Midlothian Council pays hefty fine for data breach

ICO is leaving no stone un-turned to punish data breach culprits. It is levying fines to those who compromised private data, especially children’s sensitive data.

Recently the council fined the Midlothian Council a record fine of £140,000 for disclosing sensitive child data. And we are not talking here about just one breach. There were 5 breaches between Jan and June 2011.

The case in detail

Breach 1 – This happened when documents related to the status of a foster carer were sent to seven healthcare professionals, who had no reason to see this data.

This particular incident took place in January 2011 and details came to light only in March when the council started to investigate. In spite of the investigation similar incidents took place in May and June.

Breach 2 – Minutes of a child protection conference were sent by mistake to the former address of the mother’s partner, where they were opened and read by an unauthorized individual. The documents contained personal data about the mother, who made a complaint to her social worker about this case.

Assistant Commissioner for Scotland Ken Macdonald said “the serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.’

“I hope this penalty acts as a reminder to all organizations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

He further added that information about children’s care, details about their health and wellbeing, is the most sensitive information that is held by local authorities. It goes without saying that this information has to be protected and that strict policies are to be chalked out and followed.

The ICO’s investigation

According to the ICO all five breaches could have been avoided if the council had been strict about protection policies, training and had put checks in place. It has further ordered the council to take action to keep the personal data secure.

Since the incidents the council has recovered all of the information that was sent to the wrong recipients and is updating its security policies.

What the the ICO chiefly wants is that the government should give itstronger powers to audit local councils’ data protection compliance, if necessary without consent.

NHS bodies across the UK want the same kind of powers in light of the recent data protection breaches.

Midlothian Council comments:

Colin Anderson, chief social work officer for Midlothian Council, commented: “As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry.

“The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the information commissioner. I must emphasise that there is no evidence that anyone was put at risk.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption

The Federal State Commission issues data protection guidelines. Lexington Clinic suffers data breach

We have mentioned this before and are reiterating – Medical data is very very vulnerable. Most data breach and laptop stealing cases are related to Medical data. We have covered so many posts related to medical data breach that they have almost become a routine now! It is as if Medical data simply cannot be secured. Is the data security world listening? It is so very important to protect data, especially patient data.

Breaking news: Today’s post highlights the vulnerability of medical data breach and laptop thefts.

Lexington Clinic Laptop Theft

According to the Lexington clinic the laptop was atolen last month from the neurology department in the Saint Joseph office park on Harrodsburg Road.

The clinic further adds that the laptop contained patients’ names and some medical information. Fortunately it did not contain Social Security, credit card, or bank account numbers. A total of 1,018 patients lost their private data.

Letters are being sent to the affected parties.

The moment Lexington Clinic  found out about the theft, it informed the police and all door locks to the neurology department were urgently changed. Lexington Clinic is currently working with the St. Joseph security officials to ascertain the security of offices located in the St. Joseph Office Park.

Note for Lexington Clinic patients – In case you have been or currently are a patient of the Lexington Clinic Neurology Department, and if you have not received a letter about this theft then it is safe to assume that your data was not on the stolen laptop. So far there is no proof that any of the stolen data has been misused.

The Federal Trade Commission is requesting everyone to take steps to protect information:

Beware of signs of identity theft, such as:

• Bank Accounts you didn’t open and debts on your accounts that you  are not aware of

• Wrong information on your credit reports, including accounts and personal information, such as your Social Security number, address(es), name or initials and employers.

• In case you do not receive your bills on time, follow-up with your creditors.

• Receiving credit cards that you didn’t apply for.

• Being denied credit or being offered less favorable credit terms. If it is too good, then it is not true

• Receiving calls or letters from debt collectors or businesses about merchandise or services you didn’t buy.

About Lexington Clinic – It is Central Kentucky’s oldest and largest group practice, with more than 200 providers offering primary and specialty care services. Founded in 1920, Lexington Clinic offers more than 30 specialties and operates offices in more than 25 locations throughout Central and Eastern Kentucky.

Source: LexingtonClinic.com

Alertsec secures your Laptops

3 easy steps to encrypt your data with Alertsec

a. Register for your subscription or 30-day free trial of our encryption software

b. Download and activate Alertsec Xpress online

c. Your laptop is now powered by Check Point Full Disk Encryption

The O2 Scandal

Customers of O2, the European mobile network, suffered a  data breach as their phone numbers were exposed to web sites visited from their smartphones. Unfortunately the security breach went on for two weeks before it was fixed on Jan 25.

Mobile customers in the United Kingdom started tweeting Wednesday morning about the breach after mobile developer Lewis Peckover found out about a security loophole in devices carried by European mobile network O2. It appeared that after O2 had performed its routine maintenance on its network this month, some users’ mobile phones started sending their owners’ phone numbers to web sites that were visited using mobile browsers through a 3G/WAP connection. Fortunately those who used Wi-Fi were saved from this ordeal.

This post shows that customer privacy is at stake. The breached phone numbers could be used for SMS spam or for hacking purpose. They are a treat for hackers and just waiting to be exploited!

The mobile device security industry is going through a bad phase. Just last April, Apple iPhones (running iOS 3.2 and above) had a flaw wherein the bug logged users’ location data in unencrypted files stored on the phones themselves. Customers were at their wits end when they heard this and there was chaos in the mobile industry. As if that was not enough, just last month, phone-monitoring software maker Carrier IQ admitted that its data-tracking program was already installed on all its phones across the country!.

Comment by O2

O2 issued a statement last Wednesday and explained that the issue has been fixed.

“In between the 10th of January and 1400 Wednesday 25th of January…there has been the potential for disclosure of customers’ mobile phone numbers to further website owners,” O2′s statement read. “It was fixed as of 1400 on Wednesday 25th January 2012.”

The office of the Information Commissioner (The ICO is a public U.K. body that enforces and oversees activity pertaining to the Data Protection Act of 1998) is looking into this matter presently.

“When people visit a website via their mobile phone they would not expect their number to be made available to that website,” the ICO said in a statement issued Wednesday. “We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”

Update from O2

According to O2, it regularly gives subscriber’s phone numbers to web-sites that offer age-restricted information and premium-rate billing without the user’s knowledge.

Apparently the company has been providing user phone numbers to web-sites that are browsed by millions of users from their phones using the 3G network. This has been happening since Jan 10. Obviously the site owners are having a ball with this piece of information.

What should a common man do to avoid such a pitfall?

Always read the terms and conditions of any mobile service that you choose to use. Better to be safe than sorry!

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment. 50% of network breaches take place by using passwords from lost or stolen equipment. Laptop encryption is the solution to laptop theft problem. Small and big companies are now realizing the importance of tracking software. Alertsec offers laptop encryption service to secure your data.

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress

O2, the mobile phone service provider, suffers data breach

is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

Companies cannot just get away with data breaches. They are answerable to customers and have to compensate. Customers generally file lawsuits when their demands are not met and where private data is stolen.

The following news report is making headlines

The University of Hawaii has agreed to provide two years of credit protection services to settle a class-action lawsuit that involved data breaches that took place between 2009 and 2011

UOH settles data breach lawsuit

wherein 100,000 students, faculty, alumni and staff between 2009 and 2011, officials and attorneys were involved. This was announced last Thursday.

Apparently the university has denied liability for the breaches. Its spokesperson said it will settle the case by providing two years of credit monitoring and credit restoration services to members who request it. According to the university spokesperson it will continue to “work diligently so that the chance of future data breaches is significantly reduced.”

Data breach details

There were five data breaches in all. It also included the one that took place in 2009 where Social Security numbers, grades and other personal data were posted online for almost a year before being removed from the website. According to University officials a faculty member uploaded files containing the information to an unprotected server, exposing the names, academic performance, disabilities and other information of more than 40,000 students who attended the flagship Manoa campus from 1990 to 1998 and in 2001, by mistake.

Breaches also took place at the West Oahu campus, Kapiolani Community College and Honolulu Community College.

The University’s statement ”We are pleased to settle this case by providing two years of credit monitoring and credit restoration services to those class members who request it. The University continues to work diligently so that the chance of future data breaches is significantly reduced. Given the uncertainties and expense of litigation, the University believes this settlement is in the best interests of the University and its entire ‘ohana.”

The attorneys, Bruce Sherman and Thomas Grande who are representing the class, said

“We have researched more than forty (40) data breaches at colleges and universities across the country. In almost every instance, two years of credit monitoring and fraud restoration were offered to data breach victims,” said Bruce Sherman, one of the attorneys representing the class. “Offering two years of credit monitoring and fraud restoration services to breach victims should be the standard response by any breaching entity in Hawai’i, including government agencies,” Sherman noted.

“The settlement is significant for several reasons,” said Thomas Grande, who also represents the class. “This settlement is the first data breach settlement in Hawai’i and affects almost 100,000 persons,” Grande noted.

“Credit monitoring provides for continuous checking by a credit agency of a class member’s credit file. If there is suspicious activity, the class member is notified immediately and is given assistance to resolve the problem,” Sherman said.

“Credit monitoring services may cost as much as $5 to $15 per month if purchased individually. We are extremely pleased that the University has negotiated a settlement package that provides these services to every class member who wants them,” Grande said.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

EU Justice Commissioner Viviane Reding talks about introducing new data protection regulations

The European Union is in the process of proposing new regulations regarding how companies use the personal information of Internet users this week. The new regulations are going to have a major impact on companies like Google and Facebook. This is going to put stricter limits on how they use the information of the people that use their services. According to Viciane Reading, vice president of the European Commission, a branch of the EU, these new regulations are absolutely required to protect personal data of the users and rebuild a sense of confidence in them.

Laptop stolen from vehicle belonging to the Kansas Dept. of Aging

Stealing valuables, especially laptops and pen-drives, are in vogue. Thieves have gotten very smart and have realized the value of laptops and mobile devices. It is very difficult to track such thefts and data thieves are getting away easily.

The above will be more clear after reading the following news story.

A laptop computer, flash drive and paper files were stolen from a locked vehicle that belonged to an employee of the Dept.on Aging, Wichita. The Kansas Department on Aging is informing clients tabout this information breach.

The theft took place on Jan. 12 at the Best Western Airport Inn, 6815 W. Kellogg. The suspects broke a rear window on a state-owned car that contained the laptop and paper files. Apparently the employee had covered the items with a blanket before getting into the hotel for safety sake.

Emerging details

The laptop contained data about department clients in Sedgwick, Harvey and Butler counties. So far the police have not been able to recover any of the items. At the same time there is no proof that the stolen information has been misused.

According to the Department on Aging no banking or driver’s license information was involved. But there is a possibility that the stolen information could have full names, addresses, Social Security and Medicaid information and other personal or protected health information. The stolen data also contained social security numbers of 100 people that were a part of the Senior Care Act program.  The Department of Aging is trying to reach these people over phone to inform about the theft.

Comments by Secretary Shawn Sullivan of the Department on Aging: ”To date, the laptop, the flash drive, and the paper files that were stolen, has not been recovered. There’s also no evidence to date that shows the information has been accessed or been misused,”. ”Our staff immediately began notifying and calling the families and the customers that was affected with those 100 files. For the most part, they’ve all been very understanding, very appreciative that we notified them immediately,”

The affected parties have been requested to check all bills and check on credit reports.

“You want to know what’s on your credit report. You want to see and recognize any changes or things that you don’t understand. You can see what changes are happening in your credit report and make sure they’re all accurate and up-to-date,” said Clifton O’Neal, communications director for TransUnion.

Data security with Alertsec

Alertsec is here to take care of our security issues especially for anyone working with PCs. Alertsec Xpress is the service that automatically protects ALL information you store on your PC. The fact that we now buy more laptops than desktops shows that the information we all store is increasingly more vulnerable to be exposed. It is a much higher risk to lose a laptop than a desktop computer.

Encryption is the only secure method for complete protection of data stored on your hard disk. Today laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. Thus laptop encryption is becoming more and more important.

Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users.

Zappos center in Kentucky

You love shopping online, don’t you? It is easy, less time consuming and you can do it in your Pajamas ! No need to drive in the middle of the night to shop and waste a gallon of gas! Just a click of a button and your gift is at your door-step.

Hang on! The ‘easy’ shopping just got ‘difficult’ because you entered your credit card details online and now they are vulnerable. You thought they were secure but think again.

The recent hacking case of Zappos, Amazon’s shoe retailer, puts doubts in your mind about online shopping.

The news in detail

Stratfor relaunches site post hack attack

Stratfor is officially back but its servers are heavily burdened due to its offer of free access. Stratfor CEO criticized the attackers for targeting the company, an email said. Stratfor aka Strategic Forecasting is back online after it was hacked into last month.

The new site

Stratfor relaunched  the new site on Jan. 11 exactly 18 days after the hacking group Anonymous hacked into its servers on Dec. 24. The hackers hacked Stratfor’s servers and took away data related to its subscribers and also defaced the site. The information that was dumped online included 75,000 credit card numbers and 860,000 usernames and passwords. Almost 50,000 of the addresses had a .mil or .gov domain. According to a Stratfor spokesperson there was going to be a delay with the site re-launch. The company planned to bring in a team of consultants and experts to tackle the security issues. The company further decided to move all credit card management activities to a third-party company so that customer data remained secure.

According to George Friedman, CEO of Stratfor “This was our failure,”. “I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.” “I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation,” Friedman said. The FBI had informed credit card companies of the breach and had provided a list of compromised cards, so “our customers were therefore protected,” he said, adding, “We were not compelled to undermine the investigation.” “This attack was clearly designed to silence us by destroying our records and the website,”.

What went wrong?

Apparently Stratfor had failed to encrypt credit card data and had stored the information in cleartext. After the passwords were analyzed, it was seen that security practices were not followed.There was no check on passwords when they were created by users.

Friedman further added “We were no longer an organization that analyzed the world for the interested public, but rather a group of incompetents, and conversely, the hub of a global conspiracy,”. According to him the media had publicized “incompetents” part while the hacking community focused on the “global conspiracy” part.

Relaunch offer

Today’s news story revolves around data theft at the University of Victoria, B.C. Canada.

Over the weekend electronic devices like laptops, mobiles and storage devices were stolen from the University. In addition, cheques and a small amount of cash was stolen too. The stolen information contained names, payroll information and social insurance numbers of UVic employees dating back to Jan. 1, 2010. The disturbing aspect of this case is that the information stolen belonged to current and former employees and also contractors. Also disturbing is the fact that some of this information, especially the names, social insurance numbers and banking information was unencrypted.

According to Gayle Gorril, the univerity vice-president “It included … bank account information needed for direct deposits, social insurance numbers and payroll information,” Gorrill told CBC News late Monday. She further added that an information line has been set up on the website and that employees are being contacted. The affected individuals will be reimbursed bank fees and new checks, promised Gorrill.

Saanich police  and a forensic investigator are working on the case. According to the Police this work is of more than one person.

“Number of credit alerts successfully placed on my credit report: None.”

Caitlin Morrison, a graduate student and employee, said, “You would hope that an organization like the university would have better systems in place to avoid such a widespread problem.”

Janni Aragon, a political science instructor, feels that the university should have informed employees immediately.

“I know a lot of my colleagues are angry we found out at the end of business day [Monday],” she said.

More about laptop security from Alertsec

Laptops generally get stolen from the work place, conference centers, hotel rooms, cars, airports and train stations.  It is difficult to prevent theft as opportunists are everywhere in our society.

Best bet would be to make sure  having a fresh back-up on a server or back-up device.

Lastly, by using encryption software, you greatly enhance the laptop security as there is no way that the information is compromised if lost or stolen.

Data stolen from the University, suspects at large

Stratfor Inc hacked and credit card data stolen

Anonymous has always been in the news for data hacking and just when we were wondering what they were up to, they are here! This time they have been successful in breaching data of the security Think-Tank Strategic Forecating  Inc, based out of Austin.

The details

The group managed to hack into  Stratfor’s web site and get data  about the company’s corporate subscribers. This resulted in the website being closed down temporarily. Anonymous was proud to announce that they stole passwords, credit card details, and home addresses of about 4,000 people on Stratfor’s private client list. Their plan was to use the credit card information to make fraudulent donations to charities. The hackers described the data on Pastebin, then provided several links to websites hosting the information. According to them some 50,000 of the e-mail addresses released end in “.mil” or “.gov.”

Strangely enough, some representatives of the Anonymous group denied complete responsibility of the attacks.  According to an Anonymous spokesman  “it does not attack media sources.” The organization has been known for its hacks on Sony’s PlayStation services, the Church of Scientology, as well as companies, banks, and organizations  that supported WikiLeaks.

What business is  Stratfor into?

The company offers its clients like the U.S. Air Force, the Miami Police Department, and Apple, high-quality economic, political, and even military analysis to clients, delivered daily via email, video, and the Web.

After the hack

Stratfor is offering a free one-year subscription to an identity protection service to those affected. Stratfor’s CEO, George Friedman confirmed on the company’s Facebook page on Monday that the hack disclosed the names of some corporate subscribers along with personal and credit card data.

Barrett Brown, spokesman for Anonymous said “This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor’s employees off the record over more than a decade,”. “Many of those contacts work for major corporations within the intelligence and military contracting sectors, government agencies and other institutions.”

Stratfor’s chief George Friedman’s statement

High profile attacks are making the rounds and security agencies are scrambling to get the security policies of such companies in place. Stratfor’s website is under repair as of today and will take some time before it gets back in shape.

Alertsec equips firms with encryption software

Alertsec is here to take care of our security issues especially for anyone working with PCs. Alertsec Xpress is the service that automatically protects ALL information you store on your PC. The fact that we now buy more laptops than desktops shows that the information we all store is increasingly more vulnerable to be exposed. It is a much higher risk to lose a laptop than a desktop computer.

Encryption is the only secure method for complete protection of data stored on your hard disk. Today laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. Thus laptop encryption is becoming more and more important.

Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users.