http://securityratty.com/tag/fla Wed, 16 Jan 2008 06:51:41 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/9fbf858547c6670a14d3e4ee147593fc http://securityratty.com/article/9fbf858547c6670a14d3e4ee147593fc Security Breach

Date Reported:
7/7/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Agency for Health Care Administration

Victims:
registered organ donors

Number Affected:
"about 55,000"

Types of Data:
"names, addresses, birth dates, driver license numbers and Social Security numbers"

Breach Description:
"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."

Reference URL:
AHCA FAQs
Sarasota Herald-Tribune
WCTV CBS News
Orlando Sentinel

Report Credit:
Sarasota Herald-Tribune

Response:
From the online sources cited above:

TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.

The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.

"We stopped all access to the database, identified the flaws and corrected them."
[Evan]  This breach makes me wonder a couple of things.  Is information security testing part of the development lifecycle and change control?  I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.

The database includes donors' names, addresses, birth dates and driver license numbers.

The agency is sending letters to inform individuals of the flaw.
[Evan] What kind of flaw, do you suppose?  A Code flaw, an administrative/process flaw, a configuration flaw?

AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.
[Evan] No logging?  Logging of the systems, processes, and people accessing confidential information is a must.  Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).

The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.
[Evan] What does the "breach happened on June 20" mean?  It could mean that a flaw was detected on June 20, but could have been in existence for longer.  It could mean that a vulnerability was actually exploited on June 20.  I guess it really depends on your definition.  I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.

"If you have not received a letter our logs note that your information was not affected by this security flaw."

A couple of FAQs:
Q: If I have additional questions regarding this issue, what should I do?
A: You can call 866 757 0677.  This number is open Monday through Friday from 8AM to 7PM Eastern.

Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?
A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.
[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".

Commentary:
Ugh!  I am left with too many questions about this breach.  On the surface, this breach doesn't look all that significant unless of course, you are a victim.  When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA.  With less detail, it is easier to imagine.

Past Breaches:
State of Florida:
January, 2008 - Five stolen Florida Department of Children and Families laptops


]]> Wed, 09 Jul 2008 07:15:38 +0000 breach information personal information breach description flaw configuration flaw health care administration database includes donors security breach Florida's Agency for Health Care Administration reports a breach http://securityratty.com/article/70535b81354ea161a0135979f7d38509 http://securityratty.com/article/70535b81354ea161a0135979f7d38509 Security Breach

Date Reported:
6/11/08

Organization:
University of Florida

Contractor/Consultant/Branch:
Office for Academic Support and Institutional Services

Victims:
Students

Number Affected:
"more than 11,300"

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public."

Reference URL:
University of Florida
Miami Herald
Inside UF
United Press International

Report Credit:
University of Florida

Response:
From the online sources cited above:

GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public.
[Evan] Not "may have been".  The information was accessible to the public and was not even protected by a password.

The student information was actively used from 2003 through 2005 and remained posted until it was recently discovered during a routine audit of UF systems.
[Evan] If I am reading this right, this means that some of the personal information was available publicly for ~5 years!

School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.
[Evan] There is no security through obscurity.

"The risk of someone outside actually finding this information and using it inappropriately is very low," - Steve Orlando, UF Spokesman
[Evan] I wonder how Mr. Orlando came to the conclusion that the risk of disclosure and misuse is "very low".  As I understand, the server was publicly accessible, presumably via the internet.  If so, was the site indexed by search engines like Google, Yahoo, and Microsoft?  It is much easier to find information through a search index because folder structure is much less relevant.  The fact that this information was available for 3-5 years adds to the risk too.  I only know what I read and based on this and experience, I wouldn't classify this as a "very low" risk situation.  Either way, the risk was increased due to poor information security practice and was not necessary.

"We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added.
[Evan] This indicates poor logging and monitoring which are both essential detective controls (in most situations).  Information security personnel (or admins) should be empowered to reconstruct events.

"But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said.
[Evan] I am NOT a fan of the "abundance of caution" claims that seem more popular in breach notifications lately.  Organizations would be best advised to use an "abundance of caution" in the prevention and early detection of breaches by applying sound information security principles.

Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."

The information has been removed and is no longer available online or elsewhere in the UF systems.

The breach occurred when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program.

The student employees posted the information online so that they could work with it from remote locations, but they did not install security measures to keep others from accessing it as well
[Evan] I have so many questions and arguments.  Were the students aware of the risks?  If not, then there is probably an information security training and awareness problem.  Why was it necessary to include Social Security numbers in the records?  Why were the seemingly untrained students allowed to post the information without being stopped or detected?  I have many more questions, but I am starting to confuse myself now.

The university sent letters of notification to about 11,300 students whose information is believed to have been potentially compromised.
[Evan] Here's my take on the word "compromised".  If an organization cannot provide reasonable assurance that the information has not been subject to unauthorized disclosure, modification, or destruction, then the information has been "compromised". 

University officials were unable to find contact information for about 570, so they are asking students who were enrolled in CLAS from 2003 to 2005 and did not receive a letter but who believe their information may have been compromised to call UF’s Privacy Office Hotline at 866-876-HIPA and provide the requested information.

Anyone who thinks he or she may be one of the 570 people who were not notified is urged to go to privacy.ufl.edu and read the information posted there before calling the privacy hotline.

"This would certainly appear to be the largest privacy breach we've had," Orlando said.

We're in the process of strengthening some of those policies regarding what information can be posted and what security measures should be in place
[Evan] Good start.

Victim Reaction:
"Why would it be necessary to use a Social Security number instead of something else?" asked Reixach, pointing out that students were given ID numbers. "It's just silly".

"It's negligence on their part, especially if anyone has been affected with identity theft,"

Johann Arias, a spring CLAS graduate, had not heard about the breach Wednesday and said UF should be doing more to notify those affected.

"They always make information very prominent when you have a hold or owe them money," Arias said.

Commentary:
This is a case where poorly trained students are granted access or obtained access to confidential information and posted the information to an unsecured location which went undetected for years.  Bad all around. 

Past Breaches:
May, 2008 - University of Florida doctor loses job over breach
November, 2007 - University of Florida student info online

]]> Thu, 12 Jun 2008 06:41:30 +0000 information information online personal information information security confidential information information security personnel student information security measures install security measures University of Florida student information online for years http://securityratty.com/article/25aefe167382d9d14ee98123ecb5a87c http://securityratty.com/article/25aefe167382d9d14ee98123ecb5a87c Security Breach

Date Reported:
4/17/08

Organization:
University of Miami

Contractor/Consultant/Branch:
Archive America Ltd.

Victims:
Medical patients that visited university medical facilities since January 1st, 1999.

Number Affected:
"more than 2 million" (2,000,000+)*

*According to the ComputerWorld report.  The University of Miami will be notifying 47,000 people whose data may have included credit card or other financial information regarding bill payment

Types of Data:
Names, addresses, Social Security numbers, health information, and credit card or other financial information

Breach Description:
"A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen.  The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported."

Reference URL:
University of Miami announcement
The Associated Press via The Florida Times-Union
ComputerWorld

Report Credit:
The University of Miami

Response:
From the online sources cited above:

University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records was stolen in March from a van that was transporting the data to an off-site facility.
[Evan] I'm not sure where ComputerWorld came up with the 2,000,000 number.  I could only find references to the number 47,000.  I went with the 2,000,000 in this report because 47,000 doesn't seem large enough for "Anyone who has been a patient of a University of Miami physician or visited a UM facility at any time since January 1, 1999"

Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17.

Thieves removed a transport case carrying the school's computer backup tapes

Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft.

The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen.

In a statement, Doctor Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."
[Evan] Absolutely a good decision!  More organizations should be more transparent in their responses to incidents involving personal information.  After all, personal information belongs to the person, not the organization.

Since the incident, Mendendez said that the university temporarily stopped transporting backup data off-site

"At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better,"
[Evan] I like this response.

Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft,"

Law enforcement is investigating the incident as one of a series of petty thefts in the area.
[Evan] Interesting that they chose the word "petty".

The stolen backup tapes hold names, addresses, Social Security numbers and health information all patients at university medical facilities since Jan. 1, 1999.

Financial data from approximately 47,000 people may be on the missing tapes

UM says it will notify 47,000 patients by mail whose records may have included credit card or other financial information

After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed.

security experts at Terremark Worldwide Inc. "tried for days" to decode the data but could not because of proprietary compression and encoding tools used to write data to the storage tapes.

“For more than a week my team devised a number of methods to extract readable data from the tapes,’’ said Christopher Day, senior vice president of the Secure Information Services group at Terremark.  “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.’’

Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said:  “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.’’  Based on this information, the University believes misuse of the information on the tapes is unlikely.
[Evan] I very much respect Ontrack's views on data recovery.  These guys are the experts in data recovery.

"The university feels confident that the person who took [the tapes] doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information,"

The school regularly sends its data off-site as a precaution against hurricanes and other natural disasters.

the University has also established a call center at 1-866-628-4492

Commentary:
Minus the amount of time it took for the school to get the word out (for which there might be good reason), I am impressed with the school's response to this incident.  The fact that they chose to consult with two independent "experts" about the risk of disclosure and convincing them to comment publicly was an excellent move.  The school's transparency about this incident instills a sense of trust and honesty that could have easily turned the other way.  Other organizations could stand to learn a thing or two here.  Kudos to the school's management team.

Past Breaches:
Unknown

]]> Fri, 25 Apr 2008 11:34:41 +0000 personal information belongs personal information tapes university information financial information secure information services data usable data University of Miami reports stolen tapes affecting patients http://securityratty.com/article/40edb2e1a59a5f76cc2475adab1cd0d1 http://securityratty.com/article/40edb2e1a59a5f76cc2475adab1cd0d1 Mon, 25 Feb 2008 21:00:00 +0000 west palm beach drug bust deployment stage handy police installation tuesday city fla West Palm Beach touts new wireless cameras for curbing crime http://securityratty.com/article/085cae5bc1c684032d89e62527eda208 http://securityratty.com/article/085cae5bc1c684032d89e62527eda208 Security Breach

Date Reported:
1/11/08

Organization:
United States Navy

Contractor/Consultant/Branch:
Naval Surface Warfare Center Dahlgren Division (NSWCDD)*

*Dahlgren is a weapons-system research and test center for the Navy. About 2,800 civilian federal workers and another 3,000 civilian contractors work at the base on the Potomac River.

Victims:
"current and former federal employees who worked at the Naval Bases in Dahlgren, Va., Silver Spring, Md., and Panama City, Fla., on or before July 7, 1994"

Number Affected:
10,000**

**"Dahlgren Division spokesman Russ Coons said it is possible that about 10,000 employees could be affected", Source: www.inrich.com/cva/ric/news.apx.-content-articles-RTD-2008-01-15-0194.html

style="font-weight: bold;">Types of Data:
Names, Social Security numbers, dates of birth, job titles, salary and employment information

Breach Description:
Officials at the Naval Surface Warfare Center Dahlgren Division were made aware of a breach involving personal information belonging to current and former employees after a criminal attempted to purchase a big-screen television at a Sears store in Pennsylvania using the stolen information.  One of the four suspects arrested in the attempted theft had two pages of a NSWCDD 1994 report in their possession that contained names, Social Security numbers, birth dates, job titles, salary and employment information.

Reference URL:
Official NSWCDD Press Release Online
Times-Dispatch News Story

Report Credit:
The Naval Surface Warfare Center Dahlgren Division

Response:
From the online sources cited above:

The Naval Surface Warfare Center Dahlgren Division is contacting all current and former federal employees who worked at the Naval Bases in Dahlgren, Va., Silver Spring, Md., and Panama City, Fla., on or before July 7, 1994, to warn of potential identity theft and to urge them to contact their creditor bureaus in the wake of a reported attempt to illegally obtain a credit card using an employee’s personal information.

NSWCDD officials were notified on Jan. 8 that four individuals had been arrested in Bensalem Township, Pa., on Jan. 5, 2008, for attempted identity fraud.

police in Bensalem Township, Pa., outside Philadelphia, informed a Dahlgren employee that someone was about to use his credit card to buy a big-screen TV at Sears.
[Evan] It adds a level of concern when it is known that the information is being actively used to commit fraud.  It took awareness and good work to catch the four suspects in the identity fraud case.

They had in their possession two pages of a hard copy report dated July 7, 1994, containing personally identifiable information (PII) – names, social security numbers and dates of birth – of nearly 100 individuals with the last name beginning with “B.”

The employees could have been assigned to work within NSWCDD, at one of the following: Naval Facilities Command (NAVFAC), NSWC Dahlgren, NSWC White Oak, Md., NSWC Panama City, Fla., Joint Warfare Analysis Center (JWAC), Naval Space Command and the Aegis Training and Readiness Center (ATRC) or any of their detachments.

Dahlgren Division spokesman Russ Coons said it is possible that about 10,000 employees could be affected.

A call center has been established at 1-800-352-7967, Monday through Friday from 8 a.m. until 4 p.m., to answer employees’ questions and provide additional guidance on reporting and protecting against potential identity theft.

Current or former Navy civilian employees who have experienced recent identity fraud are urged to call this number as well as notify their local authorities.

Current employees were notified of the incident on Jan. 10 through an All Hands e-mail and urged to take action to safeguard their identity. The message is currently posted to the NSWCDD internal website.

At this time, NSWCDD has no information as to how the individual(s) came to be in possession of this hard copy report. The compromise of personal identity was immediately reported to all appropriate law enforcement authorities and is currently under Secret Service investigation.
[Evan] Hopefully it will be found that one of the four individuals stole the information themselves.  If the information were bought from "the stolen information black market" (yes, it exists), then this could get worse before it gets better.

It is unknown whether any additional pages of the report have been compromised. Therefore, all persons employed by NSWCDD or a tenant command on or before July 7, 1994, are advised to take action to protect against any potential identity theft.

Recommended actions endorsed by the Federal Trade Commission (FTC) are available at:
www.ftc.gov/bcp/edu/microsites/idtheft/
href="http://www.usdoj.gov/criminal/fraud/websites/idtheft.html" target="_blank"> www.usdoj.gov/criminal/fraud/websites/idtheft.html
href="http://www.ssa.gov/pubs/idtheft.htm" target="_blank"> www.ssa.gov/pubs/idtheft.htm

NSWCDD follows the Department of the Navy’s policy for disposing of documents containing privacy act data. NSWCDD disposal processes are in place for rendering Personally Identifiable Information (PII) unrecognizable or beyond reconstruction. Documents containing PII are shredded when no longer needed.
[Evan] I imagine that the Department of the Navy's data disposal policy is well-written.  Following policy approval comes training, awareness and enforcement.

NSWCDD and the Department of Navy take this incident very seriously. Current policies and practices will be reviewed to determine if any changes are necessary to preclude a similar occurrence in the future.

Commentary:
This is an interesting story.  I can't recall a time when an identity fraudster was caught with pages of stolen information in their possession.  I have many unanswered questions about this breach.

Overall, I like the NSWCDD's response to the breach.  The response pointed out one very important facet of information security, data destruction.  I am currently writing a Data Destruction and Re-Use Standard for a company I work for. 

From the Introduction section of the standard:

The purpose of the %Company% Data Destruction and Re-Use Standard document is to describe the requirements surrounding the authorized destruction of %Company% data.  This document details the specific settings necessary to conform to SP1. Data Classification Policy, which is in turn part of the greater %Company% Corporate Information Security Policy.

Past Breaches:
Unknown
]]> Wed, 16 Jan 2008 06:51:41 +0000 company data destruction company data employees personal information personal information destruction information information security employees employment information The Naval Surface Warfare Center warns employees