuals were sent other people's personal information in the post along with their annual award notice" from HMRC (roughly the UK equivalent to the US IRS).

City of Charlotte breach affects 5,220 current and former employees

Date Reported:
5/26/10

Organization:

City of Charlotte, North Carolina

Contractor/Consultant/Branch:

Towers Watson
Unnamed "mail service provider"

Location:

Charlotte, North Carolina

Victims:

Current and former city employees

Number Affected:

5,220

Types of Data:

Personal information including "Social Security numbers, health plan coverage numbers, and prescription information".

Breach Description:

"The city of Charlotte says the personal information of 5,220 current and former city employees and elected officials has been lost" on two DVDs that have gone missing.

AT&T Wireless customer records found by good Samaritan

Date Reported:
5/25/10

Organization:
Ferrell Communication (defunct, no website)
AT&T

Contractor/Consultant/Branch:
Unknown

Location:
Jacksonville, Florida

Victims:
"AT&T cell phone customers"

Number Affected:
Unknown*

*The report claims that "hundreds of files" were discovered

Types of Data:
"personal information of AT&T cell phone customers, including credit card numbers, driver's licenses and Social Security numbers"

Breach Description:
Hundreds of files containing personal information belonging to AT&T cell phone customers were found in a residential recycle bin.

Loma Linda University Medical Center confirms breach

Date Reported:
5/25/10

Organization:
Loma Linda University Medical Center

Contractor/Consultant/Branch:
None

Location:
Loma Linda, California

Victims:
"surgical patients"

Number Affected:
"more than 500"

Types of Data:
"name, medical record number, diagnosis, surgery date, and the type of procedure"

Breach Description:
"A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials. "

Date Reported:
5/23/10

Organization:
Tri-City Healthcare District

Contractor/Consultant/Branch:
Tri-City Medical Center

Location:
Oceanside, California

Victims:
Patients

Number Affected:
Unknown

Types of Data:
Patient information

Breach Description:
"Dozens of Tri City Medical Center employees may have shared patient's information in social networking sites without the consent of patients."

What do the Teamsters, Canada and FedEx have in common?

Date Reported:
5/23/10

Organization:
Saskatchewan Government Insurance ("SGI")

Contractor/Consultant/Branch:
Ministry of Justice

Location:
Saskatoon, SK  Canada

Victims:
Unknown*

*The reports only name a FedEx employee and her co-workers, but the breach could extend further.

Number Affected:
"around 25"

Types of Data:
Names and residential addresses

Breach Description:
"A Saskatoon FedEx worker is concerned about a privacy breach where the addresses of around 25 local employees were leaked from Saskatchewan Government Insurance (SGI) to the union trying to organize the global courier service."

We’re Bringing it Back!

After more than 15 months off, we are bringing the Breach Blog back!  We hope that it’ll be better than ever too.

Much has happened in the 15 months since I wrote our last post:

  • We started an information security consulting company: FRSecure LLC.
  • We have worked with and consulted with almost 50 companies!  The companies we have been working with vary widely in their size (5 – 46,000+ employees), industry (healthcare, financial services, printing, software development, and application hosting to name a few), culture, and structure.
  • Hundreds of breaches have occurred.  Breaches are still happening too.  Some are the result of unfortunate circumstances, but most are still happening due to a lack of good information security practices.

Our motivations for writing on The Breach Blog again are the same as they were when I first started it 2-1/2 years ago.  These motivations will drive my writing style and content.

The Breach Blog is an education and awareness tool.

Although I am often critical of the people and companies who, in my professional opinion, are responsible for information security breaches, it is not my focus to tear people or companies down.  I am really a pretty positive guy.  My focus is to educate victims, consumers, information security professionals, and anyone else who wishes to read my posts.  Most of my posts will be written about breaches.  Occasionally I may throw in a special article or two.

I hope that you will participate with your commentary.  Your comments are extremely valuable to me, to FRSecure, and to other readers.

Well, that’s it for now.  Sadly, I doubt that it will be long before I am writing about the next breach that I come across.

-Evan

Thank You and Moving On

First, I want to sincerely thank all of the readers of the Breach Blog.  I have been blessed with the opportunity to meet some very genuine and talented people during my time writing here.

Now is the time for me to move on.  I am moving on to other information security related projects.  I am moving on to projects that play more into my strengths as an information security practitioner and give more value to a greater number of people.  The project taking up most of my time right now is the creation of a series of information security training classes and seminars.  It is just one way that I think I can contribute more.

The Breach Blog will still remain active, it just won't be updated on a regular basis anymore.  Sometime within the next few weeks, I will post links to one or more of my new projects in a hope that you will find me and my work there.

The Breach Blog started out 18 months ago as a place where I could jot down my thoughts about breaches.  It was a place that allowed me to read about current breaches, learn from mistakes, and make comments about my thoughts.  What started out small, grew over time and I was (and continue to be) glad to share.  In the end, I just want to help people do a better job securing the information assets that they are responsible for.

There are many sites that do a great job of staying current with today's breaches.  These sites are maintained by talented and passionate information security professionals.  True patriots.  Check them out at the links below.

PogoWasRight
Inside ID Theft
Emergent Chaos
Personal Health Information Privacy
Office of Inadequate Security
Merchant 911
Identity Theft Resource Center
Open Security Foundation Dataloss db
National ID Watch
Streetwise Security Zone

If I forgot a site, my apologies in advance.

I still have plenty of opinions, I will just be voicing them in a different manner in a different place.

Again, a sincere thank you to everyone who read and participated.  I hope to run into you all again soon!

Evan Francen
P.S.  The "Contact Me" link on the right sidebar will remain active for anyone who wishes to use it.

Kaiser Permanente personnel files found after arrest

Date Reported:
2/6/09

Organization:
Kaiser Permanente

Contractor/Consultant/Branch:
None

Location:
Sacramento, California

Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"

Number Affected:
"nearly 30,000"

Types of Data:
Personal information, including "names, social security numbers and birthdates"

Breach Description:
"SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday."

Purdue mailing error hits temporary workers

Date Reported:
2/3/09

Organization:
Purdue University

Contractor/Consultant/Branch:
None

Location:
West Lafayette, Indiana

Victims:
"individuals or organizations who were employed on a temporary basis by Purdue University in 2008"

Number Affected:
"248 companies and 962 individuals"

Types of Data:
Personal information, including that found on IRS 1099 forms (Names, addresses, employer identification numbers, Social Security numbers, etc.)

Breach Description:
"WEST LAFAYETTE, Ind. - A potential problem involving 1099 forms may affect individuals or organizations who were employed on a temporary basis by Purdue University in 2008.  Due to a mailing error, some of these forms were inadvertently sent to the wrong individual or organization."

Credit card skimming may affect 4,000 Best Buy customers

Date Reported:
2/6/09

Organization:
Best Buy Co., Inc.

Contractor/Consultant/Branch:
West Palm Beach, Florida store

Location:
West Palm Beach, Florida

Victims:
Customers during November and December, 2008

Number Affected:
"approximately 4,000"

Types of Data:
"credit card information"

Breach Description:
"An employee at Best Buy’s 1880 Palm Beach Lakes Blvd in West Palm Beach, Florida allegedly stole credit card information during November and December 2008 using an unauthorized personal device."

Laptop stolen from Educational Testing Service office

Date Reported:
1/29/09

Organization:
Educational Testing Service ("ETS")

Contractor/Consultant/Branch:
None

Location:
Unknown

Victims:
Readers

Number Affected:
Unknown

Types of Data:
Personal information, including names and Social Security numbers

Breach Description:
"Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS).  The laptop contained sensitive information belonging to people serving in the "role as a reader for ETS."

Successful social engineering attack leads to 45 victims

Date Reported:
1/30/09

Organization:
State of Oregon

Contractor/Consultant/Branch:
Department of Human Services

Location:
Salem, Oregon

Victims:
"Coos County residents applying for assistance"

Number Affected:
45

Types of Data:
Personal information, including Social Security numbers

Breach Description:
"COOS BAY, Ore. (AP) — An online scam resulted in the theft of 45 Social Security numbers at the Oregon Department of Human Services office in Coos Bay last week."

Georgia parolee information lost on stolen computer

Date Reported:
2/3/09

Organization:
State of Georgia

Contractor/Consultant/Branch:
State Board of Pardons and Paroles

Location:
Roswell, Georgia

Victims:
"current and past parolees supervised by the agency since 1998"

Number Affected:
Unknown

Types of Data:
"names, dates of birth and social security numbers"

Breach Description:
The Georgia State Board of Pardons and Paroles has issued a News Release announcing the theft of a computer from a contractor working on behalf of the agency.  The computer contained sensitive information belonging to certain current and former parolees.
