Posts Tagged ‘identity theft’

The Oregon Department of Transportation admits to data breach

September 12th, 2011

Data breach at ODOT exposes participants’ Social Security numbers

2011 has probably seen the most and the worst data breaches. In April 2011, Sony reported a data breach within its PlayStation Network. Expedia’s TripAdvisor, email marketing provider Epsilon and professional engineering society Institute of Electrical and Electronics Engineers followed suit.

In the latest data breach incident, data of 62 current and former employees remained exposed to the public online for nine long years. The breach was reported on Friday.

Details of the breach

Oregon Department of Transportation immediately removed the data from the site and apologized to its users who had participated in the environmental program. Fortunately, no one has had any problems with the exposed data.

An Aug. 26 email gave details of this breach to all its users.

According to Theresa Masse, the state’s chief information security officer with the Department of Administrative Services, “Some were electronic — misdirected email, lost laptop, or a file exposed on a website.” She further added, “Others involved misdirected letters or a lost folder. The largest affected 500 people; the smallest, one individual.”

ODOT found out about the breach two weeks ago when it got a call from a citizen who pointed out that a file on the agency’s file transfer protocol site contained encoded Social Security numbers. A file transfer protocol site is used to transfer large files to internal and external users. The file contained names and encoded Social Security numbers of 62 people working with ODOT’s environmental programs. This information could have been online since 2002.

This is what ODOT spokesman Dave Thompson had to say when users found out about the breach: “None of them were necessarily happy with us, or with the news this happened,” Thompson said. “But none of them has indicated they have noticed any sort of issue. It does not mean it hasn’t happened — and that’s why we spoke to them first before we announced it.”

Comparison with two private sector firm breaches

Health histories of 120,000 Oregon customers covered by Health Net were breached in March. Computer disks and backup tapes with details of 365,000 Oregon patients of Providence Health & Services went missing in Dec. 2005.

Another incident in early 2010

This incident was far more serious than the recent breach. A pen drive with payroll information of 550 Department of Corrections employees was found in Madras. The drive contained Social Security numbers of 300 employees at the Deer Ridge Correctional Institution near Madras and the Shutter Creek Correctional Institution in North Bend, and information of employees at the Warner Creek Correctional Facility in Lakeview.

How can Alertsec help protect data?

Organisations are now being made aware of their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.


SCRA breaches data for the second time exposing children’s details

September 7th, 2011

Sensitive info papers lost from filing cabinet

Data breaches are online as well as physical

Data breaches are not restricted to online or soft copy data loss. They also include theft or loss of physical documents.

Here’s a look at a recent case of physical and digital data theft.

Scottish Children’s Reporter Administration (SCRA) breaches Data Protection Act for the second time

The Scottish Children’s Reporter Administration (SCRA) has breached data security relating to children’s data twice in the last 6 months. The SCRA is an organization dedicated to protecting children in the judicial system. The body investigates the care of Scotland’s most vulnerable children.

Details of the two breaches

In January 2011 the Scottish body sent documents containing a child’s personal data to the wrong email address. The documents carried sensitive information, such as child abuse details related to the legal case, along with the contact information of the child’s mother and witnesses.

Later, in September 2010, the body somehow lost 9 case files which contained personal data such as birth dates, names and social reports. Apparently the files got lost when the filing cabinet which contained these files was moved and later sold to a second-hand furniture shop.

Mishandling of sensitive information

Ken Macdonald, assistant information commissioner for Scotland, is concerned that data had been breached twice by the same organization.

“On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided,” said Macdonald. He further added, “I am pleased that the Scottish Children’s Reporter Administration has taken action to make sure that the personal information they handle is kept secure and would urge other organizations, particularly those handling sensitive information relating to young people, to follow suit.” Fortunately both times the information was not circulated.

Information handling post breach

Neil Hunter, chief executive of the SCRA, is renewing the organization’s data protection policy and training employees about data security.

The ICO (Information Commissioner’s Office) is holding workshops related to raising awareness of data protection obligations among staff.

About ICO

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Security guaranteed with Alertsec Xpress

This incident highlights the need for data security and data encryption software. The threat could have been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec has offices in the US, UK, Sweden and operates in many other countries around the world through partners.

Its mission is to continuously improve its products and services in order to deliver the easiest and most cost-effective managed encryption service on the market.




California data breach law revised

September 2nd, 2011

Gov. Jerry Brown signs Senate Bill 24

Breach after breach is forcing lawmakers to make changes in security policy.

A California lawmaker has come up with a bill that would update the state’s data breach notification law, SB-1386, to help protect sensitive data.

About Senate Bill 24

Existing law requires any agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the system or data, as defined, following discovery or notification of the security breach, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.


Bill Update

Senator Simitian had submitted three versions of his security breach notification bill to former Governor Schwarzenegger in 2008, 2009 and 2010, but they were vetoed all three times.

This time though, he was lucky. The current Governor, Jerry Brown, signed the bill, which gives consumers information to help prevent identity theft.

SB 24 defines key details that must be a part of the notification letter and forces the Attorney General to take cognizance of the breach. In case a Social Security number or driver’s license details get compromised, the notice letter explains how to contact major credit agencies. This is very important as consumers can keep track of their accounts and get proof of identity theft (if one takes place). The bill further empowers consumers to prevent identity theft, including by freezing their credit report.

As per the update, the breach notification letters will contain details of the incident, i.e. the type of personal information compromised, a description of what happened, and steps to be taken to protect oneself from identity theft. The law also makes it compulsory for organizations to submit a copy of the alert letter to the state attorney general’s office in case the breach has affected 500 or more people.

What are the other States doing about ID theft?

Taking a cue from California law, over 40 states have adopted security breach notice laws. Some of them are Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia.

Will hackers stop?

Cyber thieves will continue breaking the law, but businesses and agencies will take more precautions to protect their data henceforth, and if they ever become a victim of a data breach, they will know who to turn to.

It was high time California got the added protection that SB 24 will provide.

Alertsec offers encryption service

Security services like the ones offered by Alertsec are the need of the hour. Alertsec is the frontrunner in offering hard disk encryption as a fully managed service. We provide information security in a cost-effective & easy way. Alertsec is part of the Durator Group which has been awarded the highest credit rating available.


Poor IT security measures lead to data theft in Citigroup Japan

August 26th, 2011

Another cyber attack on Citigroup

Hackers love Citigroup and they waste no time in finding loopholes to hack into its systems. They have done it again but in a different way. This is not an online hack but an offline one.

This time they have illegally accessed personal information of 92,408 Citigroup Inc. credit card customers in Japan and sold this info to third parties. This is a clear indication that banks are vulnerable to cyber attacks and need to beef up their security.

Customer account numbers, names, addresses, phone numbers, birth dates, account-opening dates and gender information were stolen. Thankfully, personal identification numbers and card security codes were safe.

No unauthorized use of the cards had been reported by the end of business on Aug. 5, Kyodo News reported.

Citi is getting in touch with all customers affected by the theft and plans to reissue cards at the customer’s request. It further added that customers won’t be responsible for fraudulent transactions on their accounts.

Who is the perpetrator this time?

According to Citigroup Japan, the system was hacked by a third-party vendor that had been given access to Citi’s internal systems.

Avivah Litan, a distinguished analyst at Gartner, sums it up: “This is a CIO’s worst nightmare.” “I am sure Citi is not sitting around and twiddling its thumbs as the hackers gain the upper-hand. However, it does prove what a leaky sieve most large banks and corporations are when it comes to protecting customer data. There are so many points of compromise that it’s very difficult for them to thwart all potential attacks.”

Customers have started worrying as cyber criminals are getting better and better at online attacks that steal private information and documents. They are not fully able to trust the big companies who are handling their money and credit card information.

Citi has been a constant target of hackers

In 2006, Citi’s system had been breached through a third party, giving away corporate banking information. Citi had to take the step of blocking PIN-based transactions for customers in Canada, Russia, and the United Kingdom. This was followed by an incident in June where the FBI arrested a former Citi executive who allegedly embezzled more than $19 million from the bank and its customers.

About Citigroup

Citigroup is a leading global financial services company housing 200 million customer accounts and operating in more than 140 countries. Through Citicorp and Citi Holdings, Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, and wealth management.

Protect yourself with Alertsec

Organisations are now being made aware of their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.


USB drive found in a pub contained data of 26,000 tenants

August 9th, 2011

Storing data is getting easier by the day. First, it was computers, followed by laptops, net-books and now it is the pen-drive. Just hang it on your shirt or carry it in your pocket. That is movable data. It is a boon but at the same time, a curse if you do not keep it safely guarded.

A serious data breach

There was a recent case of a USB drive found unattended in a pub in South London. The drive carried data of around 26,000 social housing tenants and bank details of some 800 tenants.

Breach details

Apparently, the USB drive owner worked for housing associations Lewisham Homes and Wandle Housing Association. The data belonged to the tenants of these housing associations. The USB drive was seen lying in the All Inn One pub. The authorities were immediately notified; fortunately, the data was not compromised.

According to Sally-Anne Poole, acting head of Enforcement at the ICO, “Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. Luckily, there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected.”

The Lewisham Homes and Wandle Housing Association had breached the 1998 Data Protection Act by not encrypting the information of 26,000 people.

Action taken by the ICO

The ICO gave the housing bodies a stern warning and made them aware that they had clearly breached the Data Protection Act. Had the stick gotten into the hands of a hacker, all hell would have broken loose.

Reactions by security experts

According to Edy Almer, VP of product management at Safend: “It is good to see that data stored on the USB was most likely not compromised and that the immediate response from the breached party was to make things right. It is important to note it was a third party contractor that lost the data and not trained internal staff, thus highlighting the need to selectively block or encrypt all devices connecting to your network in order to protect sensitive data.”

Mark Fullbrook, UK and Ireland director at Cyber-Ark, reacted: “This is yet another example of the poor data protection policies operating within organisations today. Using a memory stick to transport sensitive information may be convenient, but it’s certainly not secure and whilst in this case the memory stick was returned to its rightful owners, should it have fallen into the wrong hands the repercussions could have been severe.”

Action taken by the housing associations

Lewisham Homes has revised its data security procedure and the contractor/owner of the stick has been dismissed.

What can be done to protect data?

Using encryption software is the need of the hour. Be it an organization or an individual, if you are carrying data, it has to be protected, no matter what it is.

Use Alertsec

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.
