Data breach at ODOT exposes participants social security numbers

2011 has probably seen the most and the worst set of data breaches. In April 2011, Sony reported a data breach within their Playstation Network. Expedia’s Trip Advisor, email marketing provider Epsilon and professional engineering society Institute of Electrical and Electronics Engineers followed suit.

In the latest incident of data breach, data of 62 current and former employees remained exposed to the public online for nine long years. The breach was reported on Friday.

Details of the breach

Oregon Department of Transportation immediately removed the data from the site and apologized to its users who had participated in the environmental program. Fortunately, no one has had any problems with the exposed data.

Aug. 26 email gave details of this breach to all its users.

According to Theresa Masse, the state’s chief information security officer with the Department of Administrative Services ”Some were electronic — misdirected email, lost laptop, or a file exposed on a website,”. She further added “Others involved misdirected letters or a lost folder. The largest affected 500 people; the smallest, one individual.”

ODOT found out about the breach two weeks ago when it got a call from a citizen who brought to notice that a file in the agency’s file transfer protocol site contained encoded Social Security numbers. A file-transfer protocol site is used to transfer large files to internal and external users. The file contained names and encoded Social Security numbers of 62 people working with ODOT’s environmental programs. This information could have been online since 2002.

This is what ODOT spokesman Dave Thompson had to say when users found out about the breach ” “None of them were necessarily happy with us, or with the news this happened,” Thompson said. “But none of them has indicated they have noticed any sort of issue. It does not mean it hasn’t happened — and that’s why we spoke to them first before we announced it.”

Comparison with two private sector firm breaches

Health histories of 120,000 Oregon customers covered by Health Net were breached in March. Computer disks and backup tapes with details of 365,000 Oregon patients of Providence Health & Services went missing in Dec 2005

Another incident in early 2010

This incident was far more serious than the recent breach. A pen drive with payroll information of 550 Department of Corrections employees was found in Madras. The drive contained Social Security numbers of 300 employees at the Deer Ridge Correctional Institution near Madras and the Shutter Creek Correctional Institution in North Bend, and information of employees at the Warner Creek Correctional Facility in Lakeview.

How can Alertsec help protect data?

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

CVR-linked computer breached in Millinocket

What is a CVR system?

Central Voter Registration System (CVR) is used to improve the accuracy and integrity of voter lists and to enhance services to voters. The CVR also provides new efficiencies for election administrators and meet the requirements of the Help America Vote Act of 2002 (HAVA).

The CVR contains personal information on registered voters including names, addresses, dates of birth and driver’s license numbers. It does not include Social Security numbers.

It is not a large amount of personally identifiable information (PII), but valuable enough for the data-hungry hacking community.

CVR system breached

Apparently one of the CVR-linked remote computer, at the town clerk’s office in Millinocket, had a Malware installed which stole large amounts of voters data. Maine Secretary of State Charlie Summers confirmed this information. The Department of Homeland Security’s US-CERT team first found out about it and informed Summers office. The CVR contains information of one million registered Maine voters.

Although no personal information was accessed, there is a strong possibility that some data was snooped into. What and how much is yet to be found.

“I am in the process of assessing what, if any, information has been compromised”, Summers said. “I have taken immediate action to shut this computer down and disable the username and password assigned to the town clerk. I will keep the press updated with information as it is made available to me”

Maine Officials and the state police computer crimes department are investigating the breach.

Latest update

The latest update gives a twist in the story. It now appears to be a mountain made out of a molehill. There was a single malware infected computer in the remote town of Millinocket, which apparently did not access any information.

This is a sensitive issue, which discusses about regulations related to disclosure of security breaches: When is a breach really a breach and when should it be made public?

It is important to disclose even if the tiniest amount of data has been breached.

There are companies, which sweep such issues under the carpet. But in this case State of Maine is to be applauded for divulging the facts sooner than later.

Encryption software prevents data breaches

Traditional antivirus approaches don’t work any more and a new approach to endpoint security is required to better protect your company from malicious threats.

The above threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss what so ever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial

Alertsec further offers computer protection software from Check Point as a fully customizable and pre-packaged data encryption software solution. It can help you dramatically reduce your cost of ownership for encrypting your laptops.

Another cyber attack on Citigroup

Hackers love Citigroup and they waste no time in finding loopholes to hack into their system. They have done it again but in a different way. This is not an online hack but an offline one.

This time they have illegally accessed personal information of 92,408 Citigroup Inc. credit card customers in Japan and sold this info to third parties. This is a clear indication that banks are vulnerable to cyber attacks and need to beef up their security.

Customer account numbers, names, addresses, phone numbers, birth dates, account-opening dates and gender information were stolen hacked into. Thankfully, personal identification numbers and card security codes were safe.

So far, no unauthorized use of the cards had been reported by the end of business on Aug. 5, the Kyodo News reported.

Citi is getting in touch with all customers affected by the theft and plans to reissue cards at the customer’s request. It further added that customers won’t be responsible for fraudulent transactions on their accounts.

Who is the perpetrator this time?

According to Citigroup Japan, the system was hacked by a third-party vendor that had been given access to Citi’s internal systems.

Avivah Litan, a distinguished analyst at Gartner, sums up in exact words ”This is a CIO’s worst nightmare,”. “I am sure Citi is not sitting around and twiddling its thumbs as the hackers gain the upper-hand. However, it does prove what a leaky sieve most large banks and corporations are when it comes to protecting customer data. There are so many points of compromise that it’s very difficult for them to thwart all potential attacks.”

Customers have started worrying as cyber criminals are getting better and better in their online attacks stealing private information and documents. They are not fully able to trust the big companies who are handling their money and credit card information.

Citi has been a constant target of hackers

In 2006, Citi’s system had been breached through a third party, giving away corporate banking information. Citi had to take the step of blocking PIN-based transactions for customers in Canada, Russia, and the United Kingdom. This was a followed by an incident in June where the FBI arrested a former Citi executive who allegedly embezzled more than $19 million from the bank and its customers.

About Citigroup

Citigroup is a leading global financial services company housing 200 million customer accounts and operating in more than 140 countries. Through Citicorp and Citi Holdings, Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, and wealth management.

Protect yourself with Alertsec

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

Data breach at Wake Forest Baptist Medical Center

Medical records are the most vulnerable lot. Umpteen cases of hacking into medical data have been making headlines.

The latest joining the bandwagon is the Wake forest Baptist.

What happened?

Winston-Salem, N.C.-based Wake Forest Baptist Medical Center suffered a data loss of medical records and documents that affected 357 people.

Wake Forest Baptist Medical Center had fired an employee, Linda Bowden Turner, on June 1. It appears she had taken pages from 136 patient medical records and 221 employee documents that included Social Security numbers of past and current employees.

Ms. Turner was charged with larceny by employee. According to her attorney and WFBMC Ms. Turner was a hoarder and did not commit this deed intentionally.

Here is the statement issued by the Medical Center “On the afternoon of May 31, 2011, Wake Forest Baptist Medical Center received a call about documents, belonging or pertaining to the medical center, discovered in the basement of a rental home. Following an immediate response by our Privacy and Compliance Offices and with assistance from the Winston-Salem Police Department, our staff removed boxes from properties and storage units owned by former employee, Linda Turner”.

“None of the documents discovered comprised a complete patient medical record,” the center said. “The employment records date from a time when many hospitals used Social Security numbers as the employee identification number. Wake Forest Baptist discontinued this practice several years ago.”

Investigation showed that there were employment and medical documents mixed in with large volumes of the former employee’s personal documents, newspapers, magazines and trash.

There was no evidence found that said that the information was misused in any way. The documents appeared to be undisturbed in storage areas till the discovery.

Post breach

Wake Forest Baptist mailed Thursday a letter to affected individuals offering a free year of Debix credit-monitoring services, which require registration for use.

Soon after the incident the medical center has started training employees regarding the proper handling of paper documents containing personal or protected health information. Training program also includes training new staff and implementing this program in the annual mandatory compliance training.

The medical center has submitted a report to the appropriate regulatory agencies, including the U.S. Department of Health and Human Services, the North Carolina Attorney General and The Joint Commission. A review of the case has been completed by the North Carolina Department of Health Services Regulation (DHSR). DHSR found no discrepancies.

Implementing security measures with Alertsec

Time and again it has been proven that most laptops are stolen or valuable document taken from the place of work. Alertsec Xpress is the web-based service powered by Check Point Full Disk Encryption – the global leader in encryption for laptops and is used by big and small organizations that have recognized the need to protect their information.

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption.
• Powered by Check Point – the market leader

.

User names stolen from Apple server

Hacking groups

Hacking attacks are on the rise.  Hacker groups such as LulzSec have been successfully breaking into networks of big companies like Fox, Sony, AT&T, PBS, Citigroup and even the CIA.   LulzSec, an anonymous group of hackers, have claimed responsibility for hacking into several major company websites.

The latest in the line is Apple’s website. It appears that hackers have broken into Apple’s systems before posting a list of names and password hashes online. The names were not linked to the more than 200m customer credit cards stored on the iTunes online store.

The complete story

Hacking group Anonymous broke into an Apple server, collecting 26 administrative user names and passwords. The group announced the breach through its Twitter where it shared a link to the data posted on text-sharing website Pastebin. “Apple could be target, too,” the group tweeted. “But don’t worry, we are busy elsewhere.”

LulzSec group has been very active in the hacking field and recently announced it was ending its hacking operation and asked its users to support Anonymous. Their movement is called “AntiSec.” Both Anonymous and LulzSec have always targeted big companies disclosing their political motives.

What does Apple have to say?

Apple declined to comment declined to comment and has not confirmed the breach as yet. Fortunately the data that was hacked has little value to the culprits.

Why is this happening?

“Part of the problem is that companies don’t have an incentive to disclose when a breach occurs unless it’s required by law,” said Ronald Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “But the volume [of attacks] suggests something is going on.”

Hacking operations by groups like Anonymous and LulzSec started with Sony who is still having a hard time getting its systems back on track since its breach in April.

One of the reasons for these successful hacking attempts is the very nature of most major corporations’ digital data. Up till now, large companies had an Internet website for public information and an “intranet” for internal use. But the picture has drastically changed today. A company’s public online presence includes websites, YouTube channels, Facebook pages and Twitter accounts – all very vulnerable for getting compromised!

Add to this the high-profile nature of such services.  Even though Social networking platforms like Twitter or Facebook offer very less business value, they  can be used to quickly and publicly embarrass a company –  the latest in the news – Fox News Twitter account which displayed fake Obama tweets! Stay tuned..

Time for giant Corp orates to tighten their security – AlertSec’s security services

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Alertsec Xpress’s Check Point Full Disk Encryption is used by over 4 million users worldwide.

Cybercrime

Wikipedia defines cybercrime as “any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. A computer can be a source of evidence. Even though the computer is not directly used for criminal purposes, it is an excellent device for record keeping, particularly given the power to encrypt the data. If this evidence can be obtained and decrypted, it can be of great value to criminal investigators”.

The AT&T iPad hacking case

More than 100,000 Apple iPad users were a victim of data breach after the hackers accessed AT&T’s servers. Last June, Daniel Spitler of San Francisco, Calif., and Andrew Auernheimer of Fayetteville, Ark. broke into a computer without user authorization. They tried to obtain email addresses from the SIM card addresses of at least 114,000 iPad 3G users. Initially the attack appeared to be a sophisticated hack, the actual exploit used an automated script to submit HTTP requests for thousands of possible serial numbers and collect AT&T’s responses.

Post-breach, AT&T issued a statement. “This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses… may have been obtained,”.

How Daniel pilfered AT&T’s servers?

Daniel Spitler wrote a script called the “iPad 3G Account Slurper” and used it to access AT&T servers thereby getting info on e-mail addresses and associated unique iPad numbers. Spitler got in touch with co-defendant Andrew Auernheimer over Internet Relay Chat and they both hatched the plan of taking advantage of the Web site hole and the data from 100,000 accounts that was exposed.

Update on the case

Daniel Spitler has pleaded guilty to breaking into AT&T’s systems and obtaining the email addresses of iPad users. He is allegedly member of the Goatse Security hacking group. Spitler faces up to 10 years in prison and, $500,000 in fines on one count of conspiracy to gain unauthorized access to computers and on one count of identity theft. He is scheduled to be sentenced September 28 in Newark federal court.

Andrew Auernheimer was arrested January 18 in Fayetteville, Ark., while appearing in state court. Charges against him are still pending. He had pleaded not-guilty saying that he and his Goatse Security hacking group were planning to warn AT&T about the hole and notifying iPad 3G customers about the exposure of their data. But the chat logs were evidence enough to point out that they had not contacted AT&T.

“The magnitude of this crime affected everyone from high ranking members of the White House staff to the average American citizen,” said Michael B. Ward, special agent in charge of the FBI’s Newark Division. “It’s important to note that it wasn’t just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information.”

How Alertsec can protect our computers?

Alertsec provides protection for all information stored on laptops and PCs in an easy, convenient, and cost-effective way. It uses Check Point Full Disk Encryption (former Pointsec) software, and has created a web based encryption service that radically simplifies deployment and management of PC encryption.

Alertsec Xpress is the service that automatically protects ALL information you store on your PC

Alertsec Xpress provides:

• Fully managed service for your convenience.
• Very cost effective service.
• Market leading laptop protection service.
• Quick and easy implementation.
• Easy to use protection.
• Transparent solution.
• Global 24/7 helpdesk.
• 100% secure and reliable encryption.
• Powered by Check Point – the market leader

Square Enix, the latest victim of data breach

It is now obvious that hackers have decided to hit all major game developers! Last few weeks has seen data breaches of game sites like Nintendo, Bethesda Softworks, Sony, Epic games and Codemasters. The latest is Square Enix, one of the world’s largest developers and publishers of games for PCs and consoles.

Square Enix, well-known for creating the Final Fantasy and Kingdom of Hearts franchises were targeted by unknown hackers mid-way through last month. The cyber attack also reportedly focused on the company’s website.

Computer hackers managed to hit two websites of the Japanese company, Eidosmontreal.com, run by Square Enix’s subsidiary Eidos, and Deusex.com, a promotional site for the upcoming game, Deus Ex: Human Revolution. Up to 25,000 email addresses had been taken in the security breach. The company also stated that the attackers couldn’t access the credit card numbers of users, but they managed to download the resumes of about 350 people who applied for jobs in one of the company’s offices in Canada.

As per the statement “Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation,”

Former Washington Post writer Brian Krebs reports that both the official Deus Ex: Human Revolution and Eidos websites were closed on Thursday morning, May 12. It appears that during this period hackers put up a banner that read “Owned by Chippy1337”. The hackers threatened to distribute the stolen information on file sharing networks. Personal information of more than 25,000 users was stolen. 350 of these were resumes that were accessed and each of the affected individuals were sent apology letters.

The hacked sites were immediately closed down. Damage was analyzed and once improved security measures were implemented, the sites were up and running.

Square Enix has lost so much sensitive data that one has now started questioning about network security.

Robust information security initiatives and a proficiently skilled IT security workforce are the need of the hour. In order to avoid cyber-attacks and security breaches,  IT security professionals can increase their information security knowledge and skills by getting equipped with highly technical training programs.

Data security with Alertsec

Following the essential guidelines is very necessary for data security in any organization. This news exemplifies the need for data protection applications. In an incident which highlights the need of Data encryption software and recovery software, the threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss what so ever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial

Laptop theft on the rise

A Laptop/Notebook is stolen or lost every 12 seconds

How are laptops stolen?

90% of the Laptops are being lost/stolen during the travel.

Some are stolen at the work place, conference centers, hotel rooms, cars, airports and train stations. As statistics show, it is just impossible to be able to prevent theft to occur as opportunists are everywhere in our society.

Laptop loss not only proves costly to the owner but it also includes the loss of sensitive and creative information/data in it. It could be your important documents, presentations, credit card details, financial information or maybe a contract or legal document.

Here’s a story which talks about laptop theft and loss of valuable health related data.

Laptop stolen from Dept. of Aging

A laptop belonging to a PASSPORT case manager, with the Mansfield Area Agency on Aging, Inc., was  stolen on June 3 from his car in the Ohio District 5 region which serves counties in the Mansfield area. It contained  data of thousands of clients.

According to the agency  the laptop contained the personal health information on up to 43,000 consumers and the personal contact information on up to 35,000 related clients’ personal representatives.

In a news release, CEO Duana Patton said, “The Area Agency on Aging understands the importance of safeguarding our consumer’s personal information and takes that responsibility very seriously. We deeply regret that this incident occurred and we have already taken steps to ensure our laptops are properly equipped to secure personal information from unauthorized access in the future.”

The department is in the process of informing all of the affected users  by letter to explain credit protection options available to them.

Individuals can reach the staff for queries related to the data breach on the following number – 800-522-5680 extension 1234

Preventive measures

a. Always back-up your data on a server or back-up device

b. Use encryption software. It greatly enhances the laptop security as there is no way that the information is compromised if lost or stolen. A theft would simply be reduced to an insurance matter and cost of the hardware plus time to rebuild the laptop. A small price to pay compared to what can happen if you lose confidential or senstive data

Computer protection with Alertsec

Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subsribe for your personal 30-day free trial

Alertsec is the only service provider on the market that offers a pre-configured, ready-to-use solution which also includes 24/7 helpdesk.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today. You can read more about Check Point here.

Once you make your decision you can have the laptops protected within minutes. No delays with set-up, configuration, order or delivery - order now.

With every new data breach, hackers are proving their smartness and honing their hacking skills. The gaming world appears to be an lucrative area for them as the latest victim to have online identities and passwords stolen is Video game maker Sega. Sega produces games for a range of consoles, including the PlayStation 3, Nintendo DS, Microsoft’s Xbox 360 and Nintendo’s motion-control Wii.

Sega’s servers were accessed and information belonging to 1.3 million customers was stolen from Sega’s database. That  included names, email addresses, dates of birth and encrypted (not hashed or plain-text) passwords.

Surprisingly credit card numbers have not been affected. Sega Pass, Sega’s online system for giving newsletters, demos and other perks, had been closed for a complete investigation.

As per the latest update, 1,290,755 accounts have been compromised. Sega confirmed that no financial; data was stolen. Sega’s network is being currently strengthened and Lulz Security has taken the lead to find the perpetrators. They stated on Twitter that they would help “destroy” the responsible party because they love the Dreamcast.

What is puzzling is that the attack on Sega’s network took place after it confimed to have put new security measures following the data breach on Sony’s PlayStation Network

“We are deeply sorry for causing trouble to our customers. We want to work on strengthening security,” Sega spokeswoman Yoko Nagasawa told Reuters, adding it is unclear when the firm would restart Sega Pass.

According to BBC report, customers have been advised  to change their log-on details on other services and websites where they used the same credentials. In addition, Sega has reset all customer passwords.

Comparison with breach at Sony’s and Citigroup

Sega handled this situation better than Sony and Citigroup. It locked down the system and wasted no time in informing its customers. Sony informed almost after a week and Citigroup had the nerve to tell people that they didn’t disclose information because they didn’t want to shock customers !

Reality check

No system is 100% secure. So in case data theft takes place what is important is

1) Financial data does not get affected and

2) Systems should be immediately closed down, customers should be informed on time and security ought to be strengthened

Time for Alertsec to step in

By using industry leading Check Point Full Disk Encryption (former Pointsec) software, Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption

Alertsec’s mission is to continuously improve our products and services in order to deliver the easiest and most cost-effective managed encryption service on the market

The only way to protect information stored on a PC or laptop is by using encryption. Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users

Image via Wikipedia

It is the era of hacking ! Before the Cyber-world recovers from the recent data attack on Sony and Citigroup, hackers have managed to access personal data of Codemasters ’s users.

The story

The British games developer was attacked on June 3 and personal details like names, addresses and phone numbers of thousands of people were stolen. IP addresses, details of last site activity, order history, biographies, Xbox Live Gamer-tags of the Codemasters CodeM database and the DiRT 3 VIP code redemption page were also a part of the theft. Luckily payment details were not hacked into as those were processed by an external provider.

Codemasters.com and its associate web services have been taken off the web till the investigation is on. Users have been advised to log on to the company’s Facebook Page for more information. US and UK websites have also been redirected to the company’s Facebook page. A new Web site is in the pipeline.

According to BBC News, the company is still probing about possible suspects. The number of affected users is still not known. It could be anywhere from thousand to hundred thousand. The company said. “We assure you that we are doing everything within our legal means to track down the perpetrators and take action to the full extent of the law”

Data Security

Gamers have also been advised to change their passwords linked with Codemasters accounts. Codemasters spokesperson has further advised to refrain from opening any suspicious mail that might lead a user to an illegal website. Users need to be extra cautious of emails asking them to share their password or any other personal information

Users’ reactions

Leanne Lee from Eastbourne, Codemasters website user, blamed the company of being slow to report. She was shocked that she was told a week later after the breach occurred and that too via an impersonal email. According to Brad Langford of Manchester, Codemasters or any video game company for that matter does not really require sensitive information like birth place and birth dates.

Breaking news

‘Epic Games’ suffers cyber attacked  ! Stay tuned..

Data security with Alertsec

Data security is of utmost importance for any organization. This news stresses the need for data protection applications. The loss in the above incident could have simply been reduced to an insurance matter by a mere investment of $13/month.  The amount is meager compared to what the company has lost.  The need of Data encryption software and recovery software cannot be underestimated . Had the company used Alertsec’s services, the information would have been secure. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial