http://securityratty.com/tag/donors Wed, 28 Nov 2007 02:45:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/9fbf858547c6670a14d3e4ee147593fc http://securityratty.com/article/9fbf858547c6670a14d3e4ee147593fc Security Breach

Date Reported:
7/7/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Agency for Health Care Administration

Victims:
registered organ donors

Number Affected:
"about 55,000"

Types of Data:
"names, addresses, birth dates, driver license numbers and Social Security numbers"

Breach Description:
"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."

Reference URL:
AHCA FAQs
Sarasota Herald-Tribune
WCTV CBS News
Orlando Sentinel

Report Credit:
Sarasota Herald-Tribune

Response:
From the online sources cited above:

TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.

The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.

"We stopped all access to the database, identified the flaws and corrected them."
[Evan]  This breach makes me wonder a couple of things.  Is information security testing part of the development lifecycle and change control?  I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.

The database includes donors' names, addresses, birth dates and driver license numbers.

The agency is sending letters to inform individuals of the flaw.
[Evan] What kind of flaw, do you suppose?  A Code flaw, an administrative/process flaw, a configuration flaw?

AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.
[Evan] No logging?  Logging of the systems, processes, and people accessing confidential information is a must.  Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).

The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.
[Evan] What does the "breach happened on June 20" mean?  It could mean that a flaw was detected on June 20, but could have been in existence for longer.  It could mean that a vulnerability was actually exploited on June 20.  I guess it really depends on your definition.  I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.

"If you have not received a letter our logs note that your information was not affected by this security flaw."

A couple of FAQs:
Q: If I have additional questions regarding this issue, what should I do?
A: You can call 866 757 0677.  This number is open Monday through Friday from 8AM to 7PM Eastern.

Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?
A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.
[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".

Commentary:
Ugh!  I am left with too many questions about this breach.  On the surface, this breach doesn't look all that significant unless of course, you are a victim.  When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA.  With less detail, it is easier to imagine.

Past Breaches:
State of Florida:
January, 2008 - Five stolen Florida Department of Children and Families laptops


]]> Wed, 09 Jul 2008 07:15:38 +0000 breach information personal information breach description flaw configuration flaw health care administration database includes donors security breach Florida's Agency for Health Care Administration reports a breach http://securityratty.com/article/7cab17fdc352275114a54ec17a2e2887 http://securityratty.com/article/7cab17fdc352275114a54ec17a2e2887 Security Breach

Date Reported:
5/1/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Target America Inc.

Victims:
Patients

Number Affected:
6,313

Types of Data:
"The information included names, addresses, medical departments and some patient medical record numbers"

Breach Description:
"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"

Reference URL:
San Francisco Chronicle
CNET
United Press International
UCSF News Release

Report Credit:
Elizabeth Fernandez, San Francisco Chronicle

Response:
From the online sources cited above:

Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.

Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

Sensitive information can be used by employers, health insurers and other entities to discriminate

thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.
[Evan] Purloined is a funny word. 

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum

"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."
[Evan] I don't think most people know this.  Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.

Hospital officials say there's no indication of identity theft to date.

UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.

Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.
[Evan] Seems wrong, doesn't it?  You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays).  If you are a deemed a good donor candidate, you get emails and letters that you never signed up for.  The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money.  Personally, I would be more willing to donate if an organization were straight with me.

The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."

Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.

Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.
[Evan] There is no mention of this breach anywhere on Target America's site either.  Sweep it under the rug and maybe it will go away?

The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.

Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.

"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."
[Evan] Why not say it like it is.  The true motive?

"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."
[Evan] Closer.

After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.

While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.

"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.

Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
[Evan] Don't think that this doesn't happen.  Insurance companies are not in business to help people, they are in business to make money.  They want to identify as many pre-existing conditions as possible.

UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.
[Evan] I think that this is open to interpretation.  HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.

"Steps have been taken to reinforce this practice,"
[Evan] Like what?  Are "steps" enough?

For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.

"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.

"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."
[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives.  One of the best from what I read.

UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.

UCSF continually modifies systems and practices to enhance the security of patient information.

Commentary:
Hmm.  I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,".  There is not much discussion surrounding the details of the actual breach itself.  I have also read concern of the length of time it took before patients were notified.

From Target America's "Why Target America?" page:
"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."
Looks like a pretty important database to me. 

There are no apologies made by UCSF or Target America for the breach.

Past Breaches:
University of California:
April, 2008 - University of California Irvine students are hit with mysterious breach

]]> Wed, 07 May 2008 12:10:17 +0000 ucsf ucsf patient ucsf patients patients patient sensitive information information patient information ucsf medical center Health care practices and UCSF patient records exposed http://securityratty.com/article/31ae26c705d39decf66cfee8c2d3c7b2 http://securityratty.com/article/31ae26c705d39decf66cfee8c2d3c7b2 Security Breach

Date Reported:
3/14/08

Organization:
Catalina Conservancy Divers

Contractor/Consultant/Branch:
None

Victims:
Donors

Number Affected:
816

Types of Data:
Donor information including credit card numbers, expiration dates and possibly CVV2 codes.

Breach Description:
"Hammonds, 36, was able to obtain the names and credit card numbers of hundreds of victims when they made online donations to the Catalina Conservancy Divers site he was hired to develop in 2005, police said. He then used the information he obtained through the site, www.ccd.org, to make online purchases and pay for personal items."

Reference URL:
The Newport Beach Police Department News Release
The Daily Pilot
The Orange County Register

Report Credit:
Joseph Sema, The Daily Pilot

Response:
From the online sources cited above:

On February 13, 2008, Newport Beach Police Detectives arrested Trevor Hammonds for 484G PC – Illegal Use of a Credit Card.  Detectives had learned that Hammonds was renting an apartment in Newport Beach through fraudulent means.  He was paying his rent by providing valid credit card account numbers of unsuspecting victims as payment.  Since his arrest, Detectives have been attempting to discover where and how Hammonds obtained his victim’s personal credit information.

Detectives recently discovered that Hammonds had created a website for the “Catalina Conservancy Divers” Avalon Harbor Cleanup, www.catalinaconservancy.org in 2005.  Through 2005 and 2006, Hammonds was able to obtain unsuspecting victim’s names and credit card numbers when they made online donations to the Conservancy.

Since that time, he has been using victim’s names and valid credit card account information to make online purchases and pay for personal items.  Detectives have identified a total of 816 possible victim credit profiles in the possession of Hammonds.

In 2005, the Catalina Conservancy group did not have a website capable of receiving electronic donations, conservancy spokeswoman Leslie Baer said. Many of its loosely organized support groups, such as the Catalina Conservancy Divers that would clean up Avalon Harbor, set up their own websites to accept donations.

Hammonds is currently being housed at the Orange County Jail in lieu of $100,000 bail.  The Catalina Conservancy Divers is a victim of Hammonds scheme and is not involved in any manner.

If you registered to this site and/or made an online donation to the Catalina Conservancy Divers during 2005 or 2006, please check your credit profile and account records.

The Catalina Conservancy Divers no longer accepts online donations
[Evan] This is sad not only for the individual victims, but Catalina Conservancy also.  Online donations should be a viable option, but now it viewed so.

If you believe you have been the victim of a crime, please notify your bank immediately to close your account(s) and prevent any further crimes from occurring.

In addition, contact the Newport Beach Police Department in order to report your crime.  This can be done by contacting Investigator Bob Watts at (800) 550-NBPD or (949) 644-3799.

Commentary:
I am impressed with how the Newport Beach Police Department has handled this investigation, at least from what I read.  I very much like Sergeant Evan Sailor's remarks to the press and the decision to publish a public press release.

Employee fraud can be a very difficult crime to protect against and pose a very high risk to organizations.  As long as we have bad apples in the bushel, we will have a certain amount of fraud.  Not that we should throw up our hands and give up though!  This article "Eight Tips to Prevent Employee Theft and Fraud" is a pretty good read.

Past Breaches:
Unknown

]]> Mon, 17 Mar 2008 10:32:50 +0000 catalina conservancy conservancy catalina conservancy divers hammonds trevor hammonds victims names names victims online donations Catalina Conservancy Divers donors are warned http://securityratty.com/article/f31da5eef0868dc2cbc067042e25fee8 http://securityratty.com/article/f31da5eef0868dc2cbc067042e25fee8 Security Breach

Date Reported:
3/5/08

Organization:
Cascade Healthcare Community

Contractor/Consultant/Branch:
St. Charles Medical Center (Bend - Redmond)

Victims:
"community members", Donors

Number Affected:
11,500

Types of Data:
Names, addresses, dates of birth and credit card information

Breach Description:
"A computer virus may have exposed the names, credit card numbers, dates of birth and home addresses of more than 11,500 individuals who donated to Cascade Healthcare Community in Bend and Redmond"

Reference URL:
Cascade Healthcare Community press release
The Oregonian
The Bend Bulletin

Report Credit:
Cascade Healthcare Community

Response:
From the online sources cited above:

Like all health care organizations, Cascade Healthcare Community has a strong commitment to protecting patient and employee information.
[Evan] We would like to think "all health care organizations" have a strong commitment to protecting patient and employee information, but some obviously take this commitment more seriously than others.

Unfortunately, CHC was recently the victim of a computer virus that may have made some personal information vulnerable to inappropriate use.

Despite having an anti-virus security system in place, the CHC computer network was hit by a virus on Dec. 11.

The IT group immediately worked to halt the attack and closely monitored the network for several weeks before detecting suspicious activity on Feb. 5. At that time, CHC hired an external information technology forensic team to investigate the incident.

After an exhaustive forensic evaluation, CHC learned Feb. 20 that some personal information stored on our systems may have been compromised.

This information included names, addresses, dates of birth and credit card information for approximately 11,500 members of our community.
[Evan] Although I think I understand why this information was kept by CHC, I don't agree with CHC's decision to keep credit card information on file.  I can see something like this as a statement, "In the best interests of CHC, it's donors and patients, we do not store credit card information".

At this time, there is no evidence indicating any patient health information was compromised.

“Although the investigation provided no indication that information was misused, CHC is working quickly and diligently to provide all affected members of our community with leading credit monitoring services at no charge,” said James A. Diegel, FACHE, President and CEO of CHC.
[Evan] Mr. Diegel understands that the information security buck stops with him.  As an organizational leader, he understands that he is ultimately responsible for the due care of information assets.  I admire Mr. Diegel for addressing this situation personally.

“We want to express our sincere apologies to those community members who have trusted us with their information for the inconvenience and worry this situation may have caused.”

CHC has contracted with an industry-leading provider of credit monitoring services and is providing free enrollment in a 12-month credit monitoring program for those affected. All potentially affected individuals will receive additional information directly from this agency within the next several days that includes information on enrollment.

In addition to community member information, CHC has learned that usernames and passwords of all CHC employees were also vulnerable for a short period of time.

All caregiver passwords were changed as of 2 p.m. on Thursday, Feb. 21 and there is no evidence that unauthorized users accessed individual patient health information.

“It is vital that we continue to raise the level of security within the organization,” Diegel said. “We are working diligently on all levels of security from educating caregivers on the importance of protecting their passwords to upgrading our virus protections.”
[Evan] "It is vital that we continue to raise the level of security within the organization".  This is one of the best statements I have read from an organization leader in some time.  It is vital that ALL of us raise the "level of security" within our areas of responsibility (personally and within our organizations) and explore ways to continuously improve our security posture.  This is a never-ending cycle.

A few select FAQ's from the press release:
Q:  Is there any way to find out how this virus entered the environment?

A: We suspect that it was through an Internet Web browser or through a thumb drive or floppy disk media. We do not know who did this and whether it was done intentionally or by accident. We have no guarantee we will ever find out who did this.
[Evan] This is all too common.  Understand that each and every connection we make from work to an Internet site is a potential (and at times successful) avenue of attack.  We weigh the convenience and business benefits of using the Internet against the risk of exposure.  It's about balance.

Q:   What is Cascade Healthcare Community doing to prevent this from happening in the future?

A.  Cascade Healthcare Community has examined and analyzed existing procedures and systems to ensure appropriate security measures are in place. We have taken immediate steps to increase our investment and focus in the security area. We have created a multiple-step plan to outline immediate and also longer term steps. New virus software and approaches are developed each and every day worldwide. Our protection is a full-time evolving strategy.

Commentary:
I am very impressed with Cascade Healthcare Community's press release.  The information they provide paints a clear picture of what happened and helps me to feel confident that they know what they are doing.  I would just suggest that they not store credit card information anymore (if possible).

Past Breaches:
Unknown

]]> Fri, 07 Mar 2008 11:02:22 +0000 personal information vulnerable personal information cascade healthcare community community information information assets employee information credit card information credit card Cascade Healthcare Community donors affected by malware http://securityratty.com/article/189165f11484d3514e254fe195dd775e http://securityratty.com/article/189165f11484d3514e254fe195dd775e Wed, 20 Feb 2008 15:30:20 +0000 irish blood donors laptop theft york records february official Laptop theft highlights security weakness http://securityratty.com/article/942b00ba051c5682ac533eb6b8c57745 http://securityratty.com/article/942b00ba051c5682ac533eb6b8c57745 Security Breach

Date Reported:
2/13/08

Organization:
Lifeblood

Contractor/Consultant/Branch:
None

Victims:
Blood donors

Number Affected:
320,000

Types of Data:
"names, contact information, blood type, gender, ethnicity, and, in some cases, Social Security numbers"

Breach Description:
Two laptop computers are lost and presumed stolen from a storage room at the Lifeblood office building.  The laptops contained sensitive and personal information belonging to blood donors.

Reference URL:
Lifeblood Press Release
Commercialappeal.com story
WREG Memphis Channel 3 News

Report Credit:
Lifeblood

Response:
From the online sources cited above:

Two laptop computers are missing from Lifeblood’s possession and presumed to be stolen.

Someone got inside a storage room at the Lifeblood building on Madison and took the computers.

The dual-password protected laptops were used on mobile blood collection drives, and each included information about Lifeblood’s blood donors, including names, contact information, blood type, gender, ethnicity, and, in some cases, Social Security numbers.
[Evan] I have to say, "dual-password protected" sounds very impressive and very secure, but the I should follow-up and say IT'S NOT.  I am guessing that one password is for the operating system, which takes less than five minutes to bypass/change and I am also guessing that there is (was) a password to access the database or the program that opens the database.  The second password probably isn't that hard to crack/bypass either.

The organization is notifying all of the approximately 320,000 affected individuals about the situation and encouraging them to place fraud alerts on their credit reports in the unlikely event that an unauthorized person gained access to the data on the computers.
[Evan] What a hassle for 320,000 people.

Lifeblood started sending out letters to donors this week, notifying them about what happened.

Based on the level of password security and the intricacies of the database structure, Lifeblood believes that is extremely unlikely that an individual who is not specifically trained to use the laptop and who does not have a valid Lifeblood ID and password could access the information contained on it.
[Evan] If this statement weren't so sad, it would be funny.  I could stretch and maybe agree with "unlikely", but I would certainly not go as far as to say "extremely unlikely".  It really is easier than most people think.

"Our hope was we'd be able to locate the devices and with that we'd be able to find whether the database had been accessed or not," said Dr. Edward Scott of Lifeblood.

Since the discovery Lifeblood has implemented additional security measures to protect against future theft of property or donor information. These measures include more restrictive access to and continuous closed circuit monitoring of the areas housing the laptops, installation of software to allow remote tracking and erasure of the hard drives on laptops used on mobile drives, and additional programming to prevent full Social Security numbers from being downloaded to mobile laptops.
[Evan] WHERE IS ENCRYPTION?  Remote tracking and erasure provides some protection, but it isn't very hard to disable/bypass either to anyone with skill.  Nobody breaks strong encryption with sound key management, no matter how skilled they may be.  Why does a donor have to supply a Social Security number to donate blood in the first place?  What does my blood have to do with my Social Security benefits?

He says a private investigator's been working this case. But with no solid leads, they've now teamed up with Memphis Police.

"We're concerned it may be a former employee. Or someone else who had access to building at the time," said Dr. Scott.
[Evan] Someone did have access or the laptops wouldn't be stolen.

The worry now though is that this breach will discourage people from donating.

"Blood is always going to be needed in the community, there's no substitute for that," said Dr. Scott.
[Evan] This is by far the most intelligent remark of any I have read about this breach.  PEOPLE NEED BLOOD AND BLOOD SAVES LIVES.  At the end of the day, I would trade my Social Security number to save someone's life.

Commentary:
We have now reported two blood centers that each stored confidential personal information on laptops (without encryption) and had them stolen.  The other was Memorial Blood Centers in Minnesota.  I don't understand why blood centers need my Social Security number in order for them to take my blood.  I assume they use it as a personal identifier.  I would much prefer that they create an identifier for me that cannot be used against me later.

I really appreciate all the work that blood centers do for the communities they serve, but they really don't serve the victims well when they don't take the time to properly secure the information they collect.

I cannot think of a good alternative to laptop encryption.  Why won't Lifeblood encrypt confidential data at rest?

Past Breaches:
Unknown

]]> Thu, 14 Feb 2008 07:17:22 +0000 mobile blood collection blood personal information memorial blood centers blood saves lives blood type lifebloods blood donors lifeblood information Donor personal information was on Lifeblood stolen laptop http://securityratty.com/article/94ca1ad8c16254e5da8358774edd4fe4 http://securityratty.com/article/94ca1ad8c16254e5da8358774edd4fe4 Security Breach

Date Reported:
2/5/08

Organization:
Memorial University

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
150

Types of Data:
"private information"

Breach Description:
A personal laptop computer was stolen from the home of a Memorial University professor while he was out of town that may have contained sensitive personal information belonging to students of the school.

Reference URL:
Memorial University new release
Canadian Press story

Report Credit:
Memorial University

Response:
From the online sources cited above:

Email Message from Newsline:
As you may know from a MUN Today article, a laptop stolen from a Memorial professor's home may have led to a breach of private information.

The professor, on returning home from an out of province trip on Jan. 18, discovered that his home had been burglarized and a laptop stolen.

The laptop was stolen sometime between Jan. 15-18, 2008.

the laptop computer may have contained students' personal information

Mr. Burns used the personally-owned laptop occasionally for university-related purposes and reports that it may have contained class lists from: Business 1000, Section 2 and Section 4, which were taught in the fall 2006 semester; and Business 7302 which was taught in the fall 2007 semester.
[Evan] A personally-owned laptop?  It is good information security practice to prohibit the use of personal computers to access business information resources.  This is a unnecessary and often unacceptable risk.

While Mr. Burns could not confirm that the information from those courses was actually on the stolen laptop, the university has decided to contact all 150 students who may have been affected to advise them of the possible breach.

As a result of this possible breach of students' personal information and as the privacy officer for Memorial, I want to remind all faculty and staff that they must secure all personal information (of students, employees, alumni, donors, research subjects and others) against unauthorized access.
[Evan] OK, how?

we are reminding all faculty and staff at the university, and anyone who teaches at the university and who may handle private information, to use password protection and/or data encryption on all laptops and removable media devices
[Evan] "and/or" encryption?!  No, no, no.  Information security policy must be cut-and-dry whenever possible.  Remove the "/or" and you may have something.

“If you are not sure how to set a password for your laptop or other storage device, consult an IT support person who can assist you. As well, ask about data encryption to further secure personal information.”
[Evan] "If you are not sure" (meaning users) then you need training!  It is our job as information security personnel to train the users and communicate with them regularly (awareness) about what is expected of them.  This comment is way too wishy-washy for me.

Since last spring, Memorial's Information Access and Privacy Protection (IAPP) office has been developing a privacy strategy and privacy compliance tools for the university, with the assistance of a privacy consultant.

The report, together with findings and recommendations, compliance tools, and draft policy and procedures, are available on the IAPP website www.mun.ca/iapp.

Finalizing policy, procedures and planning for implementation of most of the recommendations is now under way.

We remain confident that the information that may have been exposed by this theft was minimal and cannot lead to further problems for the students affected

Commentary:
Poor practice that contributes to a increased risk involved in this breach:

#1 - DO NOT allow the use of personal computers (or equipment).  Personal computers are typically not tested, not built with standard OS images, and lack the security controls in place on organization-owned equipment.

#2 - AVOID "and/or" statements wherever possible in security directives.  "And/or" implies ambiguity, where security needs certainty.

#3 - DO NOT expect users to seek out security best practices.  Security needs to be brought to them through regular training and awareness.

Past Breaches:
Unknown

]]> Tue, 05 Feb 2008 11:57:10 +0000 secure personal information personal information sensitive personal information university information information access memorial professor memorial professor Stolen personal laptop may have Memorial University student info http://securityratty.com/article/5654bc0d7a27b8d23c68ea9b57d92b98 http://securityratty.com/article/5654bc0d7a27b8d23c68ea9b57d92b98 Security Breach

Date Reported:
12/28/07

Organization:
State of Minnesota

Contractor/Consultant/Branch:
Department of Commerce
Promissor Corporation

Victims:
Certain real estate, abstractor, appraiser, and debt collection license applicants and licensees

Number Affected:
219

Types of Data:
Names, Social Security numbers, addresses and state license numbers.

Breach Description:
A laptop computer containing sensitive personal information belonging to 219 Minnesota real estate, abstractor, appraiser and debt collection license applicants and licensees was stolen from an employee of Promissor Corporation, a contractor employed by the Minnesota Department of Commerce.

Reference URL:
Minnesota Department of Commerce News Release
St. Paul Pioneer Press News Story

Report Credit:
Minnesota Department of Commerce

Response:
From the official news release and online source cited above:

On December 6, 2007 a laptop computer containing the personal information of 219 Minnesota residents was stolen from an employee of Promissor Corporation in Philadelphia, Pennsylvania. Promissor is a vendor used by the Minnesota Department of Commerce to manage licensing data for the real estate, mortgage, and debt collection industries in Minnesota.

The theft of this computer has been reported to the Philadelphia Police Department and at this point it has not been recovered. Regrettably, Promissor waited until December 21 to alert the Minnesota Department of Commerce about this theft and since then Department staff has been working with the vendor to identify the extent to which Minnesota licensees have been affected and to notify them so they can take action to protect their identity.
[Evan] I can sense the frustration with the vendor.  Vendors working with confidential information in any manner must be held to the same standards as everyone else.  We recommend the creation and enforcement of a seperate Vendor/Third-Party Access Policy (sample) to our customers that employ vendors.

The laptop was used to support and test the real estate, abstractors, appraisers and debt collection licensing system and data base used by several states including Minnesota.
[Evan] The use of production (real) data for support and test purposes is NOT a recommended practice.  Promissor Corporation should know better.

password protected, but not encrypted.

information included some or all of the following data fields for 257 applicants/licensees in the licensing system (including 219 Minnesota licensees): name, social security number, address and state license number.

On Friday, December 28, the Department of Commerce received from Promissor a list of the 219 individuals affected by the theft. Department staff is currently contacting these licensees by phone to notify them of the theft of their data and suggest steps they should take to protect their identity. Promissor also sent each licensee written notification which includes an offer by the company to purchase the credit watch monitoring service from Equifax for one year at no cost to the licensee.
[Evan] Credit monitoring only monitors for fraud and alerts a victim after it has already occurred.  One year's worth of protection is only good for information that is no good after a year.

The Department is also demanding from Promissor stricter measures of security for all other data containing Minnesota licensee information on all of their computer systems.
[Evan] Like?

Commentary:
What information security measures are required of Minnesota Department of Commerce vendors and contractors?  Stolen or lost laptops containing sensitive information without encryption is nothing new, although no more excusable.  A twist in this breach is the use of production data in support and test functions.  I can't tell you how many times I have butted heads with programmers that insisted on using real data for code testing.  Developers should ONLY use fabricated and/or sanitized data for testing, no exceptions.

I am a Minnesota resident.  This is the second breach in the past month related to an unencrypted stolen laptop for my state.  The other breach concerned the Memorial Blood Centers and the disclosure that a laptop containing information belonging to 268,000 donors was stolen.

Past Breaches:
Unknown


]]> Fri, 28 Dec 2007 21:01:21 +0000 minnesota minnesota real estate sensitive personal information personal information minnesota department department minnesota licensees real information Laptop stolen from Minnesota Department of Commerce vendor http://securityratty.com/article/51972210a2a286bd2be3bac4df6b20f3 http://securityratty.com/article/51972210a2a286bd2be3bac4df6b20f3 Security Breach

Date Reported:
12/5/07

Organization:
Memorial Blood Centers*

*Memorial Blood Centers is a nationally known, locally operated nonprofit community blood center that has supplied blood and blood components to area hospitals for nearly 60 years. Memorial Blood Center operates 10 donor centers at nine Minnesota sites and one in Superior, Wisconsin and conducts more than 125 blood drives monthly.

Contractor/Consultant/Branch:
None

Victims:
Blood donors

Number Affected:
About 268,000

Types of Data:
Name and Social Security number.

Breach Description:
A laptop was stolen from the Memorial Blood Centers on the morning of November 28th, 2007 while preparations were being made for a blood drive in downtown Minneapolis, Minnesota.  The laptop contained names and Social Security numbers of 268,000 blood donors and appears to have not been encrypted.

Reference URL:
Press Release on BusinessWire
Press Release on the Memorial Blood Centers Press Release

Report Credit:
Memorial Blood Centers

Response:
From the official press release cited above:

Memorial Blood Centers reported today that it has begun notifying blood donors of the theft of a laptop computer holding donor information.

About 268,000 donor records on this laptop computer contain a donor name in combination with the donor’s social security number.
[Comfyllama] Why is a Social Security number required to donate blood?!?!  Crazy.

The laptop computer was stolen on November 28, 2007 in downtown Minneapolis during early morning preparations for a blood drive.

The theft was captured on building security cameras. The Minneapolis Police Department was notified and Memorial Blood Centers is working with law enforcement authorities to recover the laptop computer.

Access to the donor information on the laptop is protected by multiple levels of passwords and requires the use of other technologies to prevent unauthorized use. The donor records do not contain medical information.
[Comfyllama] Multiple levels of passwords means little more than a nuisance to anyone with even minimal computer skill.  If this was a shared laptop (not uncommon in this situation), then the chance of the password(s) being written down are increased.  I am curious what "other technologies" means?  Right now, it means nothing to me.

“We apologize for any anxiety this incident may cause for our donors,” said Don Berglund, Chief Executive Officer of Memorial Blood Centers. “This appears to have been a random crime. We believe the measures securing access to the donor records protect against their inappropriate use. We also immediately implemented additional measures to further protect against unauthorized access to donor data.”
[Comfyllama] On the one hand, I am always impressed when a CEO comments about a breach of security because it shows recognition of the fact that "the buck stops" with him/her.  On the other hand, the comment "We believe the measures securing access to the donor records protect against their inappropriate use" shows a level of naiveness (assuming no encryption).

Memorial Blood Centers has begun notifying the affected donors whose names and Social Security numbers were on the stolen computer. Notified individuals are being encouraged to monitor their financial accounts as a precaution.

A special hotline has been established for donors who may have further questions about this theft. Donors with questions can reach the hotline by calling 888-333-1491.

Persons with any knowledge of the theft are asked to call the Minneapolis Police Tipline at (612) 692-TIPS.

Commentary:
This is a serious breach that needs further explanation.  Why on earth does the Memorial Blood Centers need to collect Social Security numbers as part of their blood collection process?  I assume that they use Social Security numbers as identifiers, which everyone should know is a "no-no" unless its require by law.  I'm no lawyer, so is it required by law?

Let's say for a second that Memorial Blood Centers is required by law to collect and store Social Security numbers as part of the donation process.  This is the year 2007, and we should be encrypting confidential data at rest.  There should be no more excuses.

Let's say for a second second that this information was protected with encryption.  Then state this in the press release.

Past Breaches:
Unknown



]]> Thu, 06 Dec 2007 11:09:42 +0000 donors blood security security cameras store social security memorial blood centers donors social security breach description blood components 268,000 donors exposed through stolen Memorial Blood Centers laptop http://securityratty.com/article/c5948a771e0e767cae508cafb8266bdc http://securityratty.com/article/c5948a771e0e767cae508cafb8266bdc Convio, one of the larger Internet donation service providers for charities, was recently hacked and a significant number of donor email addresses and passwords were compromised. Major NGOs using the company's services including CARE and the American Red Cross were among the victims. More commentary on the story is here.

This incident demonstrates the potential for data vulnerability when relying on outsourced IT services. It also shows that a large number of humanitarian organizations were negligent in not notifying donors after the information security breech occurred. While no credit card information was compromised, a risk still exists that stolen information could be used to access banking, retail and other online services. Management should have contingency plans in place to quickly notify donors of any data compromise. Transparency in situations like this is critical.]]> Wed, 28 Nov 2007 02:45:00 +0000 information security breech information credit card information online services services donor email addresses american red cross humanitarian organizations donors Online Donation Service Hacked