Midlothian Council pays hefty fine for data breach

ICO is leaving no stone un-turned to punish data breach culprits. It is levying fines to those who compromised private data, especially children’s sensitive data.

Recently the council fined the Midlothian Council a record fine of £140,000 for disclosing sensitive child data. And we are not talking here about just one breach. There were 5 breaches between Jan and June 2011.

The case in detail

Breach 1 – This happened when documents related to the status of a foster carer were sent to seven healthcare professionals, who had no reason to see this data.

This particular incident took place in January 2011 and details came to light only in March when the council started to investigate. In spite of the investigation similar incidents took place in May and June.

Breach 2 – Minutes of a child protection conference were sent by mistake to the former address of the mother’s partner, where they were opened and read by an unauthorized individual. The documents contained personal data about the mother, who made a complaint to her social worker about this case.

Assistant Commissioner for Scotland Ken Macdonald said “the serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.’

“I hope this penalty acts as a reminder to all organizations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

He further added that information about children’s care, details about their health and wellbeing, is the most sensitive information that is held by local authorities. It goes without saying that this information has to be protected and that strict policies are to be chalked out and followed.

The ICO’s investigation

According to the ICO all five breaches could have been avoided if the council had been strict about protection policies, training and had put checks in place. It has further ordered the council to take action to keep the personal data secure.

Since the incidents the council has recovered all of the information that was sent to the wrong recipients and is updating its security policies.

What the the ICO chiefly wants is that the government should give itstronger powers to audit local councils’ data protection compliance, if necessary without consent.

NHS bodies across the UK want the same kind of powers in light of the recent data protection breaches.

Midlothian Council comments:

Colin Anderson, chief social work officer for Midlothian Council, commented: “As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry.

“The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the information commissioner. I must emphasise that there is no evidence that anyone was put at risk.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption

Stratfor relaunches site post hack attack

Stratfor is officially back but its servers are heavily burdened due to its offer of free access. Stratfor CEO criticized the attackers for targeting the company, an email said. Stratfor aka Strategic Forecasting is back online after it was hacked into last month.

The new site

Stratfor relaunched  the new site on Jan. 11 exactly 18 days after the hacking group Anonymous hacked into its servers on Dec. 24. The hackers hacked Stratfor’s servers and took away data related to its subscribers and also defaced the site. The information that was dumped online included 75,000 credit card numbers and 860,000 usernames and passwords. Almost 50,000 of the addresses had a .mil or .gov domain. According to a Stratfor spokesperson there was going to be a delay with the site re-launch. The company planned to bring in a team of consultants and experts to tackle the security issues. The company further decided to move all credit card management activities to a third-party company so that customer data remained secure.

According to George Friedman, CEO of Stratfor “This was our failure,”. “I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.” “I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation,” Friedman said. The FBI had informed credit card companies of the breach and had provided a list of compromised cards, so “our customers were therefore protected,” he said, adding, “We were not compelled to undermine the investigation.” “This attack was clearly designed to silence us by destroying our records and the website,”.

What went wrong?

Apparently Stratfor had failed to encrypt credit card data and had stored the information in cleartext. After the passwords were analyzed, it was seen that security practices were not followed.There was no check on passwords when they were created by users.

Friedman further added “We were no longer an organization that analyzed the world for the interested public, but rather a group of incompetents, and conversely, the hub of a global conspiracy,”. According to him the media had publicized “incompetents” part while the hacking community focused on the “global conspiracy” part.

Relaunch offer

Stratfor Inc hacked and credit card data stolen

Anonymous has always been in the news for data hacking and just when we were wondering what they were up to, they are here! This time they have been successful in breaching data of the security Think-Tank Strategic Forecating  Inc, based out of Austin.

The details

The group managed to hack into  Stratfor’s web site and get data  about the company’s corporate subscribers. This resulted in the website being closed down temporarily. Anonymous was proud to announce that they stole passwords, credit card details, and home addresses of about 4,000 people on Stratfor’s private client list. Their plan was to use the credit card information to make fraudulent donations to charities. The hackers described the data on Pastebin, then provided several links to websites hosting the information. According to them some 50,000 of the e-mail addresses released end in “.mil” or “.gov.”

Strangely enough, some representatives of the Anonymous group denied complete responsibility of the attacks.  According to an Anonymous spokesman  “it does not attack media sources.” The organization has been known for its hacks on Sony’s PlayStation services, the Church of Scientology, as well as companies, banks, and organizations  that supported WikiLeaks.

What business is  Stratfor into?

The company offers its clients like the U.S. Air Force, the Miami Police Department, and Apple, high-quality economic, political, and even military analysis to clients, delivered daily via email, video, and the Web.

After the hack

Stratfor is offering a free one-year subscription to an identity protection service to those affected. Stratfor’s CEO, George Friedman confirmed on the company’s Facebook page on Monday that the hack disclosed the names of some corporate subscribers along with personal and credit card data.

Barrett Brown, spokesman for Anonymous said “This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor’s employees off the record over more than a decade,”. “Many of those contacts work for major corporations within the intelligence and military contracting sectors, government agencies and other institutions.”

Stratfor’s chief George Friedman’s statement

High profile attacks are making the rounds and security agencies are scrambling to get the security policies of such companies in place. Stratfor’s website is under repair as of today and will take some time before it gets back in shape.

Alertsec equips firms with encryption software

Alertsec is here to take care of our security issues especially for anyone working with PCs. Alertsec Xpress is the service that automatically protects ALL information you store on your PC. The fact that we now buy more laptops than desktops shows that the information we all store is increasingly more vulnerable to be exposed. It is a much higher risk to lose a laptop than a desktop computer.

Encryption is the only secure method for complete protection of data stored on your hard disk. Today laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. Thus laptop encryption is becoming more and more important.

Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users.

PRC Director Beth Givens gives an insight into Medical data breaches

The San Diego-based Privacy Rights Clearinghouse has come up with a list of 2011’s six most significant data breaches.

An overview

2011 has been a bad year for Medical data breaches. According to the PRC there were a total of 535 breaches that involved 30.4 million sensitive records. When we talk about sensitive information we mean Social Security numbers, drivers license numbers, financial account information and medical data.

Top breaches

The worst hit was Health Net as nine of its data servers went missing from a Northern California data center in January. The servers had records of almost two million current and former policy holders.

Sutter Health experienced data breach when its company-issued computer was stolen from Sutter’s Medication Foundation offices. Health Data of more than 4 million patients was compromised.

Tricare Management Activity and Science Applications International Corporation – Backup tapes containing data ofto 4.9 million patients were stolen from an employee’s car.

Powys County Council in deep waters over data breach

Last few posts mentioned about fines being imposed on councils who have breached the data protection act. But this post breaks all records. It talks about how Powys County council was asked to pay a fine of £130,000 to ICO for data breach. This is the biggest fine ever!

The ICO’s office was conferred powers to impose fine on data breaching organizations on April 2010. Assistant Commissioner for Wales Anne Jones says”There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,”.

The strange part is that Powys County Council had earlier breached this act twice but had not gotten caught. But this time luck was against the organization and it is expected to pay a hefty fine. Here is the ICO’s statement regarding the earlier data breaches “Two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.”

The first incident was written off as an ‘once in a blue moon’ error but then a second one occured where a social worker sent data about another child to the same member of the public who was also familiar with the child.

Ann Jones further added”This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

The ICO had given an warning to the council to revamp its security policies or be ready to face consequences. Not much has changed in terms of security, the latest breach makes that all too clear. Now the ICO has threatened to take the council to court if it does not get back on its feet and beef up its security measures. The ICO has further made it compulsory for the counil to train its staff on how to follow the council’s guidance on the handling of personal data by 31 March 2012, along with refresher training provided every three years.

Alertsec to the rescue

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

According to the Middletown police Larry A. Osborne Jr., 29,has been charged with third-degree felony theft on Nov. 9 in Middletown Municipal Court. He is accused of stealing computers since 2008. Osborne, a computer technician, was a former contractor of the Butler County Educational Service Center. The approximate value of the 400 laptops is $123,000. Osborne used to sell these computers on ebay.  He sold around 350 computers to a man in PA who had no clue that these computers were stolen property. The PA man has not been charged. The machines were either used ones or non-working.

Former school contractor stole 400 laptops

The first theft was reported on Nov. 8 where eight Apple laptop computers were stolen from the district’s warehouse, 110 Baltimore St.

The case of the missing laptops and their recovery

The York County Sheriff’s Department has succeeded in recovering 50 Apple laptop computers that were stolen from Massabesic High School this week. Where exactly were they found is not revealed as yet, only that it was a good distance away from the school.

According to Sheriff Maurice Ouellette the laptops are in good condition and had been placed inside two, large plastic tubs with covers on them at the time of recovery.

“This was stuff that kids used to study with … That’s something I take personally,” Ouellette said.

How did the thieves manage to steal these computers?

It appears that the thief or thieves pried open a window to gain entrance to the school. The thieves entered the East Building of the school and did away with the computers and a projector.

“I’ve been working for this school district for a number of years and this is certainly the largest theft of any equipment that i’ve ever experienced or that i know of”, said RSU 57 Technology Director Bob Stackpole

School staff and students were interviewed in detail by the police in hope of getting clues about the theft.

A TV viewer caught this piece of news item on TV and got in touch with the authorities. The total value of the computers was around $60,000.

Alertsec equips firms with encryption software

Alertsec is here to take care of our security issues especially for anyone working with PCs. Al

Stolen Laptops from Massabesic School recovered

Aertsec Xpress is the service that automatically protects ALL information you store on your PC. The fact that we now buy more laptops than desktops shows that the information we all store is increasingly more vulnerable to be exposed. It is a much higher risk to lose a laptop than a desktop computer.

Encryption is the only secure method for complete protection of data stored on your hard disk. Today laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. Thus laptop encryption is becoming more and more important.

Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users.

Ruth Crawford QC was on a holiday when her laptop went missing. The laptop contained personal information related to clients who were a part of Ms Crawford’s eight court cases. This data was specifically about the mental and physical health of the clients.

Ms Crawford was lucky that the incident took place in 2009. Had it taken place seven months later, she would have been fined for breaching the data protection Act as that was when the ICO was given new powers to impose fines of up to £500,000.

As of today Ms Crawford has signed an undertaking that says she is going to encrypt all her portable devices and secure them properly. These are the exact words of the undertaking ”The theft occurred while the data controller (Ms Crawford) was on holiday, having left plumbers to fit a new boiler at her home. The data controller provided the plumbers with keys and the code to her alarm. She highlighted the importance of keeping her front door locked and of activating the alarm when leaving the house.

“Upon returning from holiday on September 3 2009, the data controller discovered that the laptop and a purse were missing from her study. She subsequently reported the matter to the police. The commissioner has noted that physical security measures were in place at the time of the incident but that there was insufficient technical security employed on the laptop to protect the data.”

According to Ken Macdonald, Assistant Commissioner for Scotland: “The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.”

“As this incident took place before the 6 April 2010, the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000, it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

Alertsec is a data encryption service company. Organisations, be it big or small, must have encryption in place. If you are an individual works independently or is not covered by the organisation can  also use self-encrypted drives. Alertsec helps with the installation, the cost of this encryption service is negligible compared with the hassle, cost and embarrassment.

Safeguard your data with Alertsec Encryption Service

The complete story

Razer co-founder Min-Liang Tan’s statement says”As you can imagine, the return of these prototype units is very important to the company,” he said. “We have already reported this to the authorities who are working closely with us on this matter.”

“We take this act of theft seriously and would like to appeal for its return and discourage anyone from buying the Razer Blade prototypes from the perpetrators, whether online or otherwise, as they are stolen property.”

Razer came up earlier this year with a ultra-thin laptop, called the Blade– a $2,800 laptop that’ is not even an inch in thickness and weighs less than 7 pounds.

The break-in

Apparently the thieves had access to the building as it was not exactly a ‘break-in’. They seem to have entered the lobby and quietly nicked off the two laptops. What makes this case more interesting is that none of these laptops were completely functional, so looks like the robbers were not that lucky.

A great loss to the company

Speciality of this Razer laptop was the touchscreen on the right where generally the number pad is located. Razer is requesting the thieves to return these laptops as they contain a lot of diagnostic data. These laptops were getting tested that weekend. Customers are being requested not to buy any such laptop if they are offered one for sale or come across e-bay or craigslist.

Investigation

Police are investigating thoroughly every employee at Razer who swiped their security cards that weekend, in hope to catch the thief. Access logs are being checked out too. Razer has further asked that they are to be contacted about the break-in and/or missing prototypes on the following email “cult@razerzone.com”.

Was this just a publicity gimmick? Did Razer secretly want this? What did Razer have to say about it?

Razer has flatly denied these speculations and provided details about the theft. Razer has further stated that it won’t delay the release of the product because of this theft.

Alertsec offers good encryption service

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software. Encryption is the only secure method for complete protection of data stored on your hard disk. Today laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. Thus laptop encryption is becoming more and more important.

Razer's CEO Min-Liang Tan hopes for the return of the laptops

According to Japanese Defense Ministry hackers have most probably accessed sensitive data relating to military aircraft, missiles, and nuclear power plant designs and safety systems.

The news in detail

Mitsubishi Heavy–Japan’s largest defense contractor is best known in America for manufacturing the surface-to-air Patriot missile.–In August it found out that multiple computers were infected with a Trojan application. Further investigation showed that the information had been sent outside the company’s computer network, clearly indicating an outsider’s involvement.

The computers were located in 11 different places. Some were placed in sensitive areas like the Kobe and Nagasaki shipyards that are into submarines and destroyers constructions. A few others were located at the Nagoya facility that manufactures guided missile systems. The nuclear data that was stolen included anti-quake measures.

Mitsubishi Heavy Industries was reluctant to share this info at first. It kept the Japanese authorities in dark stating that its military information was safe and that all security measures were followed. Initially the company said that the attackers were caught early on but later contradicted their own statement saying that data had been compromised.

Statement issued by the company

“The company recently confirmed unintended transferring of some information on the company’s products and technologies between servers within the company,” said Mitsubishi Heavy in a statement. “Based on the finding, the company investigated the incident further and recognized the possibility of some data leakage from the server in question.”

Other recent military data breaches

Lockheed Martin, which manufactures the F-22 Raptor and F-35 Lightning II fighter aircraft, was a victim of military data theft recently. The Lockheed hack was done by using information stolen earlier from RSA Security. RSA is the branch of EMC that produces the SecurID two-factor authentication token used by thousands of contractors and corporations to secure their networks.

What are the Tokyo Police doing about it?

Mitsubishi Heavy has given a complaint to the Tokyo Metropolitan Police Department with details about damage done to its computer system in late September. The police are looking into computer records to find out the source of the data.

Protect your confidential data with Alertsec

Alertsec Xpress offers a customizable data encryption software solution from Checkpoint, the industry leader in encryption software (former Pointsec). Alertsec has come up with a web based encryption service that helps in deployment and management of PC encryption.

The need of a Data encryption software and recovery software is felt by big and small companies in today’s vulnerable data world. The threat could have simply been reduced to an insurance matter by a mere investment of $13/month. Certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.