Posts Tagged ‘privacy’

Personal details of Westfield Bondi Junction shoppers exposed in data breach

August 14th, 2010

The personal details of people who shop at Westfield Bondi Junction were exposed on the Internet following a direct-marketing email mishap on Monday night, 9 August.

Westfield has already notified the subscribers to its mailing list, stating that customer details were visible on the web for about eight hours. In a note sent to customers, Westfield said it experienced a “technical problem” with a link in an email newsletter that asked subscribers to update their contact details.

“As a consequence, the personal information of people who updated their details between 6.18pm on Monday 9 August 2010 and 2.30am on Tuesday 10 August 2010 may have been able to be viewed by other subscribers clicking on the link during that time,” the note stated.

The shopping giant also said that staff were made aware of the problem within three hours of the newsletter being sent, and that the issue was resolved by 2.30am on Tuesday.
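Westfield did not disclose what the “technical problem” was, only that other subscribers who followed the link could see details that had just been entered. Whatever the root cause, the control that prevents a link in one recipient's email from reaching another recipient's record is a per-subscriber, signed, expiring link whose server-side handler serves only the record bound to the token and ignores any identifier the client supplies. The following is an added example written for this page, not Westfield's code; the key, the subscriber records, the base URL and the seven-day lifetime are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-deployment key normally loaded from a secret store;
# generated here so the example runs stand-alone.
SECRET_KEY = secrets.token_bytes(32)

# Constructed sample subscriber records, not Westfield data.
RECORDS = {
    "sub-001": {"name": "A. Example", "email": "a@example.invalid"},
    "sub-002": {"name": "B. Example", "email": "b@example.invalid"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_update_link(subscriber_id: str, key: bytes = SECRET_KEY, ttl: int = 7 * 24 * 3600,
                     now: Optional[int] = None, base: str = "https://example.invalid/update") -> str:
    """Build a per-recipient link: subscriber id, expiry and a random nonce, authenticated with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    nonce = _b64(secrets.token_bytes(16))
    msg = f"{subscriber_id}|{now + ttl}|{nonce}".encode("ascii")
    sig = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{base}?t={_b64(msg)}.{_b64(sig)}"


def token_from_link(link: str) -> str:
    return link.split("?t=", 1)[1]


def verify_update_token(token: str, key: bytes = SECRET_KEY, now: Optional[int] = None) -> Optional[str]:
    """Return the subscriber id bound to the token, or None if it is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        msg_b64, sig_b64 = token.split(".", 1)
        msg, sig = _unb64(msg_b64), _unb64(sig_b64)
        subscriber_id, exp_text, _nonce = msg.decode("ascii").split("|")
        exp = int(exp_text)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # Constant-time comparison, and the signature is checked before any field is trusted.
    if not hmac.compare_digest(expected, sig):
        return None
    if exp < now:
        return None
    return subscriber_id


def record_for_request(token: str, requested_id: Optional[str], key: bytes = SECRET_KEY,
                       now: Optional[int] = None) -> Optional[dict]:
    """Hardened handler: the record served is the one bound to the token. A requested_id from the
    query string or form body is deliberately ignored, so one subscriber's link cannot reach
    another subscriber's record."""
    subscriber_id = verify_update_token(token, key, now)
    if subscriber_id is None:
        return None
    return RECORDS.get(subscriber_id)


def record_for_request_by_id(requested_id: str) -> Optional[dict]:
    """Hypothetical weak pattern shown for contrast (not Westfield's code): trusting an identifier
    taken from the request lets anyone holding the link read other subscribers' records."""
    return RECORDS.get(requested_id)
```

The token binds three things: who the link is for, when it stops working, and a nonce so two links for the same subscriber differ. Tampering with the subscriber id, reusing the link after expiry, or guessing a token for someone else all fail the HMAC or expiry check, and the handler never consults a client-supplied id.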

According to the company’s privacy policy, Westfield normally collects only the names and email addresses of subscribers and of the owners of the shopping centres it builds or leases. It also collects domain information and IP addresses, and logs users’ browsing behaviour on the Westfield site. The policy also states that the customer database “is protected by a firewall as well as host-based security.”

“The data is not transmitted over the Internet once it has been stored in the database. If Westfield ever has a requirement to transmit the data over the Internet (for example, to make an off-site backup) it will be in encrypted form. The electronic environments are real-time monitored by Westfield and a third party specialist security monitoring company”, the privacy policy states.

Westfield was unavailable for comment when approached to reveal how many customer records were exposed and what personal information they contained.

Westfield described the matter as a “one off occurrence due to a technical problem which has now been remedied and will not occur again.” The notice does not say what the technical problem was.

“However, you should be aware that any personal information you uploaded during this period may have been viewed during this time,” the shopping giant told customers. “If you receive any unusual emails, telephone calls or other communications you should treat these with caution.”

There is currently no formal data breach notification requirement under Australian law that would oblige Westfield to notify its customers, but the Australian Law Reform Commission recommended that the Federal Government introduce one in a report released two years ago. In the absence of such a law, Australia’s Privacy Commissioner has encouraged organisations to adopt a voluntary code of self-regulation.

Secure your organization with Alertsec

Alertsec Xpress is used by organisations that have recognised the need to protect their information. Customers range from single-user sole traders and consultants to large multinational companies with offices around the globe. Using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software, Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption.

For security and technology observations, consider following us on Twitter.


Data Breach at San Bernardino Community Hospital

June 15th, 2010

Community Hospital of San Bernardino has been fined $325,000 for failing to protect confidential patient data. The fine was imposed because an employee gained unauthorised access to the medical information of 204 patients. It was initially set at $250,000; a further $75,000 was added when a separate case involving unauthorised access to the medical records of three more patients came to light.

Diane E. Nitta, the hospital administrator, said the hospital has “enhanced staff education efforts around patient privacy (and) put in place expensive security measures that guard against inappropriate access to our patients’ records.”

According to the hospital’s spokeswoman, Tobey Robertson, none of the information was used to harm the patients.

How did these incidents happen?

  1. In the first case, a radiology technician accessed the computerised medical records of 204 patients without any clinical need for the information.
  2. In the second incident, a clerk let a friend into a restricted area, where the visitor overheard confidential information given by three patients during the admitting process.

The Department of Public Health has fined five organisations for data breaches, and the hospital is one of them.

Incidents like these are a reminder that disk and data encryption protect against one class of loss, a device that is stolen or misplaced, and that the two cases here are different: the first was misuse of access by an employee who held valid credentials, which is caught by role-based access controls and audit logging of record access, and the second was a failure of physical access control. A structured programme needs all three.

Stay Secure with Alertsec Xpress

Why do data breach incidents happen in the first place? Perhaps your organisation did not take the requisite steps, or data was handled negligently.

If you use data security software, a laptop theft is reduced to an insurance matter: the cost of the hardware plus the time to rebuild the laptop. That is a small price to pay compared with what can happen if you lose confidential or sensitive data. Alertsec Xpress offers an easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


Ireland Considering New Data Breach Notification Rules

June 11th, 2010
Data Security Concerns in Ireland

Following its neighbouring countries, Ireland is also looking more closely at its data protection rules. Under the proposed rules an organisation would have to report a data breach to the authorities in the case of any incident involving the loss of personal data of more than 100 people.

According to William Malcolm, a privacy lawyer with the law firm Pinsent Masons, Ireland has had its share of high-profile data breaches, which has spurred the creation of the code of practice.

Under the proposal from Ireland’s privacy regulator, data losses would be declared to Ireland’s Data Protection Commissioner in line with the draft code of practice published by the Commissioner.

Can the organizations avoid reporting?

Yes. They can avoid reporting a data breach if the data is encrypted and protected by a strong password. They can also escape reporting if the lost device had a remote memory-wipe feature that was activated. Note that the encryption exemption only holds if the key or passphrase was not lost along with the device; an encrypted laptop with the password on a sticky note is not protected data.

Some experts see the masking of critical incidents as a problem with breach notification guidelines of this kind: because of the thresholds and exemptions, major incidents could remain hidden while lesser events are exposed.

A couple of years ago, the government of Ireland recommended the creation of official guidance that would set out when incidents must be reported. The Office of the Data Protection Commissioner has published the proposed draft code of practice on its website, and from June 18 it will be open for public comment.

According to Irish Data Protection Commissioner Billy Hawkes, “I have sought to bring forward a draft Code as quickly as possible after the Review Group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations”.

What if data loss involves less than 100 people?

If an incident involving fewer than 100 people includes sensitive personal data or financial information, it must be reported as well.

What would the report constitute?

The report would include the following:

  • Type of the data compromised
  • What action has been taken
  • How people have been informed or the reason for not informing people
  • What kind of actions have been taken to limit the problems for affected people.


ING Compromises Customer Data

February 14th, 2010

Millions of people use search engines like Google to look up all sorts of information every day. It has become common for users to search their own names to see what comes up.

Imagine doing that and finding your personal information in the search results, available for anyone to see: your address and even your social security number. A security breach at ING (Internationale Nederlanden Groep), a worldwide financial services provider, made this a reality for 106 of its customers. Though the file that held the exposed data has since been removed, the repercussions of the breach are still largely unknown.

Investigating the Breach

A filing [PDF] from the company to the New Hampshire Attorney General’s Office explained:

On January 25, 2010 a customer alerted her securities broker to the fact she was able to access customer information through the ingfunds.com website. An electronic file containing customers’ personal information was inadvertently made accessible through the ingfunds.com website due to an isolated error, which has been resolved. The file was mistakenly posted to the website in August 2008. The error was quickly detected and the ability to access the file via link on the website was removed. The file, however, remained accessible through a specific search conducted via a web search engine. The file included the name, address, account number and social security number for 106 shareholders.

It is remarkable that ING kept the private details of some of its customers in a file that was neither encrypted nor kept off its public web server. The filing also shows the failure mode: removing the link from the site did not remove the file, which stayed on the server and in a search engine’s index from August 2008 until January 2010. What makes this especially dangerous is that accessing the information required no hacking at all; a search-engine user could stumble on the social security numbers and do untold damage. Customers of financial institutions deserve better. Organisations like ING have a responsibility to ensure that the information entrusted to them remains protected.
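The lesson from the filing is that “unlinked” and “removed” are different states: a file that no page links to is still served if it is still on disk, and a search engine that indexed it earlier will keep returning it. The check below is an added example written for this page, not ING's tooling. It crawls a site's links to find what navigation can reach, then verifies each path that was supposed to be taken down by asking the server directly and accepting only 404 or 410, and it counts SSN-shaped strings in whatever comes back. The site contents, paths and records are constructed.

```python
import re
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for a web server: path -> (HTTP status, body). Not ING's site.
# The shareholders CSV is linked from no page but is still served: the failure mode in the filing.
SITE: Dict[str, Tuple[int, str]] = {
    "/": (200, '<a href="/news">News</a> <a href="/forms">Forms</a>'),
    "/news": (200, '<p>Quarterly update</p> <a href="/">Home</a>'),
    "/forms": (200, '<a href="/forms/w9.pdf">W-9</a>'),
    "/forms/w9.pdf": (200, "form content"),
    "/exports/shareholders.csv": (200,
        "name,address,account,ssn\n"
        "Jane Doe,1 Main St,ACCT-0001,123-45-6789\n"
        "John Roe,2 Elm St,ACCT-0002,456-78-9012\n"),
    "/exports/old.csv": (410, ""),
}

HREF_RE = re.compile(r'href="([^"]+)"')
# US SSN shape with the never-issued area/group/serial ranges excluded. A heuristic, not proof of PII.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def fetch(path: str) -> Tuple[int, str]:
    """Simulated HTTP GET against the constructed site."""
    return SITE.get(path, (404, ""))


def crawl_links(start: str, fetch_fn: Callable[[str], Tuple[int, str]]) -> Set[str]:
    """Every path reachable by following links from start: what a visitor or crawler finds by navigation."""
    seen, queue = {start}, deque([start])
    while queue:
        path = queue.popleft()
        status, body = fetch_fn(path)
        if status != 200:
            continue
        for href in HREF_RE.findall(body):
            if href not in seen:
                seen.add(href)
                queue.append(href)
    return seen


@dataclass
class Finding:
    path: str
    status: int
    linked: bool
    ssn_hits: int

    @property
    def verdict(self) -> str:
        if self.status in (404, 410):
            return "GONE"
        return "STILL_SERVED" + ("" if self.linked else " (unlinked)")


def verify_takedown(paths: List[str], fetch_fn: Callable[[str], Tuple[int, str]] = fetch,
                    start: str = "/") -> List[Finding]:
    """For each path that was supposed to be removed, confirm the server no longer serves it
    (404 or 410), not merely that no page links to it, and count SSN-shaped strings in the response."""
    linked = crawl_links(start, fetch_fn)
    findings = []
    for path in paths:
        status, body = fetch_fn(path)
        findings.append(Finding(path, status, path in linked, len(SSN_RE.findall(body))))
    return findings


if __name__ == "__main__":
    for f in verify_takedown(["/exports/shareholders.csv", "/exports/old.csv", "/forms/w9.pdf"]):
        print(f"{f.path}: {f.verdict}, HTTP {f.status}, SSN-shaped strings: {f.ssn_hits}")
```

A real takedown ends with the server returning 404 or 410 for the path and a removal request to the search engine for its cached copy; a robots.txt rule or a noindex tag added afterwards does not purge what was already indexed. The stronger fix, as the post goes on to say, is never to place such an export under the web root in the first place.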

Next Steps and Lessons for ING

While poor data security is hard to forgive, ING acted quickly to resolve the issue and has done what it can to help the customers affected. On top of alerting the authorities in a timely manner, the company investigated each customer’s account and announced that no suspicious activity had occurred. As an additional apology, ING offered the 106 customers a free year of credit monitoring and fraud coverage to reduce the risk of identity theft.

Unfortunately, ING cannot put this embarrassing situation behind it that easily. Mainstream media will pick up the story and damage the business’s reputation and brand image. The error may also be a lot more serious than the company realises. It is likely that some of the 106 victims will take their business elsewhere, and some may sue, especially if they incur damages because of the breach. Identity theft may already have happened; it sometimes takes a while for the crime to be noticed. The Attorney General may even impose a fine for irresponsible business practices.

Keeping customer data secure should be an imperative for any business. Companies need to protect private information to avoid all the problems ING will have to deal with in the coming weeks and months. Had ING kept the file off its public web server, or at least encrypted it, this debacle could easily have been avoided. Removing a link is not the same as removing a file: the server has to stop serving it, and the search engine’s cached copy has to be cleared as well.

Further Reading
ING Fund client data exposed on the web for 18 months [Office of Inadequate Security]