http://securityratty.com/tag/equifax Tue, 15 Jan 2008 10:32:24 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/02762ed90939b5fec285c30e70bf385a http://securityratty.com/article/02762ed90939b5fec285c30e70bf385a Wed, 02 Jul 2008 20:00:00 +0000 compiles credit reports employees access security requirements equifax network contractors firm machines technology Equifax bolsters border security http://securityratty.com/article/3313abd868212bd3a9ed98811169e851 http://securityratty.com/article/3313abd868212bd3a9ed98811169e851 Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.  Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.  The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information.  Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did.  Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.



some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information!  I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again.  One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame.  It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many".  How many clients will be affected in the end?  PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters.  An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business.  This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th?  I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you.  We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist.  How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it?  If so, this could have been a sign that could have spurred some action.  Then again, maybe not.


http://www.colthr.com/



Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February.  The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking.  Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships.  Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment.  Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization.  The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary.  If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

]]> Wed, 25 Jun 2008 07:25:20 +0000 information personal information information security confidential information protect information breach sensitive information information security requirements colt "many of Colt's clients" affected by breach, CNET included http://securityratty.com/article/f74dd3d54ef8465c68b7797c38075517 http://securityratty.com/article/f74dd3d54ef8465c68b7797c38075517 Security Breach

Date Reported:
5/14/08

Organization:
Oklahoma State University ("OSU") 

Contractor/Consultant/Branch:
OSU Parking & Transit Services

Victims:
OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008

Number Affected:
as many as 70,000

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."

Reference URL:
Oklahoma State University Alert
KOCO Channel 5 News
The Daily O'Collegian
The Oklahoman

Report Credit:
Oklahoma State University

Response:
From the online sources cited above:

STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.

Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.
[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for?  Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.

The confidential information has been removed from the database.

The illegal access was limited to the parking and transit server.

As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.
[Evan] I wonder if I am getting this right.  Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol?  That's not cool.  A database server storing confidential information should not be accessible from the internet directly through a firewall. It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs.  All this for parking?  Ugh.

OSU contacted and worked with federal law enforcement authorities.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
[Evan] I wonder what evidence they looked for and how they went about gathering it.

We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information.

OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.
[Evan] Yeah!  Review your bills (pay them occasionally) and financial transactions carefully.  But wait, you do this already?  Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.

OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."
[Evan] This is my favorite statement from this story!  What do you suppose his stance was prior to being notified of the breach? 

In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management.  You have the organizations that just don't get it and don't really care or know that they don't get it.  These organizations lose information over and over and dangerously continue to operate in a business as usual manner.

Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &$#^!  They respond with all guns blazing and overspend on controls they don't need and run a very cost ineffective security program (I guess they really never got it either). 

Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem.  These companies may seek guidance and consultation in the effort to build a comprehensive information security program.  These programs should be built around business objectives and sound risk management. 

Lastly, there are the companies that were proactive and built a sound information security program because it was good business.  These organizations didn't need an adverse event or breach before taking action.  These organizations don't panic when an adverse event occurs.  They know that eventually an adverse event will occur and they will be prepared when it does.

The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.
[Evan] Wow.  The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?!  That is way, way, way too long for a compromised server to go unnoticed.  We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.

The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
[Evan] It's a very good idea to not collect private information if it is not required.  It's too bad that it took a breach for this to happen.  Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack.  Maybe the IT Data Center has better firewalls or something .  I like the "full review".  This should be done no less than annually.

The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.

Q. How will I know if any of my personal information was used by someone else?
A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have already become an identity-theft victim.  I'm not saying whether this is likely, or not.

Q. Why did you have my personal information?
A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.
[Evan] Great question!  Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?

Commentary:
This breach torques me a little, in case you didn't pick up on that from the comments above.  I made plenty.

Past Breaches:
Unknown

]]> Thu, 15 May 2008 11:08:54 +0000 server sensitive personal information personal information information server administrators server immediately server prior database server confidential information Oklahoma State University Parking Services server is compromised http://securityratty.com/article/184d08544bae8b30426de5caac87fb7a http://securityratty.com/article/184d08544bae8b30426de5caac87fb7a Security Breach

Date Reported:
4/9/08

Organization:
Interbank FX, LLC ("IBFX")

Contractor/Consultant/Branch:
None

Victims:
Customers and prospective customers prior to April 2, 2007

Number Affected:
Unknown

Types of Data:
"social security number, driver's license, and passport information, and may also include your Interbank FX account information"

Breach Description:
In April, 2007 an employee posted a file to an insecure server that was accessible via the Internet.  The file contained personal information belonging to certain persons who applied for an Interbank FX account prior to April, 2007.  Interbank FX became aware of the exposure on March 28th, 2008.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

The letter to victims is signed by Todd B. Crosland, CEO and President of Interbank FX
[Evan] This fact is important to note.  I admire corporate leaders who step up and respond to an incident.  Mr. Crosland seems to understand his role very well as it pertains to information security.  Business leaders are the people that are ultimately responsible for the security of the organizations they run.

We are writing to inform you of a matter that may affect you. The security of some personal information you provided as you considered our service was inadvertently compromised.

Interbank FX has thoroughly investigated the matter, has taken immediate steps to protect your information, and is taking the additional precautions outlined in this letter to assist you in monitoring and guarding the security of your personal information.

The incident involved an electronic file dated April 2, 2007, which contained personal information provided by certain individuals who had applied for an Interbank FX account prior to that date.

Around that time, an employee uploaded the file to a computer server accessible via the internet.
[Evan] So, sometime around April, 2007 is the date of the actual exposure.

The employee's action - placing the file outside of the Company's development lab, firewalls and secure computing environment - was contrary to Interbank FX policies and procedures and compromised the security of the information in the file.
[Evan] I understand what the meaning of this statement is, but I also want to make it clear that a "development lab, firewalls, and secure computing environment" do not ensure security.  There is a lot of room for interpretation.

The file contained the information you provided to us when you opened or considered opening an account with us. This may include your social security number, driver's license, and passport information, and may also include your Interbank FX account information.

Upon learning on March 28, 2008 that this information was available outside our secured computing envirornnent, the Company took immediate steps to secure the information.
[Evan] The breach was discovered (by Interbank FX) almost a year later.  The window of exposure was pretty long.

Within hours of that discovery, all files containing sensitive personal information were removed from the server and brought within the Company's firewalls and electronic security controls.

We also terminated the employee's access to all personal information in Interbank FX 's files.

You are receiving this letter because your application information was provided prior to April 2, 2007.

The incident does not affect anyone who applied for an Interbank FX account after April 2, 2007.

Interbank FX is committed to protecting your personal information. Thus, we are offering you the opportunity to enroll, at no cost to you, in Equifax Credit Watch(TM) Gold with 3-in-l Monitoring for a one-year period.
[Evan] Although one-year has become a sort of de-facto standard in breach responses, it is not long enough.  A Social Security number is valuable for a much longer period of time.

We also will reimburse you for the direct cost of any freeze you choose to put on your credit file as a result of this issue.
[Evan] I though that this statement was interesting.  Maybe I don't read breach notifications thoroughly enough, but I don't think I have seen this offer before.

As an additional precaution, we also encourage you to change any password you created for your Interbank FX account prior to April 2, 2007.

We have established a toll-free hotline (800-550-1571) to answer your questions and assist you in signing up for the Equifax Credit WatchTM program. We ask you to notify us immediately if you notice (or have noticed) any unusual activity in any of your accounts.

We regret this incident and apologize for any inconvenience.

Commentary:
One year of exposure is a very long time for confidential information.  I wonder how the company finally learned about the presence of the file(s).  What do you suppose are the chances that the employee who uploaded the file:

1. Was not aware of the "Interbank FX policies and procedures" that pertained to his/her actions?
2. Was not aware that the file contained sensitive personal information?
3. Was not aware that the server was insecure and accessible publicly?
4. All of the above?

Personnel that handle sensitive information must be trained and re-trained.  These personnel must also be reminded regularly through an ongoing awareness program.

Past Breaches:
Unknown

]]> Tue, 15 Apr 2008 19:57:04 +0000 information sensitive personal information personal information application information handle sensitive information information security interbank file confidential information File containing Interbank FX customer information exposed for almost a year http://securityratty.com/article/bf493a8ef2c8aae077b6aa21c463f815 http://securityratty.com/article/bf493a8ef2c8aae077b6aa21c463f815 Security Breach

Date Reported:
3/21/08

Organization:
State of Georgia

Contractor/Consultant/Branch:
Department of Human Resources

Victims:
Current and former employees

Number Affected:
Unknown

Types of Data:
"names, social security numbers, birth dates, home contact and federal tax information"

Breach Description:
"The Georgia Department of Human Resources is taking extensive measures to alert current and former employees of a breach of confidential records that may expose personal employee information."

Reference URL:
Georgia Department of Human Resources
The Lincoln Journal

Report Credit:
Georgia Department of Human Resources

Response:
From the online sources cited above:

The Georgia Department of Human Resources is taking extensive measures to alert current and former employees of a breach of confidential records that may expose personal employee information.

An external hard drive that stored a database containing identifying information such as names, social security numbers, birth dates, home contact and federal tax information was removed by an unauthorized person.

The agency warns that the breach took place on or around March 19th.
[Evan] This is a very quick public response by Georgia DHR.

Since discovering the breach, DHR has been working diligently to inform employees of the breach while also conducting an internal investigation led by the Office of Investigative Services.

The agency has also proactively alerted the three credit bureaus about the situation.
[Evan] Using "proactively" is interesting.  This seems more reactive to me!

DHR has instituted a new directive which requires password protection on jump and flash drives and portable computer media that contains personnel information.
[Evan] So what?  What about encryption?  I am interested to see how this works out for DHR.

Additionally, the agency is directing employees to secure these items when away from their desks and offices.

While DHR has no evidence that the information is being used fraudulently, the agency is taking every immediate measure to limit the possibility of potential fraud and identity theft.

Georgia law indicates that all residents are to receive two credit reports free of charge each year. The agency urges employees to retrieve a copy of their credit report and request a fraud alert be placed on their records. Employees should contact each credit bureau at the following: Experian, P. O. Box 9595, Allen, TX 75013-9595   Tel:  888-397-3742; Equifax, P. O. Box 740241, Atlanta, GA 30374-0241 Tel:  800-685-1111; and Trans Union, P. O. Box 1000, Chester, PA 19022 Tel:  800-888-4213.

Commentary:
I have more questions than answers about this breach.  DHR is mandating password protection with no mention of encryption.  I wonder if encryption is meant to be implied and how DHR will enforce the new directive.

Past Breaches:
Unknown

]]> Thu, 27 Mar 2008 12:51:45 +0000 georgia dhr dhr georgia information agency agency urges employees georgia law georgia department employees Personal information stolen from Georgia DHR http://securityratty.com/article/7f98d0a3b5ecf0829f46d93469acf677 http://securityratty.com/article/7f98d0a3b5ecf0829f46d93469acf677 Security Breach

Date Reported:
3/22/08

Organization:
Agilent Technologies

Contractor/Consultant/Branch:
Stock & Options Solutions

Victims:
Current and former Agilent employees

Number Affected:
51,000

Types of Data:
"names, Social Security numbers, home addresses and details of stock options and other stock-related awards"

Breach Description:
"A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor March 1 in San Francisco, the company said in a letter mailed to former employees this week."

Reference URL:
The Mercury News - Silicon Valley

Report Credit:
Vindu Goel, The Mercury News

Response:
From the online source cited above:

A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor March 1 in San Francisco, the company said in a letter mailed to former employees this week.
[Evan] A person in the comments of Vindu's View From The Valley "Agilent alert: Thief steals laptop with personal info on 51,000 employees" story claims "Estimates show that 700,000 laptops are stolen every year. A little more than 1900 a day!"  This number seems high to me, but I guess I wouldn't be too surprised if it were true.  Storing confidential information on laptops (especially without additional controls) is risky.

The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards.

In the letter, Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - "in violation of the contracted agreement."
[Evan] We don't often read about a company coming right out and blatantly pointing the finger at their vendor.  I like the "call it like you see it" approach.

"It wasn't encrypted, which was a surprise to us," said Agilent spokeswoman Amy Flores. She said the vendor told Agilent that an East Coast employee had brought the data-laden laptop to California for encryption, but someone broke into her car and stole the computer and her other belongings while the vehicle was parked near Fisherman's Wharf.
[Evan] #1, we (meaning information security personnel) should not be surprised by what our vendors are doing with the information we are charged with protecting.  Not only should we mandate specific controls in policies and contracts, but we also need to audit for compliance.  #2, The vendor employee was bringing the laptop to California for encryption?  I don't think there are any requirements that you have to go to California to encrypt laptops.  Encryption should have taken place prior to allowing the information on it in the first place, and better yet should be part of a "standard" laptop build.

Flores said Agilent, a Santa Clara maker of test and measurement equipment, has no evidence that the lost data has been used to steal anyone's identity. However, Agilent is offering affected employees one free year of credit monitoring from Equifax.
[Evan] I haven't said this for a while, but credit "monitoring" is an after the fact solution that only alerts a person after they are an identity theft victim.  One year of monitoring is good for monitoring information that is no longer useful after one year.  Obviously a Social Security number will still be valid after the monitoring has ended.

Ironically, Stock & Option Solutions was hired to make sure that money management firm Smith Barney had properly transferred employee stock data to a new management firm, Fidelity Investments, which had been hired to administer Agilent's stock programs.

Matt O'Brien of Milpitas, a former research manager at Agilent who left in 2001, said he was "disgusted" when he received notice of the theft in his Friday mail.

said O'Brien. "Agilent should have put all of the data into an encrypted format to begin with."
[Evan] Bingo.  A victim with more information security common sense than the offender.

Commentary:
At what point do we no longer accept lost or stolen laptops with confidential personal information at risk?  Are the myriad of laws, regulations, negative news reports, etc. having a positive impact in reducing the frequency and number of victims?  Maybe it's too early to tell.

I am also curious what Agilent and/or Stock & Options Solutions are planning in order to prevent similar circumstances in the future.

Past Breaches:
Unknown

]]> Tue, 25 Mar 2008 06:13:20 +0000 agilent agilent technologies agilent vendor march vendor administer agilent agilent alert agilent employees stock stock options 51,000 Current and former Agilent Technologies employees at risk http://securityratty.com/article/b843fad19d119230af985462a5bfdc22 http://securityratty.com/article/b843fad19d119230af985462a5bfdc22 Security Breach

Date Reported:
3/10/08

Organization:
Wolters Kluwer

Contractor/Consultant/Branch:
Lippincott Williams & Wilkins
Stedman's
Bixler Incorporated

Victims:
Customers who made online purchases from Stedman's between August 30th, 2007 and February 27th, 2008

Number Affected:
Unknown*

*There were 25 New Hampshire residents affected.  The total number affected is expected to be much larger.

Types of Data:
Names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers.

Breach Description:
"On February 27, 2008, Lippincott Williams & Wilkins, a Wolters Kluwer business was informed by the company that hosts one of our websites, www.stedmans.com, that personal information collected from consumers through the website may have been compromised through an unauthorized intrusion into the server that stores information from individuals who purchased products at our website."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

On February 27, 2008, Lippincott Williams & Wilkins, a Wolters Kluwer business was informed by the company that hosts one of our websites, www.stedmans.com, that personal information collected from consumers through the website may have been compromised through an unauthorized intrusion into the server that stores information from individuals who purchased products at our website.
[Evan] The company that hosts stedmans.com is Bixler Incorporated.

The personal information that may have been comprised may include names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers of individuals who made purchases at the site from approximately August 30, 2007 to February 27, 2008.
[Evan] Storing card verification numbers is a violation of the Payment Card Industry (PCI) Data Security Standard.  According to Requirement 3: Protect stored cardholder data, Section 3.2.1 "NEVER store the card verification code or value or PIN verification value data elements." and 3.2.2 "Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions"  Stedmans.com was not compliant with the standard.  Why wasn't the site compliant, and what vulnerability was exploited?

The company has contacted the three major national credit reporting agencies, and the company mailed a notice to consumers who may have been affected by this incident on March 10, 2008
[Evan] It would be a better idea to contact Visa and Mastercard than it would be to contact the credit reporting agencies.  If the information was limited to what was reported, then there is not a high risk of immediate identity theft (no Social Security numbers in particular).  There is a medium to high risk of credit card fraud, which is much different.

We are working with our website hosting company on additional security measures for the Stedmans.com website
[Evan] It would be a good idea to work with information security professionals (third-party review).

we have arranged with Equifax Personal Solutions to provide potentially affected consumers with an opportunity to enroll in the Equifax Credit Watch Gold identity theft protection product at no cost to them for one year
[Evan] Again, this is not really an identity theft issue.  It is a credit card fraud issue.  Two related but different issues.

Lippincott Williams & Wilkins is committed to maintaining and protecting the confidentiality of our customers' personal, private, and sensitive information. We regret that this situation has occurred, and we will be working to reduce the risks of a similar situation happening in the future.

Commentary:
This breach certainly affects much more than the 25 New Hampshire residents mentioned in the breach notification to the New Hampshire State Attorney General.  I am disappointed by appearance that stedmans.com was not VISA/PCI DSS compliant and the response that shows a misunderstanding of risks.  Stedmans.com customers are mostly people in the medical field, so I am guessing that many of these credit cards have limits that exceed mine.

Past Breaches:
Unknown
]]> Sat, 22 Mar 2008 21:37:57 +0000 credit information credit card credit cards equifax credit report credit stedmans information security professionals personal information Intrusion at Stedmans.com exposes credit card information http://securityratty.com/article/4d3b40d70e709c609969c6cfd0bb93f0 http://securityratty.com/article/4d3b40d70e709c609969c6cfd0bb93f0 Security Breach

Date Reported:
3/10/08

Organization:
HealthNow New York Inc.

Contractor/Consultant/Branch:
BlueCross BlueShield of Western New York

Victims:
Healthcare members

Number Affected:
40,000

Types of Data:
Names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers

Breach Description:
"Blue-Cross Blue-Shield of Western New York says it is notifying tens of thousands of its members about identity theft concerns after one of it's company laptops went missing."

Reference URL:
The Buffalo News
WIVB Channel 4 News
WGRZ Channel 2 News

Report Credit:
WGRZ Channel 2 News

Response:
From the online sources cited above:

HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee’s laptop computer went missing with confidential information several months ago.

The Buffalo-based parent of Blue- Cross BlueShield of Western New York sent letters late last week to the affected customers, even though officials are still not certain what, if anything, was on the computer.
[Evan] Not sure where confidential information is?  Sad, common and true.

Based on the company’s investigation, the potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers.

there was no health or medical claims information involved
[Evan] I think a name, date of birth, Social Security number, address, and employer should be enough to do some damage.

HealthNow has arranged for any affected member to receive a one-year free membership in Equifax Credit Watch, to monitor for identity theft.

The laptop was not encrypted, but does have security features, including the requirement to enter the user’s identification number and passcode after 15 minutes of inactivity.
[Evan] OK, seriously?  Does anyone expect a username and password to stop someone with even novice computer skills?  I am assuming that this is a Windows laptop, all the more simple.

the company shut down the laptop’s access to the corporate network, and has not detected any activity from the laptop since the disappearance.
[Evan] Shutdown the laptop's access or access from the user id of the person that had been using the laptop?  Semantics, I know.  The information that may be on the laptop is the real concern.

The employee is no longer with HealthNow, having accepted a position at another company out of state, but the insurer is still in contact.

the company is reconfiguring its claims software system, and the employee had downloaded some member information to his laptop while working on the project so he could work either in building or at home
[Evan] Too many "no-nos".  "No-no" #1 is not knowing where confidential resides within the organization.  "No-no" #2 is allowing confidential information onto mobile devices without additional controls such as encryption.  "No-no" #3 is working with sensitive confidential information for software development and testing purposes.  Only sanitized information should be used for development and test work.

The laptop was reported missing in late fall, but the company did not notify customers until now because officials wanted to make sure whether such action would be necessary.
[Evan] This is way too long!  An excerpt from New York Bill A02261 "Notice of Information Breach" can be found in the commentary below.

officials first "spent an exhorbitant amount of time" to try and locate the laptop, which they still believe is in the company’s building

Using the company’s shared drive and with the cooperation of the employee, officials retraced his path to determine what information he was working with. The company then set up the credit-monitoring, and began contacting members last Thursday and Friday.

"We didn’t want to have to reach out to our members and cause them unnecessary worry until we knew the potential of what we were dealing with," she said. "With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable."
[Evan] "We didn't want to have to reach out to our members and cause them unnecessary worry until we know the potential of what we were dealing with" is a terrible reason to delay notification.  BlueCross BlueShield needs to understand that they are NOT the information owners.

The company has also tightened its policies and procedures about use of laptops and other mobile devices "to ensure that the policies are more strict," she said. She added that officials are also encrypting all information on laptops "to prevent this situation from recurring."
[Evan] Of the "No-nos" I mentioned above, this takes care of one.

Commentary:
Another laptop that may or may not have contained sensitive personal information that goes missing without encryption.  Do you think John Doe from XYZ company thought twice about filling out his health insurance forms on his first day of work?  He probably just expected better protection from a company that handles thousands of personal records.

I am certainly not a lawyer, nor am I qualified to give legal advise of any kinds, but this is a simple copy and paste...

Excerpt from New York Bill A02261:
"ANY  PERSON,  FIRM,  PARTNERSHIP,  ASSOCIATION OR CORPORATION THAT COLLECTS, OWNS, MAINTAINS OR USES PERSONAL INFORMATION SHALL DISCLOSE  A BREACH  OF  SECURITY  RELATED  TO  UNENCRYPTED  OR NON-REDACTED PERSONAL INFORMATION CONCERNING TWENTY-FIVE OR MORE RESIDENTS OF NEW YORK.    THE DISCLOSURE  SHALL BE MADE WITHIN TWO BUSINESS DAYS AFTER LEARNING OF THE BREACH OF SECURITY, BUT MAY BE  DELAYED  IF  A  LAW  ENFORCEMENT  AGENCY DETERMINES  THAT  THE NOTIFICATION WILL IMPEDE A CRIMINAL INVESTIGATION. THE NOTIFICATION REQUIRED BY THIS SECTION SHALL BE MADE  AFTER  THE  LAW ENFORCEMENT  AGENCY  DETERMINES THAT IT WILL NOT COMPROMISE THE INVESTIGATION."

Past Breaches:
Unknown

]]> Tue, 11 Mar 2008 12:31:27 +0000 sensitive personal information personal information information confidential information laptop information owners breach description breach security breach 40,000 BlueCross BlueShield members notified of lost laptop http://securityratty.com/article/2037234f20d359e95edd4fe9f57e2ede http://securityratty.com/article/2037234f20d359e95edd4fe9f57e2ede Security Breach

Date Reported:
2/26/08

Organization:
Nestle Waters North America Inc. ("NWNA")

Contractor/Consultant/Branch:
Systematic Automation*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08, and
"Clovis Unified School District employees receive notice" dated 2/21/08
"Systematic Automation breach continued..." dated 2/22/08

Victims:
Employees of NWNA in 2006

Number Affected:
8,245

Types of Data:
Names, dates of birth, addresses and Social Security numbers.

Breach Description:
Computer equipment was stolen from a Nestle Waters North America ("NWNA") vendor, Systematic Automation that contained sensitive personal information belonging to persons employed with NWNA in 2006.  Systematic Automation was employed by NWNA to create and distribute employee benefits statements.  So far, this single breach has affected persons affiliated with five separate organizations.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

An Important Notification To Our NWNA Employees:
Systematic Automation Inc. ("SAI"), one of our vendors, recently experienced a breakin at their facility in Fullerton, California. Among other things, a desktop computer was stolen that contained a database of sensitive personal informatiion about NWNA employees, including a list of NWNA employees' names, addresses, dates of birth, and social security numbers.

This database only contained information about employees that were on the payroll as of February 1, 2006.

The information was password protected, but was not in an encrypted format.
[Evan] A username and password (most likely Windows operating system) is not adequate protection for confidential information.  A Windows XP/2000 password can be bypassed in a matter of minutes.  IF the desktop computer were stolen for the information it contained, then we should consider it disclosed.  Although encryption is not a perfect solution, it reduces the risk of exposure to an acceptable level in most circumstances.

We use SAI to create and distribute your employee benefits statements. In order for SAI to properly complete the work, we must provide SAI with certain personal information.
[Evan] Understood, but then SAI needs to be regularly monitored for compliance with policy around the protection of such information.

We deeply regret that this incident occurred and we are talking immediate steps to make sure that something like this does not happen again.

At this time, we do not know if the thieves stole the computer with the intent to use the personal information for credit fraud purposes or whether this was merely a random criminal act.

The Fullerton Police Department is investigating the incident and SAI is cooperating fully with the Police Department investigation.

If this stolen personal information got in the wrong hands, however, you are at risk for identity theft or fraud.

NWNA will also provide, at no cost to you, one year of premium credit monitoring from Equifax, a leading credit monitoring company.
[Evan] Equifax is a leading credit monitoring company, but also one of the three credit reporting agencies.  It amazes me how Experian has capitalized on the information they collect, manage and sell.  They are responsible for keeping accurate records, but at the same time will charge people a fee to make sure that they are doing what they are supposed to be doing.  Something should give.

In the near future, instructions on enrollment will be mailed directly to your homes.

In addition, NWNA is in the process of establishing a hotline to provide you with the resources you need to get your questions answered.

NWNA sincerely regrets any inconvenience this incident may cause you.

Commentary:
As mentioned earlier, NWNA is the fifth known organization to be affected by the single breakin at Systematic Automation.  It is becoming more and more clear that Systematic Automation did not follow some information security "best practices" by segmenting confidential customer data and encrypting it at rest.

I have not yet seen a statement from Systematic Automation.

Past Breaches:
Nestle Waters North America:
Unknown
Systematic Automation:
February, 2008 - Systematic Automation breach continued...
February, 2008 - Clovis Unified School District employees receive notice
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Tue, 04 Mar 2008 07:08:42 +0000 systematic automation breach systematic automation sensitive personal information personal information breach employees power employees information nwna Nestle Waters North America employee affected by Systematic Automation breach http://securityratty.com/article/9a6d54372e14b872a4ab99130a9853eb http://securityratty.com/article/9a6d54372e14b872a4ab99130a9853eb Security Breach

Date Reported:
1/9/08

Organization:
State of Wisconsin

Contractor/Consultant/Branch:
Department of Revenue
Department of Administration

Victims:
Wisconsin residents who itemized deductions, received a 2006 Wisconsin income tax refund, AND live in Freedom, Kaukauna, Keshena, Kimberly, Krakow, Lakewood, Lena, Little Chute, Little Suamico, or Marinette community.

Number Affected:
5,000

Types of Data:
Name, address and Social Security number.

Breach Description:
The Wisconsin Department of Revenue announced that as many as 5,000 mailings were sent to residents in which Social Security numbers were exposed through the envelope window.  The error is being blamed on a "misfold" on Form 1099-G.

Reference URL:
Wisconsin Department of Revenue News Release
The Associated Press Story at greenbaygazette.com

Report Credit:
Wisconsin Department of Revenue

Response:
From the online sources cited above:

The Department of Administration (DOA) and Department of Revenue (DOR) learned on January 9, 2008, that during a mailing, a printing misfold led to some social security numbers on Form 1099-G being partially visible through the window envelope.
[Evan] Oh boy!  Not again.

The State of Wisconsin apologizes for this error and is taking steps to assist any taxpayer that may be affected.

You may be affected if all the following apply:
You itemized your deductions AND received a 2006 Wisconsin income tax refund. The forms at risk were sent to the following communities with a postmark of January 2, 2008: Freedom, Kaukauna, Keshena, Kimberly, Krakow, Lakewood, Lena, Little Chute, Little Suamico, and Marinette.

Only the social security number of the “primary” taxpayer were printed on the Form 1099-G.

DOA, the agency responsible for printing, folding and mailing the Form 1099-G, corrected the problem with the folding machine.
[Evan] "DOA" is the Department of Administration.

DOA and DOR identified which machine malfunctioned, what zip codes were impacted, and which taxpayers’ social security numbers were potentially viewable through the window envelope.

DOR contacted the taxpayers potentially affected and offered instructions on how to apply for one year of free credit monitoring.
[Evan] One year of free credit monitoring is better than nothing, but hardly adequate.  Credit monitoring only alerts a victim after the attacker has committed fraud.  When confidential information is disclosed, the information is disclosed forever, not for only a year.

A letter to affected taxpayers was mailed the week of January 14, 2007. If your social security number is identified as one of the 5,000 potentially affected by the misfolding, you will receive a letter.

The social security number is required by the Internal Revenue Service to be placed on all 1099 forms. The social security number is necessary to ensure that income reported on the form belongs to the taxpayer.

Taxpayers who receive a letter with a Equifax PIN should follow the instructions to apply for free credit monitoring. There are other steps that can be taken to protect personal information. Ask credit bureaus to place a “fraud alert” in your credit files for free. Fraud alerts notify potential credit grantors to verify your indetification before extending credit in your name. You can also place a “security freeze” on your credit report, which prohibits a credit bureau from releasing information in your credit report without your express authorization. You must request a freeze in writing by certified mail with each of the three credit bureaus, and there is a $10 fee per credit bureau.

Commentary:
This is the second similar (mailing) breach involving the State of Wisconsin in the last week!

Maybe the State of Wisconsin should QA their folding machines and other mailing processes before sending.  I have not worked in a mailing shop before, but don't they do test runs before production runs?

At least the Packers are in the NFC Championship game.  Go Pack!

Past Breaches:
January, 2008 - Wisconsin Dept. of Health and Family Services mails Social Security numbers
December, 2006 - Wisconsin mails tax forms with Social Security numbers printed on them

]]> Tue, 15 Jan 2008 10:32:24 +0000 security taxpayers taxpayers social security social security wisconsin credit bureau credit breach description breach Another Wisconsin mailing exposes Social Security numbers