http://securityratty.com/tag/carol Wed, 26 Mar 2008 04:54:16 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/7ae56d34b365648af4041ccd173db81f http://securityratty.com/article/7ae56d34b365648af4041ccd173db81f Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog.  The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster.  Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities.  This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you?  According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage.  I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks.  Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies?  The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors.  The money attracted people from all walks of life and a lot of poor decisions were made.  Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

]]> Wed, 07 May 2008 18:20:50 +0000 mortgage files numerous mortgage files personal information information complete mortgage files personal information poorly files cove creek mortgage cove creek Personal information from two Colorado mortgage companies found in dumpsters http://securityratty.com/article/7240fed31e61581015599856bf2549e3 http://securityratty.com/article/7240fed31e61581015599856bf2549e3 Security Breach

Date Reported:
4/24/08

Organization:
Hough, MacAdam & Wartnik LLC

Contractor/Consultant/Branch:
Coos County, Oregon
South Coast Hospice & Palliative Care
Two other undisclosed organizations

Victims:
Client employees

Number Affected:
482

Types of Data:
"name, Social Security number, and other personal information"

Breach Description:
"NORTH BEND - The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft."

Reference URL:
The World

Report Credit:
Jessica Musicar and Jolene Guzman, Staff Writers at The World

Response:
From the online source cited above:

The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft.

County officials worry the data may have contained employees’ names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam & Wartnik LLC of North Bend.
[Evan] We see too many breaches occurring through contractor/vendor relationships.

Although, there have been no known reports of identity theft from any of the 482 employees notified, the computer has not been found and, according to a letter from the firm, thieves sometimes hold victims’ information for later use.
[Evan] The fact that thieves DO sometimes hold victims' information for later use is important to remember.  This is one reason why one year or two year free credit monitoring (a semi-standard offering by breached companies) is a very limited short term response.

According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam & Wartnik. Albiar is a senior accountant at the firm.

Later that day, a letter from the company was sent to clients stating that a  "serious data security incident" may have involved clients’ personal information.
[Evan] Quick response.

"During the night of Tuesday, March 4, 2008, a notebook computer was stolen from a locked vehicle. The notebook’s hard drive may have contained your name, Social Security number, and other personal information,"

"We have notified law enforcement about this incident. This notification included a general report alerting them to the fact that the incident occurred. However, we have not notified them about the presence of your specific information in the data breach."
[Evan] I wonder why the firm decided not to notify law enforcement about specific information on the computer.

A public accounting firm, Hough, MacAdam & Wartnik is locally owned by Jim Hough, Shirley MacAdam and Jayson Wartnik. It opened in July 2004, following the acquisition of the office from Moss Adams LLP. The business dates back to the 1940s.

Shirley MacAdam said the March 5 letters were sent to the 482 employees of four clients - only one of which was a public agency. She demurred from identifying the clients involved, but further investigation revealed the County and South Coast Hospice & Palliative Care in Coos Bay are among the four.

it is possible the four data files from the four clients contained Social Security numbers and addresses of some of the employees on the laptop’s hard drive.

Some of the information could have been on the laptop since October 2007.
[Evan] This is a long time for personal information to be stored on a mobile device.  The longer the time, the higher the risk that the mobile device will be lost or stolen.  Right?  CPAs now this thing called risk, don't they?

The CPA said the computer was password protected, as were certain files.
[Evan] Oh boy, here it is.  The password protection mention.  Password protection should not be considered adequate protection is most circumstances (some would argue ALL circumstances).  Operating system passwords are simple to circumvent as are many common application passwords.

Some of the information contained in the programs require "special knowledge in order to find the personal information inside of the program"
[Evan] And now, the security through obscurity mention. Security through obscurity is a myth.  It is not effective.

When MacAdam and other members of the firm learned the computer had been stolen, their first priority was to identify affected clients and to notify them of potential risks. This was done within 24 hours of the theft

"Our concern was to ensure that we are taking all actions that we should as prudent business people, in addition to complying with all regulations regarding proper and timely notification," MacAdam wrote to The World.
[Evan] Prudent business people should do many things, and one thing among them is to regularly evaluate the risks involved with the way the handle information.  A prudent business person should be able to identify that storing confidential information from multiple clients on a poorly secured laptop is an unnecessary and unacceptable risk.

"We informed them of the actions they and their employees needed to take. Due to the nature of our work and our internal policies, no client information other than audit data is ever stored on a laptop, so there is no concern that any other client information might be on the stolen laptop."

The firm has since revisited its internal information technology security policy and implemented changes such as increased frequency of password changes, more complex passwords and encryption software when applicable.
[Evan] Careful.  Increased frequency of password changes and increased password complexity can very easily lead to an increase in the probability that people will write passwords down.  A person writing a password down on a Post-It note will defeat all of these controls (password changes, password complexity, and encryption software).

Additional training also was provided to Hough, MacAdam & Wartnik staff regarding the security policy
[Evan] I am a big proponent of training.  People argue about its effectiveness, but my experience has typically shown that it is well worth the time and effort.  Training should be fun and interactive, periodic (maybe annual), and followed-up with regular awareness reminders (such as posters, email newsletters, banners, freebies, etc.).

While no reports of identity theft or fraud have been made to the firm, MacAdam said the impacts of the theft have been felt by clients as well as by the firm.

"The impact on HMW has been both time and financial as we took all steps necessary to inform the individuals affected and address all concerns brought to our attention."
[Evan] The costs of a breach are significant in soft and hard dollars.  What did my grandma say "an ounce of prevention is worth a pound of cure"?  Wise advise, maybe she could have been a good information security professional .

MacAdam noted her firm has never experienced a data breach in the past and is still not aware if one has occurred.
[Evan] The firm is "still not aware is one has occurred" (meaning a breach)?  Oh yes, it has occurred!  In my definition, if you cannot be reasonably assured that confidential information has remained confidential, then a breach has occurred (not to mention integrity and availability).

More than 300 employees who received paper paychecks from the county may have had their personal information on the laptop, said Coos County Commissioner Kevin Stufflebean.

Information on the missing computer was left over from the county’s 2005-06 audit, Stufflebean said. There is a chance nothing was on the computer, he added.

"They didn’t have confirmation that it was wiped off the computer," he said. 'That’s why they notified (employees)."

Coos County Counsel Jacki Haggerty said she had not received any reports from county employees of any unauthorized use of their information. Still, the incident will raise the level of awareness of possible breaches in the future, according to Haggerty.

"I think it’s sobering,' she said. "You don’t think about it until something like this happens. This is kind of a wake-up call."
[Evan] This should be a wake-up call.  It's really too bad that it takes an personally affecting incident before waking up.  Wouldn't it be easier and more cost-effective to do a little research and learn from other people's mistakes?

Both the county and Hough, MacAdam & Wartnik are in the process of changing how data is used to make sure no unnecessary personal information is released in future audits. Haggerty said she feels assured by the lengths the firm has gone in order to increase data security.

"They are taking certain steps ... including not requesting or accepting certain information," she said. On the list of banned data includes clients’ Social Security numbers.
[Evan] This is the best control so far.  You can't lose information that you never had.

Employees of South Coast Hospice & Palliative Care also received copies of the March 5 letter from the accounting firm.

Carol Gardner, the administrative and personnel manager for South Coast Hospice, said Hough, MacAdam & Wartnik  has audited the organization for approximately 10 incident-free years. In fact, Gardner said, the hospice’s board of directors complimented the company for acting so promptly.

"It was one of those unfortunate faux pas," Gardner said of the theft. "This was an unusual situation and proper steps (were) taken to coach and correct that employee.
[Evan] A faux pas (false step) yes, but I would argue against "unfortunate".  Unfortunate for the victims, certainly, but not for the firm.  Information mismanagement should not be confused with bad luck.

"It did scare me a little bit to think that somebody had access," Gardner said, adding her own son dealt with a four-year struggle after someone stole his identity. However, 'Up to this point we have not heard of any repercussions from it.

"I feel that we were very fortunate because, as I understand (it), it’s big business  " things getting stolen out of vehicles ... " I think everyone needs to be aware not to leave anything of value in their vehicles."

Commentary:
Another sad incident of personal information on a poorly secured laptop computer.  When I read news articles like this, my blood boils.  Do people not know any better?  If they don't, then they shouldn't be allowed to create, collect, process, transfer, or store confidential information.

It is Monday morning, so maybe I'm in a bit of a mood.

Past Breaches:
None

]]> Mon, 28 Apr 2008 05:50:55 +0000 information clients personal information clients personal information specific information store confidential information client information confidential information personal information inside Stolen account firm laptop contained personal information http://securityratty.com/article/0d9ae2d3e2d576f50b189920a0a37a00 http://securityratty.com/article/0d9ae2d3e2d576f50b189920a0a37a00 Security Breach

Date Reported:
4/16/08

Organization:
University of Virginia

Contractor/Consultant/Branch:
None

Victims:
Students, staff and faculty members

Number Affected:
More than 7,000

Types of Data:
Names and Social Security numbers

Breach Description:
"CHARLOTTESVILLE -- A laptop stolen from a University of Virginia employee contained sensitive information about more than 7,000 students, staff and faculty members."

Reference URL:
inRich.com
DailyProgress.com

Report Credit:
Brian McNeill, DailyProgress.com

Response:
From the online sources cited above:

A laptop stolen from a University of Virginia employee contained sensitive information about more than 7,000 students, staff and faculty members.

Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a confidential file filled with names and Social Security numbers.

"As soon as we learned about the theft, we starting moving as quickly as we could," UVa spokeswoman Carol Wood said.

UVa mailed out letters Monday to each person affected by the data breach.

The Albemarle County Police Department is investigating the theft.

At the police department’s request, UVa is releasing few details about the incident.

the theft did not occur on UVa’s campus

Investigators apparently do not believe that the personal information was the target of the theft, according to the letter from James Hilton, UVa’s vice president and chief information officer.
[Evan] This type of statement is very common in breach notifications and responses.  I give very little weight to these statements because they are based on beliefs and feelings, not facts.  The facts are that a laptop was stolen with confidential personal information stored on it which exposes the information to unnecessary risk of exposure.

"Although circumstances suggest the thief was not targeting this information and there is no evidence he or she has seen or is using your personal information, I am bringing this incident to your attention so you can be aware of signs of misuse," Hilton wrote.

Victim Reaction:
Brian Reed, a graduate student in UVa’s Curry School of Education:
"You hear all the stuff on the news about identity theft,"
"I had this moment of panic."

Reed said he was "frustrated" that a UVa employee would keep his personal information on a laptop.

Too many similar incidents have occurred at other universities and government agencies, he said, for UVa to store sensitive data anywhere other than on secure servers.

"This has happened many times before,"
[Evan] Mr. Reed may know more about risk and information security than the people responsible for it at the school.

Commentary:
Another stolen laptop containing confidential information.  Due to the fact that there is no mention of encryption, I will assume that there wasn't any.  What is the excuse?  Does "circumstances suggest the thief was not targeting this information" work well enough for people?  It certainly doesn't work for the people I work for or the people that work for me!

Past Breaches:
June, 2007 - Hackers download personal details of University of Virginia faculty members

]]> Fri, 18 Apr 2008 11:34:25 +0000 confidential personal information personal information virginia information chief information officer information security virginia employee laptop confidential information More than 7,000 are affected by stolen University of Virginia laptop http://securityratty.com/article/0392ea590b4558ead40890faf5a96af5 http://securityratty.com/article/0392ea590b4558ead40890faf5a96af5 Security Breach

Date Reported:
3/23/08

Organization:
Western Carolina University

Contractor/Consultant/Branch:
Department of Business Computer Information Systems and Economics

Victims:
Graduates

Number Affected:
555

Types of Data:
Social Security numbers and other personally identifiable data

Breach Description:
"Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter."

Reference URL:
Asheville Citizen-Times

Report Credit:
Carol Motsinger, Asheville Citizen-Times

Response:
From the online source cited above:

Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter.
[Evan] What?  Give me your Social Security number, and I'll give you a newsletter?

WCU officials discovered the breach while trying to track down and eliminate private information on unsecure computer servers
[Evan] WCU deserves some credit for going through their systems like this.  This is something that should be done semi-annually, and never less than annually.

The compromised information was on a computer server managed by the Department of Business Computer Information Systems and Economics. And it was hacked several times, as long ago as 2006, said Bil Stahl, chief information officer at WCU.
[Evan] Ouch!  Several times since 2006 is bad news.  See my note above.

"We know the data was taken off the server, but we don’t have any evidence that their data was used," he said.

Social Security numbers were included in the stolen information because up until last fall, campuses in the University of North Carolina system could use those digits as student identification numbers. While the practice was stopped then, old data on servers remains vulnerable.

The private information was immediately removed from the compromised server and the Federal Bureau of Investigation is now handling the case.

Letters informing effected alumni of the security breach were also sent quickly, Stahl said.

Despite the breach, Stahl said WCU has "very robust security."
[Evan] Really?  I guess it depends on your definition of "very robust security".  How does a server get hacked several times over the course of a year or so and not get detected?  I think intrusion detection, logging, log management, penetration testing, and audits should all be added to the "very robust security" program (among other things).

"We haven’t had any problems on our secure servers," he said. The compromised information was stored on an unsecure server that is normally used for sharing class notes and assignments.
[Evan] Are the "secure servers" and the "unsecure" servers using the same security domain and centralized authentication (i.e. Windows domain)?  If so, then the "secure servers" are likely "unsecure" too.

The biggest challenge facing WCU is not keeping computer criminals out: It’s finding all the Social Security numbers that are stored in documents on unsecured servers.
 
"Most servers are secure," Stahl said. "We manage more than 150 servers, but they are secure."
[Evan] 150 servers is not too many to run them all as "secure servers".

WCU is currently mounting a twofold attack. It is combing computers for Social Security numbers used for student identification. If the school doesn’t need the numbers, they are deleted. If the numbers are needed, they are placed on a secure server, Stahl said.

The school is using software that finds nine-digit numbers in documents.

However, "there is no easy way to determine whether it’s a Social Security number or not," Stahl said. "You literally have to look at every nine-digit number."

Remarks from an affected alumnus, Wesley Todd
"The process is just tedious, having to take time out to verify that everything is still OK from my end and that my identity has not been stolen,"

"It’s just something that people worry about enough without the university creating more concern for us by not protecting our secured information." So far, Todd has "not found any credit issues,"

Remarks from an alumnus, Tom Fisher
"the most important thing any company, school or government entity can do after a security breach and/or data leak is notify the victims and potential victims."

"not at all surprised that the event actually occurred."

"Data breaches like this are like car accidents - you might not see one every day, but they are happening many times a day all across the country. All you can do is wear your seatbelt and hope it doesn’t happen to you."
[Evan] Sad, but true.  The analogy seems to fit.  Just like road fatalities we know that we can't completely eliminate them, but we never stop trying to make the roads safer.  Understanding this, our job is to reduce the frequency and number of incidents as much as possible.  Today there are still WAY TOO MANY breaches affecting WAY TOO MANY people.  Many of these breaches could/should have been easily avoided.

Commentary:
The fact that a server was compromised several times without detection is hard to explain away.  Some people may claim that the compromise was detected, but in my opinion it was not.  Stumbling upon a breach is not the same as detection.

I understand the challenge that WCU faces in trying to find Social Security numbers (and other confidential information) in all of the data they possess.  This is a challenge facing thousands of companies and organizations throughout the world.  Too many of these companies ignore that fact that data management is an issue and just continue to "throw more disk" at the problem rather than organize, manage, and secure.  The longer the problem exists without attention, the worse the problem gets.

Past Breaches:
Unknown

]]> Wed, 26 Mar 2008 04:54:16 +0000 server servers remains vulnerable servers secure servers computer server wcu social security unsecure server times WCU server "hacked several times" since 2006