Archive for July, 2010

University of Hawaii Data Breach

July 19th, 2010

Following up on our last post on the Northwestern Iowa University data breach, another data breach incident has happened at the University of Hawaii in Manoa.

The computer security breach is believed to have impacted about 53,000 people, exposing personal information that includes over 40,000 Social Security numbers and over 200 credit card numbers. Apparently the information was stored on a computer server used by the Manoa campus Parking Office.

Breach Discovery

The damage was discovered during an audit exercise conducted on 15th June 2010. According to officials, the breach had happened on May 30, 2010. Once the breach was known, the server was isolated from the rest of the network and an investigation was started, which included notification of the Honolulu Police Department and the FBI. In addition, a forensic computer expert was hired to do further investigation.

About the data

As stated above, the database contained Social Security numbers and credit card information. In addition, it also had records for faculty, staff, and students who were at the institution during 1998. Business information of people who had engaged with the parking office, such as purchasing parking permits or having a car towed, was also exposed.

The Impact of the Breach

So far there is no evidence that the personal information inside the server has either been used or accessed. However, the people who have been potentially affected will be monitoring their financial information and taking measures against identity theft. They have been encouraged to obtain credit reports and review credit and bank information statements regularly for any unusual or suspicious activities. A helpline has been set up by the university to answer questions via the phone and through email. The telephone hotline is at #956-6000 and email is at www.hawaii.edu/idalert/.

What the University Says

The university said in a news release, “To protect personal information from further unauthorized access, Social Security numbers are no longer used for parking transactions and are being purged from all current and historic Parking Office databases.” It added, “Additional security measures that are being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.”

The university spokesman Gregg Takayama said, “A computer hacker introduced a virus into a UH Manoa computer server containing parking office information and this enabled access to data on about 53,000 people”. “As part of our investigation we do know that a computer site in China was involved but that doesn’t necessarily mean that the hacker originated in China,” said Takayama.

What should affected individuals know and do?

Khon2.com has published a detailed set of FAQs which addresses most of the queries related to this incident. One of the queries also provides tips for affected individuals:

Carefully monitor your financial information and take protective measures against identity theft, which include:

  • Obtaining and carefully reviewing credit reports. Free credit reports from all three credit agencies may be obtained by calling 877-322-8228.
  • Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
  • Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

Are you suffering from the breach?

Have you been affected by a data breach? Do you think that your organization is susceptible to a potential security breach? For further information, visit our website, where you will learn about our encryption software and other security protection methods.

If you use data security software, a theft is simply reduced to an insurance matter: the cost of the hardware plus the time to rebuild the laptop. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


Data Breach at Northwestern Iowa University

July 18th, 2010

An on-campus data breach reported by Buena Vista University could include confidential data, including Social Security numbers of students and staff, dating back to 1987.

The breach was reported at Northwestern Iowa University on Friday. According to officials at the university, the incident could affect about 93,000 people. The records could also contain information including addresses and driver's license information.

It is still not clear whether the information has been misused in any way. The university officials are notifying all those students who have been potentially affected by the incident.

The president of the university, Frederick Moore, has apologized for the incident. A computer forensics team will be investigating the matter and the incident will also be reviewed by attorneys.


Laptop Stolen at Department of Labor

July 17th, 2010

The Department of Labor’s Bridgeport office has reported the loss of confidential unemployment insurance information, which has affected about 5,000 individuals and employers. The news was reported last week by officials. The stolen laptop contains confidential information, including Social Security numbers of unemployment insurance claimants who had problems with wage discrepancies, as well as data for certain employers in the Bridgeport region.

The department is sending notification mails to all the 5,000 affected people and employers providing them free credit.

Luckily, the authorities say that the laptop is encrypted and secured by a series of passwords, which would make it extremely difficult to get at the information. The records contain full Social Security numbers, as required by federal law; however, the SSN records are encrypted as well.

Labor Commissioner Linda Agnew said, “While we do not believe the information can be accessed from the laptop’s database and therefore used in a manner that will compromise the security of these individuals, all those potentially impacted by this crime will be offered free, full-service identity theft and credit protection”.

Threat Assessment of the incident

Since the laptop is encrypted and protected by a series of passwords, the severity and extent of possible attacks are greatly reduced. That said, one also needs to understand the type of protection mechanism used, and to consider the case where the person who stole the laptop already knows the passwords.

However, the key point we want to highlight is that the risk has been averted to a large degree because an encryption mechanism of some kind was in place. This is exactly the point we raise on an ongoing basis through our posts, analysis and news.

Get Laptop Encryption now !!

While huge sums are spent on protecting internal networks from hackers, employees are walking out the front door with laptops that not only have vast quantities of data stored on them, but also have applications connecting to internal networks and protected websites.

80% of information theft results from lost or stolen equipment. 50% of network intrusions take place using credentials from lost or stolen equipment. With laptop encryption installed, none of the information or credentials would have been lost. Try Alertsec Xpress now.


ICO faces Mandatory Data Breach Reporting Calls

July 15th, 2010

Legal experts hold a common view about the reporting of incidents involving data breaches. The experts believe that data breaches should be reported to the office of the ‘Information Commission (ICO)’ so that there is complete clarity about the amount of data that is being lost. It will also enable and improve efforts to prevent breaches.

In fact, this pressure is in line with the recent data protection survey conducted by Sophos. Of the 1,200 organisations that were surveyed, around 50% believe the current legislation is too weak, whereas 87% say yes to the reporting of sensitive data breach incidents.

Recently a security roundtable conference was organized. On that occasion, Stewart Room, a partner with legal firm Field Fisher Waterhouse, emphasized the need for mandatory reporting so that organizations cannot avoid reporting incidents involving data breaches and losses.

Stewart Room added, “Many firms we deal with often decide not to report data breaches to the ICO as they are not obliged to report it under law, yet could suffer retrospective punishment despite admitting the loss”. “As such they take a calculated risk that it will not be discovered, and rely on the fallback that, if they were discovered not to have disclosed the breach, they are not actually required to anyway under current law.”

Another limitation pointed out by Room is the current limit on fines, which stands at a maximum of £500,000. According to him, it doesn’t make sense to have a specific limit; it would be more logical to have an uncapped fine, which would be far more stringent.

It is believed that for all ISPs and Telecom companies, mandatory reporting will be introduced from May 2011 onwards.

Another counsel, Kasey Chappelle of Vodafone, mentioned that they currently report any serious losses to the ICO but at the same time also keep customers informed of smaller losses.

At the outset, the need is to educate citizens and organizations about protecting their data. Imposing these monetary fines is a step in that direction.

As experts like Jackie Groves believe, “People at an executive level need to be better educated about why it is vital to manage data. Often middle management do not get the support they need from those at the top to ensure that data is correctly managed,” she said.

There has been rising pressure from the European Commission on the Ministry of Justice to give the ICO more powers, to emphasize the importance of data protection.


AMR Data Breach: 79000 Employees info at risk

July 12th, 2010

AMR, the parent company of American Airlines, has suffered one of the largest and possibly the most severe data breach incidents this year.

How did the breach happen?

The hard disk drive, which contains sensitive information on over 79,000 employees, was stolen from the Texas-based corporate headquarters of AMR. The incident was reported at the company headquarters in Fort on June 4, 2010. Luckily no customer information was stolen.

How sensitive was the data?

The disk contained data on more than 79,000 current, former and retired employees, and all of the data was very critical. The drive had images of microfilm files, containing names, addresses, dates of birth, Social Security numbers and a “limited amount” of bank account information. In addition, there is a possibility that health insurance information could also have been included. Further, it could have contained details about coverage, treatment and other administrative information.

The employee data spanned 1960 through 1995 and included benefits information for employees still working for AMR’s various business units, including American Airlines.

What could be the impact of the incident?

While no fines have been issued against AMR, going by the fines in other industries, AMR could soon witness something similar. Apparently, the state regulators in California have handed out $675,000 in fines to 5 hospitals for security breach incidents involving patient files.

What action did AMR take?

According to AMR spokeswoman Stacey Frantz, no one has been arrested, nor has any employee been dismissed, in connection with the theft. Frantz said the company delayed announcing the theft because it “needed time to understand the scope of the data” and to arrange one year of free credit monitoring for former employees and a small number of the company’s 86,675 active employees who may be affected.

As happens in incidents of this type, the company started mailing out notification letters to all employees and retirees at the beginning of last week. To counter the problem, the company is offering a free year of credit-monitoring services. In addition, it is believed to have initiated new security procedures at its headquarters to prevent future data breaches of this magnitude.

People from the union have expressed their concerns about the loss of data and are also hoping that nothing serious comes out of the incident.

Patrick Hancock, national retirement specialist for the Association of Professional Flight Attendants, said, “We wish they were more careful with the data at the headquarters, like union people are careful with the airplanes out in the world”.

Is this Covered under HIPAA?

All of us are very well aware of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The obvious question is whether this incident is covered under HIPAA or not. The answer is no, and it is because of the age of the files and other factors. But according to AMR, they are definitely following HIPAA compliance, and will take measures to secure the confidentiality of all health and welfare information maintained by them.

Are you suffering from the breach?

In case you or someone you know has been impacted by the breach incident, you can visit the frequently asked questions (FAQ section) on the website at www.amrfaq.com. The website also contains additional information and steps individuals may take to protect themselves.
