<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: newsday]]></title>
    <link>http://securityratty.com/tag/newsday</link>
    <description></description>
    <pubDate>Tue, 12 Feb 2008 06:53:50 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Confidential Connecticut Department of Labor mailing is missing]]></title>
      <link>http://securityratty.com/article/56e33af0120170cd6188b6bb335bb472</link>
      <guid>http://securityratty.com/article/56e33af0120170cd6188b6bb335bb472</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/2/08

Organization
State of Connecticut

Contractor/Consultant/Branch
Connecticut Department of Labor

Victims
Customers

Number Affected
2,160

Types...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/cdol.jpg" align="right" height="120" width="151"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/2/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.ct.gov/">State of Connecticut</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.ctdol.state.ct.us/index.htm">Connecticut Department of Labor</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>2,160<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information, including name, address and Social Security number"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.ctdol.state.ct.us/communic/2008-6/contacting.htm">Connecticut Department of Labor</a> <br><a href="http://www.courant.com/news/local/hc-aplabor0603.artjun03,0,1589071.story">Associated Press via The Hartford Courant</a> <br><a href="http://www.newsday.com/news/local/wire/connecticut/ny-bc-ct--lostlaborrecords0602jun02,0,7864495.story">Newsday</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Connecticut Department of Labor<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located.<br><br>the agency strongly believes that the letters were mistakenly shredded along with others that were being rightfully 
destroyed<br><br>Following an extensive search, it appears the copies were inadvertently shredded and destroyed on or before May 21<br><br>we feel it is in the best interest of our customers to be proactive in our efforts to ensure that personal information is not compromised<br><br>The files contained copies of letters dated from May 2 to May 20 informing applicants that they were ineligible for the unemployment insurance.<br><br>Copies of the letters, which must be kept on file for three years, contained personal information, including name, address and Social Security number.<br><span style="font-style: italic;">[Evan] Why does a letter informing someone that they are not eligible for unemployment insurance require a Social Security number?</span><br><br>we do not believe information on these letters will be used in a manner that will compromise the security of these residents<br><br>we have arranged for two years of free preventative services through the Debix Identity Protection Network<br><span style="font-style: italic;">[Evan] Two years is much better than the semi-standard one year given by many organizations.&nbsp; Government breaches tick me off a little more than most.&nbsp; One reason is the fact that taxpayers get to foot the bill.</span><br><br>We sincerely regret any inconvenience or concern that has been caused by this situation<br><br>the agency takes the protection of personal information very seriously and since last year, we have been working on additional security features for the state’s unemployment insurance compensation system<br><br>Since federal law mandates that we use the entire Social Security number in the course of business, we are looking at ways to encrypt that data and still comply with regulations.<br><span style="font-style: italic;">[Evan] I am glad to read that the agency is considering encryption of confidential information (albeit late, better than never), but this is only feasible for electronic information.&nbsp; 
Encryption would not have provided any protection against this particular breach which involved printed confidential information, namely Social Security numbers.&nbsp; I think it is generally a poor business practice to send mail with Social Security numbers in print unless it is absolutely necessary.&nbsp; I don't think that federal law requires that these mailings include Social Security numbers.</span><br><br>Residents who receive a letter from the agency and who may have questions regarding the free protection service can contact Debix directly at 888-332-4963. Those with questions about their Determination Letter can call the Labor Department’s Assistance Center at 860-263-6785.<br><br><span style="font-weight: bold;">Commentary:</span><br>If the missing letters only contained the information necessary to communicate the required message, then the impact of this breach would be considerably smaller.<br><br>Information security personnel don't currently review mailed information prior to release in the companies I consult for.&nbsp; This breach gets me thinking about a potential risk that I may have missed in my assessments.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>September, 2007 - <a href="http://breachblog.com/2007/09/20/conndcf2.aspx">Stolen laptop contains names and allegations in state DCF cases</a> <br>August, 2007 - <a href="http://breachblog.com/2007/08/28/state-of-connecticut-stolen-laptop.aspx">State of Connecticut Stolen Laptop</a> </font><br><br>
]]></content:encoded>
      <pubDate>Tue, 10 Jun 2008 08:00:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security personnel">information security personnel</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/additional security features">additional security features</category>
      <category domain="http://securityratty.com/tag/entire social security">entire social security</category>
      <category domain="http://securityratty.com/tag/connecticut department">connecticut department</category>
      <category domain="http://securityratty.com/tag/connecticut">connecticut</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <source url="http://breachblog.com/2008/06/10/cdol.aspx">Confidential Connecticut Department of Labor mailing is missing</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: First Starbucks with AT&T? Plus, L.I.-Fi, Panasonic Camera, Corpus Christi Decision]]></title>
      <link>http://securityratty.com/article/9a504a1c75e765efa1c52eb2851c4542</link>
      <guid>http://securityratty.com/article/9a504a1c75e765efa1c52eb2851c4542</guid>
      <description><![CDATA[AT&amp;T-equipped Starbucks live in San Antonio? Alan Weinkrantz believes he's spotted the first transitioned Starbucks. He saw installers putting in gear, and the login screen shows AT&amp;T Wi-Fi...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://alanweinkrantz.typepad.com/3screens/2008/04/first-starbucks.html"><strong>AT&T-equipped Starbucks live in San Antonio?</strong></a> Alan Weinkrantz believes he's spotted the first transitioned Starbucks. He saw installers putting in gear, and the login screen shows AT&T Wi-Fi prominently, with T-Mobile's HotSpot logo relegated to a square in the upper right. He may be right. In Seattle and New York at least, the Starbucks login banner shows T-Mobile prominently across the top with AT&T in a square at the upper right, as <a href="http://wifinetnews.com/archives/008269.html"><strong>I noted with Klaus Ernst's help</strong></a> on 10 April 2008. The store is located a few miles from AT&T's HQ.</p>

<p><a href="http://www.newsday.com/services/newspaper/printedition/wednesday/longisland/ny-powifi165651637apr16,0,2500246.story"><strong>Suffolk signs contract with E-Path:</strong></a> After yesterday's scathing New York Times article--which I <a href="http://wifinetnews.com/archives/008278.html"><strong>wrote up and elaborated on</strong></a>--you might be surprised to read that Suffolk County's executive Steve Levy has signed a contract with E-Path, the Wi-Fi network builder. As of Monday, Levy was saying that no services would need to be paid for by the county. Now, it's "a price 'as close to zero as possible.'" Apparently the contract doesn't specify any actual purchase of services? While the New York Times was unable to get E-Path's head on the phone, Newsday had no such problem. E-Path's Joe Tortoretti is now saying that an anchor tenant and minimum service commitments are needed to build a network. That's rather a different tune, isn't it? E-Path, a firm that has built no such networks to date, is now going after the Long Island Railroad, too, with Levy's backing. Shouldn't this be bid out again by the county, given all the terms have changed?</p>

<p><img src="http://wifinetnews.com//images/2008/lumixtz50.jpg" alt="lumixtz50.jpg" border="0" width="200" height="148" align="right" /><a href="http://www2.panasonic.com/consumer-electronics/shop/Cameras-Camcorders/Digital-Cameras/Lumix-Digital-Cameras/model.DMC-TZ50S.O_11002_7000000000000005702#tabsection"><strong>Panasonic adds Wi-Fi camera:</strong></a> The Lumix DMC-TZ50 can upload directly to Google's Picasa photo-sharing service. It's got a 9.1-megapixel sensor, and comes with 12 months of free service at T-Mobile hotspots in the U.S. As I have noted many times before, uploading and "emailing" photos via photo-sharing services from Wi-Fi-enabled cameras typically involves a downsampled or compressed image, and that level of degradation isn't noted in the widely marketed information about the camera.</p>

<p><a href="http://gigaom.com/2008/04/16/corpus-christi-dumps-earthlink/"><strong>Corpus Christi to reclaim network:</strong></a> The city council voted 7-0 last night to take its Wi-Fi network back over from EarthLink. As noted yesterday, EarthLink avoids paying $1.59m in fees to the city, but the city gets $3m in improvements, and hundreds of thousands of dollars in additional equipment. The improbable amount of $50,000 in yearly operating expense was once again bandied about in this GigaOm report.</p>]]></content:encoded>
      <pubDate>Wed, 16 Apr 2008 08:03:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/york times article">york times article</category>
      <category domain="http://securityratty.com/tag/york times">york times</category>
      <category domain="http://securityratty.com/tag/starbucks">starbucks</category>
      <category domain="http://securityratty.com/tag/wi-fi network builder">wi-fi network builder</category>
      <category domain="http://securityratty.com/tag/wi-fi network">wi-fi network</category>
      <category domain="http://securityratty.com/tag/york">york</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/starbucks login banner">starbucks login banner</category>
      <category domain="http://securityratty.com/tag/noted yesterday">noted yesterday</category>
      <source url="http://wifinetnews.com/archives/008279.html">Wee-Fi: First Starbucks with AT&amp;T? Plus, L.I.-Fi, Panasonic Camera, Corpus Christi Decision</source>
    </item>
    <item>
      <title><![CDATA[Drama surrounds People's United Bank breach]]></title>
      <link>http://securityratty.com/article/cf1c6837ab1893a2838018bc8c59378d</link>
      <guid>http://securityratty.com/article/cf1c6837ab1893a2838018bc8c59378d</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/6/08

Organization
People's United Bank

Contractor/Consultant/Branch
Various branches

Victims
Customers

Number Affected
hundreds

Types of Data...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/peoples.jpg" align="right" height="83" width="204"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/6/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="https://www.peoples.com/index/0,6830,,00.html">People's United Bank</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Various branches<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>"hundreds"<br><br><span style="font-weight: bold;">Types of Data:</span><br>"confidential financial data" and "private information, including customers' Social Security numbers and account information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.connpost.com/ci_8826142?source=most_viewed">The Connecticut Post</a> <br><a href="http://www.newsday.com/news/local/wire/connecticut/ny-bc-ct--banksecurity0406apr06,0,4452038.story">Newsday/Associated Press</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Connecticut Post<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information.<br><br>Bank employees didn't know what Hastings was doing until the Fairfield resident told them and delivered a video depicting him digging through the Dumpsters and 
sitting in front of a wall in his home he had papered with the documents.<br><span style="font-style: italic;">[Evan] People's Bank would have had no idea that confidential documents were taken from dumpsters had Mr. Hastings not approached them.&nbsp; How long could the practice of discarding confidential information in the garbage have gone on before someone else noticed?&nbsp; How long has this practice been accepted, and is it still occurring?</span><br><br>The bank got a restraining order against Hastings on March 20, and detectives from the State Police, on a search-and-seizure warrant, raided his home. He is scheduled to appear in Bridgeport Superior Court Monday and he said he could face prison for violating the order the bank secured from the court to stop Hastings from discussing or distributing any of the material.<br><span style="font-style: italic;">[Evan] Judging from what I read, Mr. Hastings is appearing in court to face charges of violating the restraining order, not for taking the documents from the dumpster.&nbsp; I don't think it's against the law to rummage through dumpsters.&nbsp; If it were, how could you enforce it well?</span><br><br>The restraining order also came into play Wednesday when Hastings tried to turn over the remaining boxes of documents to Attorney General Richard Blumenthal.<br><br>The AG's office late Wednesday refused to talk to him until lawyers there investigated the restraining order. It had not made a determination on how it can proceed.<br><span style="font-style: italic;">[Evan] This is sad.&nbsp; I think it is in the public's and the victims' best interests to have the Attorney General investigate fully.</span><br><br>In a series of interviews, Hastings says he's not an identity thief. He says he wants the bank to react to what he calls a serious lapse in security. <br><span style="font-style: italic;">[Evan] The bank has reacted, but obviously not in the way Mr. 
Hastings had preferred.</span><br><br>On Tuesday, he displayed two boxes filled with documents he says he culled from bags of garbage People's United Bank threw away.<br><br>People's, however, doesn't see it that way, and said Hastings is attempting to extort money from the bank. It is also demanding the information be turned over to the bank.<br><br>Brent DiGiorgio, a People's spokesman, says the bank's primary concern is protecting the customers' information that Hastings has taken.<br><span style="font-style: italic;">[Evan] If "protecting customers' information" were the bank's primary concern, then should they have done more to disallow these documents to be thrown in the garbage?&nbsp; Should they address the root issue more aggressively?&nbsp; The information that Mr. Hastings found does not belong to the bank, the information belongs to the victims.</span><br><br>"We're going to provide one year of free credit monitoring for customers whose information was taken when this gentleman rummaged through our trash," DiGiorgio said. <br><span style="font-style: italic;">[Evan] Big deal.&nbsp; Broken record...&nbsp; Credit monitoring helps to alert a person only after they have become an identity theft victim.&nbsp; A one year time frame is insufficient for information that has a life span which far exceeds this limit.</span><br><br>He said the bank notified police immediately when it found out what Hastings had. That notification resulted in a search of Hastings home and the seizure of documents.<br><br>Letters are being mailed out to affected customers, DiGiorgio said.<br><br>About four months ago, Hastings says he was driving out of a People's branch parking lot in Fairfield when he saw a Dumpster brimming with garbage bags. 
When he looked more closely, he saw the clear garbage bags were stuffed with financial documents.<br><span style="font-style: italic;">[Evan] An opportunist.</span><br><br>Hastings says he wanted to try to determine the extent of the problem, so he says he worked nights and weekends digging into Dumpsters at People's and other financial institutions.<br><br>"I'm disgusted by what I've pulled out of those bags," Hastings says, adding that the paperwork contains information on how much money individuals have in their accounts and where they live. He's got Social Security numbers and more on customers.<br><br>"I've got a guy in here that's got $8 million in gold," Hastings says.<br><br>He turned over a lot of those documents to police during the raid, but retained some in boxes, he says, that he hoped Blumenthal's office would accept.<br><br>During trips to People's branches from Stratford to Stamford, he made a video to, he claims, to protect himself from the charge of extortion. "It needs editing," he said, before turning one of the many discs over to the Connecticut Post.<br><br>There are applications for credit cards, reports on bank deposit and account information.<br><br>Hastings says after several months he contacted People's and the bank set up a meeting with him. On March 19, he met with People's Director of Corporate Security William A Gniazdowski.<br><br>Gniazdowski's affidavit of the meeting is on file with the court.<br><br>In it, he says Hastings went to the bank's headquarters at Main Street in Bridgeport, met with executives and dropped off DVDs and toy handcuffs. In the video the bank saw, and Hastings confirms, he wears an orange jumpsuit to indicate People's employees should face criminal charges if any of this private information is made public.<br><span style="font-style: italic;">[Evan] I can think of a more tactful way for Mr. 
Hastings to present the information.</span><br><br>Gniazdowski says Hastings asked People's to hire him as a "fraud consultant." When Gniazdowski asked what would happen if the bank didn't comply, Hastings allegedly said he'd take "great pleasure shoving it up their nose."<br><span style="font-style: italic;">[Evan] Thus the charge of extortion.</span><br><br>Hastings said the bank's security chief trapped him in the room and wouldn't let him leave, so Hastings got mad and told the security officer to take the DVDs and shove them up his nose.<br><span style="font-style: italic;">[Evan] Thus the defense.</span><br><br>As for the charge of extortion, Hastings says, that's the bank trying to protect its reputation.<br><br>The fact that the police didn't arrest him when they searched his house shows that it's clear he wasn't trying to extort anything, he says. He adds that if he were a criminal he would have never gone to the bank because he could be living off the information he found. He noted the bank didn't know he was out there until he came to People's.<br><span style="font-style: italic;">[Evan] More defense.</span><br><br>Hastings, who admits he's concerned about his freedom and reputation, says he wishes he'd never started this, but now that he has he's not going to just roll over.<br><br>He volunteered that he has a record. He was arrested and served a two-year probation for trying to secure drugs from a pharmacy by impersonating a doctor, but that was for a painkiller he needed, and he was convicted of drunken driving. The Post confirmed he has a small criminal record.<br><br>As for what he offered the bank, Hastings says, "What I said is you need a consultant. 
You don't need to hire me."<br><br>The bank disagrees, and a law professor says he would tend to side with the bank.<br><span style="font-style: italic;">[Evan] Interesting choice of words.&nbsp; I assume that the professor is basing his assumptions on past experiences and not necessarily on the detailed facts of this case.</span><br><br>Jeffrey Meyer, a Quinnipiac University Law School associate professor and former assistant U.S. attorney, says he's heard of situations like this, but they usually involve computer hackers.<br><br>In those scenarios, a hacker finds a weakness in a corporation's Web site, exploits it and sabotages the site. The hacker will do it several times, Meyer says, before contacting the company to suggest it hire him or her as a consultant.<br><br>This has resulted in prosecution for extortion, Meyer says.<br><br>"It's the quid pro quo," Meyer said, which makes it a problem.<br><br>If the person demands payment not to damage the company, "it certainly crosses the legal line," he said.<br><br>This is not the first time Hastings says he's investigated a company's procedures and asked to be hired as a consultant. He says he found a problem with a cell phone company and it paid him $10,000 as a consultant in the late 1990s.<br><br>Hastings said the bank's Dumpsters aren't properly secured and it isn't shredding documents, he says.<br><span style="font-style: italic;">[Evan] Yes, the ROOT of the problem.&nbsp; We shouldn't lose sight of the fact that the bank did not adequately secure the personal information of some of its customers.&nbsp; If the documents had been destroyed appropriately, we would have no story, no search warrant, no restraining order, no court case, no victims, etc., etc.&nbsp; This is all a waste of valuable resources due to poor security (business) practices.</span><br><br>"We believe this is an isolated incident to the greater Bridgeport and greater Stamford," DiGiorgio said. 
"It's unfortunate."<br><span style="font-style: italic;">[Evan] It is more than "unfortunate"!</span><br><br>DiGiorgio says the bank has training on how to safeguard customer information and takes that obligation very seriously. It is reviewing its policies, he said when asked if People's will still throw documents into Dumpsters.<br><br>"We do have a policy of how to dispose of customer information," DiGiorgio says, but security reasons prevented him from revealing what those policies are.<br><span style="font-style: italic;">[Evan] Why do people state that they cannot disclose a security policy for "security reasons"?&nbsp; There is no "confidential" information in any one of the security policies I write for companies.&nbsp; Maybe "internal" information on occasion.&nbsp; Sometimes there is "confidential" information and processes in procedures, but never in policies.&nbsp; I share my information security policies openly with colleagues and partners. </span><br><br>DiGiorgio says that since Hastings went to the bank it has posted "no trespassing" signs and has installed locks on the Dumpsters it controls. 
But some of those receptacles, the bank shares with other companies and therefore cannot lock<br><span style="font-style: italic;">[Evan] No trespassing signs and locks are a deterrent to the casual opportunist, but do not stop criminals.&nbsp; I'm not saying it is or is not a good practice (I don't have enough detail), but proper shredding is optimal.</span><br><br>While the bank is reviewing its procedures, DiGiorgio said it does not believe that Hastings has a right to take the documents to "extort money from the bank."<br><span style="font-style: italic;">[Evan] The question is his motive I suppose.&nbsp; I don't think he broke the law by taking the documents out of the garbage, but the legal questions surround what he intended to do with the information.</span><br><br>Blumenthal said Thursday his office is still investigating the matter and attempting to verify Hastings' story.<br><br>But he said in an earlier interview banks have a legal responsibility to secure customers' financial information.<br><span style="font-style: italic;">[Evan] Amen.</span><br><br>Blumenthal questioned how People's could be securing customers' information by throwing it away unshredded or even shredded in a state that could be pieced together.<br><span style="font-style: italic;">[Evan] Wait.&nbsp; Now, Amen.</span><br><br>The bank "might have an explanation," Blumenthal says. "But then again it might want to change its current practices or buy a new shredder."<br><br><span style="font-weight: bold;">Commentary:</span><br>Another interesting story.&nbsp; The circumstances and drama that surround this breach should not take away from the original cause.&nbsp; It seems as though the bank broke the law by not adequately securing customer information and Mr. Hastings may or may not have broken the law in the way he handled the disclosure.&nbsp; I guess the lawyers will have to haggle and the court will ultimately have to decide. 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 08 Apr 2008 08:47:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/financial information">financial information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/bank deposit">bank deposit</category>
      <category domain="http://securityratty.com/tag/hastings">hastings</category>
      <category domain="http://securityratty.com/tag/james hastings dove">james hastings dove</category>
      <category domain="http://securityratty.com/tag/bank set">bank set</category>
      <source url="http://breachblog.com/2008/04/08/peoples.aspx">Drama surrounds People's United Bank breach</source>
    </item>
    <item>
      <title><![CDATA[Centralized, electronic storage of medical records]]></title>
      <link>http://securityratty.com/article/c84c7747d777478db8f755328dc933b2</link>
      <guid>http://securityratty.com/article/c84c7747d777478db8f755328dc933b2</guid>
      <description><![CDATA[There has been a plethora of blog postings, articles, and other assorted attempts to put the Google/Cleveland Clinic medical records pilot into perspective. The pilot is described in a Newsday...]]></description>
      <content:encoded><![CDATA[There has been a plethora of blog postings, articles, and other assorted attempts to put the Google/Cleveland Clinic medical records pilot into perspective.  The pilot is described in a Newsday article.
<blockquote>Google, the California search engine company, and the Cleveland Clinic - an Ohio medical institution with a reputation for quality care - said last week they will collaborate on a pilot program to store patient records online.

The test program will allow 1,5]]></content:encoded>
      <pubDate>Wed, 27 Feb 2008 07:46:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pilot">pilot</category>
      <category domain="http://securityratty.com/tag/pilot program">pilot program</category>
      <category domain="http://securityratty.com/tag/ohio medical institution">ohio medical institution</category>
      <category domain="http://securityratty.com/tag/engine company">engine company</category>
      <category domain="http://securityratty.com/tag/blog postings">blog postings</category>
      <category domain="http://securityratty.com/tag/quality care">quality care</category>
      <category domain="http://securityratty.com/tag/cleveland clinic">cleveland clinic</category>
      <category domain="http://securityratty.com/tag/newsday article">newsday article</category>
      <category domain="http://securityratty.com/tag/test program">test program</category>
      <source url="http://networking.ittoolbox.com/r/rss.asp?url=http://blogs.ittoolbox.com/security/adventures/archives/centralized-electronic-storage-of-medical-records-22748">Centralized, electronic storage of medical records</source>
    </item>
    <item>
      <title><![CDATA[Long Island University notifies students of mailing error]]></title>
      <link>http://securityratty.com/article/e87fe39d5de41394f8c647c30c9885f7</link>
      <guid>http://securityratty.com/article/e87fe39d5de41394f8c647c30c9885f7</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
2/12/08

Organization
Long Island University

Contractor/Consultant/Branch
None

Victims
all students who were enrolled at Long Island University in the...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/liu.jpg" align="right" height="63" width="128"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>2/12/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.liu.edu/liu_start.html" target="_blank"> Long Island University</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>"all students who were enrolled at Long Island University in the calendar year 2007"<br><br><span style="font-weight: bold;">Number Affected:</span><br>~28,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>Student names, addresses and Social Security Numbers<br><br style="font-weight: bold;"><span style="font-weight: bold;">Breach Description:</span><br>"During the week of February 4, University officials discovered that some IRS 1098-T “Tuition Statement” forms for 2007, that had been delivered to the Post Office in what may have been defective mailers supplied to the University, were damaged by Post Office processing machinery.&nbsp; Student names, addresses and social security numbers were on these forms and may have been exposed."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.liu.edu/dataexposure.html" target="_blank"> Long Island University online notification</a> <br><a href="http://www.newsday.com/news/local/ny-liiden125573734feb12,0,6745463.story" target="_blank"> Newsday.com online report</a><br><br><span style="font-weight: bold;">Report Credit:</span><br>Long Island University<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Long Island University is notifying approximately 28,000 students that their personal data may have been exposed to potential identity theft.<br><br>The personal data of all students who were enrolled at Long Island University in the calendar year 2007 
may have been exposed.<br><br>This exposure affects the University’s two main campuses - Brooklyn and C.W. Post; and its regional campuses.<br><br>The personal data includes names, addresses and Social Security Numbers.<br><br>Earlier this week, University officials discovered that some IRS 1098-T "Tuition Statement" forms for 2007, that had been delivered to the Post Office in what may have been defective mailers supplied to the University,&nbsp; were damaged by Post Office processing machinery.&nbsp; Student names, addresses and social security numbers on those forms may have been exposed.<br><br>one side of each envelope was missing adhesive, according to LIU officials, which caused about half of the statements to be damaged by U.S. Postal Service processing machinery<br><br>At this time Long Island University has no indication that this data has been accessed or used by anyone. However, the University recognizes the seriousness of this exposure and the need to inform the affected students as quickly as possible.<br><span style="font-style: italic;">[Evan] In this day and age, this is a prudent decision to notify students quickly.&nbsp; LIU deserves credit.<br><br></span>"Long Island University deeply regrets that personal information may have been inadvertently exposed to potential identity theft," Long Island University President David Steinberg said.<br><span style="font-style: italic;">[Evan] The leader of the school addressing the situation is another good call in my opinion.</span><br><br>We are notifying all the affected students by letter. We also have established a "Notification of 1098-T Data Exposure" link on the University’s website, set up a hotline (516-299-2553); and provided information to students that will help them protect their personal information.<br><br>"The likelihood of identity theft is low," said LIU treasurer and vice president for finance Robert N. Altholz. 
"But for some period of time the names, addresses and Social Security numbers were available to the people in the post office<br><span style="font-style: italic;">[Evan] The additional risk posed by this breach is relatively low.&nbsp; It appears that the information was only exposed to Post Office personnel.&nbsp; I don't feel comfortable with confidential information being sent in the mail, but this happens every day, especially during this time of year (tax time).</span><br><br><span style="font-weight: bold;">A Victim Reaction:</span><br>"Of course, I don't feel good about having my personal information out there," said junior education major Joanna DeMauro, who attends C.W. Post. "This is the first I am hearing about this incident."<br><br><span style="font-weight: bold;">Commentary:</span><br>As I read the school's breach notification and response, I come away with a sense that the school really does care about the personal information of their students.&nbsp; This is another one of those breaches that could have easily been "swept under the rug".&nbsp; </font><font size="2">The school is clearly not trying to hide anything.&nbsp; They
even have a prominently displayed link on their homepage that reads
"NOTIFICATION OF 1098-T DATA EXPOSURE"<br><br><img src="http://images.quickblogcast.com/95781-88451/liunotification.jpg" border="0" width="472"><br><br></font><font size="2">The school deserves some credit for their prompt and clear response.&nbsp; <br><br>How many IRS forms are sent through the mail this time of year with Social Security numbers on them? <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 12 Feb 2008 06:53:50 +0000</pubDate>
      <category domain="http://securityratty.com/tag/island university">island university</category>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/post">post</category>
      <category domain="http://securityratty.com/tag/post office personnel">post office personnel</category>
      <category domain="http://securityratty.com/tag/students">students</category>
      <category domain="http://securityratty.com/tag/post office">post office</category>
      <category domain="http://securityratty.com/tag/personal data">personal data</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/social security">social security</category>
      <source url="http://breachblog.com/2008/02/12/liu.aspx">Long Island University notifies students of mailing error</source>
    </item>
  </channel>
</rss>
