Archive for the ‘Uncategorized’ category

Stolen laptop and data breach

April 14th, 2016

Laptop theft can lead to data breach. OptumRx, the pharmacy care branch of a health services and technology company in Minnesota suffered data breach due to the theft incident. An unencrypted laptop was stolen from an employee’s vehicle in Indianapolis, Indiana as per the reports. OptumRx mentioned that laptop belonged to an unnamed vendor who provides home delivery services to patients.

Affected information included names, health plan names,addresses, prescription drug information, and prescribing provider information. For some individuals, dates of birth may have been exposed.

It also confirmed that Social Security numbers, credit cards, and other financial information was not involved.

Company did not specify the number of affected individuals. Also, Office of Civil Rights data breach portal didn’t mention the number of individuals affected by the security incident.

OptumRx has now contacted local authorities and launched an outside investigation. It has also mailed notification letters to potentially affected individuals.

“In addition, we have worked with the vendor to put immediate and additional protections in place to prevent the occurrence of similar incidents in the future,” explained OptumRx’s notification letter. “These measures include additional security requirements on laptops they use for OptumRx work, training and reinforcement of existing policies and practices, and further evaluation of additional safeguards.”

The company is also working with local law enforcement. Vendor is asked to put in place additional levels of protection for its laptops. One free year of identity theft protection services is also offered to individuals. It is supplying each with a one-year subscription to LifeLock.

LifeLock subscription includes following facilities to users:

  • Identity Threat Detection and Alerts:

With this service, LifeLock actively monitors an extensive online network for attempts to use your personal information. Whenever suspicious activity is detected, user will receive an alert via email or phone.

  • Wallet Protection

It also provides services for missing wallet. It has asked users to just call— anytime, anywhere—and LifeLock will help cancel or replace the contents to stop fraudulent activities. Coverage under this scheme includes credit and debit cards, Social Security cards, driver’s licenses, insurance cards, checkbooks and travelers checks.

  • Address & Verification

Impersonating can be done and Identity thieves can redirect your mail, containing financial information and providing a fraudulent new address. LifeLock monitors these such kinds of requests and notifies the user.

  • Black Market Surveillance

Identity thieves also get involved in illegal buy, sell and trade sensitive personal information on black market Internet sites. LifeLock now patrols over 10,000 criminal websites. Any suspicious activity is  notified to the user.

  • Pre-Approved Credit Card Offers

LifeLock works with bank to reduce emailing to affected individuals to avoid identity theft.

  • LifeLock Member Service 24/7/365

Sign in to your secure member portal at LifeLock.com is available all the time.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Laptop stolen from Doctor’s Car

March 2nd, 2015

Heath information was potentially compromised when laptop was stolen from doctor’s car. Around 400 patients are notified about the recent data breach. The incident took place at the Medical College of Wisconsin. According to the Medical College spokesperson, that a document with private information on about 400 patients was stolen from the vehicle, while a laptop with data on one patient was also taken.

“Firm policies are in place prohibiting the downloading of patient information to portable media, as well as the secured transport of documents containing patient information,” read a Medical College statement obtained by WDJT. “We sincerely regret that this unfortunate event occurred.

According to the statement, the affected patients are contacted and steps are taken to prevent this type of event. Institutional policy is revisited to safe guard the sensitive information. Excerpts from the statement on website –

The purpose of this policy is to address the appropriate protection and encryption of all MCW Electronic Protected Information (EPI) when it is stored, transferred or accessed on any mobile device.  Full mobile device encryption and related controls are required to access MCW’s electronic network or information through another means.

All Workforce members must protect MCW EPI. Workforce members using a Mobile Device owned by a workforce member, an external entity or one provided by MCW, to access or store EPI must have encryption using an institution-approved tool.

On personally owned devices (i.e. BYOD), should a workforce member choose not to permit MCW’s MDM tools and supporting processes on their personal device, access to MCW’s secured resources will be limited as outlined in procedure below.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Protected Health Information documents in Dumpster

February 24th, 2015

Suburban Lung Associates in Illinois may face a protected health information (PHI) breach after its medical record was found in the dumpster. Local CBS affiliate news station reported the incident. It found out that number of patient charts was thrown in the trash that contained PHI such as patients’ medical histories, Social Security numbers and driver’s licenses.

According to the reports, CBS affiliate discovered that the dumpster belonged to Filefax, a company that stores and transports medical records. The news station broadcasted news with inputs from dumpster driver. The women driver explained that Filefax had allowed her to take the papers a week prior and she had made ten trips with 1,000 pounds of Suburan’s medical records.

Filefax avoided news reporter after the incident. News station has alerted Northbrook police of the unsecure medical information, and police then ordered Filefax to secure the dumpster in their facility.

Hospital mentioned that its security policy mandates that the vendor destroy all medical files. They also said that they believe in protecting patient’s information at priority and this breach is isolated incident. The Illinois Attorney General and US Department of Health and Human Services are now investigating the breach.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Owensboro Medical Practice suffers data breach

September 24th, 2014

Medical Practice has notified 3000 patients who have suffered data breach due to employees who tried to contact them with intention of starting own business. Still there are conflicting reports about the involvement of a business associate (BA) and the dates of breaches. Information which was affected included patient names, addresses, telephone numbers, dates of birth, Social Security numbers, and health conditions.

According to the reports, Medical Practice, located in Owensboro, KY, the breach occurred three years ago and Director of Research for Owensboro Medical Practice, Timothy Hillard said he knew of the incident.”Even if it was one patient, that one patient’s information is highly important to us and not the entire medical records were taken but demographics such as name, date of birth, age, social security number, which is, you know, very concerning to us.”

According to the statement:

On or about July 24, 2014, Owensboro Medical Practice, PLLC, and its business associate, Research Integrity, LLC, learned that a spreadsheet containing protected health information was wrongfully copied and removed from the offices of Research Integrity by a former employee. This occurred despite the fact that only properly authorized persons at Research Integrity had access to the spreadsheet.

Owensboro Medical Practice and Research Integrity are both investigating the incident and taking steps to ensure that patient information is secure. The companies are also pursuing the return of all hard copies of all information from the spreadsheet, the deletion of all computerized versions of such information on a permanent basis, and permanent injunctions against the persons or entities who had possession of the data from utilizing such data in the future.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

White Lodge Investigates Data Breach, Card Fraud

February 8th, 2014

White Lodging Services, a hospitality company that manages 168 hotels in 21 states under Hilton, Marriott, and Sheraton brand names, is investigating a suspected credit and debit card breach. It has suspected 14 hotels along with some hotel restaurants and lounges where the possible breach happened at point of sales systems. It suspected below establishments.

  • Sheraton Erie Bayfront, Erie, Pa.
  • Marriott Midway, Chicago, Ill.
  • Holiday Inn Midway, Chicago, Ill.
  • Holiday Inn Austin Northwest, Austin, Texas
  • Westin Austin at the Domain, Austin, Texas
  • Marriott Boulder, Boulder, Colo.
  • Marriott Denver South, Denver, Colo.
  • Marriott Indianapolis Downtown, Indianapolis, Ind.
  • Marriott Richmond Downtown, Richmond, Va.
  • Marriott Louisville Downtown, Louisville Ky.
  • Renaissance Plantation, Plantation, Fla.
  • Renaissance Broomfield Flatiron, Broomfield, Colo.
  • Radisson Star Plaza, Merrillville, Ind.

Information about the breach first came to notice when security journalist Brian Krebs reported, Marriott properties operated by White Lodging Services based in Merrillville, Ind was affected by the unnamed card processors tied to fraud involving hundreds of credit cards to a number of this property. He reported location of other affected hotels as Austin, Texas, Chicago, Denver, Los Angeles, Louisville, Ky., and Tampa, Fla., among other cities.

White Lodge spokeswoman Kathleen Quilligan told The Times of Northwest Indiana, “An investigation is in progress, and we will provide meaningful information as soon as it becomes available,” White Lodge is owned by Dean White 90, whose Forbes estimation is $1.9 billion. His company manages 168 hotels under variety of brand names.

Hilton, Starwood Hotels and Resorts Worldwide Spokesperson did not immediately respond to an emailed request for comment on apparent data breach. Marriot issued a statement later about the White Lodging Data breach which includes, ‘”One of our franchise management companies has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels,” and it continued “They are in the midst of the investigation and are in close contact with the banks and credit cards companies.”

Marriot failed to share details immediately as per the statement as it says “Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide,” and “Since this impacts customer of Marriott properties, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software. Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Enhanced by Zemanta

Data Breach at Saint Louis University

October 8th, 2013

A health data breach at Saint Louis University (SLU) affected 3,000 patients. Few SLU employees received a phishing scam mail and gave out their account information by mistake.

About 20 SLU email accounts were accessed by the phishing culprits. These email accounts had protected health information (PHI) of about 3,000 people and about 200 Social Security numbers as well. According to the spokesman, employees’ financial information was the main target of the scam. And while no unauthorized financial transactions occurred, 10 employees changed their direct deposit information.

Affected students were offered one year of free credit monitoring and identity theft protection and restoration to affected students.

The University discovered that some SLU employees provided their account information in response to a sophisticated phishing email scam they received.

A full-scale investigation was started immediately after the University learnt about the incident. Employees who were targeted by the email scam were notified, and their accounts were secured. While about 10 employees had direct deposit information changed, no unauthorized financial transactions occurred.

As it appeared the main target of this scam must have been the direct deposit information of these employees. However, during the investigation, the University learned that the incident also resulted in unauthorized access to about 20 SLU email accounts belonging to approximately 3,000 individuals which contained their personal health information. This was mostly limited to diagnosis, procedure and medical chart information. The email accounts contained about 200 people’s name and Social Security Numbers. At present, there is no evidence to suggest that someone accessed any of the personal information in the emails.

All individuals whose information was in the email accounts affected by the incident are being notified by the University. SLU has also notified law enforcement officials and has engaged the services of a global leader to avoid such incidents in future.

University is providing the affected individuals with one year of free continuous credit monitoring and identity theft protection and restoration. Instructions for signing up for these free services are enclosed in the notification letters.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

California AG reports 131 Data Breaches in 2012

July 17th, 2013

Data breach incidents are increasing at fast pace and their impact is affecting millions of people. California being one of its victims, the personal information of millions of individuals were exposed in data breaches last year.

Personal information of 2.5 million residents of California were exposed in 131 online data breaches in 2012, as indicated by a recent study done by Attorney General of California. However, more than half of these incidents were easily avoidable.

In a report released by the Attorney General Kamala Harris she revealed that out of 2.5 million California residents affected by data breaches in 2012, 1.4 million would have been fine if the companies had encrypted their data. If the exposed data had been cloaked earlier these incidents would have never been reported under existing state law.

According to some other findings in 2012, average of 22,500 people were affected in each breach. Majority of data leakage incidents were reported in retail industry followed by the insurance and financial sectors. More than 100,000 people were involved in five of the reported data breaches, more than half of breaches involved SSN.

“Data breaches are a serious threat to individuals’ privacy, finances and even personal security. Companies and government agencies must do more to protect people by protecting data.” Harris said in a release.

Harris gave some suggestions for companies and agencies, explaining them that data encryption should always be used to secure the data. She asked them to train their employees and contractors to improve the overall security in an organization. However, some experts in IT security industry declared awareness training to be a waste of money and time.

She further proposed to improve the readability of breach notices, better the access to resources for victims of breaches involving Social Security and driver’s license numbers, and the passage of legislation mandating notifications of breaches involving the exposure of online credentials, such as usernames and passwords.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

Hackers Attack Ubisoft, Steal Customer Data

July 5th, 2013

French game maker Ubisoft has admitted that hackers have breached its networks, gaining access to usernames, email addresses and encrypted passwords. The incident likely affects millions of people worldwide.

PCMag’s Max Eddy reported, “Yesterday, French video game publisher Ubisoft alerted fans that customer information had been accessed by an attacker. The company advises everyone with an Ubisoft account to log in and change their passwords, but victims might have other dangers ahead. On the Ubisoft blog, Gary Steinman writes that user names, email addresses, and encrypted passwords were accessed during the intrusion. That’s the bad news, but here’s the good news: because Ubisoft does not store payment information, no credit card or other sensitive data was accessed.”

Matt Peckham with Time added, “The France-based company says it ‘instantly took steps’ to seal the breach and began investigating ‘with the relevant authorities, internal and external security experts, and to start restoring the integrity of any systems that may have been compromised.’ Ubisoft notes that Uplay, the company’s in-game digital distribution and multiplayer service, was not impacted — only Ubisoft’s website, though you can use your Uplay account credentials to log into the site, so I’m guessing Uplay accounts are at risk as well.”

Paresh Dave with the Los Angeles Times noted, “The company didn’t disclose how many of its users were hit, but it has sold more than 55 million of its top game…. Many websites automatically reset user passwords after a data breach. But Ubisoft took a different approach, recommending via email that users manually update their passwords on its website and any other websites where users might use a similar password.”

User access control Fundamental but forgotten

May 7th, 2013

User access control is a cornerstone of information security management. Everybody needs it and does it. Yet in practice it’s poorly conceived, implemented and managed. It’s one of those elephants in the room: a problem that is highly significant, but difficult to tackle so business is reluctant to acknowledge it. If it wasn’t for compliance and internal audit the situation would be even worse.

A number of theoretical models have been developed over the years but they don’t deliver in practice. We’ve got ACLs, Capabilities, MAC, DAC and RBAC, none of which work in a medium or large enterprise. There are several reasons for this.

Firstly, the models are too simple. Access control is too rich a subject to be determined by a single label or capability. Deciding whether a user can have access to an enterprise system is far from simple. It depends on who they are, what they are, how important they are, where they are, what they are doing, to whom they report, and what other access they might already possess. This requires unambiguous policy rules and reliable decision processes, supported by smart application front-ends, all of which are in short supply.

Secondly, we rarely have enough knowledge in one place to make this work. Neither systems owners nor administrators have perfect knowledge of who does what across the enterprise and what access they require, especially in an organization that is continuously acquiring, divesting and restructuring business units.

Thirdly, we don’t pay enough attention to administration. It’s too often poorly resourced and equipped. Cost savings can easily be made by streamlining processes and implementing better tools but this requires enterprise-wide cooperation and it’s rarely at the top of any business unit’s agenda.

Fourthly, we are constrained by legacy systems and infrastructure which complicate the problem space and restrict the solution space. Ambitious visions quickly fade into the distance.

An inescapable fact is that we can’t control a complex situation with simple controls. Today’s access requirements are a sophisticated blend of numerous factors. Access rights depend on multiple user characteristics that can be surprisingly hard to define measure and monitor.

The end result is that it doesn’t get done properly. Instead we fudge it. We do the minimum we can to keep it going and rarely get around to developing the rich policies, knowledge base and streamlined processes needed to build a sustainable, effective access control system.

In fact it’s much easier to close the back doors, through vulnerability management and penetration testing rather than to secure the front entrance. But compliance is catching up with the thousands of wrong profiles, toxic combinations and dead registrations. Sooner or later we will have to put aside the easy, quick wins and face up to the long-standing elephant in the room.

Prevention is better than cure. Prevent your systems from attacks with Alertsec Xpress.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta