[SecurityRatty] tag: cleveland

Notacon 9 Pre-Registration Open

Tue, 24 Jun 2008 06:38:01 +0000

The Notacon conference is getting a huge jump on things for next year. They’ve already got their pre-regsitration open for April 2009. Well done.

From the Notacon site:

In order to simplify things for everyone, we have 2 basic registration levels, one with swag, the other with just the badge. With either registration, you can opt to pre-order a Notacon t-shirt via a drop-down option on the registration page.

The swag bag in the premier registration package not only will give you tons of goodies, but will also include a couple of meal vouchers that are good at the hotel to make sure you get at least some good meals over the course of the weekend. We will continue, of course, to have our con suite with complimentary sodas and snacks, but if you want something more substantial, think about the premier package!

$100 for the premium package. Not bad at all. There will be 600 tickets made available for the ‘09 show in Cleveland.

Article Link

UTUIA laptops are missing after shipment

Mon, 16 Jun 2008 05:37:36 +0000

Technorati Tag: Security Breach

Date Reported:
6/9/08

Organization:
United Transportation Union Insurance Association ("UTUIA")

Contractor/Consultant/Branch:
Westin Hotels and Resorts
United Parcel Service

Victims:
Policyholders

Number Affected:
Unknown

Types of Data:
"names and social security numbers"

Breach Description:
Two laptop computers shipped via UPS to UTUIA offices are missing. One of the laptops may contain sensitive personal information belonging to UTUIA policyholders.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you of a recent security incident involving UTUIA, headquartered in Ohio.

During shipment of UTUIA laptop computers to UTUIA offices, laptops have been reported missing.
[Evan] The notification letter sent to victims mentions two laptops.

The laptops may have contained personal information, including names and social security numbers, about policyholders

UTUIA has reported the missing laptops to law enforcement authorities and is pursuing the return of these laptops.

United Transportation Union Insurance Association has filed police reports, is coordinating with the hotel involved (Westin San Francisco) and has notified UPS of the missing items.
[Evan] Based on the information so far, it appears that UTUIA arranged for Westin to ship two laptops via UPS. One of the laptops contained sensitive personal information. There is no mention of encryption or any other protections in the breach notification, so we can only imagine.

Given the time that has passed since notification, we believe the likelihood of timely recovery is low and therefore are proceeding with notification.
[Evan] How much time has passed since the laptops were lost/stolen? Neither the New Hampshire or victim notifications disclose this important piece of information.

Currently, there is no indication that the laptop was stolen for its content, but it is possible that there was unauthorized access to information
[Evan] Do you think that a thief would announce his/her intentions for stealing the laptop? I don't think so. What indication an investigator look for to explain a thief's motives?

We regret this unfortunate situation, and although we have no evidence at this time that any personal information has been accessed or misused, we encourage you to take preventative measures.
[Evan] What "preventative measures" did UTUIA use to protect personal information for which they were not the owners? Who knows?

We sincerely apologize for any inconvenience that this may cause you.

If you have additional questions, please call us toll-free at 866-753-3631 between 8:30 a.m. and 4:30 p.m. eastern time, or contact us by mail at 14600 Detroit Avenue, Cleveland, Ohio 44107.

Commentary:
In my opinion, there is not enough information in the breach notification sent to the New Hampshire Attorney General or victims. Customers deserve more information about what an organization plans to do in order to provide an adequate amount (owner's discretion) of security. Based on the information we've read in the breach notification, there is no basis for judgment, which is sad.

What exactly does UTUIA do to protect the confidential information belonging to policyholders?

Past Breaches:
Unknown

Personal information from two Colorado mortgage companies found in dumpsters

Wed, 07 May 2008 18:20:50 +0000

Technorati Tag: Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog. The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster. Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities. This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you? According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage. I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks. Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies? The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors. The money attracted people from all walks of life and a lot of poor decisions were made. Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

Wee-Fi: The New Muni-Fi; Akron Ecstatic; State Park-Fi; Transport-Fi

Fri, 11 Apr 2008 08:43:00 +0000

Millions in grants for wiring, unwiring communities: This week brings $61m in funding to efforts to put affordable broadband with useful purposes in communities across the U.S., Wired reports, between a $36m grant from AT&T and its foundation to One Economy, and a $25m effort by the John S. and James L. Knight Foundation. As Wired notes, One Economy will bring broadband to 500,000 low-income Americans in over 50 communities, with private partners handling deploying. They'll also develop audience-appropriate content. The Knight project will bring together grants and best-practices to help communities create self-sustaining Internet access. OneCommunity in Cleveland was cited as an example, and its head will take the job at a new Knight Center of Digital Excellence.

Akron is pretty ecstatic about the new Knight center, which will be built in its midst, as not only will the city become a center of thought about linking up communities, but a wireless project of its own will now be completed more rapidly. The Knight Foundation is putting in $625,000 towards the $2.2m project to unwire 10 sq mi. Other funds are coming from the city and the University of Akron. Akron's local paper, the Beacon Journal, was the first newspaper owned by the Knight family. [link via Daniel McKimm]

Parks across the U.S.--about 194 of 3,208--have Wi-Fi, but why? This USA Today article enumerates what parks in which states offer Internet access, but are hard-pressed to explain why it's useful. I do like the idea myself of having a lifeline back to people and information even when I'm away from it all, but it's hardly a necessity.

USA Today also runs down some transportation-Fi: The newspaper runs through a list of where Wi-Fi is available on various means of transit.

Another mortgage company out of business leads to more documents in the dumpster

Wed, 19 Mar 2008 11:57:40 +0000

Technorati Tag: Security Breach

Date Reported:
3/19/08

Organization:
Affordable Realty

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
"Social Security numbers and financial records"

Breach Description:
"Social Security numbers and financial records of customers of a Flint-based realty mortgage company have been found in a dumpster. "

Reference URL:
WJRT ABC Channel 12 News

Report Credit:
Dawn Jones, ABC12 News Team

Response:
From the online source cited above:

The personal information of hundreds of local residents is now out in public view.

Social Security numbers and financial records of customers of a Flint-based realty mortgage company have been found in a dumpster.

Affordable Realty occupied office space inside the Ben Agree building on Dort Highway for years.

The company was evicted and all of its sensitive customer information ended up outside in a dumpster or on the ground nearby.
[Evan] Maybe the company figured that they had nothing to lose and just vacated the property. There is liability however. The leader(s) of the company is/are morally, ethically, and probably legally responsible for proper document destruction. There really is no excuse.

Included in the papers are bankruptcy statements, financial records, Social Security numbers and addresses of clients who once did business with Affordable Realty.

Witnesses say the business had recently been evicted and they report seeing Genesee County Sheriff's Deputies clearing the office space a few days ago.
[Evan] So am I safe to assume that the Genesee County Sheriff's Deputies actually had a hand in the poor handling of sensitive documents? Perhaps they could have been more careful and taken the time to identify sensitive documents before throwing them in the dumpster.

Since that time, at least one person claims to have seen people rummaging through the dumpster, picking up papers, going through them very carefully and walking away with some.

We talked to Genesee County Sheriff Robert Pickell about how this type of personal information should be handled.

"What the process server should have done is get the stuff, call the landlord and say 'I'm packing this up, I'm putting it into my truck, I'm taking it to my warehouse. You're gonna have to pay for the storage,'" Pickell told ABC12's Dawn Jones.
[Evan] And what the Sheriff's Deputies should have done is taken more care before throwing the documents in the dumpster.

The sheriff talks more about identity theft and how to protect your identity coming up later today on ABC12 News.

Commentary:
This isn't the first time we have read about personal information being discarded/disclosed in a public dumpster after a company has gone out of business. Last month included Union Mortgage Services of Cleveland, Inc. and First Magnus Financial Corporation. Throwing large amounts of documentation containing personal information in the trash is completely in-excusable and lazy. The good thing is that the companies are now out of business; the bad thing is that they may have taken some good people along with them.

I am concerned and uneasy about the fact that the Genesee County Sheriff's Deputies did not notice or take the time to investigate what the documents contained.

Past Breaches:
Unknown

Union Mortgage loan applicant information found in dumpster

Fri, 29 Feb 2008 11:14:23 +0000

Technorati Tag: Security Breach

Date Reported:
2/22/08, updated on 2/28/08

Organization:
Union Mortgage Services of Cleveland, Inc.

Contractor/Consultant/Branch:
None

Victims:
Loan applicants

Number Affected:
Unknown*

*"hundreds of people" including "Thousands of pages of sensitive documents"

Types of Data:
Information that is typically found in loan applications, including bank statements, credit reports, and tax returns.

Breach Description:
Thousands of pages of sensitive loan application information were discovered in a dumpster behind a pizza shop in Cleveland, Ohio. The documents were allegedly discarded by employees of Union Mortgage Services of Cleveland, Inc., which has closed down after failing to pay taxes or failure to file tax returns.

Reference URL:
WKYC-TV News

Report Credit:
WKYC-TV News, by way of Attrition.org

Response:
From the online source cited above:

Thousands of pages of sensitive documents were thrown out in a dumpster located behind a pizza shop at East 105th and Superior in Cleveland.

Confidential files were found on hundreds of people who applied for loans with a company called Union Mortgage, whose last known addresses were in Beachwood and Parma.
[Evan] Union Mortgage Services addresses are/were; 23611 Chagrin Blvd Suite 275 Beachwood, OH 44122 and 1440 Snow Road Suite 118 Parma, OH 44134

Investigator Tom Meyer learned the company closed its doors recently after either failing to pay taxes or file its tax returns
[Evan] Sounds shady for a mortgage company that people trust much of their financial lives with.

Channel 3 News retrieved as many documents as possible and returned them to their rightful owners.

Ken Knabe, a lawyer from Lakewood, was shocked that we had his bank accounts, credit reports, tax returns and other personal information including his social security number. "That's appalling. This is private information in a dumpster,"

Channel 3 News returned files of information on Kim and Edwin Soeder of Mentor, including their retirement accounts. "It makes you wonder how bad your credit rating becomes if people get this in their hands," said Mrs. Soeder.

Ohio Attorney General, Marc Dann, has sued another mortgage company, Randall Mortgage Services, Inc., for allegedly abandoning customers' loan and financial information. Dann says he would take action against Union Mortgage if customers came forward and filed complaints with his office.

[Evan] Attorney General Marc Dann's site has some good information for consumers. To file a complaint, visit http://www.ag.state.oh.us/citizen/consumer/complaints.asp

Dann said businesses that collect personal information are responsible for protecting it just like they would protect their own information.

Commentary:
This is similar to the First Magnus breach reported earlier this month. Similarities include two financially troubled (or bankrupt) loan companies that figured their obligation to protect confidential personal information ceased when they closed the doors. The obligation to protect information entrusted to you only ceases when you transfer custodianship (i.e. return it to the owner, destruction, etc.)

I assume that we will only continue to see more of these types of breaches as more loan companies continue to suffer from today's credit crunch. When I researched Union Mortgage Services for this posting, I had a general sense of uneasiness. The lack of discovered background information and other legitimate references about the company might have made me question whether or not I would have done business with them in the first place. Hindsight is 20/20 they say.

Past Breaches:
Unknown

SaaS and data security - here is the rub

Wed, 27 Feb 2008 14:32:58 +0000

One of the knocks against outsourcing applications and storage has always been control or rather the lack of it. Whether I am referring back to my Interliant days where we stored customers Lotus Notes and PeopleSoft financials data or Qualys storing their customers vulnerability data or as Douglas Schweitzer over at ComputerWorld points out, Google's plan to pilot a program with the world renowned Cleveland Clinic to store patients medical records on line, the idea of confidential, sensitive data being out of your direct and sole control scares many people. Never mind that the data may be more secure with the controls these SaaS providers put in place to than it would be in your own location. There is just something about the concept that deep down instinctually turns people off.

To be fair, the SaaS industry has done many things to overcome this bias. 3rd party audits of security procedures have helped. Also having the data encrypted with only you holding the key helps get many people comfortable. In fact over the last few years, I think on the whole we are seeing more and more IT and risk management departments getting comfortable with outsourcing their applications and the storage of this sensitive data. There are still some last bastions of holdouts, such as the US government with vulnerability data. But as I say, by and large it is much more acceptable. However, every time we take this paradigm to another market, such as confidential medical data the whispers and old doubts surface again. I think if we are truly going to see the Google Apps or Microsoft Live office stuff really take off, people are going to have to get over this phobia. Whether they do or not will go a long way towards determining if this is just a passing fad or the longterm future of the software industry.

SaaS and data security - here is the rub

Wed, 27 Feb 2008 13:33:13 +0000

Centralized, electronic storage of medical records

Wed, 27 Feb 2008 07:46:37 +0000

There has been a plethora of blog postings, articles, and other assorted attempts to put the Google/Cleveland Clinic medical records pilot into perspective. The pilot is described in a Newsday article.

Google, the California search engine company, and the Cleveland Clinic - an Ohio medical institution with a reputation for quality care - said last week they will collaborate on a pilot program to store patient records online. The test program will allow 1,5

Google to manage health records for Cleveland Clinic

Wed, 20 Feb 2008 21:00:00 +0000

Google will test a new online medical record service with a hospital group in Cleveland allowing patients to control who gets to see their health information. The two organizations hope the trial will lead to the creation of a national system for sharing electronic medical records.