[SecurityRatty] tag: mortgage

Canadian farmer personal information on stolen CCGA laptop

Sun, 08 Jun 2008 15:32:52 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Canadian Canola Growers Association (CCGA)

Victims:
Farmers

Number Affected:
~32,000

Types of Data:
"social insurance numbers, bank account numbers and other data"

Breach Description:
"OTTAWA, June 5 (UPI) -- Prairie farmers in Canada are upset the federal government waited two months to tell them a laptop computer containing their personal data was missing."

Reference URL:
Winnipeg Free Press
CBC News
United Press International

Report Credit:
Lindsay Wiebe, Winnipeg Free Press

Response:
From the online sources cited above:

About 32,000 Canadian farmers are on the alert after learning a laptop containing their financial information has been stolen.

The laptop was stolen when a programmer working for the Canadian Canola Growers Association took the machine off-site for routine maintenance.
[Evan] No offense to programmers, but in my experience the ways they use information can be some of the most dangerous threats to information security. There is no reason for a programmer to EVER have access to confidential production information. Programmers should only be permitted to work with scrubbed information in a test and/or development environment.

CCGA general manager Rick White described the theft as a classic "smash and grab."
[Evan] Also classic as in another organization that either does not know how or is unwilling to properly secure confidential information.

The laptop has the bank account numbers and social insurance numbers of farmers who applied for Agriculture Canada's advance payments program, which is administered by the CCGA on behalf of the federal government.

Although the theft happened March 30, Canadians weren't sent letters until last week informing them

The federal department has sent letters out to all farmers affected by the theft.

The letter said the laptop was stolen from an undisclosed, remote location in Manitoba.

"We treat this very seriously," White said. "This is an unfortunate incident, a very low-risk one."
[Evan] Mr. White is probably not well versed in risk analysis. Or incident response for that matter.

the strict security measures being used on the laptop reduce the chances of information being misused, White said.
[Evan] Like what?

"There was a very strong password protection on it, [and] there was a biometric fingerprint reader on it," he said. "That would prohibit anyone other than the user or the person with the password to access the data on the laptop."
[Evan] These are "strict security measures"? My emphatic answer is NO! These "strict security measures" are easily bypassed.

but the data was not encrypted
[Evan] The missing piece of the puzzle. Why go through all of the (self-proclaimed) "strict security measures" and not employ encryption. What you get with full-disk encryption is pre-boot authentication and this defeats the boot to CD attack.

Agriculture Canada spokesman Sean Malone said there were security features on the laptop, but a sophisticated hacker could likely bypass them.
[Evan] No sophistication required. A novice could figure it out with Google, a CD, and 15 minutes.

So far, there have been no reports of identity theft among the farmers, the report said.

Pitblado LLP privacy lawyer Brian Bowman said the CCGA and agriculture department deserve credit for notifying people of the breach -- a move not required by Manitoba law.
[Evan] Just because CCGA is not required by law, doesn't mean that they deserve any credit for notification. The information belongs to the victims not CCGA, and as owners of the information don't you think they should be informed of an incident that has the potential affect them personally?

Victim Reaction:
"If they're devilish enough to steal a computer, maybe they're devilish enough to do something with the information,"

"What frustrates me is that they've treated this like it's no skin off their back,"

"They've known this since then and they're only getting the letters out now?"

"I don't want to find out a mortgage has been taken out on our farm."

Commentary:
It is bad enough for an organization to lose confidential information on a poorly protected laptop, but what makes this more troubling is the apparent fact that they still view the practice that led to the breach as a low risk. Clueless and sad.

Past Breaches:
Government of Canada:
December, 2007 - Passport Canada web site suffers serious breach
November, 2007 - Service Canada stolen laptop affects more than 1,600

Business Week blows the lid off of credit card companies ripping off consumers

Fri, 06 Jun 2008 17:45:31 +0000

There is a great article in Business Week this week that talks about a scam that bank and credit card companies are pulling on consumers. It has resulted in the banks winning arbitration cases against consumers to the tune of a 99.998% clip. That is right, 99.998%. It has turned arbitration, where an impartial judge makes determination into the biggest home field advantage this side of the NBA play offs.

It seems many of the credit card agreements that govern your use of credit cards call for arbitration to settle any disputes between you and the credit card company. Well the credit card company gets to pick the arbitration company. Many pick the National Arbitration Forum, which markets itself to the credit card companies as a form of collection agency. The whole system is basically stacked against the consumer, which results in the credit card companies getting their way. Business Week does a great job of digging in here and finding out all of the dirty secrets of this scam. I highly recommend you read the article for all of the details.

I don't think too many people disagree that over the last years there has been a big swing in the pendulum favoring business's over the consumer. Many of the laws and rules that were put in place to protect consumers over the years have either been thrown out or ignored. Our bankruptcy laws have been totally rewritten to the disadvantage of the consumer. Lazes-fare attitudes toward regulating business has seen oil companies raking in billions of dollars a quarter while we pay 4 dollars a gallon. Health insurance companies raising rates higher than inflation while hospitals have to close for not making enough money. A mortgage industry that without oversight has written loans that has our finance system to the brink of disaster. A return of inflation and recession at the same time.

Not too advertise my own political views, but do I think it is time for a change? Your damn right I do! I hope that the press shining the light on some of these injustices will make it easier for a new era in Washington to make right (no pun intended) some of the wrongs in our system.

Business Week blows the lid off of credit card companies ripping off consumers

Fri, 06 Jun 2008 16:45:40 +0000

Did Hackers Cause the 2003 Northeast Blackout? Umm, No

Fri, 30 May 2008 14:00:00 +0000

The latest cyberterrorism fairy tale circulating in Washington posits that Chinese government hackers were responsible for the worst power failure in U.S. history. Next week: How Chinese hackers caused Hurricane Katrina, the mortgage crisis and climate change.

Technical glitch blamed in The Princeton Tower Club breach

Tue, 13 May 2008 05:20:10 +0000

Technorati Tag: Security Breach

Date Reported:
5/8/08

Organization:
The Princeton Tower Club

Contractor/Consultant/Branch:
None

Victims:
Former club members

Number Affected:
103

Types of Data:
"names and social security numbers"

Breach Description:
"Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning."

Reference URL:
The Daily Princetonian
United Press International
Asbury Park Press

Report Credit:
Rachel Dunn and Josephine Wolff, The Daily Princetonian

Response:
From the online sources cited above:

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.

The document was attached to an apparently unrelated e-mail that informed current members about a club event.

The spreadsheet was attached unintentionally because of "a technical glitch," Tower graduate board chair Greg Berzolla ’87 said
[Evan] Really? A technical glitch? These types of breaches are usually the result of human error.

"The [spreadsheet] file wasn’t even available on the hard drive [of the computer that sent the e-mail]," Berzolla said. "[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem."

"I cannot comment on [the glitch] because I don’t understand it," he said. "I didn’t figure it out, I think the club technical chair [did]. [Tower president] Stephanie [Burset ’09] tried to explain it to me, but I think she doesn’t really understand it either."
[Evan] At least he is honest.

Burset said in an e-mail that Pine, the e-mail system Tower currently uses, is "fairly antiquated, but our tech chairs have assured me that nothing like this can ever happen again," and added that "we plan on switching to a new client whom is more secure and easier to use."
[Evan] I am concerned by statements like "nothing like this can ever happen again". We still don't know why it happened in the first place.

The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.

Tower officers sent another e-mail to the club yesterday asking members to delete the message from their mailboxes "out of respect for ’07."

Berzolla said he believes the risk of identity fraud is "extremely limited"

"It’s hard for any kind of fraud to occur that quickly," he said of the incident. "I feel confident that our club members are not going to use this information badly."
[Evan] It only takes one person. It should also be mentioned that one or more of the destination email accounts could be a shared account and that these emails were sent in clear text (subject to the possibility of interception).

"[The breach] would have had to have been intentional [for there to be legal repercussions]," Berzolla said.
[Evan] Do you have to demonstrate intent to argue negligence (The failure to use reasonable care)? I'm certainly not a lawyer, but I think that there are cases where victims have been awarded damages when there was not intent to harm on the part of the defendant. I don't really advocate lawsuits anyway, but I am just stating what seems obvious to me.

Tower will pay for an identity theft protection services for the affected individuals next year.

Berzolla hopes this measure will assuage any possible threat of legal action from former members against the club. "I don’t expect there to be any problems, but just in case," he said.

The social security numbers on the spreadsheet were collected as part of the process of signing in new members several years ago, Berzolla said. Tower no longer requires its members to submit their social security numbers, he added.
[Evan] It is a good practice to not collect information that isn't required to conduct business. The Tower Club would be well advised to go through the information they currently possess and purge the information they no longer need.

Victim Reaction:
"I had no idea this happened, and frankly, I’m baffled and a little pissed off," Valerie McConnell ’07 said

"Now that I know that the social security numbers weren’t sent out on purpose, I’m not pissed off," McConnell said. "I think my identity is ok. I can’t imagine anyone in the club trying to steal my identity (not that there’s a lot to steal right now anyway)."
[Evan] I think I would still be pissed off. Identity thieves are not all stupid. Many of them will hold on to the information for a year or more before using it or selling it.

"[The incident] is a mistake; it shouldn’t have happened," Beylin said in an e-mail. "However, with the number of times I’ve handed out my SSN this year while seeking financial services or apartment hunting, it’s really not my biggest source of concern for identity theft."
[Evan] This is a good point. Have you ever thought of all the times you have given out your Social Security number? All of your employers, schools, insurance companies, banks, mortgage companies, credit card companies, etc. have your number. The same number used for identification and authentication. A recipe for disaster?

Commentary:
The Tower Club does not handle personal information any worse than most other organizations. It seems like they just didn't know any better. It sometimes makes me nervous.

Past Breaches:
Unknown

Personal information from two Colorado mortgage companies found in dumpsters

Wed, 07 May 2008 18:20:50 +0000

Technorati Tag: Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog. The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster. Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities. This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you? According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage. I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks. Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies? The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors. The money attracted people from all walks of life and a lot of poor decisions were made. Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

Cornerstone Fitness for Women information found in discarded file cabinet

Mon, 05 May 2008 10:01:48 +0000

Technorati Tag: Security Breach

Date Reported:
4/30/08

Organization:
Cornerstone Fitness for Women

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names, addresses, phone numbers and in many instances Social Security numbers copies of checks and credit card information

Breach Description:
"EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin."

Reference URL:
KRGV-TV Newschannel 5
The Monitor
The Brownsville Herald

Report Credit:
KRGV-TV Newschannel 5

Response:
From the online sources cited above:

EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin.

This story came to our attention after NEWSCHANNEL 5's Lisa Cortez received a phone call from a complete stranger on her cell phone.

He had Lisa's contract from Cornerstone Fitness.

He knew not only her phone number, but also her address, employer, and a copy of a check used to pay her account.

He also had about 30 other contracts.

It has everything you would want to know about them. I think those people deserve to know about it, " said Zumwalt. (Sammy Zumwalt, the person that called Ms. Cortez)

All contracts list names, addresses and phone numbers. Some of them list social security numbers and have copies of checks and credit cards.

Zumwalt says his friend found a filing cabinet in a dumpster behind the former Cornerstone Fitness Center for Women in Edinburg.

The center shut down several months ago.
[Evan] This isn't the first time that we have read about an organization vacating a location and leaving sensitive information behind (unsecured). Just in the past few months there was Affordable Realty in March, and Union Mortgage and First Magnus in February.

The paperwork was in Zumwalt's room for several weeks.

Recently, he decided to go through the stack of papers and came across the sensitive information.

Zumwalt turned the contracts over to NEWSCHANNEL 5.
[Evan] Why NEWSCHANNEL 5 and not the police or the Texas Attorney General? Do you think somebody wanted their 15 minutes of fame?

"At this point, we don't know what happened. This is not our usual practice. We are investigating it. We've been in the business for 10 years and this is the first time we hear of something like this. " (Joseph De la garza, one of the fitness club's owners)

NEWSCHANNEL 5 sorted through the contracts and contacted several members from the pile.

Cornerstone tells NEWSCHANNEL 5 they carefully guard all sensitive client information.

State Sen. Juan "Chuy" Hinojosa, D-McAllen, urged Texas Attorney General Greg Abbott to investigate, according to Jerry Strickland, a spokesman for the attorney general's office.
[Evan] I guess this is one good thing about reporting it to the media instead of the authorities. Mr. Hinojosa sees it on TV and pushes for an investigation.

"A lot of businesses are being very careless in the way they handle personal information," Hinojosa said. "Businesses (are required) to shred all information they no longer need."
[Evan] Oh yes, very true.

Victim Reaction:
"I mean, I don't even know how to explain how I feel, because I am so in shock," said one woman after we read her social security number.

Denise Grant told NEWSCHANNEL 5, "You never realize how important this information is until you have to try to prove that you are who you say you are." (a woman who claims to have been an victim of identity theft before)

Commentary:
Well, we all know (or should know) that this type of breach is nothing new, but I am keyed in on what Mr. Hinojosa stated, "A lot of businesses are being very careless in the way they handle personal information".

What will urge businesses to be more careful and secure personal information better? More laws? More costly fines? More laws mean more compliance. More compliance means more cost to companies. More cost to companies means more expensive goods and services. Seems that the same argument holds true for fines.

Maybe we should stop using a single identifier for all things personal (i.e. Social Security numbers). Do you think that the credit bureaus and the rest of the financial industry would go for such a radical idea? Do you know how the credit bureaus make money (I won't go into this now)? This would be a tough battle to fight.

An easy to implement solution does not exist. We have walked so far down this road that I think we may have gotten a little lost.

I have ranted long enough. On to the next breach, right?

Past Breaches:
Unknown

Former LendingTree employees sold access to customer information

Wed, 23 Apr 2008 09:08:37 +0000

Technorati Tag: Security Breach

Date Reported:
4/21/08

Organization:
IAC/InterActiveCorp (IAC)

Contractor/Consultant/Branch:
LendingTree, LLC

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"loan request data such as name, address, email address, telephone number, Social Security number, income and employment information"

Breach Description:
"Recently, LendingTree learned that several former employees may have taken Company passwords and given them to a handful of lenders. These lenders then used the passwords to access LendingTree customer information files, normally available only to LendingTree-approved lenders, to market loans to LendingTree's customers."

Reference URL:
LendingTree FAQs
MSNBC Red Tape Chronicles
NetworkWorld

Report Credit:
LendingTree

Response:
From the online sources cited above:

LendingTree has told its customers that former employees helped unauthorized mortgage lenders hack into its systems and steal customer information from 2006 to 2008.
[Evan] From Rob Douglas, editor of InsideIDTheft.info "Given that data was accessed from 2006 to early 2008, it can be inferred that passwords used by former employees remained operational for months or even years after their employment was terminated, generally considered poor security practice"

Recently, LendingTree learned that several former employees may have taken Company passwords and given them to a handful of lenders.
[Evan] Monitoring insider activity for fraud is a difficult challenge for information security personnel, especially when the credentials (username/password) used are valid.

These lenders then used the passwords to access LendingTree customer information files, normally available only to LendingTree-approved lenders, to market loans to LendingTree's customers.

The files contained loan request data such as name, address, email address, telephone number, Social Security number, income and employment.
[Evan] Sheesh! This is everything that a bad guy (or gal) would need to do some serious damage.

A LendingTree spokeswoman said the company was not granting interviews to discuss the data theft. She would not say how many customers were affected nor how much data was stolen, but instead supplied a copy of the customer letter sent by the firm.

Our internal security uncovered this situation. We began an internal investigation and reported it to the authorities. We continue to assist the authorities and are telling our customers as soon as it was possible to do so.

Credit card information (such as account number or account balance) was not involved.
[Evan] No need, with information such as name, address, email address, telephone number, Social Security number, income and employment, a fraudster could get his/her own credit card.

We promptly enhanced the security of our system so that this situation couldn't happen again. We also brought lawsuits against the lenders and other persons involved.
[Evan] What? How do you promptly fix human behavior? If there were such a simple fix for the problem that led to this incident then why wasn't it implemented prior to the incident? I don't buy it.

we have no reason to believe any identity theft or fraudulent financial activity resulted from this situation

You still might want to get a free credit report and file a fraud alert with the credit bureaus. When you get your credit report, look for any accounts you didn't open and/or inquiries from creditors that you didn't initiate. If you see anything you don't understand, contact the credit bureau.
[Evan] What if an affected individual has already used their free annual credit report?

LendingTree believes that the information accessed was limited to mortgage customer loan requests only, which were then used by the mortgage lenders to solicit those customers for mortgage loans.

We brought a lawsuit against Newport Lending Group, Irvine, California; Home Loan Consultants, Inc., Newport Beach, California; and Sage Credit Company, Irvine, California, in connection with this incident.
[Evan] I wonder what the lawsuits seek.

LendingTree sent emails or letters to the mortgage customers that it believes, based on its investigation to date, might be at risk of having their information accessed and used by these mortgage companies to solicit mortgage loans.

You should also be vigilant for 12 to 24 months in reviewing bank and credit card statements and any future credit reports.
[Evan] As long as Social Security numbers are still used for authentication, people should remain vigilant, whether it be 12, 24, or 300 months.

You can call LendingTree at 866-505-8874 to speak with one of our customer service representatives who are available from 9am to 9pm ET seven days a week.
[Evan] Well thank you for permission Mr. LendingTree

Commentary:
I don't necessarily fault LendingTree too much for the incident occurrence. Preventing internal privileged access abuse is a real challenge. There are some controls that can reduce risk, but we don't know which of these are in use at LendingTree. I think it was just a matter of time. Actually, I would be surprised if this was the first time with past occurrences remaining internal and private.

What I do fault LendingTree for is a really poor public response. There are no apologies in the FAQs for the inconvenience. There is no offer of any real assistance. There is no readily available information on the company's web site (the FAQs are very hard to find without any direct link from the home page). The information (once found) given by LendingTree is much less than what would make me comfortable. Overall, their response gives off this general feeling of arrogance.

Personally, I am a LendingTree customer as I have applied for a previous car loan through them. Am I to take LendingTree at their word and believe that this breach only affected mortgage applications? What controls were in place to prevent employees from granting access to my data? I need more detailed information about the investigation and what LendingTree did to "promptly" enhance security before I conduct business with them again.

Past Breaches:
Unknown

An old/new kind of cybercrime/cybercriminal

Wed, 23 Apr 2008 07:13:09 +0000

I was reading Ellen Messmer's report today about the security incident over at Lending Tree. Yeah, I know another information breach by insiders case, BFD. But I think there is something different about this one. From what I am reading this is more a case of corporate espionage than the usual hackers for fraud and financial gain type of deal. For a long time now we have been hearing from people like Bruce Schneier in this article talk about the front in security moving from dealing with script kiddies working for kicks to organized cybercriminal gangs that are in it for financial gain. Mostly the gain is about identity theft and gaining access to funds fraudulently.

In the Lending Tree case though there was not evidently a motive to use the ill begotten information for identity theft or fraud. Rather they represented Glengary, Glen Ross leads. That is the names, contacts and qualifications of people looking for mortgages. A mortgage company would consider these leads more valuable than gold, more valuable even that gasoline! So to my mind this is more a case of corporate espionage where a company that is competitive to Lending Tree infiltrated their networks through people, rather than technology to gain access to their corporate crown jewels.

This sort of stealing your competitors information has been going on for decades, well before computers and cybercrime were around. However, this is a great example of some things not going out of style. Obtaining your competitors information is a great motive, computers are just the container where the information is kept. Sort of like cracking a safe. It is always easier getting into a safe if you are given the combination, than if you have to crack it yourself.

Yet another front in the cybercrime war that security folks need to be on guard for!

An old/new kind of cybercrime/cybercriminal

Wed, 23 Apr 2008 06:13:09 +0000

Yet another front in the cybercrime war that security folks need to be on guard for!