http://securityratty.com/tag/evan Tue, 24 Jun 2008 13:51:19 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/769d77ddea6a7ce4dd58d70e453e805b http://securityratty.com/article/769d77ddea6a7ce4dd58d70e453e805b Security Breach

Date Reported:
5/16/08

Organization:
Wells Fargo & Company

Contractor/Consultant/Branch:
Wells Fargo Home Mortgage

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"names, addresses, dates of birth, loan numbers, Personal Identification Numbers (PIN), current bank account numbers and last five digits of their Social Security numbers"

Breach Description:
"We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information. We have taken appropriate action against this individual."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Pursuant to the information compromise notification requirements of the State of New Hampshire, Wells Fargo hereby notifies you that we have give notice to approximately 24 residents of the state of New Hampshire of a potential compromise of their Social Security numbers and mortgage loan account numbers.

We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information.
[Evan] Employee fraud is one of the most difficult breaches to prevent (and sometimes to detect).  Most controls are largely administrative in nature such as background checks, segregation of duties, job rotation, policy and procedure, etc.  Sometimes even the best controls won't do much to prevent an attack from the enemy within.

We have taken appropriate action against this individual.
[Evan] I wonder what this means.

We have no information indicating your information was compromised.

However, the former employee, in the course of their employment, had access to information that may have included your name, address, date of birth, loan number, Personal Identification Number (PIN), current bank account number and last five digits of your Social Security number.
[Evan] The fact that only the last five digits of the Social Security numbers were accessible is a good indication that Wells Fargo identified the risk involved with a person in the former employee's position accessing confidential information.  Limiting Social Security number exposure also limits the extent and impact of the breach.

We started mailing consumer notices on May 13, 2008.

Wells Fargo Home Mortgage takes information security very seriously and wants to assure you that we are taking precautionary measures to reduce the potential risk associated with this incident.

Wells Fargo Home Mortgage, to ensure everything is done to protect you, will be providing you with a new PIN to access the line of credit on your reverse mortgage loan.
[Evan] Not just "to protect you".  Remember that Wells Fargo is in business to make money and I am pretty sure that the things they do are to that end.

As a precaution, Wells Fargo has partnered with a company called Intersections, Inc. to provide you with a free one-year subscription to IDENTITY GUARD CREDITPROTECTX3.
[Evan] Cool!  "CREDITPROTECTX3" sounds super strong and effective!

Wells Fargo Home Mortgage values and appreciates the trust you have placed in us by allowing us to serve you.

We sincerely apologize for this situation.

If we can be of further assistance, please do not hesitate to call us at (800) 472-3209 between the hours of 8:00 am and 8:00 pm eastern time, Monday through Friday.

Commentary:
I think that breaches like this are more common than some people would like to admit.  Banks have the one thing that everyone wants!

Past Breaches:
Unknown

]]> Tue, 08 Jul 2008 08:58:12 +0000 fargo fargo home mortgage employee fargo employee reverse mortgage loan reverse mortgage social security evan cool evan Employee fraud at Wells Fargo Home Mortgage affects some customers http://securityratty.com/article/a32c42499f84224830293f2af83d152f http://securityratty.com/article/a32c42499f84224830293f2af83d152f Security Breach

Date Reported:
7/1/08

Organization:
Houghton Mifflin Harcourt ("HMH")

Contractor/Consultant/Branch:
None

Victims:
"individuals affiliated with Harcourt Trade"

Number Affected:
194

Types of Data:
Social Security numbers

Breach Description:
"Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites.
[Evan] A "worldwide Internet-based attack" sounds impressive.  In order for an attack to be successful, a vulnerability must be exploited.  I wonder what the vulnerability was.

On April 25, 2008, HMH's Information Security group learned of a worldwide Internet-based attack that affected one of its non-e-commerce websites.

Within minutes, HMH took steps to secure the affected databases.

HMH has reported this matter to the U.S. Secret Service and state law enforcement, who are actively investigating the incident.
[Evan] I question how "actively" the U.S. Secret Service is investigating this incident.  The incident doesn't seem to be significant enough.  Sad but usually true.  The Secret Service has to prioritize just like everyone else.

As part of its internal investigation, which is still ongoing, HMH retained digital forensics experts to collect and analyze data from the relevant computer systems.
[Evan] The attack was detected on April 25th (not necessarily originated on this date), and the notification went out to the New Hampshire State Attorney General on June 1st.  This is a long forensic investigation!  I also noticed that this statement mentions "computer systems".  Does this mean that more than one server was compromised?

They have determined that social security numbers of approximately 194 individuals affiliated with Harcourt Trade, 2 of whom are New Hampshire residents, were in a company database on the affected computer server, and may have been compromised as a result.
[Evan] I don't like the "may have been" portion of this statement.  My definition of compromise probably differs though.

HMH has no evidence to date to suggest that the data has been misused.

Although we do not know whether any of your information has been misused, we are committed to doing what we can to make sure support is available to you

Since learning of the incident, HHM [sic] has:

1. Reported this matter to the U.S. Secret Service and state law enforcement;
2. Cooperated with law enforcement, which is actively investigating the incident;
3. Conducted a thorough investigation of the incident, including an assessment of whether or not the theft created any prospective data security risk;
4. Identified the sensitive personal information about individuals stored on the affected server; and
5. Made arrangements to notify affected individuals about the incident in accordance with state laws, offer premium credit monitoring, ID theft insurance, and ID theft resolution services, and provide additional information about prevention and detection of ID theft including information about credit alerts and credit freezes.
   

HMH is continuing to work with information security professionals to review current policies and procedures to identify steps that can be taken to better protect against incidents of this kind.

We apologize and deeply regret that this happened.

I have asked our editors to reach out directly to everyone affected by this matter and I hope they will be or already have been able to answer your questions.
[Evan] This is a nice touch.  The letter to the affected persons was signed by Gary Gentel, President or Houghton Mifflin Harcourt Publishing Company, Trade and Reference Division.

Commentary:
There aren't many publicly available details available other than those outlined in the breach notification, so we are left to speculate.  Why was a server that contained a database of Social Security numbers available to this "worldwide Internet-based attack"?

Past Breaches:
Unknown

]]> Tue, 08 Jul 2008 08:22:09 +0000 houghton mifflin harcourt information information security professionals sensitive personal information information security server notification hmh company based Houghton Mifflin Harcourt server breach leads to notification http://securityratty.com/article/75e76f13934090aa771da66fbd1be73c http://securityratty.com/article/75e76f13934090aa771da66fbd1be73c Security Breach

Date Reported:
6/13/08

Organization:
U.S. Foodservice, Inc.

Contractor/Consultant/Branch:
None

Victims:
Present and former employees, "and in a few instances, their dependents and applicants for jobs at USF"

Number Affected:
Unknown

Types of Data:
"names, social security numbers, home addresses, and/or dates of birth"

Breach Description:
"We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information.
[Evan] We now add U.S. Foodservice to the ever-growing list of organizations that refuse to encrypt laptops, yet allow confidential information to be stored on them.

Local authorities were immediately notified and we conducted an internal investigation.

the laptop contained certain old data files
[Evan] I wonder how old these data files were.  I also wonder if these files were supposed to have been removed and/or destroyed, but were missed.

In the course of our investigation, we determined that the laptop computer contained the names, social security numbers, home addresses, and/or dates of birth of some present and former USF employees, and in a few instances, their dependents and applicants for jobs at USF.

We are sending a notification letter to individuals impacted by this incident.

We expect to begin mailing the notification letters on June 13, 2008.

we have no indication that any of the information is being misused
[Evan] A breach notification is almost not a real breach notification without this mention.

Please note that several years ago, the Company stopped using social security numbers to identify employees for internal reporting or other purposes.
[Evan] A good move by the Company.  USF is still required to collect Social Security numbers however.

Pursuant to USF policies, the laptop was protected by a unique user ID and password, but the individual files containing personal information were not encrypted or password protected.
[Evan] I am interested in reading the USF policies.  Do the policies only require a user ID and password to protect (or access) confidential information?  Probably not sufficient.

U.S. Foodservice takes the security of your personal information seriously and apologizes for any inconvenience or worry this incident may cause you.

As a precautionary measure, we are making several services available at the Company's expense, free of charge to you, to assist you in protecting your identity.
[Evan] A true "precautionary measure" might have been restricting confidential information storage on laptops (and other mobile media) or encryption.

Although at this point we have no indication that your information has been compromised
[Evan] My definition of "compromised" obviously differs.  In my opinion, if the confidentiality, integrity or availability of information cannot be reasonable assured, then the information IS compromised.  If you believe that password-protection provides reasonable assurance, then you and I disagree.

Call the Toll Free Help Line at 1-866-584-9681 to get answer [sic] to your questions.

• Staffed by a team of professionals
• Monday through Friday from 6:00 a.m. to 6:00 p.m. (Pacific Daylight Time)
• Saturday and Sunday from 8:00 a.m. to 5:00 p.m. (Pacific Daylight Time)
  

Please know that while we have information security policies in place, we are reviewing those practices and procedures to see what changes need to be made.
[Evan] Its good the USF has information security policies in place, but it doesn't mean that they are effective or that they are well enforced.  A poorly enforced policy isn't worth the paper its written on.

Commentary:
U.S. Foodservice is also offering one year of free credit monitoring and identity theft insurance.  This would be fine minus the fact that a Social Security number has an effective lifespan that far exceeds one year.

If only there were other controls available to protect information stored on a laptop.  Wait, we do!
 

Past Breaches:
Unknown

]]> Mon, 07 Jul 2008 19:35:13 +0000 information personal information confidential information protect information information security policies usf usf policies policies security Laptop containing personal information is stolen from U.S. Foodservice http://securityratty.com/article/83b43862a5d586f2e8d29257c1e832ef http://securityratty.com/article/83b43862a5d586f2e8d29257c1e832ef Security Breach

Date Reported:
6/26/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Social Security Administration

Victims:
United States citizens

Number Affected:
"more than 20,000"

Types of Data:
Name, date of birth and Social Security number

Breach Description:
"The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive"

Reference URL:
FederalComputerWeek

Report Credit:
Michael Hardy, FederalComputerWeek

Response:
From the online source cited above:

The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined.
[Evan] "The DMF is a publicly available database maintained by SSA that contains detailed information on more than 82 million deceased numberholders. Each year, SSA receives death reports for more than 2.5 million individuals and adds the information to the DMF. " (Source: SSA Inspector General AUDIT REPORT A-06-07-27156).  This breach was not the result of single occurrence, but instead is a result of errors in current process.

The IG's analysis dates to January 2004.

Since then, SSA has made the live people's Social Security number, full name, date of birth, and state and ZIP code of last known residence available to users of the database
[Evan] The organization that distributes and manages the "system" cannot secure the information.  Is this is just another case that proves that the "system" is busted?

After learning that those people were not deceased, SSA deleted the information

The IG's investigators found some instances where the personal information was available for free viewing on the Internet

SSA provides the data to the Commerce Department's National Technical Information Service (NTIS), which in turn sells it to customers.
[Evan] Selling a dead man's (or woman's) information doesn't seem right to me.  Do you see anything wrong with it?

Customers include the government, investigative businesses, financial and credit reporting firms, and geneaology researchers.

Some, including prominent geneaology Web sites, post some or all of the information online for their users.

To prevent a repeat of the situation, the IG's  recommendations include:

• Implementing a risk-based approach for distribution of DMF information. One suggestion: Have NTIS delay release of updates to public customers for one year to give SSA ample time to correct erroneous entires.
• Limiting information included in the data sold to public customers.
• Starting required breach notification evaluation procedures.
• Providing appropriate notification to living individuals whose information was released in error.
  

In response to the IG's report, SSA said limiting the personal information might be difficult, but it would consider doing so.
[Evan] There are many practices to secure information that "might be difficult", but this is not a good excuse.  Life "might be difficult", so what?

The agency agreed with the other recommendations.

Commentary:
The use of Social Security numbers as personal identifiers as well as authenticators seems to be a very significant contributing factor to the identity theft mess we face today.  So how did Social Security numbers become so important in the first place?  Read the "Social Security Number Chronology" on the Social Security Administration web site for some clues.

To my knowledge, the victims in this breach have not been (nor will they be) notified.

Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates 
March, 2008 - Laptop stolen from NHLBI contained personal health information

]]> Mon, 07 Jul 2008 04:44:12 +0000 information secure information social security social security administration personal information information online dmf information death master file ssa Social Security Administration lists live people in the Death Master File http://securityratty.com/article/9af68c57ed3f10d814be79e5d395b72b http://securityratty.com/article/9af68c57ed3f10d814be79e5d395b72b Security Breach

Date Reported:
7/4/08

Organization:
Daily Mail and General Trust plc

Contractor/Consultant/Branch:
Northcliffe Media
Associated Newspapers Ltd

Victims:
Staff, suppliers and contributors

Number Affected:
"thousands"

Types of Data:
"name, address, bank account number and bank sort code"

Breach Description:
"Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen."

Reference URL:
ComputerWorldUK
Guardian News (UK)
Guardian News (UK) additional info

Report Credit:
Guardian Newspaper

Response:
From the online sources cited above:

Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen.

A Daily Mail & General Trust spokeswoman said: "DMGT confirms that a laptop company computer containing certain confidential information was stolen last week.

After months of criticising "criminally careless" government departments for losing confidential records, the company has been forced to send out an embarrassing letter telling journalists they may now be at risk of identity theft
[Evan] This is the same Daily Mail managed by Associated Newspapers that according to The Guardian "has been at the forefront of coverage of the recent bank and government department missing data scandals".  It would be very difficult for Associated Newspapers to claim that they didn't know any better than to store confidential information on a poorly protected laptop.

Details such as names, addresses, bank account numbers and sort codes were on the laptop

the laptop was "password protected" but tell recipients to contact their banks and also "consult the government website ... for advice on avoiding or dealing with identity theft"
[Evan] The mention of password protection is nothing more than an effort to minimize the effect of the breach.  It does very little (if anything) to protect the personal information.

In a letter to those who details were affected, Simon Dyson, finance director at Daily Mail publisher Associated Newspapers, and Martyn Hindley, his counterpart at sister company Northcliffe, said it was likely that the details had been erased by the thief.
[Evan] How is the conclusion drawn?  I don't see how there could be enough information to determine what the thief was likely to do.

From the letter to affected persons from the Associated Newspapers group finance director, Simon Dyson, and his Northcliffe counterpart, Martyn Hindley:

"Unfortunately one of the company's laptops has been stolen."

"The contents included personal data, some of which related to you."

"The laptop was password-protected. "
[Evan] So what?  This won't adequately protect the information on the laptop, so why mention it?

"We are writing to you as quickly as possible to alert you to the fact that the theft has happened and to inform you of the data types lost, so that you can take appropriate action."
[Evan] I guess we should give some credit for the quick notification, if nothing else.

"In your case, your name, address, bank account number and bank sort code were the sensitive information lost."

"The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen."
[Evan] This is nothing more than speculation.  I can't imagine that there are any specific facts for which this conclusion is based on.

"We have, of course, notified the police of the theft of the laptop and are talking to the Office of the Information Commissioner about what has happened."

"On behalf of the company, I would like to offer my sincere apologies for any annoyance and inconvenience to you that this breach of security may cause."

"I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures."
[Evan] This breach was caused by a "technical issue"?  Like what?  I presume that the technical aspects surrounding this breach were working exactly as they were designed to in the manner of which that they were implemented.  Without further elaboration, "strengthened procedures" is subjective and means little.  Organizations should offer details, instead of general statements in order to bolster some sense of confidence.

Commentary:
This breach must be embarrassing for Associated Newspapers.  A breach like this should be embarrassing for any organizations.  Unencrypted lost of stolen laptops storing personal (or other confidential) information is a pretty well-known risk nowadays.  An unacceptable risk for most.

Past Breaches:
Unknown

]]> Sat, 05 Jul 2008 08:55:49 +0000 information personal information daily mail publisher daily mail personal store confidential information laptop personal data laptop company computer Daily Mail publisher admits to stolen laptop http://securityratty.com/article/0b1145db0ad92794aa6d34d54d9a00ca http://securityratty.com/article/0b1145db0ad92794aa6d34d54d9a00ca Security Breach

Date Reported:
6/27/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Service Canada

Victims:
Canadian Residents

Number Affected:
More than 1,500

Types of Data:
Name and Social Insurance Number

Breach Description:
"Service Canada recently sent a letter to 1500 individuals that where affected by a recent incident. It seems that a USB key, containing the names and social security number of 1500 canadians was lost."

Reference URL:
NowPublic
Radio-Canada (French)
Radio-Canada (Google English translation)

Report Credit:
Radio-Canada, via an email from an informed Breach Blog reader

Response:
From the online sources cited above:

An Employee Service Canada has lost in March, a USB stick containing personal information on more than 1,500 Canadians.
[Evan] This statement was translated from french.  An employee of Service Canada lost a flash drive with confidential personal information belonging to more than 1,500 Canadians stored on it.  Service Canada is responsible for the security of some very sensitive personal information belonging to thousands (maybe millions) of Canadians.  As such, the people that are permitted to access (assuming that role-based access control is enforced at Service Canada) confidential information must be properly trained and made constantly aware of the risks involved with creating, accessing, storing, destroying, and transferring this information.  Was this employee aware of the risk of using a flash drive to store this information?  If so, then there should be consequences for his/her actions.  If not, then Service Canada really needs some help.  Training and awareness is only a part of an effective information security program, but it is a very important one.  Are flash drives permitted for use at Service Canada?  They probably shouldn't be.

The agency sent a letter to the persons concerned to advise them of the situation and asking them to check their bank accounts, their credit file and expenditure on their card.

Among the information contained in the key, were found including the names of persons and their number of social insurance.

One of the victims wanted to know why Canada Service data contained on the key, a minidisk drive, were not protected.  "They said they did not want to invest to secure customer data," said Queen Fraser.
[Evan] Obviously, this is an unacceptable response and probably one that wasn't authorized.

There are a few problems with this statement of course... First and foremost, Service Canada employees need training in Security incident management and, in particular, in the important aspect of security incident communications.
[Evan] Among many other things, I'm sure.

Second, this means that they are either not aware of Governement of Canada security policies or Privacy policies as published by Treasury Bord [sic] Secretariat, or they do not care.

The government agency has opened an investigation and added that no identity theft had been reported.

It did not specify whether measures have been taken to avoid another incident.
[Evan] We can only imagine what the current state of information security is at Service Canada.  It may be worse than some of us think, and it may be better than others of us think.  In my opinion, Service Canada owes a thorough explanation to the victims of this breach and owes detailed assurances to Canadian citizens.

As anyone with some knowledge of IT security practices can tell you, USB keys should not be used to carry delicate, protected or private information.
[Evan] In general, I agree.

If it must be done then, at a minimum, a threat and risk assessment must be done and proper encryption of the data must be used.
[Evan] I absolutely agree.  Risk management is critical.

However, mosts organisations that deal with data that is sensitive, protected under privacy laws, such as PIPEDA, commercial trade secrets or of national interest (such as National Defence secrets) AND are serious about IT security would disable floppy disk drives and USB ports on most computers.
[Evan] Most "organisations" should, but unfortunately most do not.

Commentary:
I would like to think that this is an isolated incident at Service Canada, but I don't think that it actually is.  I would like to see the Privacy Commissioner of Canada investigate and audit the security program and practices at Service Canada.  We'll see if this happens.  I don't expect things to change until the people responsible are held responsible.

How does the Canadian government expect the private sector to provide adequate security measures for the protection of personal information if it does not follow best practices and the law itself?

Past Breaches:
Government of Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600 
December, 2007 - Passport Canada web site suffers serious breach 
June, 2008 - Canadian farmer personal information on stolen CCGA laptop 
Service Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600

]]> Sat, 28 Jun 2008 19:18:19 +0000 service canada employee service canada recently canada service canada employees employee aware practices security practices employee service canada Service Canada employee loses flash drive http://securityratty.com/article/5603502d0088acde782f2669d07e2fb6 http://securityratty.com/article/5603502d0088acde782f2669d07e2fb6 Security Breach

Date Reported:
6/27/08

Organization:
New South Wales Government (AU)

Contractor/Consultant/Branch:
Sydney West Area Health Service
Unnamed "bankrupt contractor"

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"confidential medical records"

Breach Description:
"The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park."

Reference URL:
ABC News
Macquarie National News
Macquarie National News (2)

Report Credit:
ABC NEws

Response:
From the online sources cited above:

The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park.
[Evan] This is a first.  An abandoned amusement park?  I would be embarrassed too!

Pathology results and slides were found when a container dumped in the former Magic Kingdom park at Lansvale was set alight this week.

The container was discovered after it caught on fire yesterday, attracting the attention of the local fire department.

A bankrupt contractor is being blamed for dumping confidential medical records and contaminated waste in the grounds of an abandoned fun park.
[Evan] Confidential medical records AND contaminated waste?  Ugh.

Police said it was likely the container had been there for a decade.
[Evan] A decade?  This story keeps getting more bizarre.

The Health Department is reviewing waste disposal procedures following the discovery at Lansvale in Sydney's south west.
[Evan] I presume that the waste disposal procedures have probably changed over the past ten years.  The Health Department should be reviewing procedures on a regular basis anyway.

The health service's chief executive, Professor Steven Boyages, says it is a serious breach and the health service is reviewing its waste disposal procedures.

"There are clear policy and procedures in place to manage records and disposal of records and clear policies in place to manage and dispose of any clinical waste," he said.

"It appears at first glance that the policy and procedures weren't followed by the contractors who were engaged to do this."

“It is a huge concern, I’ve called for an immediate review to ensure our existing contractors are following standard policy and procedures so this doesn't happen again," he said

Shadow health minister Jillian Skinner said the state government also has some explaining to do.

"Why if it was know this company had gone bankrupt and wasn't carrying out its duties they didn't check to make sure this material was disposed of properly?" Ms Skinner said.

Commentary:
The landscape of information security and personal information issues has changed markedly over the past ten years.  SWAHS should still be held accountable, but how much can you comment on something that happened ten years ago and probably does not reflect upon current practice.

This is one of the most bizarre breaches I have read about in some time.

Past Breaches:
Unknown

]]> Sat, 28 Jun 2008 09:10:55 +0000 confidential medical records medical records clinical waste waste waste disposal procedures disposal records procedures amusement park Australian medical information found in abandoned amusement park http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b Security Breach

Date Reported:
6/27/08

Organization:
Direct Marketing Services Inc.

Contractor/Consultant/Branch:
Montgomery Ward
HomeVisions.com
SearsHomeCenter.com
SearsShowPlace.com
SearsRoomForKids.com

Victims:
Customers

Number Affected:
"at least 51,000 records"

Types of Data:
Names, addresses, phone numbers, card numbers, "security codes", and expiration dates

Breach Description:
"NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."

Reference URL:
The Associated Press
The Associated Press via WZTV Channel 17 News

Report Credit:
The Associated Press

Response:
From the online sources cited above:

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward.

The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy.

Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.

By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.
[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above).  I don't know what the sixth is.

It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com

Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.

Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.
[Evan] This is sad.  The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response.  Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures.  Take a look at the Visa "What To Do if Compromised" procedures, and judge for yourself.

That included a report to the U.S. Secret Service.

He said he believed by the end of December that Direct Marketing Services had met its obligations.
[Evan] Mr. Milgrom is the president of the company.  He really thought that his company had met all of its obligations with respect to this breach?  It never occurred to him that he should notify customers, even if he weren't required to by law?  Not only was the lack of notification illegal, but I think it is also unethical.

However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.

Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state

After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.

This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.

In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant.

CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.

Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.

The data had been organized in the same way, indicating the numbers likely came from the same database.

CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.

When he began calling them, the first eight said they had bought things online or through mail order from Montgomery Ward. At that point, Clements realized, "there's a high probability the entire database of Montgomery Ward was breached."
[Evan] This is some good investigative work.

It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.
[Evan] According to the article, the "hackers" were able to compromise the information from all six Direct Marketing Services, Inc. properties.  51,000 may be Montgomery Wards customer accounts, and the remainder could be from the other five properties (just speculating).

A spokeswoman for Discover Financial Services LLC, Mai Lee Ua, said her company had addressed the problem by sending new cards to its cardholders who appeared in the compromised records.

Ua said they weren't told which merchant had been breached

Visa declined to comment.
[Evan] Visa always declines to comment.  No sense in even seeking one.

MasterCard issued a statement Friday acknowledging it was aware of the breach at Direct Marketing Services, and had notified the banks that issue MasterCards, telling them to monitor the accounts for suspicious charges.
[Evan] Three different card companies, three entirely different responses.  Of the three, I think I like the Discover one the best.

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets.

Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.
[Evan] I absolutely agree.  You would be naïve to think that victim notifications go out in all breaches.  Too many corporate leaders would rather not notify and hope that nobody notices.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order.

Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."

In fact, because of the silence that still sometimes follows data breaches, even people who have never been informed one of their records has leaked should assume their information is floating online, Litan said.

"Probably every one of our cards is up there somewhere now," she said.
[Evan] I agree with all of the statements made by Avivah Litan except this one.  This is a stretch.

On the Net:
Links to the 44 state notification laws

Commentary:
Is this a case of a company that was caught trying to cover up a breach, or was this a company that didn't know any better?  I lean towards the former.  Either way, is ignorance of the law any kind of valid excuse? 

Let's assume for a second that company really didn't know that they were required to notify victims.  If this were true, then this leads me to believe that the company doesn't govern information security well (due care?), probably has no formal information security program, lacks incident response policy and procedures, and doesn't manage risk well.

I could only guess how the "hack" took place.  What vulnerability was exploited?  Even in this, the company appears to have not detected the attack.  Direct Marketing Services, Inc. had to be told of it by Citibank.  Does this mean that the company did not use intrusion detection/prevention? 

I could go on and on, but in the end I don't have much confidence here.

Past Breaches:
Unknown

]]> Fri, 27 Jun 2008 19:45:03 +0000 card companies companies services services closely credit card companies services retail properties financial company citigroup company montgomery ward Montgomery Ward breached, no notification obligation? http://securityratty.com/article/3313abd868212bd3a9ed98811169e851 http://securityratty.com/article/3313abd868212bd3a9ed98811169e851 Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.  Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.  The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information.  Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did.  Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.



some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information!  I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again.  One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame.  It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many".  How many clients will be affected in the end?  PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters.  An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business.  This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th?  I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you.  We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist.  How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it?  If so, this could have been a sign that could have spurred some action.  Then again, maybe not.


http://www.colthr.com/



Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February.  The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking.  Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships.  Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment.  Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization.  The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary.  If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

]]> Wed, 25 Jun 2008 07:25:20 +0000 information personal information information security confidential information protect information breach sensitive information information security requirements colt "many of Colt's clients" affected by breach, CNET included http://securityratty.com/article/ca6f5be22b8296dc3dbda7041339d863 http://securityratty.com/article/ca6f5be22b8296dc3dbda7041339d863 Security Breach

Date Reported:
6/23/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Consumer Affairs

Victims:
"employees, contractors and board members"

Number Affected:
5,000

Types of Data:
Names, Social Security numbers, salaries and job titles

Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "

Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight

Report Credit:
Malcolm Maclachlan, Capitol Weekly

Response:
From the online sources cited above:

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

About 2,800 of the people on the list are current, full-time employees of the DCA.

The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.

The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you?  It's probably hard for the victims to have much sympathy.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.

However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers.  Unless of course, somebody emails them to you.

The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.

From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.

He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich. "We're looking into how that happened."

“We kind of know where it was sent,” Mr. Heimerich says
[Evan] Sounds obvious, but did anyone check "Sent Items"?  Yeah, probably.  Seriously though, does the California DCA not log email sends and receives?  It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.

The breach was discovered on Monday, June 9
[Evan] It took 3 or 4 days for the DCA to discover the breach.

People's whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification.  The earlier that a breach is detected and communicated to the data owner, the better.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year.  Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information.  It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere.  It's a scary thought, but it's a broken system.

He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.

Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email.  It saves me some keystrokes and a few precious seconds.  Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address.  I type my email, click send and away I go onto another task.  A couple of days later, I get a call from a customer asking where their information is.  I state that I sent it to them a couple of days ago, but they claim to have never gotten my email.  I look through my sent items, and HOLY #*@^!  I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.

Sound conceivable?  Have you ever sent an embarrassing email to the wrong person?  It is very easy to do if your not paying attention.

There are a number of controls us information security guys can put in place to reduce the risk of this happening.  One of the best is information security training and awareness (kind of an administrative control).

Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost

]]> Tue, 24 Jun 2008 13:51:19 +0000 information email volunteer information lost wrong email address email address information security adequately protect information credit cards credit Errant email exposed Department of Consumer Affairs personal information